
protected function LdapAuthorizationConsumerOG::grantsAndRevokes in Lightweight Directory Access Protocol (LDAP) 7.2

Same name and namespace in other branches
  1. 8.2 ldap_authorization/ldap_authorization_og/LdapAuthorizationConsumerOG.class.php \LdapAuthorizationConsumerOG::grantsAndRevokes()

Parameters

string $op: 'grant' or 'revoke' signifying what to do with the $consumer_ids.

drupal user object $object:

array $user_auth_data: an array specific to this consumer_type. Stored at $user->data['ldap_authorizations'][<consumer_type>].

$consumers: an associative array in the form of LdapAuthorizationConsumerAbstract::populateConsumersFromConsumerIds

array $ldap_entry: the user's LDAP entry, when available.

bool $user_save: indicates whether the user data array should be saved or not. This depends on the implementation calling this function.

Overrides LdapAuthorizationConsumerAbstract::grantsAndRevokes

File

ldap_authorization/ldap_authorization_og/LdapAuthorizationConsumerOG.class.php, line 275

Class

LdapAuthorizationConsumerOG

Code

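/**
 * Grants or revokes OG memberships and roles for a user.
 *
 * Step #1 classifies every consumer id into an OG grant or revoke (keyed by
 * entity type and group id) and maintains the per-consumer record in
 * $user_auth_data. Step #2 applies the grants and revokes, reloads and saves
 * the user, re-reads $user_auth_data from the saved user and flushes caches.
 * Nothing is returned; the outcome is visible through $user and
 * $user_auth_data, which are both passed by reference.
 *
 * @param string $op
 *   'grant' or 'revoke'. Any other value makes no per-consumer change, but
 *   the user is still reloaded and saved.
 * @param object $user
 *   Drupal user object. Replaced by the reloaded and saved user object.
 * @param array $user_auth_data
 *   Authorization records for this consumer type, keyed by consumer id.
 *   Reset from the saved user's data before returning, since user save hooks
 *   can alter it.
 * @param array $consumers
 *   Consumer id => consumer array. Each consumer is expected to carry an
 *   'exists' key set to TRUE or FALSE; a missing key is logged as an error.
 * @param array|null $ldap_entry
 *   The user's LDAP entry when available. Not read by this implementation.
 * @param bool $user_save
 *   Documented as controlling whether the user is saved, but this
 *   implementation always calls user_save(); the value is only logged.
 *   NOTE(review): confirm callers do not rely on FALSE suppressing the save.
 */
protected function grantsAndRevokes($op, &$user, &$user_auth_data, $consumers, &$ldap_entry = NULL, $user_save = TRUE) {
  if (!is_array($user_auth_data)) {
    $user_auth_data = [];
  }
  $detailed_watchdog_log = variable_get('ldap_help_watchdog_detail', 0);
  $this->sortConsumerIds($op, $consumers);

  // Everything interpolated into a watchdog() message goes through a
  // placeholder: '%' and '@' tokens are escaped by format_string() when the
  // log is rendered, whereas text concatenated into the message itself is
  // not. Consumer ids and user data originate outside this module, so they
  // are never concatenated into a message directly.
  $watchdog_tokens = [
    '%username' => $user->name,
    '%action' => $op,
    '%user_save' => $user_save,
  ];

  // Authorizations the user currently holds, regardless of origin or of what
  // ldap_authorization recorded in $user->data, e.g. array('3-2', '3-3', '4-2').
  $users_authorization_consumer_ids = $this->usersAuthorizations($user, TRUE);
  $watchdog_tokens['%users_authorization_ids'] = implode(', ', $users_authorization_consumer_ids);
  if ($detailed_watchdog_log) {
    $watchdog_tokens['@user_auth_data'] = print_r($user_auth_data, TRUE);
    watchdog('ldap_authorization', 'on call of grantsAndRevokes: user_auth_data=@user_auth_data', $watchdog_tokens, WATCHDOG_DEBUG);
  }

  // Step #1: build $og_actions['grants'|'revokes'][$entity_type][$gid][] = $rid
  // from the consumer ids to be granted or revoked.
  $og_actions = [
    'grants' => [],
    'revokes' => [],
  ];
  $consumer_ids_log = '';
  foreach ($consumers as $consumer_id => $consumer) {
    $watchdog_tokens['@consumer_id'] = $consumer_id;
    if ($detailed_watchdog_log) {
      watchdog('ldap_authorization', 'consumer_id=@consumer_id, user_save=%user_save, op=%action', $watchdog_tokens, WATCHDOG_DEBUG);
    }
    $log = "consumer_id={$consumer_id}, op={$op},";

    // Does the user already hold this authorization, from any origin?
    // NOTE(review): the comparison is kept loose because PHP turns
    // numeric-string array keys into ints, so a strict check could miss ids
    // that usersAuthorizations() returns as strings - confirm the id format
    // before tightening it.
    $user_has_authorization = in_array($consumer_id, $users_authorization_consumer_ids);

    // Has ldap_authorization_og recorded this authorization in $user->data?
    $user_has_authorization_recorded = isset($user_auth_data[$consumer_id]);
    list($entity_type, $gid, $rid) = $this->og2ConsumerIdParts($consumer_id);

    if ($op === 'grant') {
      if ($user_has_authorization && !$user_has_authorization_recorded) {
        // Grant case 1: the user already holds the authorization, but it is
        // not marked as LDAP provisioned. Record it; do not regrant.
        $user_auth_data[$consumer_id] = [
          'date_granted' => time(),
          'consumer_id_mixed_case' => $consumer_id,
        ];
        $log .= "grant case 1: authorization id already exists for user, but is not ldap provisioned.  mark as ldap provisioned, but don't regrant";
        $log .= $consumer_id;
      }
      elseif (!$user_has_authorization && $consumer['exists']) {
        // Grant case 2: the consumer exists but the user is not a member.
        // Queue the OG grant for step #2.
        $og_actions['grants'][$entity_type][$gid][] = $rid;
        $log .= "grant case 2: consumer exists, but user is not member. grant authorization";
        $log .= " " . $entity_type . ":" . $gid . ":" . $rid;
      }
      elseif (!isset($consumer['exists'])) {
        // Grant case 5: $consumer['exists'] was not set before calling this
        // function. Checked before case 3 so that it is actually reachable;
        // a missing key would otherwise be swallowed by the `!== TRUE` test.
        watchdog('ldap_authorization', 'grantsAndRevokes consumer[exists] not properly set. consumer_id=@consumer_id, op=%action, username=%username', $watchdog_tokens, WATCHDOG_ERROR);
        $log .= "grantsAndRevokes consumer[exists] not properly set. consumer_id={$consumer_id}, op={$op}, username=%username";
      }
      elseif ($consumer['exists'] !== TRUE) {
        // Grant case 3: consumers should have been created before calling
        // grantsAndRevokes; this one does not exist, so nothing is granted.
        $log .= "grant case 3: something is wrong. consumers should have been created before calling grantsAndRevokes";
        $log .= " " . $consumer_id;
      }
      else {
        // Grant case 4: the consumer exists and the authorization is already
        // recorded. Nothing to do.
        $log .= "grant case 4: consumer exists and user has authorization recorded. do nothing";
        $log .= " " . $consumer_id;
      }
    }
    elseif ($op === 'revoke') {
      if ($user_has_authorization) {
        // Revoke case 1: the user holds the authorization; queue the OG
        // revoke for step #2, which also drops $user_auth_data[$consumer_id].
        $og_actions['revokes'][$entity_type][$gid][] = $rid;
        $log .= "revoke case 1: user has authorization, revoke it.  revokeSingleAuthorization will remove {$consumer_id}";
        $log .= " " . $entity_type . ":" . $gid . ":" . $rid;
      }
      elseif ($user_has_authorization_recorded) {
        // Revoke case 2: the user no longer holds the authorization but a
        // record of it remains. Drop the stale record.
        unset($user_auth_data[$consumer_id]);
        $log .= "revoke case 2: user does not have authorization, but has record of it. remove record of it.";
        $log .= $consumer_id;
      }
      else {
        // Revoke case 3: revoking something that is neither held nor
        // recorded. Nothing to do.
        $log .= "revoke case 3: trying to revoke something that isn't there";
        $log .= $consumer_id;
      }
    }
    if ($detailed_watchdog_log) {
      $watchdog_tokens['@user_auth_data'] = print_r($user_auth_data, TRUE);
      watchdog('ldap_authorization', 'user_auth_data after consumer @consumer_id: @user_auth_data', $watchdog_tokens, WATCHDOG_DEBUG);
    }
    // Appended exactly once per consumer. The grant branch used to append
    // $log a second time, duplicating every grant entry in the summary log.
    $consumer_ids_log .= $log;
  }
  $watchdog_tokens['%consumer_ids_log'] = $consumer_ids_log;

  // Step #2: apply $og_actions['grants'|'revokes'][$entity_type][$gid][$rid]:
  // add and remove OG memberships and roles, and update the
  // $user->data['ldap_authorizations'][<consumer_id>] records accordingly.
  $this->og2Grants($og_actions, $user, $user_auth_data);
  $this->og2Revokes($og_actions, $user, $user_auth_data);
  $user_edit = [
    'data' => $user->data,
  ];
  $user_edit['data']['ldap_authorizations'][$this->consumerType] = $user_auth_data;

  // Force a reload of the user object, since changes made through the grant-
  // and revoke-functions above might have changed og-related field data.
  // Those changes will not yet be reflected in $user, potentially causing
  // data loss when user_save() is called with stale data.
  $user = user_load($user->uid, TRUE);
  $user = user_save($user, $user_edit);

  // Re-read the records from the saved user, because user save hooks can
  // alter them. Fall back to an empty array so callers always get an array,
  // matching the normalisation done at the top of this method.
  $user_auth_data = isset($user->data['ldap_authorizations'][$this->consumerType])
    ? $user->data['ldap_authorizations'][$this->consumerType]
    : [];
  $this->flushRelatedCaches($consumers, $user);
  if ($detailed_watchdog_log) {
    watchdog('ldap_authorization', '%username:
        <hr/>LdapAuthorizationConsumerAbstract grantsAndRevokes() method log.  action=%action:<br/> %consumer_ids_log
        ', $watchdog_tokens, WATCHDOG_DEBUG);
  }
}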