wCMF  3.6
 All Classes Namespaces Files Functions Variables Groups Pages
class.RightsManager.php
Go to the documentation of this file.
1 <?php
2 /**
3  * wCMF - wemove Content Management Framework
4  * Copyright (C) 2005-2014 wemove digital solutions GmbH
5  *
6  * Licensed under the terms of any of the following licenses
7  * at your choice:
8  *
9  * - GNU Lesser General Public License (LGPL)
10  * http://www.gnu.org/licenses/lgpl.html
11  * - Eclipse Public License (EPL)
12  * http://www.eclipse.org/org/documents/epl-v10.php
13  *
14  * See the license.txt file distributed with this work for
15  * additional information.
16  *
17  * $Id: class.RightsManager.php 1462 2014-02-04 23:52:27Z iherwig $
18  */
19 require_once(BASE."wcmf/lib/util/class.Message.php");
20 require_once(BASE."wcmf/lib/util/class.SessionData.php");
21 require_once(BASE."wcmf/lib/util/class.ObjectFactory.php");
22 require_once(BASE."wcmf/lib/presentation/class.WCMFInifileParser.php");
23 require_once(BASE."wcmf/lib/persistence/class.PersistenceFacade.php");
24 
25 /**
26  * Some constants describing actions on PersistentObjects
27  */
28 define("ACTION_READ", "read");
29 define("ACTION_MODIFY", "modify");
30 define("ACTION_DELETE", "delete");
31 define("ACTION_CREATE", "create");
32 
33 define("RIGHT_MODIFIER_ALLOW", "+");
34 define("RIGHT_MODIFIER_DENY", "-");
35 
36 define("AUTHORIZATION_SECTION", "authorization");
37 
38 /**
39  * Actions that do not require authorization
40  */
41 $PUBLIC_ACTIONS = array('fatal', 'login', 'dologin', 'logout');
42 
43 /**
44  * @class RightsManager
45  * @ingroup Security
46  * @brief RightsManager is used to handle all authorization requests.
47  *
48  * @author ingo herwig <ingo@wemove.com>
49  */
50 class RightsManager
51 {
52  var $_anonymousUser = null;
53 
54  /**
55  * Returns an instance of the class.
56  * @return A reference to the only instance of the Singleton object
57  */
58  function &getInstance()
59  {
60  static $instance = null;
61 
62  if (!isset($instance))
63  {
64  $instance = new RightsManager();
65  // include this later to avoid circular includes
66  require_once(BASE."wcmf/lib/security/class.AnonymousUser.php");
67  $instance->_anonymousUser = new AnonymousUser('');
68  }
69  return $instance;
70  }
71  /**
72  * Get session variable name for the authenticated user.
73  * @return The variable name.
74  */
75  function getAuthUserVarname()
76  {
77  return 'auth_user_'.Application::getId();
78  }
79  /**
80  * Get authenticated user.
81  * @return AuthUser object or null if not logged in.
82  */
83  function &getAuthUser()
84  {
85  if (RightsManager::isAnonymous())
86  return $this->_anonymousUser;
87  else
88  {
89  // include this later to avoid circular includes
90  require_once(BASE."wcmf/lib/security/class.AuthUser.php");
91  $session = &SessionData::getInstance();
92  $user = null;
93  $userVarname = $this->getAuthUserVarname();
94  if ($session->exist($userVarname))
95  {
96  $user = &$session->get($userVarname);
97  $user->resetRoleCache();
98  }
99  return $user;
100  }
101  }
102  /**
103  * See if the RightsManager is working in anonymous mode. In anonymous mode all
104  * authorization requests answered positive and AuthUser is an instance of AnonymousUser
105  * The mode is set in configuration section 'cms' key 'anonymous'
106  * @return True/False wether in anonymous mode
107  */
108  function isAnonymous()
109  {
110  $parser = &InifileParser::getInstance();
111  return $parser->getValue('anonymous', 'cms');
112  }
113  /**
114  * Deactivate rights checking by setting the anonymous confguration value.
115  */
116  function deactivate()
117  {
118  $parser = &InifileParser::getInstance();
119  $parser->setValue('anonymous', 1, 'cms');
120  }
121  /**
122  * (Re-)activate rights checking by unsetting the anonymous confguration value.
123  */
124  function activate()
125  {
126  $parser = &InifileParser::getInstance();
127  $parser->setValue('anonymous', 0, 'cms');
128  }
129  /**
130  * Authorize for given resource, context, action triple.
131  * @param resource The resource to authorize (e.g. class name of the Controller or OID).
132  * @param context The context in which the action takes place.
133  * @param action The action to process.
134  * @return True/False whether authorization succeded/failed.
