GlisWeb framework
_acl.utils.php
Vai alla documentazione di questo file.
1 <?php
2 
22  function getAccessPermission( $p ) {
23 
24  // namespace globale
25  global $cf;
26 
27  // controllo
28  if( ! isset( $cf['contents']['pages'][ $p ]['auth']['groups'] ) || ( isset( $_SESSION['account']['gruppi'] ) && count( array_intersect( $cf['contents']['pages'][ $p ]['auth']['groups'], $_SESSION['account']['gruppi'] ) ) > 0 ) ) {
29  return true;
30  }
31 
32  // ritorno false
33  return false;
34 
35  }
36 
44  function getAclPermission( $t, $a, &$i = NULL ) {
45 
46  // log
47  logWrite( 'richiesta di accesso per ' . $t . '/' . $a, 'auth', LOG_DEBUG );
48 
49  // debug
50  // echo 'getAclPermission ' . $t . '/' . $a . PHP_EOL;
51 
52  // controllo permessi
53  if( isset( $_SESSION['account']['permissions'][ $t ] ) ) {
54 
55  // passaggio ricorsivo dei permessi
56  $i['__auth__'] = $_SESSION['account']['permissions'][ $t ];
57 
58  // autorizzazione
59 // if( in_array( $a, $i['__auth__'] ) || in_array( FULL_CONTROL, $i['__auth__'] ) || ( $a != FULL_CONTROL && in_array( FILTERED_CONTROL, $i['__auth__'] ) ) ) {
60  if( in_array( $a, $i['__auth__'] ) || in_array( FULL_CONTROL, $i['__auth__'] ) || in_array( FILTERED_CONTROL, $i['__auth__'] ) ) {
61 // if( in_array( $a, $i['__auth__'] ) || in_array( FULL_CONTROL, $i['__auth__'] ) ) {
62  logWrite( 'accesso consentito per ' . $t . '/' . $a . ' -> ' . implode( ',',$i['__auth__'] ), 'auth', LOG_DEBUG );
63  // echo 'getAclPermission ' . $t . '/' . $a . ' OK' . PHP_EOL;
64  return true;
65  }
66 
67  // log
68  logWrite( 'accesso non consentito per ' . $t . '/' . $a . ' in ' . implode( ', ', $i['__auth__'] ), 'auth', LOG_ERR );
69 
70  }
71 
72  // debug
73  // echo 'getAclPermission ' . $t . '/' . $a . ' NO' . PHP_EOL;
74 
75  // log
76  logWrite( 'accesso non consentito per ' . $t, 'auth', LOG_ERR );
77 
78  // default
79  return false;
80 
81  }
82 
90 // function getAclRights( $c, $t, $a, $id, &$i = NULL, $pi = NULL ) {
91  function getAclRights( $c, $t, $a, $id, &$i = NULL ) {
92 
93  // log
94  logWrite( 'richiesta di accesso per ' . $t . '/' . $id . '/' . $a, 'auth', LOG_DEBUG );
95 
96  // passaggio ricorsivo dei permessi
97  $i['__auth__'] = $_SESSION['account']['permissions'][ $t ];
98 
99  // debug
100  // echo 'getAclRights ' . $t . '/' . $id . '/' . $a . PHP_EOL;
101  // echo 'getAclRights parent id -> ' . $p . PHP_EOL;
102  // print_r( $i );
103  // print_r( $pi );
104 
105  // verifico se l'utente non è root
106 // if( $_SESSION['account']['username'] == 'root' || in_array( 'roots', $_SESSION['account']['gruppi'] ) ) {
107 // if( getAclPermission( $t, FULL_CONTROL ) ) {
108  if( in_array( FULL_CONTROL, $i['__auth__'] ) ) {
109 
110  // log
111  logWrite( 'accesso FULL per ' . $t . '/' . $id . '/' . $a, 'auth', LOG_DEBUG );
112 
113  // debug
114  // echo 'getAclRights ' . $t . '/' . $id . '/' . $a . ' FULL OK' . PHP_EOL;
115 
116  // default
117  return true;
118 
119  } else {
120 
121  // prelevo la tabella delle ACL
122  $aclTb = getAclRightsTable( $c, $t );
123 
124  // prelevo l'utente per il controllo ACL
125  $aclId = getAclRightsAccountId();
126 
127  // log
128  logWrite( 'accesso FULL non consentito per ' . $t . '/' . $id . '/' . $a . ' procedo con le verifiche', 'auth', LOG_DEBUG );
129 
130  // debug
131  // echo 'tabella: ' . $aclTb . PHP_EOL;
132  // echo 'id account: ' . $aclId . PHP_EOL;
133 
134  // se esistono ACL per questa entità
135  if( empty( $aclTb ) ) {
136 
137  // debug
138  // echo 'getAclRights ' . $t . '/' . $id . '/' . $a . ' ACL table non esiste' . PHP_EOL;
139 
140  // log
141  logWrite( 'nessuna tabella di ACL presente per ' . $t . ', autorizzazione concessa', 'auth', LOG_DEBUG );
142 
143  // default
144  return true;
145 
146  } else {
147 
148  // debug
149  // echo 'getAclRights ' . $t . '/' . $id . '/' . $a . ' ACL table esiste' . PHP_EOL;
150 
151 /*
152  // valuto la riga
153  $r = mysqlSelectValue(
154  $c,
155  "SELECT concat_ws( ',', group_concat( ${aclTb}.permesso SEPARATOR ',' ), if( ${t}_view.id_account_inserimento = ?, 'FULL', NULL ) ) AS t ".
