Since: 30.07.2013
Author: Vitaliy Demidov (vitaliy@scalr.com)
Exemple #1
 /**
  * Gets all Resources
  *
  * This method describes all available resources. The definition table is built
  * on the first call and cached in static properties (self::$rawList, self::$list,
  * self::$idx); resources reported by Acl::getDisabledResources() are removed
  * from the table before it is cached.
  *
  * @param   bool    $raw optional  If true the plain definition array is returned,
  *                                 otherwise the \ArrayObject of ResourceObject instances.
  * @return  \ArrayObject|array Returns array looks like array(
  *                resource_id => array(name, description, resourceGroup, [array(permission_id => description)]))
  *                The fourth value of array (index 3) is optional and determines unique
  *                permissions for specified resource which can be allowed or forbidden separately.
  *                Without $raw each value is a ResourceObject built from that array.
  */
 public static function getAll($raw = false)
 {
     $allows = 'Allows ';
     // Built only while self::$list is unset; later calls reuse the static caches,
     // so the disabled-resource filter below is not re-evaluated on those calls.
     if (!isset(self::$list)) {
         // Definition table keyed by resource ID:
         // array(name, description, group[, array(permission ID => description)])
         self::$rawList = array(Acl::RESOURCE_FARMS => array('Farms', $allows . 'access to farm designer.', Acl::GROUP_FARMS, array(Acl::PERM_FARMS_MANAGE => $allows . 'to manage (create/configure/delete) farms.', Acl::PERM_FARMS_CLONE => $allows . 'to clone farms.', Acl::PERM_FARMS_LAUNCH => $allows . 'to launch farms.', Acl::PERM_FARMS_TERMINATE => $allows . 'to terminate farms.', Acl::PERM_FARMS_NOT_OWNED_FARMS => $allows . 'to manage not owned farms.')), Acl::RESOURCE_FARMS_ALERTS => array('Alerts', $allows . 'access to alerts.', Acl::GROUP_FARMS), Acl::RESOURCE_FARMS_SERVERS => array('Servers', $allows . 'access to servers.', Acl::GROUP_FARMS), Acl::RESOURCE_FARMS_EVENTS_AND_NOTIFICATIONS => array('Events and notifications', $allows . 'access to events and notifications.', Acl::GROUP_FARMS), Acl::RESOURCE_FARMS_STATISTICS => array('Statistics', $allows . 'access to statistics.', Acl::GROUP_FARMS), Acl::RESOURCE_FARMS_ROLES => array('Roles', $allows . 'access to roles.', Acl::GROUP_FARMS, array(Acl::PERM_FARMS_ROLES_CREATE => $allows . 'to create (build/import) roles.', Acl::PERM_FARMS_ROLES_MANAGE => $allows . 'to manage (edit/delete) roles.', Acl::PERM_FARMS_ROLES_CLONE => $allows . 'to clone roles.', Acl::PERM_FARMS_ROLES_BUNDLETASKS => $allows . 'to bundle tasks (role creation process logs).')), Acl::RESOURCE_FARMS_SCRIPTS => array('Scripts', $allows . 'access to scripts.', Acl::GROUP_FARMS, array(Acl::PERM_FARMS_SCRIPTS_MANAGE => $allows . 'to manage (create/edit/delete) scripts.', Acl::PERM_FARMS_SCRIPTS_EXECUTE => $allows . 'to execute scripts.', Acl::PERM_FARMS_SCRIPTS_FORK => $allows . 'to fork scripts.')), Acl::RESOURCE_CLOUDSTACK_VOLUMES => array('Volumes', $allows . 'access to CloudStack volumes.', Acl::GROUP_CLOUDSTACK), Acl::RESOURCE_CLOUDSTACK_SNAPSHOTS => array('Snapshots', $allows . 'access to CloudStack snapshots.', Acl::GROUP_CLOUDSTACK), Acl::RESOURCE_CLOUDSTACK_PUBLIC_IPS => array('Public IPs', $allows . 
