Browse Source

Merge pull request #61 from jonathangreen/6.x

Updated SecurityClass to properly search XACML
pull/62/merge
Jonathan Green 13 years ago
parent
commit
75cb2607dd
  1. 33
      SecurityClass.inc

33
SecurityClass.inc

@ -34,7 +34,6 @@ class SecurityClass {
$objectHelper = new ObjectHelper(); $objectHelper = new ObjectHelper();
// get the childsecurity policy from the collection. // get the childsecurity policy from the collection.
$policyStream = $objectHelper->getStream($collection_pid, SECURITYCLASS :: $SECURITY_CLASS_SECURITY_STREAM, FALSE); $policyStream = $objectHelper->getStream($collection_pid, SECURITYCLASS :: $SECURITY_CLASS_SECURITY_STREAM, FALSE);
if ($policyStream == NULL) { if ($policyStream == NULL) {
// no child policy stream so collection is wide open to anyone to ingest, that has the permission ingest in Drupal. // no child policy stream so collection is wide open to anyone to ingest, that has the permission ingest in Drupal.
// maybe we should return FALSE here?? would be more secure. // maybe we should return FALSE here?? would be more secure.
@ -79,34 +78,20 @@ class SecurityClass {
} }
$xml->registerXPathNamespace('default', 'urn:oasis:names:tc:xacml:1.0:policy'); $xml->registerXPathNamespace('default', 'urn:oasis:names:tc:xacml:1.0:policy');
$conditions = $xml->xpath("//default:Condition"); $roles = $xml->xpath('//default:SubjectAttributeDesignator[@AttributeId="fedoraRole"]/../default:Apply/default:AttributeValue');
$users = $xml->xpath('//default:SubjectAttributeDesignator[@AttributeId="urn:fedora:names:fedora:2.1:subject:loginId"]/../default:Apply/default:AttributeValue');
foreach ($conditions as $condition) {
$designator = $condition->Apply->SubjectAttributeDesignator;
if (empty($designator)) {//$disignator may be wrapped by an or
$designator = $condition->Apply->Apply->SubjectAttributeDesignator;
}
$attributeId = strip_tags($designator['AttributeId']);
if ($attributeId == "fedoraRole") { foreach($roles as $role) {
foreach ($condition->Apply->Apply->AttributeValue as $attributeValue) { $allowedRoles[] = (string)$role;
$allowedRoles[] = strip_tags($attributeValue->asXML());
}
foreach ($condition->Apply->Apply->Apply->AttributeValue as $attributeValue) {
$allowedRoles[] = strip_tags($attributeValue->asXML());
}
}
if ($attributeId == "urn:fedora:names:fedora:2.1:subject:loginId") {
foreach ($condition->Apply->Apply->AttributeValue as $attributeValue) {
$allowedUsers[] = strip_tags($attributeValue->asXML());
}
foreach ($condition->Apply->Apply->Apply->AttributeValue as $attributeValue) {
$allowedUsers[] = strip_tags($attributeValue->asXML());
}
} }
foreach($users as $user) {
$allowedUsers[] = (string)$user;
} }
$usersAndRoles['users'] = $allowedUsers; $usersAndRoles['users'] = $allowedUsers;
$usersAndRoles['roles'] = $allowedRoles; $usersAndRoles['roles'] = $allowedRoles;
dd($usersAndRoles);
return $usersAndRoles; return $usersAndRoles;
} }

Loading…
Cancel
Save