You are here

class LdapAuthorizationConsumerDrupalRole in Lightweight Directory Access Protocol (LDAP) 7.2

Same name and namespace in other branches
  1. 8.2 ldap_authorization/ldap_authorization_drupal_role/LdapAuthorizationConsumerRole.class.php \LdapAuthorizationConsumerDrupalRole
  2. 7 ldap_authorization/ldap_authorization_drupal_role/LdapAuthorizationConsumerRole.class.php \LdapAuthorizationConsumerDrupalRole

Hierarchy

Expanded class hierarchy of LdapAuthorizationConsumerDrupalRole

1 string reference to 'LdapAuthorizationConsumerDrupalRole'
ldap_authorization_drupal_role_ldap_authorization_consumer in ldap_authorization/ldap_authorization_drupal_role/ldap_authorization_drupal_role.module
Implements hook_ldap_authorization_consumer().

File

ldap_authorization/ldap_authorization_drupal_role/LdapAuthorizationConsumerRole.class.php, line 12

View source
class LdapAuthorizationConsumerDrupalRole extends LdapAuthorizationConsumerAbstract {
  public $consumerType = 'drupal_role';
  public $allowConsumerObjectCreation = TRUE;
  public $defaultConsumerConfProperties = [
    'onlyApplyToLdapAuthenticated' => TRUE,
    'useMappingsAsFilter' => TRUE,
    'synchOnLogon' => TRUE,
    'revokeLdapProvisioned' => TRUE,
    'regrantLdapProvisioned' => TRUE,
    'createConsumers' => TRUE,
  ];

  /**
   *
   */
  public function __construct($consumer_type = NULL) {
    $params = ldap_authorization_drupal_role_ldap_authorization_consumer();
    parent::__construct('drupal_role', $params['drupal_role']);
  }

  /**
   * @see LdapAuthorizationConsumerAbstract::createConsumer
   */
  public function createConsumer($consumer_id, $consumer) {
    $roles_by_consumer_id = $this
      ->existingRolesByRoleName();
    $existing_role = isset($roles_by_consumer_id[$consumer_id]) ? $roles_by_consumer_id[$consumer_id] : FALSE;
    if ($existing_role) {

      // Role exists.
      return FALSE;
    }
    elseif (drupal_strlen($consumer_id) > 63) {
      watchdog('ldap_authorization_drupal_role', 'Tried to create drupal role
        with name of over 63 characters (%group_name).  Please correct your
        drupal ldap_authorization settings', [
        '%group_name' => $consumer_id,
      ]);
      return FALSE;
    }
    $new_role = new stdClass();
    $new_role->name = empty($consumer['value']) ? $consumer_id : $consumer['value'];
    if (!($status = user_role_save($new_role))) {

      // If role is not created, remove from array to user object doesn't have it stored as granted.
      watchdog('user', 'failed to create drupal role %role in ldap_authorizations module', [
        '%role' => $new_role->name,
      ]);
      return FALSE;
    }
    else {

      // Flush existingRolesByRoleName cache after creating new role.
      $roles_by_consumer_id = $this
        ->existingRolesByRoleName(TRUE);
      watchdog('user', 'created drupal role %role in ldap_authorizations module', [
        '%role' => $new_role->name,
      ]);
    }
    return TRUE;
  }

  /**
   * @see LdapAuthorizationConsumerAbstract::populateConsumersFromConsumerIds
   */
  public function populateConsumersFromConsumerIds(&$consumers, $create_missing_consumers = FALSE) {
    $roles_by_consumer_id = $this
      ->existingRolesByRoleName(TRUE);
    foreach ($consumers as $consumer_id => $consumer) {

      // Role marked as not existing.
      if (!$consumer['exists']) {

        // Check if is existing.
        if (isset($roles_by_consumer_id[$consumer_id])) {
          $consumer['exists'] = TRUE;
          $consumer['value'] = $roles_by_consumer_id[$consumer_id]['role_name'];
          $consumer['name'] = $consumer['map_to_string'];
          $consumer['map_to_string'] = $roles_by_consumer_id[$consumer_id]['role_name'];
        }
        elseif ($create_missing_consumers) {
          $consumer['value'] = $consumer['map_to_string'];
          $consumer['name'] = $consumer['map_to_string'];
          $result = $this
            ->createConsumer($consumer_id, $consumer);
          $consumer['exists'] = $result;
        }
        else {
          $consumer['exists'] = FALSE;
        }
      }
      elseif (empty($consumer['value'])) {
        $consumer['value'] = $roles_by_consumer_id[$consumer_id]['role_name'];
      }
      $consumers[$consumer_id] = $consumer;
    }
  }

