Пример #1
 /**
  * Constructor.
  *
  * Registers the four authorization functions that make up this role, in
  * this order: view, comment, view_comments, add_children.
  *
  * @return void
  * @access public
  * @since 11/5/07
  */
 public function __construct()
 {
     parent::__construct();

     $idManager = Services::getService("Id");
     $functionIdStrings = array(
         "edu.middlebury.authorization.view",
         "edu.middlebury.authorization.comment",
         "edu.middlebury.authorization.view_comments",
         "edu.middlebury.authorization.add_children",
     );
     // Each id string is resolved to an Id object and registered in list order.
     foreach ($functionIdStrings as $functionIdString) {
         $this->addFunction($idManager->getId($functionIdString));
     }
 }
Пример #2
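 /**
  * Save a role for a hierarchy node
  *
  * The role is saved for the agent returned by $this->getAgentId().
  * The 'everyone' and 'institute' agents are never given the 'admin' role:
  * a request to do so is saved as 'editor' instead. When the role found at
  * the parent component is already at least as strong as the requested one,
  * the explicit authorizations at this node are cleared rather than
  * duplicated.
  *
  * @param object SiteComponent $component
  * @param object SegueRole $role
  * @return boolean True if the role was applied or cleared, false if the
  *      change was refused with a PermissionDeniedException.
  * @access public
  * @since 11/16/07
  */
 public function saveRole(SiteComponent $component, SegueRole $role)
 {
     $roleMgr = SegueRoleManager::instance();
     $idMgr = Services::getService("Id");
     $agentId = $this->getAgentId();
     $componentId = $idMgr->getId($component->getId());
     // Ensure that Everyone or Institute are not set to admin
     $everyoneId = $idMgr->getId('edu.middlebury.agents.everyone');
     $instituteId = $idMgr->getId('edu.middlebury.institute');
     if ($agentId->isEqual($everyoneId) || $agentId->isEqual($instituteId)) {
         if ($role->getIdString() == 'admin') {
             $role = $roleMgr->getRole('editor');
         }
     }
     // Find the parent node.
     $parentRole = null;
     $parent = $component->getParentComponent();
     if ($parent) {
         // NOTE(review): the third argument (true) is presumably the
         // overrideAzCheck flag of getAgentsRole() -- confirm against
         // SegueRoleManager.
         $parentRole = $roleMgr->getAgentsRole($agentId, $parent->getQualifierId(), true);
     }
     // Apply the role or clear it if it is less than the implicitly given role.
     try {
         if ($parentRole !== null && $role->isLessThanOrEqualTo($parentRole)) {
             $roleMgr->clearRoleAZs($agentId, $componentId);
         } else {
             $role->apply($agentId, $componentId);
         }
     } catch (PermissionDeniedException $e) {
         // The change was refused, so nothing was saved. Report that to the
         // caller instead of claiming success; the exception is still not
         // propagated, so a caller saving several roles in a loop can go on.
         return false;
     }
     return true;
 }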
Пример #3
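 /**
  * Answer the agents that have roles that are greater than or equal to the role passed.
  *
  * An agent matches when it has an explicit authorization at the qualifier
  * for every function in the role. A role without functions matches no agent.
  *
  * @param object SegueRole $role
  * @param object Id $rootQualifierId
  * @param optional boolean $overrideAzCheck If true, do not check AZs. Used by admin functions to force-set a role.
  *      Passing true skips the view_authorizations check entirely, so the
  *      value should be fixed by trusted calling code and never derived from
  *      request input.
  * @return array An array of Id objects
  * @throws PermissionDeniedException If the check is not overridden and the
  *      current user is not authorized to view authorizations at the qualifier.
  * @access public
  * @since 11/29/07
  */
 public function getAgentsWithExplicitRoleAtLeast(SegueRole $role, Id $rootQualifierId, $overrideAzCheck = false)
 {
     $authZ = Services::getService("AuthZ");
     $idMgr = Services::getService("Id");
     if (!$overrideAzCheck) {
         if (!$authZ->isUserAuthorized($idMgr->getId("edu.middlebury.authorization.view_authorizations"), $rootQualifierId)) {
             throw new PermissionDeniedException("Cannot view authorizations here.");
         }
     }
     $qualifierId = $authZ->getQualifier($rootQualifierId)->getId();

     // Build up an array of what agents can do each function
     $agentsForFunctions = array();
     foreach ($role->getFunctions() as $functionId) {
         $functionKey = $functionId->getIdString();
         $agentsForFunctions[$functionKey] = array();
         $explicitAZs = $authZ->getExplicitAZs(null, $functionId, $qualifierId);
         while ($explicitAZs->hasNext()) {
             $agentsForFunctions[$functionKey][] = $explicitAZs->next()->getAgentId()->getIdString();
         }
     }

     // A role without functions has no first list to start from; without
     // this guard the loop below would iterate over false and raise a warning.
     if (!count($agentsForFunctions)) {
         return array();
     }

     // Loop through the agents that can do the first function, if they can
     // do all the others, then they match the role and can be added to the master list.
     $agentIdStrings = array();
     foreach (reset($agentsForFunctions) as $agentIdString) {
         $hasAllFunctions = true;
         foreach ($agentsForFunctions as $agentsForFunction) {
             // Strict comparison: with loose comparison two different
             // numeric-looking id strings (e.g. "007" and "7") would be
             // treated as the same agent.
             if (!in_array($agentIdString, $agentsForFunction, true)) {
                 $hasAllFunctions = false;
                 break;
             }
         }
         if ($hasAllFunctions) {
             $agentIdStrings[] = $agentIdString;
         }
     }

     // An agent listed twice for the first function is reported once.
     $agentIds = array();
     foreach (array_unique($agentIdStrings) as $idString) {
         $agentIds[] = $idMgr->getId($idString);
     }
     return $agentIds;
 }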
 /**
  * Set authorizations to apply this role for an Agent at a Qualifier.
  *
  * Explicit Authorizations for the Agent at the Qualifier will be removed
  * and added in order to apply the role.
  * 
  * Implicit Authorizations will not be changed.
  *
  * Any agent other than 'everyone' is handed to the parent implementation.
  * For 'everyone' the role is split over two groups: 'everyone' gets view
  * and view_comments, 'users' gets comment.
  * 
  * @param object Id $agentId
  * @param object Id $qualifierId
  * @param optional boolean $overrideAzCheck If true, do not check AZs. Used by admin functions to force-set a role.
  *      Passing true skips the modify_authorizations check below, so the
  *      value should be fixed by trusted calling code and never derived from
  *      request input.
  * @return void
  * @throws PermissionDeniedException If the check is not overridden and the
  *      current user is not authorized to modify authorizations at the qualifier.
  * @access public
  * @since 11/5/07
  */
 public function apply(Id $agentId, Id $qualifierId, $overrideAzCheck = false)
 {
     $authZ = Services::getService("AuthZ");
     $idMgr = Services::getService("Id");
     $everyoneId = $idMgr->getId('edu.middlebury.agents.everyone');
     // Only the 'everyone' agent needs the special handling below; the
     // override flag is passed through unchanged for all other agents.
     if (!$agentId->isEqual($everyoneId)) {
         return parent::apply($agentId, $qualifierId, $overrideAzCheck);
     }
     // Authorization gate for the 'everyone' path: checked before any
     // authorization is deleted or added.
     if (!$overrideAzCheck) {
         if (!$authZ->isUserAuthorized($idMgr->getId("edu.middlebury.authorization.modify_authorizations"), $qualifierId)) {
             throw new PermissionDeniedException("Cannot modify authorizations here.");
         }
     }
     /*********************************************************
      * For this role, give the view and view_comments authorizations to 
      * the 'everyone' group and the 'comment' authorization to
      * the 'users' group to prevent anonymous posting.
      *
      * Search for the string 'only-logged-in-can-edit' to find other code that
      * makes this effect happen.
      *********************************************************/
     // NOTE(review): the deletes and adds below are separate calls and no
     // transaction is visible here; if one of them throws part-way, the
     // changes already made appear to stay in place -- confirm with AuthZ.
     // Run through the Authorizations for the 'everyone' group
     // NOTE(review): the meaning of the fourth argument (true) is not
     // visible here -- confirm against getExplicitAZs().
     $authorizations = $authZ->getExplicitAZs($everyoneId, null, $qualifierId, true);
     // Delete Conflicting functions. We leave functions that the roles don't know about.
     // $existing collects the functions of this role that are already
     // granted; it is handed to addAuthorizationForFunction() below.
     $existing = array();
     while ($authorizations->hasNext()) {
         $authorization = $authorizations->next();
         if ($this->functionConflicts($authorization->getFunction()->getId())) {
             $authZ->deleteAuthorization($authorization);
         } else {
             if ($this->hasFunction($authorization->getFunction()->getId())) {
                 $existing[] = $authorization->getFunction()->getId();
             }
         }
     }
     // Add in new needed functions
     $this->addAuthorizationForFunction($everyoneId, $idMgr->getId("edu.middlebury.authorization.view"), $qualifierId, $existing);
     $this->addAuthorizationForFunction($everyoneId, $idMgr->getId("edu.middlebury.authorization.view_comments"), $qualifierId, $existing);
     // Run through the Authorizations for the 'users' group
     $usersId = $idMgr->getId('edu.middlebury.agents.users');
     $authorizations = $authZ->getExplicitAZs($usersId, null, $qualifierId, true);
     // Delete Conflicting functions. We leave functions that the roles don't know about.
     // Same pass as for 'everyone', now over the 'users' group; $existing
     // is restarted so it only describes this group.
     $existing = array();
     while ($authorizations->hasNext()) {
         $authorization = $authorizations->next();
         if ($this->functionConflicts($authorization->getFunction()->getId())) {
             $authZ->deleteAuthorization($authorization);
         } else {
             if ($this->hasFunction($authorization->getFunction()->getId())) {
                 $existing[] = $authorization->getFunction()->getId();
             }
         }
     }
     // Add in new needed functions
     // 'comment' goes to 'users' rather than 'everyone'.
     $this->addAuthorizationForFunction($usersId, $idMgr->getId("edu.middlebury.authorization.comment"), $qualifierId, $existing);
     /*********************************************************
      * End only-logged-in-can-edit
      *********************************************************/
 }
Пример #5
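 /**
  * Answer true if this role is equal to the role passed
  *
  * Two roles are equal when their id strings are identical. The comparison
  * is strict, so numeric-looking ids that differ as text (e.g. "1e1" and
  * "10") are not treated as the same role.
  * 
  * @param object SegueRole $role
  * @return boolean
  * @access public
  * @since 11/5/07
  */
 public function isEqualTo(SegueRole $role)
 {
     return $role->getIdString() === $this->getIdString();
 }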