search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
fix some failures to enforce required fields, and some code refactoring
[openemr.git] / gacl / gacl.class.php
blobcd4b0a02a14292f1cc48cfa504421cdfd776f4da
1 <?php
2 // $Id$
3
4 /**
5 * phpGACL - Generic Access Control List
6 * Copyright (C) 2002,2003 Mike Benoit
7 *
8 * This library is free software; you can redistribute it and/or
9 * modify it under the terms of the GNU Lesser General Public
10 * License as published by the Free Software Foundation; either
11 * version 2.1 of the License, or (at your option) any later version.
12 *
13 * This library is distributed in the hope that it will be useful,
14 * but WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16 * Lesser General Public License for more details.
17 *
18 * You should have received a copy of the GNU Lesser General Public
19 * License along with this library; if not, write to the Free Software
20 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
21 *
22 * For questions, help, comments, discussion, etc., please join the
23 * phpGACL mailing list. http://sourceforge.net/mail/?group_id=57103
24 *
25 * You may contact the author of phpGACL by e-mail at:
26 * ipso@snappymail.ca
27 *
28 * The latest version of phpGACL can be obtained from:
29 * http://phpgacl.sourceforge.net/
30 *
31 * @package phpGACL
32 */
33
34 /*
35 * Path to ADODB.
36 */
37 if ( !defined('ADODB_DIR') ) {
38 define('ADODB_DIR', dirname(__FILE__).'/adodb');
39 }
40
41 /**
42 * phpGACL main class
43 *
44 * Class gacl should be used in applications where only querying the phpGACL
45 * database is required.
46 *
47 * @package phpGACL
48 * @author Mike Benoit <ipso@snappymail.ca>
49 */
50 class gacl {
51 /*
52 --- phpGACL Configuration path/file ---
53 */
54 var $config_file = './gacl.ini.php';
55
56 /*
57 --- Private properties ---
58 */
59 /** @var boolean Enables Debug output if true */
60 var $_debug = FALSE;
61
62 /*
63 --- Database configuration. ---
64 */
65 /** @var string Prefix for all the phpgacl tables in the database */
66 var $_db_table_prefix = 'gacl_';
67
68 /** @var string The database type, based on available ADODB connectors - mysql, postgres7, sybase, oci8po See here for more: http://php.weblogs.com/adodb_manual#driverguide */
69 var $_db_type = 'mysql';
70
71 /** @var string The database server */
72 var $_db_host = '';
73
74 /** @var string The database user name */
75 var $_db_user = '';
76
77 /** @var string The database user password */
78 var $_db_password = '';
79
80 /** @var string The database name */
81 var $_db_name = '';
82
83 /** @var object An ADODB database connector object */
84 var $_db = '';
85
86 /*
87 * NOTE: This cache must be manually cleaned each time ACL's are modified.
88 * Alternatively you could wait for the cache to expire.
89 */
90
91 /** @var boolean Caches queries if true */
92 var $_caching = FALSE;
93
94 /** @var boolean Force cache to expire */
95 var $_force_cache_expire = TRUE;
96
97 /** @var string The directory for cache file to eb written (ensure write permission are set) */
98 var $_cache_dir = '/tmp/phpgacl_cache'; // NO trailing slash
99
100 /** @var int The time for the cache to expire in seconds - 600 == Ten Minutes */
101 var $_cache_expire_time=600;
102
103 /** @var string A switch to put acl_check into '_group_' mode */
104 var $_group_switch = '_group_';
105
106 /**
107 * Constructor
108 * @param array An arry of options to oeverride the class defaults
109 */
110 function gacl($options = NULL) {
111
112 $available_options = array('db','debug','items_per_page','max_select_box_items','max_search_return_items','db_table_prefix','db_type','db_host','db_user','db_password','db_name','caching','force_cache_expire','cache_dir','cache_expire_time');
113
114 //Values supplied in $options array overwrite those in the config file.
