Beispiel #1
0
 /**
  * (non-PHPdoc)
  * @see Zend_Application_Resource_ResourceAbstract#init()
  */
 public function init()
 {
     $this->_acl = new Zend_Acl();
     // static roles
     $this->_acl->addRole(new Zend_Acl_Role('all'));
     $this->_acl->addRole(new Zend_Acl_Role('anonymous'), 'all');
     $this->_acl->addRole(new Zend_Acl_Role('identified'), 'all');
     // dinamic roles
     foreach ($this->_roles as $roleName) {
         if (!$this->_acl->hasRole($roleName)) {
             $this->_acl->addRole(new Zend_Acl_Role($roleName), 'identified');
         }
     }
     //        var_dump($this->_resources);exit;
     // rules
     foreach ($this->_resources as $module => $grants) {
         $module = strtolower($module);
         $this->_acl->add(new Zend_Acl_Resource($module));
         foreach ($grants as $controller => $grant) {
             $controller = strtolower($controller);
             foreach ($grant as $action => $roles) {
                 $resource = $controller . self::RESOURCE_SEPARATOR . $action;
                 foreach (explode(',', $roles) as $role) {
                     if (!empty($role)) {
                         $this->_acl->allow(trim($role), $module, $resource);
                     }
                 }
             }
         }
     }
     Zend_Registry::set('acl', $this->_acl);
     return $this->_acl;
 }
Beispiel #2
0
 public function checkAccess(Zend_Controller_Request_Abstract $request)
 {
     $resource = new User_Model_Acl_Resource();
     $resource->getPrivileges($request);
     if (!$resource->privileges || !$resource->resource_id) {
         //error in getting resource privileges or nobody is allowed access, deny access and redirect to forbidden
         return false;
     }
     $acl = new Zend_Acl();
     $acl->add(new Zend_Acl_Resource($resource->resource_id));
     foreach ($resource->privileges as $key => $privilege) {
         if (!$acl->hasRole($privilege["role_id"])) {
             $acl->addRole(new Zend_Acl_Role($privilege["role_id"]));
             $acl->allow($privilege["role_id"], $resource->resource_id);
         }
     }
     $authorization = Zend_Auth::getInstance();
     if ($authorization->hasIdentity()) {
         $user = $authorization->getIdentity();
         if ($acl->hasRole($user['role_id']) && $acl->isAllowed($user['role_id'], $resource->resource_id)) {
             //role has access
             return true;
         }
         //user role does not have access to this resource
         return false;
     } else {
         $aclrole = new User_Model_Acl_Role();
         $aclrole->getDefaultRole();
         if (!$aclrole->default_role || !$acl->hasRole($aclrole->default_role) || !$acl->isAllowed($aclrole->default_role, $resource->resource_id)) {
             //redirect to login
             return false;
         }
     }
     return true;
 }
Beispiel #3
0
 /**
  * @covers System_Acl_Loader_Options::load
  * @covers System_Acl_Loader_Options::<protected>
  */
 public function testLoadRoles()
 {
     $this->object->setOptions($this->optionsHelper(System_Acl_Loader_Options::ROLES, array('test' => null, 'test1' => 'test')));
     $this->object->load();
     self::assertTrue($this->acl->hasRole('test'));
     self::assertTrue($this->acl->hasRole('test1'));
     self::assertTrue($this->acl->inheritsRole('test1', 'test', true));
 }
Beispiel #4
0
 /**
  * @covers System_Acl_Loader_Db::load
  * @covers System_Acl_Loader_Db::<protected>
  */
 public function testLoadRoles()
 {
     $this->createTableMocks('AclResource');
     $this->createTableMocks('AclRule');
     $this->createTableMocks('AclRole', array(array('name' => 'test', 'parent' => null), array('name' => 'test1', 'parent' => 'test')));
     $this->object->load();
     self::assertTrue($this->acl->hasRole('test'));
     self::assertTrue($this->acl->hasRole('test1'));
     self::assertTrue($this->acl->inheritsRole('test1', 'test', true));
 }
Beispiel #5
0
 private function _addRoleById(array $roles, $roleId)
 {
     foreach ($roles as $roleName => $properties) {
         // If the properties aren't set as an array, then we will consider
         // the value as the role ID.
