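/**
 * Decide whether an identity may SELECT a list of entities of a blueprint.
 *
 * Walks every <Resource> of the Guardian XML whose key matches $blueprintKey
 * and, within it, every <AccessGroup> whose type covers $accessType. Access is
 * granted as soon as ALL rules of one such group pass; if no group passes the
 * method returns false (deny by default).
 *
 * "Ownership" rules are tested against the list rows produced by
 * GuardianListDrafter; that list is built lazily, at most once per call.
 *
 * @param mixed  $identity     Identity to authorize. Values that are empty or
 *                             not numeric are replaced by null before rules run.
 * @param string $accessType   Must be exactly the string "SELECT".
 * @param string $blueprintKey Key of the blueprint whose list is requested.
 * @param mixed  $where        Optional filter, handed to GuardianListDrafter as
 *                             its "where" parameter when not null.
 *
 * @return bool true when one matching AccessGroup passes all of its rules,
 *              false otherwise.
 *
 * @throws Exception when $accessType is not "SELECT", or when reading the
 *                   entity blueprint / building the list rows fails (rethrown).
 */
public static function authorize_list($identity = null, $accessType, $blueprintKey, $where = null)
{
    $tag = "Guardian::authorize_list()";

    // NOTE(review): the raw arguments are logged before any sanitizing; confirm the
    // log sink neutralizes control characters in caller-supplied values.
    Log::debug("{$tag} <identity={$identity}, accessType={$accessType}, blueprintKey={$blueprintKey}, where={$where}>");

    // Strict comparison: with `!=` a non-string value that merely juggles to
    // "SELECT" (e.g. boolean true) would get past this gate.
    if ($accessType !== "SELECT") {
        Log::warning("{$tag}: accessType != SELECT");
        throw new Exception("{$tag}: accessType != SELECT");
    }

    $instance = Guardian::instance();

    // Convenience variables
    $xml = $instance->xml;
    list($guardian_identity_table, , ) = explode(".", BPConfig::$guardian_identity_blueprint);
    Log::debug("* Identity Table = {$guardian_identity_table}");

    // Sanitize arguments: anything that is not a non-empty numeric value becomes null.
    // NOTE(review): is_numeric() also accepts forms such as "1e3" or "1.5"; if
    // identities are integer ids a stricter check may be wanted — confirm.
    if ($identity != null && (empty($identity) || !is_numeric($identity))) {
        Log::debug("! Setting identity to null");
        $identity = null;
    }

    // LAST MINUTE PROCESSING
    // Placeholder for the rows returned by GuardianListDrafter::getListRows();
    // stays null until the first Ownership rule needs it.
    $listRows = null;

    // Search Resources for a block matching the requested blueprintKey
    foreach ($xml->Resource as $resource) {
        $key = (string) $resource["key"];
        Log::debug("{$tag}: Considering Resource with key '{$key}'");

        // Wildcard keys: only the part of the key before the first "*" is compared,
        // as a prefix of $blueprintKey. A key that starts with "*" yields an empty
        // prefix; how strpos() treats an empty needle differs between PHP versions.
        $starPos = strpos($key, "*");
        $isPrefixMatch = $starPos !== false
            && strpos($blueprintKey, substr($key, 0, $starPos)) === 0;

        // Exact match is compared strictly so that two different numeric-looking
        // keys (e.g. "10" and "1e1") are never treated as the same resource.
        $resourceMatches = $key === "*"
            || $key === (string) $blueprintKey
            || $isPrefixMatch;

        if (!$resourceMatches) {
            Log::debug("{$tag}: Resource does not match requested blueprint key");
            continue;
        }
        Log::debug("{$tag}: Resource matches requested blueprint key");

        foreach ($resource->AccessGroup as $accessGroup) {
            $type = (string) $accessGroup["type"];
            Log::debug("{$tag}: Considering AccessGroup of type '{$type}'");

            // NOTE(review): this is a substring test, so any type attribute that
            // merely contains "SELECT" is accepted — confirm the attribute format.
            if ($type !== "*" && strpos($type, $accessType) === false) {
                Log::debug("{$tag}: AccessGroup does not include requested access type");
                continue;
            }
            Log::debug("{$tag}: AccessGroup includes requested access type");

            // The requestor must pass ALL rules in an <AccessGroup> to be granted access
            $flag_failure = false;

            foreach ($accessGroup->children() as $rule) {
                $kind = $rule->getName();
                Log::debug("{$tag}: Evaluating rule '{$kind}'");

                // NOTE(review): only a strict `false` from the rule testers counts as a
                // failure; any other return value (null, 0, ...) is treated as a pass.
                // Confirm both helpers always return real booleans.
                if ($kind !== "Ownership") {
                    $passed = $instance->test_access_rule($rule, $identity, null) !== false;
                } else {
                    // LAST MINUTE PROCESSING; init ListDrafter.
                    // `=== null` so that an empty result list is kept and not rebuilt
                    // for every later Ownership rule.
                    if ($listRows === null) {
                        Log::debug("{$tag}: Initializing GuardianListDrafter to build a list of entities for ownership testing");
                        try {
                            // NOTE(review): $blueprintKey is concatenated into the name given
                            // to BlueprintReader::read(), and a wildcard Resource key lets any
                            // caller-supplied value reach this point — confirm the reader
                            // confines the lookup to the blueprint directory.
                            $entityBP = BlueprintReader::read($blueprintKey . ".entity.xml");
                            $params = ($where != null) ? array("where" => $where) : null;
                            $listDrafter = new GuardianListDrafter($entityBP, null, $params);
                            $listRows = $listDrafter->getListRows();
                        } catch (Exception $e) {
                            Log::error("{$tag}: Caught: " . $e->getMessage());
                            throw $e;
                        }
                    }
                    $passed = $instance->test_access_list_rule_ownership($rule, $identity, $listRows) !== false;
                }

                if (!$passed) {
                    Log::debug("{$tag}: Failed rule '{$kind}'. No access under this group");
                    $flag_failure = true;
                    // Immediately stop checking rules under this AccessGroup, and move on to the next AccessGroup
                    break;
                }
            }

            if ($flag_failure === false) {
                Log::debug("{$tag}: Passed all rules of access group");
                return true;
            }
            // otherwise continue with the next AccessGroup
        } // END: foreach($resource->AccessGroup as $accessGroup)
    } // END: foreach($xml->Resource as $resource)

    // No AccessGroup granted access: deny.
    return false;
}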