'access to CloudStack public IPs.', Acl::GROUP_CLOUDSTACK), Acl::RESOURCE_OPENSTACK_VOLUMES => array('Volumes', $allows . 'access to OpenStack volumes.', Acl::GROUP_OPENSTACK), Acl::RESOURCE_OPENSTACK_SNAPSHOTS => array('Snapshots', $allows . 'access to OpenStack snapshots.', Acl::GROUP_OPENSTACK), Acl::RESOURCE_OPENSTACK_PUBLIC_IPS => array('Public IPs', $allows . 'access to OpenStack public IPs.', Acl::GROUP_OPENSTACK), Acl::RESOURCE_AWS_CLOUDWATCH => array('CloudWatch', $allows . 'access to AWS CloudWatch.', Acl::GROUP_AWS), Acl::RESOURCE_AWS_ELASTIC_IPS => array('Elastic IPs', $allows . 'access to AWS Elastic IPs.', Acl::GROUP_AWS), Acl::RESOURCE_AWS_ELB => array('Elastic Load Balancing (ELB)', $allows . 'access to AWS Elastic Load Balancing.', Acl::GROUP_AWS), Acl::RESOURCE_AWS_IAM => array('Identity and Access Management (IAM)', $allows . 'access to AWS Identity and Access Management.', Acl::GROUP_AWS), Acl::RESOURCE_AWS_RDS => array('Relational Database Service (RDS)', $allows . 'access to Amazon Relational Database Service.', Acl::GROUP_AWS), Acl::RESOURCE_AWS_SNAPSHOTS => array('Snapshots', $allows . 'access to AWS snapshots.', Acl::GROUP_AWS), Acl::RESOURCE_AWS_VOLUMES => array('Volumes', $allows . 'access to AWS Volumes.', Acl::GROUP_AWS), Acl::RESOURCE_SECURITY_AWS_SECURITY_GROUPS => array('AWS security groups', $allows . 'access to AWS security groups.', Acl::GROUP_SECURITY), Acl::RESOURCE_SECURITY_RETRIEVE_WINDOWS_PASSWORDS => array('Retrieve Windows passwords', $allows . 'access to retrieve passwords for windows.', Acl::GROUP_SECURITY), Acl::RESOURCE_SECURITY_SSH_KEYS => array('SSH keys', $allows . 'access to SSH keys.', Acl::GROUP_SECURITY), Acl::RESOURCE_LOGS_API_LOGS => array('API logs', $allows . 'access to API logs.', Acl::GROUP_LOGS), Acl::RESOURCE_LOGS_SCRIPTING_LOGS => array('Scripting logs', $allows . 'access to scripting logs.', Acl::GROUP_LOGS), Acl::RESOURCE_LOGS_SYSTEM_LOGS => array('System logs', $allows . 
'access to system logs.', Acl::GROUP_LOGS), Acl::RESOURCE_SERVICES_APACHE => array('Apache', $allows . 'access to apache.', Acl::GROUP_SERVICES), Acl::RESOURCE_SERVICES_CHEF => array('Chef', $allows . 'access to chef.', Acl::GROUP_SERVICES), Acl::RESOURCE_SERVICES_SSL => array('SSL', $allows . 'access to SSL.', Acl::GROUP_SERVICES), Acl::RESOURCE_SERVICES_RABBITMQ => array('RabbitMQ', $allows . 'access to RabbitMQ.', Acl::GROUP_SERVICES), Acl::RESOURCE_GENERAL_CUSTOM_EVENTS => array('Custom events', $allows . 'access to custom events.', Acl::GROUP_GENERAL), Acl::RESOURCE_GENERAL_CUSTOM_SCALING_METRICS => array('Custom scaling metrics', $allows . 'access to custom scaling metrics.', Acl::GROUP_GENERAL), Acl::RESOURCE_GENERAL_GLOBAL_VARIABLES => array('Global variables (environment level)', $allows . 'access to global variables of environment level.', Acl::GROUP_GENERAL), Acl::RESOURCE_GENERAL_SCHEDULERTASKS => array('Tasks scheduler', $allows . 'access to tasks scheduler.', Acl::GROUP_GENERAL), Acl::RESOURCE_DB_BACKUPS => array('Backups', $allows . 'access to backups.', Acl::GROUP_DATABASES, array(Acl::PERM_DB_BACKUPS_REMOVE => $allows . 'to remove database backups.')), Acl::RESOURCE_DB_DATABASE_STATUS => array('Database status', $allows . 'access to database status.', Acl::GROUP_DATABASES, array(Acl::PERM_DB_DATABASE_STATUS_PMA => $allows . 'access to PMA.')), Acl::RESOURCE_DB_SERVICE_CONFIGURATION => array('Service configuration', $allows . 'access to service configuration.', Acl::GROUP_DATABASES), Acl::RESOURCE_DEPLOYMENTS_APPLICATIONS => array('Applications', $allows . 'access to applications.', Acl::GROUP_DEPLOYMENTS), Acl::RESOURCE_DEPLOYMENTS_SOURCES => array('Sources', $allows . 'access to sources.', Acl::GROUP_DEPLOYMENTS), Acl::RESOURCE_DEPLOYMENTS_TASKS => array('Tasks', $allows . 'access to tasks.', Acl::GROUP_DEPLOYMENTS), Acl::RESOURCE_DNS_ZONES => array('Zones', $allows . 
'access to DNS zones.', Acl::GROUP_DNS), Acl::RESOURCE_ADMINISTRATION_BILLING => array('Billing', $allows . 'access to billing.', Acl::GROUP_ADMINISTRATION), Acl::RESOURCE_ADMINISTRATION_GOVERNANCE => array('Governance', $allows . 'access to governance.', Acl::GROUP_ADMINISTRATION), Acl::RESOURCE_ADMINISTRATION_ENV_CLOUDS => array('Setup clouds', $allows . 'to manage cloud credentials for environments in which this user is a team member', Acl::GROUP_ADMINISTRATION));
         //Removes disabled resources
         // They are dropped from $rawList itself, so both the raw array and the
         // object list returned below exclude them.
         foreach (Acl::getDisabledResources() as $resourceId) {
             if (isset(self::$rawList[$resourceId])) {
                 unset(self::$rawList[$resourceId]);
             }
         }
         //Initializes set of the resources
         self::$list = new \ArrayObject(array());
         // Index: group => list of resource IDs that belong to it
         self::$idx = array();
         foreach (self::$rawList as $resourceId => $optionsArray) {
             $resourceDefinition = new ResourceObject($resourceId, $optionsArray);
             self::$list[$resourceId] = $resourceDefinition;
             if (!isset(self::$idx[$resourceDefinition->getGroup()])) {
                 self::$idx[$resourceDefinition->getGroup()] = array();
             }
             self::$idx[$resourceDefinition->getGroup()][] = $resourceId;
         }
     }
     // $raw selects the plain array form; the default is the \ArrayObject of ResourceObject
     return $raw ? self::$rawList : self::$list;
 }
Exemple #2
 /**
  * Gets all Resources
  *
  * This method describes all available resources. The definition table is built
  * on the first call and cached in static properties (self::$rawList, self::$list,
  * self::$idx); resources reported by Acl::getDisabledResources() are removed
  * from the table before it is cached.
