ACL Extension  0.3
 All Data Structures Namespaces Files Functions Variables
RestrictedActiveRecord Class Reference
Inheritance diagram for RestrictedActiveRecord:
RestrictedTreeActiveRecord

Public Member Functions

 find ($conditions= '', $params=array())
 findByAttributes ($attributes, $conditions= '', $params=array())
 findByPk ($pk, $conditions= '', $params=array())
 findBySQL ($sql, $params=array())
 findAll ($conditions= '', $params=array())
 findAllByAttributes ($attributes, $conditions= '', $params=array())
 findAllByPk ($pk, $conditions= '', $params=array())
 findAllBySQL ($sql, $params=array())
 getDirectlyPermitted ($actions= '*')
 beforeSave ()
 beforeDelete ()
 afterSave ()
 grants ($permission)

Static Public Member Functions

static getUser ()

Static Public Attributes

static $byPassCheck = false
static $inAttendance = NULL
static $model = 'User'
static $possibleActions = NULL
static $defaultOptions

Protected Member Functions

 generateAccessCheck ($conditions= '', $params=array(), $options=array())

Detailed Description

This class is intended as a base for objects which have restrictions on their access It automatically checks, if the current user has the permissions to commit the regular CRUD-tasks

Definition at line 17 of file RestrictedActiveRecord.php.


Member Function Documentation

afterSave ( )

This method takes care to assign individual rights to newly created objects

Parameters:
CEvent$evt

Reimplemented in RestrictedTreeActiveRecord.

Definition at line 253 of file RestrictedActiveRecord.php.

{
if($this->isNewRecord){
$aro = self::getUser();
//As the object is newly created, it needs a representation
//If strict mode is disabled, this is not necessary
$class = Strategy::getClass('Aco');
$aco = new $class();
$aco->model = get_class($this);
$aco->foreign_key = $this->getPrimaryKey();
if(!$aco->save()){
throw new RuntimeException('Unable to create corresponding Aco for new '.get_class($this));
}
$aro->grant($aco, '*');
}
}
beforeDelete ( )

This method checks whether the user has the right to delete the current record

Definition at line 229 of file RestrictedActiveRecord.php.

{
$aro = self::getUser();
if(!$aro->may($this, 'delete'))
throw new RuntimeException('You are not allowed to delete this record');
//Ok he has the right to do that - remove all the ACL-objects associated with this object
$class = Strategy::getClass('Aco');
$aco = $class::model()->find('model = :model AND foreign_key = :key', array(':model' => get_class($this), ':key' => $this->id));
if(!$aco)
throw new RuntimeException('No associated Aco!');
if(!$aco->delete())
throw new RuntimeException('Unable to delete associated Aco');
return true;
}
beforeSave ( )

This method checks whether the user has the right to update the current record By default, it's always allowed to create a new object. This object is automatically assigned to the user who created it with full permissions

Definition at line 212 of file RestrictedActiveRecord.php.

{
//The Record is updated
if(!$this->isNewRecord){
$aro = self::getUser();
if(!$aro->may($this, 'update'))
throw new RuntimeException('You are not allowed to update this record');
}
return true;
}
find (   $conditions = '',
  $params = array() 
)

Definition at line 135 of file RestrictedActiveRecord.php.

{
return parent::find($this->generateAccessCheck($conditions, $params));
}
findAll (   $conditions = '',
  $params = array() 
)

Definition at line 152 of file RestrictedActiveRecord.php.

{
return parent::findAll($this->generateAccessCheck($conditions, $params));
}
findAllByAttributes (   $attributes,
  $conditions = '',
  $params = array() 
)

Definition at line 156 of file RestrictedActiveRecord.php.

{
return parent::findAllByAttributes($attributes, $this->generateAccessCheck($conditions, $params));
}
findAllByPk (   $pk,
  $conditions = '',
  $params = array() 
)

Definition at line 160 of file RestrictedActiveRecord.php.

{
return parent::findAllByPk($pk, $this->generateAccessCheck($conditions, $params));
}
findAllBySQL (   $sql,
  $params = array() 
)

Definition at line 164 of file RestrictedActiveRecord.php.

{
return parent::findAll($this->generateAccessCheck($sql, $params));
}
findByAttributes (   $attributes,
  $conditions = '',
  $params = array() 
)

Definition at line 139 of file RestrictedActiveRecord.php.

{
return parent::findByAttributes($attributes, $this->generateAccessCheck($conditions, $params));
}
findByPk (   $pk,
  $conditions = '',
  $params = array() 
)

Definition at line 143 of file RestrictedActiveRecord.php.

{
return parent::findByPk($pk, $this->generateAccessCheck($conditions, $params));
}
findBySQL (   $sql,
  $params = array() 
)

Definition at line 147 of file RestrictedActiveRecord.php.

{
return parent::find($this->generateAccessCheck($sql, $params));
}
generateAccessCheck (   $conditions = '',
  $params = array(),
  $options = array() 
)
protected

The following functions generates the CDbCriteria necessary to filter all accessable rows The CDbCriteria is solely passsed to the wrapped methods

Parameters:
sql$conditionsthe conditions being passed to the real method
array$paramsthe params being passed to the real method
array$optionsoptions to be used by the method itself (keys: disableInheritance)
Returns:
CDbCriteria the criteria assuring that the user only gets what he has access to

Definition at line 58 of file RestrictedActiveRecord.php.

