/**
  * Withdraw a role's access to one action.
  *
  * If the role is listed under the controller's 'module' access, the
  * controller-wide grant is removed and access is re-added for every other
  * action of that controller. If the role is listed for the action itself,
  * only that grant is removed and the controller's cached access is flushed.
  * When neither applies, nothing is changed.
  *
  * @access public
  * @author Jehan Bihin, <*****@*****.**>
  * @param  string roleUri   URI of the role that loses access
  * @param  string accessUri URI of the action; the part after '#' is split
  *                          on '_' into type, extension, module and action
  * @return mixed  no value is returned
  */
 public function remove($roleUri, $accessUri)
 {
     // NOTE(review): nothing here verifies that $accessUri contains '#' and
     // four '_'-separated parts; a malformed URI produces undefined offsets
     // and null identifiers below. Confirm callers validate the URI.
     $uriParts = explode('#', $accessUri);
     list($type, $extensionId, $moduleId, $actionId) = explode('_', $uriParts[1]);

     $role = new core_kernel_classes_Class($roleUri);
     $grantProperty = new core_kernel_classes_Property(funcAcl_models_classes_AccessService::PROPERTY_ACL_GRANTACCESS);
     $module = new core_kernel_classes_Resource($this->makeEMAUri($extensionId, $moduleId));
     $controllerClassName = funcAcl_helpers_Map::getControllerFromUri($module->getUri());

     // Look up which roles reach this controller, and through which level.
     $controllerAccess = funcAcl_helpers_Cache::getControllerAccess($controllerClassName);

     if (in_array($roleUri, $controllerAccess['module'])) {
         // The role holds the whole controller: drop that grant first...
         // NOTE(review): if the 'module' list can also carry roles granted at
         // extension level, removing the controller grant alone would leave
         // the action reachable. Confirm against the cache builder.
         // NOTE(review): no AccessRightRemovedEvent is triggered on this
         // path; confirm the removal is recorded by the module service.
         funcAcl_models_classes_ModuleAccessService::singleton()->remove($roleUri, $module->getUri());

         // ...then grant every action except the one being withdrawn.
         foreach (funcAcl_helpers_Model::getActions($module) as $otherAction) {
             if ($otherAction->getUri() == $accessUri) {
                 continue;
             }
             $this->add($roleUri, $otherAction->getUri());
             $this->getEventManager()->trigger(new AccessRightAddedEvent($roleUri, $otherAction->getUri()));
         }
         return;
     }

     $grantedOnAction = isset($controllerAccess['actions'][$actionId])
         && in_array($roleUri, $controllerAccess['actions'][$actionId]);
     if ($grantedOnAction) {
         // The role was granted this action directly: remove just that value,
         // announce it, and drop the now stale cache entry.
         $role->removePropertyValues($grantProperty, array('pattern' => $accessUri));
         $this->getEventManager()->trigger(new AccessRightRemovedEvent($roleUri, $accessUri));
         funcAcl_helpers_Cache::flushControllerAccess($controllerClassName);
     }
 }
 /**
  * List the actions of a module as resources.
  *
  * The module URI is mapped to a controller class name, the controller's
  * action names are enumerated, and each one is turned into an action URI.
  * A ReflectionException raised while enumerating is swallowed: whatever was
  * collected up to that point (nothing, for an unknown controller) is
  * returned.
  *
  * @access public
  * @author Jerome Bogaerts, <*****@*****.**>
  * @param  Resource module
  * @return array action URI => core_kernel_classes_Resource
  */
 public static function getActions(core_kernel_classes_Resource $module)
 {
     $actionsByUri = array();
     $controller = funcAcl_helpers_Map::getControllerFromUri($module->getUri());

     try {
         $actionNames = ControllerHelper::getActions($controller);
         foreach ($actionNames as $name) {
             $actionUri = funcAcl_helpers_Map::getUriForAction($controller, $name);
             $actionsByUri[$actionUri] = new core_kernel_classes_Resource($actionUri);
         }
     } catch (ReflectionException $e) {
         // The controller cannot be reflected: report no (further) actions.
     }

     return $actionsByUri;
 }
 /**
  * Return the roles that have access to a controller, from cache if possible.
  *
  * When the cache lookup throws common_cache_Exception the description is
  * rebuilt from the role instances and stored back in the cache.
  *
  * The result has two keys:
  *  - 'module':  URIs of roles granted the controller's extension or the
  *               controller itself (a role granted at both levels appears
  *               twice);
  *  - 'actions': action name => URIs of roles granted that action; actions
  *               without any granted role are omitted.
  *
  * NOTE(review): access decisions made from this value are only as fresh as
  * the cache entry. Confirm every code path that changes a grant flushes it.
  *
  * @param string $controllerClassName
  * @return array
  */
 public static function getControllerAccess($controllerClassName)
 {
     $cacheKey = self::SERIAL_PREFIX_MODULE . $controllerClassName;

     try {
         return self::getCacheImplementation()->get($cacheKey);
     } catch (common_cache_Exception $e) {
         // Not cached: rebuild the description below.
     }

     $extId = funcAcl_helpers_Map::getExtensionFromController($controllerClassName);
     $extensionUri = funcAcl_helpers_Map::getUriForExtension($extId);
     $controllerUri = funcAcl_helpers_Map::getUriForController($controllerClassName);
     $roleClass = new core_kernel_classes_Class(CLASS_ROLE);
     $accessProperty = new core_kernel_classes_Property(funcAcl_models_classes_AccessService::PROPERTY_ACL_GRANTACCESS);
     // Exact match on the grant target, searched through role subclasses too.
     $searchOptions = array('recursive' => true, 'like' => false);

     $access = array('module' => array(), 'actions' => array());

     // Extension-level grants first, then controller-level grants; both give
     // access to the whole controller and therefore share the 'module' list.
     foreach (array($extensionUri, $controllerUri) as $grantTarget) {
         $granted = $roleClass->searchInstances(array($accessProperty->getUri() => $grantTarget), $searchOptions);
         foreach ($granted as $grantedRole) {
             $access['module'][] = $grantedRole->getUri();
         }
     }

     // Action-level grants, keyed by the action name derived from the URI.
     foreach (ControllerHelper::getActions($controllerClassName) as $declaredAction) {
         $actionUri = funcAcl_helpers_Map::getUriForAction($controllerClassName, $declaredAction);
         $rolesForAction = $roleClass->searchInstances(array($accessProperty->getUri() => $actionUri), $searchOptions);
         if (empty($rolesForAction)) {
             continue;
         }
         $actionKey = funcAcl_helpers_Map::getActionFromUri($actionUri);
         $access['actions'][$actionKey] = array();
         foreach ($rolesForAction as $roleResource) {
             $access['actions'][$actionKey][] = $roleResource->getUri();
         }
     }

     self::getCacheImplementation()->put($access, $cacheKey);

     return $access;
 }
 /**
  * Translate an access mask into ACL components.
  *
  * Accepted masks:
  *  - string 'ControllerClass' or 'ControllerClass@action'; the class must
  *    exist, otherwise a warning is logged;
  *  - array with 'ext', optionally 'mod', and (only together with 'mod')
  *    'act';
  *  - array with 'controller' (a controller class name);
  *  - array with 'act' of the form 'ControllerClass@action'.
  *
  * Array masks naming a controller are not checked with class_exists(), in
  * contrast to string masks.
  *
  * NOTE(review): any mask that cannot be interpreted yields an empty array
  * after a logged warning. Confirm callers treat an empty result as "no
  * access granted" and never as an unrestricted rule.
  *
  * @param mixed $mask
  * @return string[] tao ACL components: extension[, controller[, action]]
  */
 public function evalFilterMask($mask)
 {
     // Part of the class name after the last namespace separator, or after
     // the last underscore for names without a namespace.
     $shortNameOf = function ($className) {
         $separator = strpos($className, '\\') !== false ? '\\' : '_';
         return substr($className, strrpos($className, $separator) + 1);
     };

     if (is_string($mask)) {
         $controller = $mask;
         $action = null;
         if (strpos($mask, '@') !== false) {
             list($controller, $action) = explode('@', $mask, 2);
         }
         if (!class_exists($controller)) {
             common_Logger::w('Unknown controller ' . $controller);
             return array();
         }
         $extension = funcAcl_helpers_Map::getExtensionFromController($controller);
         $shortName = $shortNameOf($controller);
         if (is_null($action)) {
             // The mask covers the whole controller.
             return array($extension, $shortName);
         }
         // The mask covers a single action.
         return array($extension, $shortName, $action);
     }

     if (!is_array($mask)) {
         common_Logger::w('Uninterpretable filtertype ' . gettype($mask));
         return array();
     }

     if (isset($mask['ext'])) {
         // Explicit components: 'act' only counts when 'mod' is present too.
         $components = array($mask['ext']);
         if (isset($mask['mod'])) {
             $components[] = $mask['mod'];
             if (isset($mask['act'])) {
                 $components[] = $mask['act'];
             }
         }
         return $components;
     }

     if (isset($mask['controller'])) {
         $extension = funcAcl_helpers_Map::getExtensionFromController($mask['controller']);
         return array($extension, $shortNameOf($mask['controller']));
     }

     if (isset($mask['act']) && strpos($mask['act'], '@') !== false) {
         list($controller, $action) = explode('@', $mask['act'], 2);
         $extension = funcAcl_helpers_Map::getExtensionFromController($controller);
         return array($extension, $shortNameOf($controller), $action);
     }

     common_Logger::w('Uninterpretable filter in ' . __CLASS__);
     return array();
 }
 /**
  * Send, as JSON, the access a role has to each action of a controller.
  *
  * The role and the module are read from the request parameters 'role' and
  * 'module'. For every action of the module's controller the answer carries
  * the action URI and one of:
  *  - ACCESS_INHERITED when a role included by the requested role is allowed,
  *  - ACCESS_FULL when the requested role itself is allowed,
  *  - ACCESS_NONE otherwise.
  * Entries are keyed by the action id taken from the URI and sorted by key.
  *
  * NOTE(review): isAjax() only tells the request mode apart. Nothing in this
  * method checks that the caller may read ACL data, and both parameters are
  * used as given. Confirm authorization is enforced before this is reached.
  *
  * @throws Exception when the request is not an AJAX request
  */
 public function getActions()
 {
     if (!tao_helpers_Request::isAjax()) {
         throw new Exception("wrong request mode");
     }

     $role = new core_kernel_classes_Resource($this->getRequestParameter('role'));

     // URIs of the roles the requested role includes.
     $includedUris = array();
     foreach (tao_models_classes_RoleService::singleton()->getIncludedRoles($role) as $includedRole) {
         $includedUris[] = $includedRole->getUri();
     }

     $module = new core_kernel_classes_Resource($this->getRequestParameter('module'));
     $controllerClassName = funcAcl_helpers_Map::getControllerFromUri($module->getUri());
     $controllerAccess = funcAcl_helpers_Cache::getControllerAccess($controllerClassName);

     $accessByAction = array();
     foreach (ControllerHelper::getActions($controllerClassName) as $actionName) {
         $actionUri = funcAcl_helpers_Map::getUriForAction($controllerClassName, $actionName);
         $uriParts = explode('#', $actionUri);
         list($kind, $extensionId, $moduleId, $actionId) = explode('_', $uriParts[1]);

         // Controller-wide roles always count; action roles are added on top.
         $allowedRoles = $controllerAccess['module'];
         if (isset($controllerAccess['actions'][$actionName])) {
             $allowedRoles = array_merge($controllerAccess['module'], $controllerAccess['actions'][$actionName]);
         }

         // Inherited access takes precedence over a direct grant.
         if (count(array_intersect($includedUris, $allowedRoles)) > 0) {
             $level = self::ACCESS_INHERITED;
         } elseif (in_array($role->getUri(), $allowedRoles)) {
             $level = self::ACCESS_FULL;
         } else {
             $level = self::ACCESS_NONE;
         }

         $accessByAction[$actionId] = array('uri' => $actionUri, 'access' => $level);
     }

     ksort($accessByAction);
     $this->returnJson($accessByAction);
 }
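 /**
  * Revoke the access that a grant rule gave to a role.
  *
  * The rule's mask decides what is revoked:
  *  - 'ext', 'mod' and 'act'  => one action,
  *  - 'ext' and 'mod'         => one controller,
  *  - 'ext'                   => one extension,
  *  - 'controller'            => the controller with that class name,
  *  - 'act' as 'Class@action' => one action of that controller class.
  * Rules that are not grants, and masks matching none of the above, only
  * produce a logged warning.
  *
  * NOTE(review): a mask that is a plain string matches none of the isset()
  * tests and ends in the 'Uninterpretable filter' branch, so nothing is
  * revoked for it. Confirm whether string masks can reach this method.
  *
  * @param AccessRule $rule the rule whose grant is withdrawn
  * @return void
  */
 public function revokeRule(AccessRule $rule)
 {
     if (!$rule->isGrant()) {
         common_Logger::w('Only grant rules accepted in ' . __CLASS__);
         return;
     }

     // Part of the class name after the last namespace separator, or after
     // the last underscore for names without a namespace.
     $shortNameOf = function ($className) {
         $separator = strpos($className, '\\') !== false ? '\\' : '_';
         return substr($className, strrpos($className, $separator) + 1);
     };

     $accessService = funcAcl_models_classes_AccessService::singleton();
     $filter = $rule->getMask();

     if (isset($filter['act']) && isset($filter['mod']) && isset($filter['ext'])) {
         $accessService->revokeActionAccess($rule->getRole(), $filter['ext'], $filter['mod'], $filter['act']);
     } elseif (isset($filter['mod']) && isset($filter['ext'])) {
         $accessService->revokeModuleAccess($rule->getRole(), $filter['ext'], $filter['mod']);
     } elseif (isset($filter['ext'])) {
         $accessService->revokeExtensionAccess($rule->getRole(), $filter['ext']);
     } elseif (isset($filter['controller'])) {
         $extension = funcAcl_helpers_Map::getExtensionFromController($filter['controller']);
         $accessService->revokeModuleAccess($rule->getRole(), $extension, $shortNameOf($filter['controller']));
     } elseif (isset($filter['act']) && strpos($filter['act'], '@') !== false) {
         // The 'Class@action' pair must be read from $filter, the mask that
         // was just tested. Splitting any other variable would produce an
         // empty controller name and no action, so the revocation would not
         // target the grant it is meant to remove.
         list($controller, $action) = explode('@', $filter['act'], 2);
         $extension = funcAcl_helpers_Map::getExtensionFromController($controller);
         $accessService->revokeActionAccess($rule->getRole(), $extension, $shortNameOf($controller), $action);
     } else {
         common_Logger::w('Uninterpretable filter in ' . __CLASS__);
     }
 }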