You are here

Home » API reference » Lightweight Directory Access Protocol (LDAP) 8.2 » LdapAuthorizationConsumerOG.class.php » LdapAuthorizationConsumerOG

protected function LdapAuthorizationConsumerOG::grantsAndRevokes in Lightweight Directory Access Protocol (LDAP) 8.2

Same name and namespace in other branches
  1. 7.2 ldap_authorization/ldap_authorization_og/LdapAuthorizationConsumerOG.class.php \LdapAuthorizationConsumerOG::grantsAndRevokes()

Parameters

string $op 'grant' or 'revoke' signifying what to do with the $consumer_ids:

drupal user object $object:

array $user_auth_data is array specific to this consumer_type. Stored at $user->data['ldap_authorizations'][<consumer_type>]:

$consumers as associative array in form of LdapAuthorizationConsumerAbstract::populateConsumersFromConsumerIds:

array $ldap_entry, when available user's ldap entry.:

boolean $user_save indicates is user data array should be saved or not. this depends on the implementation calling this function:

Overrides LdapAuthorizationConsumerAbstract::grantsAndRevokes

File

ldap_authorization/ldap_authorization_og/LdapAuthorizationConsumerOG.class.php, line 436

Class

LdapAuthorizationConsumerOG

Code

protected function grantsAndRevokes($op, &$user, &$user_auth_data, $consumers, &$ldap_entry = NULL, $user_save = TRUE) {

  // debug("grantsAndRevokes, op=$op, user_save=$user_save"); debug($user_auth_data); debug($consumers);
  if (!is_array($user_auth_data)) {
    $user_auth_data = array();
  }
  $detailed_watchdog_log = config('ldap_help.settings')
    ->get('watchdog_detail');
  $this
    ->sortConsumerIds($op, $consumers);
  $results = array();
  $watchdog_tokens = array();
  $watchdog_tokens['%username'] = $user->name;
  $watchdog_tokens['%action'] = $op;
  $watchdog_tokens['%user_save'] = $user_save;

  /**
   * get authorizations that exist, regardless of origin or ldap_authorization $user->data
   * in form $users_authorization_consumer_ids = array('3-2', '3,3', '4-2')
   */
  $users_authorization_consumer_ids = $this
    ->usersAuthorizations($user, TRUE);
  $watchdog_tokens['%users_authorization_ids'] = join(', ', $users_authorization_consumer_ids);
  if ($detailed_watchdog_log) {
    watchdog('ldap_authorization', "on call of grantsAndRevokes: user_auth_data=" . print_r($user_auth_data, TRUE), $watchdog_tokens, WATCHDOG_DEBUG);
  }

  /**
   * step #1:  generate $og_actions = array of form $og_actions['revokes'|'grants'][$gid] = $rid
   *  based on all consumer ids granted and revokes
   */
  $og_actions = array(
    'grants' => array(),
    'revokes' => array(),
  );

  //dpm('consumers');dpm($consumers); dpm('users_authorization_consumer_ids'); dpm($users_authorization_consumer_ids);
  foreach ($consumers as $consumer_id => $consumer) {
    if ($detailed_watchdog_log) {
      watchdog('ldap_authorization', "consumer_id={$consumer_id}, user_save={$user_save}, op={$op}", $watchdog_tokens, WATCHDOG_DEBUG);
    }
    $user_has_authorization = in_array($consumer_id, $users_authorization_consumer_ids);

    // does user already have authorization ?
    $user_has_authorization_recorded = isset($user_auth_data[$consumer_id]);

    // is authorization attribute to ldap_authorization_og in $user->data ?
    if ($this->ogVersion == 1) {
      list($gid, $rid) = $this
        ->og1ConsumerIdParts($consumer_id);
      if ($rid == $this->anonymousRid) {
        continue;
      }
    }
    else {
      list($entity_type, $gid, $rid) = $this
        ->og2ConsumerIdParts($consumer_id);
    }

    /** grants **/
    if ($op == 'grant') {
      if ($user_has_authorization && !$user_has_authorization_recorded) {

