context-access-admin.inc 15 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491
  1. <?php
  2. /**
  3. * @file
  4. * Contains administrative screens for the access control plugins.
  5. *
  6. * Access control can be implemented by creating a list of 0 or more access
  7. * plugins, each with settings. This list can be ANDed together or ORed
  8. * together. When testing access, each plugin is tested until success
  9. * or failure can be determined. We use short circuiting techniques to
  10. * ensure we are as efficient as possible.
  11. *
  12. * Access plugins are part of the context system, and as such can require
  13. * contexts to work. That allows the use of access based upon visibility
  14. * of an object, or even more esoteric things such as node type, node language
  15. * etc. Since a lot of access depends on the logged in user, the logged in
  16. * user should always be provided as a context.
  17. *
  18. * In the UI, the user is presented with a table and a 'add access method' select.
  19. * When added, the user will be presented with the config wizard and, when
  20. * confirmed, table will be refreshed via AJAX to show the new access method.
  21. * Each item in the table will have controls to change the settings or remove
  22. * the item. Changing the settings will invoke the modal for update.
  23. *
  24. * Currently the modal is not degradable, but it could be with only a small
  25. * amount of work.
  26. *
  27. * A simple radio
  28. * control is used to let the user pick the and/or logic.
  29. *
  30. * Access control is stored in an array:
  31. * @code
  32. * array(
  33. * 'plugins' => array(
  34. * 0 => array(
  35. * 'name' => 'name of access plugin',
  36. * 'settings' => array(), // These will be set by the form
  37. * ),
  38. * // ... as many as needed
  39. * ),
  40. * 'logic' => 'AND', // or 'OR',
  41. * ),
  42. * @endcode
  43. *
  44. * To add this widget to your UI, you need to do a little bit of setup.
  45. *
  46. * The form will utilize two callbacks, one to get the cached version
  47. * of the access settings, and one to store the cached version of the
  48. * access settings. These will be used from AJAX forms, so they will
  49. * be completely out of the context of this page load and will not have
  50. * knowledge of anything sent to this form (the 'module' and 'argument'
  51. * will be preserved through the URL only).
  52. *
  53. * The 'module' is used to determine the location of the callback. It
  54. * does not strictly need to be a module, so that if your module defines
  55. * multiple systems that use this callback, it can use anything within the
  56. * module's namespace it likes.
  57. *
  58. * When retrieving the cache, the cache may not have already been set up;
  59. * In order to efficiently use cache space, we want to cache the stored
  60. * settings *only* when they have changed. Therefore, the get access cache
  61. * callback should first look for cache, and if it finds nothing, return
  62. * the original settings.
  63. *
  64. * The callbacks:
  65. * - $module . _ctools_access_get($argument) -- get the 'access' settings
  66. * from cache. Must return array($access, $contexts); This callback can
  67. * perform access checking to make sure this URL is not being gamed.
  68. * - $module . _ctools_access_set($argument, $access) -- set the 'access'
  69. * settings in cache.
  70. * - $module . _ctools_access_clear($argument) -- clear the cache.
  71. *
  72. * The ctools_object_cache is recommended for this purpose, but you can use
  73. * any caching mechanism you like. An example:
  74. *
  75. * @code{
  76. * ctools_include('object-cache');
  77. * ctools_object_cache_set("$module:argument", $access);
  78. * }
  79. *
  80. * To utilize this form:
  81. * @code
  82. * ctools_include('context-access-admin');
  83. * $form_state = array(
  84. * 'access' => $access,
  85. * 'module' => 'module name',
  86. * 'callback argument' => 'some string',
  87. * 'contexts' => $contexts, // an array of contexts. Optional if no contexts.
  88. * // 'logged-in-user' will be added if not present as the access system
  89. * // requires this context.
  90. * ),
  91. * $output = drupal_build_form('ctools_access_admin_form', $form_state);
  92. * if (!empty($form_state['executed'])) {
  93. * // save $form_state['access'] however you like.
  94. * }
  95. * @endcode
  96. *
  97. * Additionally, you may add 'no buttons' => TRUE if you wish to embed this
  98. * form into your own, and instead call
  99. *
  100. * @code{
  101. * $form = ctools_access_admin_form($form, $form_state);
  102. * }
  103. *
  104. * You'll be responsible for adding a submit button.
  105. *
  106. * You may use ctools_access($access, $contexts) which will return
  107. * TRUE if access is passed or FALSE if access is not passed.
  108. */
  109. /**
  110. * Administrative form for access control.
