Drupal modules for browsing and managing Fedora-based digital repositories.
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

224 lines
8.7 KiB

Merge branch 'ISLANDORA-278' into 6.x Conflicts: CollectionClass.inc CollectionPolicy.inc ConnectionHelper.inc ContentModel.inc MimeClass.inc ObjectHelper.inc SearchClass.inc SecurityClass.inc api/dublin_core.inc api/fedora_collection.inc api/fedora_export.inc api/fedora_item.inc api/fedora_utils.inc api/rels-ext.inc api/tagging.inc fedora_repository.module formClass.inc form_elements/css/copyright.css form_elements/css/filechooser.css form_elements/css/list.css form_elements/css/people.css form_elements/css/sticky.css form_elements/css/ui-lightness/jquery-ui-1.8.4.custom.css form_elements/includes/autocomplete.inc form_elements/includes/creative_commons.inc form_elements/includes/filechooser.inc form_elements/includes/people.inc form_elements/islandora_form_elements.module form_elements/js/copyright.js form_elements/js/filechooser.js form_elements/js/jcarousellite_1.0.1.js form_elements/js/jquery.breakly-1.0.js form_elements/js/jquery.easing.1.1.js form_elements/js/jquery.loadImages.1.0.1.js form_elements/js/jquery.loadImages.1.0.1.min.js form_elements/js/jquery.mousewheel.min.js form_elements/js/jquery.tag.editor-min.js form_elements/js/jquery.ui.core.js form_elements/js/jquery.ui.datepicker.js form_elements/js/jquery.ui.widget.js form_elements/js/otherselect.js form_elements/js/people_ahah.js form_elements/xml/gacs.xml form_elements/xml/languages.xml plugins/CollectionFormBuilder.inc plugins/CreateCollection.inc plugins/DemoFormBuilder.inc plugins/DocumentConverter.inc plugins/Exiftool.inc plugins/Ffmpeg.inc plugins/Flv.inc plugins/FlvFormBuilder.inc plugins/FormBuilder.inc plugins/ImageManipulation.inc plugins/ModsFormBuilder.inc plugins/PersonalCollectionClass.inc plugins/QtFormBuilder.php plugins/Refworks.inc plugins/ShowDemoStreamsInFieldSets.inc plugins/ShowStreamsInFieldSets.inc plugins/fedoraObject.inc plugins/herbarium.inc plugins/map_viewer.inc plugins/qt_viewer.inc plugins/slide_viewer.inc plugins/tagging_form.inc
13 years ago
<?php
Merge branch 'ISLANDORA-278' into 6.x Conflicts: CollectionClass.inc CollectionPolicy.inc ConnectionHelper.inc ContentModel.inc MimeClass.inc ObjectHelper.inc SearchClass.inc SecurityClass.inc api/dublin_core.inc api/fedora_collection.inc api/fedora_export.inc api/fedora_item.inc api/fedora_utils.inc api/rels-ext.inc api/tagging.inc fedora_repository.module formClass.inc form_elements/css/copyright.css form_elements/css/filechooser.css form_elements/css/list.css form_elements/css/people.css form_elements/css/sticky.css form_elements/css/ui-lightness/jquery-ui-1.8.4.custom.css form_elements/includes/autocomplete.inc form_elements/includes/creative_commons.inc form_elements/includes/filechooser.inc form_elements/includes/people.inc form_elements/islandora_form_elements.module form_elements/js/copyright.js form_elements/js/filechooser.js form_elements/js/jcarousellite_1.0.1.js form_elements/js/jquery.breakly-1.0.js form_elements/js/jquery.easing.1.1.js form_elements/js/jquery.loadImages.1.0.1.js form_elements/js/jquery.loadImages.1.0.1.min.js form_elements/js/jquery.mousewheel.min.js form_elements/js/jquery.tag.editor-min.js form_elements/js/jquery.ui.core.js form_elements/js/jquery.ui.datepicker.js form_elements/js/jquery.ui.widget.js form_elements/js/otherselect.js form_elements/js/people_ahah.js form_elements/xml/gacs.xml form_elements/xml/languages.xml plugins/CollectionFormBuilder.inc plugins/CreateCollection.inc plugins/DemoFormBuilder.inc plugins/DocumentConverter.inc plugins/Exiftool.inc plugins/Ffmpeg.inc plugins/Flv.inc plugins/FlvFormBuilder.inc plugins/FormBuilder.inc plugins/ImageManipulation.inc plugins/ModsFormBuilder.inc plugins/PersonalCollectionClass.inc plugins/QtFormBuilder.php plugins/Refworks.inc plugins/ShowDemoStreamsInFieldSets.inc plugins/ShowStreamsInFieldSets.inc plugins/fedoraObject.inc plugins/herbarium.inc plugins/map_viewer.inc plugins/qt_viewer.inc plugins/slide_viewer.inc plugins/tagging_form.inc
13 years ago
/**
* @file
* SecurityClass Class
*/
/**
* SecurityClass ??
