Added Somali language
[openemr.git] / gacl / gacl.class.php
blob72a5f6b69376d3e11c17fd3638bb4f910bcacf83
1 <?php
2 // $Id$
4 /**
5 * phpGACL - Generic Access Control List
6 * Copyright (C) 2002,2003 Mike Benoit
8 * This library is free software; you can redistribute it and/or
9 * modify it under the terms of the GNU Lesser General Public
10 * License as published by the Free Software Foundation; either
11 * version 2.1 of the License, or (at your option) any later version.
13 * This library is distributed in the hope that it will be useful,
14 * but WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16 * Lesser General Public License for more details.
18 * You should have received a copy of the GNU Lesser General Public
19 * License along with this library; if not, write to the Free Software
20 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
22 * For questions, help, comments, discussion, etc., please join the
23 * phpGACL mailing list. http://sourceforge.net/mail/?group_id=57103
25 * You may contact the author of phpGACL by e-mail at:
26 * ipso@snappymail.ca
28 * The latest version of phpGACL can be obtained from:
29 * http://phpgacl.sourceforge.net/
31 * @package phpGACL
35 * Path to ADODB.
38 if ( !defined('ADODB_DIR') ) {
39 define('ADODB_DIR', dirname(__FILE__).'/../library/adodb');
42 //openemr configuration file - bm - 05-2009
43 // to collect sql database login info and the utf8 flag
44 include_once(dirname(__FILE__).'/../library/sqlconf.php');
46 /**
47 * phpGACL main class
49 * Class gacl should be used in applications where only querying the phpGACL
50 * database is required.
52 * @package phpGACL
53 * @author Mike Benoit <ipso@snappymail.ca>
55 class gacl {
57 --- phpGACL Configuration path/file ---
59 var $config_file = '';
62 --- Private properties ---
64 /** @var boolean Enables Debug output if true */
65 var $_debug = FALSE;
68 --- Database configuration. ---
70 /** @var string Prefix for all the phpgacl tables in the database */
71 var $_db_table_prefix = 'gacl_';
73 /** @var string The database type, based on available ADODB connectors - mysql, postgres7, sybase, oci8po See here for more: http://php.weblogs.com/adodb_manual#driverguide */
74 var $_db_type = 'mysqli';
76 /** @var string The database server */
77 var $_db_host = '';
79 /** @var string The database user name */
80 var $_db_user = '';
82 /** @var string The database user password */
83 var $_db_password = '';
85 /** @var string The database name */
86 var $_db_name = '';
88 /** @var object An ADODB database connector object */
89 var $_db = '';
91 /** @var boolean The utf8 encoding flag - bm 05-2009 */
92 var $_db_utf8_flag = '';
95 * NOTE: This cache must be manually cleaned each time ACL's are modified.
96 * Alternatively you could wait for the cache to expire.
99 /** @var boolean Caches queries if true */
100 var $_caching = FALSE;
102 /** @var boolean Force cache to expire */
103 var $_force_cache_expire = TRUE;
105 /** @var string The directory for cache file to eb written (ensure write permission are set) */
106 var $_cache_dir = '/tmp/phpgacl_cache'; // NO trailing slash
108 /** @var int The time for the cache to expire in seconds - 600 == Ten Minutes */
109 var $_cache_expire_time=600;
111 /** @var string A switch to put acl_check into '_group_' mode */
112 var $_group_switch = '_group_';
115 * Constructor
116 * @param array An arry of options to oeverride the class defaults
118 function __construct($options = NULL) {
120 $available_options = array('db','debug','items_per_page','max_select_box_items','max_search_return_items','db_table_prefix','db_type','db_host','db_user','db_password','db_name','caching','force_cache_expire','cache_dir','cache_expire_time');
122 //Values supplied in $options array overwrite those in the config file.
