[ Index ]

PHP Cross Reference of ACL Module

title

Body

[close]

/components/strategies/nestedSet/pathMaterialization/models/ -> PmAro.php (source)

   1  <?php
   2  
   3  /**

   4   *

   5   * The specific class for Access Request Objects providing the rights-

   6   * management specific to this strategy

   7   *

   8   * @author dispy <dispyfree@googlemail.com>

   9   * @license LGPLv2

  10   * @package acl.strategies.nestedSet.pathMaterialiization

  11   *

  12   * The followings are the available columns in table '{{aco}}':

  13   * @property string $id

  14   * @property integer $collection_id

  15   * @property string $path

  16   */
  17  class PmAro extends PmAclObject
  18  {
  19      
  20      /**

  21       * Grants the given actions to the given object

  22       * @param mixed $obj any valid identifier

  23       * @param mixed $actions the actions to grant

  24       * @param bool  $byPassCheck    Whether to bypass the additional grant-check

  25       * @return type 

  26       */
  27      public function grant($obj, $actions, $byPassCheck){
  28          $obj = $this->loadObject($obj, 'Aco');
  29          $actions = Action::translateActions($obj, $actions);
  30          
  31          //Check for the grant-Permission (if enabled)

  32          $enableGrantCheck = Strategy::get('enableGrantRestriction');
  33          if((!$byPassCheck) && $enableGrantCheck){
  34              if(!$this->may($obj, 'grant'))
  35                  throw new RuntimeException(Yii::t('app', 'You are not permitted to grant on this object'));
  36              
  37              //Extended check, if enabled

  38              $enableSpecificCheck = Strategy::get('enableSpecificGrantRestriction');
  39              if($enableSpecificCheck){
  40                  foreach($actions as $action){
  41                      $actionName = 'grant_'.$action;
  42                      if(!$this->may($obj, $actionName))
  43                          throw new RuntimeException(Yii::t('app', 'You are not permitted to grant this action on this object'));
  44                  }
  45              }
  46          }
  47          
  48          //Load all nodes of this object

  49          $aroNodes = $this->getNodes();
  50          $acoNodes = $obj->getNodes();
  51          
  52          foreach($actions as $action){
  53              //First check: does that already exist?

  54              
  55              $aroIn = Util::generateInStatement(Util::getIdsOfObjects($aroNodes));
  56              $acoIn = Util::generateInStatement(Util::getIdsOfObjects($acoNodes));
  57              
  58              $action = Action::model()->find('name = :name', array(':name' => $action));
  59              
  60              if($action === NULL)
  61                  throw new RuntimeException('Invalid action');
  62              
  63              $permission = Permission::model()->find('action_id = :action_id AND  aco_id '.$acoIn.' AND aro_id '.$aroIn,
  64                      array(':action_id' => $action->id));
  65              //Only grant if it's not yet granted

  66              if($permission === NULL){
  67                  foreach($aroNodes as $aroNode){
  68                      foreach($acoNodes as $acoNode){
  69                          
  70                          $perm = new Permission();
  71                          $perm->aro_id = $aroNode->id;
  72                          $perm->aro_path = $aroNode->getOwnPath();
  73                          $perm->aco_id = $acoNode->id;
  74                          $perm->aco_path = $acoNode->getOwnPath();
  75                          $perm->action_id = $action->id;
  76                          
  77                          if(!$perm->save())
  78                              throw new RuntimeException('Unable to grant permission of '.$action->name.' from '
  79                                      .$aroNode->id.' to '.$acoNode->id);
  80                      }
  81                  }
  82              }
  83              
  84          }
  85      }
  86      
  87      /**

  88       * Denies the given actions to the given object

  89       * @param mixed $obj any valid identifier

  90       * @param mixed $actions the actions to deny

  91       * @return type 

  92       */
  93      public function deny($obj, $actions){
  94          $obj = $this->loadObject($obj, 'Aco');
  95          $actions = Action::translateActions($obj, $actions);
  96          
  97          $aroNodes = $this->getNodes();
  98          $acoNodes = $obj->getNodes();
  99          
 100          $aroIn = Util::generateInStatement(Util::getIdsOfObjects($aroNodes));
 101          $acoIn = Util::generateInStatement(Util::getIdsOfObjects($acoNodes));
 102          
 103          foreach($actions as $action){
 104              
 105              $action = Action::model()->find('name = :name', array(':name' => $action));
 106              
 107              if($action === NULL)
 108                  throw new RuntimeException('Invalid action');
 109              
 110              //Now, delete all the rows

