[icinga-checkins] icinga.org: icinga-web/mfriedrich/fixes: * Choice of group inheritance ( fixes #2188)

git at icinga.org git at icinga.org
Mon Feb 20 19:24:45 CET 2012


Module: icinga-web
Branch: mfriedrich/fixes
Commit: 96824fff8332e716003ba1195b1f95dc53fb5877
URL:    https://git.icinga.org/?p=icinga-web.git;a=commit;h=96824fff8332e716003ba1195b1f95dc53fb5877

Author: Marius Hein <marius.hein at netways.de>
Date:   Tue Dec 13 11:50:50 2011 +0100

* Choice of group inheritance (fixes #2188)

---

 app/modules/AppKit/config/auth.xml.in              |   10 +++++
 app/modules/AppKit/lib/database/models/NsmRole.php |    1 -
 app/modules/AppKit/lib/database/models/NsmUser.php |   40 ++++++++++++++++---
 .../lib/database/models/generated/BaseNsmRole.php  |    5 ++
 4 files changed, 48 insertions(+), 8 deletions(-)

diff --git a/app/modules/AppKit/config/auth.xml.in b/app/modules/AppKit/config/auth.xml.in
index e3a59a4..250a518 100644
--- a/app/modules/AppKit/config/auth.xml.in
+++ b/app/modules/AppKit/config/auth.xml.in
@@ -15,6 +15,16 @@
 	
 
 	-->
+	
+	<!--
+	   This is how group-inheritance works. Top-down is like
+	   class inheritance: The deepest group gets all credentials.
+	   
+	   Setting this to 'false' its more like group management
+	   systems like LDAP/AD: The group on top will get all
+	   credentials
+	-->
+	<setting name="behaviour.group_topdown">true</setting>
 
 	<!-- Allow silent providers (like HTTPBasicAuthentication) -->
 	<setting name="behaviour.enable_silent">true</setting>
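Review bot: The comment above `behaviour.group_topdown` does not say that changing the value alters which roles' credentials every existing user inherits, nor which mode applies when the setting is missing. The reader added to NsmUser::getRoleIds in this commit tests `$use_topdown === true`, so any value that is not a boolean true, including an absent setting or a string, selects the second mode. I would reword the comment along the lines of `true (default): a role also receives the credentials of its parent roles; false: a role also receives the credentials of all its child roles`. It should also state that switching modes changes effective permissions and should be reviewed against the existing role tree.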
diff --git a/app/modules/AppKit/lib/database/models/NsmRole.php b/app/modules/AppKit/lib/database/models/NsmRole.php
index 1bd40d4..f337f9d 100644
--- a/app/modules/AppKit/lib/database/models/NsmRole.php
+++ b/app/modules/AppKit/lib/database/models/NsmRole.php
@@ -45,7 +45,6 @@ class NsmRole extends BaseNsmRole {
         return $this->storage;
     }
 
-
     public function hasParent() {
         if ($this->get('role_parent')) {
             return true;
diff --git a/app/modules/AppKit/lib/database/models/NsmUser.php b/app/modules/AppKit/lib/database/models/NsmUser.php
index c142a02..d364d93 100644
--- a/app/modules/AppKit/lib/database/models/NsmUser.php
+++ b/app/modules/AppKit/lib/database/models/NsmUser.php
@@ -338,22 +338,48 @@ class NsmUser extends BaseNsmUser {
             ->orWhere('p.principal_user_id = ?',$this->user_id)
             ->execute()->toArray());
     }
+    
+    private function collectChildRoleIdentifier(NsmRole $role, array &$store = array ()) {
+            foreach ($role->getChildren() as $child) {
+                $this->collectChildRoleIdentifier($child, $store);
+                $store[] = $child->role_id;
+            }
+    }
 
     private function getRoleIds() {
+        
+        $use_topdown = AgaviConfig::get('modules.appkit.auth.behaviour.group_topdown');
+        
         $ids = array();
         foreach($this->NsmRole as $role) {
             if($role->role_disabled)
                 continue;
             $ids[] = $role->role_id;
-
-            while ($role->hasParent()){
-                $role = $role->parent;
-                if($role->role_disabled)
-                    continue;
-                $ids[] = $role->role_id;       
+            
+            /*
+             * This is devel classic behaviour. Inheritance
+             * of roles goes top-down. This means the role with all
+             * credentials is the deepest.
+             */
+            if ($use_topdown === true) {
+                while ($role->hasParent()){
+                    $role = $role->parent;
+                    if($role->role_disabled)
+                        continue;
+                    $ids[] = $role->role_id;       
+                }
+            
+            /*
+             * This is more group managing like. The group on top
+             * collects all credentials from underlaying groups
+             */
+            } else {
+                $this->collectChildRoleIdentifier($role, $ids);
             }
         }
-         
+
+        $ids = array_unique($ids);
+        
         return $ids;
     }
     
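Review bot: `collectChildRoleIdentifier` appends every `$child->role_id` without checking `role_disabled`, so with `group_topdown` set to false a disabled child role still contributes its id to the user's effective roles, whereas the parent walk in the other branch does test the flag. Adding `if ($child->role_disabled) continue;` as the first statement of the `foreach` would make the two modes consistent; whether roles below a disabled one should still count deserves a comment either way. The recursion keeps no record of visited roles, so a cycle in `role_parent` would recurse without end. `getChildren()` is defined outside the visible hunks; if it relies on the `childs` relation this commit adds to BaseNsmRole with `hasOne`, a role with several children would expose only one of them, which `hasMany` would avoid.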
diff --git a/app/modules/AppKit/lib/database/models/generated/BaseNsmRole.php b/app/modules/AppKit/lib/database/models/generated/BaseNsmRole.php
index d39457a..b9ac2c4 100644
--- a/app/modules/AppKit/lib/database/models/generated/BaseNsmRole.php
+++ b/app/modules/AppKit/lib/database/models/generated/BaseNsmRole.php
@@ -91,9 +91,14 @@ abstract class BaseNsmRole extends Doctrine_Record {
 
     public function setUp() {
         parent::setUp();
+        
         $this->hasOne('NsmRole as parent', array(
                           'local' => 'role_parent',
                           'foreign' => 'role_id'));
+        
+        $this->hasOne('NsmRole as childs', array(
+                                  'local' => 'role_id',
+                                  'foreign' => 'role_parent'));
 
         $this->hasOne('NsmPrincipal', array(
                           'local' => 'role_id',




