search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
alphabetize the translated language titles per tracker artifact feature request ...
[openemr.git] / gacl / gacl.class.php
blobfc0f526594dd7917c79ff20775a8b4fbe1cfe8d6
1 <?php
2 // $Id$
3
4 /**
5 * phpGACL - Generic Access Control List
6 * Copyright (C) 2002,2003 Mike Benoit
7 *
8 * This library is free software; you can redistribute it and/or
9 * modify it under the terms of the GNU Lesser General Public
10 * License as published by the Free Software Foundation; either
11 * version 2.1 of the License, or (at your option) any later version.
12 *
13 * This library is distributed in the hope that it will be useful,
14 * but WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16 * Lesser General Public License for more details.
17 *
18 * You should have received a copy of the GNU Lesser General Public
19 * License along with this library; if not, write to the Free Software
20 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
21 *
22 * For questions, help, comments, discussion, etc., please join the
23 * phpGACL mailing list. http://sourceforge.net/mail/?group_id=57103
24 *
25 * You may contact the author of phpGACL by e-mail at:
26 * ipso@snappymail.ca
27 *
28 * The latest version of phpGACL can be obtained from:
29 * http://phpgacl.sourceforge.net/
30 *
31 * @package phpGACL
32 */
33
34 /*
35 * Path to ADODB.
36 */
37 if ( !defined('ADODB_DIR') ) {
38 define('ADODB_DIR', dirname(__FILE__).'/adodb');
39 }
40
41 //openemr configuration file - bm - 05-2009
42 // to collect sql database login info and the utf8 flag
43 include_once(dirname(__FILE__).'/../library/sqlconf.php');
44
45 /**
46 * phpGACL main class
47 *
48 * Class gacl should be used in applications where only querying the phpGACL
49 * database is required.
50 *
51 * @package phpGACL
52 * @author Mike Benoit <ipso@snappymail.ca>
53 */
54 class gacl {
55 /*
56 --- phpGACL Configuration path/file ---
57 */
58 var $config_file = './gacl.ini.php';
59
60 /*
61 --- Private properties ---
62 */
63 /** @var boolean Enables Debug output if true */
64 var $_debug = FALSE;
65
66 /*
67 --- Database configuration. ---
68 */
69 /** @var string Prefix for all the phpgacl tables in the database */
70 var $_db_table_prefix = 'gacl_';
71
72 /** @var string The database type, based on available ADODB connectors - mysql, postgres7, sybase, oci8po See here for more: http://php.weblogs.com/adodb_manual#driverguide */
73 var $_db_type = 'mysql';
74
75 /** @var string The database server */
76 var $_db_host = '';
77
78 /** @var string The database user name */
79 var $_db_user = '';
80
81 /** @var string The database user password */
82 var $_db_password = '';
83
84 /** @var string The database name */
85 var $_db_name = '';
86
87 /** @var object An ADODB database connector object */
88 var $_db = '';
89
90 /** @var boolean The utf8 encoding flag - bm 05-2009 */
91 var $_db_utf8_flag = '';
92
93 /*
94 * NOTE: This cache must be manually cleaned each time ACL's are modified.
95 * Alternatively you could wait for the cache to expire.
96 */
97
98 /** @var boolean Caches queries if true */
99 var $_caching = FALSE;
100
101 /** @var boolean Force cache to expire */
102 var $_force_cache_expire = TRUE;
103
104 /** @var string The directory for cache file to eb written (ensure write permission are set) */
105 var $_cache_dir = '/tmp/phpgacl_cache'; // NO trailing slash
106
107 /** @var int The time for the cache to expire in seconds - 600 == Ten Minutes */
108 var $_cache_expire_time=600;
109
110 /** @var string A switch to put acl_check into '_group_' mode */
111 var $_group_switch = '_group_';
112
113 /**
114 * Constructor
115 * @param array An arry of options to oeverride the class defaults
116 */
117 function gacl($options = NULL) {
118
119 $available_options = array('db','debug','items_per_page','max_select_box_items','max_search_return_items','db_table_prefix','db_type','db_host','db_user','db_password','db_name','caching','force_cache_expire','cache_dir','cache_expire_time');
120
121 //Values supplied in $options array overwrite those in the config file.
