pictcode / lib / Cake / Model / Permission.php @ 26d1f852
履歴 | 表示 | アノテート | ダウンロード (6.44 KB)
1 |
<?php
|
---|---|
2 |
/**
|
3 |
* CakePHP(tm) : Rapid Development Framework (http://cakephp.org)
|
4 |
* Copyright (c) Cake Software Foundation, Inc. (http://cakefoundation.org)
|
5 |
*
|
6 |
* Licensed under The MIT License
|
7 |
* For full copyright and license information, please see the LICENSE.txt
|
8 |
* Redistributions of files must retain the above copyright notice.
|
9 |
*
|
10 |
* @copyright Copyright (c) Cake Software Foundation, Inc. (http://cakefoundation.org)
|
11 |
* @link http://cakephp.org CakePHP(tm) Project
|
12 |
* @package Cake.Model
|
13 |
* @since CakePHP(tm) v 0.2.9
|
14 |
* @license http://www.opensource.org/licenses/mit-license.php MIT License
|
15 |
*/
|
16 |
|
17 |
App::uses('AppModel', 'Model'); |
18 |
|
19 |
/**
|
20 |
* Permissions linking AROs with ACOs
|
21 |
*
|
22 |
* @package Cake.Model
|
23 |
*/
|
24 |
class Permission extends AppModel { |
25 |
|
26 |
/**
|
27 |
* Explicitly disable in-memory query caching
|
28 |
*
|
29 |
* @var bool
|
30 |
*/
|
31 |
public $cacheQueries = false; |
32 |
|
33 |
/**
|
34 |
* Override default table name
|
35 |
*
|
36 |
* @var string
|
37 |
*/
|
38 |
public $useTable = 'aros_acos'; |
39 |
|
40 |
/**
|
41 |
* Permissions link AROs with ACOs
|
42 |
*
|
43 |
* @var array
|
44 |
*/
|
45 |
public $belongsTo = array('Aro', 'Aco'); |
46 |
|
47 |
/**
|
48 |
* No behaviors for this model
|
49 |
*
|
50 |
* @var array
|
51 |
*/
|
52 |
public $actsAs = null; |
53 |
|
54 |
/**
|
55 |
* Constructor, used to tell this model to use the
|
56 |
* database configured for ACL
|
57 |
*/
|
58 |
public function __construct() { |
59 |
$config = Configure::read('Acl.database'); |
60 |
if (!empty($config)) { |
61 |
$this->useDbConfig = $config; |
62 |
} |
63 |
parent::__construct();
|
64 |
} |
65 |
|
66 |
/**
|
67 |
* Checks if the given $aro has access to action $action in $aco
|
68 |
*
|
69 |
* @param string $aro ARO The requesting object identifier.
|
70 |
* @param string $aco ACO The controlled object identifier.
|
71 |
* @param string $action Action (defaults to *)
|
72 |
* @return bool Success (true if ARO has access to action in ACO, false otherwise)
|
73 |
*/
|
74 |
public function check($aro, $aco, $action = '*') { |
75 |
if (!$aro || !$aco) { |
76 |
return false; |
77 |
} |
78 |
|
79 |
$permKeys = $this->getAcoKeys($this->schema()); |
80 |
$aroPath = $this->Aro->node($aro); |
81 |
$acoPath = $this->Aco->node($aco); |
82 |
|
83 |
if (!$aroPath) { |
84 |
$this->log(__d('cake_dev', |
85 |
"%s - Failed ARO node lookup in permissions check. Node references:\nAro: %s\nAco: %s",
|
86 |
'DbAcl::check()',
|
87 |
print_r($aro, true), |
88 |
print_r($aco, true)), |
89 |
E_USER_WARNING
|
90 |
); |
91 |
return false; |
92 |
} |
93 |
|
94 |
if (!$acoPath) { |
95 |
$this->log(__d('cake_dev', |
96 |
"%s - Failed ACO node lookup in permissions check. Node references:\nAro: %s\nAco: %s",
|
97 |
'DbAcl::check()',
|
98 |
print_r($aro, true), |
99 |
print_r($aco, true)), |
100 |
E_USER_WARNING
|
101 |
); |
102 |
return false; |
103 |
} |
104 |
|
105 |
if ($action !== '*' && !in_array('_' . $action, $permKeys)) { |
106 |
$this->log(__d('cake_dev', "ACO permissions key %s does not exist in %s", $action, 'DbAcl::check()'), E_USER_NOTICE); |
107 |
return false; |
108 |
} |
109 |
|
110 |
$inherited = array(); |
111 |
$acoIDs = Hash::extract($acoPath, '{n}.' . $this->Aco->alias . '.id'); |
112 |
|
113 |
$count = count($aroPath); |
114 |
for ($i = 0; $i < $count; $i++) { |
115 |
$permAlias = $this->alias; |
116 |
|
117 |
$perms = $this->find('all', array( |
118 |
'conditions' => array( |
119 |
"{$permAlias}.aro_id" => $aroPath[$i][$this->Aro->alias]['id'], |
120 |
"{$permAlias}.aco_id" => $acoIDs |
121 |
), |
122 |
'order' => array($this->Aco->alias . '.lft' => 'desc'), |
123 |
'recursive' => 0 |
124 |
)); |
125 |
|
126 |
if (empty($perms)) { |
127 |
continue;
|
128 |
} |
129 |
$perms = Hash::extract($perms, '{n}.' . $this->alias); |
130 |
foreach ($perms as $perm) { |
131 |
if ($action === '*') { |
132 |
|
133 |
foreach ($permKeys as $key) { |
134 |
if (!empty($perm)) { |
135 |
if ($perm[$key] == -1) { |
136 |
return false; |
137 |
} elseif ($perm[$key] == 1) { |
138 |
$inherited[$key] = 1; |
139 |
} |
140 |
} |
141 |
} |
142 |
|
143 |
if (count($inherited) === count($permKeys)) { |
144 |
return true; |
145 |
} |
146 |
} else {
|
147 |
switch ($perm['_' . $action]) { |
148 |
case -1: |
149 |
return false; |
150 |
case 0: |
151 |
continue;
|
152 |
case 1: |
153 |
return true; |
154 |
} |
155 |
} |
156 |
} |
157 |
} |
158 |
return false; |
159 |
} |
160 |
|
161 |
/**
|
162 |
* Allow $aro to have access to action $actions in $aco
|
163 |
*
|
164 |
* @param string $aro ARO The requesting object identifier.
