protected function LdapAuthorizationConsumerAbstract::grantsAndRevokes in Lightweight Directory Access Protocol (LDAP) 7.2
Same name and namespace in other branches
- 8.2 ldap_authorization/LdapAuthorizationConsumerAbstract.class.php \LdapAuthorizationConsumerAbstract::grantsAndRevokes()
- 7 ldap_authorization/LdapAuthorizationConsumerAbstract.class.php \LdapAuthorizationConsumerAbstract::grantsAndRevokes()
Parameters
string $op: 'grant' or 'revoke' signifying what to do with the $consumer_ids.
drupal user object $user: the user account whose authorizations are granted or revoked.
array $user_auth_data: an array specific to this consumer_type. Stored at $user->data['ldap_authorizations'][<consumer_type>].
$consumers: an associative array in the form of LdapAuthorizationConsumerAbstract::populateConsumersFromConsumerIds.
array $ldap_entry: the user's ldap entry, when available.
bool $user_save: indicates whether the user data array should be saved. This depends on the implementation calling this function.
2 calls to LdapAuthorizationConsumerAbstract::grantsAndRevokes()
- LdapAuthorizationConsumerAbstract::authorizationGrant in ldap_authorization/
LdapAuthorizationConsumerAbstract.class.php - Grant authorizations to a user.
- LdapAuthorizationConsumerAbstract::authorizationRevoke in ldap_authorization/
LdapAuthorizationConsumerAbstract.class.php - Revoke authorizations to a user.
1 method overrides LdapAuthorizationConsumerAbstract::grantsAndRevokes()
- LdapAuthorizationConsumerOG::grantsAndRevokes in ldap_authorization/
ldap_authorization_og/ LdapAuthorizationConsumerOG.class.php
File
- ldap_authorization/
LdapAuthorizationConsumerAbstract.class.php, line 318 - Abstract class to represent an ldap_authorization consumer behavior such as drupal_role, og_group, etc. Each authorization consumer will extend this class with its own class named LdapAuthorizationConsumer<consumer type> such as…
Class
Code
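/**
 * Grants or revokes a set of authorizations for one user.
 *
 * For every entry in $consumers the method compares what the user currently
 * holds (usersAuthorizations()) with what is recorded as LDAP-provisioned in
 * $user_auth_data, and then grants, revokes, or only updates the record.
 *
 * @param string $op
 *   'grant' or 'revoke'. Any other value performs no grant and no revoke.
 * @param object $user
 *   Drupal user object, by reference. Replaced by the saved account when
 *   $user_save is TRUE and the save succeeds.
 * @param array $user_auth_data
 *   By reference. Per-consumer records for this consumer type, keyed by
 *   consumer id; reset to an empty array when it is not an array.
 * @param array $consumers
 *   Consumers keyed by consumer id; each entry is read for its 'exists' key.
 * @param array|null $ldap_entry
 *   By reference. Not read by this implementation.
 * @param bool $user_save
 *   Whether to write $user_auth_data back to the account with user_save().
 */
protected function grantsAndRevokes($op, &$user, &$user_auth_data, $consumers, &$ldap_entry = NULL, $user_save = TRUE) {
  if (!is_array($user_auth_data)) {
    $user_auth_data = [];
  }

  $detailed_watchdog_log = variable_get('ldap_help_watchdog_detail', 0);
  $this->sortConsumerIds($op, $consumers);

  // NOTE(review): $results is filled per consumer but never returned or
  // stored, so a caller cannot see a failed grant or revoke from this method.
  $results = [];
  $watchdog_tokens = [];
  $watchdog_tokens['%username'] = $user->name;
  $watchdog_tokens['%action'] = $op;
  $watchdog_tokens['%user_save'] = $user_save;
  $consumer_ids_log = [];
  $users_authorization_ids = $this->usersAuthorizations($user);
  $watchdog_tokens['%users_authorization_ids'] = join(', ', $users_authorization_ids);

  // Membership in this list drives the grant/revoke decision, so compare as
  // strings with strict in_array(): a loose comparison lets PHP's numeric
  // juggling treat different ids as equal (integer array keys vs. string ids).
  $held_authorization_ids = array_map('strval', $users_authorization_ids);

  // Consumer ids and the stored authorization data are handed to watchdog()
  // as placeholder values, never built into the message string: watchdog()
  // escapes @ and % placeholder values when the entry is rendered, while text
  // placed in the message itself is not escaped.
  if ($detailed_watchdog_log) {
    watchdog('ldap_authorization', 'on call of grantsAndRevokes: user_auth_data=@user_auth_data', $watchdog_tokens + ['@user_auth_data' => print_r($user_auth_data, TRUE)], WATCHDOG_DEBUG);
  }

  foreach ($consumers as $consumer_id => $consumer) {
    $consumer_tokens = $watchdog_tokens + ['@consumer_id' => $consumer_id];
    if ($detailed_watchdog_log) {
      watchdog('ldap_authorization', 'consumer_id=@consumer_id, user_save=%user_save, op=%action', $consumer_tokens, WATCHDOG_DEBUG);
    }

    // $log only reaches watchdog() through the %consumer_ids_log placeholder.
    $log = "consumer_id={$consumer_id}, op={$op},";
    $user_has_authorization = in_array((string) $consumer_id, $held_authorization_ids, TRUE);
    $user_has_authorization_recorded = isset($user_auth_data[$consumer_id]);

    /** grants **/
    if ($op == 'grant') {
      if ($user_has_authorization && !$user_has_authorization_recorded) {
        // Grant case 1: authorization id already exists for user, but is not
        // ldap provisioned. Mark as ldap provisioned, but don't regrant.
        $results[$consumer_id] = TRUE;
        $user_auth_data[$consumer_id] = [
          'date_granted' => time(),
          'consumer_id_mixed_case' => $consumer_id,
        ];
      }
      elseif (!$user_has_authorization && $consumer['exists']) {
        // Grant case 2: consumer exists, but user is not member. Grant the
        // authorization and allow the consuming module to add additional
        // data to $user_auth_data; the "+" keeps whatever it stored.
        $results[$consumer_id] = $this->grantSingleAuthorization($user, $consumer_id, $consumer, $user_auth_data, $user_save);
        $existing = empty($user_auth_data[$consumer_id]) ? [] : $user_auth_data[$consumer_id];
        $user_auth_data[$consumer_id] = $existing + [
          'date_granted' => time(),
          'consumer_id_mixed_case' => $consumer_id,
        ];
      }
      elseif ($consumer['exists'] === FALSE) {
        // Grant case 3: something is wrong. Consumers should have been
        // created before calling grantsAndRevokes.
        $results[$consumer_id] = FALSE;
      }
      elseif ($consumer['exists'] === TRUE) {
        // Grant case 4: consumer exists and user has authorization recorded.
        // Do nothing.
        $results[$consumer_id] = TRUE;
      }
      else {
        // Grant case 5: $consumer['exists'] has not been properly set before
        // calling function. Case 3 tests "=== FALSE" rather than "!== TRUE"
        // so that a non-boolean value reaches this branch and is logged; the
        // result is FALSE either way.
        $results[$consumer_id] = FALSE;
        watchdog('ldap_authorization', 'grantsAndRevokes consumer[exists] not properly set. consumer_id=@consumer_id, op=%action, username=%username', $consumer_tokens, WATCHDOG_ERROR);
      }
    }
    elseif ($op == 'revoke') {
      $log .= "revoking existing consumer object, ";
      if ($user_has_authorization) {
        // Revoke case 1: user has authorization, revoke it.
        // revokeSingleAuthorization will remove $user_auth_data[$consumer_id];
        // defer to default for $user_save param.
        $results[$consumer_id] = $this->revokeSingleAuthorization($user, $consumer_id, $consumer, $user_auth_data, $user_save);
        $log .= t(',result=') . (bool) $results[$consumer_id];
      }
      elseif ($user_has_authorization_recorded) {
        // Revoke case 2: user does not have authorization, but has record of
        // it. Remove record of it.
        unset($user_auth_data[$consumer_id]);
        $results[$consumer_id] = TRUE;
      }
      else {
        // Revoke case 3: trying to revoke something that isn't there.
        $results[$consumer_id] = TRUE;
      }
    }

    $consumer_ids_log[] = $log;
    if ($detailed_watchdog_log) {
      watchdog('ldap_authorization', 'user_auth_data after consumer @consumer_id: @user_auth_data', $consumer_tokens + ['@user_auth_data' => print_r($user_auth_data, TRUE)], WATCHDOG_DEBUG);
    }
  }

  $watchdog_tokens['%consumer_ids_log'] = count($consumer_ids_log) ? join('<hr/>', $consumer_ids_log) : t('no actions');

  if ($user_save) {
    // Reload the account uncached; keep the caller's $user untouched until
    // both the load and the save have succeeded.
    $reloaded_user = user_load($user->uid, TRUE);
    if ($reloaded_user) {
      // NOTE(review): $user_edit starts as a copy of the account's data
      // array, so every data key also sits at the top level of the edit
      // array, and the 'data' element carries only this consumer type's
      // authorizations. Confirm against user_save() that this neither drops
      // other consumer types' records nor overwrites account properties.
      $user_edit = is_array($reloaded_user->data) ? $reloaded_user->data : [];
      $user_edit['data']['ldap_authorizations'][$this->consumerType] = $user_auth_data;
      $saved_user = user_save($reloaded_user, $user_edit);
      if ($saved_user) {
        $user = $saved_user;
        // Reload this.
        $user_auth_data = isset($user->data['ldap_authorizations'][$this->consumerType])
          ? $user->data['ldap_authorizations'][$this->consumerType]
          : [];
      }
      else {
        watchdog('ldap_authorization', 'grantsAndRevokes could not save authorization data for %username. action=%action', $watchdog_tokens, WATCHDOG_ERROR);
      }
    }
    else {
      watchdog('ldap_authorization', 'grantsAndRevokes could not reload %username; authorization data was not saved. action=%action', $watchdog_tokens, WATCHDOG_ERROR);
    }
  }

  $this->flushRelatedCaches($consumers);

  if ($detailed_watchdog_log) {
    watchdog('ldap_authorization', '%username:
<hr/>LdapAuthorizationConsumerAbstract grantsAndRevokes() method log. action=%action:<br/> %consumer_ids_log
', $watchdog_tokens, WATCHDOG_DEBUG);
  }
}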