Changeset 1091

Timestamp:

08/03/12 09:07:20 (12 years ago)

Author:

nanardon

Message:

Add ACL support to datarequest

If the forms contains a list of validators and user match it, permissions are
granted,
If global acl config grant '@VALIDATE' over 'request' object and user match it,
permissions are granted,
and if nothing match, permissions are checked over the pointed object.

Location:

trunk

Files:

• LATMOS-Accounts-Web/root/html/admin/requests/default.tt (modified) (1 diff)
• LATMOS-Accounts-Web/root/html/admin/requests/index.tt (modified) (1 diff)
• LATMOS-Accounts/lib/LATMOS/Accounts/Bases.pm (modified) (2 diffs)
• LATMOS-Accounts/lib/LATMOS/Accounts/Bases/Sql.pm (modified) (2 diffs)
• LATMOS-Accounts/lib/LATMOS/Accounts/Bases/Sql/DataRequest.pm (modified) (3 diffs)

trunk/LATMOS-Accounts-Web/root/html/admin/requests/default.tt

@@ -49 +49 @@
 
 [% IF loop.last %]
+[% IF request.check_acl %]
 <tr><td></td><td></td><td>
     <input name="_cancel" type="submit" value="Refuser">
     <input name="_validate" type="submit" value="Procéder">
 </td></tr>
+[% END %]
 </table>
 </form>

trunk/LATMOS-Accounts-Web/root/html/admin/requests/index.tt

@@ -19 +19 @@
 <tr>
 <td>
+[% IF req.check_acl %]
+OK
+[% ELSE %]
+perm denied
+[% END %]
 <a href=[% c.uri_for(id) %]>
 [% req.accreq.get_attributes('description') || req.accreq.id | truncate(20) | html %]

trunk/LATMOS-Accounts/lib/LATMOS/Accounts/Bases.pm

@@ -951 +951 @@
 }
 
+=head2 user
+
+Return the current connected username
+
+=cut
+
+sub user { $_[0]->{_user} }
+
 =head2 check_acl($obj, $attr, $perm)
 
@@ -961 +969 @@
     my ($self, $obj, $attr, $perm) = @_;
     if ($self->{_acls}) {
-        my ($who, $groups) = ($self->{_user} || '');
+        my ($who, $groups) = ($self->user || '');
         if ($who && (my $uo = $self->get_object('user', $who))) {
             $groups = [ $uo->_get_attributes('memberOf') ];

trunk/LATMOS-Accounts/lib/LATMOS/Accounts/Bases/Sql.pm

@@ -487 +487 @@
 =head2 list_requests
 
-List user request currently waiting in base
+list user request currently waiting in base
 
 =cut
@@ -500 +500 @@
     });
     $sth->execute;
+    my @ids;
+    while (my $res = $sth->fetchrow_hashref) {
+        push(@ids, $res->{id});
+    }
+
+    @ids
+}
+
+=head2 list_requests_by_submitter ($id)
+
+list user request currently waiting in base ask by user C<$id>
+
+=cut
+
+sub list_requests_by_submitter {
+    my ($self, $id) = @_;
+
+    my $sth = $self->db->prepare(q{
+        select id from request
+        where done is null and user = ?
+        order by apply
+    });
+    $sth->execute($id);
+    my @ids;
+    while (my $res = $sth->fetchrow_hashref) {
+        push(@ids, $res->{id});
+    }
+
+    @ids
+}
+
+
+=head2 list_request_by_object ($otype, $id)
+
+Return the list of pending request for a specific object
+
+=cut
+
+sub list_request_by_object {
+    my ($self, $otype, $id) = @_;
+
+    my $sth = $self->db->prepare(q{
+        select * from request join
+        accreq on request.name = accreq.name
+        join accreq_attributes on accreq_attributes.okey = accreq.ikey
+        where
+        request.applied is NULL and
+        accreq_attributes.attr = 'oType' and
+        accreq_attributes.value = ?
+        and request.object = ?
+        order by apply
+    });
+    $sth->execute($otype, $id);
     my @ids;
     while (my $res = $sth->fetchrow_hashref) {

trunk/LATMOS-Accounts/lib/LATMOS/Accounts/Bases/Sql/DataRequest.pm

@@ -7 +7 @@
 use LATMOS::Accounts::Utils;
 use LATMOS::Accounts::Log;
+use LATMOS::Accounts::Acls::Acl;
 
 our $VERSION = (q$Rev$ =~ /^Rev: (\d+) /)[0];
@@ -525 +526 @@
     my ($self, $comment, %attrs) = @_;
 
+    $self->check_acl or do {
+        $self->base->log(LA_ERR, 'Can\'t apply to object, permission denied by acl');
+    };
+
     my %newvalues = $self->_prepare_attrs(%attrs);
 
@@ -652 +657 @@
 }
 
+=head2 check_acl
+
+Return true if current connected user can validate the request
+
+=cut
+
+sub check_acl {
+    my ($self) = @_;
+
+    my $attr = $self->accreq->parse_form();
+    if (exists($attr->{validators})) {
+        my $acl = LATMOS::Accounts::Acls::Acl->new(
+            '*.*',
+            [ map { "  $_: write"} @{$attr->{validators} || [] } ]
+        );
+        my ($who, $groups) = ($self->base->user || '');
+        if ($who && (my $uo = $self->base->get_object('user', $who))) {
+            $groups = [ $uo->_get_attributes('memberOf') ];
+        } else {
+            $who = '';
+        } 
+
+        my $res = $acl->match($self->oobject || $self->otype, 'valid', 'w', $self->base->user, $groups);
+        defined($res) and return $res;
+
+        return;
+    }
+
+    # Check global Acl
+    if ($self->base->check_acl('request', 'VALIDATE', 'w')) {
+        return 1;
+    }
+
+    my $res = $self->_check_attr_acl;
+    return $res
+}
+
+sub _check_attr_acl {
+    my ($self) = @_;
+
+    if ($self->is_for_new_object) {
+        return $self->base->check_acl($self->otype, 'CREATE', 'w');
+    } else {
+        my $obj = $self->oobject;
+        foreach my $attr ($self->attributes) {
+            $self->base->check_acl($obj, $attr, 'w') or return;
+        }
+        return 1;
+    }
+}
+
+=head2 check_is_owner
+
+Return true if the connected user is the original requester
+
+=cut
+
+sub check_is_owner {
+    my ($self) = @_;
+
+    return (($self->base->user || '')  eq ($self->user || '--'))
+}
+
 1;