         if (!is_array($properties)) {
             $properties = array('id' => $properties);
         }
         $id = $properties['id'];
         $parents = array();
         if (is_null($id) || empty($id)) {
             throw new Zend_Application_Resource_Exception(sprintf($this->_missingPropertyMessage, 'ID', 'role', $roleName));
         }
         if (isset($properties['parents']) && !empty($properties['parents'])) {
             $parents = explode(',', $properties['parents']);
         }
         if ($id == $roleId) {
             if ($this->_acl->hasRole($roleId)) {
                 return;
             }
             foreach ($parents as $parent) {
                 if (!$this->_acl->hasRole($parent)) {
                     $this->_addRoleById($roles, $parent);
                 }
             }
             $this->_acl->addRole(new Zend_Acl_Role($roleId), $parents);
             // Since we've finished adding the specified role, let's break
             // from our loop.
             break;
         }
     }
 }
Beispiel #6
0
 /**
  * Ensures that removal of all Roles works
  *
  * @return void
  */
 public function testRoleRegistryRemoveAll()
 {
     $roleGuest = new Zend_Acl_Role('guest');
     $this->_acl->addRole($roleGuest)
                ->removeRoleAll();
     $this->assertFalse($this->_acl->hasRole($roleGuest));
 }
Beispiel #7
0
 /**
  * Метод загружающий правила ACL
  * из хранилища правил в объект Zend_Acl
  * 
  * @throws Excore_Acl_Rules_Exception
  * @return void
  */
 protected function _loadRules()
 {
     $rules = $this->_rules->getAll();
     foreach ($rules as $rule) {
         if (!in_array($rule['type'], $this->_ruleTypes)) {
             throw new Excore_Acl_Rules_Exception("Rule type `{$rule['type']}` is invalid rule type for current settings");
         }
         if (!$this->_acl->hasRole(new Zend_Acl_Role($rule['roleId']))) {
             throw new Excore_Acl_Rules_Exception("Role `{$rule['roleId']}` found in rules storage, but was not in roles storage");
         }
         if (!$this->_acl->has(new Zend_Acl_Resource($rule['resourceId']))) {
             throw new Excore_Acl_Rules_Exception("Resource `{$rule['resourceId']}` found in rules storage, but was not in resources storage");
         }
         $assert = $rule['assert'];
         if ($assert !== null) {
             $assert = new $assert();
         }
         switch ($rule['type']) {
             case $this->_ruleTypes['TYPE_ALLOW']:
                 $this->_acl->allow(new Zend_Acl_Role($rule['roleId']), new Zend_Acl_Resource($rule['resourceId']), $rule['privileges'], $assert);
                 break;
             case $this->_ruleTypes['TYPE_DENY']:
                 $this->_acl->deny(new Zend_Acl_Role($rule['roleId']), new Zend_Acl_Resource($rule['resourceId']), $rule['privileges'], $assert);
                 break;
         }
     }
 }
Beispiel #8
0
 /**
  * Deny access to this role for a particular permissible object (or globally)
  *
  * @param  string           permission to deny
  * @param  QFrame_Permissible (optional) permissible object to deny access to
  */
 public function deny($permission, QFrame_Permissible $permissible = null)
 {
     $resource = $permissible === null ? "GLOBAL" : $permissible->getPermissionID();
     if (!$this->acl->hasRole($permission)) {
         $this->acl->addRole(new Zend_Acl_Role($permission));
     }
     if (!$this->acl->has($resource)) {
         $this->acl->add(new Zend_Acl_Resource($resource));
     }
     $this->acl->deny($permission, $resource);
 }
Beispiel #9
0
 public function hasRole($role)
 {
     if (preg_match('/^((group|role)_[0-9]+_[0-9]+)|(profile_[0-9]+)$/', $role)) {
         return parent::hasRole($role);
     } elseif (preg_match('/^(group|role)_([0-9]+)$/', $role, $matches)) {
         $modelName = ucfirst($matches[1]);
         $model = new $modelName();
         $role = $model->findOne($matches[2]);
         return parent::hasRole($matches[1] . '_' . (int) $role->priority . '_' . $matches[2]);
     } else {
         return false;
     }
 }
 public function buildAcl()
 {
     if ($this->_acl !== null) {
         return $this->_acl;
     }
     $aclDefinition = Zym_Message_Dispatcher::get()->post('buildAcl')->getResult('buildAcl');
     $acl = new Zend_Acl();
     foreach ($aclDefinition as $module) {
         if (!$acl->has($module['resource'])) {
             $acl->addResource($module['resource']);
         }
         foreach ($module['rules'] as $key => $rule) {
             if (!$acl->hasRole($key)) {
                 $acl->addRole($key);
             }
             $acl->setRule('OP_ADD', $rule['allPrivileges']['type'], $key, $module['resource']);
         }
     }
     $this->_acl = $acl;
     return $this->_acl;
 }
Beispiel #11
0
 /**
  * initAcl() - Initialize common ACL and save to cache.