  *
  * @param   bool    $raw optional  If true the plain definition array is returned,
  *                                 otherwise the \ArrayObject of ResourceObject instances.
  * @return  \ArrayObject|array Returns array looks like [
  *                resource_id => [name, description, resourceGroup, [permission_id => description]]]
  *                The fourth value of array (index 3) is optional and determines unique
  *                permissions for specified resource which can be allowed or forbidden separately.
  *                Without $raw each value is a ResourceObject built from that array.
  */
 public static function getAll($raw = false)
 {
     $allows = 'Allows ';
     // Built only while self::$list is unset; later calls reuse the static caches,
     // so the disabled-resource filter below is not re-evaluated on those calls.
     if (!isset(self::$list)) {
         // Definition table keyed by resource ID:
         // [name, description, group[, [permission ID => description]]]
         // RESOURCE_FARMS, RESOURCE_TEAM_FARMS and RESOURCE_OWN_FARMS declare the same
         // set of PERM_FARMS_* permissions; RESOURCE_FARMS_IMAGES reuses the
         // PERM_FARMS_ROLES_CREATE / PERM_FARMS_ROLES_MANAGE permission IDs.
         self::$rawList = [Acl::RESOURCE_FARMS => ['All Farms', $allows . 'access to farms and servers.', Acl::GROUP_FARMS_SERVERS, [Acl::PERM_FARMS_MANAGE => $allows . 'to manage (create/configure/delete) farms.', Acl::PERM_FARMS_CLONE => $allows . 'to clone farms.', Acl::PERM_FARMS_LAUNCH_TERMINATE => $allows . 'to launch/terminate farms.', Acl::PERM_FARMS_CHANGE_OWNERSHIP => $allows . 'to change owner or team', Acl::PERM_FARMS_SERVERS => $allows . 'to manage servers', Acl::PERM_FARMS_STATISTICS => $allows . 'to access statistics']], Acl::RESOURCE_TEAM_FARMS => ['Farms Your Teams Own', $allows . 'access to farms and servers.', Acl::GROUP_FARMS_SERVERS, [Acl::PERM_FARMS_MANAGE => $allows . 'to manage (create/configure/delete) farms.', Acl::PERM_FARMS_CLONE => $allows . 'to clone farms.', Acl::PERM_FARMS_LAUNCH_TERMINATE => $allows . 'to launch/terminate farms.', Acl::PERM_FARMS_CHANGE_OWNERSHIP => $allows . 'to change owner or team', Acl::PERM_FARMS_SERVERS => $allows . 'to manage servers', Acl::PERM_FARMS_STATISTICS => $allows . 'to access statistics']], Acl::RESOURCE_OWN_FARMS => ['Farms You Own', $allows . 'access to farms and servers.', Acl::GROUP_FARMS_SERVERS, [Acl::PERM_FARMS_MANAGE => $allows . 'to manage (create/configure/delete) farms.', Acl::PERM_FARMS_CLONE => $allows . 'to clone farms.', Acl::PERM_FARMS_LAUNCH_TERMINATE => $allows . 'to launch/terminate farms.', Acl::PERM_FARMS_CHANGE_OWNERSHIP => $allows . 'to change owner or team', Acl::PERM_FARMS_SERVERS => $allows . 'to manage servers', Acl::PERM_FARMS_STATISTICS => $allows . 'to access statistics']], Acl::RESOURCE_FARMS_ROLES => ['Roles', $allows . 'access to roles.', Acl::GROUP_ROLES_IMAGES, [Acl::PERM_FARMS_ROLES_CREATE => $allows . 'to create (build/import) roles.', Acl::PERM_FARMS_ROLES_MANAGE => $allows . 'to manage (edit/delete) roles.', Acl::PERM_FARMS_ROLES_CLONE => $allows . 'to clone roles.', Acl::PERM_FARMS_ROLES_BUNDLETASKS => $allows . 
