public function testBuildCanAcceptXMLAsString()
{
$content = file_get_contents(__DIR__ . '/fixtures/test.xml');
$this->object = new AclBuilder(new StringType($content), $this->acl);
$this->assertTrue($this->object->build());
$this->assertTrue($this->acl->hasRole('guest'));
$this->assertTrue($this->acl->hasResource('logout'));
$this->assertTrue($this->acl->isAllowed('guest', 'login'));
$this->assertTrue($this->acl->isAllowed('user', null, 'GET'));
}
/**
*
* @param string $name
* @param string $routename
* @return boolean
*/
public function checkAutorisation($name, $routename)
{
$this->initAcl();
$config = $this->getServiceLocator()->get('Config');
$filePath = $config['auth']['filePath'];
$reader = new Ini();
try {
$usersData = $reader->fromFile($filePath);
} catch (\Exception $e) {
error_log($e->getMessage());
return false;
}
return is_array($usersData) && array_key_exists($name, $usersData) && $this->acl->hasResource($routename) && $this->acl->hasRole($usersData[$name]) && $this->acl->isAllowed($usersData[$name], $routename);
}
/**
* Create the service using the configuration from the modules config-file
*
* @param ServiceLocator $services The ServiceLocator
*
* @see \Zend\ServiceManager\FactoryInterface::createService()
* @return Hybrid_Auth
*/
public function createService(ServiceLocatorInterface $serviceLocator)
{
$config = $serviceLocator->get('config');
$config = $config['acl'];
if (!isset($config['roles']) || !isset($config['resources'])) {
throw new \Exception('Invalid ACL Config found');
}
$roles = $config['roles'];
if (!isset($roles[self::DEFAULT_ROLE])) {
$roles[self::DEFAULT_ROLE] = '';
}
$this->admins = $config['admins'];
if (!isset($this->admins)) {
throw new \UnexpectedValueException('No admin-user set');
}
$acl = new Acl();
foreach ($roles as $name => $parent) {
if (!$acl->hasRole($name)) {
if (empty($parent)) {
$parent = array();
} else {
$parent = explode(',', $parent);
}
$acl->addRole(new Role($name), $parent);
}
}
foreach ($config['resources'] as $permission => $controllers) {
foreach ($controllers as $controller => $actions) {
if ($controller == 'all') {
$controller = null;
} else {
if (!$acl->hasResource($controller)) {
$acl->addResource(new Resource($controller));
}
}
foreach ($actions as $action => $role) {
if ($action == 'all') {
$action = null;
}
$assert = null;
if (is_array($role)) {
$assert = $serviceLocator->get($role['assert']);
$role = $role['role'];
}
$role = explode(',', $role);
foreach ($role as $roleItem) {
if ($permission == 'allow') {
$acl->allow($roleItem, $controller, $action, $assert);
} elseif ($permission == 'deny') {
$acl->deny($roleItem, $controller, $action, $assert);
} else {
continue;
}
}
}
}
}
return $acl;
}
/**
* buildAcl
*
* @return void
*/
public function buildAcl()
{
$this->acl = new Acl();
// roles
$roles = $this->getRoles();
foreach ($roles as $role) {
if ($this->acl->hasRole($role)) {
// @todo throw error?
continue;
}
$this->acl->addRole($role, $role->getParent());
}
}
/**
* @deprecated this method will be removed in BjyAuthorize 2.0.x
*
* @param \Zend\Permissions\Acl\Role\RoleInterface[] $roles
*/
protected function addRoles($roles)
{
if (!is_array($roles) && !$roles instanceof \Traversable) {
$roles = array($roles);
}
/* @var $role Role */
foreach ($roles as $role) {
if ($this->acl->hasRole($role)) {
continue;
}
if ($role->getParent() !== null) {
$this->addRoles(array($role->getParent()));
$this->acl->addRole($role, $role->getParent());
} elseif (!$this->acl->hasRole($role)) {
$this->acl->addRole($role);
}
}
}
protected function addRoleToAcl($role, array $roles, Acl $acl)
{
if (!$acl->hasRole($role)) {
if (array_key_exists($role, $this->addedRoles)) {
//cyclic parents fault handling
$acl->addRole($role);
//add role without its parents to escape cycle
} else {
$this->addedRoles[$role] = true;
foreach ($roles[$role] as $parent) {
//add parent roles first
$this->addRoleToAcl($parent, $roles, $acl);
}
if (!$acl->hasRole($role)) {
//extra check because role could be added in previous cycle
$acl->addRole($role, $roles[$role]);
}
}
}
}
/**
* @param RoleInterface|string|number $role
* @param ResourceInterface|string $resource
* @param string $privilege
* @return bool
*/
public function isAllowed($role = null, $resource = null, $privilege = null)
{
if (is_null($this->acl)) {
$this->init();
}
if (!is_null($role) && !$role instanceof RoleInterface) {
$roleEntity = $this->findRole($role);
} else {
$roleEntity = $role;
}
if (!$this->hasResource($resource)) {
if ($this->moduleOptions->isPermissive()) {
$resource = null;
} else {
return false;
}
}
if ($this->acl->hasRole($roleEntity) || is_null($roleEntity)) {
