/**
* Gets all Resources
*
* This method describes all available resources
*
* @return \ArrayObject Returns array looks like array(
* resource_id => array(name, description, resourceGroup, [array(permission_id => description)]))
* Third value of array is optional and determines unique permissions for specified
* resource which can be allowed or forbidden separately.
*/
public static function getAll($raw = false)
{
$allows = 'Allows ';
if (!isset(self::$list)) {
self::$rawList = array(Acl::RESOURCE_FARMS => array('Farms', $allows . 'access to farm designer.', Acl::GROUP_FARMS, array(Acl::PERM_FARMS_MANAGE => $allows . 'to manage (create/configure/delete) farms.', Acl::PERM_FARMS_CLONE => $allows . 'to clone farms.', Acl::PERM_FARMS_LAUNCH => $allows . 'to launch farms.', Acl::PERM_FARMS_TERMINATE => $allows . 'to terminate farms.', Acl::PERM_FARMS_NOT_OWNED_FARMS => $allows . 'to manage not owned farms.')), Acl::RESOURCE_FARMS_ALERTS => array('Alerts', $allows . 'access to alerts.', Acl::GROUP_FARMS), Acl::RESOURCE_FARMS_SERVERS => array('Servers', $allows . 'access to servers.', Acl::GROUP_FARMS), Acl::RESOURCE_FARMS_EVENTS_AND_NOTIFICATIONS => array('Events and notifications', $allows . 'access to events and notifications.', Acl::GROUP_FARMS), Acl::RESOURCE_FARMS_STATISTICS => array('Statistics', $allows . 'access to statistics.', Acl::GROUP_FARMS), Acl::RESOURCE_FARMS_ROLES => array('Roles', $allows . 'access to roles.', Acl::GROUP_FARMS, array(Acl::PERM_FARMS_ROLES_CREATE => $allows . 'to create (build/import) roles.', Acl::PERM_FARMS_ROLES_MANAGE => $allows . 'to manage (edit/delete) roles.', Acl::PERM_FARMS_ROLES_CLONE => $allows . 'to clone roles.', Acl::PERM_FARMS_ROLES_BUNDLETASKS => $allows . 'to bundle tasks (role creation process logs).')), Acl::RESOURCE_FARMS_SCRIPTS => array('Scripts', $allows . 'access to scripts.', Acl::GROUP_FARMS, array(Acl::PERM_FARMS_SCRIPTS_MANAGE => $allows . 'to manage (create/edit/delete) scripts.', Acl::PERM_FARMS_SCRIPTS_EXECUTE => $allows . 'to execute scripts.', Acl::PERM_FARMS_SCRIPTS_FORK => $allows . 'to fork scripts.')), Acl::RESOURCE_CLOUDSTACK_VOLUMES => array('Volumes', $allows . 'access to CloudStack volumes.', Acl::GROUP_CLOUDSTACK), Acl::RESOURCE_CLOUDSTACK_SNAPSHOTS => array('Snapshots', $allows . 'access to CloudStack snapshots.', Acl::GROUP_CLOUDSTACK), Acl::RESOURCE_CLOUDSTACK_PUBLIC_IPS => array('Public IPs', $allows . 'access to CloudStack public IPs.', Acl::GROUP_CLOUDSTACK), Acl::RESOURCE_OPENSTACK_VOLUMES => array('Volumes', $allows . 'access to OpenStack volumes.', Acl::GROUP_OPENSTACK), Acl::RESOURCE_OPENSTACK_SNAPSHOTS => array('Snapshots', $allows . 'access to OpenStack snapshots.', Acl::GROUP_OPENSTACK), Acl::RESOURCE_OPENSTACK_PUBLIC_IPS => array('Public IPs', $allows . 'access to OpenStack public IPs.', Acl::GROUP_OPENSTACK), Acl::RESOURCE_AWS_CLOUDWATCH => array('CloudWatch', $allows . 'access to AWS CloudWatch.', Acl::GROUP_AWS), Acl::RESOURCE_AWS_ELASTIC_IPS => array('Elastic IPs', $allows . 'access to AWS Elastic IPs.', Acl::GROUP_AWS), Acl::RESOURCE_AWS_ELB => array('Elastic Load Balancing (ELB)', $allows . 'access to AWS Elastic Load Balancing.', Acl::GROUP_AWS), Acl::RESOURCE_AWS_IAM => array('Identity and Access Management (IAM)', $allows . 'access to AWS Identity and Access Management.', Acl::GROUP_AWS), Acl::RESOURCE_AWS_RDS => array('Relational Database Service (RDS)', $allows . 