'to bundle tasks (role creation process logs).']], Acl::RESOURCE_FARMS_IMAGES => ['Images', $allows . 'access to images.', Acl::GROUP_ROLES_IMAGES, [Acl::PERM_FARMS_ROLES_CREATE => $allows . 'to create (build/import) images.', Acl::PERM_FARMS_ROLES_MANAGE => $allows . 'to manage (edit/delete) images.']], Acl::RESOURCE_GCE_STATIC_IPS => ['Static IPs', $allows . 'access to GCE static IPs.', Acl::GROUP_GCE], Acl::RESOURCE_GCE_PERSISTENT_DISKS => ['Persistent disks', $allows . 'access to GCE persistent disks.', Acl::GROUP_GCE], Acl::RESOURCE_GCE_SNAPSHOTS => ['Snapshots', $allows . 'access to GCE snapshots.', Acl::GROUP_GCE], Acl::RESOURCE_CLOUDSTACK_VOLUMES => ['Volumes', $allows . 'access to CloudStack volumes.', Acl::GROUP_CLOUDSTACK], Acl::RESOURCE_CLOUDSTACK_SNAPSHOTS => ['Snapshots', $allows . 'access to CloudStack snapshots.', Acl::GROUP_CLOUDSTACK], Acl::RESOURCE_CLOUDSTACK_PUBLIC_IPS => ['Public IPs', $allows . 'access to CloudStack public IPs.', Acl::GROUP_CLOUDSTACK], Acl::RESOURCE_OPENSTACK_VOLUMES => ['Volumes', $allows . 'access to OpenStack volumes.', Acl::GROUP_OPENSTACK], Acl::RESOURCE_OPENSTACK_SNAPSHOTS => ['Snapshots', $allows . 'access to OpenStack snapshots.', Acl::GROUP_OPENSTACK], Acl::RESOURCE_OPENSTACK_PUBLIC_IPS => ['Public IPs', $allows . 'access to OpenStack public IPs.', Acl::GROUP_OPENSTACK], Acl::RESOURCE_OPENSTACK_ELB => ['Load Balancing (LBaaS)', $allows . 'access to load balancing service.', Acl::GROUP_OPENSTACK], Acl::RESOURCE_AWS_S3 => ['S3 and Cloudfront', $allows . 'access to AWS S3 and Cloudfront.', Acl::GROUP_AWS], Acl::RESOURCE_AWS_CLOUDWATCH => ['CloudWatch', $allows . 'access to AWS CloudWatch.', Acl::GROUP_AWS], Acl::RESOURCE_AWS_ELASTIC_IPS => ['Elastic IPs', $allows . 'access to AWS Elastic IPs.', Acl::GROUP_AWS], Acl::RESOURCE_AWS_ELB => ['Elastic Load Balancing (ELB)', $allows . 'access to AWS Elastic Load Balancing.', Acl::GROUP_AWS], Acl::RESOURCE_AWS_IAM => ['Identity and Access Management (IAM)', $allows . 
'access to AWS Identity and Access Management.', Acl::GROUP_AWS], Acl::RESOURCE_AWS_RDS => ['Relational Database Service (RDS)', $allows . 'access to Amazon Relational Database Service.', Acl::GROUP_AWS], Acl::RESOURCE_AWS_SNAPSHOTS => ['Snapshots', $allows . 'access to AWS snapshots.', Acl::GROUP_AWS], Acl::RESOURCE_AWS_VOLUMES => ['Volumes', $allows . 'access to AWS Volumes.', Acl::GROUP_AWS], Acl::RESOURCE_AWS_ROUTE53 => ['Route53', $allows . 'access to AWS Route53.', Acl::GROUP_AWS], Acl::RESOURCE_SECURITY_SECURITY_GROUPS => ['Security groups', $allows . 'access to security groups.', Acl::GROUP_SECURITY], Acl::RESOURCE_SECURITY_RETRIEVE_WINDOWS_PASSWORDS => ['Retrieve Windows passwords', $allows . 'access to retrieve passwords for windows.', Acl::GROUP_SECURITY], Acl::RESOURCE_SECURITY_SSH_KEYS => ['SSH keys', $allows . 'access to SSH keys.', Acl::GROUP_SECURITY], Acl::RESOURCE_LOGS_EVENT_LOGS => ['Event Log', $allows . 'access to the Event Log.', Acl::GROUP_LOGS], Acl::RESOURCE_LOGS_SYSTEM_LOGS => ['System Log', $allows . 'access to the System Log.', Acl::GROUP_LOGS], Acl::RESOURCE_LOGS_SCRIPTING_LOGS => ['Scripting Log', $allows . 'access to the Scripting Log.', Acl::GROUP_LOGS], Acl::RESOURCE_LOGS_API_LOGS => ['API Log', $allows . 'access to the API Log.', Acl::GROUP_LOGS], Acl::RESOURCE_SERVICES_APACHE => ['Apache', $allows . 'access to apache.', Acl::GROUP_SERVICES], Acl::RESOURCE_SERVICES_ENVADMINISTRATION_CHEF => ['Chef (environment scope)', $allows . 'to manage chef servers in the environment scope.', Acl::GROUP_SERVICES], Acl::RESOURCE_SERVICES_ADMINISTRATION_CHEF => ['Chef (account scope)', $allows . 'to manage chef servers in the account scope.', Acl::GROUP_SERVICES], Acl::RESOURCE_SERVICES_SSL => ['SSL', $allows . 'access to SSL.', Acl::GROUP_SERVICES], Acl::RESOURCE_SERVICES_RABBITMQ => ['RabbitMQ', $allows . 'access to RabbitMQ.', Acl::GROUP_SERVICES], Acl::RESOURCE_GENERAL_CUSTOM_EVENTS => ['Custom events', $allows . 
