/**
  * returns the actions of a module from the ontology
  *
  * @access public
  * @author Jerome Bogaerts, <*****@*****.**>
  * @param  core_kernel_classes_Resource $module
  * @return array action resources keyed by their action URI
  */
 public static function getActions(core_kernel_classes_Resource $module)
 {
     // Map the module resource to its controller class, then wrap every action
     // of that controller in a resource keyed by the action URI.
     $controller = funcAcl_helpers_Map::getControllerFromUri($module->getUri());
     $actionResources = array();

     try {
         $actionNames = ControllerHelper::getActions($controller);
         foreach ($actionNames as $name) {
             $actionUri = funcAcl_helpers_Map::getUriForAction($controller, $name);
             $actionResources[$actionUri] = new core_kernel_classes_Resource($actionUri);
         }
     } catch (ReflectionException $e) {
         // Unknown controller: whatever was collected so far (normally nothing) is returned.
     }

     return $actionResources;
 }
Example #2
 /**
  * (non-PHPdoc)
  * @see \oat\tao\model\accessControl\AccessControl::hasAccess()
  */
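 public function hasAccess(User $user, $controller, $action, $parameters)
 {
     // Decides whether $user may call $controller/$action with $parameters.
     //
     // ControllerHelper::getRequiredRights() yields, per parameter name, the
     // privileges needed on the resource that parameter identifies. Returns
     // true when nothing is required, false when the action is unknown or a
     // parameter value is malformed, and otherwise the result of
     // self::hasPrivileges(). Throws \Exception when a required parameter is
     // missing.
     $required = array();
     try {
         foreach (ControllerHelper::getRequiredRights($controller, $action) as $paramName => $privileges) {
             if (!isset($parameters[$paramName])) {
                 throw new \Exception('Missing parameter ' . $paramName . ' for ' . $controller . '/' . $action);
             }

             $value = $parameters[$paramName];
             if (!is_string($value)) {
                 // Fail closed. An array or object cannot be used as an array key:
                 // on PHP 7 the assignment below only raises an "Illegal offset type"
                 // warning and is skipped, which would leave $required empty and
                 // grant access without any privilege check.
                 common_Logger::w('non-string parameter rejected for ' . $paramName);
                 return false;
             }

             if (preg_match('/^[a-z]*_2_/', $value) === 1) {
                 common_Logger::w('url encoded parameter detected for ' . $paramName);
                 $cleanName = \tao_helpers_Uri::decode($value);
             } else {
                 $cleanName = $value;
             }

             // NOTE(review): two parameters that resolve to the same identifier
             // overwrite each other here, so only the last privilege set is
             // checked - confirm that this cannot weaken the check.
             $required[$cleanName] = $privileges;
         }
     } catch (ActionNotFoundException $e) {
         // action not found, no access
         return false;
     }
     return empty($required) ? true : self::hasPrivileges($user, $required);
 }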
 /**
  * Removes the cached access entry of an extension, then flushes the access
  * data of every controller ControllerHelper reports for that extension.
  *
  * @param string $extensionId extension identifier, appended to CACHE_PREFIX_EXTENSION to build the cache key
  */
 public static function flushExtensionAccess($extensionId)
 {
     $cacheKey = self::CACHE_PREFIX_EXTENSION . $extensionId;
     self::getCacheImplementation()->remove($cacheKey);

     $controllers = ControllerHelper::getControllers($extensionId);
     foreach ($controllers as $controller) {
         self::flushControllerAccess($controller);
     }
 }
Example #4
 /**
  * Compute permissions for a node against actions
  * @param array[] $actions the actions data with context, name and the resolver
  * @param User $user the user 
  * @param array $node a tree node
  * @return array the node augmented with permissions
  */
 private function computePermissions($actions, $user, $node)
 {
     // Only nodes carrying a data-uri attribute are evaluated against the actions.
     if (isset($node['attributes']['data-uri'])) {
         $attributePrefix = 'data-';
         $prefixLength = strlen($attributePrefix);

         foreach ($actions as $action) {
             // Skip actions bound to another node type, unless they target any resource.
             if ($node['type'] != $action['context'] && $action['context'] != 'resource') {
                 continue;
             }

             $resolver = $action['resolver'];
             try {
                 $params = array();
                 if ($node['type'] == 'class') {
                     $params['classUri'] = $node['attributes']['data-uri'];
                 } else {
                     // Each data-* attribute becomes a parameter named after the part behind the prefix.
                     foreach ($node['attributes'] as $attrName => $attrValue) {
                         if (substr($attrName, 0, $prefixLength) == $attributePrefix) {
                             $params[substr($attrName, $prefixLength)] = $attrValue;
                         }
                     }
                 }
                 $params['id'] = $node['attributes']['data-uri'];

                 // The access check is only run when every parameter the action
                 // declares rights for can be supplied from this node.
                 $required = array_keys(ControllerHelper::getRequiredRights($resolver->getController(), $resolver->getAction()));
                 $missing = array_diff($required, array_keys($params));
                 if (count($missing) == 0) {
                     $node['permissions'][$action['id']] = AclProxy::hasAccess($user, $resolver->getController(), $resolver->getAction(), $params);
                 } else {
                     common_Logger::d('Unable to determine access to ' . $action['id'], 'ACL');
                 }
                 //@todo should be a checked exception!
             } catch (Exception $e) {
                 // A failed or undeterminable check leaves no entry for this action.
                 // NOTE(review): consumers should treat a missing entry as "denied" - confirm.
                 common_Logger::w('Unable to resolve permission for action ' . $action['id'] . ' : ' . $e->getMessage());
             }
         }
     }

     // Apply the same computation to every child node, in place.
     if (isset($node['children'])) {
         foreach ($node['children'] as $position => $childNode) {
             $node['children'][$position] = $this->computePermissions($actions, $user, $childNode);
         }
     }

     return $node;
 }
Example #5
 /**
  * Whitelists every controller that ControllerHelper reports for an extension
  * by passing each one to whiteListController().
  *
  * @param string $extensionId identifier of the extension whose controllers are whitelisted
  */
 private function whiteListExtension($extensionId)
 {
     $controllers = ControllerHelper::getControllers($extensionId);
     foreach ($controllers as $controller) {
         $this->whiteListController($controller);
     }
 }
 /**
  * Shows the access to the actions of a controller for a specific role
  * 
  * @throws Exception
  */
 public function getActions()
 {
     // Requests that tao_helpers_Request::isAjax() does not accept are rejected up front.
     if (!tao_helpers_Request::isAjax()) {
         throw new Exception("wrong request mode");
     }

     // NOTE(review): 'role' and 'module' are taken from the request as-is; the
     // authorization for calling this action is not visible here - confirm it
     // is enforced before this method runs.
     $role = new core_kernel_classes_Resource($this->getRequestParameter('role'));

     // URIs of the roles that $role includes, used to detect inherited access.
     $included = array();
     $includedRoles = tao_models_classes_RoleService::singleton()->getIncludedRoles($role);
     foreach ($includedRoles as $includedRole) {
         $included[] = $includedRole->getUri();
     }

     $module = new core_kernel_classes_Resource($this->getRequestParameter('module'));
     $controllerClassName = funcAcl_helpers_Map::getControllerFromUri($module->getUri());
     $controllerAccess = funcAcl_helpers_Cache::getControllerAccess($controllerClassName);

     $actions = array();
     foreach (ControllerHelper::getActions($controllerClassName) as $actionName) {
         $uri = funcAcl_helpers_Map::getUriForAction($controllerClassName, $actionName);

         // NOTE(review): assumes the URI fragment has the form
         // type_extension_module_action - confirm against funcAcl_helpers_Map.
         $part = explode('#', $uri);
         list($type, $extId, $modId, $actId) = explode('_', $part[1]);

         // Roles allowed on the whole module, plus those granted on this action only.
         if (isset($controllerAccess['actions'][$actionName])) {
             $allowedRoles = array_merge($controllerAccess['module'], $controllerAccess['actions'][$actionName]);
         } else {
             $allowedRoles = $controllerAccess['module'];
         }

         // Access through an included role takes precedence over a direct grant.
         if (count(array_intersect($included, $allowedRoles)) > 0) {
             $access = self::ACCESS_INHERITED;
         } elseif (in_array($role->getUri(), $allowedRoles)) {
             $access = self::ACCESS_FULL;
         } else {
             $access = self::ACCESS_NONE;
         }

         $actions[$actId] = array('uri' => $uri, 'access' => $access);
     }

     ksort($actions);
     $this->returnJson($actions);
 }