/**
 * Build the default-deny ACL for the 'guest', 'user' and 'admin' roles over
 * the 'users' and 'index' controllers and publish it in Zend_Registry('acl').
 *
 * 'user' inherits every grant given to 'guest'; 'admin' is a standalone role
 * that is allowed everything. Resources are controller names, privileges are
 * action names, so views/plugins check isAllowed($role, $controller, $action).
 */
public function __construct()
{
    $acl = new Zend_Acl();

    // Roles.
    $acl->addRole(new Zend_Acl_Role('guest'))
        ->addRole(new Zend_Acl_Role('user'), 'guest')
        ->addRole(new Zend_Acl_Role('admin'));

    // Resources: one per controller that is policed.
    foreach (array('users', 'index') as $controller) {
        $acl->add(new Zend_Acl_Resource($controller));
    }

    // Start closed, then grant explicitly.
    $acl->deny();
    $acl->allow('admin', null); // every resource, every action

    // Anonymous visitors: sign-in, sign-up, confirmation, front page.
    $acl->allow('guest', 'users', array('login', 'registration', 'confirm'));
    $acl->allow('guest', 'index');

    // Signed-in users inherit the guest grants; add logout and take back the
    // anonymous-only actions. NOTE(review): 'confirm' is still inherited from
    // guest and remains reachable for 'user' — verify that is intended.
    $acl->allow('user', 'users', array('logout'));
    $acl->deny('user', 'users', array('login', 'registration'));

    // Published globally so views and plugins can consult it.
    Zend_Registry::set('acl', $acl);
}
/**
 * Build and return the application ACL.
 *
 * Roles: 'super' (everything), 'admin' (inherits from super, minus the
 * explicit denies below), 'researcher', 'contributor' (inherits from
 * researcher). Resources are controller names and privileges are action
 * names. A null role in allow()/deny() means every role, including
 * unauthenticated visitors.
 *
 * Zend_Acl resolves the most specific matching rule, so the order of calls
 * below only matters where two rules target the same role/resource/privilege.
 *
 * @return Zend_Acl
 */
public function getAcl()
{
    $acl = new Zend_Acl();
    // Add roles.
    $acl->addRole('super');
    // Admins inherit privileges from super users.
    $acl->addRole('admin', 'super');
    $acl->addRole('researcher');
    // Contributors inherit privileges from researchers.
    $acl->addRole('contributor', 'researcher');
    // Add resources, corresponding to Omeka controllers.
    $resources = array('Items', 'Collections', 'ElementSets', 'Files', 'Plugins', 'Settings', 'Security', 'Upgrade', 'Tags', 'Themes', 'SystemInfo', 'ItemTypes', 'Users', 'Search', 'Appearance', 'Elements');
    foreach ($resources as $resource) {
        $acl->addResource($resource);
    }
    // Define allow rules for everyone (null role = all roles, anonymous included).
    // Everyone can view and browse these resources.
    $acl->allow(null, array('Items', 'ItemTypes', 'Tags', 'Collections', 'Search', 'ElementSets', 'Elements'), array('index', 'browse', 'show', 'home', 'print-cart'));
    // Everyone can view an item's tags and use the item search.
    $acl->allow(null, array('Items'), array('tags', 'search'));
    // Everyone can view files.
    $acl->allow(null, 'Files', 'show');
    // Non-authenticated users can access the upgrade script, for logistical reasons.
    // NOTE(review): this opens every action of the Upgrade controller to anonymous
    // visitors; the controller itself must refuse to do anything when no upgrade
    // is pending — confirm that guard exists.
    $acl->allow(null, 'Upgrade');
    // Deny privileges from admin users
    $acl->deny('admin', array('Settings', 'Plugins', 'Themes', 'ElementSets', 'Security', 'SystemInfo', 'Appearance'));
    // Assert ownership for certain privileges.
    // Owners can edit and delete items and collections. The role is null, so the
    // assertion alone restricts this: Omeka_Acl_Assert_Ownership is expected to
    // reject anonymous users — verify.
    $acl->allow(null, array('Items', 'Collections'), array('edit', 'delete'), new Omeka_Acl_Assert_Ownership());
    // Owners can edit files.
    $acl->allow(null, 'Files', 'edit', new Omeka_Acl_Assert_Ownership());
    // Define allow rules for specific roles.
    // Super users have full privileges.
    $acl->allow('super');
    // Researchers can view and search items and collections that are not public.
    $acl->allow('researcher', array('Items', 'Collections', 'Search'), 'showNotPublic');
    // Contributors can add and tag items, edit or delete their own items, and see
    // their items that are not public.
    $acl->allow('contributor', 'Items', array('add', 'tag', 'batch-edit', 'batch-edit-save', 'change-type', 'delete-confirm', 'editSelf', 'deleteSelf', 'showSelfNotPublic'));
    // Contributors can edit their own files.
    $acl->allow('contributor', 'Files', 'editSelf');
    // Contributors have access to tag autocomplete.
    $acl->allow('contributor', 'Tags', array('autocomplete'));
    // Contributors can add collections, edit or delete their own collections, and
    // see their collections that are not public.
    $acl->allow('contributor', 'Collections', array('add', 'delete-confirm', 'editSelf', 'deleteSelf', 'showSelfNotPublic'));
    $acl->allow('contributor', 'Elements', 'element-form');
    // Define deny rules.
    // Deny admins from accessing some resources allowed to super users.
    // (Redundant with the earlier admin deny, which also covers 'Appearance'; harmless.)
    $acl->deny('admin', array('Settings', 'Plugins', 'Themes', 'ElementSets', 'Security', 'SystemInfo'));
    // Deny admins from deleting item types and item type elements.
    $acl->deny('admin', 'ItemTypes', array('delete', 'delete-element'));
    // Deny Users to admins since they normally have all the super permissions.
    // Close the Users controller for everyone, then re-open it for the named roles
    // only where Omeka_Acl_Assert_User agrees (per-user checks live in the assertion).
    $acl->deny(null, 'Users');
    $acl->allow(array('super', 'admin', 'contributor', 'researcher'), 'Users', null, new Omeka_Acl_Assert_User());
    // Always allow users to login, logout and send forgot-password notifications.
    // null in the role list = every role, so these actions are open to anonymous visitors too.
    $acl->allow(array(null, 'admin'), 'Users', array('login', 'logout', 'forgot-password', 'activate'));
    return $acl;
}
/**
 * Test fixture: reset the front controller, create a fresh HTTP request,
 * put Zend_Session into unit-test mode and build a minimal default-deny ACL
 * with the guest role and an authenticated role that inherits from guest.
 */
protected function setUp()
{
    \Zend_Controller_Front::getInstance()->resetInstance();
    $this->request = new \Zend_Controller_Request_Http();
    \Zend_Session::$_unitTestEnabled = true;

    $acl = new \Zend_Acl();
    $acl->deny(); // nothing is allowed until a test grants it
    $acl->addRole(new \Zend_Acl_Role(Acl::ROLE_GUEST));
    $acl->addRole(new \Zend_Acl_Role(Acl::ROLE_AUTHENTICATED), Acl::ROLE_GUEST);
    $this->acl = $acl;

    parent::setUp();
}
/**
 * (Re)build the Zend_Acl from the role, resource and permission lists.
 *
 * The existing ACL is emptied first (removeAll), so an exception half-way
 * through leaves it partially populated — callers should treat a failure
 * here as "no usable ACL". Roles and resources are each registered twice:
 * once under their numeric id (the id entry carries the parent links from
 * the *ParentList tables and is what permission rows refer to) and once
 * under their name, as a child of the id entry. Permission rows are applied
 * at resource level with no privilege, i.e. they allow or deny every action
 * on that resource; a missing or falsy 'allowed' flag denies (fail closed).
 *
 * NOTE(review): Zend_Acl requires a parent to exist before its children.
 * Entries are added in insertion order, so a parent id that appears later in
 * the list than a child makes addRole()/addResource() throw. A role name that
 * equals another role's id (or a resource name equal to a resource id)
 * overwrites that id entry in the temp array.
 *
 * @return void
 */
public function buildAcl()
{
    if (is_null($this->acl)) {
        $this->acl = new Zend_Acl();
    }
    $this->acl->removeAll();
    $permissions = $this->getPermissionList();
    $resources = $this->getResourceList();
    $resourceParents = $this->getResourceParentList();
    $roles = $this->getRoleList();
    $roleParents = $this->getRoleParentList();

    // Roles: id entry (parents filled in below) + name entry inheriting from the id.
    $rolesTmp = array();
    foreach ($roles as $role) {
        $roleId = $role['role_id'];
        $roleName = $role['role_name'];
        $rolesTmp[$roleId] = array('name' => $roleId, 'parents' => array());
        $rolesTmp[$roleName] = array('name' => $roleName, 'parents' => array($roleId));
    }
    foreach ($roleParents as $roleParent) {
        $roleId = $roleParent['role_id'];
        $roleIdParent = $roleParent['role_id_parent'];
        // A role_id unknown to $roles creates a bare entry without 'name' here,
        // and addRole() below then fails — the list is expected to be consistent.
        $rolesTmp[$roleId]['parents'][] = $roleIdParent;
    }
    foreach ($rolesTmp as $role) {
        $this->acl->addRole($role['name'], $role['parents']);
    }

    // Resources: same id/name scheme; a resource has at most one parent.
    $resourcesTmp = array();
    foreach ($resources as $resource) {
        $resourceId = $resource['resource_id'];
        $resourceName = $resource['resource_name'];
        $resourcesTmp[$resourceId] = array('name' => $resourceId, 'parent' => null);
        $resourcesTmp[$resourceName] = array('name' => $resourceName, 'parent' => $resourceId);
    }
    foreach ($resourceParents as $resourceParent) {
        $resourceId = $resourceParent['resource_id'];
        $resourceIdParent = $resourceParent['resource_id_parent'];
        $resourcesTmp[$resourceId]['parent'] = $resourceIdParent;
    }
    foreach ($resourcesTmp as $resource) {
        $this->acl->addResource($resource['name'], $resource['parent']);
    }

    // Permissions: resource-wide allow/deny per role id; empty 'allowed' denies.
    foreach ($permissions as $permission) {
        if (empty($permission['allowed'])) {
            $this->acl->deny($permission['role_id'], $permission['resource_id']);
        } else {
            $this->acl->allow($permission['role_id'], $permission['resource_id']);
        }
    }
}
/**
 * Bootstrap resource: build the ACL (two roles over a fixed set of
 * controller resources) and register the Plugin_AclUtils front-controller
 * plugin that enforces it.
 *
 * Default deny. 'guest' may only reach the 'auth' controller; 'admin'
 * (which inherits from 'guest') is allowed everything.
 * NOTE(review): no 'error' resource is registered, so the plugin must
 * special-case the error controller itself — confirm it does.
 */
protected function _initAlc()
{
    $acl = new Zend_Acl();

    // One resource per controller that the plugin is expected to police.
    $controllers = array(
        'auth', 'index', 'models-generator', 'slugify', 'sefurl', 'search-index',
        'test', 'xml-catalog-generator', 'csv-catalog-generator', 'cache-manager',
        'update-image-catalog', 'products-draft',
    );
    foreach ($controllers as $name) {
        $acl->addResource(new Zend_Acl_Resource($name));
    }

    // Roles: an unauthenticated visitor and an administrator inheriting from it.
    $acl->addRole('guest');
    $acl->addRole('admin', 'guest');

    // Nothing is allowed unless listed here.
    $acl->deny();
    $acl->allow('guest', 'auth'); // guests can only log in
    $acl->allow('admin');         // admin may do everything

    // Hand the ACL and the authentication service to the enforcing plugin.
    $front = Zend_Controller_Front::getInstance();
    $front->registerPlugin(new Plugin_AclUtils($acl, Zend_Auth::getInstance()));
}
/**
 * Two-role ACL (guest / admin) published in Zend_Registry under 'acl'.
 *
 * Default deny; admin may do everything. Guest may reach only:
 *   auth: index, check           login form and credential check
 *   maps: cronmaps               cron entry point — reachable without login;
 *                                make sure it is idempotent and rate-limited
 *                                or restricted at the web-server level
 *   best, news: scan, redirect
 *
 * NOTE(review): the original wrote the last grant as
 * allow('guest', array('module' => 'best', 'controller' => 'news'), ...).
 * Zend_Acl ignores array keys and treats every value as a resource, so that
 * call grants scan/redirect on BOTH the 'best' and the 'news' controllers.
 * The same grant is spelled out explicitly below so what is opened is visible.
 */
public function __construct()
{
    $acl = new Zend_Acl();

    $acl->addRole(new Zend_Acl_Role('guest'));
    $acl->addRole(new Zend_Acl_Role('admin'));

    $controllers = array('sites', 'index', 'logs', 'auth', 'maps', 'best', 'news');
    foreach ($controllers as $controller) {
        $acl->add(new Zend_Acl_Resource($controller));
    }

    // No role, or no matching rule: denied.
    $acl->deny();
    // Admin: everything.
    $acl->allow('admin', null);

    // Guest: the listed controller/action pairs only.
    $guestGrants = array(
        'auth' => array('index', 'check'),
        'maps' => array('cronmaps'),
        'best' => array('scan', 'redirect'),
        'news' => array('scan', 'redirect'),
    );
    foreach ($guestGrants as $controller => $actions) {
        $acl->allow('guest', $controller, $actions);
    }

    Zend_Registry::set('acl', $acl);
}
/**
 * removeDeny() with a null resource must lift the 'read' deny on every
 * resource, and deny() with a null resource must re-apply it to every
 * resource.
 *
 * @group ZF-9643
 */
public function testRemoveDenyWithNullResourceAppliesToAllResources()
{
    $acl = $this->_acl;
    $resources = array('blogpost', 'newsletter');

    $acl->addRole('guest');
    foreach ($resources as $res) {
        $acl->addResource($res);
    }

    // Global allow, then a per-resource deny of 'read' on each resource.
    $acl->allow();
    foreach ($resources as $res) {
        $acl->deny('guest', $res, 'read');
    }
    foreach ($resources as $res) {
        $this->assertFalse($acl->isAllowed('guest', $res, 'read'));
    }

    // Removing one specific deny only affects that resource.
    $acl->removeDeny('guest', 'newsletter', 'read');
    $this->assertFalse($acl->isAllowed('guest', 'blogpost', 'read'));
    $this->assertTrue($acl->isAllowed('guest', 'newsletter', 'read'));

    // Removing with a null resource clears the remaining deny too.
    $acl->removeDeny('guest', null, 'read');
    foreach ($resources as $res) {
        $this->assertTrue($acl->isAllowed('guest', $res, 'read'));
    }

    // And a null-resource deny applies to all resources again.
    $acl->deny('guest', null, 'read');
    foreach ($resources as $res) {
        $this->assertFalse($acl->isAllowed('guest', $res, 'read'));
    }
}
/**
 * Register $obj as an ACL resource, parented under a per-class resource.
 *
 * The parent resource id is the last underscore-separated segment of the
 * lower-cased class name (e.g. Default_Model_Foo -> 'foo') and is created on
 * first use. Objects reporting isPrivate() additionally get a deny rule for
 * every role, gated by Default_Model_Acl_HasPermissionAssertion: Zend_Acl
 * applies a rule only while its assertion returns true, so check that
 * assertion's semantics before relying on the name.
 *
 * @param object $obj expected to provide getResourceId() and isPrivate()
 *                    (and to be acceptable to Zend_Acl::has())
 * @return bool false when $obj is not an object or is already registered,
 *              true once the resource (and any deny rule) has been added
 */
public function addResource($obj)
{
    if (!is_object($obj)) {
        return false;
    }
    if ($this->_acl->has($obj)) {
        return false;
    }

    // Parent resource derived from the class name, created lazily.
    $classParts = explode('_', strtolower(get_class($obj)));
    $parentId = array_pop($classParts);
    if (!$this->_acl->has($parentId)) {
        $this->_acl->addResource(new Zend_Acl_Resource($parentId));
    }

    $resourceId = $obj->getResourceId();
    $this->_acl->addResource($resourceId, $parentId);

    if ($obj->isPrivate()) {
        $gate = new Default_Model_Acl_HasPermissionAssertion();
        $this->_acl->deny(null, $resourceId, null, $gate);
    }

    return true;
}
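/**
 * Load the ACL rules from the rules storage into the Zend_Acl instance.
 *
 * Every rule is validated before it is applied: its type must be one of
 * $this->_ruleTypes, and its role and resource must already be registered
 * in the ACL. When a rule names an assertion class, that class must exist
 * and implement Zend_Acl_Assert_Interface. The rule store is configuration
 * that an administrator — or anyone able to write to it — controls, so an
 * arbitrary class name is refused with the module's own exception rather
 * than instantiated blindly (which previously ended in a fatal error for a
 * missing class or a type error inside Zend_Acl for a wrong one).
 *
 * @throws Excore_Acl_Rules_Exception on an invalid rule type, an unknown
 *         role or resource, or an unusable assertion class
 * @return void
 */
protected function _loadRules()
{
    $rules = $this->_rules->getAll();
    foreach ($rules as $rule) {
        if (!in_array($rule['type'], $this->_ruleTypes)) {
            throw new Excore_Acl_Rules_Exception("Rule type `{$rule['type']}` is invalid rule type for current settings");
        }

        $role = new Zend_Acl_Role($rule['roleId']);
        if (!$this->_acl->hasRole($role)) {
            throw new Excore_Acl_Rules_Exception("Role `{$rule['roleId']}` found in rules storage, but was not in roles storage");
        }

        $resource = new Zend_Acl_Resource($rule['resourceId']);
        if (!$this->_acl->has($resource)) {
            throw new Excore_Acl_Rules_Exception("Resource `{$rule['resourceId']}` found in rules storage, but was not in resources storage");
        }

        $assert = null;
        if ($rule['assert'] !== null) {
            $assertName = $rule['assert'];
            $shown = is_string($assertName) ? $assertName : gettype($assertName);
            // Only an existing class may be instantiated from a stored name.
            if (!is_string($assertName) || $assertName === '' || !class_exists($assertName)) {
                throw new Excore_Acl_Rules_Exception("Assertion class `{$shown}` found in rules storage, but does not exist");
            }
            $assert = new $assertName();
            // Zend_Acl type-hints Zend_Acl_Assert_Interface; fail with our exception instead.
            if (!$assert instanceof Zend_Acl_Assert_Interface) {
                throw new Excore_Acl_Rules_Exception("Assertion class `{$shown}` does not implement Zend_Acl_Assert_Interface");
            }
        }

        switch ($rule['type']) {
            case $this->_ruleTypes['TYPE_ALLOW']:
                $this->_acl->allow($role, $resource, $rule['privileges'], $assert);
                break;
            case $this->_ruleTypes['TYPE_DENY']:
                $this->_acl->deny($role, $resource, $rule['privileges'], $assert);
                break;
        }
    }
}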
/**
 * ItemTable::getSelect() must emit a bare select while no ACL is
 * registered, and must restrict to public items once an ACL denying
 * 'showNotPublic' to every role is placed in the bootstrap container.
 */
public function testGetSelectAclIntegration()
{
    // Without an ACL there is no visibility clause.
    $bareSql = (string) $this->table->getSelect();
    $this->assertEquals("SELECT items.* FROM omeka_items AS items", $bareSql);

    // Minimal ACL that hides non-public items from everyone.
    $acl = new Zend_Acl();
    $acl->add(new Zend_Acl_Resource('Items'));
    $acl->deny(null, 'Items', 'showNotPublic');
    $container = Zend_Registry::get('bootstrap')->getContainer();
    $container->acl = $acl;

    $restrictedSql = (string) $this->table->getSelect();
    $this->assertContains("WHERE (items.public = 1)", $restrictedSql);
}
/**
 * Deny $permission (used as the Zend_Acl role) on $permissible, or globally
 * when no permissible object is given.
 *
 * The role and the resource are created on demand; the resource id is the
 * permissible's getPermissionID(), or the literal "GLOBAL".
 *
 * @param string             $permission  permission name (the ACL role)
 * @param QFrame_Permissible $permissible object to deny access to (optional)
 * @return void
 */
public function deny($permission, QFrame_Permissible $permissible = null)
{
    $resourceId = "GLOBAL";
    if ($permissible !== null) {
        $resourceId = $permissible->getPermissionID();
    }

    if (!$this->acl->hasRole($permission)) {
        $this->acl->addRole(new Zend_Acl_Role($permission));
    }
    if (!$this->acl->has($resourceId)) {
        $this->acl->add(new Zend_Acl_Resource($resourceId));
    }

    $this->acl->deny($permission, $resourceId);
}
/**
 * Default-deny ACL with three roles — guest, user (inherits guest) and
 * admin — over the 'users' and 'index' controllers; published in
 * Zend_Registry under 'acl'.
 */
public function __construct()
{
    $acl = new Zend_Acl();

    $guest = new Zend_Acl_Role('guest');
    $user = new Zend_Acl_Role('user');
    $admin = new Zend_Acl_Role('admin');
    $acl->addRole($guest);
    $acl->addRole($user, 'guest');
    $acl->addRole($admin);

    $acl->add(new Zend_Acl_Resource('users'))
        ->add(new Zend_Acl_Resource('index'));

    // Closed by default; admin is allowed everything.
    $acl->deny();
    $acl->allow('admin', null);

    // Anonymous visitors: sign-in, sign-up, account confirmation, front page.
    $acl->allow('guest', 'users', array('login', 'registration', 'confirm'));
    $acl->allow('guest', 'index');

    // Signed-in users inherit the above; add logout and take back the
    // anonymous-only actions. NOTE(review): 'confirm' stays inherited — verify.
    $acl->allow('user', 'users', array('logout'));
    $acl->deny('user', 'users', array('login', 'registration'));

    Zend_Registry::set('acl', $acl);
}
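/**
 * Load every stored ACL row and apply it as an allow or a deny rule.
 *
 * A row grants access only when its allowed flag is exactly the string
 * 'yes'; anything else (null, 0, 'YES', 'no', ...) becomes a deny. The
 * comparison is strict on purpose: with loose `==` on PHP < 8 a non-string
 * value such as integer 0 compares equal to 'yes' and would silently grant.
 * If the mapper ever returns a boolean for this column, normalise it before
 * the comparison rather than loosening it again.
 *
 * @return void
 */
protected function _loadPermissions()
{
    $acls = Auth_Model_AclMapper::getInstance()->fetchAll(array());
    /* @var $acl Auth_Model_Acl */
    foreach ($acls as $acl) {
        $role = $this->getRoleCode($acl->get_role_id());
        $resource = $acl->get_resource_code();
        $privilege = $acl->get_privilege_code();

        if ($acl->get_allowed() === 'yes') {
            $this->_acl->allow($role, $resource, $privilege);
        } else {
            // Fail closed: anything that is not an explicit 'yes' denies.
            $this->_acl->deny($role, $resource, $privilege);
        }
    }
}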
/**
 * Main ACL logic: build a per-request Zend_Acl for the authenticated
 * identity, decide whether the requested controller/action is allowed and,
 * if not, rewrite the request to the configured "no access" route.
 *
 * Roles: 'user', 'owner', 'admin' (inherits 'owner'); the identity's e-mail
 * is registered as a role that inherits from whichever of those applies.
 * Resources come from $this->_resources (plain controller names and
 * "<projekt>|<controller>" names); privileges are action names.
 *
 * NOTE(review) — security-relevant points visible in this method:
 *  - Nothing happens for a request without an identity: the ACL is neither
 *    built nor enforced here for anonymous users. Whatever sends them to the
 *    login page must run elsewhere — confirm.
 *  - administrator == 1 short-circuits to "allowed" before isAllowed() is
 *    consulted, so the `deny('admin', 'account')` rule below is not enforced
 *    by this plugin for administrators.
 *  - `$request->id == $identity->iduser` compares a client-supplied parameter
 *    loosely; a strict, type-normalised comparison (e.g. (int) on both sides)
 *    would stop "5abc"-style values from matching on PHP < 8.
 *  - `== true` on owner/administrator treats any truthy value (including the
 *    string "false") as set — confirm these are real booleans/ints.
 *  - $projekt is client-supplied; it only selects among pre-registered
 *    resource names via in_array, so an unknown value ends in "not allowed".
 *
 * @param Zend_Controller_Request_Abstract $request
 * @return void
 */
public function preDispatch(Zend_Controller_Request_Abstract $request)
{
    $controller = $request->getControllerName();
    $action = $request->getActionName();
    $module = $request->getModuleName();
    $auth = Zend_Auth::getInstance();
    if ($auth->hasIdentity()) {
        $acl = new Zend_Acl();
        $identity = $auth->getIdentity();
        $acl->addRole(new Zend_Acl_Role('user'))->addRole(new Zend_Acl_Role('owner'))->addRole(new Zend_Acl_Role('admin'), 'owner');
        // Pick the base role for this identity; owner wins over administrator.
        if ($identity->owner == true) {
            $inherit = 'owner';
        } elseif ($identity->administrator == true) {
            $inherit = 'admin';
        } else {
            $inherit = 'user';
        }
        // The e-mail becomes a role of its own (addRole throws if it collides with 'user'/'owner'/'admin').
        $acl->addRole(new Zend_Acl_Role($identity->email), $inherit);
        $projekt = $request->getParam('projekt');
        // Base resources (the array values are the resource names).
        foreach ($this->_resources as $val => $key) {
            $acl->add(new Zend_Acl_Resource($key));
        }
        // Rights on the base resources.
        $acl->allow('owner');
        $acl->deny('admin', 'account');
        $acl->allow('user', array('index', 'project', 'assignment', 'calendar', 'people', 'auth', 'redir'));
        $acl->deny('user', 'account');
        $acl->deny('user', 'project', $this->_create);
        $acl->deny('user', 'people', $this->_create);
        $acl->deny('user', 'project', $this->_manage);
        $acl->deny('user', 'people', $this->_manage);
        // A user may manage their own 'people' record (see the loose-comparison note above).
        if ($request->id == $identity->iduser) {
            $acl->allow('user', 'people', $this->_manage);
        }
        // Resources for the project sub-section.
        $this->_projectAcl($acl, $identity);
        Zend_Registry::set('acl', $acl);
        // Decide: administrators bypass the ACL entirely; otherwise look the
        // project-scoped resource up first, then the plain controller resource.
        if ($identity->administrator == 1) {
            $isAllowed = true;
        } elseif (in_array($projekt . '|' . $request->getControllerName(), $this->_resources)) {
            $isAllowed = $acl->isAllowed($identity->email, $projekt . '|' . $request->getControllerName(), $request->getActionName());
        } elseif (in_array($request->getControllerName(), $this->_resources)) {
            $isAllowed = $acl->isAllowed($identity->email, $request->getControllerName(), $request->getActionName());
        } else {
            // Unknown resource: fail closed.
            $isAllowed = false;
        }
        // Do not redirect while the error handler is already in control of the request.
        $error = $request->getParam('error_handler');
        if (is_null($error)) {
            if (!$isAllowed) {
                $module = $this->_noacl['module'];
                $controller = $this->_noacl['controller'];
                $action = $this->_noacl['action'];
            }
        }
        $request->setModuleName($module);
        $request->setControllerName($controller);
        $request->setActionName($action);
    }
}
/**
 * Two-role ACL: guests may reach only the 'login' action of the admin
 * controller and the index controller; admin may do everything.
 * Stored in Zend_Registry under 'acl'.
 */
public function __construct()
{
    $acl = new Zend_Acl();

    $acl->addRole(new Zend_Acl_Role('guest'))
        ->addRole(new Zend_Acl_Role('admin'));

    // 'admin' is both a role name and a controller (resource) name here;
    // Zend_Acl keeps the two registries apart.
    $acl->add(new Zend_Acl_Resource('admin'))
        ->add(new Zend_Acl_Resource('index'));

    $acl->deny();                                  // default deny
    $acl->allow('admin', null);                    // admin: all resources
    $acl->allow('guest', 'admin', array('login')); // guest: only the login action
    $acl->allow('guest', 'index');

    Zend_Registry::set('acl', $acl);
}
/**
 * allow()/deny() given only a role (null resource, null privilege) must
 * apply to every resource and every privilege.
 *
 * @group ZF-10649
 */
public function testAllowAndDenyWithNullForResourcesWillApplyToAllResources()
{
    $acl = $this->_acl;
    $acl->addRole('guest');
    $acl->addResource('blogpost');

    // Role-wide allow.
    $acl->allow('guest');
    $this->assertTrue($acl->isAllowed('guest'));
    $this->assertTrue($acl->isAllowed('guest', 'blogpost'));
    $this->assertTrue($acl->isAllowed('guest', 'blogpost', 'read'));

    // Role-wide deny overrides it at every level.
    $acl->deny('guest');
    $this->assertFalse($acl->isAllowed('guest'));
    $this->assertFalse($acl->isAllowed('guest', 'blogpost'));
    $this->assertFalse($acl->isAllowed('guest', 'blogpost', 'read'));
}
/**
 * Bootstrap the ACL from configs/acl.ini and register the Acl plugin.
 *
 * Default deny. Every key of acl.ini becomes a resource and its value is
 * the single role allowed on it. ROLE_AUTHENTICATED inherits from
 * ROLE_GUEST, so a resource opened to guests is open to everyone.
 * NOTE(review): a resource absent from acl.ini is never registered, so
 * whatever the Acl plugin does on an unknown resource decides whether that
 * path fails open or closed — confirm in the plugin.
 */
protected function _initAcl()
{
    $this->bootstrap('frontController');
    $front = $this->getResource('frontController');

    $acl = new \Zend_Acl();
    $acl->deny();
    $acl->addRole(new \Zend_Acl_Role(Acl::ROLE_GUEST));
    $acl->addRole(new \Zend_Acl_Role(Acl::ROLE_AUTHENTICATED), Acl::ROLE_GUEST);

    $iniRules = new \Zend_Config_Ini(APPLICATION_PATH . '/configs/acl.ini');
    foreach ($iniRules as $resource => $allowedRole) {
        $acl->addResource($resource);
        $acl->allow($allowedRole, $resource);
    }

    $front->registerPlugin(new Acl($acl));
}
/**
 * Fixture ACL: default deny; 'admin' may create/read/update profiles,
 * 'user' may read/update a profile only when App_Acl_Assert_SameUser
 * confirms it is their own.
 */
public function setUp()
{
    $acl = new Zend_Acl();

    $acl->addResource('profile');
    foreach (array('admin', 'user') as $roleName) {
        $acl->addRole($roleName);
    }

    // Closed by default.
    $acl->deny();

    $adminActions = array('create', 'read', 'update');
    $acl->allow('admin', 'profile', $adminActions);

    $selfOnly = new App_Acl_Assert_SameUser();
    $acl->allow('user', 'profile', array('read', 'update'), $selfOnly);

    $this->_acl = $acl;
}
/**
 * Build the request ACL, publish it in Zend_Registry('acl'), and route
 * anonymous requests to index/login.
 *
 * Roles: 'administrator' (everything) and 'moderator' (denied everything
 * except 'answer' and 'edit-own' on 'forum'). No role exists for ordinary
 * members and no isAllowed() check happens here — enforcement must live
 * elsewhere. The login redirect rewrites the request in place, so the
 * originally requested controller/action is not preserved.
 */
public function preDispatch(Zend_Controller_Request_Abstract $request)
{
    $acl = new Zend_Acl();
    foreach (array("page", "forum", "catalog") as $resourceName) {
        $acl->addResource($resourceName);
    }
    $acl->addRole("administrator");
    $acl->addRole("moderator");

    $acl->allow("administrator");
    $acl->deny("moderator");
    $acl->allow("moderator", "forum", array("answer", "edit-own"));
    Zend_Registry::set('acl', $acl);

    $auth = Zend_Auth::getInstance();
    if ($auth->hasIdentity()) {
        return;
    }
    $request->setControllerName('index')->setActionName('login');
}
/**
 * With a default-deny policy, rules set on a parent resource must be
 * inherited by its children, and a more specific deny must beat a broader
 * allow.
 *
 * @group ZF2-3454
 */
public function testAclResourcePermissionsAreInheritedWithMultilevelResourcesAndDenyPolicy()
{
    $acl = $this->_acl;
    $posts = array('post_1', 'post_2');

    $acl->addRole('guest');
    // blogposts > feature > {post_1, post_2}
    $acl->addResource('blogposts');
    $acl->addResource('feature', 'blogposts');
    foreach ($posts as $post) {
        $acl->addResource($post, 'feature');
    }

    $acl->deny();
    $acl->allow('guest', 'feature', 'read');   // read any feature post
    $acl->allow('guest', null, 'comment');     // comment everywhere ...
    $acl->deny('guest', 'feature', 'comment'); // ... except on feature posts

    $this->assertFalse($acl->isAllowed('guest', 'feature', 'write'));
    foreach ($posts as $post) {
        $this->assertTrue($acl->isAllowed('guest', $post, 'read'));
    }
    foreach ($posts as $post) {
        $this->assertFalse($acl->isAllowed('guest', $post, 'comment'));
    }
}
/**
 * Create the ARO (roles) and ACO (resources) hierarchy on the legacy
 * Zend_Acl API (aroRegistry() and magic per-resource properties).
 *
 * Roles: guest, ankieter (surveyor, inherits guest), administrator.
 * Everything is denied first, then granted per resource.
 */
public function init()
{
    $acl = new Zend_Acl();

    $registry = $acl->aroRegistry();
    $registry->add('guest');
    $registry->add('ankieter', $registry->guest);
    $registry->add('administrator');

    // Start closed; grant only what each role needs.
    $acl->deny();

    foreach (array('index', 'ankieta') as $resourceName) {
        $acl->{$resourceName}->allow($registry->guest);
    }

    foreach (array('ankieter', 'raport', 'ankieta') as $resourceName) {
        $acl->{$resourceName}->allow($registry->ankieter);
    }

    // Administrator: everything.
    $acl->allow($registry->administrator);

    $this->acl = $acl;
}
/**
 * Reset the ACL to deny-all, then grant, for every service row, the
 * (role, resource, action) triples found in the service's story permissions.
 *
 * Resource name is "<module>_<controller>", taken from the service's own
 * Resource, else from its Action's Controller; it stays null when neither is
 * set. Action is the service's Action name, or null.
 * NOTE(review): null is a wildcard for Zend_Acl — allow($role, null, $action)
 * grants $action on every resource and allow($role, $resource, null) grants
 * every privilege on it. Rows without a Resource/Controller or without an
 * Action therefore widen access; confirm that is intended.
 *
 * @return void
 */
public function addAllPermissions()
{
    // Start from a closed policy.
    parent::deny();

    $query = Doctrine_Query::create()
        ->select('module.name, acontroller.name, controller.name, action.name, service.id, role.id, story.id, permission.*, story.name')
        ->from('Model_Entity_Service service')
        ->leftJoin('service.Resource controller')
        ->leftJoin('controller.Module module')
        ->leftJoin('service.Action action')
        ->leftJoin('action.Controller acontroller')
        ->leftJoin('service.Story story')
        ->leftJoin('story.Permission permission')
        ->leftJoin('permission.Role role')
        ->useQueryCache(Kebab_Cache_Query::isEnable());
    $services = $query->execute();

    if (count($services->toArray()) <= 0) {
        return;
    }

    foreach ($services as $service) {
        $action = isset($service->Action->name) ? $service->Action->name : null;

        $resource = null;
        if (isset($service->Resource)) {
            $resource = $service->Resource->Module->name . '_' . $service->Resource->name;
        } elseif (isset($service->Action->Controller)) {
            $resource = $service->Action->Controller->Module->name . '_' . $service->Action->Controller->name;
        }

        if (!isset($service->Story)) {
            continue;
        }
        foreach ($service->Story->Permission->toArray() as $permission) {
            if (count($permission) <= 0) {
                continue;
            }
            Zend_Registry::get('logging')->log($permission['Role']['id'] . '-' . $resource . '-' . $action, Zend_Log::DEBUG);
            parent::allow($permission['Role']['id'], $resource, $action);
        }
    }
}
/**
 * Load every registered action (menu entry) into the ACL.
 *
 * Resource id is "<module>:<controller>"; privileges are the action's ACL
 * name plus its comma-separated sub-actions (empty names are skipped).
 * Actions whose controller is not "visible" are allowed to the 'Usuario'
 * role outright; actions on visible controllers are denied to 'Usuario'
 * here — finer-grained grants are presumably applied elsewhere (confirm).
 *
 * @return void
 */
protected function carregaMenus()
{
    foreach (Administrativo_Model_Acao::getAll() as $acao) {
        $controle = $acao->getControle();
        $resourceId = $controle->getModulo()->getIdentidade() . ":" . $controle->getIdentidade();
        if (!$this->_acl->has($resourceId)) {
            $this->_acl->addResource($resourceId);
        }

        $privileges = explode(',', trim($acao->getSubAcoes()));
        $privileges[] = $acao->getAcaoAcl();
        $allowedForUser = !$controle->getVisivel();

        foreach ($privileges as $privilege) {
            if (empty($privilege)) {
                continue;
            }
            if ($allowedForUser) {
                $this->_acl->allow('Usuario', $resourceId, $privilege);
            } else {
                $this->_acl->deny('Usuario', $resourceId, $privilege);
            }
        }
    }
}
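/**
 * Load the privileges (role / resource / access flag) for a module.
 *
 * The privilege list is cached under 'acl_<module>' (lower-cased). On a
 * cache miss every privilege returned by the privilege model is passed to
 * $this->add() and the resulting $this->_privileges is serialised into the
 * cache; on a hit the cached value is unserialised back into
 * $this->_privileges. Only this class's own data is written to that cache,
 * so unserialize() reads application-written data here — keep it that way
 * (never feed it request input) or move the cache format to JSON.
 *
 * NOTE(review): an unreachable tail after `return true;` (which built a
 * Zend_Acl directly from the role/resource/privilege models) was dead code
 * and has been removed; the Zend_Acl object is assembled from
 * $this->_privileges elsewhere.
 *
 * @param string $module
 * @return bool always true
 */
private function loadAcl($module)
{
    $cache = $this->getObjectCache();
    $idCache = 'acl_' . strtolower($module);
    $data = $cache->load($idCache);
    $this->_moduleLoaded = $module;

    if (!$data) {
        // Cache miss: rebuild from the privilege model. Access flag 'A' = allow.
        $privilegeModel = $this->_getPrivilege();
        foreach ($privilegeModel->getPrivileges($module) as $privilege) {
            $this->add($privilege->getRole(), $privilege->getResource(), $privilege->getAccess() == 'A');
        }
        $cache->save(serialize($this->_privileges), $idCache);
    } else {
        $this->_privileges = unserialize($data);
    }

    return true;
}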
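/**
 * Build a Zend_Acl from the system_role / system_resource / join tables.
 *
 * Roles may inherit from another role (inherit_role). Zend_Acl requires the
 * parent to be registered before the child, so rows whose parent is not yet
 * known are queued and retried after the rest of the list has been
 * processed. A role whose parent never becomes available is an error: the
 * old code appended such rows to the array it was iterating by value, which
 * PHP's foreach never revisits, so the role was silently dropped and every
 * later allow()/deny() naming it threw. It now throws here, naming the rows.
 *
 * @param Zend_Db_Adapter_Abstract $db
 * @return Zend_Acl
 * @throws Zend_Acl_Exception when a role references an unknown parent role
 *         (or the parent links form a cycle)
 */
protected function makeAcl($db)
{
    $acl = new Zend_Acl();

    // --- roles, parents before children --------------------------------
    $pending = $db->fetchAll('select * from system_role');
    while (count($pending) > 0) {
        $deferred = array();
        foreach ($pending as $row) {
            $parent = $row['inherit_role'];
            if ($parent == '') {
                $acl->addRole(new Zend_Acl_Role($row['role']));
            } elseif ($acl->hasRole($parent)) {
                $acl->addRole(new Zend_Acl_Role($row['role']), $parent);
            } else {
                $deferred[] = $row; // parent not registered yet; retry next pass
            }
        }
        if (count($deferred) === count($pending)) {
            // No progress in a full pass: the remaining rows name a parent that
            // does not exist or form a cycle. Fail closed instead of registering
            // roles with a silently different hierarchy.
            $unresolved = array();
            foreach ($deferred as $row) {
                $unresolved[] = $row['role'] . ' -> ' . $row['inherit_role'];
            }
            throw new Zend_Acl_Exception('Cannot resolve parent role for: ' . implode(', ', $unresolved));
        }
        $pending = $deferred;
    }

    // --- resources --------------------------------------------------------
    foreach ($db->fetchAll('select * from system_resource') as $row) {
        $acl->addResource(new Zend_Acl_Resource($row['resource']));
    }

    // --- permissions: one allow/deny per role/resource row ----------------
    $rules = $db->fetchAll('select r.role as role, rs.resource as resource, permission, privilege ' . 'from system_role as r join system_role_has_system_resource as m on ' . '(r.id = m.system_role_id) join system_resource as rs on (m.system_resource_id = rs.id)');
    foreach ($rules as $row) {
        $privileges = explode(',', $row['privilege']); // comma-separated list
        if ($row['permission'] == 'allow') {
            $acl->allow($row['role'], $row['resource'], $privileges);
        } else {
            $acl->deny($row['role'], $row['resource'], $privileges);
        }
    }

    return $acl;
}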
/**
 * Bootstrap the site ACL and publish it in Zend_Registry under 'acl'.
 *
 * Role chain: GUEST <- MEMBER <- USER (each inherits the previous); ADMIN and
 * SUPERADMIN stand alone and are allowed everything minus explicit denies:
 * ADMIN may not touch RESOURCE_CODE, and neither ADMIN, SUPERADMIN nor MEMBER
 * may use RESOURCE_CACHE_PAGE (only guests are granted it).
 */
protected function _initAcl()
{
    $acl = new Zend_Acl();

    // Roles.
    $acl->addRole(new Zend_Acl_Role(Tools_Security_Acl::ROLE_GUEST));
    $acl->addRole(new Zend_Acl_Role(Tools_Security_Acl::ROLE_MEMBER), Tools_Security_Acl::ROLE_GUEST);
    $acl->addRole(new Zend_Acl_Role(Tools_Security_Acl::ROLE_USER), Tools_Security_Acl::ROLE_MEMBER);
    $acl->addRole(new Zend_Acl_Role(Tools_Security_Acl::ROLE_ADMIN));
    $acl->addRole(new Zend_Acl_Role(Tools_Security_Acl::ROLE_SUPERADMIN));

    // Resources: front-end first, then the admin area.
    $resources = array(
        Tools_Security_Acl::RESOURCE_CONTENT,
        Tools_Security_Acl::RESOURCE_WIDGETS,
        Tools_Security_Acl::RESOURCE_PAGE_PROTECTED,
        Tools_Security_Acl::RESOURCE_PAGE_PUBLIC,
        Tools_Security_Acl::RESOURCE_CACHE_PAGE,
        Tools_Security_Acl::RESOURCE_CODE,
        Tools_Security_Acl::RESOURCE_THEMES,
        Tools_Security_Acl::RESOURCE_ADMINPANEL,
        Tools_Security_Acl::RESOURCE_PAGES,
        Tools_Security_Acl::RESOURCE_MEDIA,
        Tools_Security_Acl::RESOURCE_SEO,
        Tools_Security_Acl::RESOURCE_LAYOUT,
        Tools_Security_Acl::RESOURCE_CONFIG,
        Tools_Security_Acl::RESOURCE_USERS,
        Tools_Security_Acl::RESOURCE_PLUGINS,
        Tools_Security_Acl::RESOURCE_PLUGINS_MENU,
    );
    foreach ($resources as $resourceId) {
        $acl->addResource(new Zend_Acl_Resource($resourceId));
    }

    // Rules, in the order they are applied (null resource = every resource).
    $rules = array(
        array('allow', Tools_Security_Acl::ROLE_GUEST,      Tools_Security_Acl::RESOURCE_PAGE_PUBLIC),
        array('allow', Tools_Security_Acl::ROLE_GUEST,      Tools_Security_Acl::RESOURCE_CACHE_PAGE),
        array('deny',  Tools_Security_Acl::ROLE_MEMBER,     Tools_Security_Acl::RESOURCE_CACHE_PAGE),
        array('allow', Tools_Security_Acl::ROLE_MEMBER,     Tools_Security_Acl::RESOURCE_PAGE_PROTECTED),
        array('allow', Tools_Security_Acl::ROLE_MEMBER,     Tools_Security_Acl::RESOURCE_ADMINPANEL),
        array('allow', Tools_Security_Acl::ROLE_MEMBER,     Tools_Security_Acl::RESOURCE_PLUGINS_MENU),
        // user = copywriter
        array('allow', Tools_Security_Acl::ROLE_USER,       Tools_Security_Acl::RESOURCE_PLUGINS),
        array('allow', Tools_Security_Acl::ROLE_USER,       Tools_Security_Acl::RESOURCE_ADMINPANEL),
        array('allow', Tools_Security_Acl::ROLE_USER,       Tools_Security_Acl::RESOURCE_CONTENT),
        array('allow', Tools_Security_Acl::ROLE_USER,       Tools_Security_Acl::RESOURCE_MEDIA),
        array('allow', Tools_Security_Acl::ROLE_USER,       Tools_Security_Acl::RESOURCE_PAGES),
        array('allow', Tools_Security_Acl::ROLE_USER,       Tools_Security_Acl::RESOURCE_THEMES),
        array('allow', Tools_Security_Acl::ROLE_ADMIN,      null),
        array('deny',  Tools_Security_Acl::ROLE_ADMIN,      Tools_Security_Acl::RESOURCE_CODE),
        array('deny',  Tools_Security_Acl::ROLE_ADMIN,      Tools_Security_Acl::RESOURCE_CACHE_PAGE),
        array('allow', Tools_Security_Acl::ROLE_SUPERADMIN, null),
        array('deny',  Tools_Security_Acl::ROLE_SUPERADMIN, Tools_Security_Acl::RESOURCE_CACHE_PAGE),
    );
    foreach ($rules as $rule) {
        list($verb, $role, $resource) = $rule;
        if ($verb === 'allow') {
            $acl->allow($role, $resource);
        } else {
            $acl->deny($role, $resource);
        }
    }

    Zend_Registry::set('acl', $acl);
}
/**
 * Proxy to Zend_Acl::deny(), using the current request's controller name
 * as the resource and the given action name(s) as the privilege(s).
 *
 * @param Zend_Acl_Role_Interface|string|array $roles   role(s) to deny; null = every role
 * @param string|array                         $actions action(s) to deny; null = every action
 * @uses Zend_Acl::setRule()
 * @return Expenses_Controller_Action_Helper_Acl Provides a fluent interface
 */
public function deny($roles = null, $actions = null)
{
    $request = $this->_action->getRequest();
    $this->_acl->deny($roles, $request->getControllerName(), $actions);
    return $this;
}
/**
 * Proxy to Zend_Acl::deny(), using the helper's stored controller name as
 * the resource and the given action name(s) as the privilege(s).
 *
 * @access public
 * @param Zend_Acl_Role_Interface|string|array $roles   role(s) to deny; null = every role
 * @param string|array                         $actions action(s) to deny; null = every action
 * @uses Zend_Acl::setRule()
 * @return Pas_Controller_Action_Helper_Acl Provides a fluent interface
 */
public function deny($roles = null, $actions = null)
{
    $controller = $this->_controllerName;
    $this->_acl->deny($roles, $controller, $actions);
    return $this;
}
/**
 * preDispatch hook of the ACL plugin: build (or load from a 12-hour file
 * cache) the Zend_Acl for the current user's role and publish it as
 * Zend_Registry 'ZendACL' (the cache object is published as 'cacheACL').
 *
 * Despite the original summary, no isAllowed() check happens here — this
 * method only assembles the ACL; enforcement has to happen elsewhere.
 *
 * How the ACL is built for role id R (an anonymous user is hard-coded to
 * role id 3):
 *  - every registered module:controller pair becomes a resource;
 *  - role ids below 2 are allowed the action-controller of every resource;
 *  - otherwise the role's own permission row decides; with no own row, the
 *    highest-priority dependent ("child") role's row is used; 'deny' beats
 *    'allow'; with no row at all nothing is set, which Zend_Acl treats as deny.
 *
 * NOTE(review):
 *  - $objRole is never initialised: `$objRole->id = ...` relies on PHP < 8
 *    auto-vivifying a stdClass (with a warning). On PHP 8 it is an Error,
 *    which the catch (Exception) below does not catch.
 *  - Any exception is logged and swallowed, leaving 'ZendACL' unset in the
 *    registry. Whether a missing ACL fails open or closed is decided by the
 *    consumer — confirm it denies when the key is absent.
 *  - The cache is keyed by role id only, with a 43200 s lifetime, so
 *    permission changes take up to 12 hours to apply unless the cache is
 *    invalidated explicitly.
 *  - The mixed && / || conditions below rely on PHP precedence (&& binds
 *    tighter than ||); they are documented inline rather than rewritten.
 *
 * @see Zend_Controller_Plugin_Abstract::preDispatch()
 * @param Zend_Controller_Request_Abstract $request
 * @return void
 */
public function preDispatch(Zend_Controller_Request_Abstract $request)
{
    try {
        $frontendOptions = array('lifetime' => 43200, 'automatic_serialization' => true);
        $backendOptions = array('cache_dir' => APPLICATION_CACHE_PATH);
        $cache = Zend_Cache::factory('Core', 'File', $frontendOptions, $backendOptions);
        // fetch the current user
        $auth = Zend_Auth::getInstance();
        if ($auth->hasIdentity()) {
            $identity = $auth->getIdentity();
            $objRole->id = $identity->role_id;
            // (Commented-out code that set a 30-minute expiry on the Zend_Auth
            // session namespace was removed; no auth-storage expiry is set here.)
        } else {
            $objRole->id = 3; // anonymous visitor: hard-coded guest role id
        }
        // Reuse a cached ACL for this role when present and still valid.
        $cacheACL = false;
        if ($cache->load('cacheACL_' . $objRole->id) && $cache->test('cacheACL_' . $objRole->id)) {
            $cacheACL = $cache->load('cacheACL_' . $objRole->id);
        }
        if ($cacheACL == false) {
            // set up acl
            $acl = new Zend_Acl();
            $mdlRole = new Acl_Model_Role();
            $mdlResource = new Acl_Model_Resource();
            $mdlPermission = new Acl_Model_Permission();
            $acl->addRole(new Zend_Acl_Role($objRole->id));
            $role = $mdlRole->find($objRole->id)->current();
            if ($role == null) {
                throw new Zend_Exception('Role not found');
            }
            // Highest-priority dependent role; its rows are the fallback when the role has none.
            $select = $mdlRole->select()->order('priority DESC')->limit(1);
            $childRole = $role->findDependentRowset('Acl_Model_Role', null, $select)->current();
            $resources = $mdlResource->getRegisteredList();
            // Register every module:controller pair as a resource (lower-cased).
            if ($resources->count() > 0) {
                foreach ($resources as $resource) {
                    $resourceTemp = strtolower($resource->module . ':' . $resource->controller);
                    if (!$acl->has(new Zend_Acl_Resource($resourceTemp))) {
                        $acl->addResource(new Zend_Acl_Resource($resourceTemp));
                    }
                }
            } else {
                throw new Zend_Exception('Resources not available');
            }
            if ($resources->count() > 0) {
                foreach ($resources as $resource) {
                    $resourceTemp = strtolower($resource->module . ':' . $resource->controller);
                    $childPrivilege = $childRole ? $mdlPermission->getByResource($resource, $childRole) : null;
                    $rolePrivilege = $mdlPermission->getByResource($resource, $role);
                    if ($objRole->id < 2) {
                        // Role ids 0 and 1 are unconditionally allowed.
                        $acl->allow($objRole->id, $resourceTemp, $resource->actioncontroller);
                    } elseif (!$childRole && !$rolePrivilege || strcasecmp($rolePrivilege->privilege, 'deny') == 0 || $childPrivilege && strcasecmp($childPrivilege->privilege, 'deny') == 0 && !$rolePrivilege) {
                        // Deny when: no child role and no own row; or own row says deny;
                        // or no own row and the child row says deny.
                        // (With an own row absent, ->privilege on null is read here; see NOTE above.)
                        $acl->deny($objRole->id, $resourceTemp, $resource->actioncontroller);
                    } elseif (strcasecmp($rolePrivilege->privilege, 'allow') == 0 || $childPrivilege && strcasecmp($childPrivilege->privilege, 'allow') == 0 && !$rolePrivilege) {
                        // Allow when: own row says allow; or no own row and the child row says allow.
                        $acl->allow($objRole->id, $resourceTemp, $resource->actioncontroller);
                    }
                    // Anything else sets no rule: Zend_Acl's default is deny.
                } # foreach ( $resources as $resource )
            } # if ( $resources->count() > 0 )
            $cache->save($acl, 'cacheACL_' . $objRole->id);
            Zend_Registry::set('ZendACL', $acl);
        } else {
            Zend_Registry::set('ZendACL', $cacheACL);
        }
        Zend_Registry::set('cacheACL', $cache);
    } catch (Exception $e) {
        // Log and continue: the request proceeds without 'ZendACL' in the registry.
        try {
            $writer = new Zend_Log_Writer_Stream(APPLICATION_LOG_PATH . 'plugins.log');
            $logger = new Zend_Log($writer);
            $logger->log($e->getMessage(), Zend_Log::ERR);
        } catch (Exception $e) {
        }
    }
}
/**
 * Builds the application ACL and registers the ACL controller plugin.
 *
 * Policy: everything is denied to everyone first ($acl->deny(null)) and access is then
 * granted per role. 'member' inherits from 'guest' and 'admin' from 'member', so a rule
 * granted to 'guest' also holds for the two roles above it.
 *
 * Resources are named "module" or "module:controller" and form a tree under 'root', so a
 * rule on a module (for example 'admin' for members) covers every controller registered
 * beneath it. The action lists handed to allow() are controller actions; where no list is
 * given the whole controller is allowed.
 */
public static function setupAcl()
{
    $acl = new Zend_Acl();
    $application = Stuffpress_Application::getInstance();

    /* Roles: member extends guest, admin extends member */
    $acl->addRole(new Zend_Acl_Role('guest'))
        ->addRole(new Zend_Acl_Role('member'), 'guest')
        ->addRole(new Zend_Acl_Role('admin'), 'member');

    /* Resource tree: module => controllers registered beneath it */
    $modules = array(
        'public' => array(
            'comments', 'embed', 'error', 'file', 'index', 'home', 'shorturl',
            'story', 'storymap', 'mappage', 'timeline',
        ),
        'console' => array('stats'),
        'admin' => array(
            'advanced', 'auth', 'avatar', 'backup', 'bookmarklet', 'design', 'home',
            'index', 'pages', 'page', 'password', 'post', 'postemail', 'preferences',
            'profile', 'recover', 'register', 'services', 'sns', 'share', 'story',
            'widgets',
        ),
        'widgets' => array(
            'archives', 'bio', 'custom', 'lastcomments', 'links', 'logo', 'music',
            'rsslink', 'search', 'tags', 'membersgfc',
        ),
        'pages' => array(
            'custom', 'dashboard', 'link', 'lifestream', 'nopage', 'pictures',
            'stories', 'videos', 'map',
        ),
        'dialogs' => array('customrss'),
    );

    $acl->add(new Zend_Acl_Resource('root'));
    foreach ($modules as $module => $controllers) {
        $acl->add(new Zend_Acl_Resource($module), 'root');
        foreach ($controllers as $controller) {
            $acl->add(new Zend_Acl_Resource($module . ':' . $controller), $module);
        }
    }

    /* Default: nobody may do anything */
    $acl->deny(null);

    /* admin: the console module, on top of everything inherited from member */
    $acl->allow('admin', 'console');

    /* member: the whole public, admin, widgets and pages modules */
    foreach (array('public', 'admin', 'widgets', 'pages') as $module) {
        $acl->allow('member', $module);
    }

    /* guest, public module: resource => allowed actions (null = whole controller) */
    $guestPublic = array(
        'public:comments' => array('index', 'form', 'add'),
        'public:embed' => null,
        'public:error' => null,
        'public:file' => null,
        'public:home' => null,
        'public:index' => null,
        'public:shorturl' => null,
        'public:story' => array('view', 'map'),
        'public:storymap' => array('view'),
        'public:mappage' => null,
        'public:timeline' => array(
            'archive', 'search', 'rss', 'selection', 'view', 'tag', 'type', 'slide', 'image',
        ),
    );
    foreach ($guestPublic as $resource => $actions) {
        $acl->allow('guest', $resource, $actions);
    }

    /* guest, pages and widgets: only the index action of each controller */
    $guestIndexOnly = array(
        'pages:custom', 'pages:dashboard', 'pages:lifestream', 'pages:link', 'pages:nopage',
        'pages:pictures', 'pages:stories', 'pages:videos', 'pages:map',
        'widgets:archives', 'widgets:bio', 'widgets:custom', 'widgets:lastcomments',
        'widgets:links', 'widgets:logo', 'widgets:music', 'widgets:rsslink',
        'widgets:search', 'widgets:tags', 'widgets:membersgfc',
    );
    foreach ($guestIndexOnly as $resource) {
        $acl->allow('guest', $resource, array('index'));
    }

    /* guest, admin module: the unauthenticated entry points (login, registration, recovery) */
    foreach (array('index', 'auth', 'home', 'page', 'register', 'recover') as $controller) {
        $acl->allow('guest', 'admin:' . $controller);
    }

    self::$frontController->registerPlugin(
        new Stuffpress_Controller_Plugin_Acl($acl, $application->role)
    );
}