'access to custom events.', Acl::GROUP_GENERAL, [Acl::PERM_GENERAL_CUSTOM_EVENTS_FIRE => $allows . 'to fire custom events.']], Acl::RESOURCE_GENERAL_CUSTOM_SCALING_METRICS => ['Custom scaling metrics', $allows . 'access to custom scaling metrics.', Acl::GROUP_GENERAL], Acl::RESOURCE_GENERAL_SCHEDULERTASKS => ['Tasks scheduler', $allows . 'access to tasks scheduler.', Acl::GROUP_GENERAL], Acl::RESOURCE_DB_BACKUPS => ['Backups', $allows . 'access to backups.', Acl::GROUP_DATABASES, [Acl::PERM_DB_BACKUPS_REMOVE => $allows . 'to remove database backups.']], Acl::RESOURCE_DB_DATABASE_STATUS => ['Database status', $allows . 'access to database status.', Acl::GROUP_DATABASES, [Acl::PERM_DB_DATABASE_STATUS_PMA => $allows . 'access to PMA.']], Acl::RESOURCE_DB_SERVICE_CONFIGURATION => ['Service configuration', $allows . 'access to service configuration.', Acl::GROUP_DATABASES], Acl::RESOURCE_DEPLOYMENTS_APPLICATIONS => ['Applications', $allows . 'access to applications.', Acl::GROUP_DEPLOYMENTS], Acl::RESOURCE_DEPLOYMENTS_SOURCES => ['Sources', $allows . 'access to sources.', Acl::GROUP_DEPLOYMENTS], Acl::RESOURCE_DEPLOYMENTS_TASKS => ['Tasks', $allows . 'access to tasks.', Acl::GROUP_DEPLOYMENTS], Acl::RESOURCE_DNS_ZONES => ['Zones', $allows . 'access to DNS zones.', Acl::GROUP_DNS], Acl::RESOURCE_ADMINISTRATION_BILLING => ['Billing', $allows . 'access to billing.', Acl::GROUP_ADMINISTRATION], Acl::RESOURCE_ADMINISTRATION_ORCHESTRATION => ['Orchestration (account scope)', $allows . 'access to orchestration in the account scope.', Acl::GROUP_ADMINISTRATION], Acl::RESOURCE_ADMINISTRATION_GLOBAL_VARIABLES => ['Global variables (account scope)', $allows . 'access to global variables in the account scope.', Acl::GROUP_ADMINISTRATION], Acl::RESOURCE_ADMINISTRATION_SCRIPTS => ['Scripts (account scope)', $allows . 'access to scripts.', Acl::GROUP_ADMINISTRATION, [Acl::PERM_ADMINISTRATION_SCRIPTS_MANAGE => $allows . 
'to manage (create/edit/delete) scripts.', Acl::PERM_ADMINISTRATION_SCRIPTS_EXECUTE => $allows . 'to execute scripts.', Acl::PERM_ADMINISTRATION_SCRIPTS_FORK => $allows . 'to fork scripts.']], Acl::RESOURCE_ADMINISTRATION_WEBHOOKS => ['Webhooks (account scope)', $allows . 'to manage webhooks in the account scope.', Acl::GROUP_ADMINISTRATION], Acl::RESOURCE_ENVADMINISTRATION_ENV_CLOUDS => ['Setup clouds', $allows . 'to manage cloud credentials for environments in which this user is a team member', Acl::GROUP_ENVADMINISTRATION], Acl::RESOURCE_ENVADMINISTRATION_GOVERNANCE => ['Governance', $allows . 'access to governance.', Acl::GROUP_ENVADMINISTRATION], Acl::RESOURCE_ENVADMINISTRATION_GLOBAL_VARIABLES => ['Global variables (environment scope)', $allows . 'access to global variables in the environment scope.', Acl::GROUP_ENVADMINISTRATION], Acl::RESOURCE_ENVADMINISTRATION_WEBHOOKS => ['Webhooks (environment scope)', $allows . 'to manage webhooks in the environment scope.', Acl::GROUP_ENVADMINISTRATION], Acl::RESOURCE_ANALYTICS_PROJECTS => ['Cost Analytics Projects', $allows . ' account users to create a new projects for cost analytics', Acl::GROUP_ANALYTICS], Acl::RESOURCE_ADMINISTRATION_ANALYTICS => ['Cost Analytics (account scope)', $allows . ' access to Cost Analytics in the account scope', Acl::GROUP_ADMINISTRATION, [Acl::PERM_ADMINISTRATION_ANALYTICS_MANAGE_PROJECTS => $allows . 'to edit/create projects in the account scope.', Acl::PERM_ADMINISTRATION_ANALYTICS_ALLOCATE_BUDGET => $allows . "to set/edit projects' budgets in the account scope."]], Acl::RESOURCE_ENVADMINISTRATION_ANALYTICS => ['Cost Analytics (environment scope)', $allows . ' access to Cost Analytics in the environment scope', Acl::GROUP_ENVADMINISTRATION]];
         //Removes disabled resources
         // They are dropped from $rawList itself, so both the raw array and the
         // object list returned below exclude them.
         foreach (Acl::getDisabledResources() as $resourceId) {
             if (isset(self::$rawList[$resourceId])) {
                 unset(self::$rawList[$resourceId]);
             }
         }
         //Initializes set of the resources
         self::$list = new \ArrayObject([]);
         // Index: group => list of resource IDs that belong to it
         self::$idx = [];
         foreach (self::$rawList as $resourceId => $optionsArray) {
             $resourceDefinition = new ResourceObject($resourceId, $optionsArray);
             self::$list[$resourceId] = $resourceDefinition;
             if (!isset(self::$idx[$resourceDefinition->getGroup()])) {
                 self::$idx[$resourceDefinition->getGroup()] = [];
             }
             self::$idx[$resourceDefinition->getGroup()][] = $resourceId;
         }
     }
     // $raw selects the plain array form; the default is the \ArrayObject of ResourceObject
     return $raw ? self::$rawList : self::$list;
 }
Exemple #3
 /**
  * Data provider for the testGet() test.