'access to Amazon Relational Database Service.', Acl::GROUP_AWS), Acl::RESOURCE_AWS_SNAPSHOTS => array('Snapshots', $allows . 'access to AWS snapshots.', Acl::GROUP_AWS), Acl::RESOURCE_AWS_VOLUMES => array('Volumes', $allows . 'access to AWS Volumes.', Acl::GROUP_AWS), Acl::RESOURCE_SECURITY_AWS_SECURITY_GROUPS => array('AWS security groups', $allows . 'access to AWS security groups.', Acl::GROUP_SECURITY), Acl::RESOURCE_SECURITY_RETRIEVE_WINDOWS_PASSWORDS => array('Retrieve Windows passwords', $allows . 'access to retrieve passwords for windows.', Acl::GROUP_SECURITY), Acl::RESOURCE_SECURITY_SSH_KEYS => array('SSH keys', $allows . 'access to SSH keys.', Acl::GROUP_SECURITY), Acl::RESOURCE_LOGS_API_LOGS => array('API logs', $allows . 'access to API logs.', Acl::GROUP_LOGS), Acl::RESOURCE_LOGS_SCRIPTING_LOGS => array('Scripting logs', $allows . 'access to scripting logs.', Acl::GROUP_LOGS), Acl::RESOURCE_LOGS_SYSTEM_LOGS => array('System logs', $allows . 'access to system logs.', Acl::GROUP_LOGS), Acl::RESOURCE_SERVICES_APACHE => array('Apache', $allows . 'access to apache.', Acl::GROUP_SERVICES), Acl::RESOURCE_SERVICES_CHEF => array('Chef', $allows . 'access to chef.', Acl::GROUP_SERVICES), Acl::RESOURCE_SERVICES_SSL => array('SSL', $allows . 'access to SSL.', Acl::GROUP_SERVICES), Acl::RESOURCE_SERVICES_RABBITMQ => array('RabbitMQ', $allows . 'access to RabbitMQ.', Acl::GROUP_SERVICES), Acl::RESOURCE_GENERAL_CUSTOM_EVENTS => array('Custom events', $allows . 'access to custom events.', Acl::GROUP_GENERAL), Acl::RESOURCE_GENERAL_CUSTOM_SCALING_METRICS => array('Custom scaling metrics', $allows . 'access to custom scaling metrics.', Acl::GROUP_GENERAL), Acl::RESOURCE_GENERAL_GLOBAL_VARIABLES => array('Global variables (environment level)', $allows . 'access to global variables of environment level.', Acl::GROUP_GENERAL), Acl::RESOURCE_GENERAL_SCHEDULERTASKS => array('Tasks scheduler', $allows . 'access to tasks scheduler.', Acl::GROUP_GENERAL), Acl::RESOURCE_DB_BACKUPS => array('Backups', $allows . 'access to backups.', Acl::GROUP_DATABASES, array(Acl::PERM_DB_BACKUPS_REMOVE => $allows . 'to remove database backups.')), Acl::RESOURCE_DB_DATABASE_STATUS => array('Database status', $allows . 'access to database status.', Acl::GROUP_DATABASES, array(Acl::PERM_DB_DATABASE_STATUS_PMA => $allows . 'access to PMA.')), Acl::RESOURCE_DB_SERVICE_CONFIGURATION => array('Service configuration', $allows . 'access to service configuration.', Acl::GROUP_DATABASES), Acl::RESOURCE_DEPLOYMENTS_APPLICATIONS => array('Applications', $allows . 'access to applications.', Acl::GROUP_DEPLOYMENTS), Acl::RESOURCE_DEPLOYMENTS_SOURCES => array('Sources', $allows . 'access to sources.', Acl::GROUP_DEPLOYMENTS), Acl::RESOURCE_DEPLOYMENTS_TASKS => array('Tasks', $allows . 'access to tasks.', Acl::GROUP_DEPLOYMENTS), Acl::RESOURCE_DNS_ZONES => array('Zones', $allows . 'access to DNS zones.', Acl::GROUP_DNS), Acl::RESOURCE_ADMINISTRATION_BILLING => array('Billing', $allows . 'access to billing.', Acl::GROUP_ADMINISTRATION), Acl::RESOURCE_ADMINISTRATION_GOVERNANCE => array('Governance', $allows . 'access to governance.', Acl::GROUP_ADMINISTRATION), Acl::RESOURCE_ADMINISTRATION_ENV_CLOUDS => array('Setup clouds', $allows . 'to manage cloud credentials for environments in which this user is a team member', Acl::GROUP_ADMINISTRATION));