156  "FROM ${t}_view ".
157  "LEFT JOIN ${aclTb} ON ${aclTb}.id_entita = ${t}_view.id ".
158  "LEFT JOIN account_gruppi ON account_gruppi.id_gruppo = ${aclTb}.id_gruppo ".
159  "WHERE ( account_gruppi.id_account = ? OR ${t}_view.id_account_inserimento = ? ) ".
160  "AND ${t}_view.id = ? ",
161  array( array( 's' => $aclId ), array( 's' => $aclId ), array( 's' => $aclId ), array( 's' => $id ) )
162  );
163 */
164 /*
165  // genero l'array dei diritti
166 // if( getAclPermission( $t, FILTERED_CONTROL ) ) {
167  if( in_array( FILTERED_CONTROL, $i['__auth__'] ) ) {
168  logWrite( 'accesso FILTERED per ' . $t . '/' . $id . '/' . $a, 'auth', LOG_NOTICE );
169  // echo 'getAclRights ' . $t . '/' . $id . '/' . $a . ' accesso FILTRATO' . PHP_EOL;
170  $y = ( ! empty( $pi ) ) ? 'GET' : NULL;
171  $r = mysqlSelectValue(
172  $c,
173 // "SELECT if( ${t}_view.id_account_inserimento = ?, 'FULL', '${y}' ) AS t ".
174  "SELECT if( ${t}_view.id_account_inserimento = ?, 'FULL', NULL ) AS t ".
175  "FROM ${t}_view ".
176  "WHERE ${t}_view.id = ? ",
177  array( array( 's' => $aclId ), array( 's' => $id ) )
178  );
179  } else {
180  logWrite( 'accesso STANDARD per ' . $t . '/' . $id . '/' . $a, 'auth', LOG_NOTICE );
181  // echo 'getAclRights ' . $t . '/' . $id . '/' . $a . ' accesso STANDARD' . PHP_EOL;
182  $r = mysqlSelectValue(
183  $c,
184  "SELECT concat_ws( ',', group_concat( ${aclTb}.permesso SEPARATOR ',' ), if( ${t}_view.id_account_inserimento = ?, 'FULL', NULL ) ) AS t ".
185  "FROM ${t}_view ".
186  "LEFT JOIN ${aclTb} ON ${aclTb}.id_entita = ${t}_view.id ".
187  "LEFT JOIN account_gruppi ON account_gruppi.id_gruppo = ${aclTb}.id_gruppo ".
188  "WHERE ( account_gruppi.id_account = ? OR ${t}_view.id_account_inserimento = ? ) ".
189  "AND ${t}_view.id = ? ",
190  array( array( 's' => $aclId ), array( 's' => $aclId ), array( 's' => $aclId ), array( 's' => $id ) )
191  );
192  }
193 */
194 
195  $r = mysqlSelectValue(
196  $c,
197  "SELECT concat_ws( ',', group_concat( ${aclTb}.permesso SEPARATOR ',' ), if( ( ${t}_view.id_account_inserimento = ? OR ${t}_view.id_account_editor = ? ), 'FULL', NULL ) ) AS t ".
198  "FROM ${t}_view ".
199  "LEFT JOIN ${aclTb} ON ${aclTb}.id_entita = ${t}_view.id ".
200 # NON GERARCHICO "LEFT JOIN account_gruppi ON account_gruppi.id_gruppo = ${aclTb}.id_gruppo ".
201  "LEFT JOIN account_gruppi ON ( account_gruppi.id_gruppo = ${aclTb}.id_gruppo OR gruppi_path_check( ${aclTb}.id_gruppo, account_gruppi.id_gruppo ) ) ".
202 # NON CONSIDERA EDITOR "WHERE ( account_gruppi.id_account = ? OR ${t}_view.id_account_inserimento = ? ) ".
203  "WHERE ( account_gruppi.id_account = ? OR ${t}_view.id_account_inserimento = ? OR ${t}_view.id_account_editor = ? ) ".
