/ucengine/src/models/uce_access.erl
%%
%% U.C.Engine - Unified Collaboration Engine
%% Copyright (C) 2011 af83
%%
%% This program is free software: you can redistribute it and/or modify
%% it under the terms of the GNU Affero General Public License as published by
%% the Free Software Foundation, either version 3 of the License, or
%% (at your option) any later version.
%%
%% This program is distributed in the hope that it will be useful,
%% but WITHOUT ANY WARRANTY; without even the implied warranty of
%% MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
%% GNU Affero General Public License for more details.
%%
%% You should have received a copy of the GNU Affero General Public License
%% along with this program. If not, see <http://www.gnu.org/licenses/>.
%%
-module(uce_access).

%% @doc Access-control helpers over U.C.Engine ACLs.
%%
%% An ACL is a list of `#uce_access{}' records (fields `object',
%% `action' and `conditions'). `exists/2' and `delete/2' compare one
%% record against an ACL; `check/5,6' fetches a user's ACL through
%% `uce_user:acl/3' and decides whether an object/action pair (plus
%% caller-supplied conditions) is allowed; `assert/5,6' turns a
%% negative decision into a thrown `{error, unauthorized}'.
-export([exists/2,
         delete/2,
         assert/5,
         assert/6,
         check/5,
         check/6]).

-include("uce.hrl").

%% @doc Returns `true' when `Access' is equivalent (see `delete/2') to at
%% least one entry of `ACL', `false' otherwise.
-spec exists(#uce_access{}, [#uce_access{}]) -> boolean().
exists(#uce_access{} = Access, ACL) ->
    %% delete/2 hands back ACL unchanged exactly when nothing matched.
    delete(Access, ACL) =/= ACL.

%% @doc Removes from `ACL' every entry equivalent to `Access'.
%%
%% Two entries are equivalent when their objects and actions compare
%% equal, their condition lists have the same length, and every
%% condition of `Access' occurs in the entry (order ignored).
%% Non-record elements of `ACL' raise `function_clause'.
-spec delete(#uce_access{}, [#uce_access{}]) -> [#uce_access{}].
delete(#uce_access{} = Access, ACL) ->
    lists:filter(fun(#uce_access{} = Entry) ->
                         not is_equivalent(Access, Entry)
                 end,
                 ACL).

%% Equivalence test used by delete/2. Evaluated left to right so the cheap
%% object/action comparisons run before the two list traversals.
is_equivalent(#uce_access{object = Object, action = Action,
                          conditions = Conditions},
              #uce_access{object = EntryObject, action = EntryAction,
                          conditions = EntryConditions}) ->
    Object == EntryObject
        andalso Action == EntryAction
        andalso length(Conditions) == length(EntryConditions)
        andalso lists:subtract(Conditions, EntryConditions) == [].

%% @doc Same as `assert/6' with an empty condition list.
-spec assert(term(), term(), term(), term(), term()) -> {ok, true}.
assert(Domain, User, Location, Object, Action) ->
    assert(Domain, User, Location, Object, Action, []).

%% @doc Like `check/6', but a denial is thrown instead of returned:
%% returns `{ok, true}' when access is granted and throws
%% `{error, unauthorized}' when `check/6' answers `{ok, false}'.
-spec assert(term(), term(), term(), term(), term(), [{term(), term()}]) ->
          {ok, true}.
assert(Domain, User, Location, Object, Action, Conditions) ->
    case check(Domain, User, Location, Object, Action, Conditions) of
        {ok, true} ->
            {ok, true};
        {ok, false} ->
            throw({error, unauthorized})
    end.

%% @doc Same as `check/6' with an empty condition list.
-spec check(term(), term(), term(), term(), term()) -> {ok, boolean()}.
check(Domain, User, Location, Object, Action) ->
    check(Domain, User, Location, Object, Action, []).
%% @doc Decides whether `User' may perform `Action' on `Object' at
%% `Location' within `Domain', given the caller-supplied `Conditions'
%% (a list of `{Key, Value}' pairs). Returns `{ok, true}' or
%% `{ok, false}'.
%%
%% The user's ACL comes from `uce_user:acl/3'; an empty ACL denies.
%% Only entries whose object and action apply (the literal `"all"' is a
%% wildcard on either field) are handed to `check_conditions/2'.
%%
%% NOTE(review): only `{ok, _}' results of `uce_user:acl/3' are handled;
%% any other result raises `case_clause' here instead of denying.
-spec check(term(), term(), term(), term(), term(), [{term(), term()}]) ->
          {ok, boolean()}.
check(Domain, User, Location, Object, Action, Conditions) ->
    case uce_user:acl(Domain, User, Location) of
        {ok, []} ->
            {ok, false};
        {ok, ACL} ->
            Applicable = lists:filter(fun(Entry) ->
                                              is_applicable(Entry, Object, Action)
                                      end,
                                      ACL),
            check_conditions(Applicable, Conditions)
    end.

%% An entry applies when its object is the requested one or "all", and
%% likewise for its action (compared with `=='). A non-record entry
%% raises `function_clause'.
is_applicable(#uce_access{object = EntryObject, action = EntryAction},
              Object, Action) ->
    (EntryObject == "all" orelse EntryObject == Object)
        andalso (EntryAction == "all" orelse EntryAction == Action).

%% @doc Walks the applicable entries and grants access as soon as one of
%% them is satisfied by `Required'. Semantics, clause by clause:
%%   - no entries left -> `{ok, false}';
%%   - the caller supplied no conditions -> `{ok, true}', whatever the
%%     entries' own conditions say;
%%   - an entry with no conditions -> `{ok, true}';
%%   - otherwise an entry is accepted when at least one of its
%%     `{Key, Value}' conditions is satisfied (see `is_satisfied/2').
%%
%% NOTE(review): a single satisfied condition suffices, a key missing
%% from `Required' counts as satisfied, and a `'_'' value in `Required'
%% matches any value. These are fail-open choices; confirm they are
%% intended and that `Required' is built server-side rather than taken
%% verbatim from client input.

%% Every applicable entry was tried and none was satisfied.
check_conditions([], _Required) ->
    {ok, false};
%% Nothing is required, so any applicable entry is enough.
check_conditions(_Entries, []) ->
    {ok, true};
%% An unconditional entry grants access outright.
check_conditions([#uce_access{conditions = []} | _Rest], _Required) ->
    {ok, true};
check_conditions([#uce_access{conditions = Conditions} | Rest], Required) ->
    %% Keep the satisfied conditions; one is enough to accept the entry.
    Satisfied = [Cond || Cond <- Conditions, is_satisfied(Cond, Required)],
    case Satisfied of
        [] ->
            check_conditions(Rest, Required);
        [_ | _] ->
            {ok, true}
    end.

%% One condition against the caller-supplied pairs: satisfied when
%% `Required' holds the same pair, holds `{Key, '_'}', or does not mention
%% `Key' at all; any other value for `Key' fails it.
is_satisfied({Key, Value}, Required) ->
    case lists:keyfind(Key, 1, Required) of
        {Key, Value} ->
            true;
        {Key, '_'} ->
            true;
        false ->
            true;
        _Other ->
            false
    end.