        // grant case 1: authorization id already exists for user, but is not ldap provisioned.  mark as ldap provisioned, but don't regrant
        $results[$consumer_id] = TRUE;
        $user_auth_data[$consumer_id] = array(
          'date_granted' => time(),
          'consumer_id_mixed_case' => $consumer_id,
        );
      }
      elseif (!$user_has_authorization && $consumer['exists']) {

        // grant case 2: consumer exists, but user is not member. grant authorization
        if ($this->ogVersion == 1) {
          $og_actions['grants'][$gid][] = $rid;
        }
        else {
          $og_actions['grants'][$entity_type][$gid][] = $rid;
        }
      }
      elseif ($consumer['exists'] !== TRUE) {

        // grant case 3: something is wrong. consumers should have been created before calling grantsAndRevokes
        $results[$consumer_id] = FALSE;
      }
      elseif ($consumer['exists'] === TRUE) {

        // grant case 4: consumer exists and user has authorization recorded. do nothing
        $results[$consumer_id] = TRUE;
      }
      else {

        // grant case 5: $consumer['exists'] has not been properly set before calling function
        $results[$consumer_id] = FALSE;
        watchdog('ldap_authorization', "grantsAndRevokes consumer[exists] not properly set. consumer_id={$consumer_id}, op={$op}, username=%username", $watchdog_tokens, WATCHDOG_ERROR);
      }
    }
    elseif ($op == 'revoke') {
      if ($user_has_authorization) {

        // revoke case 1: user has authorization, revoke it.  revokeSingleAuthorization will remove $user_auth_data[$consumer_id]
        if ($this->ogVersion == 1) {
          $og_actions['revokes'][$gid][] = $rid;
        }
        else {
          $og_actions['revokes'][$entity_type][$gid][] = $rid;
        }
      }
      elseif ($user_has_authorization_recorded) {

        // revoke case 2: user does not have authorization, but has record of it. remove record of it.
        unset($user_auth_data[$consumer_id]);
        $results[$consumer_id] = TRUE;
      }
      else {

        // revoke case 3: trying to revoke something that isn't there
        $results[$consumer_id] = TRUE;
      }
    }
    if ($detailed_watchdog_log) {
      watchdog('ldap_authorization', "user_auth_data after consumer {$consumer_id}" . print_r($user_auth_data, TRUE), $watchdog_tokens, WATCHDOG_DEBUG);
    }
  }

  /**
   * Step #2: from array of form:
   *   og1.5: $og_actions['grants'|'revokes'][$gid][$rid]\
   *   og2:   $og_actions['grants'|'revokes'][$entity_type][$gid][$rid]
   * - generate $user->data['ldap_authorizations'][<consumer_id>]
   * - remove and grant og memberships
   * - remove and grant og roles
   * - flush appropriate caches
   */
  debug("og_actions");
  debug($og_actions);
  debug("user_auth_data");
  debug($user_auth_data);
  if ($this->ogVersion == 1) {
    $this
      ->og1Grants($og_actions, $user, $user_auth_data);
    $this
      ->og1Revokes($og_actions, $user, $user_auth_data);
  }
  else {
    $this
      ->og2Grants($og_actions, $user, $user_auth_data);
    $this
      ->og2Revokes($og_actions, $user, $user_auth_data);
  }
  $user_edit['data']['ldap_authorizations'][$this->consumerType] = $user_auth_data;
  $user = user_save($user, $user_edit);
  $user_auth_data = $user->data['ldap_authorizations'][$this->consumerType];

  // reset this variable because user save hooks can impact it.
  $this
    ->flushRelatedCaches($consumers, $user);
  if ($detailed_watchdog_log) {
    watchdog('ldap_authorization', '%username:
        <hr/>LdapAuthorizationConsumerAbstract grantsAndRevokes() method log.  action=%action:<br/> %consumer_ids_log
        ', $watchdog_tokens, WATCHDOG_DEBUG);
  }
}