private function syncWithDirectory($ps_username)
{
$va_default_roles = $this->getConfigValue("ldap_users_default_roles", array());
$va_default_groups = $this->getConfigValue("ldap_users_default_groups", array());
$t_user = new ca_users();
// don't try to sync roles for non-existing users (the first auth call is before the user is actually created)
if (!$t_user->load($ps_username)) {
return;
}
if ($this->getConfigValue('ldap_sync_user_roles')) {
$va_expected_roles = array_merge($va_default_roles, $this->getRolesToAddFromDirectory($ps_username));
foreach ($va_expected_roles as $vs_role) {
if (!$t_user->hasUserRole($vs_role)) {
$t_user->addRoles($vs_role);
}
}
foreach ($t_user->getUserRoles() as $vn_id => $va_role_info) {
if (!in_array($va_role_info['code'], $va_expected_roles)) {
$t_user->removeRoles($vn_id);
}
}
}
if ($this->getConfigValue('ldap_sync_user_groups')) {
$va_expected_groups = array_merge($va_default_groups, $this->getGroupsToAddFromDirectory($ps_username));
foreach ($va_expected_groups as $vs_group) {
if (!$t_user->inGroup($vs_group)) {
$t_user->addToGroups($vs_group);
}
}
foreach ($t_user->getUserGroups() as $vn_id => $va_group_info) {
if (!in_array($va_group_info['code'], $va_expected_groups)) {
$t_user->removeFromGroups($vn_id);
}
}
}
}
public static function authenticate($ps_username, $ps_password = '', $pa_options = null)
{
$po_auth_config = Configuration::load(Configuration::load()->get('authentication_config'));
if (!function_exists("ldap_connect")) {
throw new OpenLDAPException(_t("PHP's LDAP module is required for LDAP authentication!"));
}
if (!$ps_username) {
return false;
}
// ldap config
$vs_ldaphost = $po_auth_config->get("ldap_host");
$vs_ldapport = $po_auth_config->get("ldap_port");
$vs_base_dn = $po_auth_config->get("ldap_base_dn");
$vs_user_ou = $po_auth_config->get("ldap_user_ou");
$vs_bind_rdn = self::postProcessLDAPConfigValue("ldap_bind_rdn_format", $ps_username, $vs_user_ou, $vs_base_dn);
$va_default_roles = $po_auth_config->get("ldap_users_default_roles");
if (!is_array($va_default_roles)) {
$va_default_roles = array();
}
$va_default_groups = $po_auth_config->get("ldap_users_default_groups");
if (!is_array($va_default_groups)) {
$va_default_groups = array();
}
$vo_ldap = ldap_connect($vs_ldaphost, $vs_ldapport);
ldap_set_option($vo_ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
if (!$vo_ldap) {
return false;
}
$vs_bind_rdn_filter = self::postProcessLDAPConfigValue("ldap_bind_rdn_filter", $ps_username, $vs_user_ou, $vs_base_dn);
if (strlen($vs_bind_rdn_filter) > 0) {
$vo_dn_search_results = ldap_search($vo_ldap, $vs_base_dn, $vs_bind_rdn_filter);
$va_dn_search_results = ldap_get_entries($vo_ldap, $vo_dn_search_results);
if (isset($va_dn_search_results[0]['dn'])) {
$vs_bind_rdn = $va_dn_search_results[0]['dn'];
}
}
// log in
$vo_bind = @ldap_bind($vo_ldap, $vs_bind_rdn, $ps_password);
if (!$vo_bind) {
// wrong credentials
if (ldap_get_option($vo_ldap, 0x32, $extended_error)) {
caLogEvent("ERR", "LDAP ERROR (" . ldap_errno($vo_ldap) . ") {$extended_error} [{$vs_bind_rdn}]", "OpenLDAP::Authenticate");
}
ldap_unbind($vo_ldap);
return false;
}
// check group membership
if (!self::isMemberinAtLeastOneGroup($ps_username, $vo_ldap)) {
ldap_unbind($vo_ldap);
return false;
}
// user role and group membership syncing with directory
$t_user = new ca_users();
if ($t_user->load($ps_username)) {
// don't try to sync roles for non-existing users (the first auth call is before the user is actually created)
if ($po_auth_config->get('ldap_sync_user_roles')) {
$va_expected_roles = array_merge($va_default_roles, self::getRolesToAddFromDirectory($ps_username, $vo_ldap));
foreach ($va_expected_roles as $vs_role) {
if (!$t_user->hasUserRole($vs_role)) {
$t_user->addRoles($vs_role);
}
}
foreach ($t_user->getUserRoles() as $vn_id => $va_role_info) {
if (!in_array($va_role_info['code'], $va_expected_roles)) {
$t_user->removeRoles($vn_id);
}
}
}
if ($po_auth_config->get('ldap_sync_user_groups')) {
$va_expected_groups = array_merge($va_default_groups, self::getGroupsToAddFromDirectory($ps_username, $vo_ldap));
foreach ($va_expected_groups as $vs_group) {
if (!$t_user->inGroup($vs_group)) {
$t_user->addToGroups($vs_group);
}
}
foreach ($t_user->getUserGroups() as $vn_id => $va_group_info) {
if (!in_array($va_group_info['code'], $va_expected_groups)) {
$t_user->removeFromGroups($vn_id);
}
}
}
}
ldap_unbind($vo_ldap);
return true;
}
/**
* Returns list of screens for a given UI.
