function _ldap_authorizations_user_authorizations_set in Lightweight Directory Access Protocol (LDAP) 8.2
Same name and namespace in other branches
- 7.2 ldap_authorization/ldap_authorization.inc \_ldap_authorizations_user_authorizations_set()
- 7 ldap_authorization/ldap_authorization.inc \_ldap_authorizations_user_authorizations_set()
Parameters
object $user is a drupal user account object; it need not be the current user.
object $consumer is an instance of an authorization consumer class, such as LdapAuthorizationConsumerDrupalRole.
array $filtered_ldap_authorizations is an associative array with lower case authorization ids as keys and mixed case strings as values: all authorization ids a user is granted via ldap authorization configuration.
object $ldap_entry is the user's ldap entry. The mapping of drupal user to ldap entry is stored in ldap_server configuration.
returns nothing
1 call to _ldap_authorizations_user_authorizations_set()
- _ldap_authorizations_user_authorizations in ldap_authorization/
ldap_authorization.inc - return all desired authorizations for a given user
File
- ldap_authorization/
ldap_authorization.inc, line 329 - bulk of authorization code executed to determine a user's authorizations
Code
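/**
 * Applies LDAP-derived authorizations (grants and revokes) to a user and saves the user.
 *
 * Order of operations: read what LDAP authorization previously granted for
 * this consumer type from $user->data, work out the new grants (optionally
 * skipping ids already granted), grant only ids whose consumer object
 * exists, revoke previously LDAP-granted ids that are no longer proposed
 * (when revokeLdapProvisioned is enabled), then persist the updated data
 * with user_save().
 *
 * @param object $user
 *   Drupal user account object, passed by reference; it is replaced by the
 *   object returned from user_save() before this function returns.
 * @param object $consumer
 *   Authorization consumer instance, e.g. LdapAuthorizationConsumerDrupalRole.
 * @param array $filtered_ldap_authorizations
 *   Lower case authorization ids as keys; each value is an array carrying at
 *   least an 'exists' flag for the consumer id.
 * @param object $ldap_entry
 *   The user's LDAP entry, passed by reference to the consumer grant/revoke calls.
 * @param array $watchdog_tokens
 *   Placeholder tokens for the detailed watchdog message. Received by value,
 *   so the tokens added here are local to this call.
 * @param bool $test
 *   When TRUE, intermediate state is recorded under
 *   $_SESSION['ldap_authorization_test_query'] for the test query page.
 */
function _ldap_authorizations_user_authorizations_set(&$user, $consumer, $filtered_ldap_authorizations, &$ldap_entry, $watchdog_tokens, $test) {
  $detailed_watchdog_log = config('ldap_help.settings')
    ->get('watchdog_detail');
  ldap_authorization_cleanse_empty_og_fields($user);

  /**
   * A. Determine what authorizations have been granted in the past by ldap authorization
   */
  // Only this consumer type's entry is consulted; other consumers' data is left alone.
  if (isset($user->data['ldap_authorizations'][$consumer->consumerType]) && is_array($user->data['ldap_authorizations'][$consumer->consumerType])) {
    $user_auth_data = $user->data['ldap_authorizations'][$consumer->consumerType];
    $initial_existing_ldap_authorizations = array_keys($user_auth_data);
  }
  else {
    $user_auth_data = array();
    $initial_existing_ldap_authorizations = array();
  }

  if ($test) {
    // Test mode snapshots the pre-change state into the session for display.
    $_SESSION['ldap_authorization_test_query']['setting_data']['Pre Grant/Revokes $user->data[ldap_authorizations][' . $consumer->consumerType . ']'] = $user_auth_data;
    $_SESSION['ldap_authorization_test_query']['setting_data']['Pre Grant/Revokes authorizations user has'] = $consumer
      ->usersAuthorizations($user);
  }
  $watchdog_tokens['%initial'] = join(', ', $initial_existing_ldap_authorizations);
  $watchdog_tokens['%filtered_ldap_authorizations'] = join(', ', array_keys($filtered_ldap_authorizations));

  /**
   * B. if regrantLdapProvisioned is false, $grants_lcase array should only be new authorizations
   */
  if (!$consumer->consumerConf->regrantLdapProvisioned) {
    // if regranting disabled, filter off previously granted roles
    $grants = array_diff(array_keys($filtered_ldap_authorizations), $initial_existing_ldap_authorizations);
    if ($test) {
      $_SESSION['ldap_authorization_test_query']['setting_data']['Grants after regrantLdapProvisioned filter'] = $grants;
    }
  }
  else {
    $grants = array_keys($filtered_ldap_authorizations);
  }
  $watchdog_tokens['%grants1'] = join(', ', $grants);

  /**
   * D. Only grant authorization consumer ids that exist
   */
  $existing_grants = array();
  // keys are lcase, values are mixed case
  foreach ($grants as $i => $grant) {
    // An id whose consumer object does not exist (or has no 'exists' flag) is never granted.
    if (!empty($filtered_ldap_authorizations[$grant]['exists'])) {
      $existing_grants[$grant] = $filtered_ldap_authorizations[$grant];
    }
  }

  /**
   * E. Do grants
   */
  $watchdog_tokens['%filtered_grants_full_array'] = print_r($existing_grants, TRUE);
  $consumer
    ->authorizationGrant($user, $user_auth_data, $existing_grants, $ldap_entry, FALSE);
  // NOTE(review): $user_auth_data is reported as "post grants" below, so
  // authorizationGrant() presumably updates it by reference; confirm in the consumer class.
  $watchdog_tokens['%user_auth_data_post_grants'] = print_r($user_auth_data, TRUE);
  $watchdog_tokens['%user_data_post_grants'] = print_r($user->data, TRUE);

  /**
   * 3.F take away any authorizations not in proposed authorization,
   * but previously granted by ldap
   */
  $watchdog_tokens['%revokes'] = t('none');
  if ($consumer->consumerConf->revokeLdapProvisioned) {
    // Candidates for revocation: previously LDAP-granted ids absent from the current proposal.
    $revokes_lcase = $consumer
      ->authorizationDiff($initial_existing_ldap_authorizations, array_keys($filtered_ldap_authorizations));
    if (count($revokes_lcase)) {
      $revokes = array();
      // keys are lcase, values are mixed case
      foreach ($revokes_lcase as $i => $revoke_lcase) {
        $revokes[$revoke_lcase] = array(
          'value' => NULL,
          'map_to_string' => NULL,
          'exists' => TRUE,
        );
      }
      if ($test) {
        $_SESSION['ldap_authorization_test_query']['setting_data']['Revokes'] = $revokes;
      }
      $consumer
        ->authorizationRevoke($user, $user_auth_data, $revokes, $ldap_entry, FALSE);
      $watchdog_tokens['%revokes'] = join(', ', array_keys($revokes));
    }
  }
  $watchdog_tokens['%user_auth_data_post_revokes'] = print_r($user_auth_data, TRUE);
  $watchdog_tokens['%user_data_post_revokes'] = print_r($user->data, TRUE);

  /**
   * 3.G save user object and user data
   * note $user object is passed by reference into this function
   */
  $user_edit = array(
    'data' => $user->data,
  );
  // Preserve data stored by other consumer types; only this consumer's entry is rewritten.
  $user_edit['data']['ldap_authorizations'] = empty($user->data['ldap_authorizations']) ? array() : $user->data['ldap_authorizations'];
  $consumer
    ->sortConsumerIds('grant', $user_auth_data);
  // keep in good display order
  $user_edit['data']['ldap_authorizations'][$consumer->consumerType] = $user_auth_data;
  $watchdog_tokens['%user_edit_presave'] = print_r($user_edit, TRUE);
  $user = user_save($user, $user_edit);
  $watchdog_tokens['%user_data_post_save'] = print_r($user->data, TRUE);
  $watchdog_tokens['%user_roles_post_save'] = print_r($user->roles, TRUE);

  if ($detailed_watchdog_log) {
    // The detailed log dumps the entire $user->data array and the full user_edit
    // array (not just this consumer's entry) into watchdog at debug level, so
    // leave watchdog_detail disabled outside of troubleshooting.
    watchdog('ldap_authorization', '%username : user_authorizations_set results for %consumer_type:
<hr/>1. Initial existing authorizations: %initial
<hr/>2. Filtered Authorizations: %filtered_ldap_authorizations
<hr/>3. After filtering off previously granted authorizations (if regrant is false): %grants1
<hr/>4a. full consumers array, pre grants: %filtered_grants_full_array
<hr/>4b. user auth data after grants %consumer_type: <pre>%user_auth_data_post_grants</pre>
<hr/>4c. user data after grants for %consumer_type: <pre>%user_data_post_grants</pre>
<hr/>5a. revokes passed to authorizationRevoke(): %revokes
<hr/>5b. user auth data after revokes %consumer_type: <pre>%user_auth_data_post_revokes</pre>
<hr/>5c. user data after revokes for %consumer_type: <pre>%user_data_post_revokes</pre>
<hr/>6a. user_edit pre save : <pre>%user_edit_presave</pre>
<hr/>6b. user data post save: <pre>%user_data_post_save</pre>
<hr/>6c. user roles post save: <pre>%user_roles_post_save</pre>
', $watchdog_tokens, WATCHDOG_DEBUG);
  }

  if ($test) {
    // Post-save snapshot for the test query page, mirroring the pre-change snapshot above.
    $_SESSION['ldap_authorization_test_query']['setting_data']['Post Grant/Revokes authorizations user has'] = $consumer
      ->usersAuthorizations($user);
    $_SESSION['ldap_authorization_test_query']['setting_data']['Post Grant/Revokes $user->data[ldap_authorizations][' . $consumer->consumerType . ']'] = $user->data['ldap_authorizations'][$consumer->consumerType];
  }
}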