/** * This is a static helper function which retrieves a single given privilege * at a content object, identified by the combination of assignee and privilege * name. * * This call will return an object even if the privilege is set to INHERITED at * the given object (i.e. does not exist) for consistency reasons. Errors are * thrown for example on database inconsistencies. * * This function is for use in the authentication framework only and may only * be called statically. * * @param object $object The object to query. * @param string $name The name of the privilege to query * @param string $assignee The identifier of the assignee to query. * @param string $classname The optional classname required only for class-limited SELF privileges. * @return midcom_core_privilege The privilege matching the constraints. */ public static function get_privilege($object, $name, $assignee, $classname = '') { $qb = new midgard_query_builder('midcom_core_privilege_db'); $qb->add_constraint('objectguid', '=', $object->guid); $qb->add_constraint('privilegename', '=', $name); $qb->add_constraint('assignee', '=', $assignee); $qb->add_constraint('classname', '=', $classname); $result = @$qb->execute(); if (!$result) { $result = array(); } if (count($result) > 1) { midcom::get('auth')->request_sudo('midcom.core'); debug_add('A DB inconsistency has been detected. There is more then one record for privilege specified. Deleting all excess records after the first one!', MIDCOM_LOG_ERROR); debug_print_r('Content Object:', $object); debug_add("Privilege {$name} for assignee {$assignee} with classname {$classname} was queried.", MIDCOM_LOG_INFO); debug_print_r('Resultset was:', $result); while (count($result) > 1) { $privilege = array_pop($result); $privilege->delete(); } midcom::get('auth')->drop_sudo(); } else { if (count($result) == 0) { // No such privilege stored, return non-persistent one $privilege = new midcom_core_privilege(); $privilege->set_object($object); $privilege->set_assignee($assignee); $privilege->privilegename = $name; if (!is_null($classname)) { $privilege->classname = $classname; } $privilege->value = MIDCOM_PRIVILEGE_INHERIT; return $privilege; } } return new midcom_core_privilege($result[0]); }
/** * This helper function will create a new privilege object for the object in question. * It will initialize the privilege with the values given in the arguments, as outlined * below. * * This call requires the <i>midgard:privileges</i> privilege. * * @param midcom_core_dbaobject $object The DBA object we're working on * @param string $name The name of the privilege to add. * @param int $value The privilege value, this defaults to MIDCOM_PRIVILEGE_ALLOW. * @param mixed $assignee A valid assignee suitable for midcom_core_privilege::set_privilege(). This defaults to the currently * active user if authenticated or to 'EVERYONE' otherwise. * @param string $classname An optional class name to which a SELF privilege gets restricted to. Only valid for SELF privileges. * @return midcom_core_privilege The newly created privilege record or false on failure. */ public static function create_new_privilege_object(midcom_core_dbaobject $object, $name, $assignee = null, $value = MIDCOM_PRIVILEGE_ALLOW, $classname = '') { if (!$object->can_do('midgard:privileges')) { debug_add('Could not create a new privilege, permission denied.', MIDCOM_LOG_WARN); return false; } if ($assignee === null) { if (midcom::get('auth')->user === null) { $assignee = 'EVERYONE'; } else { $assignee =& midcom::get('auth')->user; } } $privilege = new midcom_core_privilege(); if (!$privilege->set_assignee($assignee)) { debug_add('Failed to set the assignee, aborting.', MIDCOM_LOG_INFO); return false; } $privilege->set_object($object); $privilege->privilegename = $name; $privilege->value = $value; $privilege->classname = $classname; if (!$privilege->validate()) { debug_add('Failed to validate the newly created privilege.', MIDCOM_LOG_INFO); return false; } return $privilege; }