return $this->acl->isAllowed($roleEntity, $resource, $privilege);
} else {
return false;
}
}
/**
* Confirm that deleting a role after allowing access to all roles
* raise undefined index error
*
* @group ZF-5700
*/
public function testRemovingRoleAfterItWasAllowedAccessToAllResourcesGivesError()
{
$acl = new Acl\Acl();
$acl->addRole(new Role\GenericRole('test0'));
$acl->addRole(new Role\GenericRole('test1'));
$acl->addRole(new Role\GenericRole('test2'));
$acl->addResource(new Resource\GenericResource('Test'));
$acl->allow(null, 'Test', 'xxx');
// error test
$acl->removeRole('test0');
// Check after fix
$this->assertFalse($acl->hasRole('test0'));
}
public function testBuildItemWillAddRolesToAcl()
{
$this->assertFalse($this->acl->hasRole('guest'));
$this->assertTrue($this->object->buildItem());
$this->assertTrue($this->acl->hasRole('guest'));
}
public function index06Action()
{
$aclObj = new Acl();
$aclObj->addRole("member")->addRole("manager", "member")->addRole("admin", "manager");
//add controller
//module abc
$aclObj->addResource("abc:news")->addResource("def:books");
//it's mean Role member có thể truy cập vào action "info,index" trong controller news
$aclObj->allow("member", "abc:news", array("info", "index"));
$aclObj->allow("member", "def:books", array("info", "index", "edit", "add"));
$role = "member";
$resource = "def:books";
$privileges = array("info", "index", "add", "edit", "delete");
if ($aclObj->hasRole($role)) {
foreach ($privileges as $privilege) {
if ($aclObj->isAllowed($role, $resource, $privilege)) {
echo sprintf("<h3 style='color:red;font-weight:bold'>%s : Được quyền truy cập %s - %s</h3>", $role, $resource, $privilege);
} else {
echo sprintf("<h3 style='color:red;font-weight:bold'>%s : Không được quyền truy cập %s - %s</h3>", $role, $resource, $privilege);
}
}
}
return false;
}
public function initAcl(MvcEvent $e)
{
$application = $e->getApplication();
$sm = $application->getServiceManager();
$acl = new Acl();
$roles = $sm->get("Application\\Model\\RolesBO");
$recursos = $sm->get("Application\\Model\\RecursosBO");
$rolesRecursos = $sm->get("Application\\Model\\RolesRecursosBO");
$usuarios = $sm->get("Application\\Model\\UsuariosBO");
// Se listan todos los recursos y se los agrega a la ACL
foreach ($recursos->obtenerTodos() as $recurso) {
if (!$acl->hasResource($recurso->getRecursosID())) {
$genericResource = new GenericResource($recurso->getRecursosID());
$acl->addResource($genericResource);
}
}
// Se registra el rol en la ACL
$sesion = new Container("CoreAppSesion");
if (!$acl->hasRole($sesion->user_rol_id)) {
$genericRole = new GenericRole($sesion->user_rol_id);
$acl->addRole($genericRole);
}
$services = $application->getServiceManager();
// obtenemos todos los recuersosque tiene la ACL
foreach ($acl->getResources() as $resource) {
// Obtenemos los recursos disponibles para el rol
foreach ($rolesRecursos->obtenerRecursosPorRol($sesion->user_rol_id) as $recursoAsignado) {
// Si el recurso asignado es el mismo recurso de la ACL lo permitimos
if ($resource == $recursoAsignado->getAppRecursosID()) {
$acl->allow($genericRole, $acl->getResource($resource));
}
}
}
// Si el recurso no esta permitido lo denegamos
foreach ($acl->getResources() as $resource) {
if (!$acl->isAllowed($genericRole, $acl->getResource($resource))) {
$acl->deny($genericRole, $acl->getResource($resource));
}
}
$this->acl = $acl;
}
/**
* Check if the ACL allows accessing the function or method
*
* @param string|object $object Object or class being accessed
* @param string $function Function or method being accessed
* @return unknown_type
* @throws Exception\RuntimeException
*/
protected function _checkAcl($object, $function)
{
if (!$this->_acl) {
return true;
}
if ($object) {
$isObject = is_object($object);
$class = $isObject ? get_class($object) : $object;
if (!$this->_acl->hasResource($class)) {
$this->_acl->addResource(new Acl\Resource\GenericResource($class));
}
if (method_exists($object, 'initAcl')) {
// if initAcl returns false, no ACL check
if ($isObject) {
if (!$object->initAcl($this->_acl)) {
return true;
}
} elseif (!$class::initAcl($this->_acl)) {
return true;
}
}
} else {
$class = null;
}
$auth = $this->getAuthService();
if ($auth->hasIdentity()) {
$role = $auth->getIdentity()->role;
} else {
if ($this->_acl->hasRole(Constants::GUEST_ROLE)) {
$role = Constants::GUEST_ROLE;
} else {
throw new Exception\RuntimeException("Unauthenticated access not allowed");
}
}
if ($this->_acl->isAllowed($role, $class, $function)) {
return true;
} else {
throw new Exception\RuntimeException("Access not allowed");
}
}