115 if ( file_exists($this->config_file) ) {
116 $config = parse_ini_file($this->config_file);
117
118 if ( is_array($config) ) {
119 $gacl_options = array_merge($config, $options);
120 }
121
122 unset($config);
123 }
124
125 if (is_array($options)) {
126 foreach ($options as $key => $value) {
127 $this->debug_text("Option: $key");
128
129 if (in_array($key, $available_options) ) {
130 $this->debug_text("Valid Config options: $key");
131 $property = '_'.$key;
132 $this->$property = $value;
133 } else {
134 $this->debug_text("ERROR: Config option: $key is not a valid option");
135 }
136 }
137 }
138
139 require_once( ADODB_DIR .'/adodb.inc.php');
140 require_once( ADODB_DIR .'/adodb-pager.inc.php');
141
142 if (is_object($this->_db)) {
143 $this->db = &$this->_db;
144 } else {
145 $this->db = ADONewConnection($this->_db_type);
146 //Use NUM for slight performance/memory reasons.
147 $this->db->SetFetchMode(ADODB_FETCH_NUM);
148 $this->db->PConnect($this->_db_host, $this->_db_user, $this->_db_password, $this->_db_name);
149 }
150 $this->db->debug = $this->_debug;
151
152 if ( $this->_caching == TRUE ) {
153 if (!class_exists('Hashed_Cache_Lite')) {
154 require_once(dirname(__FILE__) .'/Cache_Lite/Hashed_Cache_Lite.php');
155 }
156
157 /*
158 * Cache options. We default to the highest performance. If you run in to cache corruption problems,
159 * Change all the 'false' to 'true', this will slow things down slightly however.
160 */
161
162 $cache_options = array(
163 'caching' => $this->_caching,
164 'cacheDir' => $this->_cache_dir.'/',
165 'lifeTime' => $this->_cache_expire_time,
166 'fileLocking' => TRUE,
167 'writeControl' => FALSE,
168 'readControl' => FALSE,
169 'memoryCaching' => TRUE,
170 'automaticSerialization' => FALSE
171 );
172 $this->Cache_Lite = new Hashed_Cache_Lite($cache_options);
173 }
174
175 return true;
176 }
177
178 /**
179 * Prints debug text if debug is enabled.
180 * @param string THe text to output
181 * @return boolean Always returns true
182 */
183 function debug_text($text) {
184
185 if ($this->_debug) {
186 echo "$text<br>\n";
187 }
188
189 return true;
190 }
191
192 /**
193 * Prints database debug text if debug is enabled.
194 * @param string The name of the function calling this method
195 * @return string Returns an error message
196 */
197 function debug_db($function_name = '') {
198 if ($function_name != '') {
199 $function_name .= ' (): ';
200 }
201
202 return $this->debug_text ($function_name .'database error: '. $this->db->ErrorMsg() .' ('. $this->db->ErrorNo() .')');
203 }
204
205 /**
206 * Wraps the actual acl_query() function.
207 *
208 * It is simply here to return TRUE/FALSE accordingly.
209 * @param string The ACO section value
210 * @param string The ACO value
211 * @param string The ARO section value
212 * @param string The ARO section
213 * @param string The AXO section value (optional)
214 * @param string The AXO section value (optional)
215 * @param integer The group id of the ARO ??Mike?? (optional)
216 * @param integer The group id of the AXO ??Mike?? (optional)
217 * @return boolean TRUE if the check succeeds, false if not.
218 */
219 function acl_check($aco_section_value, $aco_value, $aro_section_value, $aro_value, $axo_section_value=NULL, $axo_value=NULL, $root_aro_group=NULL, $root_axo_group=NULL) {
220 $acl_result = $this->acl_query($aco_section_value, $aco_value, $aro_section_value, $aro_value, $axo_section_value, $axo_value, $root_aro_group, $root_axo_group);
221
222 return $acl_result['allow'];
223 }
224
225 /**
226 * Wraps the actual acl_query() function.