|
165 |
* @param string $aco ACO The controlled object identifier.
|
166 |
* @param string $actions Action (defaults to *) Invalid permissions will result in an exception
|
167 |
* @param int $value Value to indicate access type (1 to give access, -1 to deny, 0 to inherit)
|
168 |
* @return bool Success
|
169 |
* @throws AclException on Invalid permission key.
|
170 |
*/
|
171 |
public function allow($aro, $aco, $actions = '*', $value = 1) { |
172 |
$perms = $this->getAclLink($aro, $aco); |
173 |
$permKeys = $this->getAcoKeys($this->schema()); |
174 |
$save = array(); |
175 |
|
176 |
if (!$perms) { |
177 |
$this->log(__d('cake_dev', '%s - Invalid node', 'DbAcl::allow()'), E_USER_WARNING); |
178 |
return false; |
179 |
} |
180 |
if (isset($perms[0])) { |
181 |
$save = $perms[0][$this->alias]; |
182 |
} |
183 |
|
184 |
if ($actions === '*') { |
185 |
$save = array_combine($permKeys, array_pad(array(), count($permKeys), $value)); |
186 |
} else {
|
187 |
if (!is_array($actions)) { |
188 |
$actions = array('_' . $actions); |
189 |
} |
190 |
foreach ($actions as $action) { |
191 |
if ($action{0} !== '_') { |
192 |
$action = '_' . $action; |
193 |
} |
194 |
if (!in_array($action, $permKeys, true)) { |
195 |
throw new AclException(__d('cake_dev', 'Invalid permission key "%s"', $action)); |
196 |
} |
197 |
$save[$action] = $value; |
198 |
} |
199 |
} |
200 |
list($save['aro_id'], $save['aco_id']) = array($perms['aro'], $perms['aco']); |
201 |
|
202 |
if ($perms['link'] && !empty($perms['link'])) { |
203 |
$save['id'] = $perms['link'][0][$this->alias]['id']; |
204 |
} else {
|
205 |
unset($save['id']); |
206 |
$this->id = null; |
207 |
} |
208 |
return ($this->save($save) !== false); |
209 |
} |
210 |
|
211 |
/**
|
212 |
* Get an array of access-control links between the given Aro and Aco
|
213 |
*
|
214 |
* @param string $aro ARO The requesting object identifier.
|
215 |
* @param string $aco ACO The controlled object identifier.
|
216 |
* @return array Indexed array with: 'aro', 'aco' and 'link'
|
217 |
*/
|
218 |
public function getAclLink($aro, $aco) { |
219 |
$obj = array(); |
220 |
$obj['Aro'] = $this->Aro->node($aro); |
221 |
$obj['Aco'] = $this->Aco->node($aco); |
222 |
|
223 |
if (empty($obj['Aro']) || empty($obj['Aco'])) { |
224 |
return false; |
225 |
} |
226 |
$aro = Hash::extract($obj, 'Aro.0.' . $this->Aro->alias . '.id'); |
227 |
$aco = Hash::extract($obj, 'Aco.0.' . $this->Aco->alias . '.id'); |
228 |
$aro = current($aro); |
229 |
$aco = current($aco); |
230 |
|
231 |
return array( |
232 |
'aro' => $aro, |
233 |
'aco' => $aco, |
234 |
'link' => $this->find('all', array('conditions' => array( |
235 |
$this->alias . '.aro_id' => $aro, |
236 |
$this->alias . '.aco_id' => $aco |
237 |
))) |
238 |
); |
239 |
} |
240 |
|
241 |
/**
|
242 |
* Get the crud type keys
|
243 |
*
|
244 |
* @param array $keys Permission schema
|
245 |
* @return array permission keys
|
246 |
*/
|
247 |
public function getAcoKeys($keys) { |
248 |
$newKeys = array(); |
249 |
$keys = array_keys($keys); |
250 |
foreach ($keys as $key) { |
251 |
if (!in_array($key, array('id', 'aro_id', 'aco_id'))) { |
252 |
$newKeys[] = $key; |
253 |
} |
254 |
} |
255 |
return $newKeys; |
256 |
} |
257 |
} |