Archivado/Incam_SGD
Archived
0
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
This repository has been archived on 2024-11-28. You can view files and clone it, but cannot push or open issues or pull requests.
28b02db2ea
Incam_SGD/lib/roles/documentroleallocation.inc.php

297 lines
9.8 KiB
PHP
Raw Normal View History

Importación inicial con versión 3.7.0.2 original git-svn-id: https://192.168.0.254/svn/Proyectos.Incam_SGD/tags/3.7.0.2_original@1 eb19766c-00d9-a042-a3a0-45cb8ec72764
2010-09-10 16:45:26 +00:00
<?php
/**
* $Id$
*
* KnowledgeTree Community Edition
* Document Management Made Simple
* Copyright (C) 2008, 2009 KnowledgeTree Inc.
*
*
* This program is free software; you can redistribute it and/or modify it under
* the terms of the GNU General Public License version 3 as published by the
* Free Software Foundation.
*
* This program is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
* FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
* details.
*
* You should have received a copy of the GNU General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
* You can contact KnowledgeTree Inc., PO Box 7775 #87847, San Francisco,
* California 94120-7775, or email info@knowledgetree.com.
*
* The interactive user interfaces in modified source and object code versions
* of this program must display Appropriate Legal Notices, as required under
* Section 5 of the GNU General Public License version 3.
*
* In accordance with Section 7(b) of the GNU General Public License version 3,
* these Appropriate Legal Notices must retain the display of the "Powered by
* KnowledgeTree" logo and retain the original copyright notice. If the display of the
* logo is not reasonably feasible for technical reasons, the Appropriate Legal Notices
* must display the words "Powered by KnowledgeTree" and retain the original
* copyright notice.
* Contributor( s): ______________________________________
*/
require_once(KT_LIB_DIR . "/ktentity.inc");
require_once(KT_LIB_DIR . "/util/ktutil.inc");
require_once(KT_LIB_DIR . "/database/dbutil.inc");
require_once(KT_LIB_DIR . "/permissions/permissiondescriptor.inc.php");
require_once(KT_LIB_DIR . "/permissions/permissionutil.inc.php");
require_once(KT_LIB_DIR . "/users/User.inc");
require_once(KT_LIB_DIR . "/groups/Group.inc");
require_once(KT_LIB_DIR . "/groups/GroupUtil.php");
require_once(KT_LIB_DIR . "/documentmanagement/Document.inc");
require_once(KT_LIB_DIR . "/documentmanagement/documentcore.inc.php");
require_once(KT_LIB_DIR . "/roles/roleallocation.inc.php");
class DocumentRoleAllocation extends KTEntity {
/** role object primary key */
var $iId=-1;
var $iDocumentId;
var $iRoleId;
var $iPermissionDescriptorId;
var $_bUsePearError = true;
var $_aFieldToSelect = array(
'iId' => 'id',
'iRoleId' => 'role_id',
'iDocumentId' => 'document_id',
'iPermissionDescriptorId' => 'permission_descriptor_id',
);
function setDocumentId($iDocumentId) { $this->iDocumentId = $iDocumentId; }
function setRoleId($iRoleId) { $this->iRoleId = $iRoleId; }
function setPermissionDescriptorId($iPermissionDescriptorId) { $this->iPermissionDescriptorId = $iPermissionDescriptorId; }
function getDocumentId() { return $this->iDocumentId; }
function getRoleId() { return $this->iRoleId; }
function getPermissionDescriptorId() { return $this->iPermissionDescriptorId; }
// aggregate: set (for this alloc) the array('user' => array(), 'group' => array()).
function setAllowed($aAllowed) {
$oDescriptor = KTPermissionUtil::getOrCreateDescriptor($aAllowed); // fully done, etc.
$this->iPermissionDescriptorId = $oDescriptor->getId();
}
function getAllowed() {
if (!is_null($this->iPermissionDescriptorId)) {
$oDescriptor = KTPermissionDescriptor::get($this->iPermissionDescriptorId); // fully done, etc.
$aAllowed = $oDescriptor->getAllowed();
} else {
$aAllowed = array();
}
// special case "document owner".
if ($this->iRoleId == -2) {
$oDoc = KTDocumentCore::get($this->iDocumentId);
/* ! NBM Please Review
*
* This should never be an error - we were called by PermissionUtil
* to get the details for a document, but it _is_ be a DocumentCore
* object during _add.
*
* When we try to grab the Document, it blows up on the MetadataVersion,
* so we have to use a DocumentCore to avoid a fail-out on the initial
* on-add permission check.
*
* Is this bad/evil/not appropriate in some way? I can't see a major
* issue with it...
*
*/
if (PEAR::isError($oDoc)) {
return $aAllowed;
}
// ! NBM Please review
// we cascade "owner" from the folder (if, for some _bizarre_ reason the
// owner role is allocated to users/groups/etc. this can be disabled
// with the CRACK_IS_BAD flag, or removed entirely. I am undecided.
//
// There is some argument to be made for the consistency, but it may not be
// that big. I think it _may_ lead to easily misconfigured setups, but I
// really don't know.
