It looks in the config.
public static getDisabledResources ( ) : array | ||
return | array | Returns array of the disabled ACL resources |
/** * Gets all Resources * * This method describes all available resources * * @return \ArrayObject Returns array looks like array( * resource_id => array(name, description, resourceGroup, [array(permission_id => description)])) * Third value of array is optional and determines unique permissions for specified * resource which can be allowed or forbidden separately. */ public static function getAll($raw = false) { $allows = 'Allows '; if (!isset(self::$list)) { self::$rawList = array(Acl::RESOURCE_FARMS => array('Farms', $allows . 'access to farm designer.', Acl::GROUP_FARMS, array(Acl::PERM_FARMS_MANAGE => $allows . 'to manage (create/configure/delete) farms.', Acl::PERM_FARMS_CLONE => $allows . 'to clone farms.', Acl::PERM_FARMS_LAUNCH => $allows . 'to launch farms.', Acl::PERM_FARMS_TERMINATE => $allows . 'to terminate farms.', Acl::PERM_FARMS_NOT_OWNED_FARMS => $allows . 'to manage not owned farms.')), Acl::RESOURCE_FARMS_ALERTS => array('Alerts', $allows . 'access to alerts.', Acl::GROUP_FARMS), Acl::RESOURCE_FARMS_SERVERS => array('Servers', $allows . 'access to servers.', Acl::GROUP_FARMS), Acl::RESOURCE_FARMS_EVENTS_AND_NOTIFICATIONS => array('Events and notifications', $allows . 'access to events and notifications.', Acl::GROUP_FARMS), Acl::RESOURCE_FARMS_STATISTICS => array('Statistics', $allows . 'access to statistics.', Acl::GROUP_FARMS), Acl::RESOURCE_FARMS_ROLES => array('Roles', $allows . 'access to roles.', Acl::GROUP_FARMS, array(Acl::PERM_FARMS_ROLES_CREATE => $allows . 'to create (build/import) roles.', Acl::PERM_FARMS_ROLES_MANAGE => $allows . 'to manage (edit/delete) roles.', Acl::PERM_FARMS_ROLES_CLONE => $allows . 'to clone roles.', Acl::PERM_FARMS_ROLES_BUNDLETASKS => $allows . 'to bundle tasks (role creation process logs).')), Acl::RESOURCE_FARMS_SCRIPTS => array('Scripts', $allows . 'access to scripts.', Acl::GROUP_FARMS, array(Acl::PERM_FARMS_SCRIPTS_MANAGE => $allows . 'to manage (create/edit/delete) scripts.', Acl::PERM_FARMS_SCRIPTS_EXECUTE => $allows . 'to execute scripts.', Acl::PERM_FARMS_SCRIPTS_FORK => $allows . 'to fork scripts.')), Acl::RESOURCE_CLOUDSTACK_VOLUMES => array('Volumes', $allows . 'access to CloudStack volumes.', Acl::GROUP_CLOUDSTACK), Acl::RESOURCE_CLOUDSTACK_SNAPSHOTS => array('Snapshots', $allows . 'access to CloudStack snapshots.', Acl::GROUP_CLOUDSTACK), Acl::RESOURCE_CLOUDSTACK_PUBLIC_IPS => array('Public IPs', $allows . 'access to CloudStack public IPs.', Acl::GROUP_CLOUDSTACK), Acl::RESOURCE_OPENSTACK_VOLUMES => array('Volumes', $allows . 'access to OpenStack volumes.', Acl::GROUP_OPENSTACK), Acl::RESOURCE_OPENSTACK_SNAPSHOTS => array('Snapshots', $allows . 'access to OpenStack snapshots.', Acl::GROUP_OPENSTACK), Acl::RESOURCE_OPENSTACK_PUBLIC_IPS => array('Public IPs', $allows . 'access to OpenStack public IPs.', Acl::GROUP_OPENSTACK), Acl::RESOURCE_AWS_CLOUDWATCH => array('CloudWatch', $allows . 'access to AWS CloudWatch.', Acl::GROUP_AWS), Acl::RESOURCE_AWS_ELASTIC_IPS => array('Elastic IPs', $allows . 