  *
  * @return  array   One argument set array($resourceId) for every key returned
  *                  by Acl::getResourcesMnemonic().
  */
 public function providerGet()
 {
     // NOTE(review): this reflection instance is never read in this method.
     $refl = new \ReflectionClass('Scalr\\Acl\\Acl');
     $dataSets = array();
     // Only the keys (resource IDs) are used; the mnemonic names are ignored.
     foreach (Acl::getResourcesMnemonic() as $id => $ignoredMnemonic) {
         $dataSets[] = array($id);
     }
     return $dataSets;
 }
Exemple #4
 /**
  * Renders the environment access map page.
  *
  * Collects the users of every team returned by $this->env->getTeams(), one
  * entry per user ID with the list of teams the user was found in, and hands
  * them to the page together with the ACL resource definitions.
  *
  * NOTE(review): the payload contains user e-mail addresses and no permission
  * check is visible in this action; presumably access is enforced by the
  * controller before dispatch. Confirm.
  */
 public function viewAction()
 {
     $usersById = array();
     foreach ($this->env->getTeams() as $teamId) {
         $team = Scalr_Account_Team::init()->loadById($teamId);
         foreach ($team->getUsers() as $member) {
             $memberId = $member['id'];
             if (!isset($usersById[$memberId])) {
                 // The display name falls back to the e-mail when the full name is empty
                 if (!empty($member['fullname'])) {
                     $displayName = $member['fullname'];
                 } else {
                     $displayName = $member['email'];
                 }
                 $usersById[$memberId] = array(
                     'id'    => $memberId,
                     'name'  => $displayName,
                     'email' => $member['email'],
                     'teams' => array(),
                 );
             }
             $usersById[$memberId]['teams'][] = array('id' => $team->id, 'name' => $team->name);
         }
     }
     $pageParams = array(
         'definitions' => Acl::getResources(true),
         // array_values() drops the user-ID keys so the page receives a plain list
         'users'       => array_values($usersById),
         'env'         => array('id' => $this->env->id, 'name' => $this->env->name),
     );
     $this->response->page('ui/account2/environments/accessmap.js', $pageParams);
 }
Exemple #5
 /**
  * Checks if access to ACL resource or unique permission is allowed
  *
  * Usage:
  * --
  * use \Scalr\Acl\Acl;
  *
  * Resource ID and the ID of a unique permission related to that resource:
  * $this->request->isAllowed(Acl::RESOURCE_FARMS, Acl::PERM_FARMS_EDIT);
  *
  * Array of resource IDs (access is allowed if ANY of them is allowed):
  * $this->request->isAllowed([Acl::RESOURCE_FARMS, Acl::RESOURCE_OWN_FARMS], Acl::PERM_FARMS_EDIT);
  *
  * Mnemonic constants: resource, permission.
  * $resourceMnemonic is interpreted as RESOURCE_$resourceMnemonic_$scope and
  * $permissionMnemonic as PERM_$resourceMnemonic_$scope_$permissionMnemonic.
  * For example, call(ROLES, MANAGE) on account scope will check
  * RESOURCE_ROLES_ACCOUNT, PERM_ROLES_ACCOUNT_MANAGE:
  * $this->request->isAllowed('ROLES', 'MANAGE');
  *
  * Behaviour worth knowing when calling this as an authorization gate:
  *  - a Scalr admin is always allowed, no ACL lookup is made;
  *  - every string $resourceId takes the mnemonic path (is_string), so a
  *    resource ID that arrives as a numeric string is resolved as a mnemonic;
  *  - on the mnemonic path a falsy $permissionId becomes null, i.e. only the
  *    resource itself is checked;
  *  - for an array of resources $permissionId is passed through unchanged and
  *    an empty array yields false.
  *
  * @param   int|string|array    $resourceId             The ID or Name of the ACL resource or array of resources
  * @param   string              $permissionId optional  The ID or Name of the unique permission which is
  *                                                      related to specified resource.
  * @return  bool       Returns TRUE if access is allowed
  */
 public function isAllowed($resourceId, $permissionId = null)
 {
     // we don't have permissions on scalr scope, so the admin bypasses the ACL
     if ($this->user->isScalrAdmin()) {
         return true;
     }
     // Mnemonic form: translate both names into IDs for the current scope
     if (is_string($resourceId)) {
         $mnemonic = $resourceId;
         $resourceId = Acl::getResourceIdByMnemonic($mnemonic, $this->getScope());
         if ($permissionId) {
             $permissionId = Acl::getPermissionIdByMnemonic($mnemonic, $permissionId, $this->getScope());
         } else {
             $permissionId = null;
         }
     }
     // Single resource: the ACL service decides directly
     if (!is_array($resourceId)) {
         return \Scalr::getContainer()->acl->isUserAllowedByEnvironment($this->getUser(), $this->getEnvironment(), $resourceId, $permissionId);
     }
     // Several resources: the first allowed one grants access
     foreach ($resourceId as $candidateId) {
         if (\Scalr::getContainer()->acl->isUserAllowedByEnvironment($this->getUser(), $this->getEnvironment(), $candidateId, $permissionId)) {
             return true;
         }
     }
     return false;
 }
Exemple #6
 /**
  * Renders the account roles page.
