diff --git a/authzgroups.php b/authzgroups.php index 5732223..d5460ba 100644 --- a/authzgroups.php +++ b/authzgroups.php @@ -120,6 +120,87 @@ class authzgroups return $ressource[$object]; } + /** Return TRUE if the user right allow to see the object + Return a 403 Exception if the user don't have the right + Return a 401 Exception if the user is not connected */ + public function accessRight ($module, $user, $object) + { + if ($this->dbObject === null) + throw new Exception ("Can't use authzgroups\\accessRight without ". + "connected database", 500); + if ($module === null || ! is_string ($module) || trim ($module) === "") + throw new Exception ("Module not provided to authzgroups\\accessRight", + 500); + if ($user === null || ! is_string ($user) || trim ($user) === "") + throw new Exception ("User not provided to authzgroups\\accessright", + 500); + if ($object === null || ! is_string ($object)) + throw new Exception ("Object not provided to authzgroups\\accessRight", + 500); + $rc = $this->allow ($module, $user, "/$object"); + trigger_error ("authzgroups : accessRight ('$module','$user','/$object')". + "=$rc", E_USER_NOTICE); + if ($rc !== "NO") + return TRUE; + if ($user === "anonymous") + throw new Exception (_("Anonymous not allowed"), 401); + throw new Exception (_("Access forbidden"), 403); + } + + /** Return TRUE if the user right allow to edit the object + Return a 403 Exception if the user don't have the right + Return a 401 Exception if the user is not connected */ + public function accessWrite ($module, $user, $object) + { + if ($this->dbObject === null) + throw new Exception ("Can't use authzgroups\\accessWrite without ". + "connected database", 500); + if ($module === null || ! is_string ($module) || trim ($module) === "") + throw new Exception ("Module not provided to authzgroups\\accessWrite", + 500); + if ($user === null || ! is_string ($user) || trim ($user) === "") + throw new Exception ("User not provided to authzgroups\\accessWrite", + 500); + if ($object === null || ! is_string ($object)) + throw new Exception ("Object not provided to authzgroups\\accessWrite", + 500); + $rc = $this->allow ($module, $user, "/$object"); + trigger_error ("authzgroups : accessWrite ('$module','$user','/$object')". + "=$rc", E_USER_NOTICE); + if ($rc === "RW") + return TRUE; + if ($user === "anonymous") + throw new Exception (_("Anonymous not allowed"), 401); + throw new Exception (_("Modification forbidden"), 403); + } + + /** Return TRUE if the user right allow to see but without modification + the object + Return a 403 Exception if the user don't have the right + Return a 401 Exception if the user is not connected */ + public function accessReadOnly ($module, $user, $object) + { + if ($this->dbObject === null) + throw new Exception ("Can't use authzgroups\\accessReadOnly without ". + "connected database", 500); + if ($module === null || ! is_string ($module) || trim ($module) === "") + throw new Exception ("Module not provided to authzgroups\\accessReadOnly", + 500); + if ($user === null || ! is_string ($user) || trim ($user) === "") + throw new Exception ("User not provided to authzgroups\\accessReadOnly", + 500); + if ($object === null || ! is_string ($object)) + throw new Exception ("Object not provided to authzgroups\\accessReadOnly", + 500); + $rc = $this->allow ($module, $user, "/$object"); + trigger_error ("authzgroups : accessReadOnly ('$module','$user','/$object')" + ."=$rc", E_USER_NOTICE); + if ($rc === "RO") + return TRUE; + if ($user === "anonymous") + throw new Exception (_("Anonymous not allowed"), 401); + throw new Exception (_("Access forbidden"), 403); + } ///////////////////////// // DATABASE STORAGE // /////////////////////////