public static function authorize_list($identity = null, $accessType, $blueprintKey, $where = null)
{
$tag = "Guardian::authorize_list()";
Log::debug("{$tag} <identity={$identity}, accessType={$accessType}, blueprintKey={$blueprintKey}, where={$where}>");
if ($accessType != "SELECT") {
Log::warning("{$tag}: accessType != SELECT");
throw new Exception("{$tag}: accessType != SELECT");
}
$instance = Guardian::instance();
// Convenience variables
$xml = $instance->xml;
list($guardian_identity_table, , ) = explode(".", BPConfig::$guardian_identity_blueprint);
Log::debug("* Identity Table = {$guardian_identity_table}");
// Sanitize arguments
if ($identity != null) {
if (empty($identity) || !is_numeric($identity)) {
Log::debug("! Setting identity to null");
$identity = null;
}
}
/*
// LAST MINUTE PROCESSING
// Define a placeholder $listRows to hold results of GuardianListDrafter:initListRows() (if necessary)
*/
$listRows = null;
// Search Resources for a block matching the requested blueprintKey
foreach ($xml->Resource as $resource) {
$key = (string) $resource["key"];
Log::debug("{$tag}: Considering Resource with key '{$key}'");
if ($key == "*" || $key == $blueprintKey || strpos($key, "*") !== false && strpos($blueprintKey, substr($key, 0, strpos($key, "*"))) === 0) {
Log::debug("{$tag}: Resource matches requested blueprint key");
foreach ($resource->AccessGroup as $accessGroup) {
$type = (string) $accessGroup["type"];
Log::debug("{$tag}: Considering AccessGroup of type '{$type}'");
if ($type == "*" || strpos($type, $accessType) !== false) {
Log::debug("{$tag}: AccessGroup includes requested access type");
// The requestor must pass ALL rules in an <AccessGroup> to be granted access
$flag_failure = false;
foreach ($accessGroup->children() as $rule) {
$kind = $rule->getName();
Log::debug("{$tag}: Evaluating rule '{$kind}'");
if ($kind != "Ownership") {
if ($instance->test_access_rule($rule, $identity, null) === false) {
Log::debug("{$tag}: Failed rule '{$kind}'. No access under this group");
$flag_failure = true;
// Immediately stop checking rules under this AccessGroup, and move on to the next AccessGroup
break;
}
} else {
// LAST MINUTE PROCESSING; init ListDrafter
if ($listRows == null) {
Log::debug("{$tag}: Initializing GuardianListDrafter to build a list of entities for ownership testing");
try {
$entityBP = BlueprintReader::read($blueprintKey . ".entity.xml");
if ($where != null) {
$params = array("where" => $where);
} else {
$params = null;
}
$listDrafter = new GuardianListDrafter($entityBP, null, $params);
$listRows = $listDrafter->getListRows();
} catch (Exception $e) {
Log::error("{$tag}: Caught: " . $e->getMessage());
throw $e;
}
}
if ($instance->test_access_list_rule_ownership($rule, $identity, $listRows) === false) {
Log::debug("{$tag}: Failed rule '{$kind}'. No access under this group");
$flag_failure = true;
// Immediately stop checking rules under this AccessGroup, and move on to the next AccessGroup
break;
}
}
}
if ($flag_failure === false) {
Log::debug("{$tag}: Passed all rules of access group");
return true;
} else {
// continue with next AccessGruop
}
} else {
Log::debug("{$tag}: AccessGroup does not include requested access type");
}
}
// END: foreach($resource->AccessGroup as $accessGroup)
} else {
Log::debug("{$tag}: Resource does not match requested blueprint key");
}
}
// END: foreach($xml->Resource as $resource)
return false;
}