  *
  * Passes the ACL resource definitions (Acl::getResources(true)) to the
  * 'ui/account2/roles/view.js' page together with the additional lists below.
  */
 public function viewAction()
 {
     $pageParams = array('definitions' => Acl::getResources(true));
     $jsPaths = array('ui/account2/dataconfig.js');
     $cssPaths = array('ui/account2/roles/view.css');
     // The meaning of this last list is defined by response->page(), which is not visible here
     $trailingList = array('account.roles', 'base.roles');
     $this->response->page('ui/account2/roles/view.js', $pageParams, $jsPaths, $cssPaths, $trailingList);
 }
Exemple #7
 /**
  * Loads permissions into role object
  *
  * Reads the role's resource rows (and, via LEFT JOIN, their unique permissions)
  * from the acl_[account_]role_resources tables, skipping the resources returned
  * by Acl::getDisabledResources(), and appends them to the given role object.
  * A permission is appended only if the resource definition declares it.
  *
  * @param   Role\RoleObject $role  A role object
  */
 protected function loadRolePermissions(Role\RoleObject $role)
 {
     // Account roles live in the "account_"-prefixed tables and additionally
     // join the resource modes table; other roles have no mode.
     if ($role instanceof Role\AccountRoleObject) {
         $sAcc = 'account_';
         $rmJoin = "LEFT JOIN acl_account_role_resource_modes rm ON rr.`account_role_id` = rm.account_role_id " . " AND rr.`resource_id` = rm.`resource_id`";
     } else {
         $sAcc = '';
         $rmJoin = '';
     }
     $disabledResources = Acl::getDisabledResources();
     // One "?" placeholder per disabled resource; the IDs themselves are bound below
     $disabledSql = !empty($disabledResources) ? "AND rr.resource_id NOT IN (" . implode(',', array_fill(0, count($disabledResources), '?')) . ")" : "";
     // Only the fixed fragments chosen above ($sAcc, $rmJoin) and the generated
     // placeholders are concatenated into the statement. The role ID and the
     // disabled resource IDs are passed as bound parameters, in that order.
     $res = $this->db->Execute("\n            SELECT\n                rr.`" . $sAcc . "role_id` AS `role_id`,\n                rr.`resource_id`, rr.`granted`, rp.`perm_id`,\n                rp.`granted` AS `perm_granted`,\n                " . (!empty($rmJoin) ? "rm.`mode`" : "NULL AS `mode`") . "\n            FROM `acl_" . $sAcc . "role_resources` rr\n            " . $rmJoin . "\n            LEFT JOIN `acl_" . $sAcc . "role_resource_permissions` rp\n                ON rp.`" . $sAcc . "role_id` = rr.`" . $sAcc . "role_id`\n                AND rp.`resource_id` = rr.`resource_id`\n            WHERE rr.`" . $sAcc . "role_id` = ?\n            {$disabledSql}\n        ", array_merge((array) $role->getRoleId(), $disabledResources));
     // A falsy result is not reported here: the role is simply left without loaded permissions
     if ($res) {
         // NOTE(review): read once before the loop while appendResource() is called inside it.
         // The isset() check below sees newly appended resources only if getResources()
         // returns a live collection rather than an array copy. Confirm; otherwise a
         // resource with several permission rows is created again for each row.
         $resources = $role->getResources();
         while ($rec = $res->FetchRow()) {
             if (!isset($resources[$rec['resource_id']])) {
                 //Adds resource to role object
                 $resource = new Role\RoleResourceObject($rec['role_id'], $rec['resource_id'], $rec['granted'], $rec['mode']);
                 $role->appendResource($resource);
             } else {
                 $resource = $resources[$rec['resource_id']];
             }
             // perm_id is NULL when the LEFT JOIN found no permission row for the resource
             if ($rec['perm_id'] !== null) {
                 $permission = new Role\RoleResourcePermissionObject($rec['role_id'], $rec['resource_id'], $rec['perm_id'], $rec['perm_granted']);
                 //We should append permission only if it's been declared in the definition.
                 // NOTE(review): Definition::get() is compared with null elsewhere on this page;
                 // here the result is dereferenced directly. The SQL filter excludes the
                 // currently disabled resources, but an unknown resource_id in the table is
                 // not guarded against. Confirm.
                 $resourceDefinition = Resource\Definition::get($resource->getResourceId());
                 if ($resourceDefinition->hasPermission($permission->getPermissionId())) {
                     $resource->appendPermission($permission);
                 }
                 unset($permission);
             }
             unset($resource);
         }
     }
 }
Exemple #8
 /**
  * Runs the restriction checks described by the mapping in the
  * Fixtures/{self::TEST_DATA_FILE} yaml file.
