permissionutil.inc.php.tmp

来自「PHP 知识管理系统（基于树结构的知识管理系统）, 英文原版的PHP源码。」· TMP 代码 · 共 830 行 · 第 1/3 页

        $iFolderID = $oDocumentOrFolder->getID();
        $sFolderIDs = Folder::generateFolderIDs($iFolderID);
        $sFolderIDs .= '%';

        $sWhere = 'permission_object_id = ? AND parent_folder_ids LIKE ?';
        $aParams = array($oDocumentOrFolder->getPermissionObjectID(), $sFolderIDs);

        $aFolders =& Folder::getList(array($sWhere, $aParams));
        foreach ($aFolders as $oFolder) {
            KTPermissionUtil::updatePermissionLookup($oFolder);
        }

        $aDocuments =& Document::getList(array($sWhere, $aParams));
        foreach ($aDocuments as $oDocument) {
            KTPermissionUtil::updatePermissionLookup($oDocument);
        }
    }
    // }}}

    // {{{ updatePermissionLookup
    /**
     * Update's the permission lookup on one folder or document,
     * non-recursively.
     */
    function updatePermissionLookup(&$oFolderOrDocument, $aOptions = null) {
        $is_a_folder = is_a($oFolderOrDocument, 'Folder');
		$is_a_document = is_a($oFolderOrDocument, 'Document') || is_a($oFolderOrDocument, 'KTDocumentCore');

		//ensure that the document shortcut is being updated.
		if($is_a_document && $oFolderOrDocument->isSymbolicLink()){
			$oFolderOrDocument->switchToRealCore();
		}

		$oChannel = null;
		$aMapPermAllowed = null;
		$oPermLookup = null;
		if (!is_null($aOptions)) {
		  $oChannel = $aOptions['channel'];
		  $aMapPermAllowed = $aOptions['map_allowed'];
		  $oPermLookup = $aOptions['perm_lookup'];
		}

        if (!$is_a_folder && !$is_a_document) {
		  return ; // we occasionally get handed a PEAR::raiseError.  Just ignore it.
		}


        if (is_null($oChannel)) {
			$oChannel =& KTPermissionChannel::getSingleton();
		}
        if ($is_a_folder) {
            $msg = sprintf("Updating folder %s", join('/', $oFolderOrDocument->getPathArray()));
        } else {
            if (is_a($oFolderOrDocument, 'Document')) {
            	//modify the message to reflect that a shortcut is begin updated
            	if($oFolderOrDocument->isSymbolicLink()){
            		$msg = sprintf("Updating shortcut to %s", $oFolderOrDocument->getName());
            	}else{
                	$msg = sprintf("Updating document %s", $oFolderOrDocument->getName());
            	}
            } else {
                $msg = sprintf("Updating document %d", $oFolderOrDocument->getId());
            }
        }
        $oChannel->sendMessage(new KTPermissionGenericMessage($msg));
        //var_dump($msg);
        $iPermissionObjectId = $oFolderOrDocument->getPermissionObjectID();
        if (empty($iPermissionObjectId)) {
            return;
        }

        $oPO = KTPermissionObject::get($iPermissionObjectId);
        if (is_null($aMapPermAllowed)) {

			$aPAs = KTPermissionAssignment::getByObjectMulti($oPO);
			$aMapPermAllowed = array();
			foreach ($aPAs as $oPA) {
				$oPD = KTPermissionDescriptor::get($oPA->getPermissionDescriptorID());
				$aGroupIDs = $oPD->getGroups();
				$aUserIDs = array();
				$aRoleIDs = $oPD->getRoles();
				$aAllowed = array(
								  'group' => $aGroupIDs,
								  'user' => $aUserIDs,
								  'role' => $aRoleIDs,
								  );
				$aMapPermAllowed[$oPA->getPermissionID()] = $aAllowed;
			}
		}