'access to AWS Elastic IPs.', Acl::GROUP_AWS), Acl::RESOURCE_AWS_ELB => array('Elastic Load Balancing (ELB)', $allows . 'access to AWS Elastic Load Balancing.', Acl::GROUP_AWS), Acl::RESOURCE_AWS_IAM => array('Identity and Access Management (IAM)', $allows . 'access to AWS Identity and Access Management.', Acl::GROUP_AWS), Acl::RESOURCE_AWS_RDS => array('Relational Database Service (RDS)', $allows . 'access to Amazon Relational Database Service.', Acl::GROUP_AWS), Acl::RESOURCE_AWS_SNAPSHOTS => array('Snapshots', $allows . 'access to AWS snapshots.', Acl::GROUP_AWS), Acl::RESOURCE_AWS_VOLUMES => array('Volumes', $allows . 'access to AWS Volumes.', Acl::GROUP_AWS), Acl::RESOURCE_SECURITY_AWS_SECURITY_GROUPS => array('AWS security groups', $allows . 'access to AWS security groups.', Acl::GROUP_SECURITY), Acl::RESOURCE_SECURITY_RETRIEVE_WINDOWS_PASSWORDS => array('Retrieve Windows passwords', $allows . 'access to retrieve passwords for windows.', Acl::GROUP_SECURITY), Acl::RESOURCE_SECURITY_SSH_KEYS => array('SSH keys', $allows . 'access to SSH keys.', Acl::GROUP_SECURITY), Acl::RESOURCE_LOGS_API_LOGS => array('API logs', $allows . 'access to API logs.', Acl::GROUP_LOGS), Acl::RESOURCE_LOGS_SCRIPTING_LOGS => array('Scripting logs', $allows . 'access to scripting logs.', Acl::GROUP_LOGS), Acl::RESOURCE_LOGS_SYSTEM_LOGS => array('System logs', $allows . 'access to system logs.', Acl::GROUP_LOGS), Acl::RESOURCE_SERVICES_APACHE => array('Apache', $allows . 'access to apache.', Acl::GROUP_SERVICES), Acl::RESOURCE_SERVICES_CHEF => array('Chef', $allows . 'access to chef.', Acl::GROUP_SERVICES), Acl::RESOURCE_SERVICES_SSL => array('SSL', $allows . 'access to SSL.', Acl::GROUP_SERVICES), Acl::RESOURCE_SERVICES_RABBITMQ => array('RabbitMQ', $allows . 'access to RabbitMQ.', Acl::GROUP_SERVICES), Acl::RESOURCE_GENERAL_CUSTOM_EVENTS => array('Custom events', $allows . 'access to custom events.', Acl::GROUP_GENERAL), Acl::RESOURCE_GENERAL_CUSTOM_SCALING_METRICS => array('Custom scaling metrics', $allows . 'access to custom scaling metrics.', Acl::GROUP_GENERAL), Acl::RESOURCE_GENERAL_GLOBAL_VARIABLES => array('Global variables (environment level)', $allows . 'access to global variables of environment level.', Acl::GROUP_GENERAL), Acl::RESOURCE_GENERAL_SCHEDULERTASKS => array('Tasks scheduler', $allows . 'access to tasks scheduler.', Acl::GROUP_GENERAL), Acl::RESOURCE_DB_BACKUPS => array('Backups', $allows . 'access to backups.', Acl::GROUP_DATABASES, array(Acl::PERM_DB_BACKUPS_REMOVE => $allows . 'to remove database backups.')), Acl::RESOURCE_DB_DATABASE_STATUS => array('Database status', $allows . 'access to database status.', Acl::GROUP_DATABASES, array(Acl::PERM_DB_DATABASE_STATUS_PMA => $allows . 'access to PMA.')), Acl::RESOURCE_DB_SERVICE_CONFIGURATION => array('Service configuration', $allows . 'access to service configuration.', Acl::GROUP_DATABASES), Acl::RESOURCE_DEPLOYMENTS_APPLICATIONS => array('Applications', $allows . 'access to applications.', Acl::GROUP_DEPLOYMENTS), Acl::RESOURCE_DEPLOYMENTS_SOURCES => array('Sources', $allows . 