  *
  * Each provider entry is array(uri, granted, resourceId[, permissionId[, options]]).
  *
  * @test
  */
 public function testIsImposedRestriction()
 {
     $mnemonics = Acl::getResourcesMnemonic();
     //The provider is called by hand because the test has to be able to skip
     //itself and to throw assertions from inside the provider.
     $cases = $this->providerIsImposedRestriction();
     foreach ($cases as $case) {
         list($uri, $granted, $resourceId) = $case;
         // The 4th and 5th elements are optional
         $permissionId = null;
         if (isset($case[3])) {
             $permissionId = $case[3];
         }
         $options = array();
         if (isset($case[4])) {
             $options = $case[4];
         }
         $this->setCatchOnlyPermission($resourceId, $permissionId);
         // The failure message names the resource by mnemonic when one is known
         $resourceLabel = isset($mnemonics[$resourceId]) ? $mnemonics[$resourceId] : $resourceId;
         $permissionLabel = isset($permissionId) ? $permissionId : 'null';
         $message = sprintf("Resource:%s, Permission:%s, URI:%s", $resourceLabel, $permissionLabel, $uri);
         $this->assertThatPermission($granted, $uri, $options, $message);
     }
 }
Exemple #9
 /**
  * Checks if specified resource is allowed
  *
  * The result is tri-state: true/false when the role overrides the resource
  * (or permission), null when it does not. Callers must not treat null as a
  * grant. A permission is allowed only if both the resource and the permission
  * are granted.
  *
  * @param   int              $resourceId   The ID of the resource.
  * @param   string           $permissionId optional The ID of the permission associated with resource.
  * @return  bool|null        Returns true if access is allowed.
  *                           If resource or permission isn't overridden it returns null.
  * @throws  Exception\RoleObjectException  If the resource has no definition (unknown or
  *                           disabled) or the permission is not declared for the resource.
  */
 public function isAllowed($resourceId, $permissionId = null)
 {
     $definition = Resource\Definition::get($resourceId);
     if ($definition === null) {
         // The disabled list is consulted only to word the error message
         $kind = in_array($resourceId, Acl::getDisabledResources()) ? 'Disabled' : 'Unknown';
         throw new Exception\RoleObjectException(sprintf("%s ACL resource (0x%x).", $kind, intval($resourceId)));
     }
     // An empty permission ID ('' or 0) skips this validation just like null does
     if (!empty($permissionId) && !$definition->hasPermission($permissionId)) {
         throw new Exception\RoleObjectException(sprintf("Unknown permission (%s) for resource '%s' (0x%x).", $permissionId, $definition->getName(), intval($resourceId)));
     }
     //Looks up the resource in the role
     $resource = $this->getResource($resourceId);
     if ($resource === null) {
         //The role does not override this resource
         return null;
     }
     if ($permissionId === null) {
         //Only access to the resource itself is requested
         return $resource->isGranted();
     }
     //The resource is defined, so its unique permission can be checked
     $permission = $resource->getPermission($permissionId);
     if ($permission === null || $resource->isGranted() === null) {
         return null;
     }
     //A resource that isn't granted automatically forbids all related permissions
     return $resource->isGranted() && $permission->isGranted();
 }
 /**
  * Gets all resources
  *
  * Current exclude filters will be applied.
  * Returns every predefined resource with its name and the access state this
  * role yields for it. A state of null from isAllowed() (not overridden) is
  * reported as 0, the same as an explicit deny.
  *
  * @return  array   Returns array looks like
  *                 array(array(
  *                     'id'          => resource_id,
  *                     'name'        => resource_name,
  *                     'group'       => associative_group,
  *                     'groupOrder'  => value from Acl::getGroups() for the group, 0 if absent,
  *                     'granted'     => [1|0] is resource allowed,
  *                     'permissions' => array(
  *                         permissionId => [1|0] is permission allowed
  *                     ), // only present when the resource declares permissions
  *                 ))
  */
 public function getArray()
 {
     $orderByGroup = Acl::getGroups();
     $rows = array();
     foreach (Resource\Definition::getAll() as $definition) {
         /* @var $definition Resource\ResourceObject */
         $id = $definition->getResourceId();
         $group = $definition->getGroup();
         $row = array(
             'id'         => $id,
             'name'       => $definition->getName(),
             'group'      => $group,
             'groupOrder' => isset($orderByGroup[$group]) ? $orderByGroup[$group] : 0,
             'granted'    => $this->isAllowed($id) ? 1 : 0,
         );
         $declared = $definition->getPermissions();
         if (!empty($declared)) {
             $row['permissions'] = array();
             // Only the permission IDs matter here, the descriptions are not exported
             foreach ($declared as $permId => $unusedDescription) {
                 $row['permissions'][$permId] = $this->isAllowed($id, $permId) ? 1 : 0;
             }
         }
         $rows[] = $row;
     }
     return $rows;
 }
Exemple #11
 /**
  * {@inheritdoc}
  *
  * Delegates to Acl::generateAccountRoleId(); the $entity argument is not used.
  *
  * @see GeneratedValueTypeInterface::generateValue()
  */
 public function generateValue($entity = null)
 {
     $accountRoleId = Acl::generateAccountRoleId();

     return $accountRoleId;
 }