Hi,
I have tried the method you propose. However, the rights are only checked
regarding the current session. Thus, if you have write access inside the
current session, you will have write access on any object, whatever its
entity.
That is a problem for the IPv4 network object I am trying to implement. I am
trying to make "delegation of sub networks". I suggest you have a look at
the wiki page I developed to describe my proposal:
https://forge.indepnet.net/projects/glpi/wiki/IPv4Netowrk_class
So, the method you proposed is not convenient, as it only checks writes
regarding the current session entity, whereas we must check rights from the
point of view of other entities.
Thus, I propose the attached patch: it provides the
'haveAbsoluteRight' function. This one directly asks the database to
retrieve the given right inside the given entity of the given user. It
takes care of the recursive rights. We should avoid using it every time as
it may be time consuming (use of SQL request). But sometimes (my case
is the only one I see), it may be useful.
Regards
Damien Touraine
On 07/21/11 13:04, MoYo wrote:
On 21/07/2011 12:55, Damien Touraine wrote:
Hi,
Is there a way to know the rights for the current user on another
entity than the current one ?
For instance, we are inside the "A" entity, and we want to know if
the current user has rights for write networking inside entity "B".
I can use :
$currentEntity = $_SESSION["glpiactive_entity"]; // This should equal the "A id"
changeActiveEntities("B id");
$allowed = haveRight('networking', 'w');
changeActiveEntities($currentEntity); // Go back to "A" entity
...
But I think it should be too rough.
Hi,
What is the real usage of these checks?
Check to know if you can add / update an item ?
For an item checking the right add on a specific entity
$item->can(-1,'w',array('entities_id'=>$entities_id));
you can add other params if needed in third argument.
Regards
Julien
KR
Damien Touraine
_______________________________________________
Glpi-dev mailing list
Glpi-dev@gna.org
https://mail.gna.org/listinfo/glpi-dev
--
--------------------------------------------------------------------
Damien TOURAINE - Ingénieur de Recherche CNRS, LIMSI-CNRS
Groupe de RV&A "VENISE", (http://www.limsi.fr/venise/)
Bat. 508, Universite Paris-Sud 91403 Orsay cedex - +33 1 69 85 81 64
--------------------------------------------------------------------
Index: inc/auth.function.php
===================================================================
--- inc/auth.function.php (revision 15011)
+++ inc/auth.function.php (working copy)
@@ -95,6 +95,71 @@
/**
+ * Does $user have the absolute right $right to module $module (compare to
session variable)
+ * inside $entity
+ * The main difference with haveRight remains that it does not rely on the
current user
+ * nor session and it straightly make a request to the database, thus to
require to
+ * login/logout after profiles modifications
+ *
+ * @param $module Module to check
+ * @param $right Right to check
+ * @param $entity Entity to check
+ * @param $user User to check
+ *
+ * @return Boolean : session variable have more than the right specified for
the module
+**/
+function haveAbsoluteRight($module, $right, $entity = -1, $user = -1) {
+ global $DB;
+
+ //If GLPI is using the slave DB -> read only mode
+ if ($DB->isSlave() && $right == "w") {
+ return false;
+ }
+
+ $matches = array("" => array("''", "'r'", "'w'"), // ne doit pas arriver
normalement
+ "r" => array("'r'", "'w'"),
+ "w" => array("'w'"),
+ "1" => array("'1'"),
+ "0" => array("'0'", "'1'")); // ne doit pas arriver non
plus
+ $WHERE_RIGHT_FILTER = "0";
+ if ((isset($matches[$right])) && (count($matches[$right]) >0)) {
+ $WHERE_RIGHT_FILTER = "`glpi_profiles`.`$module` IN (".implode(',',
$matches[$right]).")";
+ }
+
+ if ($entity < 0) $entity = $_SESSION["glpiactive_entity"];
+ $entities = getAncestorsOf("glpi_entities", $entity);
+ if (count($entities) > 0) {
+ $WHERE_ENTITY_FILTER =
+ "(
+ (`glpi_profiles_users`.`entities_id`='$entity')
+ OR
+ (`glpi_profiles_users`.`entities_id` IN (".implode(",", $entities).")
+ AND
+ `glpi_profiles_users`.`is_recursive`='1')
+ )";
+ } else {
+ $WHERE_ENTITY_FILTER = "`glpi_profiles_users`.`entities_id`='$entity'";
+ }
+
+ if ($user == -1) $user = getLoginUserID();
+
+ $query = "SELECT `glpi_profiles`.`id`
+ FROM `glpi_profiles`
+ WHERE `glpi_profiles`.`id` IN (
+ SELECT `glpi_profiles_users`.`profiles_id`
+ FROM `glpi_profiles_users`
+ WHERE `glpi_profiles_users`.`users_id`='$user'
+ AND $WHERE_ENTITY_FILTER)
+ AND $WHERE_RIGHT_FILTER";
+
+ $result = $DB->query($query);
+ if ($DB->numrows($result))
+ return true;
+ return false;
+}
+
+
+/**
* Display common message for privileges errors
*
* @return Nothing (die)
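Review bot: $module is interpolated unchecked as a column name in "`glpi_profiles`.`$module` IN (...)", and $entity and $user reach the query as '$entity' and '$user' with no cast or escaping, so this authorization check relies entirely on its callers passing clean values. Because the function exists to be called with an explicit entity and user, cast both to integers right after the defaults are resolved and check $module against the known right columns of glpi_profiles before building $WHERE_RIGHT_FILTER. In $matches, the entries for "" and "0" list every value ('', 'r', 'w' and '0', '1'), so a call with an empty or "0" right returns true for any profile the user holds in the entity; the comments say these cases should not happen, so returning false for them would fail closed in the same way the unknown-right default ($WHERE_RIGHT_FILTER = "0") already does. The read-only guard uses a loose comparison ($right == "w"); a strict comparison is safer in a rights check. The @return line still describes the session variable, although the right itself is read from the database, and the docblock sentence about login/logout after profile changes is hard to follow and should be reworded.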