 111              $suc = Permission::model()->deleteAll('aco_id '.$acoIn.' AND aro_id '.$aroIn.' AND action_id = :action_id',
 112                      array(':action_id' => $action->id));
 113              
 114              if($suc === false)
 115                  throw new RuntimeException('Unabel to deny permission '.$action->id.' of '.$this->id.' to '.$obj->id);
 116          }
 117      }
 118      
 119      /**

 120       * Checks whether the this object may perform all of the given actions 

 121       * on the given object

 122       * @param mixed $obj

 123       * @param mixed $actions 

 124       * @param boolean true if it may, otherwise false

 125       */
 126      public function may($originalObj, $actions){
 127  
 128          $obj = $this->loadObject($originalObj, 'Aco');
 129          $actions = Action::translateActions($obj, $actions);
 130          
 131          $aroPaths = $this->getPaths();
 132          $aroCondition = $this->addPositionCheck($aroPaths, 'aro');
 133          
 134          $acoPaths = $obj->getPaths();
 135          $acoCondition = $this->addPositionCheck($acoPaths, 'aco');
 136          
 137          foreach($actions as $action){
 138              //First fetch the action

 139              $action = Action::model()->find('name = :name', array(':name' => $action));       
 140              if($action === NULL)
 141                  throw new RuntimeException('Invalid action');
 142              
 143              //An action which is not possible is never allowed

 144              if(isset($obj::$possibleActions) && !in_array($action, $possibleActions))
 145                      return false;
 146              
 147              //Perform general check

 148              if(RestrictedActiveRecord::mayGenerally($originalObj, $action))
 149                  return true;
 150          
 151          
 152              //Do we have to consider business-rules?

 153              $enableBir = Strategy::get('enableBusinessRules');
 154              
 155              $condition = 'action_id = :action_id AND '.$aroCondition.' AND '.$acoCondition;
 156              $params = array(':action_id' => $action->id);
 157              //First, check the regular ACL

 158                  $perm = Permission::model()->find($condition,$params);
 159  
 160                  if($perm === NULL && !$enableBir)
 161                      return false;
 162                  
 163              //Only check if the permission has not already been granted by 

 164              //the regular ACL check

 165              if((!$perm) && $enableBir){
 166                  $conditions = array(
 167                    'aroCondition' => $aroCondition,
 168                    'acoCondition' => $acoCondition,
 169                  );
 170                  if(!RestrictedActiveRecord::checkBirPermission($conditions, $params))
 171                      return false;
 172              }
 173          }
 174          
 175          return true;
 176      }
 177      
 178      
 179      /**

 180       * Returns the static model of the specified AR class.

 181       * @param string $className active record class name.

 182       * @return PM_Aco the static model class

 183       */
 184      public static function model($className=__CLASS__)
 185      {
 186          return parent::model($className);
 187      }
 188  
 189      /**

 190       * @return string the associated database table name

 191       */
 192      public function tableName()
 193      {
 194          return '{{aro_collection}}';
 195      }
 196  
 197      /**

 198       * @return array validation rules for model attributes.

 199       */
 200      public function rules()
 201      {
 202          // NOTE: you should only define rules for those attributes that

 203          // will receive user inputs.

 204          return array(
 205          );
 206      }
 207  
 208      /**

 209       * @return array relational rules.

 210       */
 211      public function relations()
 212      {
 213          // NOTE: you may need to adjust the relation name and the related

 214          // class name for the relations automatically generated below.

 215          return array(
 216              'aroNodes' => array(static::HAS_MANY, 'PmAroNode', 'collection_id'),
 217              'permissions' => array(static::HAS_MANY, 'Permission', 'aro_id')
 218          );
 219      }
 220  
 221      /**

 222       * @return array customized attribute labels (name=>label)

 223       */
 224      public function attributeLabels()
 225      {
 226          return array(
 227              'id' => 'ID',
 228              'alias' => 'Alias',
 229              'model' => 'Model',
 230              'foreign_key' => 'Foreign Key',
 231              'created' => 'Created'
 232          );
 233      }
 234  } 
 235  ?>


Generated: Sun Jul 1 19:24:45 2012 Cross-referenced by PHPXref 0.7.1