  /**
   *
   */
  public function revokeSingleAuthorization(&$user, $consumer_id, $consumer, &$user_auth_data, $user_save = FALSE, $reset = FALSE) {
    $role_name_lcase = $consumer_id;
    $role_name = empty($consumer['value']) ? $consumer_id : $consumer['value'];
    $rid = $this
      ->getDrupalRoleIdFromRoleName($role_name);
    if (!$rid) {

      // Role id not found.
      $result = FALSE;
    }
    elseif (!$user->roles[$rid]) {
      if (isset($user_auth_data[$consumer_id])) {
        unset($user_auth_data[$consumer_id]);
      }
      $result = TRUE;
    }
    else {
      unset($user->roles[$rid]);
      $user_edit = [
        'roles' => $user->roles,
      ];
      $account = user_load($user->uid);
      $user = user_save($account, $user_edit);
      $result = $user && !isset($user->roles[$rid]);
      if ($result && isset($user_auth_data[$consumer_id])) {
        unset($user_auth_data[$consumer_id]);
      }
    }
    if ($this->detailedWatchdogLog) {
      watchdog('ldap_authorization', 'LdapAuthorizationConsumerDrupalRole.revokeSingleAuthorization()
        revoked:  rid=%rid, role_name=%role_name for username=%username, result=%result', [
        '%rid' => $rid,
        '%role_name' => $role_name,
        '%username' => $user->name,
        '%result' => $result,
      ], WATCHDOG_DEBUG);
    }
    return $result;
  }

  /**
   * Extends grantSingleAuthorization()
   */
  public function grantSingleAuthorization(&$user, $consumer_id, $consumer, &$user_auth_data, $user_save = FALSE, $reset = FALSE) {
    $role_name_lcase = $consumer_id;
    $role_name = empty($consumer['value']) ? $consumer_id : $consumer['value'];
    $rid = $this
      ->getDrupalRoleIdFromRoleName($role_name);
    if (is_null($rid)) {
      watchdog('ldap_authorization', 'LdapAuthorizationConsumerDrupalRole.grantSingleAuthorization()
      failed to grant %username the role %role_name because role does not exist', [
        '%role_name' => $role_name,
        '%username' => $user->name,
      ], WATCHDOG_ERROR);
      return FALSE;
    }
    $user->roles[$rid] = $role_name;
    $user_edit = [
      'roles' => $user->roles,
    ];
    if ($this->detailedWatchdogLog) {
      watchdog('ldap_authorization', 'grantSingleAuthorization in drupal rold' . print_r($user, TRUE), [], WATCHDOG_DEBUG);
    }
    $account = user_load($user->uid);
    $user = user_save($account, $user_edit);
    $result = $user && !empty($user->roles[$rid]);
    if ($this->detailedWatchdogLog) {
      watchdog('ldap_authorization', 'LdapAuthorizationConsumerDrupalRole.grantSingleAuthorization()
        granted: rid=%rid, role_name=%role_name for username=%username, result=%result', [
        '%rid' => $rid,
        '%role_name' => $role_name,
        '%username' => $user->name,
        '%result' => $result,
      ], WATCHDOG_DEBUG);
    }
    return $result;
  }

  /**
   *
   */
  public function usersAuthorizations(&$user) {
    $authorizations = [];
    foreach ($user->roles as $rid => $role_name_mixed_case) {
      $authorizations[] = drupal_strtolower($role_name_mixed_case);
    }
    return $authorizations;
  }