227 *
228 * Quick access to the return value of an ACL.
229 * @param string The ACO section value
230 * @param string The ACO value
231 * @param string The ARO section value
232 * @param string The ARO section
233 * @param string The AXO section value (optional)
234 * @param string The AXO section value (optional)
235 * @param integer The group id of the ARO (optional)
236 * @param integer The group id of the AXO (optional)
237 * @return string The return value of the ACL
238 */
239 function acl_return_value($aco_section_value, $aco_value, $aro_section_value, $aro_value, $axo_section_value=NULL, $axo_value=NULL, $root_aro_group=NULL, $root_axo_group=NULL) {
240 $acl_result = $this->acl_query($aco_section_value, $aco_value, $aro_section_value, $aro_value, $axo_section_value, $axo_value, $root_aro_group, $root_axo_group);
241
242 return $acl_result['return_value'];
243 }
244
245 /**
246 * Handles ACL lookups over arrays of AROs
247 * @param string The ACO section value
248 * @param string The ACO value
249 * @param array An named array of arrays, each element in the format aro_section_value=>array(aro_value1,aro_value1,...)
250 * @return mixed The same data format as inputted.
251 \*======================================================================*/
252 function acl_check_array($aco_section_value, $aco_value, $aro_array) {
253 /*
254 Input Array:
255 Section => array(Value, Value, Value),
256 Section => array(Value, Value, Value)
257
258 */
259
260 if (!is_array($aro_array)) {
261 $this->debug_text("acl_query_array(): ARO Array must be passed");
262 return false;
263 }
264
265 foreach($aro_array as $aro_section_value => $aro_value_array) {
266 foreach ($aro_value_array as $aro_value) {
267 $this->debug_text("acl_query_array(): ARO Section Value: $aro_section_value ARO VALUE: $aro_value");
268
269 if( $this->acl_check($aco_section_value, $aco_value, $aro_section_value, $aro_value) ) {
270 $this->debug_text("acl_query_array(): ACL_CHECK True");
271 $retarr[$aro_section_value][] = $aro_value;
272 } else {
273 $this->debug_text("acl_query_array(): ACL_CHECK False");
274 }
275 }
276 }
277
278 return $retarr;
279
280 }
281
282 /**
283 * The Main function that does the actual ACL lookup.
284 * @param string The ACO section value
285 * @param string The ACO value
286 * @param string The ARO section value
287 * @param string The ARO section
288 * @param string The AXO section value (optional)
289 * @param string The AXO section value (optional)
290 * @param string The value of the ARO group (optional)
291 * @param string The value of the AXO group (optional)
292 * @param boolean Debug the operation if true (optional)
293 * @return array Returns as much information as possible about the ACL so other functions can trim it down and omit unwanted data.
294 */
295 function acl_query($aco_section_value, $aco_value, $aro_section_value, $aro_value, $axo_section_value=NULL, $axo_value=NULL, $root_aro_group=NULL, $root_axo_group=NULL, $debug=NULL) {
296
297 $cache_id = 'acl_query_'.$aco_section_value.'-'.$aco_value.'-'.$aro_section_value.'-'.$aro_value.'-'.$axo_section_value.'-'.$axo_value.'-'.$root_aro_group.'-'.$root_axo_group.'-'.$debug;
298
299 $retarr = $this->get_cache($cache_id);
300
301 if (!$retarr) {
302 /*
303 * Grab all groups mapped to this ARO/AXO
304 */
305 $aro_group_ids = $this->acl_get_groups($aro_section_value, $aro_value, $root_aro_group, 'ARO');
306
307 if (is_array($aro_group_ids) AND !empty($aro_group_ids)) {
308 $sql_aro_group_ids = implode(',', $aro_group_ids);
309 }
310
311 if ($axo_section_value != '' AND $axo_value != '') {
312 $axo_group_ids = $this->acl_get_groups($axo_section_value, $axo_value, $root_axo_group, 'AXO');
313
314 if (is_array($axo_group_ids) AND !empty($axo_group_ids)) {
315 $sql_axo_group_ids = implode(',', $axo_group_ids);
316 }
317 }
318
319 /*
320 * This query is where all the magic happens.
