[evolvis-commits] r15115: Reimplemented Permission class with RBAC ( and without a reference to the user since it' s now always called to check permissions for the current session)

mirabilos at evolvis.org mirabilos at evolvis.org
Mon Feb 28 23:41:31 CET 2011


Author: mirabilos
Date: 2011-02-28 23:41:31 +0100 (Mon, 28 Feb 2011)
New Revision: 15115

Modified:
   trunk/gforge_base/evolvisforge-5.1/gforge/common/include/Permission.class.php
Log:
Reimplemented Permission class with RBAC (and without a reference to the user since it's now always called to check permissions for the current session)

Modified: trunk/gforge_base/evolvisforge-5.1/gforge/common/include/Permission.class.php
===================================================================
--- trunk/gforge_base/evolvisforge-5.1/gforge/common/include/Permission.class.php	2011-02-28 22:41:27 UTC (rev 15114)
+++ trunk/gforge_base/evolvisforge-5.1/gforge/common/include/Permission.class.php	2011-02-28 22:41:31 UTC (rev 15115)
@@ -39,7 +39,7 @@
  * @return a Permission or false on failure
  *
  */
-function &permission_get_object(&$_Group, &$_User) {
+function &permission_get_object(&$_Group, &$_User = NULL) {
 	//create a common set of Permission objects
 	//saves a little wear on the database
 	
@@ -51,17 +51,10 @@
 		$group_id = 0;
 	}
 
-	if (is_object($_User)) {
-		$user_id = $_User->getID();
-	} else {
-		//invalid object, probably from user not being logged in
-		$user_id = 0;
+	if (!isset($PERMISSION_OBJ[$group_id])) {
+		$PERMISSION_OBJ[$group_id]= new Permission($_Group);
 	}
-
-	if (!isset($PERMISSION_OBJ["_".$group_id."_".$user_id])) {
-		$PERMISSION_OBJ["_".$group_id."_".$user_id]= new Permission($_Group, $_User);
-	}
-	return $PERMISSION_OBJ["_".$group_id."_".$user_id];
+	return $PERMISSION_OBJ[$group_id];
 }
 
 class Permission extends Error {
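Review bot: `$_User` is no longer read anywhere in permission_get_object(): the cache key and the `new Permission($_Group)` call use only the group, so a caller that passes a user other than the logged-in one now silently gets the current session's permissions back. The commit message says the function is only ever called for the current session, but nothing in the new code enforces that. I would document it on the signature in the previous hunk, for example `@param object $_User ignored, kept for compatibility; checks always apply to the current session user`. Remaining callers that pass a different user are not visible in this diff and should be audited. The function body starts in the previous hunk.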
@@ -80,11 +73,11 @@
 	var $Group;
 
 	/**
-	 * The User object.
+	 * ID of the Group object
 	 *
-	 * @var object $User.
+	 * @var int $group_id.
 	 */
-	var $User;
+	var $group_id
 
 	/**
 	 * Whether the user is an admin/super user of this project.
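Review bot: The new property declaration `var $group_id` has no terminating semicolon, so the file will not parse and every page that includes Permission.class.php breaks. It should read `var $group_id;`. The `$is_admin` property documented just below no longer appears to be assigned or read in the new code shown in this diff, so it may be dead now; its declaration lies outside the hunk.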
@@ -107,7 +100,7 @@
 	 *	@param	object	User Object required.
 	 *	
 	 */
-	function Permission (&$_Group, &$_User) {
+	function Permission (&$_Group) {
 		if (!$_Group || !is_object($_Group)) {
 			$this->setError('No Valid Group Object');
 			return false;
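Review bot: The docblock line `@param object User Object required.` kept as context above the new constructor signature is stale, since `Permission(&$_Group)` no longer takes a user. It should be removed, and the description could state that all checks are evaluated for the current session user. The constructor body continues in the next hunk.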
@@ -117,90 +110,16 @@
 			return false;
 		}
 		$this->Group =& $_Group;
-
-		if (!$_User || !is_object($_User)) {
-			$this->setError('No Valid User Object');
-			return false;
-		}   
-		if ($_User->isError()) {
-			$this->setError('Permission: '.$_User->getErrorMessage());
-			return false;
-		}   
-		$this->User =& $_User;
-
-		if (!$this->fetchData()) {
-			return false;
-		} else {
-			return true;
-		}
+		$this->group_id = $this->Group->getID() ;
 	}
 
 	/**
-	 *  fetchData - fetch the data for this Permission from the database.
-	 *
-	 *  @return	boolean success.
-	 *	@access private
-	 */
-	function fetchData() {
-		$res = db_query_params ('SELECT * FROM user_group WHERE user_id=$1 AND group_id=$2',
-					array ($this->User->getID(),
-					       $this->Group->getID())) ;
-		if (!$res || db_numrows($res) < 1) {
-			$this->setError('Permission: User Not Found');
-
-			if ($this->setUpSuperUser()) {
-				return true;
-			}
-		} else {
-			$this->data_array = db_fetch_array($res);
-			if (trim($this->data_array['admin_flags']) == 'A') {
-				$this->is_admin=true;
-			} else {
-				$this->setUpSuperUser();
-			}
-			db_free_result($res);
-			return true;
-		}
-	}
-
-	/**
-	 *	setUpSuperUser - check to see if this User is a site super-user.
-	 *
-	 *	@return	boolean	is_super_user.
-	 *	@access private
-	 */
-	function setUpSuperUser() {
-		//
-		//  see if they are a site super-user
-		//  if not a member of this group
-		//
-		if ($this->isSuperUser()) {
-			$this->clearError();
-			$this->is_admin = true;
-			return true;
-		}
-
-		return false;
-	}
-
-	/**
 	 *  isSuperUser - whether the current user has site admin privilege.
 	 *
 	 *  @return	boolean	is_super_user.
 	 */
 	function isSuperUser() {
-		if (isset($this->is_site_admin)) {
-			return $this->is_site_admin;
-		}
-
-		$res = db_query_params ('SELECT count(*) AS count FROM user_group WHERE user_id=$1 AND group_id=1 AND admin_flags=$2',
-					array ($this->User->getID(),
-					       'A')) ;
-		$row_count = db_fetch_array($res);
-		$this->is_site_admin = $res && $row_count['count'] > 0;
-		db_free_result($res);
-
-		return $this->is_site_admin;
+		return forge_check_global_perm ('forge_admin') ;
 	}
 
 	/**
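Review bot: On the constructor's error paths (`return false;` after `setError`), `$this->group_id` is never assigned, yet the object is still created and cached by permission_get_object(). The rewritten checks then pass an unset group id to `forge_check_perm`. Previously such an object answered from `$this->is_admin`, which stayed unset and therefore falsy; whether the new calls also fail closed depends on how `forge_check_perm` treats a null project id, which this diff does not show. I would make that explicit, for example by starting each project-scoped check with `if ($this->isError()) { return false; }`, or by funnelling the checks through one private helper that does so. The constructor starts in the previous hunk.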
@@ -209,7 +128,7 @@
 	 *  @return	boolean	is_forum_admin.
 	 */
 	function isForumAdmin() {
-		return $this->isMember('forum_flags',2);
+		return forge_check_perm ('forum_admin', $this->group_id) ;
 	}
 
 	/**
@@ -218,7 +137,7 @@
 	 *  @return	boolean	is_doc_editor.
 	 */
 	function isDocEditor() {
-		return $this->isMember('doc_flags',1);
+		return forge_check_perm ('docman', $this->group_id, 'admin') ;
 	}
 
 	/**
@@ -227,7 +146,7 @@
 	 *  @return	boolean	is_release_technician.
 	 */
 	function isReleaseTechnician() {
-		return $this->isMember('release_flags',1);
+		return forge_check_perm ('frs', $this->group_id, 'write') ;
 	}
 
 	/**
@@ -236,7 +155,7 @@
 	 *  @return	boolean	is_artifact_admin.
 	 */
 	function isArtifactAdmin() {
-		return $this->isMember('artifact_flags',2);
+		return forge_check_perm ('tracker_admin', $this->group_id) ;
 	}
 
 	/**
@@ -245,60 +164,25 @@
 	 *  @return	boolean	is_projman_admin.
 	 */
 	function isPMAdmin() {
-		return $this->isMember('project_flags',2);
+		return forge_check_perm ('pm_admin', $this->group_id) ;
 	}
 
 	/**
-	 *  isMember - Simple test to see if the current user is a member of this project.
-	 *
-	 *  Can optionally pass in vars to test other permissions.
-	 *
-	 *  @param string	The field to check.
-	 *  @param int		The value that $field should have.
-	 *  @return	boolean	is_member.
-	 */
-	function isMember($field='user_id',$value='-1') {
-		if ($this->isAdmin()) {
-			//admins are tested first so that super-users can return true
-			//and admins of a project should always have full privileges 
-			//on their project
-			return true;
-		} else {
-			$arr =& $this->getPermData();
-			if ($arr[$field] >= $value) {
-				return true; 
-			} else {
-				return false;
-			}
-		}
-	}
-
-	/**
 	 *  isAdmin - User is an admin of the project or admin of the entire site.
 	 *
 	 *  @return	boolean	is_admin.
 	 */
 	function isAdmin() {
-		return $this->is_admin;
+		return forge_check_perm ('project_admin', $this->group_id) ;
 	}
 
 	/**
-	 *	getPermData - returns the assocative array from the db.
-	 *
-	 *	@return array The array of data.
-	 *	@access private
-	 */
-	function &getPermData() {
-		return $this->data_array;
-	}
-
-	/**
 	 *	isCVSReader - checks the cvs_flags field in user_group table.
 	 *
 	 *	@return	boolean	cvs_flags
 	 */
 	function isCVSReader() {
-		return $this->isMember('cvs_flags',0);
+		return forge_check_perm ('scm', $this->group_id, 'read') ;
 	}
 	
 	/**
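Review bot: Removing `isMember($field, $value)` here while a zero-argument `isMember()` is added at the end of the class changes the meaning of any call site that still passes a flag name and level. PHP ignores surplus arguments to a user-defined function, so such a call would become a plain membership test instead of a check of that specific flag. Call sites are not visible in this diff; they should be searched for and converted to the matching `forge_check_perm` call. Separately, the isCVSReader docblock still says it `checks the cvs_flags field in user_group table`; wording such as `isCVSReader - whether the current user has SCM read access to this project` would match the new code.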
@@ -307,8 +191,33 @@
 	 *      @return boolean cvs_flags
 	 */
 	function isCVSWriter() {
-		return $this->isMember('cvs_flags',1);
+		return forge_check_perm ('scm', $this->group_id, 'write') ;
 	}
+
+	/**
+	 *  isMember - Simple test to see if the current user is a member of this project.
+	 *
+	 *  @return	boolean	is_member.
+	 */
+	function isMember() {
+		if ($this->isAdmin()) {
+			//admins are tested first so that super-users can return true
+			//and admins of a project should always have full privileges 
+			//on their project
+			return true;
+		} else {
+			$engine = RBACEngine::getInstance() ;
+
+			$roles = $engine->getAvailableRoles () ;
+			foreach ($roles as $role) {
+				$hp = $role->getHomeProject () ;
+				if ($hp != NULL
+				    && $hp->getID() == $this->group_id) {
+					return $true ;
+				}
+			}
+		}
+	}
 }
 
 // Local Variables:
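Review bot: In the new isMember(), `return $true ;` returns an undefined variable (null), and the function falls off the end when no role matches. A non-admin member is therefore never reported as a member, and the method yields null rather than false. The line should be `return true ;`, with a `return false ;` added after the `foreach` loop. The loose comparisons `$hp != NULL` and `$hp->getID() == $this->group_id` would also be safer as strict checks, such as `$hp !== NULL` and a comparison of integer-cast IDs.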


