pictcode / app / Config / acl.php @ 93b01961

<?php
/**
 * This is the PHP base ACL configuration file.
 *
 * Use it to configure access control of your CakePHP application.
 *
 * CakePHP(tm) : Rapid Development Framework (http://cakephp.org)
 * Copyright (c) Cake Software Foundation, Inc. (http://cakefoundation.org)
 *
 * Licensed under The MIT License
 * For full copyright and license information, please see the LICENSE.txt
 * Redistributions of files must retain the above copyright notice.
 *
 * @copyright     Copyright (c) Cake Software Foundation, Inc. (http://cakefoundation.org)
 * @link          http://cakephp.org CakePHP(tm) Project
 * @package       app.Config
 * @since         CakePHP(tm) v 2.1
 * @license       http://www.opensource.org/licenses/mit-license.php MIT License
 */

/**
 * Example
 * -------
 *
 * Assumptions:
 *
 * 1. In your application you created a User model with the following properties:
 *    username, group_id, password, email, firstname, lastname and so on.
 * 2. You configured AuthComponent to authorize actions via
 *    $this->Auth->authorize = array('Actions' => array('actionPath' => 'controllers/'),...)
 *
 * Now, when a user (e.g. jeff) authenticates successfully and requests a controller action (e.g. /invoices/delete)
 * that is not allowed by default (e.g. via $this->Auth->allow('edit') in the Invoices controller) then AuthComponent
 * will ask the configured ACL interface if access is granted. Under the assumptions 1. and 2. this will be
 * done via a call to Acl->check() with
 *
 * ```
 * array('User' => array('username' => 'jeff', 'group_id' => 4, ...))
 * ```
 *
 * as ARO and
 *
 * ```
 * '/controllers/invoices/delete'
 * ```
 *
 * as ACO.
 *
 * If the configured map looks like
 *
 * ```
 * $config['map'] = array(
 *    'User' => 'User/username',
 *    'Role' => 'User/group_id',
 * );
 * ```
 *
 * then PhpAcl will look up whether we defined a role like User/jeff. If that role is not found, PhpAcl will try to
 * find a definition for Role/4. If the definition isn't found then a default role (Role/default) will be used to
 * check rules for the given ACO. The search can be expanded by defining aliases in the alias configuration.
 * E.g. if you want to use a more readable name than Role/4 in your definitions you can define an alias like
 *
 * ```
 * $config['alias'] = array(
 *    'Role/4' => 'Role/editor',
 * );
 * ```
 *
 * In the roles configuration you can define roles on the lhs and inherited roles on the rhs:
 *
 * ```
 * $config['roles'] = array(
 *    'Role/admin' => null,
 *    'Role/accountant' => null,
 *    'Role/editor' => null,
 *    'Role/manager' => 'Role/editor, Role/accountant',
 *    'User/jeff' => 'Role/manager',
 * );
 * ```
 *
 * In this example manager inherits all rules from editor and accountant. Role/admin doesn't inherit from any role.
 * Let's define some rules:
 *
 * ```
 * $config['rules'] = array(
 *    'allow' => array(
 *        '*' => 'Role/admin',
 *        'controllers/users/(dashboard|profile)' => 'Role/default',
 *        'controllers/invoices/*' => 'Role/accountant',
 *        'controllers/articles/*' => 'Role/editor',
 *        'controllers/users/*'  => 'Role/manager',
 *        'controllers/invoices/delete'  => 'Role/manager',
 *    ),
 *    'deny' => array(
 *        'controllers/invoices/delete' => 'Role/accountant, User/jeff',
 *        'controllers/articles/(delete|publish)' => 'Role/editor',
 *    ),
 * );
 * ```
 *
 * Ok, so as jeff inherits from Role/manager he's matched by every rule that references User/jeff, Role/manager,
 * Role/editor, and Role/accountant. However, for jeff, rules for User/jeff are more specific than
 * rules for Role/manager, rules for Role/manager are more specific than rules for Role/editor and so on.
 * This is important when allow and deny rules match for a role. E.g. Role/accountant is allowed
 * controllers/invoices/* but at the same time controllers/invoices/delete is denied. But there is a more
 * specific rule defined for Role/manager which is allowed controllers/invoices/delete. However, the most specific
 * rule denies access to the delete action explicitly for User/jeff, so he'll be denied access to the resource.
 *
 * If we removed the role definition for User/jeff, then jeff would be granted access as he would be resolved
 * to Role/manager and Role/manager has an allow rule.
 */

/**
 * The role map defines how to resolve the user record from your application
 * to the roles you defined in the roles configuration.
 */
$config['map'] = array(
        'User' => 'User/username',
        'Role' => 'User/group_id',
);

/**
 * Define aliases to map your model information to
 * the roles defined in your role configuration.
 */
$config['alias'] = array(
        'Role/4' => 'Role/editor',
);

/**
 * Role configuration
 */
$config['roles'] = array(
        'Role/admin' => null,
);

/**
 * Rule configuration
 */
$config['rules'] = array(
        'allow' => array(
                '*' => 'Role/admin',
        ),
        'deny' => array(),
);
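To make the resolution order described in the comment block above concrete, here is a Python model of it: an added example, not CakePHP's PhpAcl or the pictcode project's code. It re-implements the map -> alias -> roles -> inheritance -> rules walk in simplified form, using the example configuration from the comment, and assumes the same ordering the comment states (a more specific role level overrides a less specific one, a deny overrides an allow at the same level, and no matching rule means denied).

```python
import re
# Example configuration copied from the comment block above (the page's own values).
ROLES = {"Role/admin": None, "Role/accountant": None, "Role/editor": None,
         "Role/manager": "Role/editor, Role/accountant", "User/jeff": "Role/manager"}
ALIAS = {"Role/4": "Role/editor"}
MAP = {"User": "User/username", "Role": "User/group_id"}
RULES = {"allow": {"*": "Role/admin",
                   "controllers/users/(dashboard|profile)": "Role/default",
                   "controllers/invoices/*": "Role/accountant",
                   "controllers/articles/*": "Role/editor",
                   "controllers/users/*": "Role/manager",
                   "controllers/invoices/delete": "Role/manager"},
         "deny": {"controllers/invoices/delete": "Role/accountant, User/jeff",
                  "controllers/articles/(delete|publish)": "Role/editor"}}

def split_roles(spec):
    return {r.strip() for r in spec.split(",")} if spec else set()

def resolve_aro(record, roles=ROLES):
    """map -> alias -> roles: try User/<username>, then Role/<group_id>, else Role/default."""
    for prefix, path in MAP.items():
        model, field = path.split("/")
        candidate = f"{prefix}/{record[model][field]}"
        candidate = ALIAS.get(candidate, candidate)
        if candidate in roles:
            return candidate
    return "Role/default"

def role_levels(role, roles=ROLES):
    """[[role], [roles it inherits from], [their parents], ...], most specific first."""
    levels, current = [], [role]
    while current:
        levels.append(current)
        current = sorted({p for r in current for p in split_roles(roles.get(r))})
    return levels

def matches(pattern, aco):
    """ACO patterns use '*' wildcards and '(a|b)' alternation, as in the rules above."""
    regex = re.escape(pattern)
    for esc, raw in ((r"\*", ".*"), (r"\(", "("), (r"\|", "|"), (r"\)", ")")):
        regex = regex.replace(esc, raw)
    return re.fullmatch(regex, aco) is not None

def check(record, aco, roles=ROLES):
    """Walk levels least specific first so a more specific level overrides; deny beats allow within a level."""
    aco, allowed = aco.lstrip("/"), False  # no matching rule at all: denied
    for level in reversed(role_levels(resolve_aro(record, roles), roles)):
        for kind, verdict in (("allow", True), ("deny", False)):
            if any(matches(p, aco) and split_roles(r) & set(level) for p, r in RULES[kind].items()):
                allowed = verdict
    return allowed
```

Passing a roles dict without the User/jeff entry to check() reproduces the comment's last point: jeff then resolves through Role/4 and only the rules of the aliased role apply.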