$CRACK_IS_BAD = false;
if ((!$CRACK_IS_BAD) && is_null($this->iPermissionDescriptorId)) {
$oDerivedAlloc = RoleAllocation::getAllocationsForFolderAndRole($oDoc->getFolderID(), $this->iRoleId);
if (!(PEAR::isError($oDerivedAlloc) || is_null($oDerivedAlloc))) {
$aAllowed = $oDerivedAlloc->getAllowed();
}
}
$owner_id = $oDoc->getOwnerId();
if (is_null($aAllowed['user'])) {
$aAllowed['user'] = array($owner_id);
} else if (array_search($owner_id, $aAllowed['user']) === false) {
$aAllowed['user'][] = $owner_id;
}
}
return $aAllowed;
}
function _fieldValues () { return array(
'role_id' => $this->iRoleId,
'document_id' => $this->iDocumentId,
'permission_descriptor_id' => $this->iPermissionDescriptorId,
);
}
/* getAllocationForDocumentAndRole($iFolderId, $iRoleId)
*
* this is the key function: for a given document and role,
* returns either a RoleAllocation object, or null
* (if there is none). IT DOES NOT SCAN UP THE HIERACHY (Use RoleAllocation)
*/
function & getAllocationsForDocumentAndRole($iDocumentId, $iRoleId) {
$raTable = KTUtil::getTableName('document_role_allocations');
$dTable = KTUtil::getTableName('documents');
$sQuery = "SELECT ra.id as `id` FROM " . $raTable . " AS ra " .
' LEFT JOIN ' . $dTable . ' AS d ON (d.id = ra.document_id) ' .
' WHERE d.id = ?' .
' AND ra.role_id = ?';
$aParams = array($iDocumentId, $iRoleId);
$iAllocId = DBUtil::getOneResultKey(array($sQuery, $aParams), 'id');
if (PEAR::isError($iAllocId)) {
return null;
}
if (false) {
print '<pre>';
var_dump($iAllocId);
print '';
print $sQuery;
print '</pre>';
}
// magic for the Owner role here.
if (empty($iAllocId) && ($iRoleId == -2)) {
$permDescriptor = null;
// THIS OBJECT MUST NEVER BE MODIFIED, without first calling CREATE.
$oFakeAlloc = new DocumentRoleAllocation();
$oFakeAlloc->setDocumentId($iDocumentId);
$oFakeAlloc->setRoleId($iRoleId);
$oFakeAlloc->setPermissionDescriptorId($permDescriptor);
//var_dump($oFakeAlloc);
return $oFakeAlloc;
} else if (empty($iAllocId)) {
return null;
}
return DocumentRoleAllocation::get($iAllocId);
}
// static, boilerplate.
function _table () { return KTUtil::getTableName('document_role_allocations'); }
function & get($iRoleId) { return KTEntityUtil::get('DocumentRoleAllocation', $iRoleId); }
function & getList($sWhereClause = null) { return KTEntityUtil::getList2('DocumentRoleAllocation', $sWhereClause); }
function & createFromArray($aOptions) { return KTEntityUtil::createFromArray('DocumentRoleAllocation', $aOptions); }
function getPermissionDescriptor() {
// could be an error - return as-is.
$oDescriptor =& KTPermissionDescriptor::get($this->iPermissionDescriptorId);
return $oDescriptor;
}
// setting users and groups needs to use permissionutil::getOrCreateDescriptor
function getUsers() {
$aAllowed = $this->getAllowed();
if ($aAllowed['user'] !== null) {
$aUsers = $aAllowed['user'];
}
// now we want to map to oUsers, since that's what groups do.
$aFullUsers = array();
foreach ($aUsers as $iUserId) {
$oUser = User::get($iUserId);
if (!(PEAR::isError($oUser) || ($oUser == false))) {
$aFullUsers[$iUserId] = $oUser;
}
}
return $aFullUsers;
}
function getGroups() {
$aAllowed = $this->getAllowed();
if (is_null($aAllowed['group'])) {
return array(); // nothing here, move on.
} else {
$aGroups = $aAllowed['group'];
}
// now we want to map to oUsers, since that's what groups do.
$aFullGroups = array();
foreach ($aGroups as $iGroupId) {
$oGroup = Group::get($iGroupId);
if (!(PEAR::isError($oGroup) || ($oGroup == false))) {
$aFullGroups[$iGroupId] = $oGroup;
}
}
return $aFullGroups;
}
function getUserIds() {
$aAllowed = $this->getAllowed();
if ($aAllowed['user'] !== null) {
$aUsers = $aAllowed['user'];
}
return $aUsers;
}
function getGroupIds() {
$aAllowed = $this->getAllowed();
if ($aAllowed['group'] !== null) {
$aGroups = $aAllowed['group'];
}
return $aGroups;
}
// utility function to establish user membership in this allocation.
// FIXME nbm: is there are more coherent way to do this ITO your PD infrastructure?
function hasMember($oUser) {
$aAllowed = $this->getAllowed();
$iUserId = $oUser->getId();
if ($aAllowed['user'] != null) {
if (array_search($iUserId, $aAllowed['user']) !== false) {
return true;
}
}
// now we need the group objects.
// FIXME this could accelerated to a single SQL query on group_user_link.
$aGroups = $this->getGroups();
if (PEAR::isError($aGroups) || ($aGroups == false)) {
return false;
} else {
foreach ($aGroups as $oGroup) {
$reason = GroupUtil::getMembershipReason($oUser, $oGroup);
if (PEAR::isError($reason) || is_null($reason)) {
continue;
}
return true; // don't bother continuing - short-circuit for performance.
}
}
return false;
}
}
?>
Reference in New Issue Copy Permalink