/app/Config/acl.php - アノテート - pictcode - Redmine

spyder1211

<?php

2

/**

3

 * This is the PHP base ACL configuration file.

4

5

 * Use it to configure access control of your CakePHP application.

6

7

 * CakePHP(tm) : Rapid Development Framework (http://cakephp.org)

8

 * Copyright (c) Cake Software Foundation, Inc. (http://cakefoundation.org)

9

10

 * Licensed under The MIT License

11

 * For full copyright and license information, please see the LICENSE.txt

12

 * Redistributions of files must retain the above copyright notice.

13

14

 * @copyright     Copyright (c) Cake Software Foundation, Inc. (http://cakefoundation.org)

15

 * @link          http://cakephp.org CakePHP(tm) Project

16

 * @package       app.Config

17

 * @since         CakePHP(tm) v 2.1

18

 * @license       http://www.opensource.org/licenses/mit-license.php MIT License

19

*/

20

21

/**

22

 * Example

23

 * -------

24

25

 * Assumptions:

26

27

 * 1. In your application you created a User model with the following properties:

28

 *    username, group_id, password, email, firstname, lastname and so on.

29

 * 2. You configured AuthComponent to authorize actions via

30

 *    $this->Auth->authorize = array('Actions' => array('actionPath' => 'controllers/'),...)

31

32

 * Now, when a user (i.e. jeff) authenticates successfully and requests a controller action (i.e. /invoices/delete)

33

 * that is not allowed by default (e.g. via $this->Auth->allow('edit') in the Invoices controller) then AuthComponent

34

 * will ask the configured ACL interface if access is granted. Under the assumptions 1. and 2. this will be

35

 * done via a call to Acl->check() with

36

37

 * ```

38

 * array('User' => array('username' => 'jeff', 'group_id' => 4, ...))

39

 * ```

40

41

 * as ARO and

42

43

 * ```

44

 * '/controllers/invoices/delete'

45

 * ```

46

47

 * as ACO.

48

49

 * If the configured map looks like

50

51

 * ```

52

 * $config['map'] = array(

53

 *    'User' => 'User/username',

54

 *    'Role' => 'User/group_id',

55

 * );

56

 * ```

57

58

 * then PhpAcl will lookup if we defined a role like User/jeff. If that role is not found, PhpAcl will try to

59

 * find a definition for Role/4. If the definition isn't found then a default role (Role/default) will be used to

60

 * check rules for the given ACO. The search can be expanded by defining aliases in the alias configuration.

61

 * E.g. if you want to use a more readable name than Role/4 in your definitions you can define an alias like

62

63

 * ```

64

 * $config['alias'] = array(

65

 *    'Role/4' => 'Role/editor',

66

 * );

67

 * ```

68

69

 * In the roles configuration you can define roles on the lhs and inherited roles on the rhs:

70

71

 * ```

72

 * $config['roles'] = array(

73

 *    'Role/admin' => null,

74

 *    'Role/accountant' => null,

75

 *    'Role/editor' => null,

76

 *    'Role/manager' => 'Role/editor, Role/accountant',

77

 *    'User/jeff' => 'Role/manager',

78

 * );

79

 * ```

80

81

 * In this example manager inherits all rules from editor and accountant. Role/admin doesn't inherit from any role.

82

 * Lets define some rules:

83

84

 * ```

85

 * $config['rules'] = array(

86

 *    'allow' => array(

87

 *        '*' => 'Role/admin',

88

 *        'controllers/users/(dashboard|profile)' => 'Role/default',

89

 *        'controllers/invoices/*' => 'Role/accountant',

90

 *        'controllers/articles/*' => 'Role/editor',

91

 *        'controllers/users/*'  => 'Role/manager',

92

 *        'controllers/invoices/delete'  => 'Role/manager',

93

 *    ),

94

 *    'deny' => array(

95

 *        'controllers/invoices/delete' => 'Role/accountant, User/jeff',

96

 *        'controllers/articles/(delete|publish)' => 'Role/editor',

97

 *    ),

98

 * );

99

 * ```

100

101

 * Ok, so as jeff inherits from Role/manager he's matched every rule that references User/jeff, Role/manager,

102

 * Role/editor, and Role/accountant. However, for jeff, rules for User/jeff are more specific than

103

 * rules for Role/manager, rules for Role/manager are more specific than rules for Role/editor and so on.

104

 * This is important when allow and deny rules match for a role. E.g. Role/accountant is allowed

105

 * controllers/invoices/* but at the same time controllers/invoices/delete is denied. But there is a more

106

 * specific rule defined for Role/manager which is allowed controllers/invoices/delete. However, the most specific

107

 * rule denies access to the delete action explicitly for User/jeff, so he'll be denied access to the resource.

108

109

 * If we would remove the role definition for User/jeff, then jeff would be granted access as he would be resolved

110

 * to Role/manager and Role/manager has an allow rule.

111

*/

112

113

/**

114

 * The role map defines how to resolve the user record from your application

115

 * to the roles you defined in the roles configuration.

116

*/

117

$config['map'] = array(

118

        'User' => 'User/username',

119

        'Role' => 'User/group_id',

120

);

121

122

/**

123

 * define aliases to map your model information to

124

 * the roles defined in your role configuration.

125

*/

126

$config['alias'] = array(

127

        'Role/4' => 'Role/editor',

128

);

129

130

/**

131

 * role configuration

132

*/

133

$config['roles'] = array(

134

        'Role/admin' => null,

135

);

136

137

/**

138

 * rule configuration

139

*/

140

$config['rules'] = array(

141

        'allow' => array(

142

                '*' => 'Role/admin',

143

),

144

        'deny' => array(),

145

);

pictcode

pictcode / app / Config / acl.php @ 0b1b8047