[evolvis-commits] r15115: Reimplemented Permission class with RBAC ( and without a reference to the user since it' s now always called to check permissions for the current session)
mirabilos at evolvis.org
mirabilos at evolvis.org
Mon Feb 28 23:41:31 CET 2011
Author: mirabilos
Date: 2011-02-28 23:41:31 +0100 (Mon, 28 Feb 2011)
New Revision: 15115
Modified:
trunk/gforge_base/evolvisforge-5.1/gforge/common/include/Permission.class.php
Log:
Reimplemented Permission class with RBAC (and without a reference to the user since it's now always called to check permissions for the current session)
Modified: trunk/gforge_base/evolvisforge-5.1/gforge/common/include/Permission.class.php
===================================================================
--- trunk/gforge_base/evolvisforge-5.1/gforge/common/include/Permission.class.php 2011-02-28 22:41:27 UTC (rev 15114)
+++ trunk/gforge_base/evolvisforge-5.1/gforge/common/include/Permission.class.php 2011-02-28 22:41:31 UTC (rev 15115)
@@ -39,7 +39,7 @@
* @return a Permission or false on failure
*
*/
-function &permission_get_object(&$_Group, &$_User) {
+function &permission_get_object(&$_Group, &$_User = NULL) {
//create a common set of Permission objects
//saves a little wear on the database
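Review bot: `$_User` is still accepted here but is no longer used. The next hunk keys `$PERMISSION_OBJ` on `$group_id` alone and constructs `new Permission($_Group)`. A caller that passes a user other than the one in the current session will therefore get answers for the session user without any signal, which is an authorization surprise. The docblock above the function should say so, for example `@param object $_User ignored, kept for backward compatibility; permissions are always evaluated for the current session`. The function body continues outside this hunk.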
@@ -51,17 +51,10 @@
$group_id = 0;
}
- if (is_object($_User)) {
- $user_id = $_User->getID();
- } else {
- //invalid object, probably from user not being logged in
- $user_id = 0;
+ if (!isset($PERMISSION_OBJ[$group_id])) {
+ $PERMISSION_OBJ[$group_id]= new Permission($_Group);
}
-
- if (!isset($PERMISSION_OBJ["_".$group_id."_".$user_id])) {
- $PERMISSION_OBJ["_".$group_id."_".$user_id]= new Permission($_Group, $_User);
- }
- return $PERMISSION_OBJ["_".$group_id."_".$user_id];
+ return $PERMISSION_OBJ[$group_id];
}
class Permission extends Error {
@@ -80,11 +73,11 @@
var $Group;
/**
- * The User object.
+ * ID of the Group object
*
- * @var object $User.
+ * @var int $group_id.
*/
- var $User;
+ var $group_id
/**
* Whether the user is an admin/super user of this project.
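Review bot: The added property declaration `var $group_id` has no terminating semicolon, so the file will not parse and every page that includes Permission.class.php will fail. It should read `var $group_id;`. The class body starts and ends outside this hunk.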
@@ -107,7 +100,7 @@
* @param object User Object required.
*
*/
- function Permission (&$_Group, &$_User) {
+ function Permission (&$_Group) {
if (!$_Group || !is_object($_Group)) {
$this->setError('No Valid Group Object');
return false;
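Review bot: The constructor docblock kept as context above the new signature still carries `@param object User Object required.`, although `Permission (&$_Group)` no longer takes a user. That line should be dropped so the documentation does not suggest the object is bound to a particular user. A one-line comment such as `// permissions are evaluated for the current session via forge_check_perm()` would make the new contract explicit. The constructor body continues into the next hunk.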
@@ -117,90 +110,16 @@
return false;
}
$this->Group =& $_Group;
-
- if (!$_User || !is_object($_User)) {
- $this->setError('No Valid User Object');
- return false;
- }
- if ($_User->isError()) {
- $this->setError('Permission: '.$_User->getErrorMessage());
- return false;
- }
- $this->User =& $_User;
-
- if (!$this->fetchData()) {
- return false;
- } else {
- return true;
- }
+ $this->group_id = $this->Group->getID() ;
}
/**
- * fetchData - fetch the data for this Permission from the database.
- *
- * @return boolean success.
- * @access private
- */
- function fetchData() {
- $res = db_query_params ('SELECT * FROM user_group WHERE user_id=$1 AND group_id=$2',
- array ($this->User->getID(),
- $this->Group->getID())) ;
- if (!$res || db_numrows($res) < 1) {
- $this->setError('Permission: User Not Found');
-
- if ($this->setUpSuperUser()) {
- return true;
- }
- } else {
- $this->data_array = db_fetch_array($res);
- if (trim($this->data_array['admin_flags']) == 'A') {
- $this->is_admin=true;
- } else {
- $this->setUpSuperUser();
- }
- db_free_result($res);
- return true;
- }
- }
-
- /**
- * setUpSuperUser - check to see if this User is a site super-user.
- *
- * @return boolean is_super_user.
- * @access private
- */
- function setUpSuperUser() {
- //
- // see if they are a site super-user
- // if not a member of this group
- //
- if ($this->isSuperUser()) {
- $this->clearError();
- $this->is_admin = true;
- return true;
- }
-
- return false;
- }
-
- /**
* isSuperUser - whether the current user has site admin privilege.
*
* @return boolean is_super_user.
*/
function isSuperUser() {
- if (isset($this->is_site_admin)) {
- return $this->is_site_admin;
- }
-
- $res = db_query_params ('SELECT count(*) AS count FROM user_group WHERE user_id=$1 AND group_id=1 AND admin_flags=$2',
- array ($this->User->getID(),
- 'A')) ;
- $row_count = db_fetch_array($res);
- $this->is_site_admin = $res && $row_count['count'] > 0;
- db_free_result($res);
-
- return $this->is_site_admin;
+ return forge_check_global_perm ('forge_admin') ;
}
/**
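Review bot: `$this->group_id` is assigned only on the success path, so the early `return false;` branches for an invalid or errored group leave it unset. `permission_get_object()` still caches and returns that object, and `isAdmin()`, `isForumAdmin()` and the other checks would then call `forge_check_perm()` with a null group id. How `forge_check_perm()` treats a null id is not visible here. Each check should fail closed on an errored object, for example `if ($this->isError()) { return false; }` ahead of the `forge_check_perm()` call, assuming the `Error` base class provides `isError()` as the removed `$_User->isError()` call suggests. Alternatively, initialise `group_id` to a value that can never match a project.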
@@ -209,7 +128,7 @@
* @return boolean is_forum_admin.
*/
function isForumAdmin() {
- return $this->isMember('forum_flags',2);
+ return forge_check_perm ('forum_admin', $this->group_id) ;
}
/**
@@ -218,7 +137,7 @@
* @return boolean is_doc_editor.
*/
function isDocEditor() {
- return $this->isMember('doc_flags',1);
+ return forge_check_perm ('docman', $this->group_id, 'admin') ;
}
/**
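Review bot: `isDocEditor()` now requires the `'admin'` level on `docman`, but the old test was `doc_flags >= 1`. The forum, tracker and task-manager checks were mapped to `*_admin` from a threshold of 2. If level 1 on `doc_flags` meant editor rather than admin, this change narrows who passes the check. Either confirm the mapping or add a comment on the line, such as `// doc_flags>=1 (editor) maps to docman 'admin' in the RBAC model`. The same question applies to `isReleaseTechnician()` in the following hunk, where `release_flags >= 1` became `'frs'`/`'write'`.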
@@ -227,7 +146,7 @@
* @return boolean is_release_technician.
*/
function isReleaseTechnician() {
- return $this->isMember('release_flags',1);
+ return forge_check_perm ('frs', $this->group_id, 'write') ;
}
/**
@@ -236,7 +155,7 @@
* @return boolean is_artifact_admin.
*/
function isArtifactAdmin() {
- return $this->isMember('artifact_flags',2);
+ return forge_check_perm ('tracker_admin', $this->group_id) ;
}
/**
@@ -245,60 +164,25 @@
* @return boolean is_projman_admin.
*/
function isPMAdmin() {
- return $this->isMember('project_flags',2);
+ return forge_check_perm ('pm_admin', $this->group_id) ;
}
/**
- * isMember - Simple test to see if the current user is a member of this project.
- *
- * Can optionally pass in vars to test other permissions.
- *
- * @param string The field to check.
- * @param int The value that $field should have.
- * @return boolean is_member.
- */
- function isMember($field='user_id',$value='-1') {
- if ($this->isAdmin()) {
- //admins are tested first so that super-users can return true
- //and admins of a project should always have full privileges
- //on their project
- return true;
- } else {
- $arr =& $this->getPermData();
- if ($arr[$field] >= $value) {
- return true;
- } else {
- return false;
- }
- }
- }
-
- /**
* isAdmin - User is an admin of the project or admin of the entire site.
*
* @return boolean is_admin.
*/
function isAdmin() {
- return $this->is_admin;
+ return forge_check_perm ('project_admin', $this->group_id) ;
}
/**
- * getPermData - returns the assocative array from the db.
- *
- * @return array The array of data.
- * @access private
- */
- function &getPermData() {
- return $this->data_array;
- }
-
- /**
* isCVSReader - checks the cvs_flags field in user_group table.
*
* @return boolean cvs_flags
*/
function isCVSReader() {
- return $this->isMember('cvs_flags',0);
+ return forge_check_perm ('scm', $this->group_id, 'read') ;
}
/**
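Review bot: `isAdmin()` keeps the docblock "User is an admin of the project or admin of the entire site", but the new body only checks `'project_admin'` for this group. The removed `setUpSuperUser()` set `is_admin` explicitly for site super-users. Whether `forge_check_perm()` implies `project_admin` for holders of `forge_admin` is not visible in this diff. If it does not, site admins lose project access, and the "super-users can return true" assumption in `isMember()` no longer holds. In that case the line should be `return $this->isSuperUser() || forge_check_perm ('project_admin', $this->group_id) ;`. The `isCVSReader` docblock "checks the cvs_flags field in user_group table" is also stale and should describe the `scm`/`read` check.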
@@ -307,8 +191,33 @@
* @return boolean cvs_flags
*/
function isCVSWriter() {
- return $this->isMember('cvs_flags',1);
+ return forge_check_perm ('scm', $this->group_id, 'write') ;
}
+
+ /**
+ * isMember - Simple test to see if the current user is a member of this project.
+ *
+ * @return boolean is_member.
+ */
+ function isMember() {
+ if ($this->isAdmin()) {
+ //admins are tested first so that super-users can return true
+ //and admins of a project should always have full privileges
+ //on their project
+ return true;
+ } else {
+ $engine = RBACEngine::getInstance() ;
+
+ $roles = $engine->getAvailableRoles () ;
+ foreach ($roles as $role) {
+ $hp = $role->getHomeProject () ;
+ if ($hp != NULL
+ && $hp->getID() == $this->group_id) {
+ return $true ;
+ }
+ }
+ }
+ }
}
// Local Variables:
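Review bot: In the new `isMember()`, `return $true ;` reads an undefined variable and so returns NULL, which means a non-admin project member is never reported as a member. It should be `return true;`. The method also falls off the end when no role matches, so a final `return false;` after the loop would make the boolean contract explicit. The old signature took `($field, $value)`, and PHP ignores surplus arguments to user functions. Any remaining caller outside this file such as `isMember('forum_flags', 2)` would therefore be answered with plain membership instead of the stricter flag check. No such callers are visible in this diff, so they are worth searching for before merging.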