122 if ( file_exists($this->config_file) ) {
123 $config = parse_ini_file($this->config_file);
124
125 if ( is_array($config) ) {
126 $gacl_options = array_merge($config, $options);
127 }
128
129 unset($config);
130 }
131
132 if (is_array($options)) {
133 foreach ($options as $key => $value) {
134 $this->debug_text("Option: $key");
135
136 if (in_array($key, $available_options) ) {
137 $this->debug_text("Valid Config options: $key");
138 $property = '_'.$key;
139 $this->$property = $value;
140 } else {
141 $this->debug_text("ERROR: Config option: $key is not a valid option");
142 }
143 }
144 }
145
146 //collect openemr sql info from include at top of script - bm 05-2009
147 global $sqlconf, $disable_utf8_flag;
148 $this->_db_host = $sqlconf["host"];
149 $this->_db_user = $sqlconf["login"];
150 $this->_db_password = $sqlconf["pass"];
151 $this->_db_name = $sqlconf["dbase"];
152 if (!$disable_utf8_flag) {
153 $utf8_flag = true;
154 }
155 else {
156 $utf8_flag = false;
157 }
158 $this->_db_utf8_flag = $utf8_flag;
159
160 require_once( ADODB_DIR .'/adodb.inc.php');
161 require_once( ADODB_DIR .'/adodb-pager.inc.php');
162
163 if (is_object($this->_db)) {
164 $this->db = &$this->_db;
165 } else {
166 $this->db = ADONewConnection($this->_db_type);
167 //Use NUM for slight performance/memory reasons.
168 $this->db->SetFetchMode(ADODB_FETCH_NUM);
169 $this->db->PConnect($this->_db_host, $this->_db_user, $this->_db_password, $this->_db_name);
170
171 // Modified 5/2009 by BM for UTF-8 project
172 if ($this->_db_utf8_flag) {
173 $success_flag = $this->db->Execute("SET NAMES 'utf8'");
174 if (!$success_flag) {
175 // commented out to avoid bunch of benign log errors when opening myphpadmin within openemr
176 // still working on figuring out source of this benign error.
177 // error_log("PHP custom error: from gacl gacl/gacl.class.php - Unable to set up UTF8 encoding with mysql database".$this->db->ErrorMsg(), 0);
178 }
179 }
180 // ---------------------------------------
181
182 }
183 $this->db->debug = $this->_debug;
184
185 if ( $this->_caching == TRUE ) {
186 if (!class_exists('Hashed_Cache_Lite')) {
187 require_once(dirname(__FILE__) .'/Cache_Lite/Hashed_Cache_Lite.php');
188 }
189
190 /*
191 * Cache options. We default to the highest performance. If you run in to cache corruption problems,
192 * Change all the 'false' to 'true', this will slow things down slightly however.
193 */
194
195 $cache_options = array(
196 'caching' => $this->_caching,
197 'cacheDir' => $this->_cache_dir.'/',
198 'lifeTime' => $this->_cache_expire_time,
199 'fileLocking' => TRUE,
200 'writeControl' => FALSE,
201 'readControl' => FALSE,
202 'memoryCaching' => TRUE,
203 'automaticSerialization' => FALSE
204 );
205 $this->Cache_Lite = new Hashed_Cache_Lite($cache_options);
206 }
207
208 return true;
209 }
210
211 /**
212 * Prints debug text if debug is enabled.
213 * @param string THe text to output
214 * @return boolean Always returns true
215 */
216 function debug_text($text) {
217
218 if ($this->_debug) {
219 echo "$text<br>\n";
220 }
221
222 return true;
223 }
224
225 /**
226 * Prints database debug text if debug is enabled.
227 * @param string The name of the function calling this method
228 * @return string Returns an error message
229 */
230 function debug_db($function_name = '') {
231 if ($function_name != '') {
232 $function_name .= ' (): ';
233 }
234
235 return $this->debug_text ($function_name .'database error: '. $this->db->ErrorMsg() .' ('. $this->db->ErrorNo() .')');
236 }
237
238 /**
239 * Wraps the actual acl_query() function.