123 if ( file_exists($this->config_file) ) {
124 $config = parse_ini_file($this->config_file);
126 if ( is_array($config) ) {
127 $gacl_options = array_merge($config, $options);
130 unset($config);
133 if (is_array($options)) {
134 foreach ($options as $key => $value) {
135 $this->debug_text("Option: $key");
137 if (in_array($key, $available_options) ) {
138 $this->debug_text("Valid Config options: $key");
139 $property = '_'.$key;
140 $this->$property = $value;
141 } else {
142 $this->debug_text("ERROR: Config option: $key is not a valid option");
147 //collect openemr sql info from include at top of script - bm 05-2009
148 global $sqlconf, $disable_utf8_flag;
149 $this->_db_host = $sqlconf["host"];
150 $this->_db_user = $sqlconf["login"];
151 $this->_db_password = $sqlconf["pass"];
152 $this->_db_name = $sqlconf["dbase"];
153 if (!$disable_utf8_flag) {
154 $utf8_flag = true;
156 else {
157 $utf8_flag = false;
159 $this->_db_utf8_flag = $utf8_flag;
161 require_once( ADODB_DIR .'/adodb.inc.php');
162 require_once( ADODB_DIR .'/adodb-pager.inc.php');
164 if (is_object($this->_db)) {
165 $this->db = &$this->_db;
166 } else {
167 $this->db = ADONewConnection($this->_db_type);
168 //Use NUM for slight performance/memory reasons.
169 $this->db->SetFetchMode(ADODB_FETCH_NUM);
171 // Port to be used in connection
172 $this->db->port = $sqlconf["port"];
174 $this->db->PConnect($this->_db_host, $this->_db_user, $this->_db_password, $this->_db_name);
176 // Modified 5/2009 by BM for UTF-8 project
177 if ($this->_db_utf8_flag) {
178 $success_flag = $this->db->Execute("SET NAMES 'utf8'");
179 if (!$success_flag) {
180 error_log("PHP custom error: from gacl gacl/gacl.class.php - Unable to set up UTF8 encoding with mysql database".$this->db->ErrorMsg(), 0);
183 // ---------------------------------------
186 $this->db->debug = $this->_debug;
188 if ( $this->_caching == TRUE ) {
189 if (!class_exists('Hashed_Cache_Lite')) {
190 require_once(dirname(__FILE__) .'/Cache_Lite/Hashed_Cache_Lite.php');
194 * Cache options. We default to the highest performance. If you run in to cache corruption problems,
195 * Change all the 'false' to 'true', this will slow things down slightly however.
198 $cache_options = array(
199 'caching' => $this->_caching,
200 'cacheDir' => $this->_cache_dir.'/',
201 'lifeTime' => $this->_cache_expire_time,
202 'fileLocking' => TRUE,
203 'writeControl' => FALSE,
204 'readControl' => FALSE,
205 'memoryCaching' => TRUE,
206 'automaticSerialization' => FALSE
208 $this->Cache_Lite = new Hashed_Cache_Lite($cache_options);
211 return true;
215 * Prints debug text if debug is enabled.
216 * @param string THe text to output
217 * @return boolean Always returns true
219 function debug_text($text) {
221 if ($this->_debug) {
222 echo "$text<br>\n";
225 return true;
229 * Prints database debug text if debug is enabled.
230 * @param string The name of the function calling this method
231 * @return string Returns an error message
233 function debug_db($function_name = '') {
234 if ($function_name != '') {
235 $function_name .= ' (): ';
238 return $this->debug_text ($function_name .'database error: '. $this->db->ErrorMsg() .' ('. $this->db->ErrorNo() .')');
243 * Check if the current user has a given type or types of access to an access control object.
245 * Implemented as a wrapper of acl_query().
246 * This function exists simply to return TRUE/FALSE accordingly.
248 * @param string $aco_section_value The ACO section value
249 * @param string $aco_value The ACO value
250 * @param string $aro_section_value The ARO section value
251 * @param string $aro_value The ARO value
252 * @param string $axo_section_value The AXO section value (optional)
253 * @param string $axo_value The AXO section value (optional)
254 * @param integer $root_aro_group The group id of the ARO (optional)
255 * @param integer $root_axo_group The group id of the AXO (optional)
256 * @return boolean true if the check succeeds, false if not.