*/
class SecurityClass {
public static $SECURITY_CLASS_SECURITY_STREAM = 'POLICY';
/**
* Constructor
*/
function SecurityClass() {
module_load_include('inc', 'SecurityClass', '');
drupal_bootstrap(DRUPAL_BOOTSTRAP_FULL);
}
/**
* canIngestHere ??
* @global type $user
* @param type $collection_pid
* @return type
*/
function canIngestHere($collection_pid) {
global $user;
module_load_include('inc', 'fedora_repository', 'ObjectHelper');
$objectHelper = new ObjectHelper();
// get the childsecurity policy from the collection.
$policyStream = $objectHelper->getStream($collection_pid, SECURITYCLASS :: $SECURITY_CLASS_SECURITY_STREAM, FALSE);
if ($policyStream == NULL) {
// no child policy stream so collection is wide open to anyone to ingest, that has the permission ingest in Drupal.
// maybe we should return FALSE here?? would be more secure.
return TRUE;
}
$allowedUsersAndRoles = $this->getAllowedUsersAndRoles($policyStream);
if (!$allowedUsersAndRoles) {
// error processing stream so don't let them ingest here.
return FALSE;
}
$allowedUsers = $allowedUsersAndRoles["users"];
$allowedRoles = $allowedUsersAndRoles["roles"];
foreach ($user->roles as $role) {
if (in_array($role, $allowedRoles)) {
return TRUE;
}
}
if (in_array($user->name, $allowedUsers)) {
return TRUE;
}
return FALSE;
}
/**
* parses our simple xacml policies checking for users or roles that are allowed to ingest
* @param type $policyStream
* @return type
*/
function getAllowedUsersAndRoles($policyStream) {
$allowedRoles = array();
$allowedUsers = array();
$usersAndRoles = array();
try {
$xml = new SimpleXMLElement($policyStream);
} catch (Exception $e) {
watchdog(t("Fedora_Repository"), t("No roles found in security policy, could not parse policy stream."), NULL, WATCHDOG_ERROR);
//we may not want to send this to the screen.
drupal_set_message(t('No roles found in security policy, could not parse policy stream: !message', array('!message' => $e->getMessage())), 'error');
return NULL;
}
$xml->registerXPathNamespace('default', 'urn:oasis:names:tc:xacml:1.0:policy');
$conditions = $xml->xpath("//default:Condition");
foreach ($conditions as $condition) {
$designator = $condition->Apply->SubjectAttributeDesignator;
if (empty($designator)) {//$disignator may be wrapped by an or
$designator = $condition->Apply->Apply->SubjectAttributeDesignator;
}
$attributeId = strip_tags($designator['AttributeId']);
if ($attributeId == "fedoraRole") {
foreach ($condition->Apply->Apply->AttributeValue as $attributeValue) {
$allowedRoles[] = strip_tags($attributeValue->asXML());
}
foreach ($condition->Apply->Apply->Apply->AttributeValue as $attributeValue) {
$allowedRoles[] = strip_tags($attributeValue->asXML());
}
}
if ($attributeId == "urn:fedora:names:fedora:2.1:subject:loginId") {
foreach ($condition->Apply->Apply->AttributeValue as $attributeValue) {
$allowedUsers[] = strip_tags($attributeValue->asXML());
}
foreach ($condition->Apply->Apply->Apply->AttributeValue as $attributeValue) {
$allowedUsers[] = strip_tags($attributeValue->asXML());
}
}
}
$usersAndRoles['users'] = $allowedUsers;
$usersAndRoles['roles'] = $allowedRoles;
return $usersAndRoles;
}
/**
* When a user's profile is saved in drupal we will attempt to create a collection for them in Fedora
* this will be their personal space. In the IR it is editable by users with the same role in the VRE
* it probably would not be.
