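/**
 * Registers the Authority rules for the logged-in user.
 *
 * Rules are taken from the session when 'authority_rules' is set there;
 * otherwise they are loaded through rule_model for the user's role and
 * then cached in the session. Because of that cache a change to a role's
 * rules only takes effect once the session entry is cleared (logout /
 * login) — clear it (see on_logout()) if rules must be re-read on every
 * request.
 *
 * A rule whose resource is 'all' is treated as the super-admin rule: it
 * sets self::$has_all and grants Authority::allow('manage', 'all'), and no
 * other rule is applied. Otherwise each rule allows (permission == 1) or
 * denies 'access' on its resource, plus every action named in the
 * comma-separated 'actions' column.
 *
 * @param object $user  Logged-in user; must provide get_role().
 * @return void
 */
protected static function set_rules($user)
{
    // Rules: from the session cache when present, else from the role's
    // rules in the database (and then stored in the session — see docblock).
    $rules = self::$session->userdata('authority_rules');
    if (!$rules) {
        self::$ci->load->model(array('role_model', 'rule_model'), '', TRUE);
        $rules = self::$ci->rule_model->get_from_role($user->get_role());
        self::$session->set_userdata('authority_rules', $rules);
    }
    // No rules (NULL/FALSE from the model) means nothing to register.
    if (!is_array($rules)) {
        $rules = array();
    }

    // Super admin: a rule on resource 'all' grants everything. Compared as
    // strings so a non-string resource value can never loosely equal 'all'.
    foreach ($rules as $rule) {
        if ((string) $rule['resource'] === 'all') {
            // NOTE: this flag is only ever set, never reset; a later call in
            // the same process keeps the super-admin state.
            self::$has_all = TRUE;
            Authority::allow('manage', 'all');
            break;
        }
    }
    if (self::$has_all) {
        return;
    }

    // Regular roles: one allow/deny per (action, resource) pair.
    foreach ($rules as $rule) {
        // permission may come back from the DB as a string ('1'); compare
        // numerically rather than with a loose ==.
        $allowed = (int) $rule['permission'] === 1;

        // 'access' is always registered; extra actions come from the
        // comma-separated list. Names are trimmed and empty entries dropped so
        // that 'delete, update' or a trailing comma does not register a rule
        // on ' update' / '' that never matches — for a deny rule that would
        // silently leave the real action allowed.
        $actions = array('access');
        if (!empty($rule['actions'])) {
            foreach (explode(',', $rule['actions']) as $name) {
                $name = trim($name);
                if ($name !== '') {
                    $actions[] = $name;
                }
            }
        }

        foreach ($actions as $action) {
            if ($allowed) {
                Authority::allow($action, $rule['resource']);
            } else {
                Authority::deny($action, $rule['resource']);
            }
        }
    }
}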
// The logged in user is an admin, we allow him to perform manage actions (create, read, update, delete) on "all" "Resources". Authority::allow('manage', 'all'); // Let's say we want to "Deny" the admin from adding accounts if his age is below 21 (i don't mean to discriminate ;) // Since we have the User object, and it has an "age" property, we can make a simple if statement. if ($user->age < 21) { // Too young! we "deny" the user to create users, i'm sorry... Authority::deny('create', 'User'); } // Let's make it a little harder, we don't want the admin to be able to delete his own User account, but has to be allowed to delete other Users. // We only know that the "Resource" is a User, But we don't know the User id, we can send that information to the Rule Closure, in the Closure below, the argument is called $that_user. // We also pass in the logged in user, since the Closure is outside of the scope where this comment is in. Authority::deny('delete', 'User', function ($that_user) use($user) { // If the id of the User that we are trying to delete is equal to our logged in user, we return true, meaning the Deny Rule will be set. return (int) $that_user->id === (int) $user->id; }); } if ($user->has_role('store_owner')) { // What if the logged in User has the role "store_owner", let's allow the user to manage his own store Authority::allow('manage', 'Store', function ($store) use($user) { return is_null(DB::table('stores')->where_id($store->id)->where_user_id($user->id)->first()); }); // We can also allow "Actions" on certain "Resources" by results we get from somewhere else, look closely at the next example foreach (DB::table('permissions')->where_user_id($user->id)->get() as $permission) { if ($permission->type === 'allow') { Authority::allow($permission->action, $permission->resource); } else { Authority::deny($permission->action, $permission->resource); } } } });