class LdapAuthorizationConsumerOG in Lightweight Directory Access Protocol (LDAP) 8.2
Same name and namespace in other branches
- 7.2 ldap_authorization/ldap_authorization_og/LdapAuthorizationConsumerOG.class.php \LdapAuthorizationConsumerOG
- 7 ldap_authorization/ldap_authorization_og/LdapAuthorizationConsumerOG.class.php \LdapAuthorizationConsumerOG
Hierarchy
Expanded class hierarchy of LdapAuthorizationConsumerOG
1 string reference to 'LdapAuthorizationConsumerOG'
- ldap_authorization_og_ldap_authorization_consumer in ldap_authorization/
ldap_authorization_og/ ldap_authorization_og.module - Implements hook_ldap_authorization_consumer().
File
- ldap_authorization/
ldap_authorization_og/ LdapAuthorizationConsumerOG.class.php, line 18
View source
class LdapAuthorizationConsumerOG extends LdapAuthorizationConsumerAbstract {
public $consumerType = 'og_group';
public $allowConsumerObjectCreation = FALSE;
public $ogVersion = NULL;
// 1, 2, etc.
public $defaultMembershipRid;
public $anonymousRid;
public $defaultConsumerConfProperties = array(
'onlyApplyToLdapAuthenticated' => TRUE,
'useMappingsAsFilter' => TRUE,
'synchOnLogon' => TRUE,
'revokeLdapProvisioned' => TRUE,
'regrantLdapProvisioned' => TRUE,
'createConsumers' => TRUE,
);
function __construct($consumer_type) {
$this->ogVersion = ldap_authorization_og_og_version();
if ($this->ogVersion == 1) {
$this->defaultMembershipRid = ldap_authorization_og1_role_name_to_role_id(OG_AUTHENTICATED_ROLE);
$this->anonymousRid = ldap_authorization_og1_role_name_to_role_id(OG_ANONYMOUS_ROLE);
}
else {
//@todo these properties are not used in ldap og 2, but when they are their derivation needs to be examined and tested
// as they may be per entity rids, not global.
$this->defaultMembershipRid = NULL;
// ldap_authorization_og_rid_from_role_name(OG_AUTHENTICATED_ROLE);
$this->anonymousRid = NULL;
//ldap_authorization_og_rid_from_role_name(OG_ANONYMOUS_ROLE);
}
$params = ldap_authorization_og_ldap_authorization_consumer();
parent::__construct('og_group', $params['og_group']);
}
public function og1ConsumerIdParts($consumer_id) {
if (!is_scalar($consumer_id)) {
return array(
NULL,
NULL,
);
}
$parts = explode('-', $consumer_id);
return count($parts) != 2 ? array(
NULL,
NULL,
) : $parts;
}
public function og2ConsumerIdParts($consumer_id) {
if (!is_scalar($consumer_id)) {
return array(
NULL,
NULL,
NULL,
);
}
$parts = explode(':', $consumer_id);
return count($parts) != 3 ? array(
NULL,
NULL,
NULL,
) : $parts;
}
/**
* @see LdapAuthorizationConsumerAbstract::createConsumer
*
* this function is not implemented for og, but could be
* if a use case for generating og groups and roles on the
* fly existed.