* @param type $user
* @return DOMDocument
*/
function createPersonalPolicy($user) {
$doc = new DOMDocument();
try {
$doc->load(drupal_get_path('module', 'Fedora_Repository') . '/policies/noObjectEditPolicy.xml');
} catch (exception $e) {
watchdog(t("Fedora_Repository"), t("Problem loading policy file."), NULL, WATCHDOG_ERROR);
}
$conditions = $doc->getElementsByTagName('Condition');
foreach ($conditions as $condition) {
$designator = $condition->getElementsByTagName('SubjectAttributeDesignator');
foreach ($designator as $des) {
$attributeId = $des->getAttribute('AttributeId');
if ($attributeId == 'fedoraRole') {
$applies = $condition->getElementsByTagName('Apply');
foreach ($applies as $apply) {
$functionId = $apply->getAttribute('FunctionId');
if ($functionId == 'urn:oasis:names:tc:xacml:1.0:function:string-bag') {
foreach ($user->roles as $role) {
if (!($role == 'authenticated user' || $role == 'administrator')) { //don't want authenticated user included administrator already is included'
$newAttributeValue = $doc->createElement('AttributeValue', '<![CDATA[' . $role . ']]>');
$newAttributeValue->setAttribute('DataType', 'http://www.w3.org/2001/XMLSchema#string');
// $newAttributeValue->setAttribute('MustBePresent', 'FALSE');
$apply->appendChild($newAttributeValue);
}
}
}
}
}
if ($attributeId == 'urn:fedora:names:fedora:2.1:subject:loginId') {
$applies = $condition->getElementsByTagName('Apply');
foreach ($applies as $apply) {
$functionId = $apply->getAttribute('FunctionId');
if ($functionId == 'urn:oasis:names:tc:xacml:1.0:function:string-bag') {
$newAttributeValue = $doc->createElement('AttributeValue', $user->name);
$newAttributeValue->setAttribute('DataType', 'http://www.w3.org/2001/XMLSchema#string');
//$newAttributeValue->setAttribute('MustBePresent', 'FALSE');
$apply->appendChild($newAttributeValue);
}
}
}
}
}
return $doc; //NULL; //$xml;
}
/**
* Add a list of allowed users and roles to the given policy stream and return it.
*
* @param string $policy_stream
* @param array $users_and_roles
* @return DOMDocument
*/
function set_allowed_users_and_roles(&$policy_stream, $users_and_roles) {
$allowed_roles = $users_and_roles['roles'];
$allowed_users = $users_and_roles['users'];
$dom = new DOMDocument();
$dom->loadXML($policy_stream);
$conditions = $dom->getElementsByTagName('Condition');
foreach ($conditions as $condition) {
$designator = $condition->getElementsByTagName('SubjectAttributeDesignator');
foreach ($designator as $des) {
$attributeId = $des->getAttribute('AttributeId');
if ($attributeId == 'fedoraRole') {
// $applies = $condition->getElementsByTagName('Apply');
$applies = $des->parentNode->getElementsByTagName('Apply');
foreach ($applies as $apply) {
$functionId = $apply->getAttribute('FunctionId');
if ($functionId == 'urn:oasis:names:tc:xacml:1.0:function:string-bag') {
foreach ($allowed_roles as $role) {
if (!($role == 'authenticated user' || $role == 'administrator')) { //don't want authenticated user included administrator already is included'
$newAttributeValue = $dom->createElement('AttributeValue', $role);
$newAttributeValue->setAttribute('DataType', 'http://www.w3.org/2001/XMLSchema#string');
//$newAttributeValue->setAttribute('MustBePresent', 'FALSE');
$apply->appendChild($newAttributeValue);
}
}
}
}
}
if ($attributeId == 'urn:fedora:names:fedora:2.1:subject:loginId') {
// $applies = $condition->getElementsByTagName('Apply');
$applies = $des->parentNode->getElementsByTagName('Apply');
foreach ($applies as $apply) {
$functionId = $apply->getAttribute('FunctionId');
if ($functionId == 'urn:oasis:names:tc:xacml:1.0:function:string-bag') {
foreach ($allowed_users as $username) {
$newAttributeValue = $dom->createElement('AttributeValue', $username);
$newAttributeValue->setAttribute('DataType', 'http://www.w3.org/2001/XMLSchema#string');
//$newAttributeValue->setAttribute('MustBePresent', 'FALSE');
$apply->appendChild($newAttributeValue);
}
}
}
}
}
}
// $this->collection_policy_stream = $dom->saveXML();
return $dom->saveXML();
}
}