'access to sources.', Acl::GROUP_DEPLOYMENTS), Acl::RESOURCE_DEPLOYMENTS_TASKS => array('Tasks', $allows . 'access to tasks.', Acl::GROUP_DEPLOYMENTS), Acl::RESOURCE_DNS_ZONES => array('Zones', $allows . 'access to DNS zones.', Acl::GROUP_DNS), Acl::RESOURCE_ADMINISTRATION_BILLING => array('Billing', $allows . 'access to billing.', Acl::GROUP_ADMINISTRATION), Acl::RESOURCE_ADMINISTRATION_GOVERNANCE => array('Governance', $allows . 'access to governance.', Acl::GROUP_ADMINISTRATION), Acl::RESOURCE_ADMINISTRATION_ENV_CLOUDS => array('Setup clouds', $allows . 'to manage cloud credentials for environments in which this user is a team member', Acl::GROUP_ADMINISTRATION)); //Removes disabled resources foreach (Acl::getDisabledResources() as $resourceId) { if (isset(self::$rawList[$resourceId])) { unset(self::$rawList[$resourceId]); } } //Initializes set of the resources self::$list = new \ArrayObject(array()); self::$idx = array(); foreach (self::$rawList as $resourceId => $optionsArray) { $resourceDefinition = new ResourceObject($resourceId, $optionsArray); self::$list[$resourceId] = $resourceDefinition; if (!isset(self::$idx[$resourceDefinition->getGroup()])) { self::$idx[$resourceDefinition->getGroup()] = array(); } self::$idx[$resourceDefinition->getGroup()][] = $resourceId; } } return $raw ? self::$rawList : self::$list; }
/** * Gets all Resources * * This method describes all available resources * * @return \ArrayObject Returns array looks like [ * resource_id => [name, description, resourceGroup, [[permission_id => description)]]] * Third value of array is optional and determines unique permissions for specified * resource which can be allowed or forbidden separately. */ public static function getAll($raw = false) { $allows = 'Allows '; if (!isset(self::$list)) { self::$rawList = [Acl::RESOURCE_FARMS => ['All Farms', $allows . 'access to farms and servers.', Acl::GROUP_FARMS_SERVERS, [Acl::PERM_FARMS_MANAGE => $allows . 'to manage (create/configure/delete) farms.', Acl::PERM_FARMS_CLONE => $allows . 'to clone farms.', Acl::PERM_FARMS_LAUNCH_TERMINATE => $allows . 'to launch/terminate farms.', Acl::PERM_FARMS_CHANGE_OWNERSHIP => $allows . 'to change owner or team', Acl::PERM_FARMS_SERVERS => $allows . 'to manage servers', Acl::PERM_FARMS_STATISTICS => $allows . 'to access statistics']], Acl::RESOURCE_TEAM_FARMS => ['Farms Your Teams Own', $allows . 'access to farms and servers.', Acl::GROUP_FARMS_SERVERS, [Acl::PERM_FARMS_MANAGE => $allows . 'to manage (create/configure/delete) farms.', Acl::PERM_FARMS_CLONE => $allows . 'to clone farms.', Acl::PERM_FARMS_LAUNCH_TERMINATE => $allows . 'to launch/terminate farms.', Acl::PERM_FARMS_CHANGE_OWNERSHIP => $allows . 'to change owner or team', Acl::PERM_FARMS_SERVERS => $allows . 'to manage servers', Acl::PERM_FARMS_STATISTICS => $allows . 'to access statistics']], Acl::RESOURCE_OWN_FARMS => ['Farms You Own', $allows . 'access to farms and servers.', Acl::GROUP_FARMS_SERVERS, [Acl::PERM_FARMS_MANAGE => $allows . 'to manage (create/configure/delete) farms.', Acl::PERM_FARMS_CLONE => $allows . 'to clone farms.', Acl::PERM_FARMS_LAUNCH_TERMINATE => $allows . 'to launch/terminate farms.', Acl::PERM_FARMS_CHANGE_OWNERSHIP => $allows . 