protected function LdapAuthorizationConsumerAbstract::grantsAndRevokes in Lightweight Directory Access Protocol (LDAP) 8.2

Same name and namespace in other branches

1. 7.2 ldap_authorization/LdapAuthorizationConsumerAbstract.class.php \LdapAuthorizationConsumerAbstract::grantsAndRevokes()
2. 7 ldap_authorization/LdapAuthorizationConsumerAbstract.class.php \LdapAuthorizationConsumerAbstract::grantsAndRevokes()

Parameters

string $op 'grant' or 'revoke' signifying what to do with the $consumer_ids:

drupal user object $object:

array $user_auth_data is array specific to this consumer_type. Stored at $user->data['ldap_authorizations'][<consumer_type>]:

$consumers as associative array in form of LdapAuthorizationConsumerAbstract::populateConsumersFromConsumerIds:

array $ldap_entry, when available user's ldap entry.:

boolean $user_save indicates is user data array should be saved or not. this depends on the implementation calling this function:

2 calls to LdapAuthorizationConsumerAbstract::grantsAndRevokes()

LdapAuthorizationConsumerAbstract::authorizationGrant in ldap_authorization/LdapAuthorizationConsumerAbstract.class.php

grant authorizations to a user

LdapAuthorizationConsumerAbstract::authorizationRevoke in ldap_authorization/LdapAuthorizationConsumerAbstract.class.php

revoke authorizations to a user

1 method overrides LdapAuthorizationConsumerAbstract::grantsAndRevokes()

LdapAuthorizationConsumerOG::grantsAndRevokes in ldap_authorization/ldap_authorization_og/LdapAuthorizationConsumerOG.class.php

File

ldap_authorization/LdapAuthorizationConsumerAbstract.class.php, line 277

abstract class to represent an ldap_authorization consumer behavior such as drupal_role, og_group, etc. each authorization comsumer will extend this class with its own class named LdapAuthorizationConsumer<consumer type> such as…

Class

LdapAuthorizationConsumerAbstract

@file

Code

protected function grantsAndRevokes($op, &$user, &$user_auth_data, $consumers, &$ldap_entry = NULL, $user_save = TRUE) {
  if (!is_array($user_auth_data)) {
    $user_auth_data = array();
  }
  $detailed_watchdog_log = config('ldap_help.settings')
    ->get('watchdog_detail');
  $this
    ->sortConsumerIds($op, $consumers);
  $results = array();
  $watchdog_tokens = array();
  $watchdog_tokens['%username'] = $user->name;
  $watchdog_tokens['%action'] = $op;
  $watchdog_tokens['%user_save'] = $user_save;
  $consumer_ids_log = array();
  $users_authorization_ids = $this
    ->usersAuthorizations($user);
  $watchdog_tokens['%users_authorization_ids'] = join(', ', $users_authorization_ids);
  if ($detailed_watchdog_log) {
    watchdog('ldap_authorization', "on call of grantsAndRevokes: user_auth_data=" . print_r($user_auth_data, TRUE), $watchdog_tokens, WATCHDOG_DEBUG);
  }
  foreach ($consumers as $consumer_id => $consumer) {
    if ($detailed_watchdog_log) {
      watchdog('ldap_authorization', "consumer_id={$consumer_id}, user_save={$user_save}, op={$op}", $watchdog_tokens, WATCHDOG_DEBUG);
    }
    $log = "consumer_id={$consumer_id}, op={$op},";
    $user_has_authorization = in_array($consumer_id, $users_authorization_ids);
    $user_has_authorization_recorded = isset($user_auth_data[$consumer_id]);

    /** grants **/
    if ($op == 'grant') {
      if ($user_has_authorization && !$user_has_authorization_recorded) {

        // grant case 1: authorization id already exists for user, but is not ldap provisioned.  mark as ldap provisioned, but don't regrant
        $results[$consumer_id] = TRUE;
        $user_auth_data[$consumer_id] = array(
          'date_granted' => time(),
          'consumer_id_mixed_case' => $consumer_id,
        );
      }
      elseif (!$user_has_authorization && $consumer['exists']) {

        // grant case 2: consumer exists, but user is not member. grant authorization
        $results[$consumer_id] = $this
          ->grantSingleAuthorization($user, $consumer_id, $consumer, $user_auth_data, $user_save);

        // allow consuming module to add additional data to $user_auth_data
        $existing = empty($user_auth_data[$consumer_id]) ? array() : $user_auth_data[$consumer_id];
        $user_auth_data[$consumer_id] = $existing + array(
          'date_granted' => time(),
          'consumer_id_mixed_case' => $consumer_id,
        );
      }
      elseif ($consumer['exists'] !== TRUE) {

        // grant case 3: something is wrong. consumers should have been created before calling grantsAndRevokes
        $results[$consumer_id] = FALSE;
      }
      elseif ($consumer['exists'] === TRUE) {

        // grant case 4: consumer exists and user has authorization recorded. do nothing
        $results[$consumer_id] = TRUE;
      }
      else {

        // grant case 5: $consumer['exists'] has not been properly set before calling function
        $results[$consumer_id] = FALSE;
        watchdog('ldap_authorization', "grantsAndRevokes consumer[exists] not properly set. consumer_id={$consumer_id}, op={$op}, username=%username", $watchdog_tokens, WATCHDOG_ERROR);
      }
    }
    elseif ($op == 'revoke') {
      $log .= "revoking existing consumer object, ";
      if ($user_has_authorization) {

        // revoke case 1: user has authorization, revoke it.  revokeSingleAuthorization will remove $user_auth_data[$consumer_id]

        //debug("op=revoke, consumer_id=$consumer_id, calling revokeSingleAuthorization");
        $results[$consumer_id] = $this
          ->revokeSingleAuthorization($user, $consumer_id, $consumer, $user_auth_data, $user_save);

        // defer to default for $user_save param
        $log .= t(',result=') . (bool) $results[$consumer_id];
      }
      elseif ($user_has_authorization_recorded) {

        // revoke case 2: user does not have authorization, but has record of it. remove record of it.
        unset($user_auth_data[$consumer_id]);
        $results[$consumer_id] = TRUE;
      }
      else {

        // revoke case 3: trying to revoke something that isn't there
        $results[$consumer_id] = TRUE;
      }
    }
    $consumer_ids_log[] = $log;
    if ($detailed_watchdog_log) {
      watchdog('ldap_authorization', "user_auth_data after consumer {$consumer_id}" . print_r($user_auth_data, TRUE), $watchdog_tokens, WATCHDOG_DEBUG);
    }
    $watchdog_tokens['%consumer_ids_log'] = count($consumer_ids_log) ? join('<hr/>', $consumer_ids_log) : t('no actions');
  }

  // debug("user->data and user_auth_data"); debug($user->data); debug($user_auth_data);
  if ($user_save) {
    $user = user_load($user->uid, TRUE);
    $user_edit = $user->data;
    $user_edit['data']['ldap_authorizations'][$this->consumerType] = $user_auth_data;
    $user = user_save($user, $user_edit);
    $user_auth_data = $user->data['ldap_authorizations'][$this->consumerType];

    // reload this.
  }
  $this
    ->flushRelatedCaches($consumers);
  if ($detailed_watchdog_log) {
    watchdog('ldap_authorization', '%username:
        <hr/>LdapAuthorizationConsumerAbstract grantsAndRevokes() method log.  action=%action:<br/> %consumer_ids_log
        ', $watchdog_tokens, WATCHDOG_DEBUG);
  }
}