*/
public function createConsumer($consumer_id, $consumer) {
return FALSE;
}
/**
* @see LdapAuthorizationConsumerAbstract::normalizeMappings
*/
public function normalizeMappings($mappings) {
$new_mappings = array();
if ($this->ogVersion == 2) {
$group_entity_types = og_get_all_group_bundle();
foreach ($mappings as $i => $mapping) {
$from = $mapping[0];
$to = $mapping[1];
$to_parts = explode('(raw: ', $to);
$user_entered = $to_parts[0];
$new_mapping = array(
'from' => $from,
'user_entered' => $user_entered,
'valid' => TRUE,
'error_message' => '',
);
if (count($to_parts) == 2) {
// has simplified and normalized part in (). update normalized part as validation
$to_normalized = trim($to_parts[1], ')');
/**
* users (node:35:1)
* node:students (node:21:1)
* faculty (node:33:2)
* node:35:1 (node:35:1)
* node:35 (node:35:1)
*/
$to_simplified = $to_parts[0];
$to_simplified_parts = explode(':', trim($to_simplified));
$entity_type = count($to_simplified_parts) == 1 ? 'node' : $to_simplified_parts[0];
$role = count($to_simplified_parts) < 3 ? OG_AUTHENTICATED_ROLE : $to_simplified_parts[2];
$group_name = count($to_simplified_parts) == 1 ? $to_simplified_parts[0] : $to_simplified_parts[1];
list($group_entity, $group_entity_id) = ldap_authorization_og2_get_group_from_name($entity_type, $group_name);
$to_simplified = join(':', array(
$entity_type,
$group_name,
));
}
else {
// may be simplified or normalized, but not both
/**
* users
* node:students
* faculty
* node:35:1
* node:35
*/
$to_parts = explode(':', trim($to));
$entity_type = count($to_parts) == 1 ? 'node' : $to_parts[0];
$role = count($to_parts) < 3 ? OG_AUTHENTICATED_ROLE : $to_parts[2];
$group_name_or_entity_id = count($to_parts) == 1 ? $to_parts[0] : $to_parts[1];
list($group_entity, $group_entity_id) = ldap_authorization_og2_get_group_from_name($entity_type, $group_name_or_entity_id);
if ($group_entity) {
// if load by name works, $group_name_or_entity_id is group title
$to_simplified = join(':', array(
$entity_type,
$group_name_or_entity_id,
));
}
else {
$to_simplified = FALSE;
}
$simplified = (bool) $group_entity;
if (!$group_entity && ($group_entity = @entity_load_single($entity_type, $group_name_or_entity_id))) {
$group_entity_id = $group_name_or_entity_id;
}
}
if (!$group_entity) {
$new_mapping['normalized'] = FALSE;
$new_mapping['simplified'] = FALSE;
$new_mapping['valid'] = FALSE;
$new_mapping['error_message'] = t("cannot find matching group: !to", array(
'!to' => $to,
));
}
else {
$role_id = is_numeric($role) ? $role : ldap_authorization_og2_rid_from_role_name($entity_type, $group_entity->type, $group_entity_id, $role);
$roles = og_roles($entity_type, isset($group_entity->type) ? $group_entity->type : NULL, 0, FALSE, TRUE);
$role_name = is_numeric($role) ? $roles[$role] : $role;
$to_normalized = join(':', array(
$entity_type,
$group_entity_id,
$role_id,
));
$to_simplified = $to_simplified ? $to_simplified . ':' . $role_name : $to_normalized;
$new_mapping['normalized'] = $to_normalized;
$new_mapping['simplified'] = $to_simplified;
if ($to == $to_normalized) {
/** if not using simplified notation, do not convert to simplified.
this would create a situation where an og group
can change its title and the authorizations change when the
admin specified the group by entity id
*/
$new_mapping['user_entered'] = $to;
}
else {
$new_mapping['user_entered'] = $to_simplified . ' (raw: ' . $to_normalized . ')';
}
}
$new_mappings[] = $new_mapping;
}
}
else {
// og 1
foreach ($mappings as $i => $mapping) {
$new_mapping = array(
'from' => $mapping[0],
'user_entered' => $mapping[1],
'normalized' => NULL,
'simplified' => NULL,
'valid' => TRUE,
'error_message' => '',
);
$gid = NULL;
$rid = NULL;
$correct_syntax = "gid=43,rid=2 or group-name=students,role-name=member or node.title=students,role-name=member";
$incorrect_syntax = t('Incorrect mapping syntax. Correct examples are:') . $correct_syntax;
$targets = explode(',', $mapping[1]);
if (count($targets) != 2) {
$new_mapping['valid'] = FALSE;
$new_mapping['error_message'] = $incorrect_syntax;
continue;
}
$group_target_and_value = explode('=', $targets[0]);
if (count($group_target_and_value) != 2) {
$new_mapping['valid'] = FALSE;
$new_mapping['error_message'] = $incorrect_syntax;
continue;
}
list($group_target, $group_target_value) = $group_target_and_value;
$role_target_and_value = explode('=', $targets[1]);
if (count($role_target_and_value) != 2) {
$new_mapping['valid'] = FALSE;
$new_mapping['error_message'] = $incorrect_syntax;
continue;
}
list($role_target, $role_target_value) = $role_target_and_value;
$og_group = FALSE;
if ($group_target == 'gid') {
$gid = $group_target_value;
}
elseif ($group_target == 'group-name') {
list($og_group, $og_node) = ldap_authorization_og1_get_group($group_target_value, 'group_name', 'object');
if (is_object($og_group) && property_exists($og_group, 'gid') && $og_group->gid) {
$gid = $og_group->gid;
}
}
else {
$entity_type_and_field = explode('.', $group_target);
if (count($entity_type_and_field) != 2) {
$new_mapping['valid'] = FALSE;
$new_mapping['error_message'] = $incorrect_syntax;
continue;
}
list($entity_type, $field) = $entity_type_and_field;
$query = new EntityFieldQuery();
$query
->entityCondition('entity_type', $entity_type)
->fieldCondition($field, 'value', $group_target_value, '=')
->addMetaData('account', user_load(1));
// run the query as user 1
$result = $query
->execute();
if (is_array($result) && isset($result[$entity_type]) && count($result[$entity_type]) == 1) {
$entities = array_keys($result[$entity_type]);
$gid = ldap_authorization_og1_entity_id_to_gid($entities[0]);
}
}
if (!$og_group && $gid) {
$og_group = og_load($gid);
}
if ($role_target == 'rid') {
$role_name = ldap_authorization_og1_role_name_from_rid($role_target_value);
$rid = $role_target_value;
}
elseif ($role_target == 'role-name') {
$rid = ldap_authorization_og_rid_from_role_name($role_target_value);
$role_name = $role_target_value;
}
$new_mapping['simplified'] = $og_group->label . ', ' . $role_name;
$new_mapping['normalized'] = $gid && $rid ? ldap_authorization_og_authorization_id($gid, $rid) : FALSE;
$new_mappings[] = $new_mapping;
}
}
return $new_mappings;
}
/**
* in organic groups 7.x-1.x, consumer ids are in form gid-rid such as 3-2, 3-3. We want highest authorization available granted.