//Removes disabled resources
foreach (Acl::getDisabledResources() as $resourceId) {
if (isset(self::$rawList[$resourceId])) {
unset(self::$rawList[$resourceId]);
}
}
//Initializes set of the resources
self::$list = new \ArrayObject(array());
self::$idx = array();
foreach (self::$rawList as $resourceId => $optionsArray) {
$resourceDefinition = new ResourceObject($resourceId, $optionsArray);
self::$list[$resourceId] = $resourceDefinition;
if (!isset(self::$idx[$resourceDefinition->getGroup()])) {
self::$idx[$resourceDefinition->getGroup()] = array();
}
self::$idx[$resourceDefinition->getGroup()][] = $resourceId;
}
}
return $raw ? self::$rawList : self::$list;
}
/**
* Gets all Resources
*
* This method describes all available resources
*
* @return \ArrayObject Returns array looks like [
* resource_id => [name, description, resourceGroup, [[permission_id => description)]]]
* Third value of array is optional and determines unique permissions for specified
* resource which can be allowed or forbidden separately.
*/
public static function getAll($raw = false)
{
$allows = 'Allows ';
if (!isset(self::$list)) {
self::$rawList = [Acl::RESOURCE_FARMS => ['All Farms', $allows . 'access to farms and servers.', Acl::GROUP_FARMS_SERVERS, [Acl::PERM_FARMS_MANAGE => $allows . 'to manage (create/configure/delete) farms.', Acl::PERM_FARMS_CLONE => $allows . 'to clone farms.', Acl::PERM_FARMS_LAUNCH_TERMINATE => $allows . 'to launch/terminate farms.', Acl::PERM_FARMS_CHANGE_OWNERSHIP => $allows . 'to change owner or team', Acl::PERM_FARMS_SERVERS => $allows . 'to manage servers', Acl::PERM_FARMS_STATISTICS => $allows . 'to access statistics']], Acl::RESOURCE_TEAM_FARMS => ['Farms Your Teams Own', $allows . 'access to farms and servers.', Acl::GROUP_FARMS_SERVERS, [Acl::PERM_FARMS_MANAGE => $allows . 'to manage (create/configure/delete) farms.', Acl::PERM_FARMS_CLONE => $allows . 'to clone farms.', Acl::PERM_FARMS_LAUNCH_TERMINATE => $allows . 'to launch/terminate farms.', Acl::PERM_FARMS_CHANGE_OWNERSHIP => $allows . 'to change owner or team', Acl::PERM_FARMS_SERVERS => $allows . 'to manage servers', Acl::PERM_FARMS_STATISTICS => $allows . 'to access statistics']], Acl::RESOURCE_OWN_FARMS => ['Farms You Own', $allows . 'access to farms and servers.', Acl::GROUP_FARMS_SERVERS, [Acl::PERM_FARMS_MANAGE => $allows . 'to manage (create/configure/delete) farms.', Acl::PERM_FARMS_CLONE => $allows . 'to clone farms.', Acl::PERM_FARMS_LAUNCH_TERMINATE => $allows . 'to launch/terminate farms.', Acl::PERM_FARMS_CHANGE_OWNERSHIP => $allows . 'to change owner or team', Acl::PERM_FARMS_SERVERS => $allows . 'to manage servers', Acl::PERM_FARMS_STATISTICS => $allows . 'to access statistics']], Acl::RESOURCE_FARMS_ROLES => ['Roles', $allows . 'access to roles.', Acl::GROUP_ROLES_IMAGES, [Acl::PERM_FARMS_ROLES_CREATE => $allows . 'to create (build/import) roles.', Acl::PERM_FARMS_ROLES_MANAGE => $allows . 'to manage (edit/delete) roles.', Acl::PERM_FARMS_ROLES_CLONE => $allows . 'to clone roles.', Acl::PERM_FARMS_ROLES_BUNDLETASKS => $allows . 'to bundle tasks (role creation process logs).']], Acl::RESOURCE_FARMS_IMAGES => ['Images', $allows . 'access to images.', Acl::GROUP_ROLES_IMAGES, [Acl::PERM_FARMS_ROLES_CREATE => $allows . 'to create (build/import) images.', Acl::PERM_FARMS_ROLES_MANAGE => $allows . 