From a2c4b5d374c344093807c35959bab07c1b88cc60 Mon Sep 17 00:00:00 2001
From: ppound
Date: Tue, 10 Apr 2012 09:15:35 -0300
Subject: [PATCH] Connectionhelper is session aware SecurityClass now uses xacml api
---
 ConnectionHelper.inc | 2 +-
 SecurityClass.inc | 27 +++++++++++++++------------
 2 files changed, 16 insertions(+), 13 deletions(-)
diff --git a/ConnectionHelper.inc b/ConnectionHelper.inc
index 71a83bc9..4dce9a0d 100644
--- a/ConnectionHelper.inc
+++ b/ConnectionHelper.inc
@@ -95,10 +95,10 @@ class ConnectionHelper {
 try {
 //we need to make a call to set the cookie this extra call would only happen once per session
 $client->__soapCall('describeRepository', array());
+ $_SESSION['islandora_soapcookies'] = $client->_cookies;
 } catch (exception $e) {
 //connection is tested elsewhere so eat this for now here we just want the cookie
 }
- $_SESSION['islandora_soapcookies'] = $client->_cookies;
 }
diff --git a/SecurityClass.inc b/SecurityClass.inc
index 970b108b..ced11ba7 100644
--- a/SecurityClass.inc
+++ b/SecurityClass.inc
@@ -22,15 +22,17 @@ class SecurityClass {
 drupal_bootstrap(DRUPAL_BOOTSTRAP_FULL);
 }
- /**
- * canIngestHere ??
- * @global type $user
- * @param type $collection_pid
- * @return type
+ /**
+ * reads the specified stream of the parent object to see if the user can ingest in this collection.
+ *
+ * @global object $user
+ * @param string $collection_pid
+ * @return boolean
 */
 function canIngestHere($collection_pid) {
 global $user;
 module_load_include('inc', 'fedora_repository', 'ObjectHelper');
+ module_load_include('inc', 'islandora_xacml_api', 'Xacml');
 $objectHelper = new ObjectHelper();
 // get the childsecurity policy from the collection.
 $policyStream = $objectHelper->getStream($collection_pid, SECURITYCLASS :: $SECURITY_CLASS_SECURITY_STREAM, FALSE);
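Review bot: The empty `catch (exception $e)` around the `describeRepository` call discards every failure, and with the `$_SESSION['islandora_soapcookies']` assignment now inside the `try`, a failed call leaves the session key as it was with no record of why. A rejected or unreachable repository connection is then invisible to whoever reads the logs. I would log it instead of eating it, for example `watchdog('fedora_repository', 'describeRepository failed: @msg', array('@msg' => $e->getMessage()), WATCHDOG_WARNING);`, and add a comment on the assignment noting that `_cookies` is an internal SoapClient property rather than documented API. The enclosing function starts and ends outside this hunk.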
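Review bot: The return value of the added `module_load_include('inc', 'islandora_xacml_api', 'Xacml')` is ignored, so if that module is missing or disabled the `new Xacml($policyStream)` added further down in canIngestHere becomes a fatal error in the middle of an access check. A guard such as `if (!module_exists('islandora_xacml_api')) { return FALSE; }` before the include would make the new dependency explicit and keep the outcome a clean deny. The new docblock could also name the stream it reads (`$SECURITY_CLASS_SECURITY_STREAM`) and state what is returned when the collection has no policy stream. The body of canIngestHere continues past this hunk.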
@@ -39,13 +41,9 @@ class SecurityClass {
 // maybe we should return FALSE here?? would be more secure.
 return TRUE;
 }
- $allowedUsersAndRoles = $this->getAllowedUsersAndRoles($policyStream);
- if (!$allowedUsersAndRoles) {
- // error processing stream so don't let them ingest here.
- return FALSE;
- }
- $allowedUsers = $allowedUsersAndRoles["users"];
- $allowedRoles = $allowedUsersAndRoles["roles"];
+ $xacml = new Xacml($policyStream);
+ $allowedUsers = $xacml->managementRule->getUsers();
+ $allowedRoles = $xacml->managementRule->getRoles();
 foreach ($user->roles as $role) {
 if (in_array($role, $allowedRoles)) {
@@ -60,7 +58,10 @@ class SecurityClass {
 }
 /**
+ * Depracated should use the xacml api for this
+ *
 * parses our simple xacml policies checking for users or roles that are allowed to ingest
+ *
 * @param type $policyStream
 * @return type
 */
@@ -153,6 +154,8 @@ class SecurityClass {
 }
 /**
+ * Depracated should use the xacml api for this
+ *
 * Add a list of allowed users and roles to the given policy stream and return it.
 *
 * @param string $policy_stream
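Review bot: The removed `if (!$allowedUsersAndRoles) { return FALSE; }` was the only deny-on-parse-error path in this part of canIngestHere, and the replacement `new Xacml($policyStream)` followed by `$xacml->managementRule->getUsers()` has no equivalent. What Xacml does with a malformed or unexpected policy stream is not visible in this patch: if it throws, the exception escapes an access check, and if it returns something other than arrays, the `in_array($role, $allowedRoles)` check below runs on bad input. I would put an explicit fail-closed branch back around the three added lines, as sketched below. canIngestHere starts before and ends after this hunk.

```php
// … unchanged: missing-policy-stream branch …
try {
  $xacml = new Xacml($policyStream);
  $allowedUsers = $xacml->managementRule->getUsers();
  $allowedRoles = $xacml->managementRule->getRoles();
}
catch (Exception $e) {
  // error processing stream so don't let them ingest here.
  return FALSE;
}
if (!is_array($allowedUsers) || !is_array($allowedRoles)) {
  // policy parsed but did not yield usable lists: deny rather than guess.
  return FALSE;
}
// … unchanged: role and user membership checks …
```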