  111. */
  112. function ctools_access_admin_form($form, &$form_state) {
  113. ctools_include('context');
  114. $argument = isset($form_state['callback argument']) ? $form_state['callback argument'] : '';
  115. $fragment = $form_state['module'];
  116. if ($argument) {
  117. $fragment .= '-' . $argument;
  118. }
  119. $contexts = isset($form_state['contexts']) ? $form_state['contexts'] : array();
  120. $form['access_table'] = array(
  121. '#markup' => ctools_access_admin_render_table($form_state['access'], $fragment, $contexts),
  122. );
  123. $form['add-button'] = array(
  124. '#theme' => 'ctools_access_admin_add',
  125. );
  126. // This sets up the URL for the add access modal.
  127. $form['add-button']['add-url'] = array(
  128. '#attributes' => array('class' => array("ctools-access-add-url")),
  129. '#type' => 'hidden',
  130. '#value' => url("ctools/context/ajax/access/add/$fragment", array('absolute' => TRUE)),
  131. );
  132. $plugins = ctools_get_relevant_access_plugins($contexts);
  133. $options = array();
  134. foreach ($plugins as $id => $plugin) {
  135. $options[$id] = $plugin['title'];
  136. }
  137. asort($options);
  138. $form['add-button']['type'] = array(
  139. // This ensures that the form item is added to the URL.
  140. '#attributes' => array('class' => array("ctools-access-add-url")),
  141. '#type' => 'select',
  142. '#options' => $options,
  143. '#required' => FALSE,
  144. );
  145. $form['add-button']['add'] = array(
  146. '#type' => 'submit',
  147. '#attributes' => array('class' => array('ctools-use-modal')),
  148. '#id' => "ctools-access-add",
  149. '#value' => t('Add'),
  150. );
  151. $form['logic'] = array(
  152. '#type' => 'radios',
  153. '#options' => array(
  154. 'and' => t('All criteria must pass.'),
  155. 'or' => t('Only one criteria must pass.'),
  156. ),
  157. '#default_value' => isset($form_state['access']['logic']) ? $form_state['access']['logic'] : 'and',
  158. );
  159. if (empty($form_state['no buttons'])) {
  160. $form['buttons']['save'] = array(
  161. '#type' => 'submit',
  162. '#value' => t('Save'),
  163. '#submit' => array('ctools_access_admin_form_submit'),
  164. );
  165. }
  166. return $form;
  167. }
  168. /**
  169. * Render the table. This is used both to render it initially and to rerender
  170. * it upon ajax response.
  171. */
  172. function ctools_access_admin_render_table($access, $fragment, $contexts) {
  173. ctools_include('ajax');
  174. ctools_include('modal');
  175. $rows = array();
  176. if (empty($access['plugins'])) {
  177. $access['plugins'] = array();
  178. }
  179. foreach ($access['plugins'] as $id => $test) {
  180. $row = array();
  181. $plugin = ctools_get_access_plugin($test['name']);
  182. $title = isset($plugin['title']) ? $plugin['title'] : t('Broken/missing access plugin %plugin', array('%plugin' => $test['name']));
  183. $row[] = array('data' => $title, 'class' => array('ctools-access-title'));
  184. $description = ctools_access_summary($plugin, $contexts, $test);
  185. $row[] = array('data' => $description, 'class' => array('ctools-access-description'));
  186. $operations = ctools_modal_image_button(ctools_image_path('icon-configure.png'), "ctools/context/ajax/access/configure/$fragment/$id", t('Configure settings for this item.'));
  187. $operations .= ctools_ajax_image_button(ctools_image_path('icon-delete.png'), "ctools/context/ajax/access/delete/$fragment/$id", t('Remove this item.'));
  188. $row[] = array('data' => $operations, 'class' => array('ctools-access-operations'), 'align' => 'right');
  189. $rows[] = $row;
  190. }
  191. $header = array(
  192. array('data' => t('Title'), 'class' => array('ctools-access-title')),
  193. array('data' => t('Description'), 'class' => array('ctools-access-description')),
  194. array('data' => '', 'class' => array('ctools-access-operations'), 'align' => 'right'),
  195. );
  196. if (empty($rows)) {
  197. $rows[] = array(array('data' => t('No criteria selected, this test will pass.'), 'colspan' => count($header)));
  198. }
  199. ctools_modal_add_js();
  200. return theme('table', array('header' => $header, 'rows' => $rows, 'attributes' => array('id' => 'ctools-access-table')));
  201. }
  202. /**
  203. * Theme the 'add' portion of the access form into a table.