*
* @param int $pn_type_id Optional type to restrict screens to
* @param array $pa_options Options include:
* showAll = Include screens that do not have placements. Default is false.
* user_id = User_id to apply access control for
*
* @return array List of screens for this user interface
*/
public function getScreens($pn_type_id = null, $pa_options = null)
{
if (!$this->getPrimaryKey()) {
return false;
}
if (!($t_instance = $this->_DATAMODEL->getInstanceByTableNum($this->get('editor_type')))) {
return null;
}
if ($t_instance instanceof BaseRelationshipModel) {
$va_types = $t_instance->getRelationshipTypes();
} else {
$va_types = $t_instance->getTypeList();
}
$va_sql_params = array((int) $this->getPrimaryKey());
$o_db = $this->getDb();
$va_type_list = caMakeTypeIDList($this->get('editor_type'), array($pn_type_id), array('dontIncludeSubtypesInTypeRestriction' => true));
if (!sizeof($va_type_list)) {
$va_type_list = array($pn_type_id);
}
$vs_type_sql = (int) $pn_type_id ? "AND (ceustr.type_id IS NULL OR ceustr.type_id IN (" . join(",", $va_type_list) . "))" : '';
$vs_access_sql = '';
$t_user = new ca_users();
if (($vn_user_id = caGetOption('user_id', $pa_options, null)) && $t_user->load($vn_user_id)) {
$vs_access_sql = " AND ((ceus.screen_id IN \n\t\t\t\t\t(\n\t\t\t\t\t\tSELECT screen_id \n\t\t\t\t\t\tFROM ca_editor_ui_screens_x_users\n\t\t\t\t\t\tWHERE\n\t\t\t\t\t\t\tuser_id = ?\n\t\t\t\t\t)\n\t\t\t\t)";
$va_sql_params[] = $vn_user_id;
$va_groups = $t_user->getUserGroups();
if (is_array($va_groups) && sizeof($va_groups)) {
$vs_access_sql .= " OR (ceus.screen_id IN \n\t\t\t\t\t(\n\t\t\t\t\t\tSELECT screen_id \n\t\t\t\t\t\tFROM ca_editor_ui_screens_x_user_groups\n\t\t\t\t\t\tWHERE\n\t\t\t\t\t\t\tgroup_id IN (?)\n\t\t\t\t\t)\n\t\t\t\t)";
$va_sql_params[] = array_keys($va_groups);
}
$va_roles = $t_user->getUserRoles();
if (is_array($va_roles) && sizeof($va_roles)) {
$vs_access_sql .= " OR (ceus.screen_id IN \n\t\t\t\t\t(\n\t\t\t\t\t\tSELECT screen_id \n\t\t\t\t\t\tFROM ca_editor_ui_screens_x_roles\n\t\t\t\t\t\tWHERE\n\t\t\t\t\t\t\trole_id IN (?)\n\t\t\t\t\t)\n\t\t\t\t)";
$va_sql_params[] = array_keys($va_roles);
}
$vs_access_sql .= "\n\t\t\t\tOR (\n\t\t\t\t\tceus.screen_id NOT IN (\n\t\t\t\t\t\tSELECT screen_id FROM ca_editor_ui_screens_x_users\n\t\t\t\t\t)\n\t\t\t\t\tAND\n\t\t\t\t\tceus.screen_id NOT IN (\n\t\t\t\t\t\tSELECT screen_id FROM ca_editor_ui_screens_x_user_groups\n\t\t\t\t\t)\n\t\t\t\t\tAND\n\t\t\t\t\tceus.screen_id NOT IN (\n\t\t\t\t\t\tSELECT screen_id FROM ca_editor_ui_screens_x_roles\n\t\t\t\t\t)\n\t\t\t\t)\n\t\t\t)";
}