  *
  * @return Zend_Acl
  */
 protected static function initAcl()
 {
     $cache = self::getCache();
     $db = self::getDb();
     $selectRes = new Zend_Db_Select($db);
     $roleResources = $selectRes->from('mod_role_resource')->query(Zend_Db::FETCH_GROUP)->fetchAll();
     //Zend_Registry::get ( 'logger' )->notice ( 'Role and Resources:' );
     //Zend_Registry::get ( 'logger' )->debug ( $roleResources );
     $acl = new Zend_Acl();
     $dbRoles = array(self::GUEST);
     $acl->addRole(self::GUEST);
     foreach ($roleResources as $roleKey => $resources) {
         $role = strtolower($roleKey);
         if (!(self::GUEST === $role)) {
             if (!$acl->hasRole($role)) {
                 $acl->addRole($role, self::GUEST);
                 $dbRoles[] = $role;
             } else {
                 Zend_Registry::get('logger')->debug('Duplicate role : "' . $role . '"');
             }
         }
         foreach ($resources as $key => $resource) {
             $res = strtolower($resource['module_id'] . '_' . $resource['controller_id'] . '_' . $resource['action_id']);
             if (!$acl->has($res)) {
                 $acl->addResource($res);
             }
             $acl->allow($role, $res);
         }
     }
     $commonAcl = array('acl' => $acl, 'dbRoles' => $dbRoles);
     $cache->save($commonAcl, 'commonAcl');
     Zend_Registry::get('logger')->debug('Common ACL cached.');
     return $commonAcl;
 }
Beispiel #12
0
 /**
  * Confirm that deleting a role after allowing access to all roles
  * raise undefined index error
  *
  * @group ZF-5700
  */
 public function testRemovingRoleAfterItWasAllowedAccessToAllResourcesGivesError()
 {
     $acl = new Zend_Acl();
     $acl->addRole(new Zend_Acl_Role('test0'));
     $acl->addRole(new Zend_Acl_Role('test1'));
     $acl->addRole(new Zend_Acl_Role('test2'));
     $acl->addResource(new Zend_Acl_Resource('Test'));
     $acl->allow(null, 'Test', 'xxx');
     // error test
     $acl->removeRole('test0');
     // Check after fix
     $this->assertFalse($acl->hasRole('test0'));
 }
Beispiel #13
0
 protected function _initAcl()
 {
     $acl = new Zend_Acl();
     $acl->addRole(Kaltura_AclHelper::ROLE_GUEST);
     $currentRole = Kaltura_AclHelper::getCurrentRole();
     $currentPermissions = Kaltura_AclHelper::getCurrentPermissions();
     if (!$acl->hasRole($currentRole)) {
         $acl->addRole($currentRole);
     }
     $accessItems = Zend_Registry::get('config')->access;
     $allAccess = array();
     foreach ($accessItems as $resource => $accessConfig) {
         if (!$accessConfig instanceof Zend_Config) {
             $requiredPermissions = $accessConfig;
         } else {
             if (isset($accessConfig->all)) {
                 $requiredPermissions = $accessConfig->all;
             } else {
                 continue;
             }
         }
         $acl->addResource(new Zend_Acl_Resource($resource));
         if ($requiredPermissions) {
             $allow = true;
             if ($requiredPermissions != '*') {
                 $allAccess[$resource] = $requiredPermissions;
                 $requiredPermissions = array_map('trim', explode(',', $requiredPermissions));
                 foreach ($requiredPermissions as $required) {
                     if (!in_array($required, $currentPermissions, true)) {
                         $allow = false;
                         break;
                     }
                 }
             }
             if ($allow) {
                 $acl->allow($currentRole, $resource);
             } else {
                 $acl->deny($currentRole, $resource);
             }
         }
     }
     foreach ($accessItems as $resource => $accessConfig) {
         if ($accessConfig instanceof Zend_Config) {
             foreach ($accessConfig as $action => $requiredPermissions) {
                 if ($action == 'all') {
                     continue;
                 }
                 $acl->addResource(new Zend_Acl_Resource($resource . $action), $resource);
                 $allow = true;
                 if ($requiredPermissions != '*') {
                     if (isset($allAccess[$resource])) {
