Right Management¶
Goals¶
Provide a way for administrator to segment usages into profiles of users.
Profiles¶
The Profile
(corresponding to glpi_profiles
table) stores each set of rights.
A profile has a set of base fields independent of sub rights and, so, could:
be defined as default for new users (
is_default
field).force the ticket creation form at the login (
create_ticket_on_login
field).define the interface used (
interface
field):helpdesk (self-service users)
central (technician view)
Rights definition¶
They are defined by the ProfileRight
class (corresponding to glpi_profilerights
table)
Each consists of:
a profile foreign key (
profiles_id
field)a key (
name
field)a value (
right
field)
The keys match the static property $rightname
in the GLPI itemtypes.
Ex: In Computer class, we have a static $rightname = 'computer';
Value is a numeric sum of integer constants.
Values of standard rights can be found in inc/define.php:
<?php
...
define("READ", 1);
define("UPDATE", 2);
define("CREATE", 4);
define("DELETE", 8);
define("PURGE", 16);
define("ALLSTANDARDRIGHT", 31);
define("READNOTE", 32);
define("UPDATENOTE", 64);
define("UNLOCK", 128);
So, for example, to have the right to READ and UPDATE an itemtype, we’ll have a right
value of 3.
As defined in this above block, we have a computation of all standards right = 31:
READ (1)
\+ UPDATE (2)
\+ CREATE (4)
\+ DELETE (8)
\+ PURGE (16)
= 31
If you need to extends the possible values of rights, you need to declare these part into your itemtype, simplified example from Ticket class:
<?php
class Ticket extends CommonITILObject {
...
const READALL = 1024;
const READGROUP = 2048;
...
function getRights($interface = 'central') {
$values = parent::getRights();
$values[self::READGROUP] = array('short' => __('See group ticket'),
'long' => __('See tickets created by my groups'));
$values[self::READASSIGN] = array('short' => __('See assigned'),
'long' => __('See assigned tickets'));
return $values;
}
...
The new rights need to be checked by your own functions, see check rights
Check rights¶
Each itemtype class which inherits from CommonDBTM
will benefit from standard right checks.
See the following methods:
canView
canUpdate
canCreate
canDelete
canPurge
If you need to test a specific rightname
against a possible right, here is how to do:
<?php
if (Session::haveRight(self::$rightname, CREATE)) {
// OK
}
// we can also test a set multiple rights with AND operator
if (Session::haveRightsAnd(self::$rightname, [CREATE, READ])) {
// OK
}
// also with OR operator
if (Session::haveRightsOr(self::$rightname, [CREATE, READ])) {
// OK
}
// check a specific right (not your class one)
if (Session::haveRight('ticket', CREATE)) {
// OK
}
See methods definition:
haveRight
haveRightsAnd
haveRightsOr
All above functions return a boolean. If we want a graceful die of your pages, we have equivalent function but with a check
prefix instead have
:
checkRight
checkRightsAnd
checkRightsOr
If you need to check a right directly in a SQL query, use bitwise & and | operators, ex for users:
<?php
$query = "SELECT `glpi_profiles_users`.`users_id`
FROM `glpi_profiles_users`
INNER JOIN `glpi_profiles`
ON (`glpi_profiles_users`.`profiles_id` = `glpi_profiles`.`id`)
INNER JOIN `glpi_profilerights`
ON (`glpi_profilerights`.`profiles_id` = `glpi_profiles`.`id`)
WHERE `glpi_profilerights`.`name` = 'ticket'
AND `glpi_profilerights`.`rights` & ". (READ | CREATE);
$result = $DB->query($query);
In this snippet, the READ | CREATE
do a bitwise operation to get the sum of these rights and the &
SQL operator do a logical comparison with the current value in the DB.
CommonDBRelation and CommonDBChild specificities¶
These classes permits to manage the relation between items and so have properties to propagate rights from their parents.
<?php
abstract class CommonDBChild extends CommonDBConnexity {
static public $checkParentRights = self::HAVE_SAME_RIGHT_ON_ITEM;
...
}
abstract class CommonDBRelation extends CommonDBConnexity {
static public $checkItem_1_Rights = self::HAVE_SAME_RIGHT_ON_ITEM;
static public $checkItem_2_Rights = self::HAVE_SAME_RIGHT_ON_ITEM;
...
}
possible values for these properties are:
DONT_CHECK_ITEM_RIGHTS
: don’t check the parent, we always have all rights regardless of parent’s rights.HAVE_VIEW_RIGHT_ON_ITEM
: we have all rights (CREATE, UPDATE), if we can view the parent.HAVE_SAME_RIGHT_ON_ITEM
: we have the same rights as the parent class.