$qr_res = $o_db->query("\n\t\t\tSELECT ceus.*, ceusl.*, ceustr.type_id restriction_type_id\n\t\t\tFROM ca_editor_ui_screens ceus\n\t\t\tINNER JOIN ca_editor_ui_screen_labels AS ceusl ON ceus.screen_id = ceusl.screen_id\n\t\t\tLEFT JOIN ca_editor_ui_screen_type_restrictions AS ceustr ON ceus.screen_id = ceustr.screen_id\n\t\t\tWHERE\n\t\t\t\t(ceus.ui_id = ?) {$vs_type_sql}\n\t\t\t\t{$vs_access_sql}\n\t\t\tORDER BY \n\t\t\t\tceus.rank, ceus.screen_id\n\t\t", $va_sql_params);
$va_screens = array();
while ($qr_res->nextRow()) {
if (!$va_screens[$vn_screen_id = $qr_res->get('screen_id')][$vn_screen_locale_id = $qr_res->get('locale_id')]) {
$va_screens[$vn_screen_id][$vn_screen_locale_id] = $qr_res->getRow();
if ((bool) $va_screens[$vn_screen_id][$vn_screen_locale_id]['is_default']) {
$va_screens[$vn_screen_id][$vn_screen_locale_id]['isDefault'] = "◉";
}
$va_screens[$vn_screen_id][$vn_screen_locale_id]['numPlacements'] = sizeof($this->getScreenBundlePlacements($vn_screen_id));
}
if ($qr_res->get('restriction_type_id')) {
$vs_key_to_add = $t_instance instanceof BaseRelationshipModel ? 'type_code' : 'name_plural';
$va_screens[$vn_screen_id][$vn_screen_locale_id]['typeRestrictions'][$qr_res->get('restriction_type_id')] = $va_types[$qr_res->get('restriction_type_id')][$vs_key_to_add];
}
}
$va_screens_with_bundles = null;
if ((!isset($pa_options['showAll']) || !$pa_options['showAll']) && sizeof($va_screens)) {
// Get placements for all screens, so we can filter screens without placements
$qr_res = $o_db->query("\n\t\t\t\tSELECT screen_id, placement_id, bundle_name\n\t\t\t\tFROM ca_editor_ui_bundle_placements\n\t\t\t\tWHERE\n\t\t\t\t\tscreen_id IN (?)\n\t\t\t", array(array_keys($va_screens)));
$vs_table = $t_instance->tableName();
$va_screens_with_bundles = array();
while ($qr_res->nextRow()) {
$vn_screen_id = $qr_res->get('screen_id');
if (isset($va_screens_with_bundles[$vn_screen_id])) {
continue;
}
if (caGetBundleAccessLevel($vs_table, $qr_res->get('bundle_name')) != __CA_BUNDLE_ACCESS_NONE__) {
$va_screens_with_bundles[$vn_screen_id] = true;
}
}
}
foreach ($va_screens as $vn_screen_id => $va_screen_labels_by_locale) {
if (is_array($va_screens_with_bundles) && !isset($va_screens_with_bundles[$vn_screen_id])) {
unset($va_screens[$vn_screen_id]);
continue;
}
foreach ($va_screen_labels_by_locale as $vn_locale_id => $va_restriction_info) {
if (!is_array($va_screens[$vn_screen_id][$vn_locale_id]['typeRestrictions'])) {
continue;
}
$va_screens[$vn_screen_id][$vn_locale_id]['typeRestrictionsForDisplay'] = join(', ', $va_screens[$vn_screen_id][$vn_locale_id]['typeRestrictions']);
}
}
return caExtractValuesByUserLocale($va_screens);
}
