protected function LdapAuthorizationConsumerOG::grantsAndRevokes in Lightweight Directory Access Protocol (LDAP) 8.2
Same name and namespace in other branches
- 7.2 ldap_authorization/ldap_authorization_og/LdapAuthorizationConsumerOG.class.php \LdapAuthorizationConsumerOG::grantsAndRevokes()
Parameters
string $op 'grant' or 'revoke' signifying what to do with the $consumer_ids:
drupal user object $object:
array $user_auth_data is an array specific to this consumer_type. Stored at $user->data['ldap_authorizations'][<consumer_type>]:
$consumers as associative array in form of LdapAuthorizationConsumerAbstract::populateConsumersFromConsumerIds:
array $ldap_entry, the user's ldap entry, when available:
boolean $user_save indicates whether the user data array should be saved or not. This depends on the implementation calling this function:
Overrides LdapAuthorizationConsumerAbstract::grantsAndRevokes
File
- ldap_authorization/
ldap_authorization_og/ LdapAuthorizationConsumerOG.class.php, line 436
Class
Code
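/**
 * Grants or revokes Organic Groups memberships and roles for one user.
 *
 * Overrides LdapAuthorizationConsumerAbstract::grantsAndRevokes().
 *
 * @param string $op
 *   'grant' or 'revoke', signifying what to do with the consumer ids in
 *   $consumers. Any other value records no OG actions (the user is still
 *   saved).
 * @param object $user
 *   Drupal user object, passed by reference. On a successful save it is
 *   replaced with the saved user object.
 * @param array $user_auth_data
 *   Authorization data specific to this consumer type, as stored at
 *   $user->data['ldap_authorizations'][<consumer_type>]. Modified in place
 *   and, after saving, re-read from the saved user because user save hooks
 *   can change it. A non-array value is reset to an empty array.
 * @param array $consumers
 *   Associative array of consumer_id => consumer in the form produced by
 *   LdapAuthorizationConsumerAbstract::populateConsumersFromConsumerIds().
 *   Each consumer is expected to carry an 'exists' flag.
 * @param array|null $ldap_entry
 *   The user's LDAP entry when available. Not used by this implementation.
 * @param bool $user_save
 *   Declared to indicate whether the user data array should be saved.
 *   NOTE(review): this implementation only records the flag in the log
 *   tokens and always saves the user; confirm against the abstract contract
 *   before relying on FALSE.
 */
protected function grantsAndRevokes($op, &$user, &$user_auth_data, $consumers, &$ldap_entry = NULL, $user_save = TRUE) {
  if (!is_array($user_auth_data)) {
    $user_auth_data = array();
  }
  $detailed_watchdog_log = config('ldap_help.settings')->get('watchdog_detail');
  $this->sortConsumerIds($op, $consumers);

  // Per-consumer outcome, consumer_id => TRUE (ok) / FALSE (failed). Only
  // feeds the %consumer_ids_log token of the summary log line below.
  $results = array();
  $watchdog_tokens = array();
  $watchdog_tokens['%username'] = $user->name;
  $watchdog_tokens['%action'] = $op;
  $watchdog_tokens['%user_save'] = $user_save;

  // Authorizations the user currently holds, regardless of origin or of what
  // ldap_authorization recorded in $user->data, e.g. array('3-2', '3-3',
  // '4-2').
  $users_authorization_consumer_ids = $this->usersAuthorizations($user, TRUE);
  $watchdog_tokens['%users_authorization_ids'] = join(', ', $users_authorization_consumer_ids);
  if ($detailed_watchdog_log) {
    watchdog('ldap_authorization', "on call of grantsAndRevokes: user_auth_data=" . print_r($user_auth_data, TRUE), $watchdog_tokens, WATCHDOG_DEBUG);
  }

  // Step #1: build $og_actions from the consumer ids granted and revoked:
  //   og1: $og_actions['grants'|'revokes'][$gid][] = $rid
  //   og2: $og_actions['grants'|'revokes'][$entity_type][$gid][] = $rid
  $og_actions = array(
    'grants' => array(),
    'revokes' => array(),
  );
  foreach ($consumers as $consumer_id => $consumer) {
    if ($detailed_watchdog_log) {
      watchdog('ldap_authorization', "consumer_id={$consumer_id}, user_save={$user_save}, op={$op}", $watchdog_tokens, WATCHDOG_DEBUG);
    }
    // Does the user already hold this authorization? Loose comparison is kept
    // on purpose: $consumer_id is an array key (numeric strings become ints)
    // while usersAuthorizations() presumably returns strings such as '3-2'.
    $user_has_authorization = in_array($consumer_id, $users_authorization_consumer_ids);
    // Is the authorization attributed to ldap_authorization_og in $user->data?
    $user_has_authorization_recorded = isset($user_auth_data[$consumer_id]);

    if ($this->ogVersion == 1) {
      list($gid, $rid) = $this->og1ConsumerIdParts($consumer_id);
      // The anonymous role is never granted or revoked; it leaves no result.
      if ($rid == $this->anonymousRid) {
        continue;
      }
    }
    else {
      list($entity_type, $gid, $rid) = $this->og2ConsumerIdParts($consumer_id);
    }

    if ($op == 'grant') {
      if ($user_has_authorization && !$user_has_authorization_recorded) {
        // Grant case 1: authorization already exists for the user but is not
        // ldap provisioned. Mark it as ldap provisioned without regranting.
        $results[$consumer_id] = TRUE;
        $user_auth_data[$consumer_id] = array(
          'date_granted' => time(),
          'consumer_id_mixed_case' => $consumer_id,
        );
      }
      elseif (!isset($consumer['exists'])) {
        // Grant case 5: $consumer['exists'] was not set before calling this
        // method. Checked before the other cases so it is actually reachable.
        $results[$consumer_id] = FALSE;
        watchdog('ldap_authorization', "grantsAndRevokes consumer[exists] not properly set. consumer_id={$consumer_id}, op={$op}, username=%username", $watchdog_tokens, WATCHDOG_ERROR);
      }
      elseif (!$user_has_authorization && $consumer['exists']) {
        // Grant case 2: consumer exists but the user is not a member. Queue
        // the grant; the result is set by og1Grants()/og2Grants().
        if ($this->ogVersion == 1) {
          $og_actions['grants'][$gid][] = $rid;
        }
        else {
          $og_actions['grants'][$entity_type][$gid][] = $rid;
        }
      }
      elseif ($consumer['exists'] !== TRUE) {
        // Grant case 3: the consumer should have been created before calling
        // grantsAndRevokes; nothing can be granted.
        $results[$consumer_id] = FALSE;
      }
      else {
        // Grant case 4: consumer exists and the user already has the
        // authorization recorded. Nothing to do.
        $results[$consumer_id] = TRUE;
      }
    }
    elseif ($op == 'revoke') {
      if ($user_has_authorization) {
        // Revoke case 1: the user has the authorization; queue the revoke.
        // og1Revokes()/og2Revokes() remove $user_auth_data[$consumer_id].
        if ($this->ogVersion == 1) {
          $og_actions['revokes'][$gid][] = $rid;
        }
        else {
          $og_actions['revokes'][$entity_type][$gid][] = $rid;
        }
      }
      elseif ($user_has_authorization_recorded) {
        // Revoke case 2: no authorization, but a stale record of it. Drop it.
        unset($user_auth_data[$consumer_id]);
        $results[$consumer_id] = TRUE;
      }
      else {
        // Revoke case 3: revoking something that is not there is a no-op.
        $results[$consumer_id] = TRUE;
      }
    }

    if ($detailed_watchdog_log) {
      watchdog('ldap_authorization', "user_auth_data after consumer {$consumer_id}" . print_r($user_auth_data, TRUE), $watchdog_tokens, WATCHDOG_DEBUG);
    }
  }

  // Step #2: apply $og_actions. The og*Grants()/og*Revokes() helpers update
  // $user_auth_data in place; the result is then persisted to
  // $user->data['ldap_authorizations'][<consumer_type>] and related caches
  // are flushed. Authorization state is only written to the log when
  // detailed logging is enabled; unconditional debug() output would expose
  // it on screen.
  if ($detailed_watchdog_log) {
    watchdog('ldap_authorization', "grantsAndRevokes og_actions=" . print_r($og_actions, TRUE), $watchdog_tokens, WATCHDOG_DEBUG);
    watchdog('ldap_authorization', "grantsAndRevokes user_auth_data before og actions=" . print_r($user_auth_data, TRUE), $watchdog_tokens, WATCHDOG_DEBUG);
  }
  if ($this->ogVersion == 1) {
    $this->og1Grants($og_actions, $user, $user_auth_data);
    $this->og1Revokes($og_actions, $user, $user_auth_data);
  }
  else {
    $this->og2Grants($og_actions, $user, $user_auth_data);
    $this->og2Revokes($og_actions, $user, $user_auth_data);
  }

  $user_edit = array();
  $user_edit['data']['ldap_authorizations'][$this->consumerType] = $user_auth_data;
  $saved_user = user_save($user, $user_edit);
  if (!$saved_user) {
    // A failed save would leave $user as FALSE and the next lines would read
    // properties of a non-object; log and bail out instead.
    watchdog('ldap_authorization', 'grantsAndRevokes: user_save failed for %username (action=%action); ldap authorizations not persisted.', $watchdog_tokens, WATCHDOG_ERROR);
    return;
  }
  $user = $saved_user;
  // Re-read from the saved user because user save hooks can change it.
  $user_auth_data = $user->data['ldap_authorizations'][$this->consumerType];
  $this->flushRelatedCaches($consumers, $user);

  if ($detailed_watchdog_log) {
    // Populate the token the summary message references; it was never set
    // before, so the message printed the bare placeholder.
    $consumer_ids_log = array();
    foreach ($results as $logged_consumer_id => $result) {
      $consumer_ids_log[] = $logged_consumer_id . ($result ? ': ok' : ': failed');
    }
    $watchdog_tokens['%consumer_ids_log'] = join(', ', $consumer_ids_log);
    watchdog('ldap_authorization', '%username:
<hr/>LdapAuthorizationConsumerAbstract grantsAndRevokes() method log. action=%action:<br/> %consumer_ids_log
', $watchdog_tokens, WATCHDOG_DEBUG);
  }
}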