                         $requiredPermissions .= ',' . $allAccess[$resource];
                     }
                     $requiredPermissions = array_map('trim', explode(',', $requiredPermissions));
                     foreach ($requiredPermissions as $required) {
                         if (!in_array($required, $currentPermissions, true)) {
                             $allow = false;
                             break;
                         }
                     }
                 }
                 if ($allow) {
                     $acl->allow($currentRole, $resource, $action);
                 } else {
                     $acl->deny($currentRole, $resource, $action);
                 }
             }
         }
     }
     Zend_Registry::set('acl', $acl);
 }
 /**
  * Returns true if and only if the Role exists in the registry
  *
  * The $role parameter can either be a Role or a Role identifier.
  *
  * @param  Zend_Acl_Role_Interface|string $role
  * @uses   Zend_Acl::hasRole()
  * @return boolean
  */
 public function hasRole($role)
 {
     if ($this->hasCachingAdapter()) {
         $this->_checkCaching();
     }
     //Wenn die Role angegeben wurde und nicht im Acl-Object existiert
     //und noch kein Ladeversuch unternommen wurde, wird versucht die Role zu laden.
     $roleId = $role instanceof Zend_Acl_Role_Interface ? $role->getRoleId() : (string) $role;
     if (!is_null($roleId) && !parent::hasRole($roleId) && !$this->hasRoleLoaded($roleId)) {
         $arrRoles = $this->_getAdapter()->loadRole($roleId);
         if (count($arrRoles) > 0) {
             foreach ($arrRoles as $arrRole) {
                 if ($this->hasRoleLoaded($arrRole[0])) {
                     continue;
                 }
                 $this->_setRoleLoaded($arrRole[0]);
                 parent::addRole(new Zend_Acl_Role($arrRole[0]), $arrRole[1]);
             }
         } else {
             $this->_setRoleLoaded($roleId);
         }
     }
     return parent::hasRole($roleId);
 }
 /**
  * Roles (papeis)
  */
 protected function _setupResourcesPrivileges()
 {
     if (!$this->_acl->hasRole('Usuario')) {
         $this->_acl->addRole(new Zend_Acl_Role('Usuario'));
     }
 }
 /**
  * get roles and resources from db, build Zend_Acl structure and add permissions
  * @param Zend_Db $db
  */
 protected function makeAcl($db)
 {
     $acl = new Zend_Acl();
     $res = $db->fetchAll('select * from system_role');
     foreach ($res as $obj) {
         if ($obj['inherit_role'] != '') {
             if ($acl->hasRole($obj['inherit_role'])) {
                 $acl->addRole(new Zend_Acl_Role($obj['role']), $obj['inherit_role']);
             } else {
                 /**
                  * @todo very simply system to order roles, add role before inherited role
                  */
                 $res[] = $obj;
                 continue;
             }
         } else {
             $acl->addRole(new Zend_Acl_Role($obj['role']));
         }
     }
     $res = $db->fetchAll('select * from system_resource');
     foreach ($res as $obj) {
         $acl->addResource(new Zend_Acl_Resource($obj['resource']));
     }
     $res = $db->fetchAll('select r.role as role, rs.resource as resource, permission, privilege ' . 'from system_role as r join system_role_has_system_resource as m on ' . '(r.id = m.system_role_id) join system_resource as rs on (m.system_resource_id = rs.id)');
     foreach ($res as $obj) {
         $privilege = explode(',', $obj['privilege']);
         if ($obj['permission'] == 'allow') {
             $acl->allow($obj['role'], $obj['resource'], $privilege);
         } else {
             $acl->deny($obj['role'], $obj['resource'], $privilege);
         }
     }
     return $acl;
 }
Beispiel #17
0
 /**
  * Check if the ACL allows accessing the function or method
  *
  * @param string|object $object Object or class being accessed
  * @param string $function Function or method being accessed
  * @return unknown_type
  */
 protected function _checkAcl($object, $function)
 {
     if (!$this->_acl) {
         return true;
     }
     if ($object) {
         $class = is_object($object) ? get_class($object) : $object;
         if (!$this->_acl->has($class)) {