'to change owner or team', Acl::PERM_FARMS_SERVERS => $allows . 'to manage servers', Acl::PERM_FARMS_STATISTICS => $allows . 'to access statistics']], Acl::RESOURCE_FARMS_ROLES => ['Roles', $allows . 'access to roles.', Acl::GROUP_ROLES_IMAGES, [Acl::PERM_FARMS_ROLES_CREATE => $allows . 'to create (build/import) roles.', Acl::PERM_FARMS_ROLES_MANAGE => $allows . 'to manage (edit/delete) roles.', Acl::PERM_FARMS_ROLES_CLONE => $allows . 'to clone roles.', Acl::PERM_FARMS_ROLES_BUNDLETASKS => $allows . 'to bundle tasks (role creation process logs).']], Acl::RESOURCE_FARMS_IMAGES => ['Images', $allows . 'access to images.', Acl::GROUP_ROLES_IMAGES, [Acl::PERM_FARMS_ROLES_CREATE => $allows . 'to create (build/import) images.', Acl::PERM_FARMS_ROLES_MANAGE => $allows . 'to manage (edit/delete) images.']], Acl::RESOURCE_GCE_STATIC_IPS => ['Static IPs', $allows . 'access to GCE static IPs.', Acl::GROUP_GCE], Acl::RESOURCE_GCE_PERSISTENT_DISKS => ['Persistent disks', $allows . 'access to GCE persistent disks.', Acl::GROUP_GCE], Acl::RESOURCE_GCE_SNAPSHOTS => ['Snapshots', $allows . 'access to GCE snapshots.', Acl::GROUP_GCE], Acl::RESOURCE_CLOUDSTACK_VOLUMES => ['Volumes', $allows . 'access to CloudStack volumes.', Acl::GROUP_CLOUDSTACK], Acl::RESOURCE_CLOUDSTACK_SNAPSHOTS => ['Snapshots', $allows . 'access to CloudStack snapshots.', Acl::GROUP_CLOUDSTACK], Acl::RESOURCE_CLOUDSTACK_PUBLIC_IPS => ['Public IPs', $allows . 'access to CloudStack public IPs.', Acl::GROUP_CLOUDSTACK], Acl::RESOURCE_OPENSTACK_VOLUMES => ['Volumes', $allows . 'access to OpenStack volumes.', Acl::GROUP_OPENSTACK], Acl::RESOURCE_OPENSTACK_SNAPSHOTS => ['Snapshots', $allows . 'access to OpenStack snapshots.', Acl::GROUP_OPENSTACK], Acl::RESOURCE_OPENSTACK_PUBLIC_IPS => ['Public IPs', $allows . 'access to OpenStack public IPs.', Acl::GROUP_OPENSTACK], Acl::RESOURCE_OPENSTACK_ELB => ['Load Balancing (LBaaS)', $allows . 'access to load balancing service.', Acl::GROUP_OPENSTACK], Acl::RESOURCE_AWS_S3 => ['S3 and Cloudfront', $allows . 'access to AWS S3 and Cloudfront.', Acl::GROUP_AWS], Acl::RESOURCE_AWS_CLOUDWATCH => ['CloudWatch', $allows . 'access to AWS CloudWatch.', Acl::GROUP_AWS], Acl::RESOURCE_AWS_ELASTIC_IPS => ['Elastic IPs', $allows . 'access to AWS Elastic IPs.', Acl::GROUP_AWS], Acl::RESOURCE_AWS_ELB => ['Elastic Load Balancing (ELB)', $allows . 'access to AWS Elastic Load Balancing.', Acl::GROUP_AWS], Acl::RESOURCE_AWS_IAM => ['Identity and Access Management (IAM)', $allows . 'access to AWS Identity and Access Management.', Acl::GROUP_AWS], Acl::RESOURCE_AWS_RDS => ['Relational Database Service (RDS)', $allows . 'access to Amazon Relational Database Service.', Acl::GROUP_AWS], Acl::RESOURCE_AWS_SNAPSHOTS => ['Snapshots', $allows . 'access to AWS snapshots.', Acl::GROUP_AWS], Acl::RESOURCE_AWS_VOLUMES => ['Volumes', $allows . 'access to AWS Volumes.', Acl::GROUP_AWS], Acl::RESOURCE_AWS_ROUTE53 => ['Route53', $allows . 'access to AWS Route53.', Acl::GROUP_AWS], Acl::RESOURCE_SECURITY_SECURITY_GROUPS => ['Security groups', $allows . 