  /**
   *
   */
  public function validateAuthorizationMappingTarget($mapping, $form_values = NULL, $clear_cache = FALSE) {
    $has_form_values = is_array($form_values);
    $message_type = NULL;
    $message_text = NULL;
    $role_name = $mapping['normalized'];
    $tokens = [
      '!map_to' => $role_name,
    ];
    $roles_by_name = $this
      ->existingRolesByRoleName();
    $pass = isset($roles_by_name[drupal_strtolower($role_name)]);
    if (!$pass) {
      $message_text = '"' . t('Drupal role') . ' ' . t('!map_to', $tokens) . '" ' . t('does not map to any existing Drupal roles.');
      if ($has_form_values) {
        $create_consumers = isset($form_values['synchronization_actions']['create_consumers']) && $form_values['synchronization_actions']['create_consumers'];
      }
      else {
        $create_consumers = $this->consumerConf->createConsumers;
      }
      if ($create_consumers && $this->allowConsumerObjectCreation) {
        $message_type = 'warning';
        $message_text .= ' ' . t('"!map_to" will be created when needed.  If "!map_to" is not intentional, please fix it.', $tokens);
      }
      elseif (!$this->allowConsumerObjectCreation) {
        $message_type = 'error';
        $message_text .= ' ' . t('Since automatic Drupal role creation is not possible with this module, an existing role must be mapped to.');
      }
      elseif (!$create_consumers) {
        $message_type = 'error';
        $message_text .= ' ' . t('Since automatic Drupal role creation is disabled, an existing role must be mapped to.  Either enable role creation or map to an existing role.');
      }
    }
    return [
      $message_type,
      $message_text,
    ];
  }

  /**
   * @param string mixed case $role_name
   * @return integer role id
   */
  private function getDrupalRoleIdFromRoleName($role_name) {
    $role_ids_by_name = $this
      ->existingRolesByRoleName();
    $role_name_lowercase = drupal_strtolower($role_name);
    return empty($role_ids_by_name[$role_name_lowercase]) ? NULL : $role_ids_by_name[$role_name_lowercase]['rid'];
  }

  /**
   * @param bool $reset
   *   to reset static values.
   * @return associative array() keyed on lowercase role names with values
   *   of array('rid' => role id, 'role_name' => mixed case role name)
   */
  public function existingRolesByRoleName($reset = FALSE) {
    static $roles_by_name;
    if ($reset || !is_array($roles_by_name)) {
      $roles_by_name = [];
      foreach (array_flip(user_roles(TRUE)) as $role_name => $rid) {
        $roles_by_name[drupal_strtolower($role_name)]['rid'] = $rid;
        $roles_by_name[drupal_strtolower($role_name)]['role_name'] = $role_name;
      }
    }
    return $roles_by_name;
  }

  /**
   * @see LdapAuthorizationConsumerAbstract::normalizeMappings
   */
  public function normalizeMappings($mappings) {
    $new_mappings = [];

    // In rid => role name format.
    $roles = user_roles(TRUE);
    $roles_by_name = array_flip($roles);
    foreach ($mappings as $i => $mapping) {
      $new_mapping = [];
      $new_mapping['user_entered'] = $mapping[1];
      $new_mapping['from'] = $mapping[0];
      $new_mapping['normalized'] = $mapping[1];
      $new_mapping['simplified'] = $mapping[1];
      $create_consumers = (bool) ($this->allowConsumerObjectCreation && $this->consumerConf->createConsumers);
      $new_mapping['valid'] = (bool) (!$create_consumers && !empty($roles_by_name[$mapping[1]]));
      $new_mapping['error_message'] = $new_mapping['valid'] ? '' : t("Role %role_name does not exist and role creation is not enabled.", [
        '%role' => $mapping[1],
      ]);
      $new_mappings[] = $new_mapping;
    }
    return $new_mappings;
  }

  /**
   * @see ldapAuthorizationConsumerAbstract::convertToFriendlyAuthorizationIds
   */
  public function convertToFriendlyAuthorizationIds($authorizations) {
    $authorization_ids_friendly = [];
    foreach ($authorizations as $authorization_id => $authorization) {
      $authorization_ids_friendly[] = $authorization['name'] . '  (' . $authorization_id . ')';
    }
    return $authorization_ids_friendly;
  }