135  */
136  function authorize($resource, $context, $action)
137  {
138  global $PUBLIC_ACTIONS;
139  if (RightsManager::isAnonymous())
140  return true;
141 
142  if (!in_array($action, $PUBLIC_ACTIONS))
143  {
144  // if authorization is requested for an oid, we check the type first
145  if (PersistenceFacade::isValidOID($resource))
146  {
147  $oidParts = PersistenceFacade::decomposeOID($resource);
148  if (!$this->authorize($oidParts['type'], $context, $action))
149  return false;
150  }
151 
152  $parser = &WCMFInifileParser::getInstance();
153  $actionKey = $parser->getBestActionKey(AUTHORIZATION_SECTION, $resource, $context, $action);
154 
155  $authUser = &$this->getAuthUser();
156  if (!($authUser && $authUser->authorize($actionKey)))
157  {
158  if ($authUser)
159  {
160  // valid user but authorization for action failed
161  return false;
162  }
163  else
164  {
165  // no valid user
166  return false;
167  }
168  }
169  }
170  return true;
171  }
172  /**
173  * Get the rights on a resource, context, action combination.
174  * @param config The configuration file to create the right in.
175  * @param resource The resource (e.g. class name of the Controller or OID).
176  * @param context The context in which the action takes place.
177  * @param action The action to process.
178  * @return An assoziative array with keys 'default', 'allow', 'deny' and the attached roles as values.
179  * @see AuthUser::parsePolicy
180  */
181  function getRight($config, $resource, $context, $action)
182  {
183  $iniFile = new IniFileParser();
184  $iniFile->parseIniFile($config);
185 
186  $rightDef = $resource."?".$context."?".$action;
187  if ($iniFile->getValue($rightDef, AUTHORIZATION_SECTION) !== false)
188  return AuthUser::parsePolicy($iniFile->getValue($rightDef, AUTHORIZATION_SECTION));
189  else
190  return array();
191  }
192  /**
193  * Create/Change a permission for a role on a resource, context, action combination.
194  * @param config The configuration file to create the right in.
195  * @param resource The resource (e.g. class name of the Controller or OID).
196  * @param context The context in which the action takes place.
197  * @param action The action to process.
198  * @param role The role to authorize.
199  * @param modifier One of the RIGHT_MODIFIER_ constants.
200  * @return True/False whether creation succeded/failed.
201  */
202  function createPermission($config, $resource, $context, $action, $role, $modifier)
203  {
204  return RightsManager::modifyRight($config, $resource, $context, $action, $role, $modifier);
205  }
206  /**
207  * Remove a role from a right on a resource, context, action combination.
208  * @param config The configuration file to remove the right from.
209  * @param resource The resource (e.g. class name of the Controller or OID).
210  * @param context The context in which the action takes place.
211  * @param action The action to process.
212  * @param role The role to remove.
213  * @return True/False whether removal succeded/failed.
214  */
215  function removePermission($config, $resource, $context, $action, $role)
216  {
217  return RightsManager::modifyRight($config, $resource, $context, $action, $role, null);
218  }
219  /**
220  * Modify a right of a role on a resource, context, action combination.
221  * @param config The configuration file to remove the right from.
222  * @param resource The resource (e.g. class name of the Controller or OID).
223  * @param context The context in which the action takes place.
224  * @param action The action to process.
225  * @param role The role for which to cancel authorization.
226  * @param modifier One of the RIGHT_MODIFIER_ constants or null (which means remove role).
227  * @return True/False whether modification succeded/failed.
228  */
229  function modifyRight($config, $resource, $context, $action, $role, $modifier)
230  {
231  $iniFile = new IniFileParser($config);
232  $iniFile->parseIniFile($config);
233 
234  $rightDef = $resource."?".$context."?".$action;
235  $rightVal = '';
236  if ($modifier != null)
237  $rightVal = $modifier.$role;
238 
239  if ($iniFile->getValue($rightDef, AUTHORIZATION_SECTION) === false && $modifier != null)
240  $iniFile->setValue($rightDef, $rightVal, AUTHORIZATION_SECTION, true);
241  else
242  {
243  $value = $iniFile->getValue($rightDef, AUTHORIZATION_SECTION);
244  // remove role from value
245  $value = trim(preg_replace("/[+\-]*".$role."/", "", $value));
246  if ($value != '')
247  $iniFile->setValue($rightDef, $value." ".$rightVal, AUTHORIZATION_SECTION, false);
248  else
249  $iniFile->removeKey($rightDef, AUTHORIZATION_SECTION);
250  }
251 
252  $iniFile->writeIniFile();
253  return true;
254  }
255 }
256 ?>
AnonymousUser
Anonymous User.
Definition: class.AnonymousUser.php:28
RightsManager\removePermission
removePermission($config, $resource, $context, $action, $role)
Definition: class.RightsManager.php:215
RightsManager\authorize
authorize($resource, $context, $action)
Definition: class.RightsManager.php:136
AuthUser\parsePolicy
parsePolicy($val)
Definition: class.AuthUser.php:162
RightsManager
RightsManager is used to handle all authorization requests.
Definition: class.RightsManager.php:50
RightsManager\getRight
getRight($config, $resource, $context, $action)
Definition: class.RightsManager.php:181
PersistenceFacade\decomposeOID
decomposeOID($oid, $validate=true)
Definition: class.PersistenceFacade.php:165
AUTHORIZATION_SECTION
const AUTHORIZATION_SECTION
Definition: class.RightsManager.php:36
RightsManager\modifyRight
modifyRight($config, $resource, $context, $action, $role, $modifier)
Definition: class.RightsManager.php:229
RightsManager\createPermission
createPermission($config, $resource, $context, $action, $role, $modifier)
Definition: class.RightsManager.php:202