'access to security groups.', Acl::GROUP_SECURITY], Acl::RESOURCE_SECURITY_RETRIEVE_WINDOWS_PASSWORDS => ['Retrieve Windows passwords', $allows . 'access to retrieve passwords for windows.', Acl::GROUP_SECURITY], Acl::RESOURCE_SECURITY_SSH_KEYS => ['SSH keys', $allows . 'access to SSH keys.', Acl::GROUP_SECURITY], Acl::RESOURCE_LOGS_EVENT_LOGS => ['Event Log', $allows . 'access to the Event Log.', Acl::GROUP_LOGS], Acl::RESOURCE_LOGS_SYSTEM_LOGS => ['System Log', $allows . 'access to the System Log.', Acl::GROUP_LOGS], Acl::RESOURCE_LOGS_SCRIPTING_LOGS => ['Scripting Log', $allows . 'access to the Scripting Log.', Acl::GROUP_LOGS], Acl::RESOURCE_LOGS_API_LOGS => ['API Log', $allows . 'access to the API Log.', Acl::GROUP_LOGS], Acl::RESOURCE_SERVICES_APACHE => ['Apache', $allows . 'access to apache.', Acl::GROUP_SERVICES], Acl::RESOURCE_SERVICES_ENVADMINISTRATION_CHEF => ['Chef (environment scope)', $allows . 'to manage chef servers in the environment scope.', Acl::GROUP_SERVICES], Acl::RESOURCE_SERVICES_ADMINISTRATION_CHEF => ['Chef (account scope)', $allows . 'to manage chef servers in the account scope.', Acl::GROUP_SERVICES], Acl::RESOURCE_SERVICES_SSL => ['SSL', $allows . 'access to SSL.', Acl::GROUP_SERVICES], Acl::RESOURCE_SERVICES_RABBITMQ => ['RabbitMQ', $allows . 'access to RabbitMQ.', Acl::GROUP_SERVICES], Acl::RESOURCE_GENERAL_CUSTOM_EVENTS => ['Custom events', $allows . 'access to custom events.', Acl::GROUP_GENERAL, [Acl::PERM_GENERAL_CUSTOM_EVENTS_FIRE => $allows . 'to fire custom events.']], Acl::RESOURCE_GENERAL_CUSTOM_SCALING_METRICS => ['Custom scaling metrics', $allows . 'access to custom scaling metrics.', Acl::GROUP_GENERAL], Acl::RESOURCE_GENERAL_SCHEDULERTASKS => ['Tasks scheduler', $allows . 'access to tasks scheduler.', Acl::GROUP_GENERAL], Acl::RESOURCE_DB_BACKUPS => ['Backups', $allows . 'access to backups.', Acl::GROUP_DATABASES, [Acl::PERM_DB_BACKUPS_REMOVE => $allows . 'to remove database backups.']], Acl::RESOURCE_DB_DATABASE_STATUS => ['Database status', $allows . 'access to database status.', Acl::GROUP_DATABASES, [Acl::PERM_DB_DATABASE_STATUS_PMA => $allows . 'access to PMA.']], Acl::RESOURCE_DB_SERVICE_CONFIGURATION => ['Service configuration', $allows . 'access to service configuration.', Acl::GROUP_DATABASES], Acl::RESOURCE_DEPLOYMENTS_APPLICATIONS => ['Applications', $allows . 'access to applications.', Acl::GROUP_DEPLOYMENTS], Acl::RESOURCE_DEPLOYMENTS_SOURCES => ['Sources', $allows . 'access to sources.', Acl::GROUP_DEPLOYMENTS], Acl::RESOURCE_DEPLOYMENTS_TASKS => ['Tasks', $allows . 'access to tasks.', Acl::GROUP_DEPLOYMENTS], Acl::RESOURCE_DNS_ZONES => ['Zones', $allows . 'access to DNS zones.', Acl::GROUP_DNS], Acl::RESOURCE_ADMINISTRATION_BILLING => ['Billing', $allows . 'access to billing.', Acl::GROUP_ADMINISTRATION], Acl::RESOURCE_ADMINISTRATION_ORCHESTRATION => ['Orchestration (account scope)', $allows . 'access to orchestration in the account scope.', Acl::GROUP_ADMINISTRATION], Acl::RESOURCE_ADMINISTRATION_GLOBAL_VARIABLES => ['Global variables (account scope)', $allows . 'access to global variables in the account scope.', Acl::GROUP_ADMINISTRATION], Acl::RESOURCE_ADMINISTRATION_SCRIPTS => ['Scripts (account scope)', $allows . 