/**
* (non-PHPdoc)
* @see \oat\tao\model\accessControl\func\FuncAccessControl::accessPossible()
*/
public function accessPossible(User $user, $controller, $action)
{
$userRoles = $user->getRoles();
try {
$controllerAccess = funcAcl_helpers_Cache::getControllerAccess($controller);
$allowedRoles = isset($controllerAccess['actions'][$action]) ? array_merge($controllerAccess['module'], $controllerAccess['actions'][$action]) : $controllerAccess['module'];
$accessAllowed = count(array_intersect($userRoles, $allowedRoles)) > 0;
if (!$accessAllowed) {
common_Logger::i('Access denied to ' . $controller . '@' . $action . ' for user \'' . $user->getIdentifier() . '\'');
}
} catch (ReflectionException $e) {
common_Logger::i('Unknown controller ' . $controller);
$accessAllowed = false;
}
return (bool) $accessAllowed;
}
public static function run()
{
// We get all the management roles and the extension they belong to.
$managementRoleClass = new core_kernel_classes_Class(CLASS_MANAGEMENTROLE);
$foundManagementRoles = $managementRoleClass->getInstances(true);
$managementRolesByExtension = array();
foreach (common_ext_ExtensionsManager::singleton()->getInstalledExtensions() as $extension) {
$managementRole = $extension->getManagementRole();
if (empty($managementRole)) {
// try to discover it.
foreach ($foundManagementRoles as $mR) {
$moduleURIs = $mR->getPropertyValues(new core_kernel_classes_Property(PROPERTY_ACL_GRANTACCESS));
foreach ($moduleURIs as $moduleURI) {
$uri = explode('#', $moduleURI);
list($type, $extId) = explode('_', $uri[1]);
if ($extId == $extension->getId()) {
$managementRole = $mR;
break 2;
}
}
}
}
if (!empty($managementRole)) {
$managementRolesByExtension[$extension->getId()] = $managementRole;
}
}
funcAcl_helpers_Cache::flush();
foreach (common_ext_ExtensionsManager::singleton()->getInstalledExtensions() as $extension) {
if ($extension->getId() != 'generis') {
// 2. Grant access to Management Role.
if (!empty($managementRolesByExtension[$extension->getId()])) {
$extAccessService = funcAcl_models_classes_ExtensionAccessService::singleton();
$extAccessService->add($managementRolesByExtension[$extension->getId()]->getUri(), $extAccessService->makeEMAUri($extension->getId()));
} else {
common_Logger::i('Management Role not found for extension ' . $extension->getId());
}
}
}
}
/**
* Short description of method remove
*
* @access public
* @author Jehan Bihin, <*****@*****.**>
* @param string roleUri
* @param string accessUri
* @return mixed
*/
public function remove($roleUri, $accessUri)
{
$uri = explode('#', $accessUri);
list($type, $extId) = explode('_', $uri[1]);
// Remove the access to the extension for this role.
$extManager = common_ext_ExtensionsManager::singleton();
$extension = $extManager->getExtensionById($extId);
$role = new core_kernel_classes_Resource($roleUri);
$role->removePropertyValues(new core_kernel_classes_Property(PROPERTY_ACL_GRANTACCESS), array('pattern' => $accessUri));
funcAcl_helpers_Cache::flushExtensionAccess($extId);
// also remove access to all the controllers
$moduleAccessProperty = new core_kernel_classes_Property(PROPERTY_ACL_GRANTACCESS);
$moduleAccessService = funcAcl_models_classes_ModuleAccessService::singleton();
$grantedModules = $role->getPropertyValues($moduleAccessProperty);
foreach ($grantedModules as $gM) {
$gM = new core_kernel_classes_Resource($gM);
$uri = explode('#', $gM->getUri());
list($type, $ext) = explode('_', $uri[1]);
if ($extId == $ext) {
$moduleAccessService->remove($role->getUri(), $gM->getUri());
}
}
}
/**
* Short description of method remove
*
* @access public
* @author Jehan Bihin, <*****@*****.**>
* @param string $roleUri
* @param string $accessUri
* @return mixed
*/
public function remove($roleUri, $accessUri)
{
$module = new core_kernel_classes_Resource($accessUri);
$role = new core_kernel_classes_Class($roleUri);
$accessProperty = new core_kernel_classes_Property(funcAcl_models_classes_AccessService::PROPERTY_ACL_GRANTACCESS);
// Retrieve the module ID.
$uri = explode('#', $module->getUri());
list($type, $extId, $modId) = explode('_', $uri[1]);
// access via extension?