             require_once 'Zend/Acl/Resource.php';
             $this->_acl->add(new Zend_Acl_Resource($class));
         }
         $call = array($object, "initAcl");
         if (is_callable($call) && !call_user_func($call, $this->_acl)) {
             // if initAcl returns false, no ACL check
             return true;
         }
     } else {
         $class = null;
     }
     $auth = Zend_Auth::getInstance();
     if ($auth->hasIdentity()) {
         $role = $auth->getIdentity()->role;
     } else {
         if ($this->_acl->hasRole(Zend_Amf_Constants::GUEST_ROLE)) {
             $role = Zend_Amf_Constants::GUEST_ROLE;
         } else {
             require_once 'Zend/Amf/Server/Exception.php';
             throw new Zend_Amf_Server_Exception("Unauthenticated access not allowed");
         }
     }
     if ($this->_acl->isAllowed($role, $class, $function)) {
         return true;
     } else {
         require_once 'Zend/Amf/Server/Exception.php';
         throw new Zend_Amf_Server_Exception("Access not allowed");
     }
 }
 protected function _initAcl()
 {
     $acl = new Zend_Acl();
     $acl->addRole(Infra_AclHelper::ROLE_GUEST);
     $currentRole = Infra_AclHelper::getCurrentRole();
     $currentPermissions = Infra_AclHelper::getCurrentPermissions();
     if (!$acl->hasRole($currentRole)) {
         $acl->addRole($currentRole);
     }
     $accessItems = Zend_Registry::get('config')->access;
     $allAccess = array();
     foreach ($accessItems as $resource => $accessConfig) {
         if (!$accessConfig instanceof Zend_Config) {
             $requiredPermissions = $accessConfig;
         } else {
             if (isset($accessConfig->all)) {
                 $requiredPermissions = $accessConfig->all;
             } else {
                 continue;
             }
         }
         $acl->addResource(new Zend_Acl_Resource($resource));
         if ($requiredPermissions) {
             $allow = true;
             if ($requiredPermissions != '*') {
                 $allAccess[$resource] = $requiredPermissions;
                 $requiredPermissions = array_map('trim', explode(',', $requiredPermissions));
                 foreach ($requiredPermissions as $required) {
                     if (!in_array($required, $currentPermissions, true)) {
                         $allow = false;
                         break;
                     }
                 }
             }
             if ($allow) {
                 $acl->allow($currentRole, $resource);
             } else {
                 $acl->deny($currentRole, $resource);
             }
         }
     }
     foreach ($accessItems as $resource => $accessConfig) {
         if ($accessConfig instanceof Zend_Config) {
             foreach ($accessConfig as $action => $requiredPermissions) {
                 if ($action == 'all') {
                     continue;
                 }
                 $acl->addResource(new Zend_Acl_Resource($resource . $action), $resource);
                 $allow = true;
                 if ($requiredPermissions != '*') {
                     if (isset($allAccess[$resource])) {
                         $requiredPermissions .= ',' . $allAccess[$resource];
                     }
                     $requiredPermissions = array_map('trim', explode(',', $requiredPermissions));
                     foreach ($requiredPermissions as $required) {
                         if (!in_array($required, $currentPermissions, true)) {
                             $allow = false;
                             break;
                         }
                     }
                 } else {
                     //If no special permission is required to view this resource, it should be added to the whitelisted resources
                     $resourceUrl = "{$resource}/{$action}";
                     Infra_AuthPlugin::addToWhitelist($resourceUrl);
                 }
                 if ($allow) {
                     $acl->allow($currentRole, $resource, $action);
                 } else {
                     $acl->deny($currentRole, $resource, $action);
                 }
             }
         }
     }
     Zend_Registry::set('acl', $acl);
 }