204  "AND ${t}_view.id = ? ",
205 # NON CONSIDERA EDITOR array( array( 's' => $aclId ), array( 's' => $aclId ), array( 's' => $aclId ), array( 's' => $id ) )
206  array( array( 's' => $aclId ), array( 's' => $aclId ), array( 's' => $aclId ), array( 's' => $aclId ), array( 's' => $aclId ), array( 's' => $id ) )
207  );
208 
209  $i['__auth__'] = explode( ',', $r );
210 
211  // debug
212  // echo 'risultato: ' . $r . ' per ' . $a . PHP_EOL;
213  // echo $a . PHP_EOL;
214  // print_r( $i['__auth__'] );
215 
216  // controllo dei diritti
217  if( in_array( $a, $i['__auth__'] ) || in_array( FULL_CONTROL, $i['__auth__'] ) || in_array( FILTERED_CONTROL, $i['__auth__'] ) ) {
218 
219  // debug
220  // echo 'getAclRights ' . $t . '/' . $id . '/' . $a . ' OK' . PHP_EOL;
221 
222  // log
223  logWrite( 'permessi presenti sulla tabella di ACL per ' . $t . '/' . $id . '/' . $a . ', autorizzazione concessa', 'auth', LOG_DEBUG );
224 
225  // default
226  return true;
227 
228  } else {
229 
230  // log
231  logWrite( 'permessi NON presenti sulla tabella di ACL per ' . $t . '/' . $id . '/' . $a . ' in (' . $r . '), autorizzazione negata', 'auth', LOG_DEBUG );
232 
233  }
234 
235 /*
236  // valuto la riga
237  $r = mysqlSelectValue(
238  $cf['mysql']['connection'],
239  "SELECT count( ${t}_view.id ) FROM ${t}_view ".
240  "LEFT JOIN ${aclTb} ON ${aclTb}.id_entita = ${t}_view.id ".
241  "LEFT JOIN account_gruppi ON account_gruppi.id_gruppo = ${aclTb}.id_gruppo ".
242  "WHERE ( account_gruppi.id_account = ? OR ${t}_view.id_account_inserimento = ? ) ".
243  "AND ${t}_view.id = ? ",
244  array( array( 's' => $aclId ), array( 's' => $aclId ), array( 's' => $id ) )
245  );
246 
247  // debug
248  // echo 'risultato ' . $r . PHP_EOL;
249 
250  // risultato
251  return $r;
252 */
253  }
254 
255  }
256 
257  // debug
258  // echo 'getAclRights ' . $t . '/' . $id . '/' . $a . ' NO' . PHP_EOL;
259 
260  // default
261  return false;
262 
263  }
264 
272  function getAclRightsAccountId() {
273  return ( isset( $_SESSION['account']['id'] ) ) ? $_SESSION['account']['id'] : false;
274  }
275 
283  function getAclRightsTable( $c, $t ) {
284 
285  // verifico se l'utente non è root
286  if( $_SESSION['account']['username'] != 'root' && ! in_array( 'roots', $_SESSION['account']['gruppi'] ) ) {
287 
288  // verifico se esiste la tabella $t_gruppi
289 # $r = mysqlSelectCachedValue(
290  $r = mysqlSelectValue(
291  $c,
292  "SELECT table_name FROM information_schema.tables WHERE table_name = '__acl_${t}__' AND table_schema = database()"
293  );
294 
295  // log
296  logWrite( $_SESSION['account']['username'] . ' (' . implode(',',$_SESSION['account']['gruppi']) . ') tabella di ACL ' . $r . ' trovata per ' . $t, 'auth', LOG_DEBUG );
297 
298  // risultato
299  return $r;
300 
301  }
302 
303  // log
304  logWrite( 'accesso non filtrato concesso a ' . $_SESSION['account']['username'] . ' (' . implode(',',$_SESSION['account']['gruppi']) . ') per ' . $t, 'auth', LOG_DEBUG );
305 
306  // default
307  return NULL;
308 
309  }
310 
311 ?>
logWrite
logWrite( $m, $f='site', $l=LOG_NOTICE, $d=DIRECTORY_LOG, $t=CURRENT_LOG_LEVEL, $s=SITE_STATUS)
scrive un messaggio nei log del sito
Definition: _log.utils.php:48
FILTERED_CONTROL
const FILTERED_CONTROL
Definition: _config.php:275
$p
$p['ricerca']
Definition: _ricerca.it-IT.php:11
$t
$t
Definition: _ricerca.it-IT.php:8
$cf
$cf['ricerca']['template']
Definition: _030.common.php:7
getAclRightsAccountId
getAclRightsAccountId()
Definition: _acl.utils.php:272
$c
$c
Definition: _default.riepilogo.php:4
$a
$a
Definition: _slack.php:21
FULL_CONTROL
const FULL_CONTROL
Definition: _config.php:276
mysqlSelectValue
mysqlSelectValue( $c, $q, $p=false, &$e=array())
Definition: _mysql.tools.php:394
$r
$r
Definition: _osm.php:25
getAclRightsTable
getAclRightsTable( $c, $t)
Definition: _acl.utils.php:283
$_SESSION
if(isset( $_REQUEST['amazonCheckoutSessionId'])) $_SESSION['carrello']
Definition: _710.session.php:141
getAccessPermission
getAccessPermission( $p)
Definition: _acl.utils.php:22
$id
$id
Definition: _task.sprint.pdf.php:24
getAclPermission
getAclPermission( $t, $a, &$i=NULL)
Definition: _acl.utils.php:44
getAclRights
getAclRights( $c, $t, $a, $id, &$i=NULL)
Definition: _acl.utils.php:91
Generato Sab 25 Lug 2020 23:06:28 per GlisWeb framework da   doxygen 1.8.13