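/**
 * Initialise the permission manager for the security context currently held by kCurrentContext.
 *
 * kCurrentContext::initKsPartnerUser must have been executed first, because partner, user and
 * KS values are copied from kCurrentContext rather than passed in. The method may run several
 * times per process (multirequest with different contexts); a repeated call for the same
 * (partner_id, ks) pair only re-applies the cache watcher and returns early.
 *
 * @param bool|null $useCache truthy to enable the cache; stored as a strict boolean
 * @return bool|null true after a full initialisation, no value (null) when the context was already initialised
 * @throws Exception when kCurrentContext has not been initialised
 * @throws kCoreException with code PARTNER_BLOCKED when the admin console partner is used from an
 *                        address outside the 'admin_console_partner_allowed_ips' allowlist
 * TODO: list the exceptions raised by the errorIf*() and init*() helpers called below.
 */
public static function init($useCache = null)
{
    $securityContext = array(kCurrentContext::$partner_id, kCurrentContext::$ks);
    if ($securityContext === self::$lastInitializedContext) {
        KalturaLog::log('Already initalized for this security context');
        self::$cacheWatcher->apply();
        return;
    }

    // kCurrentContext must be populated first: every value below is copied from it
    if (!kCurrentContext::$ksPartnerUserInitialized) {
        KalturaLog::crit('kCurrentContext::initKsPartnerUser must be executed before initializing kPermissionManager');
        // the code argument is omitted (it defaults to 0) instead of passing null to an int parameter
        throw new Exception('kCurrentContext has not been initialized!');
    }

    // can be initialized more than once to support multirequest with different kCurrentContext parameters;
    // the marker is cleared here so that a failure below never leaves a stale "initialised" state behind
    self::$lastInitializedContext = null;
    self::$cacheWatcher = new kApiCacheWatcher();
    self::$useCache = (bool) $useCache;

    // copy kCurrentContext parameters (kCurrentContext::init should have been executed before)
    self::$requestedPartnerId = !self::isEmpty(kCurrentContext::$partner_id) ? kCurrentContext::$partner_id : null;
    self::$ksPartnerId = !self::isEmpty(kCurrentContext::$ks_partner_id) ? kCurrentContext::$ks_partner_id : null;

    // Source-address allowlist for the admin console partner. It is enforced only when the
    // 'admin_console_partner_allowed_ips' parameter exists; without it no address restriction applies.
    // The check runs before the KS validity check further down.
    if (self::$ksPartnerId == Partner::ADMIN_CONSOLE_PARTNER_ID && kConf::hasParam('admin_console_partner_allowed_ips')) {
        // NOTE(review): REMOTE_ADDR is the direct TCP peer. Behind a reverse proxy or load balancer this
        // may be the proxy address for every request - confirm the deployment exposes the real client here.
        $remoteAddr = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : null;
        $ipAllowed = false;

        // fail closed when no peer address is available (e.g. a non-web invocation)
        if (is_string($remoteAddr) && $remoteAddr !== '') {
            $ipRanges = explode(',', kConf::get('admin_console_partner_allowed_ips'));
            foreach ($ipRanges as $curRange) {
                // tolerate "a, b" style lists and skip empty entries (trailing comma), so that a
                // blank entry is never handed to the range matcher
                $curRange = trim($curRange);
                if ($curRange === '') {
                    continue;
                }
                if (kIpAddressUtils::isIpInRange($remoteAddr, $curRange)) {
                    $ipAllowed = true;
                    break;
                }
            }
        }

        if (!$ipAllowed) {
            throw new kCoreException("Admin console partner used from an unallowed address", kCoreException::PARTNER_BLOCKED);
        }
    }

    self::$ksUserId = !self::isEmpty(kCurrentContext::$ks_uid) ? kCurrentContext::$ks_uid : null;

    // the kuser object is not loaded for the batch partner
    if (self::$ksPartnerId != Partner::BATCH_PARTNER_ID) {
        $currentKuser = kCurrentContext::getCurrentKsKuser();
        self::$kuser = !self::isEmpty($currentKuser) ? $currentKuser : null;
    }

    self::$ksString = kCurrentContext::$ks ? kCurrentContext::$ks : null;
    self::$adminSession = !self::isEmpty(kCurrentContext::$is_admin_session) ? kCurrentContext::$is_admin_session : false;

    // if ks defined - check that it is valid
    self::errorIfKsNotValid();

    // init partner, user, and role objects
    self::initPartnerUserObjects();

    // throw an error if KS partner (operating partner) is blocked
    self::errorIfPartnerBlocked();

    // throw an error if KS user is blocked
    self::errorIfUserBlocked();

    // init role ids
    self::initRoleIds();

    // init permissions map
    self::initPermissionsMap();

    // initialization done: only now is the context recorded as initialised
    self::$lastInitializedContext = $securityContext;
    self::$cacheWatcher->stop();

    return true;
}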