'to manage (edit/delete) images.']], Acl::RESOURCE_GCE_STATIC_IPS => ['Static IPs', $allows . 'access to GCE static IPs.', Acl::GROUP_GCE], Acl::RESOURCE_GCE_PERSISTENT_DISKS => ['Persistent disks', $allows . 'access to GCE persistent disks.', Acl::GROUP_GCE], Acl::RESOURCE_GCE_SNAPSHOTS => ['Snapshots', $allows . 'access to GCE snapshots.', Acl::GROUP_GCE], Acl::RESOURCE_CLOUDSTACK_VOLUMES => ['Volumes', $allows . 'access to CloudStack volumes.', Acl::GROUP_CLOUDSTACK], Acl::RESOURCE_CLOUDSTACK_SNAPSHOTS => ['Snapshots', $allows . 'access to CloudStack snapshots.', Acl::GROUP_CLOUDSTACK], Acl::RESOURCE_CLOUDSTACK_PUBLIC_IPS => ['Public IPs', $allows . 'access to CloudStack public IPs.', Acl::GROUP_CLOUDSTACK], Acl::RESOURCE_OPENSTACK_VOLUMES => ['Volumes', $allows . 'access to OpenStack volumes.', Acl::GROUP_OPENSTACK], Acl::RESOURCE_OPENSTACK_SNAPSHOTS => ['Snapshots', $allows . 'access to OpenStack snapshots.', Acl::GROUP_OPENSTACK], Acl::RESOURCE_OPENSTACK_PUBLIC_IPS => ['Public IPs', $allows . 'access to OpenStack public IPs.', Acl::GROUP_OPENSTACK], Acl::RESOURCE_OPENSTACK_ELB => ['Load Balancing (LBaaS)', $allows . 'access to load balancing service.', Acl::GROUP_OPENSTACK], Acl::RESOURCE_AWS_S3 => ['S3 and Cloudfront', $allows . 'access to AWS S3 and Cloudfront.', Acl::GROUP_AWS], Acl::RESOURCE_AWS_CLOUDWATCH => ['CloudWatch', $allows . 'access to AWS CloudWatch.', Acl::GROUP_AWS], Acl::RESOURCE_AWS_ELASTIC_IPS => ['Elastic IPs', $allows . 'access to AWS Elastic IPs.', Acl::GROUP_AWS], Acl::RESOURCE_AWS_ELB => ['Elastic Load Balancing (ELB)', $allows . 'access to AWS Elastic Load Balancing.', Acl::GROUP_AWS], Acl::RESOURCE_AWS_IAM => ['Identity and Access Management (IAM)', $allows . 'access to AWS Identity and Access Management.', Acl::GROUP_AWS], Acl::RESOURCE_AWS_RDS => ['Relational Database Service (RDS)', $allows . 'access to Amazon Relational Database Service.', Acl::GROUP_AWS], Acl::RESOURCE_AWS_SNAPSHOTS => ['Snapshots', $allows . 'access to AWS snapshots.', Acl::GROUP_AWS], Acl::RESOURCE_AWS_VOLUMES => ['Volumes', $allows . 'access to AWS Volumes.', Acl::GROUP_AWS], Acl::RESOURCE_AWS_ROUTE53 => ['Route53', $allows . 'access to AWS Route53.', Acl::GROUP_AWS], Acl::RESOURCE_SECURITY_SECURITY_GROUPS => ['Security groups', $allows . 'access to security groups.', Acl::GROUP_SECURITY], Acl::RESOURCE_SECURITY_RETRIEVE_WINDOWS_PASSWORDS => ['Retrieve Windows passwords', $allows . 'access to retrieve passwords for windows.', Acl::GROUP_SECURITY], Acl::RESOURCE_SECURITY_SSH_KEYS => ['SSH keys', $allows . 'access to SSH keys.', Acl::GROUP_SECURITY], Acl::RESOURCE_LOGS_EVENT_LOGS => ['Event Log', $allows . 'access to the Event Log.', Acl::GROUP_LOGS], Acl::RESOURCE_LOGS_SYSTEM_LOGS => ['System Log', $allows . 'access to the System Log.', Acl::GROUP_LOGS], Acl::RESOURCE_LOGS_SCRIPTING_LOGS => ['Scripting Log', $allows . 'access to the Scripting Log.', Acl::GROUP_LOGS], Acl::RESOURCE_LOGS_API_LOGS => ['API Log', $allows . 'access to the API Log.', Acl::GROUP_LOGS], Acl::RESOURCE_SERVICES_APACHE => ['Apache', $allows . 'access to apache.', Acl::GROUP_SERVICES], Acl::RESOURCE_SERVICES_ENVADMINISTRATION_CHEF => ['Chef (environment scope)', $allows . 'to manage chef servers in the environment scope.', Acl::GROUP_SERVICES], Acl::RESOURCE_SERVICES_ADMINISTRATION_CHEF => ['Chef (account scope)', $allows . 'to manage chef servers in the account scope.', Acl::GROUP_SERVICES], Acl::RESOURCE_SERVICES_SSL => ['SSL', $allows . 