* But, granting member role (2), revokes other roles such as admin in OG. So for granting we want the order:
* 3-1, 3-2, 3-3 such that 3-3 is retained. For revoking, the order should not matter, but reverse sorting makes
* intuitive sense.
*/
public function sortConsumerIds($op, &$consumers) {
if ($op == 'revoke') {
krsort($consumers, SORT_STRING);
}
else {
ksort($consumers, SORT_STRING);
}
}
/**
* @see LdapAuthorizationConsumerAbstract::populateConsumersFromConsumerIds
*/
public function populateConsumersFromConsumerIds(&$consumers, $create_missing_consumers = FALSE) {
// generate a query for all og groups of interest
$gids = array();
foreach ($consumers as $consumer_id => $consumer) {
if (ldap_authorization_og_og_version() == 1) {
list($gid, $rid) = $this
->og1ConsumerIdParts($consumer_id);
$gids[] = $gid;
}
else {
list($entity_type, $gid, $rid) = explode(':', $consumer_id);
$gids[$entity_type][] = $gid;
}
}
if (ldap_authorization_og_og_version() == 1) {
$og_group_entities = og_load_multiple($gids);
}
else {
foreach ($gids as $entity_type => $gid_x_entity) {
$og_group_entities[$entity_type] = @entity_load($entity_type, $gid_x_entity);
}
}
foreach ($consumers as $consumer_id => $consumer) {
if (ldap_authorization_og_og_version() == 1) {
list($gid, $rid) = $this
->og1ConsumerIdParts($consumer_id);
$consumer['exists'] = isset($og_group_entities[$gid]);
if ($consumer['exists']) {
$consumer['value'] = $og_group_entities[$gid];
if (empty($consumer['name']) && property_exists($og_group_entities[$gid], 'title')) {
$consumer['name'] = $og_group_entities[$gid]->title;
}
$consumer['name'] = $consumer_id;
}
else {
$consumer['value'] = NULL;
$consumer['name'] = NULL;
}
$consumer['map_to_string'] = $consumer_id;
}
else {
list($entity_type, $gid, $rid) = explode(':', $consumer_id);
$consumer['exists'] = isset($og_group_entities[$entity_type][$gid]);
$consumer['value'] = $consumer['exists'] ? $og_group_entities[$entity_type][$gid] : NULL;
$consumer['map_to_string'] = $consumer_id;
if (empty($consumer['name']) && !empty($og_group_entities[$entity_type][$gid]) && property_exists($og_group_entities[$entity_type][$gid], 'title')) {
$consumer['name'] = $og_group_entities[$entity_type][$gid]->title;
}
}
if (!$consumer['exists'] && $create_missing_consumers) {
// @todo if creation of og groups were implemented, function would be called here
// this would mean mapping would need to have enough info to configure a group,
// or settings would need to include a default group type to create (entity type,
// bundle, etc.)
