Changeset 2344
- Timestamp:
- 04/10/20 11:27:06 (4 years ago)
- Location:
- trunk/LATMOS-Accounts/lib/LATMOS/Accounts
- Files:
-
- 4 edited
trunk/LATMOS-Accounts/lib/LATMOS/Accounts/Acls.pm
r2320 r2344 171 171 172 172 sub check { 173 my ($self, $obj, $attr, $perm, $who, $groups ) = @_;173 my ($self, $obj, $attr, $perm, $who, $groups, $base) = @_; 174 174 # Asking 'r' perm over create or delete has no sense: 175 175 $attr =~ /^@(CREATE|DELETE)$/ && $perm eq 'r' and return; 176 176 177 177 foreach my $acl (@{$self->{_acls}}, @{$self->{_default_acls}}) { 178 my $res = $acl->match($obj, $attr, $perm, $who, $groups );178 my $res = $acl->match($obj, $attr, $perm, $who, $groups, $base); 179 179 if ( defined($res) ) { 180 180 if ( $ENV{LA_ACL_DEBUG} ) { -
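Review bot: The new sixth argument `$base` of `check` is optional, and nothing in the visible hunk says that omitting it changes how identities are compared. Without it, `_objId` (added to Acl.pm in this changeset) returns the raw id instead of the object's `AclID`, so a caller that omits `$base` silently keeps the old comparison. I would add a comment above the signature such as `# $base (optional): base used to resolve user/group ids to their AclID; raw ids are compared when omitted`, and update the POD of `check` if there is one; it lies outside this hunk.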
trunk/LATMOS-Accounts/lib/LATMOS/Accounts/Acls/Acl.pm
r2343 r2344 65 65 } 66 66 67 =head2 match($obj, $attr, $perm, $who, $groups )67 =head2 match($obj, $attr, $perm, $who, $groups, $base) 68 68 69 69 Return true is this sub acl apply to C<$obj>/C<$attr> for C<$perm> by user … … 73 73 74 74 sub match { 75 my ($self, $obj, $attr, $perm, $who, $groups ) = @_;75 my ($self, $obj, $attr, $perm, $who, $groups, $base) = @_; 76 76 my $objtype = ref $obj ? lc($obj->type) : $obj; 77 77 $attr = lc($attr); … … 89 89 # Obj have attr eq login user 90 90 if (substr($u->{user}, 0, 1) eq '$') { # check attr content 91 if (ref $obj) { 92 my $attribute = substr($u->{user}, 1); 93 my $val = $obj->_get_c_field($attribute) or return; 94 my @vals = ref $val ? (@{ $val }) : ($val); 95 foreach (@vals) { 96 my $uobj = $obj->base->get_object('user', $_) or next; 97 return $u->{$perm} if ($uobj->id eq $who); 98 } 91 my $attribute = substr($u->{user}, 1); 92 my $val = $obj->_get_c_field($attribute) or return; 93 my @vals = ref $val ? (@{ $val }) : ($val); 94 foreach (@vals) { 95 return $u->{$perm} if ($self->_objId('user', $_, $base) eq $who); 99 96 } 100 97 # user is in group 101 98 } elsif (substr($u->{user}, 0, 1) eq '%') { # group 102 99 my $group = substr($u->{user}, 1); 103 return $u->{$perm} if (grep { $ groupeq $_ } grep { $_ } @{$groups ||[]});100 return $u->{$perm} if (grep { $self->_objId('group', $group, $base) eq $_ } grep { $_ } @{$groups ||[]}); 104 101 # any user 105 102 } elsif ($u->{user} eq '*' || $u->{user} eq $who) { … … 116 113 } 117 114 return; 115 } 116 117 sub _objId { 118 my ( $self, $otype, $id, $base ) = @_; 119 120 $base or return $id; 121 122 my $obj = $base->get_object( $otype, $id ) or return $id; 123 124 return $obj->AclID; 118 125 } 119 126 -
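Review bot: The `$`-attribute branch of `match` no longer tests `ref $obj` before calling `$obj->_get_c_field($attribute)`, although line 76 of the same sub still accepts a non-reference `$obj` (`ref $obj ? lc($obj->type) : $obj`). With a plain type string that call becomes a class-method lookup on the string and will most likely die inside the ACL check instead of falling through as before; I would keep the `if (ref $obj) {` wrapper around the lookup. Separately, `_objId` returns the raw `$id` when `get_object` finds nothing, where the removed code skipped unresolved values with `or next`, so an attribute value that names no object is now compared directly with `$who`; skipping such values in the loop would keep the stricter behaviour. The group branch also calls `_objId('group', $group, $base)` once per element of `$groups`, which can be hoisted out of the `grep`. The middle of `match` is elided on this page, so the enclosing loop is not visible.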
trunk/LATMOS-Accounts/lib/LATMOS/Accounts/Bases.pm
r2316 r2344 1277 1277 $who = ''; 1278 1278 } 1279 my $res = $self->{_acls}->check($obj, $attr, $perm, $who, $groups );1279 my $res = $self->{_acls}->check($obj, $attr, $perm, $who, $groups, $self); 1280 1280 $self->log(LA_INFO, 'permission denied for "%s" to get %s.%s for %s', 1281 1281 $who, ref $obj ? $obj->id . '(' . $obj->type . ')' : $obj, $attr, $perm) if (!$res); -
trunk/LATMOS-Accounts/lib/LATMOS/Accounts/Bases/Objects.pm
r2342 r2344 129 129 $self->{_id} 130 130 } 131 132 =head2 AclID 133 134 Return object for acl check 135 136 =cut 137 138 sub AclID { $_[0]->id } 131 139 132 140 =head2 Iid
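Review bot: The POD for `AclID` says "Return object for acl check", but `sub AclID { $_[0]->id }` returns the object's id, not an object. `match` in Acl.pm (this changeset) compares that value with `$who` and with the entries of `$groups` using `eq`, so the documentation should state the contract an override has to keep, presumably a string that identifies exactly one object of its type. Suggested wording: `Return the identifier used to match this object in ACL checks (defaults to id); an override must return a value unique among objects of the same type.`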