'access to SSL.', Acl::GROUP_SERVICES], Acl::RESOURCE_SERVICES_RABBITMQ => ['RabbitMQ', $allows . 'access to RabbitMQ.', Acl::GROUP_SERVICES], Acl::RESOURCE_GENERAL_CUSTOM_EVENTS => ['Custom events', $allows . 'access to custom events.', Acl::GROUP_GENERAL, [Acl::PERM_GENERAL_CUSTOM_EVENTS_FIRE => $allows . 'to fire custom events.']], Acl::RESOURCE_GENERAL_CUSTOM_SCALING_METRICS => ['Custom scaling metrics', $allows . 'access to custom scaling metrics.', Acl::GROUP_GENERAL], Acl::RESOURCE_GENERAL_SCHEDULERTASKS => ['Tasks scheduler', $allows . 'access to tasks scheduler.', Acl::GROUP_GENERAL], Acl::RESOURCE_DB_BACKUPS => ['Backups', $allows . 'access to backups.', Acl::GROUP_DATABASES, [Acl::PERM_DB_BACKUPS_REMOVE => $allows . 'to remove database backups.']], Acl::RESOURCE_DB_DATABASE_STATUS => ['Database status', $allows . 'access to database status.', Acl::GROUP_DATABASES, [Acl::PERM_DB_DATABASE_STATUS_PMA => $allows . 'access to PMA.']], Acl::RESOURCE_DB_SERVICE_CONFIGURATION => ['Service configuration', $allows . 'access to service configuration.', Acl::GROUP_DATABASES], Acl::RESOURCE_DEPLOYMENTS_APPLICATIONS => ['Applications', $allows . 'access to applications.', Acl::GROUP_DEPLOYMENTS], Acl::RESOURCE_DEPLOYMENTS_SOURCES => ['Sources', $allows . 'access to sources.', Acl::GROUP_DEPLOYMENTS], Acl::RESOURCE_DEPLOYMENTS_TASKS => ['Tasks', $allows . 'access to tasks.', Acl::GROUP_DEPLOYMENTS], Acl::RESOURCE_DNS_ZONES => ['Zones', $allows . 'access to DNS zones.', Acl::GROUP_DNS], Acl::RESOURCE_ADMINISTRATION_BILLING => ['Billing', $allows . 'access to billing.', Acl::GROUP_ADMINISTRATION], Acl::RESOURCE_ADMINISTRATION_ORCHESTRATION => ['Orchestration (account scope)', $allows . 'access to orchestration in the account scope.', Acl::GROUP_ADMINISTRATION], Acl::RESOURCE_ADMINISTRATION_GLOBAL_VARIABLES => ['Global variables (account scope)', $allows . 'access to global variables in the account scope.', Acl::GROUP_ADMINISTRATION], Acl::RESOURCE_ADMINISTRATION_SCRIPTS => ['Scripts (account scope)', $allows . 'access to scripts.', Acl::GROUP_ADMINISTRATION, [Acl::PERM_ADMINISTRATION_SCRIPTS_MANAGE => $allows . 'to manage (create/edit/delete) scripts.', Acl::PERM_ADMINISTRATION_SCRIPTS_EXECUTE => $allows . 'to execute scripts.', Acl::PERM_ADMINISTRATION_SCRIPTS_FORK => $allows . 'to fork scripts.']], Acl::RESOURCE_ADMINISTRATION_WEBHOOKS => ['Webhooks (account scope)', $allows . 'to manage webhooks in the account scope.', Acl::GROUP_ADMINISTRATION], Acl::RESOURCE_ENVADMINISTRATION_ENV_CLOUDS => ['Setup clouds', $allows . 'to manage cloud credentials for environments in which this user is a team member', Acl::GROUP_ENVADMINISTRATION], Acl::RESOURCE_ENVADMINISTRATION_GOVERNANCE => ['Governance', $allows . 'access to governance.', Acl::GROUP_ENVADMINISTRATION], Acl::RESOURCE_ENVADMINISTRATION_GLOBAL_VARIABLES => ['Global variables (environment scope)', $allows . 'access to global variables in the environment scope.', Acl::GROUP_ENVADMINISTRATION], Acl::RESOURCE_ENVADMINISTRATION_WEBHOOKS => ['Webhooks (environment scope)', $allows . 'to manage webhooks in the environment scope.', Acl::GROUP_ENVADMINISTRATION], Acl::RESOURCE_ANALYTICS_PROJECTS => ['Cost Analytics Projects', $allows . ' account users to create a new projects for cost analytics', Acl::GROUP_ANALYTICS], Acl::RESOURCE_ADMINISTRATION_ANALYTICS => ['Cost Analytics (account scope)', $allows . ' access to Cost Analytics in the account scope', Acl::GROUP_ADMINISTRATION, [Acl::PERM_ADMINISTRATION_ANALYTICS_MANAGE_PROJECTS => $allows . 