258 function acl_check($aco_section_value, $aco_value, $aro_section_value, $aro_value, $axo_section_value=NULL, $axo_value=NULL, $root_aro_group=NULL, $root_axo_group=NULL) {
259 $acl_result = $this->acl_query($aco_section_value, $aco_value, $aro_section_value, $aro_value, $axo_section_value, $axo_value, $root_aro_group, $root_axo_group);
261 return $acl_result['allow'];
265 * Wraps the actual acl_query() function.
267 * Quick access to the return value of an ACL.
268 * @param string The ACO section value
269 * @param string The ACO value
270 * @param string The ARO section value
271 * @param string The ARO section
272 * @param string The AXO section value (optional)
273 * @param string The AXO section value (optional)
274 * @param integer The group id of the ARO (optional)
275 * @param integer The group id of the AXO (optional)
276 * @return string The return value of the ACL
278 function acl_return_value($aco_section_value, $aco_value, $aro_section_value, $aro_value, $axo_section_value=NULL, $axo_value=NULL, $root_aro_group=NULL, $root_axo_group=NULL) {
279 $acl_result = $this->acl_query($aco_section_value, $aco_value, $aro_section_value, $aro_value, $axo_section_value, $axo_value, $root_aro_group, $root_axo_group);
281 return $acl_result['return_value'];
285 * Handles ACL lookups over arrays of AROs
286 * @param string The ACO section value
287 * @param string The ACO value
288 * @param array An named array of arrays, each element in the format aro_section_value=>array(aro_value1,aro_value1,...)
289 * @return mixed The same data format as inputted.
290 \*======================================================================*/
291 function acl_check_array($aco_section_value, $aco_value, $aro_array) {
293 Input Array:
294 Section => array(Value, Value, Value),
295 Section => array(Value, Value, Value)
299 if (!is_array($aro_array)) {
300 $this->debug_text("acl_query_array(): ARO Array must be passed");
301 return false;
304 foreach($aro_array as $aro_section_value => $aro_value_array) {
305 foreach ($aro_value_array as $aro_value) {
306 $this->debug_text("acl_query_array(): ARO Section Value: $aro_section_value ARO VALUE: $aro_value");
308 if( $this->acl_check($aco_section_value, $aco_value, $aro_section_value, $aro_value) ) {
309 $this->debug_text("acl_query_array(): ACL_CHECK True");
310 $retarr[$aro_section_value][] = $aro_value;
311 } else {
312 $this->debug_text("acl_query_array(): ACL_CHECK False");
317 return $retarr;
322 * The Main function that does the actual ACL lookup.
324 * @param string The ACO section value
325 * @param string The ACO value
326 * @param string The ARO section value
327 * @param string The ARO value
328 * @param string The AXO section value (optional)
329 * @param string The AXO value (optional)
330 * @param string The value of the ARO group (optional)
331 * @param string The value of the AXO group (optional)
332 * @param boolean Debug the operation if true (optional)
333 * @param boolean Option to return all applicable ACL's rather than just one. (optional) (Added by OpenEMR)
334 * @return array Returns as much information as possible about the ACL so other functions can trim it down and omit unwanted data.
336 function acl_query($aco_section_value, $aco_value, $aro_section_value, $aro_value, $axo_section_value=NULL, $axo_value=NULL, $root_aro_group=NULL, $root_axo_group=NULL, $debug=NULL, $return_all=FALSE) {
338 $cache_id = 'acl_query_'.$aco_section_value.'-'.$aco_value.'-'.$aro_section_value.'-'.$aro_value.'-'.$axo_section_value.'-'.$axo_value.'-'.$root_aro_group.'-'.$root_axo_group.'-'.$debug.'-'.$return_all;
340 $retarr = $this->get_cache($cache_id);
342 if (!$retarr) {
344 * Grab all groups mapped to this ARO/AXO
346 $aro_group_ids = $this->acl_get_groups($aro_section_value, $aro_value, $root_aro_group, 'ARO');
348 if (is_array($aro_group_ids) AND !empty($aro_group_ids)) {
349 $sql_aro_group_ids = implode(',', $aro_group_ids);
352 if ($axo_section_value != '' AND $axo_value != '') {
353 $axo_group_ids = $this->acl_get_groups($axo_section_value, $axo_value, $root_axo_group, 'AXO');
355 if (is_array($axo_group_ids) AND !empty($axo_group_ids)) {
356 $sql_axo_group_ids = implode(',', $axo_group_ids);
361 * This query is where all the magic happens.
