/**
 * Constructor
 *
 * Registers the four functions that make up this role: view, comment,
 * view_comments and add_children.
 *
 * @return void
 * @access public
 * @since 11/5/07
 */
public function __construct() {
    parent::__construct();
    $idMgr = Services::getService("Id");

    $functionIdStrings = array(
        "edu.middlebury.authorization.view",
        "edu.middlebury.authorization.comment",
        "edu.middlebury.authorization.view_comments",
        "edu.middlebury.authorization.add_children",
    );
    foreach ($functionIdStrings as $functionIdString) {
        $this->addFunction($idMgr->getId($functionIdString));
    }
}
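/**
 * Save a role for a hierarchy node
 *
 * The 'everyone' and 'institute' agents are never given the 'admin' role;
 * a request for it is downgraded to 'editor'. If the requested role is less
 * than or equal to the role the agent already holds implicitly via the
 * parent node, the explicit role authorizations at this node are cleared
 * rather than duplicated.
 *
 * @param object SiteComponent $component
 * @param object SegueRole $role
 * @return boolean Always true. A PermissionDeniedException raised while
 *		applying or clearing the role is caught and ignored, so a true
 *		result does not guarantee that the authorizations were changed.
 * @access public
 * @since 11/16/07
 */
public function saveRole(SiteComponent $component, SegueRole $role) {
    $roleMgr = SegueRoleManager::instance();
    $idMgr = Services::getService("Id");
    $agentId = $this->getAgentId();
    $componentId = $idMgr->getId($component->getId());

    // Ensure that Everyone or Institute are not set to admin
    $everyoneId = $idMgr->getId('edu.middlebury.agents.everyone');
    $instituteId = $idMgr->getId('edu.middlebury.institute');
    $isBroadGroup = $agentId->isEqual($everyoneId) || $agentId->isEqual($instituteId);
    if ($isBroadGroup && $role->getIdString() === 'admin') {
        $role = $roleMgr->getRole('editor');
    }

    // Find the role implicitly granted by the parent node, if there is one.
    $parentRole = null;
    $parent = $component->getParentComponent();
    if ($parent) {
        $parentRole = $roleMgr->getAgentsRole($agentId, $parent->getQualifierId(), true);
    }

    // Apply the role, or clear it if it is less than or equal to the implicitly given role.
    try {
        if ($parentRole !== null && $role->isLessThanOrEqualTo($parentRole)) {
            $roleMgr->clearRoleAZs($agentId, $componentId);
        } else {
            $role->apply($agentId, $componentId);
        }
    } catch (PermissionDeniedException $e) {
        // Best-effort by design: a denied change is not reported to the caller.
    }
    return true;
}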
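/**
 * Answer the agents that have roles that are greater than or equal to the role passed.
 *
 * An agent matches when it holds an explicit authorization at the qualifier
 * for every function in the role. Implicit (inherited) authorizations are not
 * considered. A role with no functions matches no agents.
 *
 * @param object SegueRole $role
 * @param object Id $rootQualifierId
 * @param optional boolean $overrideAzCheck If true, do not check AZs. Used by admin functions to force-set a role.
 * @return array An array of Id objects, in the order the agents were first seen
 * @throws PermissionDeniedException if $overrideAzCheck is false and the
 *		current user may not view authorizations at the qualifier.
 * @access public
 * @since 11/29/07
 */
public function getAgentsWithExplicitRoleAtLeast(SegueRole $role, Id $rootQualifierId, $overrideAzCheck = false) {
    $authZ = Services::getService("AuthZ");
    $idMgr = Services::getService("Id");

    if (!$overrideAzCheck) {
        if (!$authZ->isUserAuthorized($idMgr->getId("edu.middlebury.authorization.view_authorizations"), $rootQualifierId)) {
            throw new PermissionDeniedException("Cannot view authorizations here.");
        }
    }

    $qualifier = $authZ->getQualifier($rootQualifierId);
    $qualifierId = $qualifier->getId();

    // For each function in the role, build a set (keyed by agent id string)
    // of the agents that explicitly hold it at the qualifier. Keying by the
    // id string both de-duplicates and gives O(1) membership checks below.
    $agentsForFunctions = array();
    foreach ($role->getFunctions() as $functionId) {
        $agentSet = array();
        $explicitAZs = $authZ->getExplicitAZs(null, $functionId, $qualifierId);
        while ($explicitAZs->hasNext()) {
            $explicitAZ = $explicitAZs->next();
            $agentSet[$explicitAZ->getAgentId()->getIdString()] = true;
        }
        $agentsForFunctions[$functionId->getIdString()] = $agentSet;
    }

    // Nothing to intersect: a role with no functions matches nobody.
    if (!count($agentsForFunctions)) {
        return array();
    }

    // The agents that can do the first function are the candidates; keep
    // only those that can also do every other function in the role.
    $agentIds = array();
    foreach (array_keys(reset($agentsForFunctions)) as $agentIdString) {
        $hasAllFunctions = true;
        foreach ($agentsForFunctions as $agentSet) {
            if (!isset($agentSet[$agentIdString])) {
                $hasAllFunctions = false;
                break;
            }
        }
        if ($hasAllFunctions) {
            $agentIds[] = $idMgr->getId($agentIdString);
        }
    }
    return $agentIds;
}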
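/**
 * Set authorizations to apply this role for an Agent at a Qualifier.
 *
 * Explicit Authorizations for the Agent at the Qualifier will be removed
 * and added in order to apply the role.
 *
 * Implicit Authorizations will not be changed.
 *
 * For the 'everyone' agent this role is split: 'everyone' receives only the
 * view and view_comments functions, while the comment function is given to
 * the 'users' group so that anonymous visitors cannot post. Search for the
 * string 'only-logged-in-can-edit' to find other code that makes this
 * effect happen. Any other agent is handled by the parent implementation.
 *
 * @param object Id $agentId
 * @param object Id $qualifierId
 * @param optional boolean $overrideAzCheck If true, do not check AZs. Used by admin functions to force-set a role; only pass true from code that has already established the user's authority.
 * @return void
 * @throws PermissionDeniedException if $overrideAzCheck is false and the
 *		current user may not modify authorizations at the qualifier.
 * @access public
 * @since 11/5/07
 */
public function apply(Id $agentId, Id $qualifierId, $overrideAzCheck = false) {
    $authZ = Services::getService("AuthZ");
    $idMgr = Services::getService("Id");
    $everyoneId = $idMgr->getId('edu.middlebury.agents.everyone');

    // Only the 'everyone' agent gets the view/comment split below.
    if (!$agentId->isEqual($everyoneId)) {
        return parent::apply($agentId, $qualifierId, $overrideAzCheck);
    }

    if (!$overrideAzCheck) {
        if (!$authZ->isUserAuthorized($idMgr->getId("edu.middlebury.authorization.modify_authorizations"), $qualifierId)) {
            throw new PermissionDeniedException("Cannot modify authorizations here.");
        }
    }

    /*********************************************************
     * only-logged-in-can-edit
     *
     * Give the view and view_comments authorizations to the 'everyone'
     * group and the 'comment' authorization to the 'users' group to
     * prevent anonymous posting.
     *********************************************************/
    $this->applyRoleFunctionsToGroup($everyoneId, $qualifierId, array(
        $idMgr->getId("edu.middlebury.authorization.view"),
        $idMgr->getId("edu.middlebury.authorization.view_comments"),
    ));

    $usersId = $idMgr->getId('edu.middlebury.agents.users');
    $this->applyRoleFunctionsToGroup($usersId, $qualifierId, array(
        $idMgr->getId("edu.middlebury.authorization.comment"),
    ));
    /*********************************************************
     * End only-logged-in-can-edit
     *********************************************************/
}

/**
 * Give a group explicit authorizations for the given functions at a qualifier.
 *
 * Existing explicit authorizations of the group at the qualifier whose function
 * conflicts with this role are deleted; functions that this role does not know
 * about are left untouched. Functions of this role that the group already
 * holds are collected and passed along so they are not added twice.
 *
 * @param object Id $groupId
 * @param object Id $qualifierId
 * @param array $functionIds Id objects of the functions to authorize
 * @return void
 * @access private
 */
private function applyRoleFunctionsToGroup(Id $groupId, Id $qualifierId, array $functionIds) {
    $authZ = Services::getService("AuthZ");

    // Delete conflicting functions. We leave functions that the roles don't know about.
    $existing = array();
    $authorizations = $authZ->getExplicitAZs($groupId, null, $qualifierId, true);
    while ($authorizations->hasNext()) {
        $authorization = $authorizations->next();
        $functionId = $authorization->getFunction()->getId();
        if ($this->functionConflicts($functionId)) {
            $authZ->deleteAuthorization($authorization);
        } else if ($this->hasFunction($functionId)) {
            $existing[] = $functionId;
        }
    }

    // Add in new needed functions
    foreach ($functionIds as $functionId) {
        $this->addAuthorizationForFunction($groupId, $functionId, $qualifierId, $existing);
    }
}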
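/**
 * Answer true if this role is equal to the role passed
 *
 * Roles are compared by their id string only.
 *
 * @param object SegueRole $role
 * @return boolean
 * @access public
 * @since 11/5/07
 */
public function isEqualTo(SegueRole $role) {
    // Strict comparison; assumes getIdString() returns a string on both sides.
    return $role->getIdString() === $this->getIdString();
}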