Example #1
 /**
  * Merges rights for multiple group memberships or templates
  * @param object $userobj
  * @param array $groups
  */
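 static function merge_rights($userobj, $groups, $primeObjects)
 {
     // $userobj      - administrator object being updated; read through getGroup(),
     //                 getRights(), getObjects() and getID(), written through the setters.
     // $groups       - list of group names; an empty name is replaced by a stand-in
     //                 object named 'template'.
     // $primeObjects - managed-object list the merge starts from.
     // Returns true when the group list or the object list changed, or when no group is
     // left and the rights changed.
     //
     // Security note: rights are combined with bitwise OR, so the result is the union of
     // the privileges of every group that loads. Group names that do not load are dropped
     // from the membership list without any error being reported.
     $templates = false;
     $objects = $primeObjects;
     $custom = array();
     $oldgroups = $userobj->getGroup();
     $oldrights = $userobj->getRights();
     $oldobjects = $userobj->getObjects();
     $rights = 0;
     foreach ($groups as $key => $groupname) {
         if (empty($groupname)) {
             // Empty name: build a stand-in named 'template' so the template branch can run.
             $group = new Zenphoto_Administrator('', 0);
             $group->setName('template');
         } else {
             $group = Zenphoto_Authority::newAdministrator($groupname, 0, false);
         }
         if (!$group->loaded) {
             // Not a known group: remove it from the membership list.
             unset($groups[$key]);
             continue;
         }
         if ($group->getName() == 'template') {
             // Templates contribute rights and objects but are not recorded as membership.
             unset($groups[$key]);
             if ($userobj->getID() > 0 && !$templates) {
                 // Existing user: restart from the stored rights and objects, once only.
                 // NOTE(review): this replaces whatever earlier entries in $groups had
                 // already accumulated, so the result depends on the order of $groups.
                 $templates = true;
                 $rights = $userobj->getRights();
                 $objects = $userobj->getObjects();
             }
         }
         $rights = $group->getRights() | $rights;
         $objects = array_merge($group->getObjects(), $objects);
         $custom[] = $group->getCustomData();
     }
     // Custom data is first come, first served; with no loaded group this passes NULL.
     $userobj->setCustomData(array_shift($custom));
     // Collapse duplicate objects (same type and data), OR-ing their 'edit' flags together.
     // serialize() is used only to build an array key; nothing is unserialized.
     $unique = array();
     foreach ($objects as $object) {
         $key = serialize(array('type' => $object['type'], 'data' => $object['data']));
         if (!array_key_exists($key, $unique)) {
             $unique[$key] = $object;
         } elseif (array_key_exists('edit', $object)) {
             // Explicit default instead of silencing the undefined-index notice with @.
             $previous = isset($unique[$key]['edit']) ? $unique[$key]['edit'] : 0;
             $unique[$key]['edit'] = $previous | $object['edit'];
         }
     }
     $objects = array_values($unique);
     $newgroups = implode(',', $groups);
     $userobj->setGroup($newgroups);
     $userobj->setRights($rights);
     $userobj->setObjects($objects);
     // A rights change only counts as an update when the user ends up in no group.
     return $newgroups != $oldgroups || $oldobjects != $objects || (empty($newgroups) && $rights != $oldrights);
 }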
Example #2
 /**
  * Returns the administration rights of a saved authorization code
  * Will promote an admin to ADMIN_RIGHTS if he is the most privileged admin
  *
  * @param string $authCode the hash code to check
  * @param int $id whom we think this is
  *
  * @return bit
  */
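 function checkAuthorization($authCode, $id)
 {
     // Resolves a saved authorization code to a rights bit mask and records the matching
     // administrator in $_zp_current_admin_obj. Returns 0 when nothing matches.
     //
     // $authCode is matched directly against the stored `pass` column, so it is
     // credential-equivalent. It is therefore kept out of the debug log in this method.
     //
     // NOTE(review): the header comment mentions promoting the most privileged admin to
     // ADMIN_RIGHTS; nothing in this body does that.
     global $_zp_current_admin_obj;
     if (DEBUG_LOGIN) {
         debugLogBacktrace("checkAuthorization([redacted], {$id})");
     }
     $admins = $this->getAdministrators();
     if (count($admins) === 0) {
         // NOTE(review): fail-open path. With no administrators on record every caller
         // gets ADMIN_RIGHTS through a placeholder admin flagged 'reset' (presumably for
         // first-time setup). Confirm that getAdministrators() cannot come back empty
         // because a lookup failed.
         if (DEBUG_LOGIN) {
             debugLog("checkAuthorization: no admins");
         }
         $_zp_current_admin_obj = new Zenphoto_Administrator('', 1);
         $_zp_current_admin_obj->set('id', 0);
         $_zp_current_admin_obj->reset = true;
         return ADMIN_RIGHTS;
     }
     if (is_object($_zp_current_admin_obj) && $_zp_current_admin_obj->reset) {
         // A current admin flagged 'reset' keeps its rights without any code check.
         if (DEBUG_LOGIN) {
             debugLog("checkAuthorization: reset request");
         }
         return $_zp_current_admin_obj->getRights();
     }
     $_zp_current_admin_obj = null;
     // Reject empty input up front so an empty stored password can never "match".
     if (empty($authCode) || empty($id)) {
         return 0;
     }
     if (DEBUG_LOGIN) {
         // NOTE(review): this dumps every administrator record. If those records carry
         // the `pass` value, the log holds credentials; confirm what
         // getAdministrators() returns.
         debugLogVar("checkAuthorization: admins", $admins);
     }
     // NOTE(review): $authCode goes into the criteria unchanged; confirm that getAnAdmin()
     // quotes or escapes criteria values before they reach the database.
     $criteria = array('`pass`=' => $authCode, '`id`=' => (int) $id, '`valid`=' => 1);
     $user = $this->getAnAdmin($criteria);
     if (is_object($user)) {
         $_zp_current_admin_obj = $user;
         $rights = $user->getRights();
         if (DEBUG_LOGIN) {
             // Log the account id rather than the authorization code.
             debugLog(sprintf('checkAuthorization: from id %1$d->%2$X', (int) $id, $rights));
         }
         return $rights;
     }
     // No match: leave no current admin behind and grant nothing.
     $_zp_current_admin_obj = null;
     if (DEBUG_LOGIN) {
         debugLog("checkAuthorization: no match");
     }
     return 0;
 }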
Example #3
 /**
  * This is the cookie processor filter handler
  * it invokes the child class check() method to see if there is a valid visitor to the site
  * The check() method should return "false" if there is no valid visitor or an array of
  * User information if there is one.
  *
  * If there is a valid user, the user name is checked against Zenphoto users. If such user exists
  * he will be automatically logged in. If no user by that userid exists a transient user will be
  * created and logged in. User details are filled in from the user information in the passed array.
  *
  * Most entries in the result array are simply stored into the user property of the same name. However,
  * there are some special handling items that may be present:
  * 	<ul>
  * 		<li>groups: an array of the user's group membership</li>
  * 		<li>objects: a Zenphoto "managed object list" array</li>
  * 		<li>album: the name of the user's primary album</li>
  * 		<li>logout_link: information that the plugin can use when a user logs out</li>
  *	</ul>
  *
  * All the above may be missing. However, if there is no groups entry, there needs to be an
  * entry for the user's rights otherwise he will have none. There should not be both a rights entry
  * and a groups entry as they are mutually exclusive.
  *
  * album and objects entries should come last in the list so all other properties are processed first as
  * these methods may modify other properties.
  *
  * @param BIT $authorized
  */
 function check($authorized)
 {
     // Maps a visitor reported by $this->user() onto an administrator object and returns
     // that object's rights. A truthy $authorized is returned unchanged.
     //
     // Trust boundary: everything in $result comes from the external authority behind
     // $this->user(). It decides which account is logged in and, for a transient user,
     // which properties, groups and rights that account gets.
     global $_zp_current_admin_obj;
     if (!$authorized) {
         // not logged in via normal Zenphoto handling
         if ($result = $this->user()) {
             $user = $result['user'];
             // An existing valid account is matched by user name alone; no local
             // credential is checked here, and that account's rights are returned below.
             $searchfor = array('`user`=' => $user, '`valid`=' => 1);
             $userobj = Zenphoto_Authority::getAnAdmin($searchfor);
             if (!$userobj) {
                 unset($result['id']);
                 unset($result['user']);
                 $authority = '';
                 // create a transient user
                 $userobj = new Zenphoto_Administrator('', 1);
                 $userobj->setUser($user);
                 // start with no rights, just in case none get set below
                 $userobj->setRights(NO_RIGHTS);
                 // Flag as external credentials for completeness:
                 // the list of things we got from the external authority
                 $properties = array_keys($result);
                 array_unshift($properties, $this->auth);
                 $userobj->setCredentials($properties);
                 // populate the user properties
                 // no group membership (yet)
                 $member = false;
                 foreach ($result as $key => $value) {
                     switch ($key) {
                         case 'authority':
                             // Kept as a suffix for the credentials list and removed from
                             // $result so it is not listed as a property after the loop.
                             $authority = '::' . $value;
                             unset($result['authority']);
                             break;
                         case 'groups':
                             // find the corresponding Zenphoto group (if it exists)
                             // Groups are looked up with `valid` = 0 (the user lookup above uses 1).
                             $rights = NO_RIGHTS;
                             $objects = array();
                             $groups = $value;
                             // This inner loop reuses $key. The switch has already
                             // dispatched on the outer value and a break follows, so the
                             // outer iteration is not affected.
                             foreach ($groups as $key => $group) {
                                 $groupobj = Zenphoto_Authority::getAnAdmin(array('`user`=' => $group, '`valid`=' => 0));
                                 if ($groupobj) {
                                     $member = true;
                                     // Rights are OR-ed: the user gets the union of all matched groups.
                                     $rights = $groupobj->getRights() | $rights;
                                     $objects = array_merge($groupobj->getObjects(), $objects);
                                     if ($groupobj->getName() == 'template') {
                                         // templates are not recorded as membership
                                         unset($groups[$key]);
                                     }
                                 } else {
                                     // unknown group names are dropped silently
                                     unset($groups[$key]);
                                 }
                             }
                             if ($member) {
                                 $userobj->setGroup(implode(',', $groups));
                                 $userobj->setRights($rights);
                                 $userobj->setObjects($objects);
                             }
                             break;
                         case 'defaultgroup':
                             // Applies only when no group matched, so it relies on 'groups'
                             // coming earlier in $result than 'defaultgroup'.
                             if (!$member && isset($result['defaultgroup'])) {
                                 // No Zenphoto group, use the default group
                                 $group = $result['defaultgroup'];
                                 $groupobj = Zenphoto_Authority::getAnAdmin(array('`user`=' => $group, '`valid`=' => 0));
                                 if ($groupobj) {
                                     $rights = $groupobj->getRights();
                                     $objects = $groupobj->getObjects();
                                     // NOTE(review): the group name is kept only when it IS a
                                     // template, the opposite of the 'groups' case above, which
                                     // drops templates from the membership list. Confirm intent.
                                     if ($groupobj->getName() != 'template') {
                                         $group = NULL;
                                     }
                                     $userobj->setGroup($group);
                                     $userobj->setRights($rights);
                                     $userobj->setObjects($objects);
                                 }
                             }
                             break;
                         case 'objects':
                             // NOTE(review): this stores $objects as left by the 'groups' or
                             // 'defaultgroup' case, not the $value supplied for this entry.
                             // $objects is undefined if neither case assigned it. Confirm.
                             $userobj->setObjects($objects);
                             break;
                         case 'album':
                             $userobj->createPrimealbum(false, $value);
                             break;
                         default:
                             // Every other entry is copied onto the user object under its
                             // own key, with no allow-list of property names in this method.
                             // NOTE(review): confirm that user() limits which keys, such as
                             // a rights entry, the external authority can supply.
                             $userobj->set($key, $value);
                             break;
                     }
                 }
                 // Record the credentials list again, now with the authority suffix and
                 // without the removed 'authority' entry.
                 $properties = array_keys($result);
                 array_unshift($properties, $this->auth . $authority);
                 $userobj->setCredentials($properties);
             }
             if (isset($result['logout_link'])) {
                 $userobj->logout_link = $result['logout_link'];
             }
             // The mapped or transient user becomes the current admin for this request.
             $_zp_current_admin_obj = $userobj;
             $authorized = $_zp_current_admin_obj->getRights();
         }
     }
     return $authorized;
 }