~drizzle-trunk/drizzle/development

« back to all changes in this revision

Viewing changes to drizzled/plugin/authorization.cc

  • Committer: Monty Taylor
  • Date: 2010-04-15 19:13:57 UTC
  • mto: This revision was merged to the branch mainline in revision 1476.
  • Revision ID: mordred@inaugust.com-20100415191357-alvsmwpe1dql9ll5
Updated Authorization plugin interface to use new Schema|TableIdentifier
code.
Also - fixed Authorization::pruneSchemaNames to use stl's remove_if and
erase to properly trim down the set.

Show diffs side-by-side

added added

removed removed

Lines of Context:
24
24
 
25
25
#include "drizzled/plugin/authorization.h"
26
26
#include "drizzled/security_context.h"
 
27
#include "drizzled/table_identifier.h"
27
28
#include "drizzled/error.h"
28
29
#include "drizzled/session.h"
29
30
#include "drizzled/plugin/registry.h"
61
62
  public unary_function<plugin::Authorization *, bool>
62
63
{
63
64
  const SecurityContext &user_ctx;
64
 
  const string &schema;
 
65
  SchemaIdentifier &schema;
65
66
public:
66
67
  RestrictDbFunctor(const SecurityContext &user_ctx_arg,
67
 
                    const string &schema_arg) :
 
68
                    SchemaIdentifier &schema_arg) :
68
69
    unary_function<plugin::Authorization *, bool>(),
69
70
    user_ctx(user_ctx_arg),
70
71
    schema(schema_arg)
80
81
  public unary_function<plugin::Authorization *, bool>
81
82
{
82
83
  const SecurityContext &user_ctx;
83
 
  const string &schema;
84
 
  const string &table;
 
84
  TableIdentifier &table;
85
85
public:
86
86
  RestrictTableFunctor(const SecurityContext &user_ctx_arg,
87
 
                       const string &schema_arg,
88
 
                       const string &table_arg) :
 
87
                       TableIdentifier &table_arg) :
89
88
    unary_function<plugin::Authorization *, bool>(),
90
89
    user_ctx(user_ctx_arg),
91
 
    schema(schema_arg),
92
90
    table(table_arg)
93
91
  { }
94
92
 
95
93
  inline result_type operator()(argument_type auth)
96
94
  {
97
 
    return auth->restrictTable(user_ctx, schema, table);
 
95
    return auth->restrictTable(user_ctx, table);
98
96
  }
99
97
};
100
98
 
117
115
  }
118
116
};
119
117
 
 
118
class PruneSchemaFunctor :
 
119
  public unary_function<SchemaIdentifier&, bool>
 
120
{
 
121
  const SecurityContext &user_ctx;
 
122
public:
 
123
  PruneSchemaFunctor(const SecurityContext &user_ctx_arg) :
 
124
    unary_function<SchemaIdentifier&, bool>(),
 
125
    user_ctx(user_ctx_arg)
 
126
  { }
 
127
 
 
128
  inline result_type operator()(argument_type auth)
 
129
  {
 
130
    return not plugin::Authorization::isAuthorized(user_ctx, auth, false);
 
131
  }
 
132
};
 
133
 
120
134
} /* namespace */
121
135
 
122
136
bool plugin::Authorization::isAuthorized(const SecurityContext &user_ctx,
131
145
  vector<plugin::Authorization *>::const_iterator iter=
132
146
    find_if(authorization_plugins.begin(),
133
147
            authorization_plugins.end(),
134
 
            RestrictDbFunctor(user_ctx, schema_identifier.getPath()));
 
148
            RestrictDbFunctor(user_ctx, schema_identifier));
 
149
 
135
150
 
136
151
  /*
137
152
   * If iter is == end() here, that means that all of the plugins returned
153
168
}
154
169
 
155
170
bool plugin::Authorization::isAuthorized(const SecurityContext &user_ctx,
156
 
                                         const string &schema,
157
 
                                         const string &table,
 
171
                                         TableIdentifier &table,
158
172
                                         bool send_error)
159
173
{
160
174
  /* If we never loaded any authorization plugins, just return true */
165
179
  vector<plugin::Authorization *>::const_iterator iter=
166
180
    find_if(authorization_plugins.begin(),
167
181
            authorization_plugins.end(),
168
 
            RestrictTableFunctor(user_ctx, schema, table));
 
182
            RestrictTableFunctor(user_ctx, table));
169
183
 
170
184
  /*
171
185
   * If iter is == end() here, that means that all of the plugins returned
179
193
      my_error(ER_DBACCESS_DENIED_ERROR, MYF(0),
180
194
               user_ctx.getUser().c_str(),
181
195
               user_ctx.getIp().c_str(),
182
 
               schema.c_str());
 
196
               table.getSQLPath().c_str());
183
197
    }
184
198
    return false;
185
199
  }
222
236
void plugin::Authorization::pruneSchemaNames(const SecurityContext &user_ctx,
223
237
                                             SchemaIdentifierList &set_of_schemas)
224
238
{
225
 
  SchemaIdentifierList pruned_set_of_names;
226
 
 
227
239
  /* If we never loaded any authorization plugins, just return true */
228
240
  if (authorization_plugins.empty())
229
241
    return;
230
242
 
231
 
  /**
232
 
   * @TODO: It would be stellar if we could find a way to do this with a
233
 
   * functor and an STL algoritm
234
 
   */
235
 
  for (SchemaIdentifierList::iterator iter; iter != set_of_schemas.end(); iter++)
236
 
  {
237
 
    if (not plugin::Authorization::isAuthorized(user_ctx, *iter, false))
238
 
    {
239
 
      iter= pruned_set_of_names.erase(iter);
240
 
    }
241
 
  }
242
 
  set_of_schemas.swap(pruned_set_of_names);
 
243
  set_of_schemas.erase(remove_if(set_of_schemas.begin(),
 
244
                                 set_of_schemas.end(),
 
245
                                 PruneSchemaFunctor(user_ctx)),
 
246
                       set_of_schemas.end());
243
247
}
244
248
 
245
249
} /* namespace drizzled */