protected function setUser(User $user)
{
$this->user = $user;
$_SESSION['userID'] = $user->getUserID();
$_SESSION['auth_userID'] = $user->getUserID();
$_SESSION['auth'] = $user->getAuthenticationAuthorityIndex();
$_SESSION['ping'] = time();
}
/**
* sets the active user
* @param User $user
*/
private function setUser(User $user) {
if ($auth = $user->getAuthenticationAuthorityIndex()) {
$this->users[$auth] = $user;
$this->setSessionVars();
}
}
public function userIsMember(User $user)
{
//by definition LDAP groups can only contain users from the same authority
if ($user->getAuthenticationAuthorityIndex() == $this->getAuthenticationAuthorityIndex()) {
if (in_array($user->getAttribute($this->AuthenticationAuthority->getField('memberuid')), $this->members)) {
return true;
}
}
return false;
}
/**
* Sees if the given user matches the rule
* @param User $user a valid user object
* @return mixed, the action if the user matches the rule or false if the rule did not match
*/
public function evaluateForUser(User $user)
{
switch ($this->ruleScope) {
case self::RULE_SCOPE_USER:
/* if the value is all then see if the userID is set
this will NOT match an anonymous user
*/
if ($this->ruleAuthority) {
if ($user->getAuthenticationAuthorityIndex() == $this->ruleAuthority) {
/* can match either userID or email */
if ($this->ruleValue == self::RULE_VALUE_ALL) {
if ($user->getUserID()) {
return $this->ruleAction;
}
} else {
if ($user->getUserID() == $this->ruleValue || Validator::isValidEmail($this->ruleValue) && $user->getEmail() == $this->ruleValue) {
return $this->ruleAction;
}
}
}
} elseif ($this->ruleValue == self::RULE_VALUE_ALL) {
if ($user->getUserID()) {
return $this->ruleAction;
}
} else {
if ($user->getUserID() == $this->ruleValue || Validator::isValidEmail($this->ruleValue) && $user->getEmail() == $this->ruleValue) {
return $this->ruleAction;
}
}
break;
case self::RULE_SCOPE_GROUP:
/* Note: a group value of ALL is not valid */
if ($authority = AuthenticationAuthority::getAuthenticationAuthority($this->ruleAuthority)) {
if ($group = $authority->getGroup($this->ruleValue)) {
/* see if the user is a member of the group */
if ($group->userIsMember($user)) {
return $this->ruleAction;
}
}
}
break;
case self::RULE_SCOPE_EVERYONE:
/* always matches */
return $this->ruleAction;
break;
}
return false;
}
/**
* Logs in the user
* @param User $user
* @return User
*/
public function login(User $user)
{
Kurogo::log(LOG_NOTICE, sprintf("Logging in user %s:%s", $user->getAuthenticationAuthorityIndex(), $user->getUserID()), 'session');
session_regenerate_id(true);
$this->setUser($user);
$this->setLoginCookie();
return $user;
}
public function userIsMember(User $user)
{
$property = $this->AuthenticationAuthority->getField('group_groupmember');
if ($this->AuthenticationAuthority->getField('groupmember_authority')) {
$sql = sprintf("SELECT * FROM `%s` WHERE %s=? AND %s=? AND %s=?", $this->AuthenticationAuthority->getTable('groupmembers'), $this->AuthenticationAuthority->getField('groupmember_group'), $this->AuthenticationAuthority->getField('groupmember_authority'), $this->AuthenticationAuthority->getField('groupmember_user'));
$parameters = array($this->{$property}, $user->getAuthenticationAuthorityIndex(), $user->getUserID());
} elseif ($user->getAuthenticationAuthorityIndex() == $this->getAuthenticationAuthorityIndex()) {
//if we don't use authorities in this database then make sure the user is from the same authority
$sql = sprintf("SELECT * FROM `%s` WHERE %s=? AND %s=?", $this->AuthenticationAuthority->getTable('groupmembers'), $this->AuthenticationAuthority->getField('groupmember_group'), $this->AuthenticationAuthority->getField('groupmember_user'));
$parameters = array($this->{$property}, $user->getUserID());
} else {
//user is from another authority
return false;
}
$connection = $this->AuthenticationAuthority->connection();
$result = $connection->query($sql, $parameters);
if ($row = $result->fetch()) {
return true;
}
return false;
}
/**
* Sees if the given user matches the rule
* @param User $user a valid user object
* @return mixed, the action if the user matches the rule or false if the rule did not match
*/
public function evaluateForUser(User $user)
{
switch ($this->ruleType)
{
case self::RULE_TYPE_AUTHORITY:
/* if the value is all then see if the userID and authority are set and it's a MATCH
this will NOT match an anonymous user
*/
if ($this->ruleValue==self::RULE_VALUE_ALL) {
if ($user->getUserID() && $user->getAuthenticationAuthority()) {
return $this->ruleAction;
}
/* Otherwise see if the userID is set and the authority matches the rule value */
} elseif ($user->getUserID() && $user->getAuthenticationAuthorityIndex()==$this->ruleValue) {
return $this->ruleAction;
}
break;
case self::RULE_TYPE_USER:
/* if the value is all then see if the userID is set
this will NOT match an anonymous user
*/
if ($this->ruleValue==self::RULE_VALUE_ALL) {
if ($user->getUserID()) {
return $this->ruleAction;
}
} else {
/* user values are specified as AUTHORITY|userID */
$values = explode("|", $this->ruleValue);
switch (count($values)) {
case 1:
$authority = AuthenticationAuthority::getDefaultAuthenticationAuthorityIndex();
$userID = $values[0];
break;
case 2:
$authority = $values[0];
$userID = $values[1];
break;
}
/* see if the userID/email and authority match */
if ($user->getAuthenticationAuthorityIndex()==$authority) {
/* can match either userID or email */
if ($userID==self::RULE_VALUE_ALL) {
if ($user->getUserID()) {
return $this->ruleAction;
}
} else if ($user->getUserID()==$userID ||
(Validator::isValidEmail($userID) && $user->getEmail()==$userID)) {
return $this->ruleAction;
}
}
}
break;
case self::RULE_TYPE_GROUP:
/* Note: a group value of ALL is not valid */
/* group values are specified as AUTHORITY|group */
$values = explode("|", $this->ruleValue);
switch (count($values)) {
case 1:
$authority = AuthenticationAuthority::getDefaultAuthenticationAuthorityIndex();
$group = $values[0];
break;
case 2:
$authority = $values[0];
$group = $values[1];
break;
}
/* attempt to load the authority, then get the group */
if ($authority = AuthenticationAuthority::getAuthenticationAuthority($authority)) {
if ($group = $authority->getGroup($group)) {
/* see if the user is a member of the group */
if ($group->userIsMember($user)) {
return $this->ruleAction;
}
}
}
break;
case self::RULE_TYPE_EVERYONE:
/* always matches */
return $this->ruleAction;
break;
}
return false;
}