240 *
241 * It is simply here to return TRUE/FALSE accordingly.
242 * @param string The ACO section value
243 * @param string The ACO value
244 * @param string The ARO section value
245 * @param string The ARO section
246 * @param string The AXO section value (optional)
247 * @param string The AXO section value (optional)
248 * @param integer The group id of the ARO ??Mike?? (optional)
249 * @param integer The group id of the AXO ??Mike?? (optional)
250 * @return boolean TRUE if the check succeeds, false if not.
251 */
252 function acl_check($aco_section_value, $aco_value, $aro_section_value, $aro_value, $axo_section_value=NULL, $axo_value=NULL, $root_aro_group=NULL, $root_axo_group=NULL) {
253 $acl_result = $this->acl_query($aco_section_value, $aco_value, $aro_section_value, $aro_value, $axo_section_value, $axo_value, $root_aro_group, $root_axo_group);
254
255 return $acl_result['allow'];
256 }
257
258 /**
259 * Wraps the actual acl_query() function.
260 *
261 * Quick access to the return value of an ACL.
262 * @param string The ACO section value
263 * @param string The ACO value
264 * @param string The ARO section value
265 * @param string The ARO section
266 * @param string The AXO section value (optional)
267 * @param string The AXO section value (optional)
268 * @param integer The group id of the ARO (optional)
269 * @param integer The group id of the AXO (optional)
270 * @return string The return value of the ACL
271 */
272 function acl_return_value($aco_section_value, $aco_value, $aro_section_value, $aro_value, $axo_section_value=NULL, $axo_value=NULL, $root_aro_group=NULL, $root_axo_group=NULL) {
273 $acl_result = $this->acl_query($aco_section_value, $aco_value, $aro_section_value, $aro_value, $axo_section_value, $axo_value, $root_aro_group, $root_axo_group);
274
275 return $acl_result['return_value'];
276 }
277
278 /**
279 * Handles ACL lookups over arrays of AROs
280 * @param string The ACO section value
281 * @param string The ACO value
282 * @param array An named array of arrays, each element in the format aro_section_value=>array(aro_value1,aro_value1,...)
283 * @return mixed The same data format as inputted.
284 \*======================================================================*/
285 function acl_check_array($aco_section_value, $aco_value, $aro_array) {
286 /*
287 Input Array:
288 Section => array(Value, Value, Value),
289 Section => array(Value, Value, Value)
290
291 */
292
293 if (!is_array($aro_array)) {
294 $this->debug_text("acl_query_array(): ARO Array must be passed");
295 return false;
296 }
297
298 foreach($aro_array as $aro_section_value => $aro_value_array) {
299 foreach ($aro_value_array as $aro_value) {
300 $this->debug_text("acl_query_array(): ARO Section Value: $aro_section_value ARO VALUE: $aro_value");
301
302 if( $this->acl_check($aco_section_value, $aco_value, $aro_section_value, $aro_value) ) {
303 $this->debug_text("acl_query_array(): ACL_CHECK True");
304 $retarr[$aro_section_value][] = $aro_value;
305 } else {
306 $this->debug_text("acl_query_array(): ACL_CHECK False");
307 }
308 }
309 }
310
311 return $retarr;
312
313 }
314
315 /**
316 * The Main function that does the actual ACL lookup.
317 * @param string The ACO section value
318 * @param string The ACO value
319 * @param string The ARO section value
320 * @param string The ARO section
321 * @param string The AXO section value (optional)
322 * @param string The AXO section value (optional)
323 * @param string The value of the ARO group (optional)
324 * @param string The value of the AXO group (optional)
325 * @param boolean Debug the operation if true (optional)
326 * @return array Returns as much information as possible about the ACL so other functions can trim it down and omit unwanted data.