$extAccess = funcAcl_helpers_Cache::getExtensionAccess($extId);
if (in_array($roleUri, $extAccess)) {
// remove access to extension
$extUri = $this->makeEMAUri($extId);
funcAcl_models_classes_ExtensionAccessService::singleton()->remove($roleUri, $extUri);
// add access to all other controllers
foreach (funcAcl_helpers_Model::getModules($extId) as $eModule) {
if (!$module->equals($eModule)) {
$this->add($roleUri, $eModule->getUri());
$this->getEventManager()->trigger(new AccessRightRemovedEvent($roleUri, $eModule->getUri()));
//$role->setPropertyValue($accessProperty, $eModule->getUri());
}
}
//funcAcl_helpers_Cache::flushExtensionAccess($extId);
}
// Remove the access to the module for this role.
$role->removePropertyValue($accessProperty, $module->getUri());
$this->getEventManager()->trigger(new AccessRightRemovedEvent($roleUri, $accessUri));
funcAcl_helpers_Cache::cacheModule($module);
// Remove the access to the actions corresponding to the module for this role.
foreach (funcAcl_helpers_Model::getActions($module) as $actionResource) {
funcAcl_models_classes_ActionAccessService::singleton()->remove($role->getUri(), $actionResource->getUri());
}
funcAcl_helpers_Cache::cacheModule($module);
}
public function testACLCache()
{
$moduleCache = funcAcl_helpers_Cache::getControllerAccess('tao_actions_Users');
$this->assertTrue(is_array($moduleCache));
}
/**
* Short description of method remove
*
* @access public
* @author Jehan Bihin, <*****@*****.**>
* @param string roleUri
* @param string accessUri
* @return mixed
*/
public function remove($roleUri, $accessUri)
{
$uri = explode('#', $accessUri);
list($type, $ext, $mod, $act) = explode('_', $uri[1]);
$role = new core_kernel_classes_Class($roleUri);
$actionAccessProperty = new core_kernel_classes_Property(funcAcl_models_classes_AccessService::PROPERTY_ACL_GRANTACCESS);
$module = new core_kernel_classes_Resource($this->makeEMAUri($ext, $mod));
$controllerClassName = funcAcl_helpers_Map::getControllerFromUri($module->getUri());
// access via controller?
$controllerAccess = funcAcl_helpers_Cache::getControllerAccess($controllerClassName);
if (in_array($roleUri, $controllerAccess['module'])) {
// remove access to controller
funcAcl_models_classes_ModuleAccessService::singleton()->remove($roleUri, $module->getUri());
// add access to all other actions
foreach (funcAcl_helpers_Model::getActions($module) as $action) {
if ($action->getUri() != $accessUri) {
$this->add($roleUri, $action->getUri());
$this->getEventManager()->trigger(new AccessRightAddedEvent($roleUri, $action->getUri()));
}
}
} elseif (isset($controllerAccess['actions'][$act]) && in_array($roleUri, $controllerAccess['actions'][$act])) {
// remove action only
$role->removePropertyValues($actionAccessProperty, array('pattern' => $accessUri));
$this->getEventManager()->trigger(new AccessRightRemovedEvent($roleUri, $accessUri));
funcAcl_helpers_Cache::flushControllerAccess($controllerClassName);
}
}
/**
* Shows the access to the actions of a controller for a specific role
*
* @throws Exception
*/
public function getActions()
{
if (!tao_helpers_Request::isAjax()) {
throw new Exception("wrong request mode");
} else {
$role = new core_kernel_classes_Resource($this->getRequestParameter('role'));
$included = array();
foreach (tao_models_classes_RoleService::singleton()->getIncludedRoles($role) as $includedRole) {
$included[] = $includedRole->getUri();
}
$module = new core_kernel_classes_Resource($this->getRequestParameter('module'));
$controllerClassName = funcAcl_helpers_Map::getControllerFromUri($module->getUri());
$controllerAccess = funcAcl_helpers_Cache::getControllerAccess($controllerClassName);
$actions = array();
foreach (ControllerHelper::getActions($controllerClassName) as $actionName) {
$uri = funcAcl_helpers_Map::getUriForAction($controllerClassName, $actionName);
$part = explode('#', $uri);
list($type, $extId, $modId, $actId) = explode('_', $part[1]);
$allowedRoles = isset($controllerAccess['actions'][$actionName]) ? array_merge($controllerAccess['module'], $controllerAccess['actions'][$actionName]) : $controllerAccess['module'];
$access = count(array_intersect($included, $allowedRoles)) > 0 ? self::ACCESS_INHERITED : (in_array($role->getUri(), $allowedRoles) ? self::ACCESS_FULL : self::ACCESS_NONE);
$actions[$actId] = array('uri' => $uri, 'access' => $access);
}
ksort($actions);
$this->returnJson($actions);
}
}
