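 /**
  * Retrieves a single privilege record at a content object, identified by the
  * combination of assignee and privilege name (plus an optional class
  * restriction, used only for class-limited SELF privileges).
  *
  * For consistency this always returns an object: when no record is stored at
  * the given object, a non-persistent privilege with the value
  * MIDCOM_PRIVILEGE_INHERIT is returned. When more than one record matches, a
  * DB inconsistency is logged and all records after the first one are deleted
  * under 'midcom.core' sudo; the first record is then returned. Errors may be
  * thrown by the underlying query, e.g. on database inconsistencies.
  *
  * This function is for use in the authentication framework only and may only
  * be called statically.
  *
  * @param object $object The object to query.
  * @param string $name The name of the privilege to query
  * @param string $assignee The identifier of the assignee to query.
  * @param string $classname The optional classname required only for class-limited SELF privileges.
  * @return midcom_core_privilege The privilege matching the constraints.
  */
 public static function get_privilege($object, $name, $assignee, $classname = '')
 {
     $qb = new midgard_query_builder('midcom_core_privilege_db');
     $qb->add_constraint('objectguid', '=', $object->guid);
     $qb->add_constraint('privilegename', '=', $name);
     $qb->add_constraint('assignee', '=', $assignee);
     $qb->add_constraint('classname', '=', $classname);
     // NOTE(review): the '@' is kept from the original; presumably execute()
     // can emit a warning on an empty result set — confirm before removing it.
     $result = @$qb->execute();
     if (!$result) {
         // A failed query is treated like "nothing stored" and falls through
         // to the INHERIT branch below.
         $result = array();
     }

     if (count($result) === 0) {
         // No such privilege stored, return a non-persistent INHERIT one
         $privilege = new midcom_core_privilege();
         $privilege->set_object($object);
         $privilege->set_assignee($assignee);
         $privilege->privilegename = $name;
         if ($classname !== null) {
             $privilege->classname = $classname;
         }
         $privilege->value = MIDCOM_PRIVILEGE_INHERIT;
         return $privilege;
     }

     if (count($result) > 1) {
         debug_add('A DB inconsistency has been detected. There is more then one record for privilege specified. Deleting all excess records after the first one!', MIDCOM_LOG_ERROR);
         debug_print_r('Content Object:', $object);
         debug_add("Privilege {$name} for assignee {$assignee} with classname {$classname} was queried.", MIDCOM_LOG_INFO);
         debug_print_r('Resultset was:', $result);
         // Deleting privilege records needs elevated rights. Only attempt the
         // cleanup when sudo was actually granted, and release it right after
         // so the elevated scope stays as narrow as possible.
         if (midcom::get('auth')->request_sudo('midcom.core')) {
             while (count($result) > 1) {
                 // array_pop removes from the end, so the first record survives.
                 $privilege = array_pop($result);
                 $privilege->delete();
             }
             midcom::get('auth')->drop_sudo();
         } else {
             debug_add('Could not acquire sudo, leaving the excess privilege records in place.', MIDCOM_LOG_WARN);
         }
     }

     return new midcom_core_privilege($result[0]);
 }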
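 /**
  * Creates a new privilege object for the object in question and initializes
  * it with the values given in the arguments, as outlined below. The privilege
  * is validated but this call does not persist it.
  *
  * This call requires the <i>midgard:privileges</i> privilege on $object;
  * without it nothing is created and false is returned.
  *
  * @param midcom_core_dbaobject $object The DBA object we're working on
  * @param string $name The name of the privilege to add.
  * @param mixed $assignee A valid assignee suitable for midcom_core_privilege::set_assignee(). This defaults to the currently
  *     active user if authenticated or to 'EVERYONE' otherwise.
  * @param int $value The privilege value, this defaults to MIDCOM_PRIVILEGE_ALLOW.
  * @param string $classname An optional class name to which a SELF privilege gets restricted to. Only valid for SELF privileges.
  * @return midcom_core_privilege|false The newly created privilege record, or false on permission denial,
  *     assignee rejection or validation failure (the reason is written to the debug log).
  */
 public static function create_new_privilege_object(midcom_core_dbaobject $object, $name, $assignee = null, $value = MIDCOM_PRIVILEGE_ALLOW, $classname = '')
 {
     // Authorization check comes first: only holders of midgard:privileges on
     // this object may attach new privileges to it.
     if (!$object->can_do('midgard:privileges')) {
         debug_add('Could not create a new privilege, permission denied.', MIDCOM_LOG_WARN);
         return false;
     }

     if ($assignee === null) {
         $user = midcom::get('auth')->user;
         // Unauthenticated callers fall back to the EVERYONE assignee.
         $assignee = ($user === null) ? 'EVERYONE' : $user;
     }

     $privilege = new midcom_core_privilege();
     if (!$privilege->set_assignee($assignee)) {
         debug_add('Failed to set the assignee, aborting.', MIDCOM_LOG_INFO);
         return false;
     }
     $privilege->set_object($object);
     $privilege->privilegename = $name;
     $privilege->value = $value;
     $privilege->classname = $classname;

     if (!$privilege->validate()) {
         debug_add('Failed to validate the newly created privilege.', MIDCOM_LOG_INFO);
         return false;
     }
     return $privilege;
 }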