327 */
328 function acl_query($aco_section_value, $aco_value, $aro_section_value, $aro_value, $axo_section_value=NULL, $axo_value=NULL, $root_aro_group=NULL, $root_axo_group=NULL, $debug=NULL) {
329
330 $cache_id = 'acl_query_'.$aco_section_value.'-'.$aco_value.'-'.$aro_section_value.'-'.$aro_value.'-'.$axo_section_value.'-'.$axo_value.'-'.$root_aro_group.'-'.$root_axo_group.'-'.$debug;
331
332 $retarr = $this->get_cache($cache_id);
333
334 if (!$retarr) {
335 /*
336 * Grab all groups mapped to this ARO/AXO
337 */
338 $aro_group_ids = $this->acl_get_groups($aro_section_value, $aro_value, $root_aro_group, 'ARO');
339
340 if (is_array($aro_group_ids) AND !empty($aro_group_ids)) {
341 $sql_aro_group_ids = implode(',', $aro_group_ids);
342 }
343
344 if ($axo_section_value != '' AND $axo_value != '') {
345 $axo_group_ids = $this->acl_get_groups($axo_section_value, $axo_value, $root_axo_group, 'AXO');
346
347 if (is_array($axo_group_ids) AND !empty($axo_group_ids)) {
348 $sql_axo_group_ids = implode(',', $axo_group_ids);
349 }
350 }
351
352 /*
353 * This query is where all the magic happens.
354 * The ordering is very important here, as well very tricky to get correct.
355 * Currently there can be duplicate ACLs, or ones that step on each other toes. In this case, the ACL that was last updated/created
356 * is used.
357 *
358 * This is probably where the most optimizations can be made.
359 */
360
361 $order_by = array();
362
363 $query = '
364 SELECT a.id,a.allow,a.return_value
365 FROM '. $this->_db_table_prefix .'acl a
366 LEFT JOIN '. $this->_db_table_prefix .'aco_map ac ON ac.acl_id=a.id';
367
368 if ($aro_section_value != $this->_group_switch) {
369 $query .= '
370 LEFT JOIN '. $this->_db_table_prefix .'aro_map ar ON ar.acl_id=a.id';
371 }
372
373 if ($axo_section_value != $this->_group_switch) {
374 $query .= '
375 LEFT JOIN '. $this->_db_table_prefix .'axo_map ax ON ax.acl_id=a.id';
376 }
377
378 /*
379 * if there are no aro groups, don't bother doing the join.
380 */
381 if (isset($sql_aro_group_ids)) {
382 $query .= '
383 LEFT JOIN '. $this->_db_table_prefix .'aro_groups_map arg ON arg.acl_id=a.id
384 LEFT JOIN '. $this->_db_table_prefix .'aro_groups rg ON rg.id=arg.group_id';
385 }
386
387 // this join is necessary to weed out rules associated with axo groups
388 $query .= '
389 LEFT JOIN '. $this->_db_table_prefix .'axo_groups_map axg ON axg.acl_id=a.id';
390
391 /*
392 * if there are no axo groups, don't bother doing the join.
393 * it is only used to rank by the level of the group.
394 */
395 if (isset($sql_axo_group_ids)) {
396 $query .= '
397 LEFT JOIN '. $this->_db_table_prefix .'axo_groups xg ON xg.id=axg.group_id';
398 }
399
400 //Move the below line to the LEFT JOIN above for PostgreSQL's sake.