'to edit/create projects in the account scope.', Acl::PERM_ADMINISTRATION_ANALYTICS_ALLOCATE_BUDGET => $allows . "to set/edit projects' budgets in the account scope."]], Acl::RESOURCE_ENVADMINISTRATION_ANALYTICS => ['Cost Analytics (environment scope)', $allows . ' access to Cost Analytics in the environment scope', Acl::GROUP_ENVADMINISTRATION]];
//Removes disabled resources
foreach (Acl::getDisabledResources() as $resourceId) {
if (isset(self::$rawList[$resourceId])) {
unset(self::$rawList[$resourceId]);
}
}
//Initializes set of the resources
self::$list = new \ArrayObject([]);
self::$idx = [];
foreach (self::$rawList as $resourceId => $optionsArray) {
$resourceDefinition = new ResourceObject($resourceId, $optionsArray);
self::$list[$resourceId] = $resourceDefinition;
if (!isset(self::$idx[$resourceDefinition->getGroup()])) {
self::$idx[$resourceDefinition->getGroup()] = [];
}
self::$idx[$resourceDefinition->getGroup()][] = $resourceId;
}
}
return $raw ? self::$rawList : self::$list;
}
/**
* Provider method for testGet() test
*/
public function providerGet()
{
$refl = new \ReflectionClass('Scalr\\Acl\\Acl');
$arguments = array();
//Fetches all resources which have been defined in the Acl class except excluded
foreach (Acl::getResourcesMnemonic() as $resourceId => $mnemonicName) {
$arguments[] = array($resourceId);
}
return $arguments;
}
public function viewAction()
{
$users = array();
foreach ($this->env->getTeams() as $teamId) {
$team = Scalr_Account_Team::init()->loadById($teamId);
foreach ($team->getUsers() as $user) {
if (!isset($users[$user['id']])) {
$users[$user['id']] = array('id' => $user['id'], 'name' => !empty($user['fullname']) ? $user['fullname'] : $user['email'], 'email' => $user['email'], 'teams' => array());
}
$users[$user['id']]['teams'][] = array('id' => $team->id, 'name' => $team->name);
}
}
$this->response->page('ui/account2/environments/accessmap.js', array('definitions' => Acl::getResources(true), 'users' => array_values($users), 'env' => array('id' => $this->env->id, 'name' => $this->env->name)));
}
/**
* Checks if access to ACL resource or unique permission is allowed
*
* Usage:
* --
* use \Scalr\Acl\Acl;
*
* The ID of the ACL resource; The ID of the unique permission which is related to specified resource
* $this->request->isAllowed(Acl::RESOURCE_FARMS, Acl::PERM_FARMS_EDIT);
*
* Array of IDs of the ACL resource (check if user have any permission); The ID of the unique permission which is related to specified resource
* $this->request->isAllowed([Acl::RESOURCE_FARMS, Acl::RESOURCE_OWN_FARMS], Acl::PERM_FARMS_EDIT);
*
* Mnemonic constants: resource, permission
* Method interprets $resourceMnemonic as RESOURCE_$resourceMnemonic_$scope, $permissionMnemonic as PERM_$resourceMnemonic_$scope_$permissionMnemonic
* For example, call(ROLES, MANAGE) on account scope will check RESOURCE_ROLES_ACCOUNT, PERM_ROLES_ACCOUNT_MANAGE
* $this->request->isAllowed('ROLES', 'MANAGE');
*
* @param int|string|array $resourceId The ID or Name of the ACL resource or array of resources
* @param string $permissionId optional The ID or Name of the unique permission which is
* related to specified resource.
