/** * Set authorizations to apply this role for an Agent at a Qualifier. * * Explicit Authorizations for the Agent at the Qualifier will be removed * and added in order to apply the role. * * Implicit Authorizations will not be changed. * * @param object Id $agentId * @param object Id $qualifierId * @param optional boolean $overrideAzCheck If true, not not check AZs. Used by admin functions to force-set a role. * @return void * @access public * @since 11/5/07 */ public function apply(Id $agentId, Id $qualifierId, $overrideAzCheck = false) { $authZ = Services::getService("AuthZ"); $idMgr = Services::getService("Id"); $everyoneId = $idMgr->getId('edu.middlebury.agents.everyone'); if (!$agentId->isEqual($everyoneId)) { return parent::apply($agentId, $qualifierId, $overrideAzCheck); } if (!$overrideAzCheck) { if (!$authZ->isUserAuthorized($idMgr->getId("edu.middlebury.authorization.modify_authorizations"), $qualifierId)) { throw new PermissionDeniedException("Cannot modify authorizations here."); } } /********************************************************* * For this role, give the view and view_comments authorizations to * the 'everyone' group and the 'comment' authorization to * the 'users' group to prevent anonymous posting. * * Search for the string 'only-logged-in-can-edit' to find other code that * makes this effect happen. *********************************************************/ // Run through the Authorizations for the 'everyone' group $authorizations = $authZ->getExplicitAZs($everyoneId, null, $qualifierId, true); // Delete Conflicting functions. We leave functions that the roles don't know about. $existing = array(); while ($authorizations->hasNext()) { $authorization = $authorizations->next(); if ($this->functionConflicts($authorization->getFunction()->getId())) { $authZ->deleteAuthorization($authorization); } else { if ($this->hasFunction($authorization->getFunction()->getId())) { $existing[] = $authorization->getFunction()->getId(); } } } // Add in new needed functions $this->addAuthorizationForFunction($everyoneId, $idMgr->getId("edu.middlebury.authorization.view"), $qualifierId, $existing); $this->addAuthorizationForFunction($everyoneId, $idMgr->getId("edu.middlebury.authorization.view_comments"), $qualifierId, $existing); // Run through the Authorizations for the 'users' group $usersId = $idMgr->getId('edu.middlebury.agents.users'); $authorizations = $authZ->getExplicitAZs($usersId, null, $qualifierId, true); // Delete Conflicting functions. We leave functions that the roles don't know about. $existing = array(); while ($authorizations->hasNext()) { $authorization = $authorizations->next(); if ($this->functionConflicts($authorization->getFunction()->getId())) { $authZ->deleteAuthorization($authorization); } else { if ($this->hasFunction($authorization->getFunction()->getId())) { $existing[] = $authorization->getFunction()->getId(); } } } // Add in new needed functions $this->addAuthorizationForFunction($usersId, $idMgr->getId("edu.middlebury.authorization.comment"), $qualifierId, $existing); /********************************************************* * End only-logged-in-can-edit *********************************************************/ }