<?php
/**
 * Base ACL configuration for the PhpAcl backend.
 *
 * Edit this file to control which roles may reach which controller actions
 * in your CakePHP application. Every section below is a plain array that
 * PhpAcl reads at check time.
 *
 * @link          http://cakephp.org CakePHP(tm) Project
 * @package       app.Config
 * @since         CakePHP(tm) v 2.1
 */

/**
 * Example
 * -------
 *
 * Assumptions:
 *
 * 1. In your application you created a User model with the following properties:
 *    username, group_id, password, email, firstname, lastname and so on.
 * 2. You configured AuthComponent to authorize actions via
 *    $this->Auth->authorize = array('Actions' => array('actionPath' => 'controllers/'),...)
 *
 * Now, when a user (i.e. jeff) authenticates successfully and requests a controller action (i.e. /invoices/delete)
 * that is not allowed by default (e.g. via $this->Auth->allow('edit') in the Invoices controller) then AuthComponent
 * will ask the configured ACL interface if access is granted. Under the assumptions 1. and 2. this will be
 * done via a call to Acl->check() with
 *
 *    array('User' => array('username' => 'jeff', 'group_id' => 4, ...))
 *
 * as ARO and
 *
 *    '/controllers/invoices/delete'
 *
 * as ACO.
 *
 * If the configured map looks like
 *
 *    $config['map'] = array(
 *       'User' => 'User/username',
 *       'Role' => 'User/group_id',
 *    );
 *
 * then PhpAcl will look up whether we defined a role like User/jeff. If that role is not found, PhpAcl will try to
 * find a definition for Role/4. If that definition isn't found either, a default role (Role/default) will be used to
 * check rules for the given ACO. The search can be expanded by defining aliases in the alias configuration.
 * E.g. if you want to use a more readable name than Role/4 in your definitions you can define an alias like
 *
 *    $config['alias'] = array(
 *       'Role/4' => 'Role/editor',
 *    );
 *
 * In the roles configuration you define roles on the lhs and the roles they inherit from on the rhs:
 *
 *    $config['roles'] = array(
 *       'Role/admin' => null,
 *       'Role/accountant' => null,
 *       'Role/editor' => null,
 *       'Role/manager' => 'Role/editor, Role/accountant',
 *       'User/jeff' => 'Role/manager',
 *    );
 *
 * In this example manager inherits all rules from editor and accountant. Role/admin doesn't inherit from any role.
 * Let's define some rules:
 *
 *    $config['rules'] = array(
 *       'allow' => array(
 *               '*' => 'Role/admin',
 *               'controllers/users/(dashboard|profile)' => 'Role/default',
 *               'controllers/invoices/*' => 'Role/accountant',
 *               'controllers/articles/*' => 'Role/editor',
 *               'controllers/users/*'  => 'Role/manager',
 *               'controllers/invoices/delete'  => 'Role/manager',
 *       ),
 *       'deny' => array(
 *               'controllers/invoices/delete' => 'Role/accountant, User/jeff',
 *               'controllers/articles/(delete|publish)' => 'Role/editor',
 *       ),
 *    );
 *
 * Ok, so as jeff inherits from Role/manager he matches every rule that references User/jeff, Role/manager,
 * Role/editor, Role/accountant and Role/default. However, for jeff, rules for User/jeff are more specific than
 * rules for Role/manager, rules for Role/manager are more specific than rules for Role/editor and so on.
 * This is important when allow and deny rules match for a role. E.g. Role/accountant is allowed
 * controllers/invoices/* but at the same time controllers/invoices/delete is denied. But there is a more
 * specific rule defined for Role/manager which is allowed controllers/invoices/delete. However, the most specific
 * rule denies access to the delete action explicitly for User/jeff, so he'll be denied access to the resource.
 *
 * If we removed the role definition for User/jeff, then jeff would be granted access as he would be resolved
 * to Role/manager and Role/manager has an allow rule.
 */

/**
 * Role map: how a user record from your application is translated into the
 * role names used in the roles configuration below.
 *
 * Each key is the prefix of a generated role name and each value names the
 * 'Model/field' whose value is appended to it. With these defaults the ARO
 * array('User' => array('username' => 'jeff', 'group_id' => 4)) produces
 * User/jeff and Role/4, which are looked up in that order (see the example
 * above).
 */
$config['map'] = array();
$config['map']['User'] = 'User/username';
$config['map']['Role'] = 'User/group_id';

/**
 * Aliases: rewrite a generated role name into one declared in the roles
 * configuration, so rules can use readable names instead of database ids.
 *
 * The sample entry points Role/4 at Role/editor, but Role/editor is not
 * declared in $config['roles'] below. Following the lookup order described
 * in the example, a user with group_id 4 would therefore fall through to
 * Role/default under this file as shipped; declare the target role (or drop
 * the sample alias) before relying on it.
 */
$config['alias'] = array();
$config['alias']['Role/4'] = 'Role/editor';

/**
 * Role configuration: keys are role names, values are the comma-separated
 * roles they inherit from, or null for no inheritance.
 *
 * Only Role/admin is declared here. Any requester that matches no declared
 * role is evaluated as Role/default.
 */
$config['roles'] = array();
$config['roles']['Role/admin'] = null;

/**
 * Rule configuration. An ACO is reachable only when an allow rule matches
 * one of the requester's roles and no more specific deny rule overrides it
 * (see the precedence discussion in the example above).
 *
 * As shipped, the single allow rule grants Role/admin every ACO via the '*'
 * wildcard and nothing is granted to Role/default, so requests from any
 * non-admin role are denied until allow rules are added here. Keep the '*'
 * grant limited to the administrative role; add narrower ACO patterns (for
 * example the controllers/users/(dashboard|profile) entry from the example)
 * for everything else.
 */
$config['rules'] = array();
$config['rules']['allow'] = array();
$config['rules']['allow']['*'] = 'Role/admin';
$config['rules']['deny'] = array();