'access to scripts.', Acl::GROUP_ADMINISTRATION, [Acl::PERM_ADMINISTRATION_SCRIPTS_MANAGE => $allows . 'to manage (create/edit/delete) scripts.', Acl::PERM_ADMINISTRATION_SCRIPTS_EXECUTE => $allows . 'to execute scripts.', Acl::PERM_ADMINISTRATION_SCRIPTS_FORK => $allows . 'to fork scripts.']], Acl::RESOURCE_ADMINISTRATION_WEBHOOKS => ['Webhooks (account scope)', $allows . 'to manage webhooks in the account scope.', Acl::GROUP_ADMINISTRATION], Acl::RESOURCE_ENVADMINISTRATION_ENV_CLOUDS => ['Setup clouds', $allows . 'to manage cloud credentials for environments in which this user is a team member', Acl::GROUP_ENVADMINISTRATION], Acl::RESOURCE_ENVADMINISTRATION_GOVERNANCE => ['Governance', $allows . 'access to governance.', Acl::GROUP_ENVADMINISTRATION], Acl::RESOURCE_ENVADMINISTRATION_GLOBAL_VARIABLES => ['Global variables (environment scope)', $allows . 'access to global variables in the environment scope.', Acl::GROUP_ENVADMINISTRATION], Acl::RESOURCE_ENVADMINISTRATION_WEBHOOKS => ['Webhooks (environment scope)', $allows . 'to manage webhooks in the environment scope.', Acl::GROUP_ENVADMINISTRATION], Acl::RESOURCE_ANALYTICS_PROJECTS => ['Cost Analytics Projects', $allows . ' account users to create a new projects for cost analytics', Acl::GROUP_ANALYTICS], Acl::RESOURCE_ADMINISTRATION_ANALYTICS => ['Cost Analytics (account scope)', $allows . ' access to Cost Analytics in the account scope', Acl::GROUP_ADMINISTRATION, [Acl::PERM_ADMINISTRATION_ANALYTICS_MANAGE_PROJECTS => $allows . 'to edit/create projects in the account scope.', Acl::PERM_ADMINISTRATION_ANALYTICS_ALLOCATE_BUDGET => $allows . "to set/edit projects' budgets in the account scope."]], Acl::RESOURCE_ENVADMINISTRATION_ANALYTICS => ['Cost Analytics (environment scope)', $allows . ' access to Cost Analytics in the environment scope', Acl::GROUP_ENVADMINISTRATION]]; //Removes disabled resources foreach (Acl::getDisabledResources() as $resourceId) { if (isset(self::$rawList[$resourceId])) { unset(self::$rawList[$resourceId]); } } //Initializes set of the resources self::$list = new \ArrayObject([]); self::$idx = []; foreach (self::$rawList as $resourceId => $optionsArray) { $resourceDefinition = new ResourceObject($resourceId, $optionsArray); self::$list[$resourceId] = $resourceDefinition; if (!isset(self::$idx[$resourceDefinition->getGroup()])) { self::$idx[$resourceDefinition->getGroup()] = []; } self::$idx[$resourceDefinition->getGroup()][] = $resourceId; } } return $raw ? self::$rawList : self::$list; }
/** * Loads permissions into role object * * @param Role\RoleObject $role A role object */ protected function loadRolePermissions(Role\RoleObject $role) { if ($role instanceof Role\AccountRoleObject) { $sAcc = 'account_'; $rmJoin = "LEFT JOIN acl_account_role_resource_modes rm ON rr.`account_role_id` = rm.account_role_id " . " AND rr.`resource_id` = rm.`resource_id`"; } else { $sAcc = ''; $rmJoin = ''; } $disabledResources = Acl::getDisabledResources(); $disabledSql = !empty($disabledResources) ? "AND rr.resource_id NOT IN (" . implode(',', array_fill(0, count($disabledResources), '?')) . ")" : ""; $res = $this->db->Execute("\n SELECT\n rr.