}
$consumers[$consumer_id] = $consumer;
}
}
public function hasAuthorization(&$user, $consumer_id) {
if ($this->ogVersion == 1) {
$result = FALSE;
list($gid, $rid) = $this
->og1ConsumerIdParts($consumer_id);
return ldap_authorization_og1_has_membership($gid, $user->uid) && ldap_authorization_og1_has_role($gid, $user->uid, $rid);
}
else {
return ldap_authorization_og2_has_consumer_id($consumer_id, $user->uid);
}
}
public function flushRelatedCaches($consumers = NULL, $user = NULL) {
if ($user) {
$this
->usersAuthorizations($user, TRUE, FALSE);
// clear user authorizations cache
}
if ($this->ogVersion == 1) {
og_group_membership_invalidate_cache();
}
else {
og_membership_invalidate_cache();
}
if ($consumers) {
$gids_to_clear_cache = array();
foreach ($consumers as $i => $consumer_id) {
if ($this->ogVersion == 1) {
// og 7.x-1.x
list($gid, $rid) = $this
->og1ConsumerIdParts($consumer_id);
}
else {
list($entity_type, $gid, $rid) = $this
->og2ConsumerIdParts($consumer_id);
}
$gids_to_clear_cache[$gid] = $gid;
}
og_invalidate_cache(array_keys($gids_to_clear_cache));
}
else {
og_invalidate_cache();
}
}
/**
* @param string $op 'grant' or 'revoke' signifying what to do with the $consumer_ids
* @param drupal user object $object
* @param array $user_auth_data is array specific to this consumer_type. Stored at $user->data['ldap_authorizations'][<consumer_type>]
* @param $consumers as associative array in form of LdapAuthorizationConsumerAbstract::populateConsumersFromConsumerIds
* @param array $ldap_entry, when available user's ldap entry.
* @param boolean $user_save indicates is user data array should be saved or not. this is always overridden for og
*/
public function authorizationDiff($existing, $desired) {
if ($this->ogVersion != 1) {
return parent::authorizationDiff($existing, $desired);
}
/**
* for og 1.5, goal is not to recognize X-2 consumer ids if X-N exist
* since X-2 consumer ids are granted as a prerequisite of X-N
*/
$diff = array_diff($existing, $desired);
$desired_group_ids = array();
foreach ($desired as $i => $consumer_id) {
list($gid, $rid) = $this
->og1ConsumerIdParts($consumer_id);
$desired_group_ids[$gid] = TRUE;
}
foreach ($diff as $i => $consumer_id) {
list($gid, $rid) = $this
->og1ConsumerIdParts($consumer_id);
// if there are still roles in this group that are desired, do
// not remove default mambership role id
if ($rid == $this->defaultMembershipRid && !empty($desired_group_ids[$gid])) {
unset($diff[$i]);
}
}
// dpm("diff"); dpm($diff); dpm("existing"); dpm($existing); dpm("desired"); dpm($desired); dpm("final diff"); dpm($diff);
return $diff;
}
protected function grantsAndRevokes($op, &$user, &$user_auth_data, $consumers, &$ldap_entry = NULL, $user_save = TRUE) {
// debug("grantsAndRevokes, op=$op, user_save=$user_save"); debug($user_auth_data); debug($consumers);
if (!is_array($user_auth_data)) {
$user_auth_data = array();
}
$detailed_watchdog_log = config('ldap_help.settings')
->get('watchdog_detail');
$this
->sortConsumerIds($op, $consumers);
$results = array();
$watchdog_tokens = array();
$watchdog_tokens['%username'] = $user->name;
$watchdog_tokens['%action'] = $op;
$watchdog_tokens['%user_save'] = $user_save;
/**
* get authorizations that exist, regardless of origin or ldap_authorization $user->data
* in form $users_authorization_consumer_ids = array('3-2', '3,3', '4-2')
*/
$users_authorization_consumer_ids = $this
->usersAuthorizations($user, TRUE);
$watchdog_tokens['%users_authorization_ids'] = join(', ', $users_authorization_consumer_ids);
if ($detailed_watchdog_log) {
watchdog('ldap_authorization', "on call of grantsAndRevokes: user_auth_data=" . print_r($user_auth_data, TRUE), $watchdog_tokens, WATCHDOG_DEBUG);
}
/**
* step #1: generate $og_actions = array of form $og_actions['revokes'|'grants'][$gid] = $rid
* based on all consumer ids granted and revokes
*/
$og_actions = array(
'grants' => array(),
'revokes' => array(),
);
//dpm('consumers');dpm($consumers); dpm('users_authorization_consumer_ids'); dpm($users_authorization_consumer_ids);
foreach ($consumers as $consumer_id => $consumer) {
if ($detailed_watchdog_log) {
watchdog('ldap_authorization', "consumer_id={$consumer_id}, user_save={$user_save}, op={$op}", $watchdog_tokens, WATCHDOG_DEBUG);
}
$user_has_authorization = in_array($consumer_id, $users_authorization_consumer_ids);
// does user already have authorization ?