        if (!$is_a_folder) {
            $aDynamicConditions = KTPermissionDynamicCondition::getByPermissionObject($oPO);
            if (!PEAR::isError($aDynamicConditions)) {
                foreach ($aDynamicConditions as $oDynamicCondition) {
                    $iConditionId = $oDynamicCondition->getConditionId();
                    if (KTSearchUtil::testConditionOnDocument($iConditionId, $oFolderOrDocument)) {
                        $iGroupId = $oDynamicCondition->getGroupId();
                        $aPermissionIds = $oDynamicCondition->getAssignment();
                        foreach ($aPermissionIds as $iPermissionId) {
                            $aCurrentAllowed = KTUtil::arrayGet($aMapPermAllowed, $iPermissionId, array());
                            $aCurrentAllowed['group'][] = $iGroupId;
                            $aMapPermAllowed[$iPermissionId] = $aCurrentAllowed;
                        }
                    }
                }
            }
        }

        if (!$is_a_folder) {
            $oState = KTWorkflowUtil::getWorkflowStateForDocument($oFolderOrDocument);
            if (!(PEAR::isError($oState) || is_null($oState) || ($oState == false))) {
                $aWorkflowStatePermissionAssignments = KTWorkflowStatePermissionAssignment::getByState($oState);
                foreach ($aWorkflowStatePermissionAssignments as $oAssignment) {
                    $iPermissionId = $oAssignment->getPermissionId();
                    $iPermissionDescriptorId = $oAssignment->getDescriptorId();

                    $oPD = KTPermissionDescriptor::get($iPermissionDescriptorId);
                    $aGroupIDs = $oPD->getGroups();
                    $aUserIDs = array();
                    $aRoleIDs = $oPD->getRoles();
                    $aAllowed = array(
                        'group' => $aGroupIDs,
                        'user' => $aUserIDs,
                        'role' => $aRoleIDs,
                    );
                    $aMapPermAllowed[$iPermissionId] = $aAllowed;
                }
            }
        }

        // if we have roles:  nearest folder.
        $iRoleSourceFolder = null;
        if ($is_a_document) {
            $iRoleSourceFolder = $oFolderOrDocument->getFolderID();
        }else {
            $iRoleSourceFolder = $oFolderOrDocument->getId();
        }

        // very minor perf win:  map role_id (in context) to PD.
        $_roleCache = array();

        foreach ($aMapPermAllowed as $iPermissionId => $aAllowed) {
            $aAfterRoles = array();
            if (array_key_exists('role', $aAllowed)) {
                foreach ($aAllowed['role'] as $k => $iRoleId) {
                    // store the PD <-> RoleId map

                    // special-case "all" or "authenticated".
                    if (($iRoleId == -3) || ($iRoleId == -4)) {
                        $aAfterRoles[] = $iRoleId;
                        continue;
                    }
                    if (!array_key_exists($iRoleId, $_roleCache)) {
                        $oRoleAllocation = null;
                        if ($is_a_document) {
                            $oRoleAllocation =& DocumentRoleAllocation::getAllocationsForDocumentAndRole($oFolderOrDocument->getId(), $iRoleId);
                            if (PEAR::isError($oRoleAllocation)) { $oRoleAllocation = null; }
                        }
                        // if that's null - not set _on_ the document, then
                        if (is_null($oRoleAllocation)) {
                            $oRoleAllocation =& RoleAllocation::getAllocationsForFolderAndRole($iRoleSourceFolder, $iRoleId);
                        }
                        $_roleCache[$iRoleId] = $oRoleAllocation;
                    }
                    // roles are _not_ always assigned (can be null at root)
                    if (!is_null($_roleCache[$iRoleId])) {
                        $aMapPermAllowed[$iPermissionId]['user'] = kt_array_merge($aMapPermAllowed[$iPermissionId]['user'], $_roleCache[$iRoleId]->getUserIds());
                        $aMapPermAllowed[$iPermissionId]['group'] = kt_array_merge($aMapPermAllowed[$iPermissionId]['group'], $_roleCache[$iRoleId]->getGroupIds());
                        // naturally, roles cannot be assigned roles, or madness follows.
                    }

                    unset($aAllowed['role'][$k]);
                }

            }

            unset($aMapPermAllowed[$iPermissionId]['role']);
            if (!empty($aAfterRoles)) {
                $aMapPermAllowed[$iPermissionId]['role'] = $aAfterRoles;
            }
        }