362 * The ordering is very important here, as well very tricky to get correct.
363 * Currently there can be duplicate ACLs, or ones that step on each other toes. In this case, the ACL that was last updated/created
364 * is used; unless the $return_all parameter is set to TRUE, then will return the entire array of applicable ACL information (this
365 * option was added by OpenEMR)
367 * This is probably where the most optimizations can be made.
370 $order_by = array();
372 $query = '
373 SELECT a.id,a.allow,a.return_value
374 FROM '. $this->_db_table_prefix .'acl a
375 LEFT JOIN '. $this->_db_table_prefix .'aco_map ac ON ac.acl_id=a.id';
377 if ($aro_section_value != $this->_group_switch) {
378 $query .= '
379 LEFT JOIN '. $this->_db_table_prefix .'aro_map ar ON ar.acl_id=a.id';
382 if ($axo_section_value != $this->_group_switch) {
383 $query .= '
384 LEFT JOIN '. $this->_db_table_prefix .'axo_map ax ON ax.acl_id=a.id';
388 * if there are no aro groups, don't bother doing the join.
390 if (isset($sql_aro_group_ids)) {
391 $query .= '
392 LEFT JOIN '. $this->_db_table_prefix .'aro_groups_map arg ON arg.acl_id=a.id
393 LEFT JOIN '. $this->_db_table_prefix .'aro_groups rg ON rg.id=arg.group_id';
396 // this join is necessary to weed out rules associated with axo groups
397 $query .= '
398 LEFT JOIN '. $this->_db_table_prefix .'axo_groups_map axg ON axg.acl_id=a.id';
401 * if there are no axo groups, don't bother doing the join.
402 * it is only used to rank by the level of the group.
404 if (isset($sql_axo_group_ids)) {
405 $query .= '
406 LEFT JOIN '. $this->_db_table_prefix .'axo_groups xg ON xg.id=axg.group_id';
409 //Move the below line to the LEFT JOIN above for PostgreSQL's sake.
410 //AND ac.acl_id=a.id
411 $query .= '
412 WHERE a.enabled=1
413 AND (ac.section_value='. $this->db->quote($aco_section_value) .' AND ac.value='. $this->db->quote($aco_value) .')';
415 // if we are querying an aro group
416 if ($aro_section_value == $this->_group_switch) {
417 // if acl_get_groups did not return an array
418 if ( !isset ($sql_aro_group_ids) ) {
419 $this->debug_text ('acl_query(): Invalid ARO Group: '. $aro_value);
420 return FALSE;
423 $query .= '
424 AND rg.id IN ('. $sql_aro_group_ids .')';
426 $order_by[] = '(rg.rgt-rg.lft) ASC';
427 } else {
428 $query .= '
429 AND ((ar.section_value='. $this->db->quote($aro_section_value) .' AND ar.value='. $this->db->quote($aro_value) .')';
431 if ( isset ($sql_aro_group_ids) ) {
432 $query .= ' OR rg.id IN ('. $sql_aro_group_ids .')';
434 $order_by[] = '(CASE WHEN ar.value IS NULL THEN 0 ELSE 1 END) DESC';
435 $order_by[] = '(rg.rgt-rg.lft) ASC';
438 $query .= ')';
442 // if we are querying an axo group
443 if ($axo_section_value == $this->_group_switch) {
444 // if acl_get_groups did not return an array
445 if ( !isset ($sql_axo_group_ids) ) {
446 $this->debug_text ('acl_query(): Invalid AXO Group: '. $axo_value);
447 return FALSE;
450 $query .= '
451 AND xg.id IN ('. $sql_axo_group_ids .')';
453 $order_by[] = '(xg.rgt-xg.lft) ASC';
454 } else {
455 $query .= '
456 AND (';
458 if ($axo_section_value == '' AND $axo_value == '') {
459 $query .= '(ax.section_value IS NULL AND ax.value IS NULL)';
460 } else {
461 $query .= '(ax.section_value='. $this->db->quote($axo_section_value) .' AND ax.value='. $this->db->quote($axo_value) .')';
464 if (isset($sql_axo_group_ids)) {
465 $query .= ' OR xg.id IN ('. $sql_axo_group_ids .')';
467 $order_by[] = '(CASE WHEN ax.value IS NULL THEN 0 ELSE 1 END) DESC';
468 $order_by[] = '(xg.rgt-xg.lft) ASC';
469 } else {
470 $query .= ' AND axg.group_id IS NULL';
473 $query .= ')';
477 * The ordering is always very tricky and makes all the difference in the world.