$user_has_authorization_recorded = isset($user_auth_data[$consumer_id]);
// is authorization attribute to ldap_authorization_og in $user->data ?
if ($this->ogVersion == 1) {
list($gid, $rid) = $this
->og1ConsumerIdParts($consumer_id);
if ($rid == $this->anonymousRid) {
continue;
}
}
else {
list($entity_type, $gid, $rid) = $this
->og2ConsumerIdParts($consumer_id);
}
/** grants **/
if ($op == 'grant') {
if ($user_has_authorization && !$user_has_authorization_recorded) {
// grant case 1: authorization id already exists for user, but is not ldap provisioned. mark as ldap provisioned, but don't regrant
$results[$consumer_id] = TRUE;
$user_auth_data[$consumer_id] = array(
'date_granted' => time(),
'consumer_id_mixed_case' => $consumer_id,
);
}
elseif (!$user_has_authorization && $consumer['exists']) {
// grant case 2: consumer exists, but user is not member. grant authorization
if ($this->ogVersion == 1) {
$og_actions['grants'][$gid][] = $rid;
}
else {
$og_actions['grants'][$entity_type][$gid][] = $rid;
}
}
elseif ($consumer['exists'] !== TRUE) {
// grant case 3: something is wrong. consumers should have been created before calling grantsAndRevokes
$results[$consumer_id] = FALSE;
}
elseif ($consumer['exists'] === TRUE) {
// grant case 4: consumer exists and user has authorization recorded. do nothing
$results[$consumer_id] = TRUE;
}
else {
// grant case 5: $consumer['exists'] has not been properly set before calling function
$results[$consumer_id] = FALSE;
watchdog('ldap_authorization', "grantsAndRevokes consumer[exists] not properly set. consumer_id={$consumer_id}, op={$op}, username=%username", $watchdog_tokens, WATCHDOG_ERROR);
}
}
elseif ($op == 'revoke') {
if ($user_has_authorization) {
// revoke case 1: user has authorization, revoke it. revokeSingleAuthorization will remove $user_auth_data[$consumer_id]
if ($this->ogVersion == 1) {
$og_actions['revokes'][$gid][] = $rid;
}
else {
$og_actions['revokes'][$entity_type][$gid][] = $rid;
}
}
elseif ($user_has_authorization_recorded) {
// revoke case 2: user does not have authorization, but has record of it. remove record of it.
unset($user_auth_data[$consumer_id]);
$results[$consumer_id] = TRUE;
}
else {
// revoke case 3: trying to revoke something that isn't there
$results[$consumer_id] = TRUE;
}
}
if ($detailed_watchdog_log) {
watchdog('ldap_authorization', "user_auth_data after consumer {$consumer_id}" . print_r($user_auth_data, TRUE), $watchdog_tokens, WATCHDOG_DEBUG);
}
}
/**
* Step #2: from array of form:
* og1.5: $og_actions['grants'|'revokes'][$gid][$rid]\
* og2: $og_actions['grants'|'revokes'][$entity_type][$gid][$rid]
* - generate $user->data['ldap_authorizations'][<consumer_id>]
* - remove and grant og memberships
* - remove and grant og roles
* - flush appropriate caches
*/
debug("og_actions");
debug($og_actions);
debug("user_auth_data");
debug($user_auth_data);
if ($this->ogVersion == 1) {
$this
->og1Grants($og_actions, $user, $user_auth_data);
$this
->og1Revokes($og_actions, $user, $user_auth_data);
}
else {
$this
->og2Grants($og_actions, $user, $user_auth_data);
$this
->og2Revokes($og_actions, $user, $user_auth_data);
}
$user_edit['data']['ldap_authorizations'][$this->consumerType] = $user_auth_data;
$user = user_save($user, $user_edit);
$user_auth_data = $user->data['ldap_authorizations'][$this->consumerType];
// reset this variable because user save hooks can impact it.
