/**
 * Every resource constant declared in the Scalr\Acl\Acl class must have a
 * matching entry in the Scalr\Acl\Resource\Definition class: the lookup must
 * yield a ResourceObject whose id round-trips and whose name and description
 * are both set. The permission list is fetched only to make sure it resolves.
 *
 * @test
 * @dataProvider providerGet
 *
 * @param int $resourceId Resource identifier supplied by providerGet
 */
public function testGet($resourceId)
{
    $definition = new Definition();
    $resource = $definition->get($resourceId);

    $missingMessage = sprintf("Resource (0x%x) must be defined in the Scalr\\Acl\\Resource\\Definition class", $resourceId);
    $nameMessage = sprintf("Name of the resource (0x%x) must be defined", $resourceId);
    $descriptionMessage = sprintf("Description of the resource (0x%x) must be defined", $resourceId);

    $this->assertInstanceOf('Scalr\\Acl\\Resource\\ResourceObject', $resource, $missingMessage);
    $this->assertEquals($resourceId, $resource->getResourceId());
    $this->assertNotEmpty($resource->getName(), $nameMessage);
    $this->assertNotEmpty($resource->getDescription(), $descriptionMessage);

    //Only checks that the permissions can be resolved without error; no assertion on their content.
    $resource->getPermissions();
}
/**
 * Returns the group this resource is assigned to in the resource definition.
 *
 * Looks the resource up by its id through Definition::get(); the result is
 * dereferenced without a null check, so an id with no definition would fail
 * here rather than return a value.
 *
 * @return string
 */
public function getGroup()
{
    $definition = Definition::get($this->resourceId);

    return $definition->getGroup();
}
/**
 * Populates the role object with its resources and resource permissions from
 * the `acl_*role_resources` / `acl_*role_resource_permissions` tables.
 *
 * Account roles read the `acl_account_role_*` tables, plain roles the
 * `acl_role_*` tables. The table/column prefix is selected by the instanceof
 * check below and is never caller-supplied; the role id is the only dynamic
 * value and is passed as a bound parameter. A permission row is attached to
 * its resource only when the resource definition declares that permission id.
 *
 * @param Role\RoleObject $role A role object
 */
protected function loadRolePermissions(Role\RoleObject $role)
{
    $sAcc = ($role instanceof Role\AccountRoleObject) ? 'account_' : '';

    $sql = "\n SELECT\n rr.`{$sAcc}role_id` as `role_id`,\n rr.`resource_id`, rr.`granted`, rp.`perm_id`,\n rp.`granted` AS `perm_granted`\n FROM `acl_{$sAcc}role_resources` rr\n LEFT JOIN `acl_{$sAcc}role_resource_permissions` rp\n ON rp.`{$sAcc}role_id` = rr.`{$sAcc}role_id`\n AND rp.`resource_id` = rr.`resource_id`\n WHERE rr.`{$sAcc}role_id` = ?\n ";

    $res = $this->db->Execute($sql, array($role->getRoleId()));

    if (!$res) {
        return;
    }

    //NOTE(review): this snapshot is taken once, before the loop. If getResources() returns a copy rather than
    //a reference, a second row for the same resource_id (one per permission) would not find the object appended
    //on the previous iteration and would construct another RoleResourceObject — confirm against appendResource().
    $resources = $role->getResources();

    while ($rec = $res->FetchRow()) {
        $resourceId = $rec['resource_id'];

        if (isset($resources[$resourceId])) {
            $resource = $resources[$resourceId];
        } else {
            //First row seen for this resource: attach it to the role
            $resource = new Role\RoleResourceObject($rec['role_id'], $resourceId, $rec['granted']);
            $role->appendResource($resource);
        }

        //LEFT JOIN: a resource with no permission rows yields a NULL perm_id
        if ($rec['perm_id'] === null) {
            continue;
        }

        $permission = new Role\RoleResourcePermissionObject($rec['role_id'], $resourceId, $rec['perm_id'], $rec['perm_granted']);