478 * Order (ar.value IS NOT NULL) DESC should put ACLs given to specific AROs
479 * ahead of any ACLs given to groups. This works well for exceptions to groups.
480 * If the $return_all parameter is set to TRUE, then will return the entire
481 * array of applicable ACL information (this option was added by OpenEMR)
484 $order_by[] = 'a.updated_date DESC';
486 $query .= '
487 ORDER BY '. implode (',', $order_by) . '
490 // we are only interested in the first row unless $return_all is set
491 if ($return_all) {
492 $rs = $this->db->Execute($query);
494 else {
495 $rs = $this->db->SelectLimit($query, 1);
498 if (!is_object($rs)) {
499 $this->debug_db('acl_query');
500 return FALSE;
503 if ($return_all) {
504 while ($arr = $rs->FetchRow()) {
505 $row[] = $arr;
508 else {
509 $row = $rs->FetchRow();
514 * Return ACL ID. This is the key to "hooking" extras like pricing assigned to ACLs etc... Very useful.
516 if (isset($row) && is_array($row)) {
518 if ($return_all) {
519 foreach ($row as $single_row) {
520 $allow = FALSE;
521 if ( isset($single_row[1]) AND $single_row[1] == 1 ) {
522 $allow = TRUE;
524 $retarr[] = array('acl_id' => &$single_row[0], 'return_value' => &$single_row[2], 'allow' => $allow);
527 else {
528 $allow = FALSE;
529 if ( isset($row[1]) AND $row[1] == 1 ) {
530 $allow = TRUE;
532 $retarr = array('acl_id' => &$row[0], 'return_value' => &$row[2], 'allow' => $allow);
534 } else {
535 if ($return_all) {
536 // Permission denied.
537 $retarr[] = array('acl_id' => NULL, 'return_value' => NULL, 'allow' => FALSE);
539 else {
540 // Permission denied.
541 $retarr = array('acl_id' => NULL, 'return_value' => NULL, 'allow' => FALSE);
546 * Return the query that we ran if in debug mode.
548 if ($debug == TRUE) {
549 $retarr['query'] = &$query;
552 //Cache data.
553 $this->put_cache($retarr, $cache_id);
556 if ($return_all)
558 $this->debug_text("<b>acl_query():</b> ACO Section: $aco_section_value ACO Value: $aco_value ARO Section: $aro_section_value ARO Value $aro_value ACL ID: OMITTED due to return_all");
560 else
562 $this->debug_text("<b>acl_query():</b> ACO Section: $aco_section_value ACO Value: $aco_value ARO Section: $aro_section_value ARO Value $aro_value ACL ID: ". $retarr['acl_id'] .' Result: '. $retarr['allow']);
565 return $retarr;
569 * Grabs all groups mapped to an ARO. You can also specify a root_group for subtree'ing.