$this
->flushRelatedCaches($consumers, $user);
if ($detailed_watchdog_log) {
watchdog('ldap_authorization', '%username:
<hr/>LdapAuthorizationConsumerAbstract grantsAndRevokes() method log. action=%action:<br/> %consumer_ids_log
', $watchdog_tokens, WATCHDOG_DEBUG);
}
}
public function og1Grants($og_actions, &$user, &$user_auth_data) {
foreach ($og_actions['grants'] as $gid => $rids) {
$existing_roles = og_get_user_roles($gid, $user->uid);
if (!in_array($this->defaultMembershipRid, array_values($existing_roles))) {
$user->{OG_AUDIENCE_FIELD}[LANGUAGE_NONE][] = array(
'gid' => $gid,
);
og_entity_presave($user, 'user');
$consumer_id = ldap_authorization_og_authorization_id($gid, $this->defaultMembershipRid);
$user_auth_data[$consumer_id] = array(
'date_granted' => time(),
'consumer_id_mixed_case' => $consumer_id,
);
}
foreach ($rids as $rid) {
if ($rid != $this->defaultMembershipRid && $rid != $this->anonymousRid) {
og_role_grant($gid, $user->uid, $rid);
$consumer_id = ldap_authorization_og_authorization_id($gid, $rid);
$user_auth_data[$consumer_id] = array(
'date_granted' => time(),
'consumer_id_mixed_case' => $consumer_id,
);
}
}
}
}
public function og2Grants($og_actions, &$user, &$user_auth_data) {
foreach ($og_actions['grants'] as $group_entity_type => $gids) {
foreach ($gids as $gid => $granting_rids) {
// all rids ldap believes user should be granted and attributed to ldap
$all_group_roles = og_roles($group_entity_type, FALSE, $gid, FALSE, TRUE);
// all roles rid => role_name array w/ authen or anon roles
$authenticated_rid = array_search(OG_AUTHENTICATED_ROLE, $all_group_roles);
$anonymous_rid = array_search(OG_ANONYMOUS_ROLE, $all_group_roles);
$all_group_rids = array_keys($all_group_roles);
// all rids array w/ authen or anon rids
$users_group_rids = array_keys(og_get_user_roles($group_entity_type, $gid, $user->uid, TRUE));
// users current rids w/authen or anon roles returned
$users_group_rids = array_diff($users_group_rids, array(
$anonymous_rid,
));
$new_rids = array_diff($granting_rids, $users_group_rids, array(
$anonymous_rid,
));
// rids to be added without anonymous rid
// debug("new rids"); debug($new_rids);debug("granting_rids"); debug($granting_rids);debug("users_group_rids"); debug($users_group_rids);
// if adding OG_AUTHENTICATED_ROLE or any other role and does not currently have OG_AUTHENTICATED_ROLE, group
if (!in_array($authenticated_rid, $users_group_rids) && count($new_rids) > 0) {
$values = array(
'entity_type' => 'user',
'entity' => $user->uid,
'field_name' => FALSE,
'state' => OG_STATE_ACTIVE,
);
$og_membership = og_group($group_entity_type, $gid, $values);
// debug("consumer_id=$consumer_id, og group called( $group_entity_type, $gid, values:"); debug($values); debug("response og_membership"); debug($og_membership);
$consumer_id = join(':', array(
$group_entity_type,
$gid,
$authenticated_rid,
));
$user_auth_data[$consumer_id] = array(
'date_granted' => time(),
'consumer_id_mixed_case' => $consumer_id,
);
$new_rids = array_diff($new_rids, array(
$authenticated_rid,
));
// granted on membership creation
}
foreach ($new_rids as $i => $rid) {
// debug("role grant $group_entity_type $gid $user->uid $rid");
og_role_grant($group_entity_type, $gid, $user->uid, $rid);
}
foreach ($granting_rids as $i => $rid) {
// attribute to ldap regardless of if is being granted.