        //Only permissions declared in the resource definition are honoured;
        //rows for permission ids the definition does not know are dropped.
        $definition = Resource\Definition::get($resource->getResourceId());

        if ($definition->hasPermission($permission->getPermissionId())) {
            $resource->appendPermission($permission);
        }
    }
}
/**
 * Loads permissions into role object
 *
 * Reads the role's resources, per-resource permissions and (for account
 * roles only) the resource mode from the `acl_*role_resources`,
 * `acl_*role_resource_permissions` and `acl_account_role_resource_modes`
 * tables. Resources listed by Acl::getDisabledResources() are excluded in
 * the query itself. A permission row is attached only when the resource
 * definition declares that permission id.
 *
 * SQL assembly notes: the `$sAcc` table/column prefix is chosen by the
 * instanceof check, not from caller data; the role id and every disabled
 * resource id are bound as `?` parameters (one placeholder per disabled id,
 * values appended to the bind array in the same order), so no value is
 * interpolated into the statement text.
 *
 * @param Role\RoleObject $role A role object
 */
protected function loadRolePermissions(Role\RoleObject $role)
{
    if ($role instanceof Role\AccountRoleObject) {
        $sAcc = 'account_';
        //Modes exist for account roles only; plain roles select a literal NULL mode below
        $rmJoin = "LEFT JOIN acl_account_role_resource_modes rm ON rr.`account_role_id` = rm.account_role_id " . " AND rr.`resource_id` = rm.`resource_id`";
    } else {
        $sAcc = '';
        $rmJoin = '';
    }

    $disabledResources = Acl::getDisabledResources();

    //Emits exactly count($disabledResources) placeholders; omitted entirely when the list is empty
    //so the query never contains an invalid "NOT IN ()".
    $disabledSql = !empty($disabledResources) ? "AND rr.resource_id NOT IN (" . implode(',', array_fill(0, count($disabledResources), '?')) . ")" : "";

    //Bind order must match placeholder order: role id first, then the disabled resource ids
    $res = $this->db->Execute("\n SELECT\n rr.`" . $sAcc . "role_id` AS `role_id`,\n rr.`resource_id`, rr.`granted`, rp.`perm_id`,\n rp.`granted` AS `perm_granted`,\n " . (!empty($rmJoin) ? "rm.`mode`" : "NULL AS `mode`") . "\n FROM `acl_" . $sAcc . "role_resources` rr\n " . $rmJoin . "\n LEFT JOIN `acl_" . $sAcc . "role_resource_permissions` rp\n ON rp.`" . $sAcc . "role_id` = rr.`" . $sAcc . "role_id`\n AND rp.`resource_id` = rr.`resource_id`\n WHERE rr.`" . $sAcc . "role_id` = ?\n {$disabledSql}\n ", array_merge((array) $role->getRoleId(), $disabledResources));

    if ($res) {
        //NOTE(review): snapshot taken once before the loop. If getResources() returns a copy rather than a
        //reference, a second row for the same resource_id (one per permission) will not see the object appended
        //on the previous iteration and will construct another RoleResourceObject — confirm against appendResource().
        $resources = $role->getResources();

        while ($rec = $res->FetchRow()) {
            if (!isset($resources[$rec['resource_id']])) {
                //Adds resource to role object
                $resource = new Role\RoleResourceObject($rec['role_id'], $rec['resource_id'], $rec['granted'], $rec['mode']);
                $role->appendResource($resource);
            } else {
                $resource = $resources[$rec['resource_id']];
            }

            //LEFT JOIN: a resource with no permission rows yields a NULL perm_id
            if ($rec['perm_id'] !== null) {
                $permission = new Role\RoleResourcePermissionObject($rec['role_id'], $rec['resource_id'], $rec['perm_id'], $rec['perm_granted']);

