X-Git-Url: http://wagnertech.de/git?a=blobdiff_plain;f=SL%2FAuth.pm;h=116d5de681a640758af862ee443a3e4ee7468e31;hb=4cdfbd752ecf4b5d134da8643c62c213b86c69dc;hp=6a69604b6bb2d5773708514b53e9e04903a18a3f;hpb=722fee3c7224fa0b1222b9f5134e2c19dc021c64;p=kivitendo-erp.git
diff --git a/SL/Auth.pm b/SL/Auth.pm
index 6a69604b6..116d5de68 100644
--- a/SL/Auth.pm
+++ b/SL/Auth.pm
@@ -7,6 +7,7 @@ use IO::File;
 use Time::HiRes qw(gettimeofday);
 use List::MoreUtils qw(uniq);
 use YAML;
+use Regexp::IPv6 qw($IPv6_re);
 use SL::Auth::ColumnInformation;
 use SL::Auth::Constants qw(:all);
@@ -19,7 +20,7 @@ use SL::SessionFile;
 use SL::User;
 use SL::DBConnect;
 use SL::DBUpgrade2;
-use SL::DBUtils;
+use SL::DBUtils qw(do_query do_statement prepare_execute_query prepare_query selectall_array_query selectrow_query);
 use strict;
@@ -32,22 +33,16 @@ use Rose::Object::MakeMethods::Generic (
 sub new {
- $main::lxdebug->enter_sub();
+ my ($type, %params) = @_;
+ my $self = bless {}, $type;
- my $type = shift;
- my $self = {};
-
- bless $self, $type;
-
- $self->_read_auth_config();
- $self->reset;
-
- $main::lxdebug->leave_sub();
+ $self->_read_auth_config(%params);
+ $self->init;
 return $self;
 }
-sub reset {
+sub init {
 my ($self, %params) = @_;
 $self->{SESSION} = { };
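Review bot: `init` keeps the `my ($self, %params) = @_;` unpacking although nothing visible in its body reads `%params`, and `new` forwards `%params` to `_read_auth_config` without documenting which keys are understood. Either drop `%params` from `init` or say why it stays, e.g. `# %params is accepted for call compatibility with reset(); currently unused`. The body of `init` continues past the end of this hunk.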
@@ -55,6 +50,28 @@ sub reset {
 $self->{RIGHTS} = { };
 $self->{unique_counter} = 0;
 $self->{column_information} = SL::Auth::ColumnInformation->new(auth => $self);
+}
+
+sub reset {
+ my ($self, %params) = @_;
+
+ $self->{SESSION} = { };
+ $self->{FULL_RIGHTS} = { };
+ $self->{RIGHTS} = { };
+ $self->{unique_counter} = 0;
+
+ if ($self->is_db_connected) {
+ # reset is called during request shutdown already. In case of a
+ # completely new auth DB this would fail and generate an error
+ # message even if the user is currently trying to create said auth
+ # DB. Therefore only fetch the column information if a connection
+ # has been established.
+ $self->{column_information} = SL::Auth::ColumnInformation->new(auth => $self);
+ $self->{column_information}->_fetch;
+ } else {
+ delete $self->{column_information};
+ }
+
 $self->{authenticator}->reset;
 $self->client(undef);
@@ -94,21 +111,25 @@ sub mini_error {
 } else {
 print STDERR "Error: @msg\n";
 }
- ::end_of_request();
+ $::dispatcher->end_request;
 }
 sub _read_auth_config {
- $main::lxdebug->enter_sub();
-
- my $self = shift;
+ my ($self, %params) = @_;
 map { $self->{$_} = $::lx_office_conf{authentication}->{$_} } keys %{ $::lx_office_conf{authentication} };
 # Prevent password leakage to log files when dumping Auth instances.
 $self->{admin_password} = sub { $::lx_office_conf{authentication}->{admin_password} };
- $self->{DB_config} = $::lx_office_conf{'authentication/database'};
- $self->{LDAP_config} = $::lx_office_conf{'authentication/ldap'};
+ if ($params{unit_tests_database}) {
+ $self->{DB_config} = $::lx_office_conf{'testing/database'};
+ $self->{module} = 'DB';
+
+ } else {
+ $self->{DB_config} = $::lx_office_conf{'authentication/database'};
+ $self->{LDAP_config} = $::lx_office_conf{'authentication/ldap'};
+ }
 if ($self->{module} eq 'DB') {
 $self->{authenticator} = SL::Auth::DB->new($self);
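Review bot: In the `else` branch of `reset`, `delete $self->{column_information}` leaves the object without column information until a later `reset` on a connected handle, so any subsequent `$self->{column_information}->…` call would die with a method call on undef — those callers are not visible here, so this is a point to verify rather than a confirmed defect. The four assignments at the top of `reset` also repeat the ones in `init` verbatim; a small private helper (e.g. `_clear_request_state`) called from both would keep them from drifting apart. `$self->{column_information}->_fetch` calls an underscore-prefixed method of another class, which deserves a one-line comment on why the fetch is done eagerly, e.g. `# fetch now while the handle is known to be open`.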
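Review bot: The `unit_tests_database` option that `_read_auth_config` now accepts is undocumented, and it silently overrides whatever `module` the `[authentication]` section configured. A comment above the `if ($params{unit_tests_database})` line would help, e.g. `# Unit tests authenticate against [testing/database] and always use the DB authenticator; the configured module and LDAP settings are ignored.` In that branch `$self->{LDAP_config}` is never set, which is fine only as long as `module` is forced to `DB`. The `map { … } keys …` context line above it runs `map` in void context for its side effect; `for` reads better there. `_read_auth_config` continues past the end of this hunk.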
@@ -138,8 +159,6 @@ sub _read_auth_config {
 $self->{session_timeout} *= 1;
 $self->{session_timeout} = 8 * 60 if (!$self->{session_timeout});
-
- $main::lxdebug->leave_sub();
 }
 sub has_access_to_client {
@@ -160,56 +179,44 @@ SQL
 }
 sub authenticate_root {
- $main::lxdebug->enter_sub();
-
 my ($self, $password) = @_;
 my $session_root_auth = $self->get_session_value(SESSION_KEY_ROOT_AUTH());
 if (defined $session_root_auth && $session_root_auth == OK) {
- $::lxdebug->leave_sub;
 return OK;
 }
 if (!defined $password) {
- $::lxdebug->leave_sub;
 return ERR_PASSWORD;
 }
- $password = SL::Auth::Password->hash(login => 'root', password => $password);
 my $admin_password = SL::Auth::Password->hash_if_unhashed(login => 'root', password => $self->{admin_password}->());
+ $password = SL::Auth::Password->hash(login => 'root', password => $password, stored_password => $admin_password);
 my $result = $password eq $admin_password ? OK : ERR_PASSWORD;
 $self->set_session_value(SESSION_KEY_ROOT_AUTH() => $result);
- $::lxdebug->leave_sub;
 return $result;
 }
 sub authenticate {
- $main::lxdebug->enter_sub();
-
 my ($self, $login, $password) = @_;
 if (!$self->client || !$self->has_access_to_client($login)) {
- $::lxdebug->leave_sub;
 return ERR_PASSWORD;
 }
 my $session_auth = $self->get_session_value(SESSION_KEY_USER_AUTH());
 if (defined $session_auth && $session_auth == OK) {
- $::lxdebug->leave_sub;
 return OK;
 }
 if (!defined $password) {
- $::lxdebug->leave_sub;
 return ERR_PASSWORD;
 }
 my $result = $login ? $self->{authenticator}->authenticate($login, $password) : ERR_USER;
 $self->set_session_value(SESSION_KEY_USER_AUTH() => $result, login => $login, client_id => $self->client->{id});
-
- $::lxdebug->leave_sub;
 return $result;
 }
@@ -232,13 +239,10 @@ sub get_stored_password {
 }
 sub dbconnect {
- $main::lxdebug->enter_sub(2);
-
 my $self = shift;
 my $may_fail = shift;
 if ($self->{dbh}) {
- $main::lxdebug->leave_sub(2);
 return $self->{dbh};
 }
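Review bot: `my $result = $password eq $admin_password ? OK : ERR_PASSWORD;` in `authenticate_root` compares the two hashes with `eq`, which stops at the first differing byte, so the time taken depends on how long the matching prefix is. A length-independent comparison is the usual hardening for a password check; Perl core has none, so a small helper is needed, sketched below. The new `stored_password => $admin_password` argument means the hashing scheme is now derived from the stored value, which deserves a one-line comment on that line, e.g. `# hash with the same scheme/salt as the stored password so the two are comparable`.
```perl
# Compare two strings in time that does not depend on where they first differ.
sub _constant_time_eq {
  my ($left, $right) = @_;
  return 0 if length($left) != length($right);
  my $diff = 0;
  $diff |= ord(substr($left, $_, 1)) ^ ord(substr($right, $_, 1)) for 0 .. length($left) - 1;
  return $diff == 0;
}

# … unchanged: authenticate_root up to the hash computation …
  my $result = _constant_time_eq($password, $admin_password) ? OK : ERR_PASSWORD;
```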
@@ -251,33 +255,31 @@ sub dbconnect {
 $main::lxdebug->message(LXDebug->DEBUG1, "Auth::dbconnect DSN: $dsn");
- $self->{dbh} = SL::DBConnect->connect($dsn, $cfg->{user}, $cfg->{password}, { pg_enable_utf8 => $::locale->is_utf8, AutoCommit => 1 });
+ $self->{dbh} = SL::DBConnect->connect($dsn, $cfg->{user}, $cfg->{password}, { pg_enable_utf8 => 1, AutoCommit => 1 });
 if (!$may_fail && !$self->{dbh}) {
+ delete $self->{dbh};
 $main::form->error($main::locale->text('The connection to the authentication database failed:') . "\n" . $DBI::errstr);
 }
- $main::lxdebug->leave_sub(2);
-
 return $self->{dbh};
 }
 sub dbdisconnect {
- $main::lxdebug->enter_sub();
-
 my $self = shift;
 if ($self->{dbh}) {
 $self->{dbh}->disconnect();
 delete $self->{dbh};
 }
+}
- $main::lxdebug->leave_sub();
+sub is_db_connected {
+ my ($self) = @_;
+ return !!$self->{dbh};
 }
 sub check_tables {
- $main::lxdebug->enter_sub();
-
 my ($self, $dbh) = @_;
 $dbh ||= $self->dbconnect();
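Review bot: `delete $self->{dbh};` is added only inside the `!$may_fail` branch, immediately before `$main::form->error(…)`, which presumably does not return, so the delete never takes effect; on the `$may_fail` path a failed connect leaves `$self->{dbh}` present but undef. `is_db_connected` (added in this hunk) treats undef as not connected, so behaviour is right either way, but the intent reads clearer as `delete $self->{dbh} if !$self->{dbh};` placed before the `if`, covering both paths. The error text also appends `$DBI::errstr` verbatim; driver messages can carry connection details, so consider logging it and showing only the localized sentence. `dbconnect` starts before this hunk.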
@@ -326,18 +320,13 @@ sub create_database {
 $main::lxdebug->message(LXDebug->DEBUG1(), "Auth::create_database DSN: $dsn");
- my $charset = $::lx_office_conf{system}->{dbcharset};
- $charset ||= Common::DEFAULT_CHARSET;
- my $encoding = $Common::charset_to_db_encoding{$charset};
- $encoding ||= 'UNICODE';
-
- my $dbh = SL::DBConnect->connect($dsn, $params{superuser}, $params{superuser_password}, { pg_enable_utf8 => scalar($charset =~ m/^utf-?8$/i) });
+ my $dbh = SL::DBConnect->connect($dsn, $params{superuser}, $params{superuser_password}, { pg_enable_utf8 => 1 });
 if (!$dbh) {
 $main::form->error($main::locale->text('The connection to the template database failed:') . "\n" . $DBI::errstr);
 }
- my $query = qq|CREATE DATABASE "$cfg->{db}" OWNER "$cfg->{user}" TEMPLATE "$params{template}" ENCODING '$encoding'|;
+ my $query = qq|CREATE DATABASE "$cfg->{db}" OWNER "$cfg->{user}" TEMPLATE "$params{template}" ENCODING 'UNICODE'|;
 $main::lxdebug->message(LXDebug->DEBUG1(), "Auth::create_database query: $query");
@@ -349,8 +338,8 @@ sub create_database {
 $query = qq|SELECT pg_encoding_to_char(encoding) FROM pg_database WHERE datname = 'template0'|;
 my ($cluster_encoding) = $dbh->selectrow_array($query);
- if ($cluster_encoding && ($cluster_encoding =~ m/^(?:UTF-?8|UNICODE)$/i) && ($encoding !~ m/^(?:UTF-?8|UNICODE)$/i)) {
- $error = $main::locale->text('Your PostgreSQL installationen uses UTF-8 as its encoding. Therefore you have to configure kivitendo to use UTF-8 as well.');
+ if ($cluster_encoding && ($cluster_encoding !~ m/^(?:UTF-?8|UNICODE)$/i)) {
+ $error = $::locale->text('Your PostgreSQL installationen does not use Unicode as its encoding. This is not supported anymore.');
 }
 $dbh->disconnect();
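Review bot: The rebuilt `CREATE DATABASE` statement still interpolates `$cfg->{db}`, `$cfg->{user}` and `$params{template}` straight into the SQL inside double quotes; these are identifiers, so placeholders cannot be used, but a `"` in any of them breaks out of the quoting. DBI provides `$dbh->quote_identifier` for this case, e.g. `my $query = sprintf q|CREATE DATABASE %s OWNER %s TEMPLATE %s ENCODING 'UNICODE'|, map { $dbh->quote_identifier($_) } $cfg->{db}, $cfg->{user}, $params{template};`. Where `$params{template}` originates is not visible here; if it comes from a form field the point matters more. `create_database` starts before this hunk.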
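Review bot: The new message string keeps `installationen` (a German plural) from the old translation key; because the string doubles as the translation key, correcting it to `installation` also requires updating the locale files in the same change. The hunk also switches from `$main::locale` to `$::locale` on this line while the neighbouring lines in `create_database` still use `$main::locale`; picking one spelling for the function would be consistent.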
@@ -359,28 +348,17 @@ sub create_database {
 }
 $dbh->disconnect();
-
- $main::lxdebug->leave_sub();
 }
 sub create_tables {
- $main::lxdebug->enter_sub();
-
 my $self = shift;
 my $dbh = $self->dbconnect();
- my $charset = $::lx_office_conf{system}->{dbcharset};
- $charset ||= Common::DEFAULT_CHARSET;
-
 $dbh->rollback();
- SL::DBUpgrade2->new(form => $::form)->process_query($dbh, 'sql/auth_db.sql', undef, $charset);
-
- $main::lxdebug->leave_sub();
+ SL::DBUpgrade2->new(form => $::form)->process_query($dbh, 'sql/auth_db.sql');
 }
 sub save_user {
- $main::lxdebug->enter_sub();
-
 my $self = shift;
 my $login = shift;
 my %params = @_;
@@ -417,8 +395,6 @@ sub save_user {
 }
 $dbh->commit();
-
- $main::lxdebug->leave_sub();
 }
 sub can_change_password {
@@ -428,20 +404,14 @@ sub can_change_password {
 }
 sub change_password {
- $main::lxdebug->enter_sub();
-
 my ($self, $login, $new_password) = @_;
 my $result = $self->{authenticator}->change_password($login, $new_password);
- $main::lxdebug->leave_sub();
-
 return $result;
 }
 sub read_all_users {
- $main::lxdebug->enter_sub();
-
 my $self = shift;
 my $dbh = $self->dbconnect();
@@ -474,14 +444,10 @@ sub read_all_users {
 $sth->finish();
- $main::lxdebug->leave_sub();
-
 return %users;
 }
 sub read_user {
- $main::lxdebug->enter_sub();
-
 my ($self, %params) = @_;
 my $dbh = $self->dbconnect();
@@ -521,35 +487,30 @@ sub read_user {
 $sth->finish();
- $main::lxdebug->leave_sub();
-
 return %user_data;
 }
 sub get_user_id {
- $main::lxdebug->enter_sub();
-
 my $self = shift;
 my $login = shift;
 my $dbh = $self->dbconnect();
 my ($id) = selectrow_query($main::form, $dbh, qq|SELECT id FROM auth."user" WHERE login = ?|, $login);
- $main::lxdebug->leave_sub();
-
 return $id;
 }
 sub delete_user {
- $::lxdebug->enter_sub;
-
 my $self = shift;
 my $login = shift;
 my $dbh = $self->dbconnect;
 my $id = $self->get_user_id($login);
- $dbh->rollback and return $::lxdebug->leave_sub if (!$id);
+ if (!$id) {
+ $dbh->rollback;
+ return;
+ }
 $dbh->begin_work;
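Review bot: In `delete_user`, the new `if (!$id) { $dbh->rollback; return; }` calls `rollback` before any `begin_work`; the handle from `dbconnect` is opened with `AutoCommit => 1` (see the `SL::DBConnect->connect` call earlier in this diff), so DBI reports "rollback ineffective with AutoCommit enabled" and nothing is rolled back. `return if !$id;` is sufficient there, and the same applies to the bare `$dbh->rollback();` kept as context in `create_tables` in the first hunk on this line. If a transaction is in fact open at those points (not visible here), a comment saying where it was started would settle it. `delete_user` continues past the end of this hunk.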
@@ -561,8 +522,6 @@ sub delete_user {
 # do_query($::form, $u_dbh, qq|UPDATE employee SET deleted = 't' WHERE login = ?|, $login) if $u_dbh && $user_db_exists;
 $dbh->commit;
-
- $::lxdebug->leave_sub;
 }
 # --------------------------------------
@@ -570,8 +529,6 @@ sub delete_user {
 my $session_id;
 sub restore_session {
- $main::lxdebug->enter_sub();
-
 my $self = shift;
 $session_id = $::request->{cgi}->cookie($self->get_session_cookie_name());
@@ -580,7 +537,6 @@ sub restore_session {
 $self->{SESSION} = { };
 if (!$session_id) {
- $main::lxdebug->leave_sub();
 return $self->session_restore_result(SESSION_NONE());
 }
@@ -588,9 +544,8 @@ sub restore_session {
 $form = $main::form;
- # Don't fail if the auth DB doesn't yet.
+ # Don't fail if the auth DB doesn't exist yet.
 if (!( $dbh = $self->dbconnect(1) )) {
- $::lxdebug->leave_sub;
 return $self->session_restore_result(SESSION_NONE());
 }
@@ -600,7 +555,6 @@ sub restore_session {
 if (!($sth = $dbh->prepare($query)) || !$sth->execute($session_id)) {
 $sth->finish if $sth;
- $::lxdebug->leave_sub;
 return $self->session_restore_result(SESSION_NONE());
 }
@@ -610,16 +564,15 @@ sub restore_session {
 # The session ID provided is valid in the following cases:
 # 1. session ID exists in the database
 # 2. hasn't expired yet
- # 3. if form field '{AUTH}api_token' is given: form field must equal database column 'auth.session.api_token' for the session ID
- # 4. if form field '{AUTH}api_token' is NOT given then: the requestee's IP address must match the stored IP address
+ # 3. if cookie for the API token is given: the cookie's value equal database column 'auth.session.api_token' for the session ID
+ # 4. if cookie for the API token is NOT given then: the requestee's IP address must match the stored IP address
 $self->{api_token} = $cookie->{api_token} if $cookie;
 my $api_token_cookie = $self->get_api_token_cookie;
 my $cookie_is_bad = !$cookie || $cookie->{is_expired};
 $cookie_is_bad ||= $api_token_cookie && ($api_token_cookie ne $cookie->{api_token}) if $api_token_cookie;
- $cookie_is_bad ||= $cookie->{ip_address} ne $ENV{REMOTE_ADDR} if !$api_token_cookie;
+ $cookie_is_bad ||= $cookie->{ip_address} ne $ENV{REMOTE_ADDR} if !$api_token_cookie && $ENV{REMOTE_ADDR} !~ /^$IPv6_re$/;
 if ($cookie_is_bad) {
 $self->destroy_session();
- $main::lxdebug->leave_sub();
 return $self->session_restore_result($cookie ? SESSION_EXPIRED() : SESSION_NONE());
 }
@@ -629,8 +582,6 @@ sub restore_session {
 $self->_load_without_auto_restore_column($dbh, $session_id);
 }
- $main::lxdebug->leave_sub();
-
 return $self->session_restore_result(SESSION_OK());
 }
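Review bot: The IP-address check on the `$cookie_is_bad ||= $cookie->{ip_address} ne $ENV{REMOTE_ADDR} …` line is now skipped entirely whenever `REMOTE_ADDR` is an IPv6 address, so a session cookie presented from a different IPv6 address is accepted without an API token, while IPv4 clients stay bound to the stored address. If the intent is to tolerate IPv6 privacy-extension address rotation, the comment block above (items 3 and 4) should say so rather than still claiming the address "must match", e.g. `# 4. … must match the stored IP address (IPv4 only; IPv6 clients are not pinned because their addresses rotate)` — the reason is my inference. An alternative that keeps some binding is comparing the IPv6 /64 prefix instead of dropping the check. When `REMOTE_ADDR` is unset (command-line or test runs) the new `!~` match warns about an uninitialized value; `($ENV{REMOTE_ADDR} // '') !~ /^$IPv6_re$/` avoids that. Item 3 of the comment is also missing a word: "the cookie's value must equal".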
@@ -669,52 +620,39 @@ SQL sub _load_with_auto_restore_column { my ($self, $dbh, $session_id) = @_; - my $auto_restore_keys = join ', ', map { "'${_}'" } qw(login password rpw); + my %auto_restore_keys = map { $_ => 1 } qw(login password rpw client_id), SESSION_KEY_ROOT_AUTH, SESSION_KEY_USER_AUTH; my $query = <fetchrow_hashref) { - my $value = SL::Auth::SessionValue->new(auth => $self, - key => $ref->{sess_key}, - value => $ref->{sess_value}, - auto_restore => $ref->{auto_restore}, - raw => 1); - $self->{SESSION}->{ $ref->{sess_key} } = $value; - - next if defined $::form->{$ref->{sess_key}}; - - my $data = $value->get; - $::form->{$ref->{sess_key}} = $data if $value->{auto_restore} || !ref $data; + if ($ref->{auto_restore} || $auto_restore_keys{$ref->{sess_key}}) { + my $value = SL::Auth::SessionValue->new(auth => $self, + key => $ref->{sess_key}, + value => $ref->{sess_value}, + auto_restore => $ref->{auto_restore}, + raw => 1); + $self->{SESSION}->{ $ref->{sess_key} } = $value; + + next if defined $::form->{$ref->{sess_key}}; + + my $data = $value->get; + $::form->{$ref->{sess_key}} = $data if $value->{auto_restore} || !ref $data; + } else { + my $value = SL::Auth::SessionValue->new(auth => $self, + key => $ref->{sess_key}); + $self->{SESSION}->{ $ref->{sess_key} } = $value; + } } $sth->finish; - - $query = <fetchrow_hashref) { - my $value = SL::Auth::SessionValue->new(auth => $self, - key => $ref->{sess_key}); - $self->{SESSION}->{ $ref->{sess_key} } = $value; - } } sub destroy_session { - $main::lxdebug->enter_sub(); - my $self = shift; if ($session_id) { @@ -732,8 +670,6 @@ sub destroy_session { $session_id = undef; $self->{SESSION} = { }; } - - $main::lxdebug->leave_sub(); } sub active_session_ids { 
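Review bot: `%auto_restore_keys` now forces eager loading of `login`, `password`, `rpw`, `client_id` and the two auth-state keys regardless of the stored `auto_restore` flag, but the list carries no explanation; a comment above it would help, e.g. `# Keys every request needs before any auto_restore decision is made: credentials, auth results and the client id.` — that rationale is my inference, please confirm. Loaded values are then copied into `$::form` unless the request already set that key (`next if defined $::form->{$ref->{sess_key}};`), so a request parameter named like a session key wins inside the form while `$self->{SESSION}` keeps the stored value; a comment recording that precedence would help readers. The SQL heredoc assigned to `$query` is not visible on this page, so the query itself could not be reviewed.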
@@ -748,11 +684,9 @@ sub active_session_ids {
 }
 sub expire_sessions {
- $main::lxdebug->enter_sub();
-
 my $self = shift;
- $main::lxdebug->leave_sub and return if !$self->session_tables_present;
+ return if !$self->session_tables_present;
 my $dbh = $self->dbconnect();
@@ -777,20 +711,14 @@ sub expire_sessions {
 $dbh->commit();
 }
-
- $main::lxdebug->leave_sub();
 }
 sub _create_session_id {
- $main::lxdebug->enter_sub();
-
 my @data;
 map { push @data, int(rand() * 255); } (1..32);
 my $id = md5_hex(pack 'C*', @data);
- $main::lxdebug->leave_sub();
-
 return $id;
 }
@@ -799,13 +727,12 @@ sub create_or_refresh_session {
 }
 sub save_session {
- $::lxdebug->enter_sub;
 my $self = shift;
 my $provided_dbh = shift;
 my $dbh = $provided_dbh || $self->dbconnect(1);
- $::lxdebug->leave_sub && return unless $dbh && $session_id;
+ return unless $dbh && $session_id;
 $dbh->begin_work unless $provided_dbh;
@@ -813,7 +740,6 @@ sub save_session {
 # the admin is just trying to create the auth database.
 if (!$dbh->do(qq|LOCK auth.session_content|)) {
 $dbh->rollback unless $provided_dbh;
- $::lxdebug->leave_sub;
 return;
 }
@@ -865,12 +791,9 @@ sub save_session {
 }
 $dbh->commit() unless $provided_dbh;
- $::lxdebug->leave_sub;
 }
 sub set_session_value {
- $main::lxdebug->enter_sub();
-
 my $self = shift;
 my @params = @_;
@@ -891,32 +814,22 @@ sub set_session_value {
 }
 }
- $main::lxdebug->leave_sub();
-
 return $self;
 }
 sub delete_session_value {
- $main::lxdebug->enter_sub();
-
 my $self = shift;
 $self->{SESSION} ||= { };
 delete @{ $self->{SESSION} }{ @_ };
- $main::lxdebug->leave_sub();
-
 return $self;
 }
 sub get_session_value {
- $main::lxdebug->enter_sub();
-
 my $self = shift;
 my $data = $self->{SESSION} && $self->{SESSION}->{ $_[0] } ? $self->{SESSION}->{ $_[0] }->get : undef;
- $main::lxdebug->leave_sub();
-
 return $data;
 }
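Review bot: `_create_session_id` derives the session ID from `rand()`, a seeded non-cryptographic generator, and hashes 32 such bytes with MD5; session IDs must be unpredictable, so the randomness should come from the operating system's CSPRNG. A minimal change is `my $id = md5_hex(Crypt::URandom::urandom(32));` (with `use Crypt::URandom;` in the import block) or reading 32 bytes from `/dev/urandom`. The `map { push @data, int(rand() * 255); } (1..32);` line also uses `map` in void context for its side effect, where `for` is the idiom. These lines are unchanged context in this hunk, but the hunk covers the whole function and removes only the debug calls around them.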
@@ -995,108 +908,61 @@ sub get_api_token_cookie { $::request->{cgi}->cookie($self->get_session_cookie_name(type => 'api_token')); } -sub session_tables_present { - $main::lxdebug->enter_sub(); +sub is_api_token_cookie_valid { + my ($self) = @_; + my $provided_api_token = $self->get_api_token_cookie; + return $self->{api_token} && $provided_api_token && ($self->{api_token} eq $provided_api_token); +} - my $self = shift; +sub _tables_present { + my ($self, @tables) = @_; + my $cache_key = join '_', @tables; # Only re-check for the presence of auth tables if either the check # hasn't been done before of if they weren't present. - if ($self->{session_tables_present}) { - $main::lxdebug->leave_sub(); - return $self->{session_tables_present}; - } + return $self->{"$cache_key\_tables_present"} ||= do { + my $dbh = $self->dbconnect(1); - my $dbh = $self->dbconnect(1); - - if (!$dbh) { - $main::lxdebug->leave_sub(); - return 0; - } + if (!$dbh) { + return 0; + } - my $query = - qq|SELECT COUNT(*) - FROM pg_tables - WHERE (schemaname = 'auth') - AND (tablename IN ('session', 'session_content'))|; + my $query = + qq|SELECT COUNT(*) + FROM pg_tables + WHERE (schemaname = 'auth') + AND (tablename IN (@{[ join ', ', ('?') x @tables ]}))|; - my ($count) = selectrow_query($main::form, $dbh, $query); + my ($count) = selectrow_query($main::form, $dbh, $query, @tables); - $self->{session_tables_present} = 2 == $count; + scalar @tables == $count; + } +} - $main::lxdebug->leave_sub(); +sub session_tables_present { + $_[0]->_tables_present('session', 'session_content'); +} - return $self->{session_tables_present}; +sub master_rights_present { + $_[0]->_tables_present('master_rights'); } # -------------------------------------- sub all_rights_full { - my $locale = $main::locale; - - my @all_rights = ( - ["--crm", $locale->text("CRM optional software")], - ["crm_search", $locale->text("CRM search")], - ["crm_new", $locale->text("CRM create customers, vendors and contacts")], - 
["crm_service", $locale->text("CRM services")], - ["crm_admin", $locale->text("CRM admin")], - ["crm_adminuser", $locale->text("CRM user")], - ["crm_adminstatus", $locale->text("CRM status")], - ["crm_email", $locale->text("CRM send email")], - ["crm_termin", $locale->text("CRM termin")], - ["crm_opportunity", $locale->text("CRM opportunity")], - ["crm_knowhow", $locale->text("CRM know how")], - ["crm_follow", $locale->text("CRM follow up")], - ["crm_notices", $locale->text("CRM notices")], - ["crm_other", $locale->text("CRM other")], - ["--master_data", $locale->text("Master Data")], - ["customer_vendor_edit", $locale->text("Create customers and vendors. Edit all vendors. Edit only customers where salesman equals employee (login)")], - ["customer_vendor_all_edit", $locale->text("Create customers and vendors. Edit all vendors. Edit all customers")], - ["part_service_assembly_edit", $locale->text("Create and edit parts, services, assemblies")], - ["project_edit", $locale->text("Create and edit projects")], - ["--ar", $locale->text("AR")], - ["sales_quotation_edit", $locale->text("Create and edit sales quotations")], - ["sales_order_edit", $locale->text("Create and edit sales orders")], - ["sales_delivery_order_edit", $locale->text("Create and edit sales delivery orders")], - ["invoice_edit", $locale->text("Create and edit invoices and credit notes")], - ["dunning_edit", $locale->text("Create and edit dunnings")], - ["sales_all_edit", $locale->text("View/edit all employees sales documents")], - ["edit_prices", $locale->text("Edit prices and discount (if not used, textfield is ONLY set readonly)")], - ["--ap", $locale->text("AP")], - ["request_quotation_edit", $locale->text("Create and edit RFQs")], - ["purchase_order_edit", $locale->text("Create and edit purchase orders")], - ["purchase_delivery_order_edit", $locale->text("Create and edit purchase delivery orders")], - ["vendor_invoice_edit", $locale->text("Create and edit vendor invoices")], - 
["--warehouse_management", $locale->text("Warehouse management")], - ["warehouse_contents", $locale->text("View warehouse content")], - ["warehouse_management", $locale->text("Warehouse management")], - ["--general_ledger_cash", $locale->text("General ledger and cash")], - ["general_ledger", $locale->text("Transactions, AR transactions, AP transactions")], - ["datev_export", $locale->text("DATEV Export")], - ["cash", $locale->text("Receipt, payment, reconciliation")], - ["--reports", $locale->text('Reports')], - ["report", $locale->text('All reports')], - ["advance_turnover_tax_return", $locale->text('Advance turnover tax return')], - ["--batch_printing", $locale->text("Batch Printing")], - ["batch_printing", $locale->text("Batch Printing")], - ["--others", $locale->text("Others")], - ["email_bcc", $locale->text("May set the BCC field when sending emails")], - ["config", $locale->text("Change kivitendo installation settings (all menu entries beneath 'System')")], - ["admin", $locale->text("Administration (Used to access instance administration from user logins)")], - ["productivity", $locale->text("Productivity")], - ["display_admin_link", $locale->text("Show administration link")], - ); - - return @all_rights; + my ($self) = @_; + + @{ $self->{master_rights} ||= do { + $self->dbconnect->selectall_arrayref("SELECT name, description, category FROM auth.master_rights ORDER BY position"); + } + } } sub all_rights { - return grep !/^--/, map { $_->[0] } all_rights_full(); + return map { $_->[0] } grep { !$_->[2] } $_[0]->all_rights_full; } sub read_groups { - $main::lxdebug->enter_sub(); - my $self = shift; my $form = $main::form; 
@@ -1140,18 +1006,14 @@ sub read_groups {
 $group->{rights}->{$row->{right}} |= $row->{granted};
 }
- map { $group->{rights}->{$_} = 0 if (!defined $group->{rights}->{$_}); } all_rights();
+ map { $group->{rights}->{$_} = 0 if (!defined $group->{rights}->{$_}); } $self->all_rights;
 }
 $sth->finish();
- $main::lxdebug->leave_sub();
-
 return $groups;
 }
 sub save_group {
- $main::lxdebug->enter_sub();
-
 my $self = shift;
 my $group = shift;
@@ -1192,13 +1054,9 @@ sub save_group {
 $sth->finish();
 $dbh->commit();
-
- $main::lxdebug->leave_sub();
 }
 sub delete_group {
- $main::lxdebug->enter_sub();
-
 my $self = shift;
 my $id = shift;
@@ -1212,13 +1070,9 @@ sub delete_group {
 do_query($form, $dbh, qq|DELETE FROM auth."group" WHERE id = ?|, $id);
 $dbh->commit();
-
- $main::lxdebug->leave_sub();
 }
 sub evaluate_rights_ary {
- $main::lxdebug->enter_sub(2);
-
 my $ary = shift;
 my $value = 0;
@@ -1244,14 +1098,10 @@ sub evaluate_rights_ary {
 }
 }
- $main::lxdebug->leave_sub(2);
-
 return $value;
 }
 sub _parse_rights_string {
- $main::lxdebug->enter_sub(2);
-
 my $self = shift;
 my $login = shift;
@@ -1278,7 +1128,6 @@ sub _parse_rights_string {
 pop @stack;
 if (!@stack) {
- $main::lxdebug->leave_sub(2);
 return 0;
 }
@@ -1288,20 +1137,16 @@ sub _parse_rights_string {
 push @{$cur_ary}, $token;
 } else {
- push @{$cur_ary}, $self->{RIGHTS}->{$login}->{$token} * 1;
+ push @{$cur_ary}, ($self->{RIGHTS}->{$login}->{$token} // 0) * 1;
 }
 }
 my $result = ($access || (1 < scalar @stack)) ? 0 : evaluate_rights_ary($stack[0]);
- $main::lxdebug->leave_sub(2);
-
 return $result;
 }
 sub check_right {
- $main::lxdebug->enter_sub(2);
-
 my $self = shift;
 my $login = shift;
 my $right = shift;
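Review bot: The new `map { $group->{rights}->{$_} = 0 if (!defined …); } $self->all_rights;` line in `read_groups` uses `map` in void context purely for its side effect; `$group->{rights}->{$_} //= 0 for $self->all_rights;` does the same and reads as the assignment it is (`//` is already introduced elsewhere in this commit, in `_parse_rights_string`). `read_groups` starts before this hunk.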
@@ -1320,17 +1165,13 @@ sub check_right { my $granted = $self->{FULL_RIGHTS}->{$login}->{$right}; $granted = $default if (!defined $granted); - $main::lxdebug->leave_sub(2); - return $granted; } sub assert { - $::lxdebug->enter_sub(2); my ($self, $right, $dont_abort) = @_; if ($self->check_right($::myconfig{login}, $right)) { - $::lxdebug->leave_sub(2); return 1; } @@ -1339,19 +1180,17 @@ sub assert { $::form->show_generic_error($::locale->text("You do not have the permissions to access this function.")); } - $::lxdebug->leave_sub(2); - return 0; } sub load_rights_for_user { - $::lxdebug->enter_sub; - my ($self, $login) = @_; my $dbh = $self->dbconnect; my ($query, $sth, $row, $rights); - $rights = { map { $_ => 0 } all_rights() }; + $rights = { map { $_ => 0 } $self->all_rights }; + + return $rights if !$self->client || !$login; $query = qq|SELECT gr."right", gr.granted @@ -1360,17 +1199,19 @@ sub load_rights_for_user { (SELECT ug.group_id FROM auth.user_group ug LEFT JOIN auth."user" u ON (ug.user_id = u.id) - WHERE u.login = ?)|; + WHERE u.login = ?) + AND group_id IN + (SELECT cg.group_id + FROM auth.clients_groups cg + WHERE cg.client_id = ?)|; - $sth = prepare_execute_query($::form, $dbh, $query, $login); + $sth = prepare_execute_query($::form, $dbh, $query, $login, $self->client->{id}); while ($row = $sth->fetchrow_hashref()) { $rights->{$row->{right}} |= $row->{granted}; } $sth->finish(); - $::lxdebug->leave_sub; - return $rights; } @@ -1385,7 +1226,7 @@ __END__ SL::Auth - Authentication and session handling -=head1 FUNCTIONS +=head1 METHODS =over 4 @@ -1435,7 +1276,7 @@ Stores the session values in the database. This is the only function that actually stores stuff in the database. Neither the various setters nor the deleter access the database. -=item +=item C Stores the content of C<$params{form}> (default: C<$::form>) in the session using L. 
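Review bot: The early `return $rights if !$self->client || !$login;` in `load_rights_for_user` returns the all-zero rights hash built on the line above, so it fails closed, which is right but not obvious from the line itself; a comment such as `# Without a client context or a login no group membership can apply, so every right stays denied.` would record the intent. `load_rights_for_user` continues into the next hunk.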
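Review bot: The added `AND group_id IN (SELECT cg.group_id FROM auth.clients_groups cg WHERE cg.client_id = ?)` restricts rights to groups assigned to the current client, and the `$self->client->{id}` bind is passed in the right order; the only visible inconsistency is that `group_id` is unqualified while every other column in the query is prefixed, so `gr.group_id` would match the rest — assuming the outer `FROM` (not visible here) has only the `gr` alias. `load_rights_for_user` starts before this hunk.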
@@ -1449,7 +1290,7 @@ can be given as an array ref in C<$params{skip_keys}>. Returns the unique key under which the form is stored. -=item +=item C Restores the form from the session into C<$params{form}> (default: C<$::form>). @@ -1460,6 +1301,14 @@ is on by default. Returns C<$self>. +=item C + +C deletes every state information from previous requests, but does not +close the database connection. + +Creating a new database handle on each request can take up to 30% of the +pre-request startup time, so we want to avoid that for fast ajax calls. + =back =head1 BUGS