        /*
        print '<pre>';
        print '=======' . $oFolderOrDocument->getName();
        print '<br />';
        var_dump($aMapPermAllowed);
        print '</pre>';
        */


        //if (is_null($oPermLookup)) {
            $aMapPermDesc = array();
            foreach ($aMapPermAllowed as $iPermissionId => $aAllowed) {
                $oLookupPD = KTPermissionUtil::getOrCreateDescriptor($aAllowed);
                $aMapPermDesc[$iPermissionId] = $oLookupPD->getID();
            }

            $oPermLookup = KTPermissionLookupAssignment::findOrCreateLookupByPermissionDescriptorMap($aMapPermDesc);
        //}

        $oFolderOrDocument->setPermissionLookupID($oPermLookup->getID());
        $oFolderOrDocument->update();
    }
    // }}}

    // {{{ userHasPermissionOnItem
    /**
     * Check whether a given user has the given permission on the given
     * object, by virtue of a direct or indirect assignment due to the
     * user, its groups, its roles, or the roles assigned to its groups,
     * and so forth.
     */
    function userHasPermissionOnItem($oUser, $oPermission, $oFolderOrDocument) {

        if (is_string($oPermission)) {
             $oPermission =& KTPermission::getByName($oPermission);
        }
        if (PEAR::isError($oPermission)) {
            return false;
        }
        if (PEAR::isError($oFolderOrDocument) || $oFolderOrDocument == null) {
            return false;
        }

        // Quick fix for multiple permissions look ups.
        // For the current lookup, if the permissions have been checked then return their value
        $iPermId = $oPermission->getID();
        $iDocId = $oFolderOrDocument->getID();
        $lookup = 'folders';
        if(is_a($oEntity, 'Document') || is_a($oEntity, 'DocumentProxy')){
            $lookup = 'docs';
        }
        // check if permission has been set
        // $permArr[permId] = array('folders' => array('id' => bool), 'docs' => array('id' => bool));
        if(isset($permArr[$iPermId][$lookup][$iDocId])){
            return $permArr[$iPermId][$lookup][$iDocId];
        }



        $oPL = KTPermissionLookup::get($oFolderOrDocument->getPermissionLookupID());
        $oPLA = KTPermissionLookupAssignment::getByPermissionAndLookup($oPermission, $oPL);
        if (PEAR::isError($oPLA)) {
            //print $oPL->getID();
            $permArr[$iPermId][$lookup][$iDocId] = false;
            return false;
        }
        $oPD = KTPermissionDescriptor::get($oPLA->getPermissionDescriptorID());

        // set permission array to true
        $permArr[$iPermId][$lookup][$iDocId] = true;

        // check for permissions
        $aGroups = GroupUtil::listGroupsForUserExpand($oUser);
        if ($oPD->hasRoles(array(-3))) { return true; } // everyone has access.
        else if ($oPD->hasUsers(array($oUser))) { return true; }
        else if ($oPD->hasGroups($aGroups)) { return true; }
        else if ($oPD->hasRoles(array(-4)) && !$oUser->isAnonymous()) { return true; }

        // permission isn't true, set to false
        $permArr[$iPermId][$lookup][$iDocId] = false;
        return false;
    }
    // }}}

    // {{{ findRootObjectForPermissionObject
    /**
     * Given a specific permission object, find the object (Folder or
     * Document) that is the root of that permission object - the one
     * object that has this permission object, but its parent has a
     * different one.
     */
    function findRootObjectForPermissionObject($oPO) {
        global $default;
        /*