321 * The ordering is very important here, as well very tricky to get correct.
322 * Currently there can be duplicate ACLs, or ones that step on each other toes. In this case, the ACL that was last updated/created
323 * is used.
324 *
325 * This is probably where the most optimizations can be made.
326 */
327
328 $order_by = array();
329
330 $query = '
331 SELECT a.id,a.allow,a.return_value
332 FROM '. $this->_db_table_prefix .'acl a
333 LEFT JOIN '. $this->_db_table_prefix .'aco_map ac ON ac.acl_id=a.id';
334
335 if ($aro_section_value != $this->_group_switch) {
336 $query .= '
337 LEFT JOIN '. $this->_db_table_prefix .'aro_map ar ON ar.acl_id=a.id';
338 }
339
340 if ($axo_section_value != $this->_group_switch) {
341 $query .= '
342 LEFT JOIN '. $this->_db_table_prefix .'axo_map ax ON ax.acl_id=a.id';
343 }
344
345 /*
346 * if there are no aro groups, don't bother doing the join.
347 */
348 if (isset($sql_aro_group_ids)) {
349 $query .= '
350 LEFT JOIN '. $this->_db_table_prefix .'aro_groups_map arg ON arg.acl_id=a.id
351 LEFT JOIN '. $this->_db_table_prefix .'aro_groups rg ON rg.id=arg.group_id';
352 }
353
354 // this join is necessary to weed out rules associated with axo groups
355 $query .= '
356 LEFT JOIN '. $this->_db_table_prefix .'axo_groups_map axg ON axg.acl_id=a.id';
357
358 /*
359 * if there are no axo groups, don't bother doing the join.
360 * it is only used to rank by the level of the group.
361 */
362 if (isset($sql_axo_group_ids)) {
363 $query .= '
364 LEFT JOIN '. $this->_db_table_prefix .'axo_groups xg ON xg.id=axg.group_id';
365 }
366
367 //Move the below line to the LEFT JOIN above for PostgreSQL's sake.
368 //AND ac.acl_id=a.id
369 $query .= '
370 WHERE a.enabled=1
371 AND (ac.section_value='. $this->db->quote($aco_section_value) .' AND ac.value='. $this->db->quote($aco_value) .')';
372
373 // if we are querying an aro group
374 if ($aro_section_value == $this->_group_switch) {
375 // if acl_get_groups did not return an array
376 if ( !isset ($sql_aro_group_ids) ) {
377 $this->debug_text ('acl_query(): Invalid ARO Group: '. $aro_value);
378 return FALSE;
379 }
380
381 $query .= '
382 AND rg.id IN ('. $sql_aro_group_ids .')';
383
384 $order_by[] = '(rg.rgt-rg.lft) ASC';
385 } else {
386 $query .= '
387 AND ((ar.section_value='. $this->db->quote($aro_section_value) .' AND ar.value='. $this->db->quote($aro_value) .')';
388
389 if ( isset ($sql_aro_group_ids) ) {
390 $query .= ' OR rg.id IN ('. $sql_aro_group_ids .')';
391
392 $order_by[] = '(CASE WHEN ar.value IS NULL THEN 0 ELSE 1 END) DESC';
393 $order_by[] = '(rg.rgt-rg.lft) ASC';
394 }
395
396 $query .= ')';
397 }
398
399
400 // if we are querying an axo group
401 if ($axo_section_value == $this->_group_switch) {
402 // if acl_get_groups did not return an array
403 if ( !isset ($sql_axo_group_ids) ) {
404 $this->debug_text ('acl_query(): Invalid AXO Group: '. $axo_value);
405 return FALSE;
406 }
407
408 $query .= '
409 AND xg.id IN ('. $sql_axo_group_ids .')';
410
411 $order_by[] = '(xg.rgt-xg.lft) ASC';
412 } else {
413 $query .= '
414 AND (';
415
416 if ($axo_section_value == '' AND $axo_value == '') {
417 $query .= '(ax.section_value IS NULL AND ax.value IS NULL)';
418 } else {
419 $query .= '(ax.section_value='. $this->db->quote($axo_section_value) .' AND ax.value='. $this->db->quote($axo_value) .')';
420 }
421
422 if (isset($sql_axo_group_ids)) {
423 $query .= ' OR xg.id IN ('. $sql_axo_group_ids .')';
424
425 $order_by[] = '(CASE WHEN ax.value IS NULL THEN 0 ELSE 1 END) DESC';
426 $order_by[] = '(xg.rgt-xg.lft) ASC';
427 } else {
428 $query .= ' AND axg.group_id IS NULL';
429 }
430
431 $query .= ')';
432 }
433
434 /*
435 * The ordering is always very tricky and makes all the difference in the world.