$consumer_id = join(':', array(
$group_entity_type,
$gid,
$rid,
));
$user_auth_data[$consumer_id] = array(
'date_granted' => time(),
'consumer_id_mixed_case' => $consumer_id,
);
}
}
}
}
public function og1Revokes($og_actions, &$user, &$user_auth_data) {
$group_audience_gids = empty($user->{OG_AUDIENCE_FIELD}[LANGUAGE_NONE]['gid']) ? array() : $user->{OG_AUDIENCE_FIELD}[LANGUAGE_NONE]['gid'];
foreach ($og_actions['revokes'] as $gid => $rids) {
$existing_roles = og_get_user_roles($gid, $user->uid);
if (in_array($this->defaultMembershipRid, array_values($existing_roles))) {
// ungroup and set audience
foreach ($group_audience_gids as $i => $_audience_gid) {
if ($_audience_gid == $gid) {
unset($user->{OG_AUDIENCE_FIELD}[LANGUAGE_NONE][$i]);
}
}
og_entity_presave($user, 'user');
$user = og_ungroup($gid, 'user', $user, TRUE);
foreach (array_values($existing_roles) as $rid) {
$consumer_id = ldap_authorization_og_authorization_id($gid, $rid);
if (isset($user_auth_data[$consumer_id])) {
unset($user_auth_data[$consumer_id]);
}
}
}
else {
foreach ($existing_roles as $rid) {
if ($rid != $this->defaultMembershipRid && $this->defaultMembershipRid != 1) {
og_role_revoke($gid, $user->uid, $rid);
unset($user_auth_data[ldap_authorization_og_authorization_id($gid, $rid)]);
}
}
}
}
}
public function og2Revokes($og_actions, &$user, &$user_auth_data) {
foreach ($og_actions['revokes'] as $group_entity_type => $gids) {
foreach ($gids as $gid => $revoking_rids) {
// $revoking_rids are all rids to be removed. may include authen rids
$all_group_roles = og_roles($group_entity_type, FALSE, $gid, FALSE, TRUE);
// all roles rid => role_name array w/ authen or anon roles
$all_group_rids = array_keys($all_group_roles);
// all rids array w/ authen or anon rids
$users_group_rids = array_keys(og_get_user_roles($group_entity_type, $gid, $user->uid, TRUE));
// users current rids w/authen or anon roles returned
$remaining_rids = array_diff($users_group_rids, $revoking_rids);
// rids to be left at end of revoke process
$authenticated_rid = array_search(OG_AUTHENTICATED_ROLE, $all_group_roles);
// remove autenticated and anon rids here
foreach ($revoking_rids as $i => $rid) {
// revoke if user has role
if (in_array($rid, $users_group_rids)) {
og_role_revoke($group_entity_type, $gid, $user->uid, $rid);
}
// unattribute to ldap even if user does not currently have role
unset($user_auth_data[ldap_authorization_og_authorization_id($gid, $rid, $group_entity_type)]);
}
// define('OG_ANONYMOUS_ROLE', 'non-member'); define('OG_AUTHENTICATED_ROLE', 'member');
if (in_array($authenticated_rid, $revoking_rids) || count($remaining_rids) == 0) {
// ungroup if only authenticated and anonymous role left
$entity = og_ungroup($group_entity_type, $gid, 'user', $user->uid);
$result = (bool) $entity;
}
}
}
}
/**
* @see ldapAuthorizationConsumerAbstract::usersAuthorizations
*/
public function usersAuthorizations(&$user, $reset = FALSE, $return_data = TRUE) {
static $users;
if (!is_array($users)) {
$users = array();
// no cache exists, create static array
}
elseif ($reset && isset($users[$user->uid])) {
unset($users[$user->uid]);
// clear users cache
}
elseif (!$return_data) {
return NULL;
// simply clearing cache
}
elseif (!empty($users[$user->uid])) {
return $users[$user->uid];
// return cached data
}
$authorizations = array();
if ($this->ogVersion == 1) {
$gids = og_get_groups_by_user($user);
foreach ($gids as $i => $gid) {
$roles = og_get_user_roles($gid, $user->uid);
if (!empty($roles[$this->defaultMembershipRid])) {
// if you aren't a member, doesn't matter what roles you have in og 1.5
if (isset($roles[$this->anonymousRid])) {
unset($roles[$this->anonymousRid]);
}
// ignore anonymous role
$rids = array_values($roles);
asort($rids, SORT_NUMERIC);
// go low to high to get default memberships first
foreach ($rids as $rid) {
$authorizations[] = ldap_authorization_og_authorization_id($gid, $rid);
}
}
}
}
else {
// og 7.x-2.x
$user_entities = entity_load('user', array(
$user->uid,
));
$memberships = og_get_entity_groups('user', $user_entities[$user->uid]);
foreach ($memberships as $entity_type => $entity_memberships) {
foreach ($entity_memberships as $og_membership_id => $gid) {
$roles = og_get_user_roles($entity_type, $gid, $user->uid);
foreach ($roles as $rid => $discard) {
$authorizations[] = ldap_authorization_og_authorization_id($gid, $rid, $entity_type);
}
}
}
}
$users[$user->uid] = $authorizations;
return $authorizations;
}
/**
* @see ldapAuthorizationConsumerAbstract::convertToFriendlyAuthorizationIds
*/
public function convertToFriendlyAuthorizationIds($authorizations) {
$authorization_ids_friendly = array();
foreach ($authorizations as $authorization_id => $authorization) {
$authorization_ids_friendly[] = $authorization['name'] . ' (' . $authorization_id . ')';
}
return $authorization_ids_friendly;
}
/**
* @see ldapAuthorizationConsumerAbstract::validateAuthorizationMappingTarget
*/
public function validateAuthorizationMappingTarget($mapping, $form_values = NULL, $clear_cache = FALSE) {
// these mappings have already been through the normalizeMappings() method, so no real querying needed here.
