
function _ldap_authorizations_user_authorizations_set in Lightweight Directory Access Protocol (LDAP) 8.2

Same name and namespace in other branches
  1. 7.2 ldap_authorization/ldap_authorization.inc \_ldap_authorizations_user_authorizations_set()
  2. 7 ldap_authorization/ldap_authorization.inc \_ldap_authorizations_user_authorizations_set()

Parameters

object $user: a Drupal user account object; it need not be the current user.

object $consumer: an instance of an authorization consumer class, such as LdapAuthorizationConsumerDrupalRole.

array $filtered_ldap_authorizations: associative array of all authorization ids a user is granted via the LDAP authorization configuration, with lower-case authorization ids as keys and mixed-case strings as values.

object $ldap_entry: the user's LDAP entry. The mapping of a Drupal user to an LDAP entry is stored in the ldap_server configuration.

returns nothing

1 call to _ldap_authorizations_user_authorizations_set()
_ldap_authorizations_user_authorizations in ldap_authorization/ldap_authorization.inc
Returns all desired authorizations for a given user.

File

ldap_authorization/ldap_authorization.inc, line 329
Bulk of the authorization code executed to determine a user's authorizations.

Code

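/**
 * Applies one consumer's grants and revokes to a user and saves the user.
 *
 * Sequence: read the authorizations this consumer previously granted from
 * $user->data; compute the grants (optionally excluding ids already granted);
 * keep only grants whose consumer id exists; hand them to the consumer;
 * revoke previously granted ids that are no longer in the filtered set (when
 * the consumer config allows revokes); persist the updated $user->data via
 * user_save(); optionally write a detailed watchdog entry.
 *
 * @param object $user
 *   Drupal user account object, by reference. It is replaced with the value
 *   returned by user_save(), so callers see the saved object.
 * @param object $consumer
 *   Authorization consumer instance (e.g. LdapAuthorizationConsumerDrupalRole).
 *   Read here: consumerType, consumerConf->regrantLdapProvisioned,
 *   consumerConf->revokeLdapProvisioned, and the grant/revoke/diff/sort methods.
 * @param array $filtered_ldap_authorizations
 *   Authorization ids the user should hold, keyed by (lower-case) id. Each
 *   value is an array; only its 'exists' element is inspected here.
 * @param object $ldap_entry
 *   The user's LDAP entry, by reference; passed through to the consumer.
 * @param array $watchdog_tokens
 *   Placeholder tokens for the detailed log message. Received by value, so
 *   the tokens added here are local to this call.
 * @param bool $test
 *   When TRUE, intermediate state (including the user's authorization data)
 *   is copied into $_SESSION['ldap_authorization_test_query'] for the test
 *   query UI. Presumably only enabled from an administrative path — confirm
 *   against the caller.
 */
function _ldap_authorizations_user_authorizations_set(&$user, $consumer, $filtered_ldap_authorizations, &$ldap_entry, $watchdog_tokens, $test) {
  $detailed_watchdog_log = config('ldap_help.settings')
    ->get('watchdog_detail');
  ldap_authorization_cleanse_empty_og_fields($user);

  /**
   * A.  Determine what authorizations have been granted in the past by ldap authorization
   */
  // Previously granted ids live under $user->data['ldap_authorizations'][<consumerType>];
  // anything missing or malformed is treated as "nothing granted yet".
  if (isset($user->data['ldap_authorizations'][$consumer->consumerType]) && is_array($user->data['ldap_authorizations'][$consumer->consumerType])) {
    $user_auth_data = $user->data['ldap_authorizations'][$consumer->consumerType];
    $initial_existing_ldap_authorizations = array_keys($user_auth_data);
  }
  else {
    $user_auth_data = array();
    $initial_existing_ldap_authorizations = array();
  }
  if ($test) {
    $_SESSION['ldap_authorization_test_query']['setting_data']['Pre Grant/Revokes $user->data[ldap_authorizations][' . $consumer->consumerType . ']'] = $user_auth_data;
    $_SESSION['ldap_authorization_test_query']['setting_data']['Pre Grant/Revokes authorizations user has'] = $consumer
      ->usersAuthorizations($user);
  }
  $watchdog_tokens['%initial'] = implode(', ', $initial_existing_ldap_authorizations);
  $watchdog_tokens['%filtered_ldap_authorizations'] = implode(', ', array_keys($filtered_ldap_authorizations));

  /**
   * B. if regrantLdapProvisioned is false, $grants_lcase array should only be new authorizations
   */
  if (!$consumer->consumerConf->regrantLdapProvisioned) {

    // if regranting disabled, filter off previously granted roles
    $grants = array_diff(array_keys($filtered_ldap_authorizations), $initial_existing_ldap_authorizations);
    if ($test) {
      $_SESSION['ldap_authorization_test_query']['setting_data']['Grants after regrantLdapProvisioned filter'] = $grants;
    }
  }
  else {
    $grants = array_keys($filtered_ldap_authorizations);
  }
  $watchdog_tokens['%grants1'] = implode(', ', $grants);

  /**
   * D.  Only grant authorization consumer ids that exist
   */
  $existing_grants = array();

  // keys are lcase, values are mixed case
  // An id without a truthy 'exists' flag is dropped rather than granted.
  foreach ($grants as $grant) {
    if (!empty($filtered_ldap_authorizations[$grant]['exists'])) {
      $existing_grants[$grant] = $filtered_ldap_authorizations[$grant];
    }
  }

  /**
   * E. Do grants
   */
  $watchdog_tokens['%filtered_grants_full_array'] = print_r($existing_grants, TRUE);
  // $user_auth_data is expected to be updated in place by the consumer
  // (it is re-read below) — TODO confirm against authorizationGrant().
  $consumer
    ->authorizationGrant($user, $user_auth_data, $existing_grants, $ldap_entry, FALSE);
  $watchdog_tokens['%user_auth_data_post_grants'] = print_r($user_auth_data, TRUE);
  $watchdog_tokens['%user_data_post_grants'] = print_r($user->data, TRUE);

  /**
   *  3.F take away any authorizations not in proposed authorization,
   *      but previously granted by ldap
   */
  $watchdog_tokens['%revokes'] = t('none');
  if ($consumer->consumerConf->revokeLdapProvisioned) {
    // Only ids this module granted earlier are candidates for revocation;
    // authorizations from other sources are never touched here.
    $revokes_lcase = $consumer
      ->authorizationDiff($initial_existing_ldap_authorizations, array_keys($filtered_ldap_authorizations));
    if (count($revokes_lcase)) {
      $revokes = array();

      // keys are lcase, values are mixed case
      foreach ($revokes_lcase as $revoke_lcase) {
        $revokes[$revoke_lcase] = array(
          'value' => NULL,
          'map_to_string' => NULL,
          'exists' => TRUE,
        );
      }
      if ($test) {
        $_SESSION['ldap_authorization_test_query']['setting_data']['Revokes'] = $revokes;
      }
      $consumer
        ->authorizationRevoke($user, $user_auth_data, $revokes, $ldap_entry, FALSE);
      $watchdog_tokens['%revokes'] = implode(', ', array_keys($revokes));
    }
  }
  $watchdog_tokens['%user_auth_data_post_revokes'] = print_r($user_auth_data, TRUE);
  $watchdog_tokens['%user_data_post_revokes'] = print_r($user->data, TRUE);

  /**
   *  3.G  save user object and user data
   *  note $user object is passed by reference into this function
   */
  $user_edit = array(
    'data' => $user->data,
  );
  $user_edit['data']['ldap_authorizations'] = empty($user->data['ldap_authorizations']) ? array() : $user->data['ldap_authorizations'];
  $consumer
    ->sortConsumerIds('grant', $user_auth_data);

  // keep in good display order
  $user_edit['data']['ldap_authorizations'][$consumer->consumerType] = $user_auth_data;
  $watchdog_tokens['%user_edit_presave'] = print_r($user_edit, TRUE);
  // NOTE(review): user_save() is assumed to return the saved account; a
  // failed save would propagate its return value to the caller via $user.
  $user = user_save($user, $user_edit);
  $watchdog_tokens['%user_data_post_save'] = print_r($user->data, TRUE);
  $watchdog_tokens['%user_roles_post_save'] = print_r($user->roles, TRUE);
  if ($detailed_watchdog_log) {
    // This dumps the whole of $user->data (a bag shared by other modules, which
    // may hold sensitive values) and the roles into the log; it is gated on the
    // ldap_help watchdog_detail setting and should stay off outside debugging.
    // The %-placeholders are expected to be escaped by the logger's placeholder
    // handling before display — verify for this platform.
    watchdog('ldap_authorization', '%username : user_authorizations_set results for %consumer_type:
      <hr/>1. Initial existing authorizations:  %initial
      <hr/>2. Filtered Authorizations: %filtered_ldap_authorizations
      <hr/>3. After filtering off previously granted authorizations (if regrant is false): %grants1

      <hr/>4a. full consumers array, pre grants: %filtered_grants_full_array
      <hr/>4b. user auth data after grants %consumer_type: <pre>%user_auth_data_post_grants</pre>
      <hr/>4c. user data after grants for %consumer_type: <pre>%user_data_post_grants</pre>

      <hr/>5a. revokes passed to authorizationRevoke(): %revokes
      <hr/>5b. user auth data after revokes %consumer_type: <pre>%user_auth_data_post_revokes</pre>
      <hr/>5c. user data after revokes for %consumer_type: <pre>%user_data_post_revokes</pre>

      <hr/>6a. user_edit pre save : <pre>%user_edit_presave</pre>
      <hr/>6b. user data post save: <pre>%user_data_post_save</pre>
      <hr/>6c. user roles post save: <pre>%user_roles_post_save</pre>
      ', $watchdog_tokens, WATCHDOG_DEBUG);
  }
  if ($test) {
    $_SESSION['ldap_authorization_test_query']['setting_data']['Post Grant/Revokes authorizations user has'] = $consumer
      ->usersAuthorizations($user);
    $_SESSION['ldap_authorization_test_query']['setting_data']['Post Grant/Revokes $user->data[ldap_authorizations][' . $consumer->consumerType . ']'] = $user->data['ldap_authorizations'][$consumer->consumerType];
  }
}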