* @return bool Returns TRUE if access is allowed
*/
public function isAllowed($resourceId, $permissionId = null)
{
if ($this->user->isScalrAdmin()) {
// we don't have permissions on scalr scope
return true;
}
if (is_string($resourceId)) {
$resourceMnemonic = $resourceId;
$resourceId = Acl::getResourceIdByMnemonic($resourceMnemonic, $this->getScope());
$permissionId = $permissionId ? Acl::getPermissionIdByMnemonic($resourceMnemonic, $permissionId, $this->getScope()) : null;
}
if (is_array($resourceId)) {
foreach ($resourceId as $id) {
if (\Scalr::getContainer()->acl->isUserAllowedByEnvironment($this->getUser(), $this->getEnvironment(), $id, $permissionId)) {
return true;
}
}
return false;
} else {
return \Scalr::getContainer()->acl->isUserAllowedByEnvironment($this->getUser(), $this->getEnvironment(), $resourceId, $permissionId);
}
}
public function viewAction()
{
$this->response->page('ui/account2/roles/view.js', array('definitions' => Acl::getResources(true)), array('ui/account2/dataconfig.js'), array('ui/account2/roles/view.css'), array('account.roles', 'base.roles'));
}
/**
* Loads permissions into role object
*
* @param Role\RoleObject $role A role object
*/
protected function loadRolePermissions(Role\RoleObject $role)
{
if ($role instanceof Role\AccountRoleObject) {
$sAcc = 'account_';
$rmJoin = "LEFT JOIN acl_account_role_resource_modes rm ON rr.`account_role_id` = rm.account_role_id " . " AND rr.`resource_id` = rm.`resource_id`";
} else {
$sAcc = '';
$rmJoin = '';
}
$disabledResources = Acl::getDisabledResources();
$disabledSql = !empty($disabledResources) ? "AND rr.resource_id NOT IN (" . implode(',', array_fill(0, count($disabledResources), '?')) . ")" : "";
$res = $this->db->Execute("\n SELECT\n rr.`" . $sAcc . "role_id` AS `role_id`,\n rr.`resource_id`, rr.`granted`, rp.`perm_id`,\n rp.`granted` AS `perm_granted`,\n " . (!empty($rmJoin) ? "rm.`mode`" : "NULL AS `mode`") . "\n FROM `acl_" . $sAcc . "role_resources` rr\n " . $rmJoin . "\n LEFT JOIN `acl_" . $sAcc . "role_resource_permissions` rp\n ON rp.`" . $sAcc . "role_id` = rr.`" . $sAcc . "role_id`\n AND rp.`resource_id` = rr.`resource_id`\n WHERE rr.`" . $sAcc . "role_id` = ?\n {$disabledSql}\n ", array_merge((array) $role->getRoleId(), $disabledResources));
if ($res) {
$resources = $role->getResources();
while ($rec = $res->FetchRow()) {
if (!isset($resources[$rec['resource_id']])) {
//Adds resource to role object
$resource = new Role\RoleResourceObject($rec['role_id'], $rec['resource_id'], $rec['granted'], $rec['mode']);
$role->appendResource($resource);
} else {
$resource = $resources[$rec['resource_id']];
}
if ($rec['perm_id'] !== null) {
$permission = new Role\RoleResourcePermissionObject($rec['role_id'], $rec['resource_id'], $rec['perm_id'], $rec['perm_granted']);
//We should append permission only if it's been declared in the definition.