$has_form_values = is_array($form_values);
$message_type = NULL;
$message_text = NULL;
$pass = !empty($mapping['valid']) && $mapping['valid'] === TRUE;
/**
* @todo need to look this over
*
*/
if (!$pass) {
$tokens = array(
'!from' => $mapping['from'],
'!user_entered' => $mapping['user_entered'],
'!error' => $mapping['error_message'],
);
$message_text = '<code>"' . t('!map_to|!user_entered', $tokens) . '"</code> ' . t('has the following error: !error.', $tokens);
}
return array(
$message_type,
$message_text,
);
}
/**
* Get list of mappings based on existing Organic Groups and roles
*
* @param associative array $tokens of tokens and replacement values
* @return html examples of mapping values
*/
public function mappingExamples($tokens) {
if ($this->ogVersion == 1) {
$groups = og_get_all_group();
$ogEntities = og_load_multiple($groups);
$OGroles = og_roles(0);
$rows = array();
foreach ($ogEntities as $group) {
foreach ($OGroles as $rid => $role) {
$example = "<code>ou=IT,dc=myorg,dc=mytld,dc=edu|gid=" . $group->gid . ',rid=' . $rid . '</code><br/>' . '<code>ou=IT,dc=myorg,dc=mytld,dc=edu|group-name=' . $group->label . ',role-name=' . $role . '</code>';
$rows[] = array(
$group->label,
$group->gid,
$role,
$example,
);
}
}
$variables = array(
'header' => array(
'Group Name',
'OG Group ID',
'OG Membership Type',
'example',
),
'rows' => $rows,
'attributes' => array(),
);
}
else {
/**
* OG 7.x-2.x mappings:
* $entity_type = $group_type,
* $bundle = $group_bundle
* $etid = $gid where edid is nid, uid, etc.
*
* og group is: entity_type (eg node) x entity_id ($gid) eg. node:17
* group identifier = group_type:gid; aka entity_type:etid e.g. node:17
*
* membership identifier is: group_type:gid:entity_type:etid
* in our case: group_type:gid:user:uid aka entity_type:etid:user:uid e.g. node:17:user:2
*
* roles are simply rids ((1,2,3) and names (non-member, member, and administrator member) in og_role table
* og_users_roles is simply uid x rid x gid
*
* .. so authorization mappings should look like:
* <ldap group>|group_type:gid:rid such as staff|node:17:2
*/
$og_fields = field_info_field(OG_GROUP_FIELD);
$rows = array();
$role_name = OG_AUTHENTICATED_ROLE;
if (!empty($og_fields['bundles'])) {
foreach ($og_fields['bundles'] as $entity_type => $bundles) {
foreach ($bundles as $i => $bundle) {
$query = new EntityFieldQuery();
$query
->entityCondition('entity_type', $entity_type)
->entityCondition('bundle', $bundle)
->range(0, 5)
->addMetaData('account', user_load(1));
// run the query as user 1
$result = $query
->execute();
$entities = entity_load($entity_type, array_keys($result[$entity_type]));
$i = 0;
foreach ($entities as $entity_id => $entity) {
$i++;
$rid = ldap_authorization_og2_rid_from_role_name($entity_type, $bundle, $entity_id, OG_AUTHENTICATED_ROLE);
$title = is_object($entity) && property_exists($entity, 'title') ? $entity->title : '';
$middle = $title && $i < 3 ? $title : $entity_id;
$group_role_identifier = ldap_authorization_og_authorization_id($middle, $rid, $entity_type);
$example = "<code>ou=IT,dc=myorg,dc=mytld,dc=edu|{$group_role_identifier}</code>";
$rows[] = array(
"{$entity_type} {$title} - {$role_name}",
$example,
);
}
}
}
}
$variables = array(
'header' => array(
'Group Entity - Group Title - OG Membership Type',
'example',
),
'rows' => $rows,
'attributes' => array(),
);
}
$table = theme('table', $variables);
$link = l(t('admin/config/people/ldap/authorization/test/og_group'), 'admin/config/people/ldap/authorization/test/og_group');
$examples = <<<EOT
<br/>
Examples for some (or all) existing OG Group IDs can be found in the table below.
This is complex. To test what is going to happen, uncheck "When a user logs on" in IV.B.
and use {<span class="php-variable">$link</span>} to see what memberships sample users would receive.
{<span class="php-variable">$table</span>}
EOT;
$examples = t($examples, $tokens);
return $examples;
}
}