}

Members

Namesort descending Modifiers Type Description Overrides
LdapAuthorizationConsumerAbstract::$consumerConf public property LDAPConsumerConf object class encapuslating admin form.
LdapAuthorizationConsumerAbstract::$consumerModule public property Module providing consumer functionality e.g. ldap_authorization_drupal_roles.
LdapAuthorizationConsumerAbstract::$description public property E.g. roles, groups.
LdapAuthorizationConsumerAbstract::$detailedWatchdogLog public property @property boolean $detailedWatchdogLog
LdapAuthorizationConsumerAbstract::$editLink public property Link to configure this consumer.
LdapAuthorizationConsumerAbstract::$emptyConsumer public property
LdapAuthorizationConsumerAbstract::$name public property User interface name of consumer. e.g. drupal role, og group.
LdapAuthorizationConsumerAbstract::$namePlural public property User interface name of consumer. e.g. drupal roles, og groups.
LdapAuthorizationConsumerAbstract::$shortName public property User interface short name of consumer. e.g. role, group.
LdapAuthorizationConsumerAbstract::$shortNamePlural public property User interface short name of consumer plural, e.g. roles, groups.
LdapAuthorizationConsumerAbstract::$testLink public property Link to test this consumer.
LdapAuthorizationConsumerAbstract::authorizationDiff public function 1
LdapAuthorizationConsumerAbstract::authorizationGrant public function Grant authorizations to a user.
LdapAuthorizationConsumerAbstract::authorizationRevoke public function Revoke authorizations to a user.
LdapAuthorizationConsumerAbstract::createSingleAuthorization public function
LdapAuthorizationConsumerAbstract::filterOffPastAuthorizationRecords public function This is a function to clear off.
LdapAuthorizationConsumerAbstract::flushRelatedCaches public function Attempt to flush related caches. This will be something like og_invalidate_cache($gids) 1
LdapAuthorizationConsumerAbstract::grantsAndRevokes protected function 1
LdapAuthorizationConsumerAbstract::hasAuthorization public function NOTE this is in mixed case, since we must rely on whatever module is storing the authorization id. 1
LdapAuthorizationConsumerAbstract::hasLdapGrantedAuthorization public function
LdapAuthorizationConsumerAbstract::sortConsumerIds public function Some authorization schemes such as organic groups, require a certain order. implement this method to sort consumer ids/authorization ids. 1
LdapAuthorizationConsumerDrupalRole::$allowConsumerObjectCreation public property @property boolean $allowConsumerObjectCreation Overrides LdapAuthorizationConsumerAbstract::$allowConsumerObjectCreation
LdapAuthorizationConsumerDrupalRole::$consumerType public property Machine name of consumer. e.g. og_group, drupal_role, etc. Overrides LdapAuthorizationConsumerAbstract::$consumerType
LdapAuthorizationConsumerDrupalRole::$defaultConsumerConfProperties public property @property array $defaultConsumerConfProperties default properties for consumer admin UI form Overrides LdapAuthorizationConsumerAbstract::$defaultConsumerConfProperties
LdapAuthorizationConsumerDrupalRole::convertToFriendlyAuthorizationIds public function Overrides LdapAuthorizationConsumerAbstract::convertToFriendlyAuthorizationIds
LdapAuthorizationConsumerDrupalRole::createConsumer public function Overrides LdapAuthorizationConsumerAbstract::createConsumer
LdapAuthorizationConsumerDrupalRole::existingRolesByRoleName public function
LdapAuthorizationConsumerDrupalRole::getDrupalRoleIdFromRoleName private function
LdapAuthorizationConsumerDrupalRole::grantSingleAuthorization public function Extends grantSingleAuthorization() Overrides LdapAuthorizationConsumerAbstract::grantSingleAuthorization
LdapAuthorizationConsumerDrupalRole::normalizeMappings public function Overrides LdapAuthorizationConsumerAbstract::normalizeMappings
LdapAuthorizationConsumerDrupalRole::populateConsumersFromConsumerIds public function Overrides LdapAuthorizationConsumerAbstract::populateConsumersFromConsumerIds
LdapAuthorizationConsumerDrupalRole::revokeSingleAuthorization public function Overrides LdapAuthorizationConsumerAbstract::revokeSingleAuthorization
LdapAuthorizationConsumerDrupalRole::usersAuthorizations public function Return all user consumer ids regardless of it they were granted by this module. Overrides LdapAuthorizationConsumerAbstract::usersAuthorizations
LdapAuthorizationConsumerDrupalRole::validateAuthorizationMappingTarget public function Validate authorization mappings on LDAP Authorization OG Admin form. Overrides LdapAuthorizationConsumerAbstract::validateAuthorizationMappingTarget
LdapAuthorizationConsumerDrupalRole::__construct public function Constructor Method. Overrides LdapAuthorizationConsumerAbstract::__construct