401 //AND ac.acl_id=a.id
402 $query .= '
403 WHERE a.enabled=1
404 AND (ac.section_value='. $this->db->quote($aco_section_value) .' AND ac.value='. $this->db->quote($aco_value) .')';
405
406 // if we are querying an aro group
407 if ($aro_section_value == $this->_group_switch) {
408 // if acl_get_groups did not return an array
409 if ( !isset ($sql_aro_group_ids) ) {
410 $this->debug_text ('acl_query(): Invalid ARO Group: '. $aro_value);
411 return FALSE;
412 }
413
414 $query .= '
415 AND rg.id IN ('. $sql_aro_group_ids .')';
416
417 $order_by[] = '(rg.rgt-rg.lft) ASC';
418 } else {
419 $query .= '
420 AND ((ar.section_value='. $this->db->quote($aro_section_value) .' AND ar.value='. $this->db->quote($aro_value) .')';
421
422 if ( isset ($sql_aro_group_ids) ) {
423 $query .= ' OR rg.id IN ('. $sql_aro_group_ids .')';
424
425 $order_by[] = '(CASE WHEN ar.value IS NULL THEN 0 ELSE 1 END) DESC';
426 $order_by[] = '(rg.rgt-rg.lft) ASC';
427 }
428
429 $query .= ')';
430 }
431
432
433 // if we are querying an axo group
434 if ($axo_section_value == $this->_group_switch) {
435 // if acl_get_groups did not return an array
436 if ( !isset ($sql_axo_group_ids) ) {
437 $this->debug_text ('acl_query(): Invalid AXO Group: '. $axo_value);
438 return FALSE;
439 }
440
441 $query .= '
442 AND xg.id IN ('. $sql_axo_group_ids .')';
443
444 $order_by[] = '(xg.rgt-xg.lft) ASC';
445 } else {
446 $query .= '
447 AND (';
448
449 if ($axo_section_value == '' AND $axo_value == '') {
450 $query .= '(ax.section_value IS NULL AND ax.value IS NULL)';
451 } else {
452 $query .= '(ax.section_value='. $this->db->quote($axo_section_value) .' AND ax.value='. $this->db->quote($axo_value) .')';
453 }
454
455 if (isset($sql_axo_group_ids)) {
456 $query .= ' OR xg.id IN ('. $sql_axo_group_ids .')';
457
458 $order_by[] = '(CASE WHEN ax.value IS NULL THEN 0 ELSE 1 END) DESC';
459 $order_by[] = '(xg.rgt-xg.lft) ASC';
460 } else {
461 $query .= ' AND axg.group_id IS NULL';
462 }
463
464 $query .= ')';
465 }
466
467 /*
468 * The ordering is always very tricky and makes all the difference in the world.
469 * Order (ar.value IS NOT NULL) DESC should put ACLs given to specific AROs
470 * ahead of any ACLs given to groups. This works well for exceptions to groups.
471 */
472
473 $order_by[] = 'a.updated_date DESC';
474
475 $query .= '
476 ORDER BY '. implode (',', $order_by) . '
477 ';
478
479 // we are only interested in the first row
480 $rs = $this->db->SelectLimit($query, 1);
481
482 if (!is_object($rs)) {
483 $this->debug_db('acl_query');
484 return FALSE;
485 }
486
487 $row =& $rs->FetchRow();
488
489 /*
490 * Return ACL ID. This is the key to "hooking" extras like pricing assigned to ACLs etc... Very useful.
491 */
492 if (is_array($row)) {
493 // Permission granted?
494 // This below oneliner is very confusing.
495 //$allow = (isset($row[1]) AND $row[1] == 1);
496
497 //Prefer this.
498 if ( isset($row[1]) AND $row[1] == 1 ) {
499 $allow = TRUE;
500 } else {
501 $allow = FALSE;
502 }
503
504 $retarr = array('acl_id' => &$row[0], 'return_value' => &$row[2], 'allow' => $allow);
505 } else {
506 // Permission denied.
507 $retarr = array('acl_id' => NULL, 'return_value' => NULL, 'allow' => FALSE);
508 }
509
510 /*
511 * Return the query that we ran if in debug mode.
512 */
513 if ($debug == TRUE) {
514 $retarr['query'] = &$query;
515 }
516
517 //Cache data.
518 $this->put_cache($retarr, $cache_id);
519 }
520
521 $this->debug_text("<b>acl_query():</b> ACO Section: $aco_section_value ACO Value: $aco_value ARO Section: $aro_section_value ARO Value $aro_value ACL ID: ". $retarr['acl_id'] .' Result: '. $retarr['allow']);
522 return $retarr;
523 }
524
525 /**
526 * Grabs all groups mapped to an ARO. You can also specify a root_group for subtree'ing.
527 * @param string The section value or the ARO or ACO
528 * @param string The value of the ARO or ACO
529 * @param integer The group id of the group to start at (optional)
530 * @param string The type of group, either ARO or AXO (optional)
531 */
532 function acl_get_groups($section_value, $value, $root_group=NULL, $group_type='ARO') {
533
534 switch(strtolower($group_type)) {
535 case 'axo':
536 $group_type = 'axo';
537 $object_table = $this->_db_table_prefix .'axo';
538 $group_table = $this->_db_table_prefix .'axo_groups';
539 $group_map_table = $this->_db_table_prefix .'groups_axo_map';
540 break;
541 default:
542 $group_type = 'aro';
543 $object_table = $this->_db_table_prefix .'aro';
544 $group_table = $this->_db_table_prefix .'aro_groups';
545 $group_map_table = $this->_db_table_prefix .'groups_aro_map';
546 break;
547 }
548
549 //$profiler->startTimer( "acl_get_groups()");
550
551 //Generate unique cache id.