                //We should append permission only if it's been declared in the definition.
                $resourceDefinition = Resource\Definition::get($resource->getResourceId());

                if ($resourceDefinition->hasPermission($permission->getPermissionId())) {
                    $resource->appendPermission($permission);
                }

                unset($permission);
            }

            unset($resource);
        }
    }
}
/**
 * Checks if specified resource is allowed
 *
 * The result is tri-state: true when the role grants access, false when it
 * denies it, and null when the role does not override the resource (or the
 * requested permission) at all. Callers must not read null as a grant; it
 * means "no decision from this role".
 *
 * Resource and permission ids are validated against the resource definition
 * before the role is consulted, so an unknown or disabled resource id, or a
 * permission id the definition does not declare, raises an exception rather
 * than returning null.
 *
 * @param int $resourceId The ID of the resource.
 * @param string $permissionId optional The ID of the permission associated with resource.
 * @return bool|null Returns true if access is allowed.
 *                   If resource or permission isn't overridden it returns null.
 * @throws Exception\RoleObjectException
 */
public function isAllowed($resourceId, $permissionId = null)
{
    $definition = Resource\Definition::get($resourceId);

    if ($definition === null) {
        //Distinguishes a deliberately disabled resource from an unknown one for the message only.
        //Non-strict in_array is kept as in the original; it affects the wording, not the outcome.
        $kind = in_array($resourceId, Acl::getDisabledResources()) ? 'Disabled' : 'Unknown';

        throw new Exception\RoleObjectException(sprintf("%s ACL resource (0x%x).", $kind, intval($resourceId)));
    }

    //NOTE(review): this guard uses empty() while the branch below uses !== null, so a permission id of
    //'' or '0' skips the definition check yet still reaches getPermission(). Kept as-is.
    if (!empty($permissionId) && !$definition->hasPermission($permissionId)) {
        throw new Exception\RoleObjectException(sprintf("Unknown permission (%s) for resource '%s' (0x%x).", $permissionId, $definition->getName(), intval($resourceId)));
    }

    //A role that does not override the resource yields no decision
    $resource = $this->getResource($resourceId);

    if ($resource === null) {
        return null;
    }

    //Resource-level check only
    if ($permissionId === null) {
        return $resource->isGranted();
    }

    $permission = $resource->getPermission($permissionId);
    $resourceGranted = $resource->isGranted();

    //No decision unless both the permission is overridden and the resource itself has a grant value
    if ($permission === null || $resourceGranted === null) {
        return null;
    }

    //A denied resource forbids every permission under it, whatever the permission row says
    return $resourceGranted && $permission->isGranted();
}
/**
 * Gets the Mode for the specified ACL Resource
 *
 * Walks every role in this collection; for each role that allows the
 * resource, takes the smallest mode value seen so far (a lower value wins).
 * When no role contributes a mode, falls back to the default declared by the
 * resource definition, if one is defined.
 *
 * @param int $resouceId Identifier of the ACL Resource
 * @return int|null Returns the Mode for the specified ACL Resource
 */
public function getResourceMode($resouceId)
{
    $mode = null;

    foreach ($this->getIterator() as $role) {
        /* @var $role AccountRoleObject */
        $resource = $role->getResource($resouceId);

        //If ACL Resource is turned off we should disregard its mode because it can be set to the default value.
        //isAllowed() is used in boolean context here, so a null ("not overridden") result skips the role as well.
        if ($role->isAllowed($resouceId)) {
            //If there are no resource than default mode is applied
            $m = $resource ? $resource->getMode() : null;

            //NULL is considered to be the most priority value
            //NOTE(review): the break leaves $mode at whatever an earlier role contributed. If a NULL mode is meant
            //to win outright (so the definition default below applies), $mode would need resetting before the
            //break — confirm the intended precedence.
            if ($m === null) {
                break;
            }

            //Lesser value has more priority
            $mode = $mode === null ? $m : min($mode, $m);
        }
    }

    if ($mode === null) {
        //Check if default value is defined for the specified ACL Resource
        //Definition::get() is dereferenced without a null check; presumably an unknown id has already been
        //rejected by isAllowed() above, which does not hold when the collection is empty — TODO confirm.
        $modeDefinition = Definition::get($resouceId)->getMode();

        if ($modeDefinition instanceof ModeInterface) {
            $mode = $modeDefinition->getDefault();
        }
    }

    return $mode;
}