570 * @param string The section value or the ARO or ACO
571 * @param string The value of the ARO or ACO
572 * @param integer The group id of the group to start at (optional)
573 * @param string The type of group, either ARO or AXO (optional)
575 function acl_get_groups($section_value, $value, $root_group=NULL, $group_type='ARO') {
577 switch(strtolower($group_type)) {
578 case 'axo':
579 $group_type = 'axo';
580 $object_table = $this->_db_table_prefix .'axo';
581 $group_table = $this->_db_table_prefix .'axo_groups';
582 $group_map_table = $this->_db_table_prefix .'groups_axo_map';
583 break;
584 default:
585 $group_type = 'aro';
586 $object_table = $this->_db_table_prefix .'aro';
587 $group_table = $this->_db_table_prefix .'aro_groups';
588 $group_map_table = $this->_db_table_prefix .'groups_aro_map';
589 break;
592 //$profiler->startTimer( "acl_get_groups()");
594 //Generate unique cache id.
595 $cache_id = 'acl_get_groups_'.$section_value.'-'.$value.'-'.$root_group.'-'.$group_type;
597 $retarr = $this->get_cache($cache_id);
599 if (!$retarr) {
601 // Make sure we get the groups
602 $query = '
603 SELECT DISTINCT g2.id';
605 if ($section_value == $this->_group_switch) {
606 $query .= '
607 FROM ' . $group_table . ' g1,' . $group_table . ' g2';
609 $where = '
610 WHERE g1.value=' . $this->db->quote( $value );
611 } else {
612 $query .= '
613 FROM '. $object_table .' o,'. $group_map_table .' gm,'. $group_table .' g1,'. $group_table .' g2';
615 $where = '
616 WHERE (o.section_value='. $this->db->quote($section_value) .' AND o.value='. $this->db->quote($value) .')
617 AND gm.'. $group_type .'_id=o.id
618 AND g1.id=gm.group_id';
622 * If root_group_id is specified, we have to narrow this query down
623 * to just groups deeper in the tree then what is specified.
624 * This essentially creates a virtual "subtree" and ignores all outside groups.
625 * Useful for sites like sourceforge where you may seperate groups by "project".
627 if ( $root_group != '') {
628 //It is important to note the below line modifies the tables being selected.
629 //This is the reason for the WHERE variable.
630 $query .= ','. $group_table .' g3';
632 $where .= '
633 AND g3.value='. $this->db->quote( $root_group ) .'
634 AND ((g2.lft BETWEEN g3.lft AND g1.lft) AND (g2.rgt BETWEEN g1.rgt AND g3.rgt))';
635 } else {
636 $where .= '
637 AND (g2.lft <= g1.lft AND g2.rgt >= g1.rgt)';
640 $query .= $where;
642 // $this->debug_text($query);
643 $rs = $this->db->Execute($query);
645 if (!is_object($rs)) {
646 $this->debug_db('acl_get_groups');
647 return FALSE;
650 $retarr = array();
652 //Unbuffered query?
653 while (!$rs->EOF) {
654 $retarr[] = reset($rs->fields);
655 $rs->MoveNext();
658 //Cache data.
659 $this->put_cache($retarr, $cache_id);
662 return $retarr;
666 * Uses PEAR's Cache_Lite package to grab cached arrays, objects, variables etc...
667 * using unserialize() so it can handle more then just text string.
668 * @param string The id of the cached object
669 * @return mixed The cached object, otherwise FALSE if the object identifier was not found
671 function get_cache($cache_id) {
673 if ( $this->_caching == TRUE ) {
674 $this->debug_text("get_cache(): on ID: $cache_id");
676 if ( is_string($this->Cache_Lite->get($cache_id) ) ) {
677 return unserialize($this->Cache_Lite->get($cache_id) );
681 return false;
685 * Uses PEAR's Cache_Lite package to write cached arrays, objects, variables etc...
686 * using serialize() so it can handle more then just text string.
687 * @param mixed A variable to cache
688 * @param string The id of the cached variable
690 function put_cache($data, $cache_id) {
692 if ( $this->_caching == TRUE ) {
693 $this->debug_text("put_cache(): Cache MISS on ID: $cache_id");
695 return $this->Cache_Lite->save(serialize($data), $cache_id);
698 return false;