public static function isAllowed($model, $action) { // commandline always have full-access if (Context::isTrusted() || $model instanceof Auth && $model->isTrustedAction()) { return true; } $is_allowed = false; $instance = static::getInstance(); $collection_name = $instance->getCollectioName($model); $instance->token = AuthToken::current(); $roles = $instance->getConfig($collection_name, $action); // Ensure array type for roles if (!is_array($roles)) { $roles = array($roles); } foreach ($roles as $role) { // At least one of the configured roles must match if ($is_allowed) { break; } if (in_array($role, $instance->builtInRoles)) { $is_allowed = call_user_func_array(array($instance, 'check' . ucfirst($role)), array($model)); } else { $is_allowed = $instance->checkRole($role); } } return $is_allowed; }
public function delete($name, $_id = null) { $collection = Model\App::collection($name); $success = false; // trusted context: // run a real truncate statement if performing a delete if (Context::isTrusted() && $_id == null && count(Input::get('q')) == 0) { $success = $collection->truncate(); } else { // untrusted context: // remove a single row, or the items from a filter in $query = $_id ? $collection->find($_id) : $collection->filter(Input::get('q')); $success = $query->delete(); } return array('success' => $success); }
/** * Create a new Collection instance. No database operations here. * * @param array $attributes attributes * @return \Model\Collection */ public function create_new(array $attributes = array()) { $instance = null; if (!$this->is_collection) { $instance = new self::$custom_collections[$this->name](); } else { $instance = new Collection(array('table_name' => $this->name)); } $instance->fill($attributes); // Fill '_id' if it's provided and in a trusted context if (isset($attributes['_id']) && Context::isTrusted()) { $instance->_id = $attributes['_id']; } return $instance; }
protected function isUpdateAllowed() { // // Allow updates only when: // - Is using 'server' context. // - Is using 'commandline' context. // - Authenticated user is updating it's own data // return Context::isTrusted() || Role::isAllowed($this, 'update') || $this->isAuthenticated(); }