`" . $sAcc . "role_id` AS `role_id`,\n rr.`resource_id`, rr.`granted`, rp.`perm_id`,\n rp.`granted` AS `perm_granted`,\n " . (!empty($rmJoin) ? "rm.`mode`" : "NULL AS `mode`") . "\n FROM `acl_" . $sAcc . "role_resources` rr\n " . $rmJoin . "\n LEFT JOIN `acl_" . $sAcc . "role_resource_permissions` rp\n ON rp.`" . $sAcc . "role_id` = rr.`" . $sAcc . "role_id`\n AND rp.`resource_id` = rr.`resource_id`\n WHERE rr.`" . $sAcc . "role_id` = ?\n {$disabledSql}\n ", array_merge((array) $role->getRoleId(), $disabledResources)); if ($res) { $resources = $role->getResources(); while ($rec = $res->FetchRow()) { if (!isset($resources[$rec['resource_id']])) { //Adds resource to role object $resource = new Role\RoleResourceObject($rec['role_id'], $rec['resource_id'], $rec['granted'], $rec['mode']); $role->appendResource($resource); } else { $resource = $resources[$rec['resource_id']]; } if ($rec['perm_id'] !== null) { $permission = new Role\RoleResourcePermissionObject($rec['role_id'], $rec['resource_id'], $rec['perm_id'], $rec['perm_granted']); //We should append permission only if it's been declared in the definition. $resourceDefinition = Resource\Definition::get($resource->getResourceId()); if ($resourceDefinition->hasPermission($permission->getPermissionId())) { $resource->appendPermission($permission); } unset($permission); } unset($resource); } } }
/** * Callback for the array_walk function call of providerIsImposedRestriction method * * @param array|string $aUri * @param string $index * @param array $options */ public function cb($aUri, $index, $options) { if (is_array($aUri)) { $uri = $aUri[0]; $parameters = !empty($aUri[1]) ? $aUri[1] : array(); $allActions = isset($aUri[2]) ? true : false; if ($allActions) { //Resolve all actions foreach ($this->getAllControllerActions($uri) as $actionUri) { $this->cb(array($actionUri, $parameters), $index, $options); } } } else { $uri = $aUri; $parameters = array(); $allActions = false; } $testUserId = $this->getUser()->getId(); $testEnvironmentId = $this->getEnvironment()->id; $match = function ($key) use($uri, $parameters) { if (!empty($parameters) && is_array($parameters)) { foreach ($parameters as $v) { if ('%' . $key . '%' == $v) { return true; } } } return preg_match('~%' . preg_quote($key, '~') . '%~', $uri); }; $replace = function ($key, $value) use(&$uri, &$parameters) { if (!empty($parameters) && is_array($parameters)) { foreach ($parameters as $i => $v) { if ('%' . $key . '%' == $v) { $parameters[$i] = $value; } } } $uri = preg_replace('~%' . preg_quote($key, '~') . '%~', $value, $uri); }; //Translate URI parameters if (strpos($uri, '%') !== false || !empty($parameters)) { if ($match('ENV_ID')) { $replace('ENV_ID', $this->getEnvironment()->id); } if ($match('OWNED_FARM_ID')) { $ownedFarm = $this->getFarm(true); $this->assertNotNull($ownedFarm, sprintf("User with identifier %s should be owner at least one Farm for this test.", $testUserId)); $replace('OWNED_FARM_ID', $ownedFarm ? $ownedFarm->ID : 0); } elseif ($match('NOT_OWNED_FARM_ID')) { $notOwnedFarm = $this->getFarm(false); $this->assertNotNull($notOwnedFarm, sprintf("Environment