/**
 * Revoke one role's access to a single controller action.
 *
 * Two situations are handled, depending on how the role currently holds access
 * according to the cached controller access description:
 *  - the role is listed at controller level: the controller-level grant is
 *    removed and every *other* action of the controller is granted individually;
 *  - the role is listed for this action only: that single grant is removed,
 *    a removal event is triggered and the controller's cache entry is flushed.
 * When neither applies, nothing is changed.
 *
 * @access public
 * @author Jehan Bihin, <*****@*****.**>
 * @param string $roleUri   URI of the role losing access
 * @param string $accessUri URI of the action; the part after '#' is read as
 *                          "<type>_<extension>_<module>_<action>"
 * @return mixed nothing is returned explicitly
 */
public function remove($roleUri, $accessUri)
{
    // NOTE(review): $accessUri is not validated. A value without '#', or whose
    // fragment has fewer than four '_'-separated parts (or extra '_' inside a
    // name), yields missing or wrong $ext/$mod/$act — confirm callers validate it.
    $fragments = explode('#', $accessUri);
    list($type, $ext, $mod, $act) = explode('_', $fragments[1]);

    $roleClass = new core_kernel_classes_Class($roleUri);
    $grantProperty = new core_kernel_classes_Property(funcAcl_models_classes_AccessService::PROPERTY_ACL_GRANTACCESS);
    $controller = new core_kernel_classes_Resource($this->makeEMAUri($ext, $mod));
    $controllerClass = funcAcl_helpers_Map::getControllerFromUri($controller->getUri());

    // Decide which kind of grant the role currently holds.
    $grants = funcAcl_helpers_Cache::getControllerAccess($controllerClass);

    if (in_array($roleUri, $grants['module'])) {
        // Controller-wide grant: drop it first, then re-grant the remaining
        // actions one by one, so the role is never left with more access than before.
        // NOTE(review): the cached 'module' list also holds extension-level grants;
        // whether removing the controller grant is enough in that case is not
        // visible here — confirm.
        funcAcl_models_classes_ModuleAccessService::singleton()->remove($roleUri, $controller->getUri());

        foreach (funcAcl_helpers_Model::getActions($controller) as $action) {
            if ($action->getUri() == $accessUri) {
                continue; // this is the action being revoked
            }
            $this->add($roleUri, $action->getUri());
            $this->getEventManager()->trigger(new AccessRightAddedEvent($roleUri, $action->getUri()));
        }
        return;
    }

    $hasActionGrant = isset($grants['actions'][$act]) && in_array($roleUri, $grants['actions'][$act]);
    if (!$hasActionGrant) {
        return;
    }

    // Action-only grant: remove exactly that grant, then invalidate the cached
    // description so later access checks do not see the stale entry.
    $roleClass->removePropertyValues($grantProperty, array('pattern' => $accessUri));
    $this->getEventManager()->trigger(new AccessRightRemovedEvent($roleUri, $accessUri));
    funcAcl_helpers_Cache::flushControllerAccess($controllerClass);
}
/**
 * List the actions of a module (controller) as ontology resources.
 *
 * The controller class is resolved from the module URI, its action names are
 * read through ControllerHelper, and each action is mapped to its ACL URI.
 * If the controller cannot be reflected, the actions collected so far
 * (normally none) are returned instead of raising.
 *
 * @access public
 * @author Jerome Bogaerts, <*****@*****.**>
 * @param core_kernel_classes_Resource $module resource describing the module
 * @return array action URI => core_kernel_classes_Resource
 */
public static function getActions(core_kernel_classes_Resource $module)
{
    $controllerClass = funcAcl_helpers_Map::getControllerFromUri($module->getUri());
    $actions = array();

    try {
        $actionNames = ControllerHelper::getActions($controllerClass);
        foreach ($actionNames as $name) {
            $actionUri = funcAcl_helpers_Map::getUriForAction($controllerClass, $name);
            $actions[$actionUri] = new core_kernel_classes_Resource($actionUri);
        }
    } catch (ReflectionException $e) {
        // Unknown controller: deliberately best-effort, the caller gets an
        // empty (or partial) list rather than an exception.
    }

    return $actions;
}
/**
 * Return the description of which roles may access a controller.
 *
 * The description is served from the cache when present. On a cache
 * exception it is rebuilt from the role instances and stored again.
 * Because a cached entry is returned as-is, code that changes grants has to
 * invalidate the entry for the change to become visible here.
 *
 * Shape of the result:
 *   'module'  => list of role URIs granted on the controller's extension
 *                or on the controller itself,
 *   'actions' => action name => list of role URIs granted on that action
 *                (only actions with at least one granted role are present).
 *
 * @param string $controllerClassName
 * @return array
 */
public static function getControllerAccess($controllerClassName)
{
    $cacheKey = self::SERIAL_PREFIX_MODULE . $controllerClassName;

    try {
        return self::getCacheImplementation()->get($cacheKey);
    } catch (common_cache_Exception $e) {
        // Any cache exception is treated as a miss; rebuild below.
    }

    $extensionUri = funcAcl_helpers_Map::getUriForExtension(
        funcAcl_helpers_Map::getExtensionFromController($controllerClassName)
    );
    $controllerUri = funcAcl_helpers_Map::getUriForController($controllerClassName);

    $roleClass = new core_kernel_classes_Class(CLASS_ROLE);
    $grantProperty = new core_kernel_classes_Property(funcAcl_models_classes_AccessService::PROPERTY_ACL_GRANTACCESS);
    $grantPropertyUri = $grantProperty->getUri();

    // Exact match ('like' => false) on the grant target, including sub-classes of the role class.
    $searchOptions = array('recursive' => true, 'like' => false);

    $access = array('module' => array(), 'actions' => array());

    // Controller-wide access: roles granted on the extension first, then on the controller.
    foreach (array($extensionUri, $controllerUri) as $grantTarget) {
        $granted = $roleClass->searchInstances(array($grantPropertyUri => $grantTarget), $searchOptions);
        foreach ($granted as $grantedRole) {
            $access['module'][] = $grantedRole->getUri();
        }
    }

    // Per-action access.
    foreach (ControllerHelper::getActions($controllerClassName) as $actionName) {
        $actionUri = funcAcl_helpers_Map::getUriForAction($controllerClassName, $actionName);
        $rolesForAction = $roleClass->searchInstances(array($grantPropertyUri => $actionUri), $searchOptions);
        if (empty($rolesForAction)) {
            continue;
        }

        // The key is the action name as parsed back from the URI.
        $actionKey = funcAcl_helpers_Map::getActionFromUri($actionUri);
        $access['actions'][$actionKey] = array();
        foreach ($rolesForAction as $roleResource) {
            $access['actions'][$actionKey][] = $roleResource->getUri();
        }
    }

    self::getCacheImplementation()->put($access, $cacheKey);

    return $access;
}
/**
 * Translate a rule mask into tao ACL components.
 *
 * Accepted masks:
 *  - string "ControllerClass" or "ControllerClass@action" (the class must exist);
 *  - array with 'ext' [, 'mod' [, 'act']];
 *  - array with 'controller' => class name;
 *  - array with 'act' => "ControllerClass@action".
 * Anything else is logged as a warning and yields an empty array.
 *
 * @param mixed $mask
 * @return string[] tao ACL components: [extension], [extension, module] or
 *                  [extension, module, action]; empty when the mask is not understood
 */
public function evalFilterMask($mask)
{
    // Short controller name: the part after the last namespace separator, or
    // after the last '_' for legacy class names.
    // NOTE(review): a class name containing neither separator loses its first
    // character here (strrpos() returns false) — confirm such names cannot occur.
    $shortNameOf = function ($className) {
        $separator = strpos($className, '\\') !== false ? '\\' : '_';
        return substr($className, strrpos($className, $separator) + 1);
    };

    if (is_string($mask)) {
        $controller = $mask;
        $action = null;
        if (strpos($mask, '@') !== false) {
            list($controller, $action) = explode('@', $mask, 2);
        }

        if (!class_exists($controller)) {
            common_Logger::w('Unknown controller ' . $controller);
            return array();
        }

        $extension = funcAcl_helpers_Map::getExtensionFromController($controller);
        $shortName = $shortNameOf($controller);

        // Without an action the whole controller is meant.
        return is_null($action)
            ? array($extension, $shortName)
            : array($extension, $shortName, $action);
    }

    if (!is_array($mask)) {
        common_Logger::w('Uninterpretable filtertype ' . gettype($mask));
        return array();
    }

    // Array masks: most specific explicit form first.
    if (isset($mask['act'], $mask['mod'], $mask['ext'])) {
        return array($mask['ext'], $mask['mod'], $mask['act']);
    }
    if (isset($mask['mod'], $mask['ext'])) {
        return array($mask['ext'], $mask['mod']);
    }
    if (isset($mask['ext'])) {
        return array($mask['ext']);
    }
    if (isset($mask['controller'])) {
        $extension = funcAcl_helpers_Map::getExtensionFromController($mask['controller']);
        return array($extension, $shortNameOf($mask['controller']));
    }
    if (isset($mask['act']) && strpos($mask['act'], '@') !== false) {
        list($controller, $action) = explode('@', $mask['act'], 2);
        $extension = funcAcl_helpers_Map::getExtensionFromController($controller);
        return array($extension, $shortNameOf($controller), $action);
    }

    common_Logger::w('Uninterpretable filter in ' . __CLASS__);

    return array();
}
/**
 * Return, as JSON, the access a role has to each action of a controller.
 *
 * Reads the 'role' and 'module' request parameters. For every action the
 * access level is:
 *  - ACCESS_INHERITED when a role included by the requested role is allowed
 *    (checked first, so it wins over a direct grant),
 *  - ACCESS_FULL when the requested role itself is allowed,
 *  - ACCESS_NONE otherwise.
 * The result is keyed by action id and sorted by key.
 *
 * NOTE(review): both parameters come straight from the request and no
 * permission check is visible in this method; presumably the framework
 * enforces access before dispatch — confirm.
 *
 * @throws Exception when the request is not an Ajax request
 */
public function getActions()
{
    if (!tao_helpers_Request::isAjax()) {
        throw new Exception("wrong request mode");
    }

    $role = new core_kernel_classes_Resource($this->getRequestParameter('role'));

    // URIs of the roles the requested role includes.
    $included = array();
    foreach (tao_models_classes_RoleService::singleton()->getIncludedRoles($role) as $includedRole) {
        $included[] = $includedRole->getUri();
    }

    $module = new core_kernel_classes_Resource($this->getRequestParameter('module'));
    $controllerClass = funcAcl_helpers_Map::getControllerFromUri($module->getUri());
    $grants = funcAcl_helpers_Cache::getControllerAccess($controllerClass);

    $result = array();
    foreach (ControllerHelper::getActions($controllerClass) as $actionName) {
        $actionUri = funcAcl_helpers_Map::getUriForAction($controllerClass, $actionName);

        // Fragment layout: "<type>_<extension>_<module>_<action>"; only the action id is used.
        $uriParts = explode('#', $actionUri);
        list($kind, $extensionId, $moduleId, $actionId) = explode('_', $uriParts[1]);

        // Roles allowed on the action = controller-wide roles plus action-specific ones.
        $allowedRoles = $grants['module'];
        if (isset($grants['actions'][$actionName])) {
            $allowedRoles = array_merge($grants['module'], $grants['actions'][$actionName]);
        }

        if (count(array_intersect($included, $allowedRoles)) > 0) {
            $level = self::ACCESS_INHERITED;
        } elseif (in_array($role->getUri(), $allowedRoles)) {
            $level = self::ACCESS_FULL;
        } else {
            $level = self::ACCESS_NONE;
        }

        $result[$actionId] = array('uri' => $actionUri, 'access' => $level);
    }

    ksort($result);
    $this->returnJson($result);
}
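/**
 * Revoke the access that a grant rule gave to its role.
 *
 * The rule's mask decides what is revoked:
 *  - 'ext' + 'mod' + 'act'            => one action,
 *  - 'ext' + 'mod'                    => one module (controller),
 *  - 'ext'                            => a whole extension,
 *  - 'controller' => class name       => the module of that controller,
 *  - 'act' => "ControllerClass@action" => one action of that controller.
 * Rules that are not grants, and masks matching none of the forms above, are
 * logged as warnings and leave access untouched.
 *
 * NOTE(review): only array masks are interpreted here; a plain string mask
 * ends up in the "Uninterpretable filter" branch — confirm that is intended.
 *
 * @param AccessRule $rule the grant rule to undo
 * @return void
 */
public function revokeRule(AccessRule $rule)
{
    if (!$rule->isGrant()) {
        common_Logger::w('Only grant rules accepted in ' . __CLASS__);
        return;
    }

    // Short controller name: the part after the last namespace separator, or
    // after the last '_' for legacy class names.
    $shortNameOf = function ($className) {
        $separator = strpos($className, '\\') !== false ? '\\' : '_';
        return substr($className, strrpos($className, $separator) + 1);
    };

    $accessService = funcAcl_models_classes_AccessService::singleton();
    $filter = $rule->getMask();

    if (isset($filter['act']) && isset($filter['mod']) && isset($filter['ext'])) {
        $accessService->revokeActionAccess($rule->getRole(), $filter['ext'], $filter['mod'], $filter['act']);
    } elseif (isset($filter['mod']) && isset($filter['ext'])) {
        $accessService->revokeModuleAccess($rule->getRole(), $filter['ext'], $filter['mod']);
    } elseif (isset($filter['ext'])) {
        $accessService->revokeExtensionAccess($rule->getRole(), $filter['ext']);
    } elseif (isset($filter['controller'])) {
        $extension = funcAcl_helpers_Map::getExtensionFromController($filter['controller']);
        $accessService->revokeModuleAccess($rule->getRole(), $extension, $shortNameOf($filter['controller']));
    } elseif (isset($filter['act']) && strpos($filter['act'], '@') !== false) {
        // Fixed: this used to read the undefined variable $mask, so the
        // controller and action were empty and the revoke call did not target
        // the action named in the rule.
        list($controller, $action) = explode('@', $filter['act'], 2);
        $extension = funcAcl_helpers_Map::getExtensionFromController($controller);
        $accessService->revokeActionAccess($rule->getRole(), $extension, $shortNameOf($controller), $action);
    } else {
        common_Logger::w('Uninterpretable filter in ' . __CLASS__);
    }
}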