$resourceDefinition = Resource\Definition::get($resource->getResourceId());
if ($resourceDefinition->hasPermission($permission->getPermissionId())) {
$resource->appendPermission($permission);
}
unset($permission);
}
unset($resource);
}
}
}
/**
* This test is used mapping from Fixtures/{self::TEST_DATA_FILE} yaml file
*
* @test
*/
public function testIsImposedRestriction()
{
$rm = Acl::getResourcesMnemonic();
//We have to use provider in this way because of we need to skip test and throw assertion from it
$providerData = $this->providerIsImposedRestriction();
foreach ($providerData as $opt) {
$uri = $opt[0];
$granted = $opt[1];
$resourceId = $opt[2];
$permissionId = isset($opt[3]) ? $opt[3] : null;
$options = isset($opt[4]) ? $opt[4] : array();
$this->setCatchOnlyPermission($resourceId, $permissionId);
$this->assertThatPermission($granted, $uri, $options, sprintf("Resource:%s, Permission:%s, URI:%s", isset($rm[$resourceId]) ? $rm[$resourceId] : $resourceId, isset($permissionId) ? $permissionId : 'null', $uri));
}
}
/**
* Checks if specified resource is allowed
*
* @param int $resourceId The ID of the resource.
* @param string $permissionId optional The ID of the permission associated with resource.
* @return bool|null Returns true if access is allowed.
* If resource or permission isn't overridden it returns null.
* @throws Exception\RoleObjectException
*/
public function isAllowed($resourceId, $permissionId = null)
{
$allowed = null;
$resourceDefinition = Resource\Definition::get($resourceId);
if ($resourceDefinition === null) {
throw new Exception\RoleObjectException(sprintf("%s ACL resource (0x%x).", in_array($resourceId, Acl::getDisabledResources()) ? 'Disabled' : 'Unknown', intval($resourceId)));
}
if (!empty($permissionId) && !$resourceDefinition->hasPermission($permissionId)) {
throw new Exception\RoleObjectException(sprintf("Unknown permission (%s) for resource '%s' (0x%x).", $permissionId, $resourceDefinition->getName(), intval($resourceId)));
}
//Checks if resource is defined for the role
$resource = $this->getResource($resourceId);
if ($permissionId !== null && $resource !== null) {
//If resource is defined we can check unique permission.
//Checks if permission is defined
$permission = $resource->getPermission($permissionId);
//Checks access to unuque permission of the specified resource for the role.
//If resource isn't allowed it automatically forbids all related permissions.
$allowed = $permission !== null && $resource->isGranted() !== null ? $resource->isGranted() && $permission->isGranted() : null;
} else {
//Checks access to the resource for the role
$allowed = $resource !== null ? $resource->isGranted() : null;
}
return $allowed;
}
/**
* Gets all resources
*
* Current exclude filters will be applied.
* This method will return all predefined resources with its names
*
* @return array Returns array looks like
* array(array(
* 'id' => resource_id,
* 'name' => resource_name,
* 'group' => associative_group,
* 'granted' => [1|0] is resource allowed,
* 'permissions' => array(
* permissionId => [1|0] is permission allowed
* ),
* ))
*/
public function getArray()
{
$groupOrder = Acl::getGroups();
$ret = array();
foreach (Resource\Definition::getAll() as $resource) {
/* @var $resource Resource\ResourceObject */
$rec = array('id' => $resource->getResourceId(), 'name' => $resource->getName(), 'group' => $resource->getGroup(), 'groupOrder' => isset($groupOrder[$resource->getGroup()]) ? $groupOrder[$resource->getGroup()] : 0, 'granted' => $this->isAllowed($resource->getResourceId()) ? 1 : 0);
$permissions = $resource->getPermissions();
if (!empty($permissions)) {
$rec['permissions'] = array();
foreach ($permissions as $permissionId => $description) {
$rec['permissions'][$permissionId] = $this->isAllowed($resource->getResourceId(), $permissionId) ? 1 : 0;
}
}
$ret[] = $rec;
}
return $ret;
}
/**
* {@inheritdoc}
* @see GeneratedValueTypeInterface::generateValue()
*/
public function generateValue($entity = null)
{
return Acl::generateAccountRoleId();
}
