3 # FILE: PrivilegeSet.php 5 # Part of the Collection Workflow Integration System (CWIS) 6 # Copyright 2013 Edward Almasy and Internet Scout Research Group 7 # http://scout.wisc.edu/cwis/ 19 # used as a field ID in conditions to test whether a resources is 20 # available as part of the privilege check 32 # if privilege data supplied 35 # if data is in legacy form (an array of privileges) 38 # set internal privilege set from array 39 $this->Privileges = $Data;
43 # set internal values from data 44 $this->LoadFromData($Data);
/**
 * Get/set privilege set data, in the form of an opaque string.
 *
 * The string is the output of PHP serialize().  Supplying a value causes
 * it to be passed to unserialize() via LoadFromData(), so only strings
 * previously produced by this method should be handed in.
 *
 * @param string $NewValue Opaque string to load into the set (OPTIONAL).
 * @return string Current privilege set data as an opaque string.
 */
public function Data($NewValue = NULL)
{
    # a supplied value replaces the current contents of the set
    if ($NewValue !== NULL)
    {
        $this->LoadFromData($NewValue);
    }

    # pack each entry, nesting subgroups as their own opaque strings
    $Packed = array();
    foreach ($this->Privileges as $Entry)
    {
        if (is_object($Entry))
        {
            $Packed["Privileges"][] = array("SUBSET" => $Entry->Data());
        }
        else
        {
            $Packed["Privileges"][] = $Entry;
        }
    }

    # the AND/OR logic travels alongside the entries
    $Packed["Logic"] = $this->Logic;
    return serialize($Packed);
}
94 # when there are no requirements, then every user meets them 97 # for each privilege requirement 98 foreach ($this->Privileges as $Priv)
100 # if privilege is actually a privilege subgroup 101 if (is_object($Priv))
103 # check if the subgroup is satisfied 104 $Satisfied = $Priv->MeetsRequirements($User, $Resource);
106 # else if privilege is actually a condition 107 elseif (is_array($Priv))
109 # check if condition is satisfied for the given resource 110 $Satisfied = $this->MeetsCondition($Priv, $Resource, $User);
112 # else privilege is actually a privilege 115 # check if user has the spcified privilege 116 $Satisfied = $User->
HasPriv( $Priv );
119 # for AND logic, we can bail as soon as the first 120 # condition is not met 121 if ($this->Logic ==
"AND")
128 # conversely, for OR logic, we can bail as soon as any 139 # report result of the test back to caller 151 # convert incoming value to array if needed 152 if (!is_array($Privileges))
154 $Privileges = array($Privileges);
157 # for each privilege passed in 158 foreach ($Privileges as $Privilege)
160 # add privilege if not currently in set 163 if (is_object($Privilege)) { $Privilege = $Privilege->Id(); }
164 $this->Privileges[] = $Privilege;
177 # remove privilege if currently in set 180 if (is_object($Privilege)) { $Privilege = $Privilege->Id(); }
181 $Index = array_search($Privilege, $this->Privileges);
182 unset($this->Privileges[$Index]);
193 # check whether privilege is in our list and report to caller 194 if (is_object($Privilege)) { $Privilege = $Privilege->Id(); }
195 return $this->IsInPrivilegeData($Privilege) ? TRUE : FALSE;
208 # grab privilege information and add logic 209 $Info = $this->Privileges;
210 $Info[
"Logic"] = $this->Logic;
212 # return privilege info array to caller 224 # create list of privileges with conditions stripped out 226 foreach ($this->Privileges as $Priv)
228 if (!is_array($Priv)) { $List[] = $Priv; }
231 # return list of privileges to caller 252 $FieldId = is_object($Field) ? $Field->Id() : $Field;
254 # set up condition array 256 "FieldId" => intval($FieldId),
257 "Operator" => trim($Operator),
260 # if condition is not already in set 261 if (!$this->IsInPrivilegeData($Condition))
263 # add condition to privilege set 264 $this->Privileges[] = $Condition;
284 $FieldId = is_object($Field) ? $Field->Id() : $Field;
286 # set up condition array 288 "FieldId" => intval($FieldId),
289 "Operator" => trim($Operator),
292 # if condition is in set 293 if ($this->IsInPrivilegeData($Condition))
295 # remove condition from privilege set 296 $Index = array_search($Condition, $this->Privileges);
297 unset($this->Privileges[$Index]);
309 # if subgroup is not already in set 310 if (!$this->IsInPrivilegeData($Set))
312 # add subgroup to privilege set 313 $this->Privileges[] = $Set;
328 if ($NewValue !== NULL)
330 $this->Logic = $NewValue ?
"AND" :
"OR";
332 return ($this->Logic ==
"AND") ? TRUE : FALSE;
343 unset ($Info[
"Logic"]);
346 foreach ($Info as $Item)
348 if (is_object($Item))
350 $Result = array_merge($Result, $Item->PrivilegeFlagsChecked() );
352 elseif (!is_array($Item))
357 return array_unique($Result);
369 unset ($Info[
"Logic"]);
372 foreach ($Info as $Item)
374 if (is_object($Item))
376 $Result = array_merge(
378 $Item->FieldsWithUserComparisons( $ComparisonType ) );
380 elseif (is_array($Item))
382 if ($Item[
"Operator"] == $ComparisonType &&
383 $Item[
"FieldId"] > 0 )
389 $Result[]= $Item[
"FieldId"];
395 return array_unique($Result);
398 # ---- PRIVATE INTERFACE ------------------------------------------------- 400 private $Privileges = array();
401 private $Logic =
"OR";
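/**
 * Load privileges and logic from a string produced by Data().
 *
 * Malformed input is rejected with an exception instead of being ignored.
 * An ignored load would leave the set empty, and per the comment in
 * MeetsRequirements() a set with no requirements is met by every user,
 * so a silent failure here would fail open.
 *
 * @param string $Serialized Opaque privilege data, as returned by Data().
 * @throws Exception If the data cannot be unpacked into the expected form.
 */
private function LoadFromData($Serialized)
{
    # save calling context in case load causes out-of-memory crash
    $GLOBALS["AF"]->RecordContextInCaseOfCrash();

    # NOTE(review): unserialize() instantiates any class named in its input,
    # so $Serialized must only ever be a value this class wrote itself.
    # Data() is seen to emit arrays, nested strings, and whatever entries
    # were added to the set; if those are confirmed to be scalars and arrays
    # only, passing array("allowed_classes" => FALSE) as a second argument
    # (PHP 7.0+) would close off object instantiation entirely.
    $Data = unserialize($Serialized);

    # refuse anything that did not unpack into an array (unserialize()
    # returns FALSE on failure)
    if (!is_array($Data))
    {
        throw new Exception(
                "Invalid serialized data supplied for privilege set.");
    }

    # unpack privilege data (if available) and load
    if (array_key_exists("Privileges", $Data))
    {
        # a non-array entry list cannot be iterated and would otherwise
        # leave the set empty
        if (!is_array($Data["Privileges"]))
        {
            throw new Exception(
                    "Invalid privilege list in privilege set data.");
        }

        $this->Privileges = array();
        foreach ($Data["Privileges"] as $Priv)
        {
            # subgroups are stored as nested opaque strings under "SUBSET"
            if (is_array($Priv) && array_key_exists("SUBSET", $Priv))
            {
                $Subset = new PrivilegeSet();
                $Subset->LoadFromData($Priv["SUBSET"]);
                $this->Privileges[] = $Subset;
            }
            else
            {
                $this->Privileges[] = $Priv;
            }
        }
    }

    # load logic if available
    if (array_key_exists("Logic", $Data))
    {
        $this->Logic = $Data["Logic"];
    }
}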
450 private function MeetsCondition($Condition, $Resource, $User)
452 # if condition is a check for whether a resource is available 453 if ($Condition[
"FieldId"] == self::HAVE_RESOURCE)
455 # return a result based on whether a resource is available 456 return ((
bool)($Resource == self::NO_RESOURCE)
457 != (
bool)$Condition[
"Value"]) ? TRUE : FALSE;
459 # else if no resource is available 460 elseif ($Resource == self::NO_RESOURCE)
462 # return a result that in effect ignores the condition 463 return ($this->Logic ==
"AND") ? TRUE : FALSE;
465 # else if resource is valid 466 elseif ($Resource instanceof
Resource)
468 # pre-process condition parameters based on type of field 475 # if the field in a condition was invalid, the condition fails 479 $Operator = $Condition[
"Operator"];
480 $Value = $Condition[
"Value"];
481 $FieldValue = $Resource->Get($Field, TRUE);
482 switch ($Field->Type())
485 # if supplied value is NULL 488 $Value = $User->Id();
491 # get the UserIds contained in this field 492 $FieldValue = array_keys($FieldValue);
497 # date field values are Date objects, so handle those 498 if ($FieldValue instanceof
Date)
500 $FieldValue = strtotime($FieldValue->Formatted());
503 # timestamp field values are just the date/time string 506 $FieldValue = strtotime($FieldValue);
509 # use the current time for the value if it's NULL 515 # otherwise, parse the value to get a numeric timestamp 518 $Value = strtotime($Value);
527 # for options, construct a list of the CNIDs in this field 529 foreach ($FieldValue as $CName)
531 $NewValue[]= $CName->Id();
533 $FieldValue = $NewValue;
537 throw new Exception(
"Unsupported metadata field type (" 538 .print_r($Field->Type(), TRUE)
539 .
") for condition in privilege set.");
543 # compare field value and supplied value using specified operator 547 if (is_array($FieldValue))
549 # equality against an option field is a 'contains' condition, 550 # true if the specified value is one of those set 552 foreach ($FieldValue as $FieldValue_i)
554 $Result |= ($FieldValue_i == $Value);
559 $Result = ($FieldValue == $Value);
564 if (is_array($FieldValue))
566 # not equal against an option field is 'does not contains', 567 # true as long as the spcified value is not one of those set 569 foreach ($FieldValue as $FieldValue_i)
571 $Result &= ($FieldValue_i != $Value);
576 $Result = ($FieldValue != $Value);
581 $Result = ($FieldValue < $Value);
585 $Result = ($FieldValue > $Value);
589 $Result = ($FieldValue <= $Value);
593 $Result = ($FieldValue >= $Value);
597 throw new Exception(
"Unsupported condition operator (" 598 .print_r($Operator, TRUE).
") in privilege set.");
602 # report to caller whether condition was met 603 return $Result ? TRUE : FALSE;
607 # error out because resource was illegal 608 throw new Exception(
"Invalid Resource passed in for privilege" 609 .
" set comparison.");
/**
 * Check whether the given item is already present in the privilege data.
 *
 * Objects are only compared against objects and arrays only against
 * arrays; any other item is compared against every entry.  All
 * comparisons use loose equality (==).
 *
 * @param mixed $Item Privilege, condition array, or subgroup to look for.
 * @return bool TRUE if a matching entry is found, otherwise FALSE.
 */
private function IsInPrivilegeData($Item)
{
    # step through privilege data
    foreach ($this->Privileges as $Candidate)
    {
        # decide whether this entry is of a kind that may match the item
        if (is_object($Item))
        {
            $Comparable = is_object($Candidate);
        }
        elseif (is_array($Item))
        {
            $Comparable = is_array($Candidate);
        }
        else
        {
            $Comparable = TRUE;
        }

        # report to caller if item is found
        if ($Comparable && ($Item == $Candidate)) { return TRUE; }
    }

    # report to caller that item is not in privilege data
    return FALSE;
}
AddSet(PrivilegeSet $Set)
Add subgroup of privileges/conditions to set.
HasPriv($Privilege, $Privileges=NULL)
Determine if a user has a given privilege, or satisfies the conditions specified by a given privilege...
Set of privileges used to access resource information or other parts of the system.
MeetsRequirements(CWUser $User, $Resource=self::NO_RESOURCE)
Determine if a given user meets the requirements specified by this PrivilegeSet.
__construct($Data=NULL)
Class constructor, used to create a new set or reload an existing set from previously-constructed dat...
IncludesPrivilege($Privilege)
Check whether this privilege set includes the specified privilege.
GetPrivilegeInfo()
Get privilege information as an array, with numerical indexes except for the logic, which is contained in an element with the index "Logic".
AddPrivilege($Privileges)
Add specified privilege to set.
PrivilegeFlagsChecked()
List which privilege flags (e.g.
GetPrivilegeList()
Get list of privileges.
Data($NewValue=NULL)
Get/set privilege set data, in the form of an opaque string.
Represents a "resource" in CWIS.
FieldsWithUserComparisons($ComparisonType)
List which fields in this privset are involved in UserIs or UserIsNot comparisons for this privilege ...
CWIS-specific user class.
AddCondition($Field, $Value=NULL, $Operator="==")
Add condition to privilege set.
RemovePrivilege($Privilege)
Remove specified privilege from set.
AllRequired($NewValue=NULL)
Get/set whether all privileges/conditions in set are required (i.e.
RemoveCondition($Field, $Value=NULL, $Operator="==")
Remove condition from privilege set.