with identifier %s should have at least one Farm " . "which is not owned by the User with identifier %s for this test.", $testEnvironmentId, $testUserId)); $replace('NOT_OWNED_FARM_ID', $notOwnedFarm ? $notOwnedFarm->ID : 0); } elseif ($match('OWNED_FARM_ROLE_ID')) { $ownedFarmRole = $this->getFarmRole(true); $this->assertNotNull($ownedFarmRole, sprintf("Environment with identifier %s should have at least one server " . "which has relation to the Farm which is owned by the User with identifier %s for this test.", $testEnvironmentId, $testUserId)); $replace('OWNED_FARM_ROLE_ID', $ownedFarmRole ? $ownedFarmRole->ID : 0); } elseif ($match('NOT_OWNED_FARM_ROLE_ID')) { $notOwnedFarmRole = $this->getFarmRole(false); $this->assertNotNull($notOwnedFarmRole, sprintf("Environment with identifier %s should have at least one server " . "which has relation to the Farm which is not owned by the User with identifier %s for this test.", $testEnvironmentId, $testUserId)); $replace('NOT_OWNED_FARM_ROLE_ID', $notOwnedFarmRole ? $notOwnedFarmRole->ID : 0); } } $resourceId = constant('Scalr\\Acl\\Acl::RESOURCE_' . $options[0]); //Ignores checking disabled resources if (in_array($resourceId, Acl::getDisabledResources())) { return; } $permissionId = isset($options[1]) ? constant('Scalr\\Acl\\Acl::PERM_' . $options[1]) : null; $this->data[] = array($uri, $this->getRoles()->isAllowed($resourceId, $permissionId), $resourceId, $permissionId, $parameters); }
/** * Checks if specified resource is allowed * * @param int $resourceId The ID of the resource. * @param string $permissionId optional The ID of the permission associated with resource. * @return bool|null Returns true if access is allowed. * If resource or permission isn't overridden it returns null. * @throws Exception\RoleObjectException */ public function isAllowed($resourceId, $permissionId = null) { $allowed = null; $resourceDefinition = Resource\Definition::get($resourceId); if ($resourceDefinition === null) { throw new Exception\RoleObjectException(sprintf("%s ACL resource (0x%x).", in_array($resourceId, Acl::getDisabledResources()) ? 'Disabled' : 'Unknown', intval($resourceId))); } if (!empty($permissionId) && !$resourceDefinition->hasPermission($permissionId)) { throw new Exception\RoleObjectException(sprintf("Unknown permission (%s) for resource '%s' (0x%x).", $permissionId, $resourceDefinition->getName(), intval($resourceId))); } //Checks if resource is defined for the role $resource = $this->getResource($resourceId); if ($permissionId !== null && $resource !== null) { //If resource is defined we can check unique permission. //Checks if permission is defined $permission = $resource->getPermission($permissionId); //Checks access to unuque permission of the specified resource for the role. //If resource isn't allowed it automatically forbids all related permissions. $allowed = $permission !== null && $resource->isGranted() !== null ? $resource->isGranted() && $permission->isGranted() : null; } else { //Checks access to the resource for the role $allowed = $resource !== null ? $resource->isGranted() : null; } return $allowed; }