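<?php
/**
 * This is the PHP base ACL configuration file.
 *
 * Use it to configure access control of your CakePHP application.
 *
 * CakePHP(tm) : Rapid Development Framework (http://cakephp.org)
 * Copyright (c) Cake Software Foundation, Inc. (http://cakefoundation.org)
 *
 * Licensed under The MIT License
 * For full copyright and license information, please see the LICENSE.txt
 * Redistributions of files must retain the above copyright notice.
 *
 * @copyright Copyright (c) Cake Software Foundation, Inc. (http://cakefoundation.org)
 * @link http://cakephp.org CakePHP(tm) Project
 * @package app.Config
 * @since CakePHP(tm) v 2.1
 * @license http://www.opensource.org/licenses/mit-license.php MIT License
 */

/**
 * Example
 * -------
 *
 * Assumptions:
 *
 * 1. In your application you created a User model with the following properties:
 * username, group_id, password, email, firstname, lastname and so on.
 * 2. You configured AuthComponent to authorize actions via
 * $this->Auth->authorize = array('Actions' => array('actionPath' => 'controllers/'),...)
 *
 * Now, when a user (i.e. jeff) authenticates successfully and requests a controller action (i.e. /invoices/delete)
 * that is not allowed by default (e.g. via $this->Auth->allow('edit') in the Invoices controller) then AuthComponent
 * will ask the configured ACL interface if access is granted. Under the assumptions 1. and 2. this will be
 * done via a call to Acl->check() with
 *
 * ```
 * array('User' => array('username' => 'jeff', 'group_id' => 4, ...))
 * ```
 *
 * as ARO and
 *
 * ```
 * '/controllers/invoices/delete'
 * ```
 *
 * as ACO.
 *
 * If the configured map looks like
 *
 * ```
 * $config['map'] = array(
 *     'User' => 'User/username',
 *     'Role' => 'User/group_id',
 * );
 * ```
 *
 * then PhpAcl will look up whether we defined a role like User/jeff. If that role is not found, PhpAcl will try to
 * find a definition for Role/4. If that definition isn't found either, a default role (Role/default) will be used to
 * check rules for the given ACO. The search can be expanded by defining aliases in the alias configuration.
 * E.g. if you want to use a more readable name than Role/4 in your definitions you can define an alias like
 *
 * ```
 * $config['alias'] = array(
 *     'Role/4' => 'Role/editor',
 * );
 * ```
 *
 * In the roles configuration you can define roles on the lhs and inherited roles on the rhs:
 *
 * ```
 * $config['roles'] = array(
 *     'Role/admin' => null,
 *     'Role/accountant' => null,
 *     'Role/editor' => null,
 *     'Role/manager' => 'Role/editor, Role/accountant',
 *     'User/jeff' => 'Role/manager',
 * );
 * ```
 *
 * In this example manager inherits all rules from editor and accountant. Role/admin doesn't inherit from any role.
 * Let's define some rules:
 *
 * ```
 * $config['rules'] = array(
 *     'allow' => array(
 *         '*' => 'Role/admin',
 *         'controllers/users/(dashboard|profile)' => 'Role/default',
 *         'controllers/invoices/*' => 'Role/accountant',
 *         'controllers/articles/*' => 'Role/editor',
 *         'controllers/users/*' => 'Role/manager',
 *         'controllers/invoices/delete' => 'Role/manager',
 *     ),
 *     'deny' => array(
 *         'controllers/invoices/delete' => 'Role/accountant, User/jeff',
 *         'controllers/articles/(delete|publish)' => 'Role/editor',
 *     ),
 * );
 * ```
 *
 * Ok, so as jeff inherits from Role/manager he's matched by every rule that references User/jeff, Role/manager,
 * Role/editor, and Role/accountant. However, for jeff, rules for User/jeff are more specific than
 * rules for Role/manager, rules for Role/manager are more specific than rules for Role/editor and so on.
 * This is important when allow and deny rules match for a role. E.g. Role/accountant is allowed
 * controllers/invoices/* but at the same time controllers/invoices/delete is denied. But there is a more
 * specific rule defined for Role/manager which is allowed controllers/invoices/delete. However, the most specific
 * rule denies access to the delete action explicitly for User/jeff, so he'll be denied access to the resource.
 *
 * If we removed the role definition for User/jeff, then jeff would be granted access as he would be resolved
 * to Role/manager and Role/manager has an allow rule.
 */

/**
 * The role map defines how to resolve the user record from your application
 * to the roles you defined in the roles configuration.
 *
 * With this map, an ARO such as array('User' => array('username' => 'jeff',
 * 'group_id' => 4)) is looked up as User/jeff first, then as Role/4 (after
 * alias expansion), and finally as Role/default. The group_id column is
 * therefore a security-relevant value: it must only be writable by trusted
 * code paths, never through user-controlled mass assignment on the User model.
 */
$config['map'] = array(
	'User' => 'User/username',
	'Role' => 'User/group_id',
);

/**
 * Define aliases to map your model information to the roles defined in your
 * role configuration.
 *
 * NOTE(review): 'Role/editor' is not declared in $config['roles'] below, so
 * this entry appears to be left over from the CakePHP skeleton. It is harmless
 * as written (no rule references Role/editor, so a user with group_id 4 still
 * gets no access), but it also means no alias maps any group_id to
 * 'Role/admin'. Replace it with the real group ids (for example
 * 'Role/1' => 'Role/admin') before relying on these ACL checks in production.
 */
$config['alias'] = array(
	'Role/4' => 'Role/editor',
);

/**
 * Role configuration: each key is a role, each value the comma-separated list
 * of roles it inherits rules from (null = inherits nothing).
 *
 * Only Role/admin exists here; every other resolved ARO (User/<username>,
 * Role/<group_id>, Role/default) has no definition and matches no rule.
 */
$config['roles'] = array(
	'Role/admin' => null,
);

/**
 * Rule configuration.
 *
 * Only Role/admin is allowed anything ('*') and the deny list is empty. With
 * the map and alias above, a user record can reach Role/admin only if its
 * group_id is literally the string 'admin' or an alias maps its group to
 * Role/admin; neither is configured, so every ACL-checked action is refused
 * for every user. NOTE(review): PhpAcl refuses access when no allow rule
 * matches (deny by default) - confirm against
 * lib/Cake/Controller/Component/Acl/PhpAcl.php. That makes this configuration
 * fail-closed, which is the safe direction; keep in mind that actions opened
 * with $this->Auth->allow() bypass these rules entirely, so review those
 * calls with the same care as the allow list here.
 */
$config['rules'] = array(
	'allow' => array(
		'*' => 'Role/admin',
	),
	'deny' => array(),
);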