{
if(is_object($conditions) && get_class($conditions) == 'CDbCriteria'){
$criteria = $conditions;
}
else{
$criteria = new CDbCriteria;
$criteria->mergeWith(array(
'condition' => $conditions,
'params' => $params
));
}
$options = array_merge(RestrictedActiveRecord::$defaultOptions, $options);
//If the check is bypassed, return criteria without check
return $criteria;
$criteria->distinct = true; //Important: there can be multiple locations which grant permission
//Inner join to get the collection associated with this content
$acoClass = Strategy::getClass('Aco');
$collection = 'INNER JOIN `'.$acoClass::model()->tableName().'` AS acoC ON acoC.model = :RAR_model AND acoC.foreign_key = t.id';
$criteria->params[':RAR_model'] = get_class($this);
//Inner join to the associated aco-nodes themselves to get the positions
$acoNodeClass = Strategy::getClass('AcoNode');
$nodes = ' INNER JOIN `'.$acoNodeClass::model()->tableName().'` AS aco ON aco.collection_id = acoC.id';
//But before: fetch the positions of the current user
$aroClass = Strategy::getClass('Aro');
$aro = $aroClass::model()->find('model = :model AND foreign_key = :foreign_key',
array(':model'=> static::$model, ':foreign_key' => $user->id));
//If we are nobody... we are a guest^^
$guest = Strategy::get('guestGroup');
if(!$aro && $guest){
$aro = $aroClass::model()->find('alias = :alias',
array(':alias' => $guest));
//If there's no guest group... we are nobody and we may nothing ;)
if(!$aro)
return array();
}
$aroPositions = $aro->fetchComprisedPositions();
$aroPositionCheck = $aro->addPositionCheck($aroPositions, "aro", "map");
//Get our action :)
$action = Action::model()->find('name = :name', array(':name' => 'read'));
if($action === NULL)
throw new RuntimeException('Unable to find action read');
//Now, join connecting table
$acoCondition = $acoClass::buildTreeQueryCondition(
array('table' => 'aco'),
array('table' => 'map', 'field' => 'aco'),
$options['disableInheritance']
);
$connection = ' INNER JOIN `'.Permission::model()->tableName().'` AS map ON '.$acoCondition.' AND '.$aroPositionCheck.' AND map.action_id = :acl_action_id';
$criteria->params[':acl_action_id'] = $action->id;
$joins = array($collection, $nodes, $connection);
foreach($joins as $join){
$criteria->mergeWith(array('join' => $join), true);
}
return $criteria;
}
getDirectlyPermitted (   $actions = '*')

Gets the Aros who are directly (no inheritance!) permitted to perform one of the specified actions on this object

Parameters:
mixed$actionsthe actions to be considered
Returns:
array All of the objects which have one of the permissions

Definition at line 175 of file RestrictedActiveRecord.php.

{
//First, fetch all of the action Ids
$actions = Action::translateActions($this, $actions);
$actionCondition = Util::generateInStatement($actions);
$actions = Action::model()->findAll('name '.$actionCondition);
$actionIds = array();
foreach($actions as $action){
$actionIds[] = $action->id;
}
$actionIdCondition = Util::generateInStatement($actionIds);
//Get the associated Aco first
$aco = AclObject::loadObjectStatic($this, 'Aco');
//Fetch all of the own positions and build condition
$positions = $aco->fetchComprisedPositions();
$acoCondition = Util::generateInStatement($positions);
$aroNodeClass = Strategy::getClass('AroNode');
$rGroupTable = RGroup::model()->tableName();
$nodeTable = $aroNodeClass::model()->tableName();
$permTable = Permission::model()->tableName();
return Yii::app()->db->createCommand()
->selectDistinct('t.id AS collection_id, t.foreign_key, t.model, p.action_id')
->from($rGroupTable.' t')
->join($nodeTable.' n', 'n.collection_id = t.id')
->join($permTable.' p',
'p.aro_id = n.id AND p.aco_path '.$acoCondition.' AND p.action_id '. $actionIdCondition)
->queryAll()
;
}
static getUser ( )
static

Fetches the Access Request-Object to use (either the current user or an object from self::inAttendance.

See also:
inAttendance
Returns:
AclObject
Exceptions:
RuntimeException

Definition at line 289 of file RestrictedActiveRecord.php.

{
if(self::$inAttendance !== NULL)
$user = Yii::app()->user;
$class = Strategy::getClass('Aro');
$aro = $class::model()->find('model = :model AND foreign_key = :foreign_key',
array('model' => static::$model, 'foreign_key' => $user->id));
if(!$aro)
throw new RuntimeException('Invalid Aro');
return $aro;
}
grants (   $permission)

Checks whether the current ARO has the given permission on this object

Parameters:
string$permission

Definition at line 277 of file RestrictedActiveRecord.php.

{
$aro = self::getUser();
return $aro->may($this, $permission);
}

Field Documentation

$byPassCheck = false
static

Definition at line 24 of file RestrictedActiveRecord.php.

$defaultOptions
static
Initial value:
array(
'disableInheritance' => false,
)

Definition at line 46 of file RestrictedActiveRecord.php.

$inAttendance = NULL
static

Definition at line 31 of file RestrictedActiveRecord.php.

$model = 'User'
static

Definition at line 36 of file RestrictedActiveRecord.php.

$possibleActions = NULL
static

Definition at line 44 of file RestrictedActiveRecord.php.


The documentation for this class was generated from the following file: