[ Index ] |
PHP Cross Reference of ACL Module |
[Summary view] [Print] [Text view]
1 <?php 2 3 /** 4 * 5 * The specific class for Access Request Objects providing the rights- 6 * management specific to this strategy 7 * 8 * @author dispy <dispyfree@googlemail.com> 9 * @license LGPLv2 10 * @package acl.strategies.nestedSet.pathMaterialiization 11 * 12 * The followings are the available columns in table '{{aco}}': 13 * @property string $id 14 * @property integer $collection_id 15 * @property string $path 16 */ 17 class PmAro extends PmAclObject 18 { 19 20 /** 21 * Grants the given actions to the given object 22 * @param mixed $obj any valid identifier 23 * @param mixed $actions the actions to grant 24 * @param bool $byPassCheck Whether to bypass the additional grant-check 25 * @return type 26 */ 27 public function grant($obj, $actions, $byPassCheck){ 28 $obj = $this->loadObject($obj, 'Aco'); 29 $actions = Action::translateActions($obj, $actions); 30 31 //Check for the grant-Permission (if enabled) 32 $enableGrantCheck = Strategy::get('enableGrantRestriction'); 33 if((!$byPassCheck) && $enableGrantCheck){ 34 if(!$this->may($obj, 'grant')) 35 throw new RuntimeException(Yii::t('app', 'You are not permitted to grant on this object')); 36 37 //Extended check, if enabled 38 $enableSpecificCheck = Strategy::get('enableSpecificGrantRestriction'); 39 if($enableSpecificCheck){ 40 foreach($actions as $action){ 41 $actionName = 'grant_'.$action; 42 if(!$this->may($obj, $actionName)) 43 throw new RuntimeException(Yii::t('app', 'You are not permitted to grant this action on this object')); 44 } 45 } 46 } 47 48 //Load all nodes of this object 49 $aroNodes = $this->getNodes(); 50 $acoNodes = $obj->getNodes(); 51 52 foreach($actions as $action){ 53 //First check: does that already exist? 54 55 $aroIn = Util::generateInStatement(Util::getIdsOfObjects($aroNodes)); 56 $acoIn = Util::generateInStatement(Util::getIdsOfObjects($acoNodes)); 57 58 $action = Action::model()->find('name = :name', array(':name' => $action)); 59 60 if($action === NULL) 61 throw new RuntimeException('Invalid action'); 62 63 $permission = Permission::model()->find('action_id = :action_id AND aco_id '.$acoIn.' AND aro_id '.$aroIn, 64 array(':action_id' => $action->id)); 65 //Only grant if it's not yet granted 66 if($permission === NULL){ 67 foreach($aroNodes as $aroNode){ 68 foreach($acoNodes as $acoNode){ 69 70 $perm = new Permission(); 71 $perm->aro_id = $aroNode->id; 72 $perm->aro_path = $aroNode->getOwnPath(); 73 $perm->aco_id = $acoNode->id; 74 $perm->aco_path = $acoNode->getOwnPath(); 75 $perm->action_id = $action->id; 76 77 if(!$perm->save()) 78 throw new RuntimeException('Unable to grant permission of '.$action->name.' from ' 79 .$aroNode->id.' to '.$acoNode->id); 80 } 81 } 82 } 83 84 } 85 } 86 87 /** 88 * Denies the given actions to the given object 89 * @param mixed $obj any valid identifier 90 * @param mixed $actions the actions to deny 91 * @return type 92 */ 93 public function deny($obj, $actions){ 94 $obj = $this->loadObject($obj, 'Aco'); 95 $actions = Action::translateActions($obj, $actions); 96 97 $aroNodes = $this->getNodes(); 98 $acoNodes = $obj->getNodes(); 99 100 $aroIn = Util::generateInStatement(Util::getIdsOfObjects($aroNodes)); 101 $acoIn = Util::generateInStatement(Util::getIdsOfObjects($acoNodes)); 102 103 foreach($actions as $action){ 104 105 $action = Action::model()->find('name = :name', array(':name' => $action)); 106 107 if($action === NULL) 108 throw new RuntimeException('Invalid action'); 109 110 //Now, delete all the rows 111 $suc = Permission::model()->deleteAll('aco_id '.$acoIn.' AND aro_id '.$aroIn.' AND action_id = :action_id', 112 array(':action_id' => $action->id)); 113 114 if($suc === false) 115 throw new RuntimeException('Unabel to deny permission '.$action->id.' of '.$this->id.' to '.$obj->id); 116 } 117 } 118 119 /** 120 * Checks whether the this object may perform all of the given actions 121 * on the given object 122 * @param mixed $obj 123 * @param mixed $actions 124 * @param boolean true if it may, otherwise false 125 */ 126 public function may($originalObj, $actions){ 127 128 $obj = $this->loadObject($originalObj, 'Aco'); 129 $actions = Action::translateActions($obj, $actions); 130 131 $aroPaths = $this->getPaths(); 132 $aroCondition = $this->addPositionCheck($aroPaths, 'aro'); 133 134 $acoPaths = $obj->getPaths(); 135 $acoCondition = $this->addPositionCheck($acoPaths, 'aco'); 136 137 foreach($actions as $action){ 138 //First fetch the action 139 $action = Action::model()->find('name = :name', array(':name' => $action)); 140 if($action === NULL) 141 throw new RuntimeException('Invalid action'); 142 143 //An action which is not possible is never allowed 144 if(isset($obj::$possibleActions) && !in_array($action, $possibleActions)) 145 return false; 146 147 //Perform general check 148 if(RestrictedActiveRecord::mayGenerally($originalObj, $action)) 149 return true; 150 151 152 //Do we have to consider business-rules? 153 $enableBir = Strategy::get('enableBusinessRules'); 154 155 $condition = 'action_id = :action_id AND '.$aroCondition.' AND '.$acoCondition; 156 $params = array(':action_id' => $action->id); 157 //First, check the regular ACL 158 $perm = Permission::model()->find($condition,$params); 159 160 if($perm === NULL && !$enableBir) 161 return false; 162 163 //Only check if the permission has not already been granted by 164 //the regular ACL check 165 if((!$perm) && $enableBir){ 166 $conditions = array( 167 'aroCondition' => $aroCondition, 168 'acoCondition' => $acoCondition, 169 ); 170 if(!RestrictedActiveRecord::checkBirPermission($conditions, $params)) 171 return false; 172 } 173 } 174 175 return true; 176 } 177 178 179 /** 180 * Returns the static model of the specified AR class. 181 * @param string $className active record class name. 182 * @return PM_Aco the static model class 183 */ 184 public static function model($className=__CLASS__) 185 { 186 return parent::model($className); 187 } 188 189 /** 190 * @return string the associated database table name 191 */ 192 public function tableName() 193 { 194 return '{{aro_collection}}'; 195 } 196 197 /** 198 * @return array validation rules for model attributes. 199 */ 200 public function rules() 201 { 202 // NOTE: you should only define rules for those attributes that 203 // will receive user inputs. 204 return array( 205 ); 206 } 207 208 /** 209 * @return array relational rules. 210 */ 211 public function relations() 212 { 213 // NOTE: you may need to adjust the relation name and the related 214 // class name for the relations automatically generated below. 215 return array( 216 'aroNodes' => array(static::HAS_MANY, 'PmAroNode', 'collection_id'), 217 'permissions' => array(static::HAS_MANY, 'Permission', 'aro_id') 218 ); 219 } 220 221 /** 222 * @return array customized attribute labels (name=>label) 223 */ 224 public function attributeLabels() 225 { 226 return array( 227 'id' => 'ID', 228 'alias' => 'Alias', 229 'model' => 'Model', 230 'foreign_key' => 'Foreign Key', 231 'created' => 'Created' 232 ); 233 } 234 } 235 ?>
title
Description
Body
title
Description
Body
title
Description
Body
title
Body
Generated: Sun Jul 1 19:24:45 2012 | Cross-referenced by PHPXref 0.7.1 |