436 * Order (ar.value IS NOT NULL) DESC should put ACLs given to specific AROs
437 * ahead of any ACLs given to groups. This works well for exceptions to groups.
438 */
439
440 $order_by[] = 'a.updated_date DESC';
441
442 $query .= '
443 ORDER BY '. implode (',', $order_by) . '
444 ';
445
446 // we are only interested in the first row
447 $rs = $this->db->SelectLimit($query, 1);
448
449 if (!is_object($rs)) {
450 $this->debug_db('acl_query');
451 return FALSE;
452 }
453
454 $row =& $rs->FetchRow();
455
456 /*
457 * Return ACL ID. This is the key to "hooking" extras like pricing assigned to ACLs etc... Very useful.
458 */
459 if (is_array($row)) {
460 // Permission granted?
461 // This below oneliner is very confusing.
462 //$allow = (isset($row[1]) AND $row[1] == 1);
463
464 //Prefer this.
465 if ( isset($row[1]) AND $row[1] == 1 ) {
466 $allow = TRUE;
467 } else {
468 $allow = FALSE;
469 }
470
471 $retarr = array('acl_id' => &$row[0], 'return_value' => &$row[2], 'allow' => $allow);
472 } else {
473 // Permission denied.
474 $retarr = array('acl_id' => NULL, 'return_value' => NULL, 'allow' => FALSE);
475 }
476
477 /*
478 * Return the query that we ran if in debug mode.
479 */
480 if ($debug == TRUE) {
481 $retarr['query'] = &$query;
482 }
483
484 //Cache data.
485 $this->put_cache($retarr, $cache_id);
486 }
487
488 $this->debug_text("<b>acl_query():</b> ACO Section: $aco_section_value ACO Value: $aco_value ARO Section: $aro_section_value ARO Value $aro_value ACL ID: ". $retarr['acl_id'] .' Result: '. $retarr['allow']);
489 return $retarr;
490 }
491
492 /**
493 * Grabs all groups mapped to an ARO. You can also specify a root_group for subtree'ing.
494 * @param string The section value or the ARO or ACO
495 * @param string The value of the ARO or ACO
496 * @param integer The group id of the group to start at (optional)
497 * @param string The type of group, either ARO or AXO (optional)
498 */
499 function acl_get_groups($section_value, $value, $root_group=NULL, $group_type='ARO') {
500
501 switch(strtolower($group_type)) {
502 case 'axo':
503 $group_type = 'axo';
504 $object_table = $this->_db_table_prefix .'axo';
505 $group_table = $this->_db_table_prefix .'axo_groups';
506 $group_map_table = $this->_db_table_prefix .'groups_axo_map';
507 break;
508 default:
509 $group_type = 'aro';
510 $object_table = $this->_db_table_prefix .'aro';
511 $group_table = $this->_db_table_prefix .'aro_groups';
512 $group_map_table = $this->_db_table_prefix .'groups_aro_map';
513 break;
514 }
515
516 //$profiler->startTimer( "acl_get_groups()");
517
518 //Generate unique cache id.
519 $cache_id = 'acl_get_groups_'.$section_value.'-'.$value.'-'.$root_group.'-'.$group_type;
520
521 $retarr = $this->get_cache($cache_id);
522
523 if (!$retarr) {
524
525 // Make sure we get the groups
526 $query = '
527 SELECT DISTINCT g2.id';
528
529 if ($section_value == $this->_group_switch) {
530 $query .= '
531 FROM ' . $group_table . ' g1,' . $group_table . ' g2';
532
533 $where = '
534 WHERE g1.value=' . $this->db->quote( $value );
535 } else {
536 $query .= '
537 FROM '. $object_table .' o,'. $group_map_table .' gm,'. $group_table .' g1,'. $group_table .' g2';
538
539 $where = '
540 WHERE (o.section_value='. $this->db->quote($section_value) .' AND o.value='. $this->db->quote($value) .')
541 AND gm.'. $group_type .'_id=o.id
542 AND g1.id=gm.group_id';
543 }
544
545 /*
546 * If root_group_id is specified, we have to narrow this query down
547 * to just groups deeper in the tree then what is specified.
548 * This essentially creates a virtual "subtree" and ignores all outside groups.
549 * Useful for sites like sourceforge where you may seperate groups by "project".
550 */
551 if ( $root_group != '') {
552 //It is important to note the below line modifies the tables being selected.
553 //This is the reason for the WHERE variable.
554 $query .= ','. $group_table .' g3';
555
556 $where .= '
557 AND g3.value='. $this->db->quote( $root_group ) .'
558 AND ((g2.lft BETWEEN g3.lft AND g1.lft) AND (g2.rgt BETWEEN g1.rgt AND g3.rgt))';
559 } else {
560 $where .= '
561 AND (g2.lft <= g1.lft AND g2.rgt >= g1.rgt)';
562 }
563
564 $query .= $where;
565
566 // $this->debug_text($query);
567 $rs = $this->db->Execute($query);
568
569 if (!is_object($rs)) {
570 $this->debug_db('acl_get_groups');
571 return FALSE;
572 }
573
574 $retarr = array();
575
576 //Unbuffered query?
577 while (!$rs->EOF) {
578 $retarr[] = reset($rs->fields);
579 $rs->MoveNext();
580 }
581
582 //Cache data.
583 $this->put_cache($retarr, $cache_id);
584 }
585
586 return $retarr;
587 }
588
589 /**
590 * Uses PEAR's Cache_Lite package to grab cached arrays, objects, variables etc...
591 * using unserialize() so it can handle more then just text string.
592 * @param string The id of the cached object
593 * @return mixed The cached object, otherwise FALSE if the object identifier was not found
594 */
595 function get_cache($cache_id) {
596
597 if ( $this->_caching == TRUE ) {
598 $this->debug_text("get_cache(): on ID: $cache_id");
599
600 if ( is_string($this->Cache_Lite->get($cache_id) ) ) {
601 return unserialize($this->Cache_Lite->get($cache_id) );
602 }
603 }
604
605 return false;
606 }
607
608 /**
609 * Uses PEAR's Cache_Lite package to write cached arrays, objects, variables etc...
610 * using serialize() so it can handle more then just text string.
611 * @param mixed A variable to cache
612 * @param string The id of the cached variable
613 */
614 function put_cache($data, $cache_id) {
615
616 if ( $this->_caching == TRUE ) {
617 $this->debug_text("put_cache(): Cache MISS on ID: $cache_id");
618
619 return $this->Cache_Lite->save(serialize($data), $cache_id);
620 }
621
622 return false;
623 }
624 }
625 ?>
Mirror of official OpenEMR Sourceforge repository