protected function LdapAuthorizationConsumerAbstract::grantsAndRevokes in Lightweight Directory Access Protocol (LDAP) 8.2
Same name and namespace in other branches
- 7.2 ldap_authorization/LdapAuthorizationConsumerAbstract.class.php \LdapAuthorizationConsumerAbstract::grantsAndRevokes()
- 7 ldap_authorization/LdapAuthorizationConsumerAbstract.class.php \LdapAuthorizationConsumerAbstract::grantsAndRevokes()
Parameters
string $op 'grant' or 'revoke' signifying what to do with the $consumer_ids:
drupal user object $object:
array $user_auth_data is array specific to this consumer_type. Stored at $user->data['ldap_authorizations'][<consumer_type>]:
$consumers as associative array in form of LdapAuthorizationConsumerAbstract::populateConsumersFromConsumerIds:
array $ldap_entry, when available user's ldap entry.:
boolean $user_save indicates is user data array should be saved or not. this depends on the implementation calling this function:
2 calls to LdapAuthorizationConsumerAbstract::grantsAndRevokes()
- LdapAuthorizationConsumerAbstract::authorizationGrant in ldap_authorization/
LdapAuthorizationConsumerAbstract.class.php - grant authorizations to a user
- LdapAuthorizationConsumerAbstract::authorizationRevoke in ldap_authorization/
LdapAuthorizationConsumerAbstract.class.php - revoke authorizations to a user
1 method overrides LdapAuthorizationConsumerAbstract::grantsAndRevokes()
- LdapAuthorizationConsumerOG::grantsAndRevokes in ldap_authorization/
ldap_authorization_og/ LdapAuthorizationConsumerOG.class.php
File
- ldap_authorization/
LdapAuthorizationConsumerAbstract.class.php, line 277 - abstract class to represent an ldap_authorization consumer behavior such as drupal_role, og_group, etc. each authorization comsumer will extend this class with its own class named LdapAuthorizationConsumer<consumer type> such as…
Class
Code
protected function grantsAndRevokes($op, &$user, &$user_auth_data, $consumers, &$ldap_entry = NULL, $user_save = TRUE) {
if (!is_array($user_auth_data)) {
$user_auth_data = array();
}
$detailed_watchdog_log = config('ldap_help.settings')
->get('watchdog_detail');
$this
->sortConsumerIds($op, $consumers);
$results = array();
$watchdog_tokens = array();
$watchdog_tokens['%username'] = $user->name;
$watchdog_tokens['%action'] = $op;
$watchdog_tokens['%user_save'] = $user_save;
$consumer_ids_log = array();
$users_authorization_ids = $this
->usersAuthorizations($user);
$watchdog_tokens['%users_authorization_ids'] = join(', ', $users_authorization_ids);
if ($detailed_watchdog_log) {
watchdog('ldap_authorization', "on call of grantsAndRevokes: user_auth_data=" . print_r($user_auth_data, TRUE), $watchdog_tokens, WATCHDOG_DEBUG);
}
foreach ($consumers as $consumer_id => $consumer) {
if ($detailed_watchdog_log) {
watchdog('ldap_authorization', "consumer_id={$consumer_id}, user_save={$user_save}, op={$op}", $watchdog_tokens, WATCHDOG_DEBUG);
}
$log = "consumer_id={$consumer_id}, op={$op},";
$user_has_authorization = in_array($consumer_id, $users_authorization_ids);
$user_has_authorization_recorded = isset($user_auth_data[$consumer_id]);
/** grants **/
if ($op == 'grant') {
if ($user_has_authorization && !$user_has_authorization_recorded) {
// grant case 1: authorization id already exists for user, but is not ldap provisioned. mark as ldap provisioned, but don't regrant
$results[$consumer_id] = TRUE;
$user_auth_data[$consumer_id] = array(
'date_granted' => time(),
'consumer_id_mixed_case' => $consumer_id,
);
}
elseif (!$user_has_authorization && $consumer['exists']) {
// grant case 2: consumer exists, but user is not member. grant authorization
$results[$consumer_id] = $this
->grantSingleAuthorization($user, $consumer_id, $consumer, $user_auth_data, $user_save);
// allow consuming module to add additional data to $user_auth_data
$existing = empty($user_auth_data[$consumer_id]) ? array() : $user_auth_data[$consumer_id];
$user_auth_data[$consumer_id] = $existing + array(
'date_granted' => time(),
'consumer_id_mixed_case' => $consumer_id,
);
}
elseif ($consumer['exists'] !== TRUE) {
// grant case 3: something is wrong. consumers should have been created before calling grantsAndRevokes
$results[$consumer_id] = FALSE;
}
elseif ($consumer['exists'] === TRUE) {
// grant case 4: consumer exists and user has authorization recorded. do nothing
$results[$consumer_id] = TRUE;
}
else {
// grant case 5: $consumer['exists'] has not been properly set before calling function
$results[$consumer_id] = FALSE;
watchdog('ldap_authorization', "grantsAndRevokes consumer[exists] not properly set. consumer_id={$consumer_id}, op={$op}, username=%username", $watchdog_tokens, WATCHDOG_ERROR);
}
}
elseif ($op == 'revoke') {
$log .= "revoking existing consumer object, ";
if ($user_has_authorization) {
// revoke case 1: user has authorization, revoke it. revokeSingleAuthorization will remove $user_auth_data[$consumer_id]
//debug("op=revoke, consumer_id=$consumer_id, calling revokeSingleAuthorization");
$results[$consumer_id] = $this
->revokeSingleAuthorization($user, $consumer_id, $consumer, $user_auth_data, $user_save);
// defer to default for $user_save param
$log .= t(',result=') . (bool) $results[$consumer_id];
}
elseif ($user_has_authorization_recorded) {
// revoke case 2: user does not have authorization, but has record of it. remove record of it.
unset($user_auth_data[$consumer_id]);
$results[$consumer_id] = TRUE;
}
else {
// revoke case 3: trying to revoke something that isn't there
$results[$consumer_id] = TRUE;
}
}
$consumer_ids_log[] = $log;
if ($detailed_watchdog_log) {
watchdog('ldap_authorization', "user_auth_data after consumer {$consumer_id}" . print_r($user_auth_data, TRUE), $watchdog_tokens, WATCHDOG_DEBUG);
}
$watchdog_tokens['%consumer_ids_log'] = count($consumer_ids_log) ? join('<hr/>', $consumer_ids_log) : t('no actions');
}
// debug("user->data and user_auth_data"); debug($user->data); debug($user_auth_data);
if ($user_save) {
$user = user_load($user->uid, TRUE);
$user_edit = $user->data;
$user_edit['data']['ldap_authorizations'][$this->consumerType] = $user_auth_data;
$user = user_save($user, $user_edit);
$user_auth_data = $user->data['ldap_authorizations'][$this->consumerType];
// reload this.
}
$this
->flushRelatedCaches($consumers);
if ($detailed_watchdog_log) {
watchdog('ldap_authorization', '%username:
<hr/>LdapAuthorizationConsumerAbstract grantsAndRevokes() method log. action=%action:<br/> %consumer_ids_log
', $watchdog_tokens, WATCHDOG_DEBUG);
}
}