  204. */
  205. function theme_ctools_access_admin_add($vars) {
  206. $rows = array(array(drupal_render_children($vars['form'])));
  207. $output = '<div class="container-inline">';
  208. $output .= theme('table', array('rows' => $rows));
  209. $output .= '</div>';
  210. return $output;
  211. }
  212. function ctools_access_admin_form_submit($form, &$form_state) {
  213. $form_state['access']['logic'] = $form_state['values']['logic'];
  214. $function = $form_state['module'] . '_ctools_access_clear';
  215. if (function_exists($function)) {
  216. $function($form_state['callback argument']);
  217. }
  218. }
  219. // --------------------------------------------------------------------------
  220. // AJAX menu entry points.
  221. /**
  222. * AJAX callback to add a new access test to the list.
  223. */
  224. function ctools_access_ajax_add($fragment = NULL, $name = NULL) {
  225. ctools_include('ajax');
  226. ctools_include('modal');
  227. ctools_include('context');
  228. if (empty($fragment) || empty($name)) {
  229. ctools_ajax_render_error();
  230. }
  231. $plugin = ctools_get_access_plugin($name);
  232. if (empty($plugin)) {
  233. ctools_ajax_render_error();
  234. }
  235. // Separate the fragment into 'module' and 'argument'.
  236. if (strpos($fragment, '-') === FALSE) {
  237. $module = $fragment;
  238. $argument = NULL;
  239. }
  240. else {
  241. list($module, $argument) = explode('-', $fragment, 2);
  242. }
  243. $function = $module . '_ctools_access_get';
  244. if (!function_exists($function)) {
  245. ctools_ajax_render_error(t('Missing callback hooks.'));
  246. }
  247. list($access, $contexts) = $function($argument);
  248. // Make sure we have the logged in user context.
  249. if (!isset($contexts['logged-in-user'])) {
  250. $contexts['logged-in-user'] = ctools_access_get_loggedin_context();
  251. }
  252. if (empty($access['plugins'])) {
  253. $access['plugins'] = array();
  254. }
  255. $test = ctools_access_new_test($plugin);
  256. $id = $access['plugins'] ? max(array_keys($access['plugins'])) + 1 : 0;
  257. $access['plugins'][$id] = $test;
  258. $form_state = array(
  259. 'plugin' => $plugin,
  260. 'id' => $id,
  261. 'test' => &$access['plugins'][$id],
  262. 'access' => &$access,
  263. 'contexts' => $contexts,
  264. 'title' => t('Add criteria'),
  265. 'ajax' => TRUE,
  266. 'modal' => TRUE,
  267. 'modal return' => TRUE,
  268. );
  269. $output = ctools_modal_form_wrapper('ctools_access_ajax_edit_item', $form_state);
  270. $access = $form_state['access'];
  271. $access['plugins'][$id] = $form_state['test'];
  272. if (!isset($output[0])) {
  273. $function = $module . '_ctools_access_set';
  274. if (function_exists($function)) {
  275. $function($argument, $access);
  276. }
  277. $table = ctools_access_admin_render_table($access, $fragment, $contexts);
  278. $output = array();
  279. $output[] = ajax_command_replace('table#ctools-access-table', $table);
  280. $output[] = ctools_modal_command_dismiss();
  281. }
  282. print ajax_render($output);
  283. }
  284. /**
  285. * AJAX callback to edit an access test in the list.
  286. */
  287. function ctools_access_ajax_edit($fragment = NULL, $id = NULL) {
  288. ctools_include('ajax');
  289. ctools_include('modal');
  290. ctools_include('context');
  291. if (empty($fragment) || !isset($id)) {
  292. ctools_ajax_render_error();
  293. }
  294. // Separate the fragment into 'module' and 'argument'.
  295. if (strpos($fragment, '-') === FALSE) {
  296. $module = $fragment;
  297. $argument = NULL;
  298. }
  299. else {
  300. list($module, $argument) = explode('-', $fragment, 2);
  301. }
  302. $function = $module . '_ctools_access_get';
  303. if (!function_exists($function)) {
  304. ctools_ajax_render_error(t('Missing callback hooks.'));
  305. }
  306. list($access, $contexts) = $function($argument);
  307. if (empty($access['plugins'][$id])) {
  308. ctools_ajax_render_error();
  309. }
  310. // Make sure we have the logged in user context.
  311. if (!isset($contexts['logged-in-user'])) {
  312. $contexts['logged-in-user'] = ctools_access_get_loggedin_context();
  313. }
  314. $plugin = ctools_get_access_plugin($access['plugins'][$id]['name']);
  315. $form_state = array(
  316. 'plugin' => $plugin,
  317. 'id' => $id,
  318. 'test' => &$access['plugins'][$id],
  319. 'access' => &$access,
  320. 'contexts' => $contexts,
  321. 'title' => t('Edit criteria'),
  322. 'ajax' => TRUE,
  323. 'modal' => TRUE,
  324. 'modal return' => TRUE,
  325. );
  326. $output = ctools_modal_form_wrapper('ctools_access_ajax_edit_item', $form_state);
  327. $access = $form_state['access'];
  328. $access['plugins'][$id] = $form_state['test'];
  329. if (!isset($output[0])) {
  330. $function = $module . '_ctools_access_set';
  331. if (function_exists($function)) {
  332. $function($argument, $access);
  333. }
  334. $table = ctools_access_admin_render_table($access, $fragment, $contexts);
  335. $output = array();
  336. $output[] = ajax_command_replace('table#ctools-access-table', $table);
  337. $output[] = ctools_modal_command_dismiss();
  338. }
  339. print ajax_render($output);
  340. }
  341. /**
  342. * Form to edit the settings of an access test.
  343. */
  344. function ctools_access_ajax_edit_item($form, &$form_state) {
  345. $test = &$form_state['test'];
  346. $plugin = &$form_state['plugin'];
  347. if (isset($plugin['required context'])) {
  348. $form['context'] = ctools_context_selector($form_state['contexts'], $plugin['required context'], $test['context']);
  349. }
  350. $form['settings'] = array('#tree' => TRUE);
  351. if ($function = ctools_plugin_get_function($plugin, 'settings form')) {
  352. $form = $function($form, $form_state, $test['settings']);
  353. }
  354. $form['not'] = array(
  355. '#type' => 'checkbox',
  356. '#title' => t('Reverse (NOT)'),
  357. '#default_value' => !empty($test['not']),
  358. );
  359. $form['save'] = array(
  360. '#type' => 'submit',
  361. '#value' => t('Save'),
  362. );
  363. return $form;
  364. }
  365. /**
  366. * Validate handler for argument settings.
  367. */
  368. function ctools_access_ajax_edit_item_validate($form, &$form_state) {
  369. if ($function = ctools_plugin_get_function($form_state['plugin'], 'settings form validate')) {
  370. $function($form, $form_state);
  371. }
  372. }
  373. /**
  374. * Submit handler for argument settings.
  375. */
  376. function ctools_access_ajax_edit_item_submit($form, &$form_state) {
  377. if ($function = ctools_plugin_get_function($form_state['plugin'], 'settings form submit')) {
  378. $function($form, $form_state);
  379. }
  380. $form_state['test']['settings'] = $form_state['values']['settings'];
  381. if (isset($form_state['values']['context'])) {
  382. $form_state['test']['context'] = $form_state['values']['context'];
  383. }
  384. $form_state['test']['not'] = !empty($form_state['values']['not']);
  385. }
  386. /**
  387. * AJAX command to remove an access control item.
  388. */
  389. function ctools_access_ajax_delete($fragment = NULL, $id = NULL) {
  390. ctools_include('ajax');
  391. ctools_include('modal');
  392. ctools_include('context');
  393. if (empty($fragment) || !isset($id)) {
  394. ajax_render_error();
  395. }
  396. // Separate the fragment into 'module' and 'argument'.
  397. if (strpos($fragment, '-') === FALSE) {
  398. $module = $fragment;
  399. $argument = NULL;
  400. }
  401. else {
  402. list($module, $argument) = explode('-', $fragment, 2);
  403. }
  404. $function = $module . '_ctools_access_get';
  405. if (!function_exists($function)) {
  406. ajax_render_error(t('Missing callback hooks.'));
  407. }
  408. list($access, $contexts) = $function($argument);
  409. if (isset($access['plugins'][$id])) {
  410. unset($access['plugins'][$id]);
  411. }
  412. // re-cache.
  413. $function = $module . '_ctools_access_set';
  414. if (function_exists($function)) {
  415. $function($argument, $access);
  416. }
  417. $table = ctools_access_admin_render_table($access, $fragment, $contexts);
  418. $output = array();
  419. $output[] = ajax_command_replace('table#ctools-access-table', $table);
  420. print ajax_render($output);
  421. }