552 $cache_id = 'acl_get_groups_'.$section_value.'-'.$value.'-'.$root_group.'-'.$group_type;
553
554 $retarr = $this->get_cache($cache_id);
555
556 if (!$retarr) {
557
558 // Make sure we get the groups
559 $query = '
560 SELECT DISTINCT g2.id';
561
562 if ($section_value == $this->_group_switch) {
563 $query .= '
564 FROM ' . $group_table . ' g1,' . $group_table . ' g2';
565
566 $where = '
567 WHERE g1.value=' . $this->db->quote( $value );
568 } else {
569 $query .= '
570 FROM '. $object_table .' o,'. $group_map_table .' gm,'. $group_table .' g1,'. $group_table .' g2';
571
572 $where = '
573 WHERE (o.section_value='. $this->db->quote($section_value) .' AND o.value='. $this->db->quote($value) .')
574 AND gm.'. $group_type .'_id=o.id
575 AND g1.id=gm.group_id';
576 }
577
578 /*
579 * If root_group_id is specified, we have to narrow this query down
580 * to just groups deeper in the tree then what is specified.
581 * This essentially creates a virtual "subtree" and ignores all outside groups.
582 * Useful for sites like sourceforge where you may seperate groups by "project".
583 */
584 if ( $root_group != '') {
585 //It is important to note the below line modifies the tables being selected.
586 //This is the reason for the WHERE variable.
587 $query .= ','. $group_table .' g3';
588
589 $where .= '
590 AND g3.value='. $this->db->quote( $root_group ) .'
591 AND ((g2.lft BETWEEN g3.lft AND g1.lft) AND (g2.rgt BETWEEN g1.rgt AND g3.rgt))';
592 } else {
593 $where .= '
594 AND (g2.lft <= g1.lft AND g2.rgt >= g1.rgt)';
595 }
596
597 $query .= $where;
598
599 // $this->debug_text($query);
600 $rs = $this->db->Execute($query);
601
602 if (!is_object($rs)) {
603 $this->debug_db('acl_get_groups');
604 return FALSE;
605 }
606
607 $retarr = array();
608
609 //Unbuffered query?
610 while (!$rs->EOF) {
611 $retarr[] = reset($rs->fields);
612 $rs->MoveNext();
613 }
614
615 //Cache data.
616 $this->put_cache($retarr, $cache_id);
617 }
618
619 return $retarr;
620 }
621
622 /**
623 * Uses PEAR's Cache_Lite package to grab cached arrays, objects, variables etc...
624 * using unserialize() so it can handle more then just text string.
625 * @param string The id of the cached object
626 * @return mixed The cached object, otherwise FALSE if the object identifier was not found
627 */
628 function get_cache($cache_id) {
629
630 if ( $this->_caching == TRUE ) {
631 $this->debug_text("get_cache(): on ID: $cache_id");
632
633 if ( is_string($this->Cache_Lite->get($cache_id) ) ) {
634 return unserialize($this->Cache_Lite->get($cache_id) );
635 }
636 }
637
638 return false;
639 }
640
641 /**
642 * Uses PEAR's Cache_Lite package to write cached arrays, objects, variables etc...
643 * using serialize() so it can handle more then just text string.
644 * @param mixed A variable to cache
645 * @param string The id of the cached variable
646 */
647 function put_cache($data, $cache_id) {
648
649 if ( $this->_caching == TRUE ) {
650 $this->debug_text("put_cache(): Cache MISS on ID: $cache_id");
651
652 return $this->Cache_Lite->save(serialize($data), $cache_id);
653 }
654
655 return false;
656 }
657 }
658 ?>
Mirror of official OpenEMR Sourceforge repository