authorosmiy <osmiy@97f52cf1-0a1b-0410-bd0e-c28be96e8082>2006-04-18 14:43:45 +0000
committerosmiy <osmiy@97f52cf1-0a1b-0410-bd0e-c28be96e8082>2006-04-18 14:43:45 +0000
commit8f5b6dc7db062516691836e4ff9df984f6e2de67 (patch)
treed59f3b3364239f54ea2a481de76fb1134d48a46d /frontends/php/include/perm.inc.php
parentd6f83186e9f8296a57f338227ca46d0591d36a4c (diff)
- new realization of permission checking (Eugene)
git-svn-id: svn://svn.zabbix.com/trunk@2741 97f52cf1-0a1b-0410-bd0e-c28be96e8082
Diffstat (limited to 'frontends/php/include/perm.inc.php')
-rw-r--r--frontends/php/include/perm.inc.php176
1 files changed, 176 insertions, 0 deletions
diff --git a/frontends/php/include/perm.inc.php b/frontends/php/include/perm.inc.php
new file mode 100644
index 00000000..7b2ffe73
--- /dev/null
+++ b/frontends/php/include/perm.inc.php
@@ -0,0 +1,176 @@
+<?php
+/*
+** ZABBIX
+** Copyright (C) 2000-2005 SIA Zabbix
+**
+** This program is free software; you can redistribute it and/or modify
+** it under the terms of the GNU General Public License as published by
+** the Free Software Foundation; either version 2 of the License, or
+** (at your option) any later version.
+**
+** This program is distributed in the hope that it will be useful,
+** but WITHOUT ANY WARRANTY; without even the implied warranty of
+** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+** GNU General Public License for more details.
+**
+** You should have received a copy of the GNU General Public License
+** along with this program; if not, write to the Free Software
+** Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+**/
+?>
+<?php
+
+
+define("ANY_ELEMENT_RIGHT", -1);
+define("GROUP_RIGHT", 0);
+
+ function check_authorisation()
+ {
+ global $page;
+ global $PHP_AUTH_USER,$PHP_AUTH_PW;
+ global $USER_DETAILS;
+ global $USER_RIGHTS;
+ global $_COOKIE;
+ global $_REQUEST;
+
+ if(isset($_COOKIE["sessionid"])) $sessionid = $_COOKIE["sessionid"];
+ else unset($sessionid);
+
+ if(isset($sessionid))
+ {
+ $sql = "select u.* from sessions s,users u".
+ " where s.sessionid=".zbx_dbstr($sessionid)." and s.userid=u.userid".
+ " and ((s.lastaccess+u.autologout>".time().") or (u.autologout=0))";
+ } else {
+ $sql = "select u.* from users u where u.alias='guest'";
+ }
+
+ $db_users = DBselect($sql);
+ if(DBnum_rows($db_users) == 1)
+ {
+ if(isset($sessionid))
+ {
+ setcookie("sessionid",$sessionid);
+ DBexecute("update sessions set lastaccess=".time()." where sessionid=".zbx_dbstr($sessionid));
+ }
+
+ $USER_DETAILS = DBfetch($db_users);
+ $USER_RIGHTS = array();
+
+ $db_rights = DBselect("select * from rights where userid=".$USER_DETAILS["userid"]);
+ while($db_right = DBfetch($db_rights))
+ {
+ $usr_right = array(
+ "name"=> $db_right["name"],
+ "id"=> $db_right["id"],
+ "permission"=> $db_right["permission"]
+ );
+
+ array_push($USER_RIGHTS,$usr_right);
+ }
+
+ return;
+ }
+
+// Incorrect login
+
+ if(isset($sessionid))
+ {
+ setcookie("sessionid",$sessionid,time()-3600);
+ unset($_COOKIE["sessionid"]);
+ }
+
+ //TODO make a javascript function for redirection!!!
+ if($page["file"]!="index.php")
+ {
+ echo "<meta http-equiv=\"refresh\" content=\"0; url=index.php\">";
+ }
+ show_header("Login",0,1,1);
+ show_error_message("Login name or password is incorrect");
+ insert_login_form();
+ show_page_footer();
+
+ //Redirect("index.php"); //TODO make a javascript function for redirection!!!
+ //END TODO
+ exit;
+ }
+
+ function permission2int($permission)
+ {
+ $int_rights = array(
+ "A" => 3,
+ "U" => 2,
+ "R" => 1,
+ "H" => 0
+ );
+
+ if(isset($int_rights[$permission]))
+ return ($int_rights[$permission]);
+
+ return ($int_rights["R"]);
+ }
+
+ function permission_min($permission1, $permission2) // NOTE: only for integer permissions !!! see: permission2int
+ {
+ if(is_null($permission1) && is_null($permission2)) return NULL;
+ if(is_null($permission1)) return $permission2;
+ if(is_null($permission2)) return $permission1;
+ return min($permission1,$permission2);
+ }
+ function permission_max($permission1, $permission2) // NOTE: only for integer permissions !!! see: permission2int
+ {
+ if(is_null($permission1) && is_null($permission2)) return NULL;
+ if(is_null($permission1)) return $permission2;
+ if(is_null($permission2)) return $permission1;
+ return max($permission1,$permission2);
+ }
+
+ function check_right($right,$permission,$id = GROUP_RIGHT)
+ {
+ global $USER_RIGHTS;
+
+ $default_permission = permission2int("H");
+ $group_permission = NULL;
+ $id_permission = NULL;
+ $any_permission = NULL;
+
+ $permission = permission2int($permission);
+
+ if(count($USER_RIGHTS) > 0)
+ {
+ foreach($USER_RIGHTS as $usr_right)
+ {
+ $int_permision = permission2int($usr_right["permission"]);
+ if($usr_right["name"] == $right) {
+
+ if($usr_right["id"] == $id)
+ $id_permission = permission_max($id_permission, $int_permision);
+ if($usr_right["id"] == GROUP_RIGHT)
+ $group_permission = permission_max($group_permission, $int_permision);
+ else
+ $any_permission = permission_max($any_permission, $int_permision);
+ }
+ if($usr_right["name"] == 'Default permission')
+ {
+ $default_permission = permission_max($default_permission, $int_permision);
+ }
+ }
+ }
+
+ $access = permission_min($default_permission,$group_permission);
+ if($id == ANY_ELEMENT_RIGHT)
+ $access = permission_min($access,$any_permission);
+ else
+ $access = permission_min($access,$id_permission);
+
+//SDI($right.": ".$access." >= ".$permission);
+ return (($access >= $permission) ? 1 : 0);
+ }
+
+ function check_anyright($right,$permission)
+ {
+ return check_right($right,$permission, ANY_ELEMENT_RIGHT);
+ }
+
+
+?>
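Review bot: `permission2int()` fails open: any value it does not recognise is mapped to "R" (`return ($int_rights["R"]);`), and `check_right()` passes both the stored `$usr_right["permission"]` and the caller's required `$permission` through it. A rights row with an empty, NULL or otherwise unexpected permission is therefore counted as read access, and a mistyped requirement at a call site is silently lowered to read. For stored values the fallback should be the most restrictive level, `return ($int_rights["H"]);`, and `check_right()` should refuse an unknown requirement before converting it, e.g. `if(!in_array($permission, array("A","U","R","H"), true)) return 0;`.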