You are here

Home » API reference » Lightweight Directory Access Protocol (LDAP) 7.2 » LdapAuthorizationConsumerAbstract.class.php » LdapAuthorizationConsumerAbstract

protected function LdapAuthorizationConsumerAbstract::grantsAndRevokes in Lightweight Directory Access Protocol (LDAP) 7.2

Same name and namespace in other branches
  1. 8.2 ldap_authorization/LdapAuthorizationConsumerAbstract.class.php \LdapAuthorizationConsumerAbstract::grantsAndRevokes()
  2. 7 ldap_authorization/LdapAuthorizationConsumerAbstract.class.php \LdapAuthorizationConsumerAbstract::grantsAndRevokes()

Parameters

string $op: 'grant' or 'revoke' signifying what to do with the $consumer_ids.

drupal user object $object:

array $user_auth_data: is array specific to this consumer_type. Stored at $user->data['ldap_authorizations'][<consumer_type>].

$consumers: as associative array in form of LdapAuthorizationConsumerAbstract::populateConsumersFromConsumerIds

array $ldap_entry,: when available user's ldap entry.

bool $user_save: indicates is user data array should be saved or not. this depends on the implementation calling this function.

2 calls to LdapAuthorizationConsumerAbstract::grantsAndRevokes()
LdapAuthorizationConsumerAbstract::authorizationGrant in ldap_authorization/LdapAuthorizationConsumerAbstract.class.php
Grant authorizations to a user.
LdapAuthorizationConsumerAbstract::authorizationRevoke in ldap_authorization/LdapAuthorizationConsumerAbstract.class.php
Revoke authorizations to a user.
1 method overrides LdapAuthorizationConsumerAbstract::grantsAndRevokes()
LdapAuthorizationConsumerOG::grantsAndRevokes in ldap_authorization/ldap_authorization_og/LdapAuthorizationConsumerOG.class.php

File

ldap_authorization/LdapAuthorizationConsumerAbstract.class.php, line 318
Abstract class to represent an ldap_authorization consumer behavior such as drupal_role, og_group, etc. each authorization comsumer will extend this class with its own class named LdapAuthorizationConsumer<consumer type> such as…

Class

LdapAuthorizationConsumerAbstract

Code

protected function grantsAndRevokes($op, &$user, &$user_auth_data, $consumers, &$ldap_entry = NULL, $user_save = TRUE) {
  if (!is_array($user_auth_data)) {
    $user_auth_data = [];
  }
  $detailed_watchdog_log = variable_get('ldap_help_watchdog_detail', 0);
  $this
    ->sortConsumerIds($op, $consumers);
  $results = [];
  $watchdog_tokens = [];
  $watchdog_tokens['%username'] = $user->name;
  $watchdog_tokens['%action'] = $op;
  $watchdog_tokens['%user_save'] = $user_save;
  $consumer_ids_log = [];
  $users_authorization_ids = $this
    ->usersAuthorizations($user);
  $watchdog_tokens['%users_authorization_ids'] = join(', ', $users_authorization_ids);
  if ($detailed_watchdog_log) {
    watchdog('ldap_authorization', "on call of grantsAndRevokes: user_auth_data=" . print_r($user_auth_data, TRUE), $watchdog_tokens, WATCHDOG_DEBUG);
  }
  foreach ($consumers as $consumer_id => $consumer) {
    if ($detailed_watchdog_log) {
      watchdog('ldap_authorization', "consumer_id={$consumer_id}, user_save={$user_save}, op={$op}", $watchdog_tokens, WATCHDOG_DEBUG);
    }
    $log = "consumer_id={$consumer_id}, op={$op},";
    $user_has_authorization = in_array($consumer_id, $users_authorization_ids);
    $user_has_authorization_recorded = isset($user_auth_data[$consumer_id]);

    /** grants **/
    if ($op == 'grant') {
      if ($user_has_authorization && !$user_has_authorization_recorded) {

        // Grant case 1: authorization id already exists for user, but is not ldap provisioned.  mark as ldap provisioned, but don't regrant.
        $results[$consumer_id] = TRUE;
        $user_auth_data[$consumer_id] = [
          'date_granted' => time(),
          'consumer_id_mixed_case' => $consumer_id,
        ];
      }
      elseif (!$user_has_authorization && $consumer['exists']) {

        // Grant case 2: consumer exists, but user is not member. grant authorization
        // allow consuming module to add additional data to $user_auth_data.
        $results[$consumer_id] = $this
          ->grantSingleAuthorization($user, $consumer_id, $consumer, $user_auth_data, $user_save);
        $existing = empty($user_auth_data[$consumer_id]) ? [] : $user_auth_data[$consumer_id];
        $user_auth_data[$consumer_id] = $existing + [
          'date_granted' => time(),
          'consumer_id_mixed_case' => $consumer_id,
        ];
      }
      elseif ($consumer['exists'] !== TRUE) {

        // Grant case 3: something is wrong. consumers should have been created before calling grantsAndRevokes.
        $results[$consumer_id] = FALSE;
      }
      elseif ($consumer['exists'] === TRUE) {

        // Grant case 4: consumer exists and user has authorization recorded. do nothing.
        $results[$consumer_id] = TRUE;
      }
      else {

        // Grant case 5: $consumer['exists'] has not been properly set before calling function.
        $results[$consumer_id] = FALSE;
        watchdog('ldap_authorization', "grantsAndRevokes consumer[exists] not properly set. consumer_id={$consumer_id}, op={$op}, username=%username", $watchdog_tokens, WATCHDOG_ERROR);
      }
    }
    elseif ($op == 'revoke') {
      $log .= "revoking existing consumer object, ";
      if ($user_has_authorization) {

        // Revoke case 1: user has authorization, revoke it.  revokeSingleAuthorization will remove $user_auth_data[$consumer_id]
        // defer to default for $user_save param.
        $results[$consumer_id] = $this
          ->revokeSingleAuthorization($user, $consumer_id, $consumer, $user_auth_data, $user_save);
        $log .= t(',result=') . (bool) $results[$consumer_id];
      }
      elseif ($user_has_authorization_recorded) {

        // Revoke case 2: user does not have authorization, but has record of it. remove record of it.
        unset($user_auth_data[$consumer_id]);
        $results[$consumer_id] = TRUE;
      }
      else {

        // Revoke case 3: trying to revoke something that isn't there.
        $results[$consumer_id] = TRUE;
      }
    }
    $consumer_ids_log[] = $log;
    if ($detailed_watchdog_log) {
      watchdog('ldap_authorization', "user_auth_data after consumer {$consumer_id}" . print_r($user_auth_data, TRUE), $watchdog_tokens, WATCHDOG_DEBUG);
    }
  }
  $watchdog_tokens['%consumer_ids_log'] = count($consumer_ids_log) ? join('<hr/>', $consumer_ids_log) : t('no actions');
  if ($user_save) {
    $user = user_load($user->uid, TRUE);
    $user_edit = $user->data;
    $user_edit['data']['ldap_authorizations'][$this->consumerType] = $user_auth_data;
    $user = user_save($user, $user_edit);

    // Reload this.
    $user_auth_data = $user->data['ldap_authorizations'][$this->consumerType];
  }
  $this
    ->flushRelatedCaches($consumers);
  if ($detailed_watchdog_log) {
    watchdog('ldap_authorization', '%username:
        <hr/>LdapAuthorizationConsumerAbstract grantsAndRevokes() method log.  action=%action:<br/> %consumer_ids_log
        ', $watchdog_tokens, WATCHDOG_DEBUG);
  }
}