/**
 * Returns the auth assignments for a user, memoised per component instance.
 *
 * The first request for a given id delegates to the parent and stores the
 * result in {@link user_assignments}; later requests for the same id are
 * served from that store without calling the parent again.
 *
 * @param mixed $user_id the user id whose assignments are requested
 * @return mixed whatever the parent returned for this id (presumably an array
 *               keyed by item name — confirm against the parent class)
 */
public function getAuthAssignments($user_id)
{
    $alreadyLoaded = isset($this->user_assignments[$user_id]);
    if (!$alreadyLoaded) {
        $loaded = parent::getAuthAssignments($user_id);
        $this->user_assignments[$user_id] = $loaded;
    }
    return $this->user_assignments[$user_id];
}
/**
 * Removes the cached entry for an assignment before revoking it.
 *
 * The cache entry key is the cache component id, the item name and the user
 * id joined by underscores.
 *
 * @param string $itemName the item name
 * @param mixed $userId the user ID (see {@link IWebUser::getId})
 * @return boolean whether removal is successful
 * @throws CException if the application component named by {@link cacheID}
 *                    could not be loaded.
 */
public function revoke($itemName, $userId)
{
    $cacheComponent = Yii::app()->getComponent($this->cacheID);
    if ($cacheComponent === null) {
        throw new CException('Application component ' . $this->cacheID . ' could not be loaded.');
    }

    $entryKey = $this->cacheID . '_' . $itemName . '_' . $userId;
    $cacheComponent->delete($entryKey);

    return parent::revoke($itemName, $userId);
}
/**
 * Initialises the component and, for a logged-in user, makes sure the role
 * carried on the web user component is assigned to that user.
 *
 * Guests are skipped. An assignment is created (and then persisted via
 * {@link save}) only when {@link isAssigned} reports none for the role/user
 * pair, so repeated requests do not create duplicates.
 */
public function init()
{
    parent::init();

    $webUser = Yii::app()->user;
    if ($webUser->isGuest) {
        return;
    }

    $role = $webUser->role;
    $userId = $webUser->id;
    if ($this->isAssigned($role, $userId)) {
        return;
    }

    if ($this->assign($role, $userId)) {
        $this->save();
    }
}
/**
 * Returns the authorization item with the specified name.
 * Overloads the parent method to allow for runtime caching.
 *
 * With caching allowed, the full item list is loaded once into {@link _items}
 * (an empty list is reloaded on the next call) and looked up there. A name
 * missing from that list, or any lookup with caching disabled, is delegated
 * to the parent, which yields the item or null.
 *
 * @param string $name the name of the item.
 * @param boolean $allowCaching whether to accept cached data.
 * @return CAuthItem the authorization item. Null if the item cannot be found.
 */
public function getAuthItem($name, $allowCaching = true)
{
    if ($allowCaching) {
        if ($this->_items === array()) {
            $this->_items = $this->getAuthItems();
        }
        if (isset($this->_items[$name])) {
            return $this->_items[$name];
        }
    }

    // Cache miss or caching disabled: the parent returns the item or null.
    return parent::getAuthItem($name);
}
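/**
 * Performs access check for the specified user.
 *
 * Results are cached under the key from {@link resolveCacheKey} for the
 * (item, user) pair; the cached payload is a serialized map from serialized
 * $params to the boolean result, so several parameter sets for the same
 * item/user share one cache entry.
 *
 * @param string $itemName the name of the operation that need access check.
 * @param integer $userId the user id.
 * @param array $params name-value pairs that would be passed to biz rules associated
 * with the tasks and roles assigned to the user.
 * @param boolean $allowCaching whether to allow caching the result of access check.
 * @return boolean whether the operations can be performed by the user.
 */
public function checkAccess($itemName, $userId, $params = array(), $allowCaching = true)
{
    $cacheKey = $this->resolveCacheKey($itemName, $userId);
    $key = serialize($params);

    // Start from an empty map so that a cache miss (or disabled caching)
    // never leaves $data undefined when the result is stored below.
    $data = array();
    $cache = null;
    if ($allowCaching) {
        $cache = $this->getCache();
    }

    if ($cache !== null && ($raw = $cache->get($cacheKey)) !== false) {
        // unserialize() runs on whatever the cache backend hands back. Only
        // an array payload (the shape this method writes) is accepted; a
        // corrupt or foreign entry is ignored and simply recomputed.
        $stored = unserialize($raw);
        if (is_array($stored)) {
            $data = $stored;
            if (isset($data[$key])) {
                return $data[$key];
            }
        }
    }

    $result = $data[$key] = parent::checkAccess($itemName, $userId, $params);
    if ($cache !== null) {
        $cache->set($cacheKey, serialize($data), $this->cachingDuration);
    }
    return $result;
}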
/**
 * Returns the authorization items of the specific type and user.
 * Overloads the parent method to allow for sorting.
 *
 * When $sort is true the rows are read with a query that joins the rights
 * table for the weight column and orders by type (descending) and weight
 * (ascending); otherwise the parent's lookup is used unchanged. Table names
 * pass through quoteTableName() and $type / $userId are bound parameters.
 *
 * @param integer $type the item type (0: operation, 1: task, 2: role). Defaults to null,
 * meaning returning all items regardless of their type.
 * @param mixed $userId the user ID. Defaults to null, meaning returning all items even if
 * they are not assigned to a user.
 * @param boolean $sort whether to sort the items according to their weights.
 * @return array the authorization items of the specific type, keyed by item name.
 */
public function getAuthItems($type = null, $userId = null, $sort = true)
{
    if ($sort !== true) {
        return parent::getAuthItems($type, $userId);
    }

    $itemTable = $this->db->quoteTableName($this->itemTable);
    $rightsTable = $this->db->quoteTableName($this->rightsTable);
    $bindings = array();

    if ($type === null && $userId === null) {
        $sql = "SELECT name,t1.type,description,t1.bizrule,t1.data,weight\r\n\t\t\t\t\tFROM {$itemTable} t1\r\n\t\t\t\t\tLEFT JOIN {$rightsTable} t2 ON name=itemname\r\n\t\t\t\t\tORDER BY t1.type DESC, weight ASC";
    } elseif ($userId === null) {
        $sql = "SELECT name,t1.type,description,t1.bizrule,t1.data,weight\r\n\t\t\t\t\tFROM {$itemTable} t1\r\n\t\t\t\t\tLEFT JOIN {$rightsTable} t2 ON name=itemname\r\n\t\t\t\t\tWHERE t1.type=:type\r\n\t\t\t\t\tORDER BY t1.type DESC, weight ASC";
        $bindings[':type'] = $type;
    } elseif ($type === null) {
        $assignmentTable = $this->db->quoteTableName($this->assignmentTable);
        $sql = "SELECT name,t1.type,description,t1.bizrule,t1.data,weight\r\n\t\t\t\t\tFROM {$itemTable} t1\r\n\t\t\t\t\tLEFT JOIN {$assignmentTable} t2 ON name=t2.itemname\r\n\t\t\t\t\tLEFT JOIN {$rightsTable} t3 ON name=t3.itemname\r\n\t\t\t\t\tWHERE userid=:userid\r\n\t\t\t\t\tORDER BY t1.type DESC, weight ASC";
        $bindings[':userid'] = $userId;
    } else {
        $assignmentTable = $this->db->quoteTableName($this->assignmentTable);
        $sql = "SELECT name,t1.type,description,t1.bizrule,t1.data,weight\r\n\t\t\t\t\tFROM {$itemTable} t1\r\n\t\t\t\t\tLEFT JOIN {$assignmentTable} t2 ON name=t2.itemname\r\n\t\t\t\t\tLEFT JOIN {$rightsTable} t3 ON name=t3.itemname\r\n\t\t\t\t\tWHERE t1.type=:type AND userid=:userid\r\n\t\t\t\t\tORDER BY t1.type DESC, weight ASC";
        $bindings[':type'] = $type;
        $bindings[':userid'] = $userId;
    }

    $command = $this->db->createCommand($sql);
    foreach ($bindings as $placeholder => $value) {
        $command->bindValue($placeholder, $value);
    }

    $items = array();
    foreach ($command->queryAll() as $row) {
        // The data column is stored serialized; it is decoded here the same
        // way the parent presumably does — confirm against the parent class.
        $items[$row['name']] = new CAuthItem(
            $this,
            $row['name'],
            $row['type'],
            $row['description'],
            $row['bizrule'],
            unserialize($row['data'])
        );
    }
    return $items;
}
/**
 * Access check function.
 *
 * Checks access and attempts to speed up all future access checks using
 * caching and storage of the variable within {@link _access}.
 *
 * Note, only if parameters are empty will permissions caching or storage
 * in {@link _access} be effective, because parameters (i.e. the assignment
 * of a record based on the value of its assignedTo field) are expected to
 * vary. For example, in record-specific permission items checked for
 * multiple records. That is why $params must be empty for any shortcut to be
 * taken.
 *
 * Lookup order: (1) the in-memory {@link _access} map, (2) when {@link caching}
 * is on and nothing is held for the user yet, the auth cache loaded via
 * Yii::app()->authCache, (3) a full recursive check against the assignments
 * of the user's roles. The decision from (3) is stored back into {@link _access}
 * and, when caching is on, into the auth cache, keyed by the value of
 * {@link getCacheParams}; a stored decision is reused as-is, so stale entries
 * are only as fresh as whatever invalidates those stores (not visible here).
 *
 * @param string $itemName Name of the auth item for which access is being checked
 * @param integer $userId ID of the user for which to check access
 * @param array $params Parameters to pass to business rules
 * @return boolean
 */
public function checkAccess($itemName, $userId, $params = array()) {
    // Biz rules can rely on 'userId' being present; only fill it in when the
    // caller did not supply one.
    if (!isset($params['userId'])) {
        $params['userId'] = $userId;
    }
    if (!isset($this->_access)) {
        $this->_access = array();
    }
    // !empty() here means an item with an empty decision map is treated the
    // same as an unknown item and falls through to the cache / full check.
    if (isset($this->_access[$userId][$itemName]) && !empty($this->_access[$userId][$itemName])) {
        // getCacheParams() returning false marks the parameters as not
        // cacheable; no shortcut is taken in that case.
        $checkParams = $this->getCacheParams($params);
        if ($checkParams !== false) {
            $checkParams = json_encode($checkParams);
            // Shortcut 1: return data stored in the component's property
            if (isset($this->_access[$userId][$itemName][$checkParams])) {
                return $this->_access[$userId][$itemName][$checkParams];
            }
        }
    } else {
        if ($this->caching) {
            // Shortcut 2: load the auth cache data and return if a result was found
            if (!isset($this->_access[$userId])) {
                $this->_access[$userId] = Yii::app()->authCache->loadAuthCache($userId);
            }
            if (isset($this->_access[$userId][$itemName]) && !empty($this->_access[$userId][$itemName])) {
                $checkParams = $this->getCacheParams($params);
                if ($checkParams !== false) {
                    $checkParams = json_encode($checkParams);
                    if (isset($this->_access[$userId][$itemName][$checkParams])) {
                        return $this->_access[$userId][$itemName][$checkParams];
                    }
                }
            }
        }
    }
    // Make sure the slots written at the end of this method exist.
    if (!isset($this->_access[$userId])) {
        $this->_access[$userId] = array();
    }
    if (!isset($this->_access[$userId][$itemName])) {
        $this->_access[$userId][$itemName] = array();
    }
    // Get assignments via roles.
    //
    // In X2Engine's system, x2_auth_assignment doesn't refer to users, but
    // to roles. Hence, the ID of each role is sent to
    // parent::getAuthAssignments rather than a user ID, which would be
    // meaningless in light of how x2_auth_assignment stores roles.
    //
    // The per-role results are array_merge()d: for string keys a later role's
    // entry replaces an earlier one with the same key (presumably the item
    // name — confirm against the parent's return shape).
    if (isset($this->_assignments[$userId])) {
        $assignments = $this->_assignments[$userId];
    } else {
        $roles = Roles::getUserRoles($userId);
        $assignments = array();
        foreach ($roles as $roleId) {
            $assignments = array_merge($assignments, parent::getAuthAssignments($roleId));
        }
        $this->_assignments[$userId] = $assignments;
    }
    // Prepare the username for the session-agnostic permissions check:
    // (the value is only stored here; it is not read within this method)
    if (!isset($this->_usernames[$userId])) {
        // NOTE(review): loose == comparison of the ids; fine if both are
        // integers, worth confirming when one side can be a string.
        if ($userId == Yii::app()->getSuId()) {
            $user = Yii::app()->getSuModel();
        } else {
            $user = User::model()->findByPk($userId);
        }
        if ($user instanceof User) {
            $this->_usernames[$userId] = $user->username;
        } else {
            $this->_usernames[$userId] = 'Guest';
        }
    }
    // Get whether the user has access:
    $hasAccess = parent::checkAccessRecursive($itemName, $userId, $params, $assignments);
    // Store locally.
    $cacheParams = $this->getCacheParams($params);
    if ($cacheParams !== false) {
        $this->_access[$userId][$itemName][json_encode($cacheParams)] = $hasAccess;
        // Cache
        if ($this->caching) {
            Yii::app()->authCache->addResult($userId, $itemName, $hasAccess, $cacheParams);
        }
    }
    return $hasAccess;
}
/**
 * Removes all authorization data, including the path table this subclass
 * maintains on top of the parent's tables.
 *
 * NOTE(review): the table name is interpolated unquoted, unlike the
 * quoteTableName() convention used elsewhere; it comes from the component's
 * {@link pathTable} property (presumably configuration, not request input).
 */
public function clearAll()
{
    parent::clearAll();

    $deletePaths = "DELETE FROM {$this->pathTable}";
    $this->db->createCommand($deletePaths)->execute();
}
/**
 * Returns the named authorization item, serving repeat lookups from the
 * per-instance {@link _authItems} store.
 *
 * Both hits and misses are remembered: a miss is recorded as null so the
 * parent is not queried again for the same name, and a hit is recorded as the
 * item's scalar fields from which a fresh CAuthItem is rebuilt on each call.
 *
 * @param string $name the item name
 * @return CAuthItem|null the item, or null when it does not exist
 */
public function getAuthItem($name)
{
    if (array_key_exists($name, $this->_authItems)) {
        $remembered = $this->_authItems[$name];
        if ($remembered == null) {
            // A remembered miss.
            return null;
        }
        return new CAuthItem(
            $this,
            $remembered['name'],
            $remembered['type'],
            $remembered['description'],
            $remembered['bizrule'],
            $remembered['data']
        );
    }

    $item = parent::getAuthItem($name);
    if ($item == null) {
        $this->_authItems[$name] = null;
    } else {
        $this->_authItems[$name] = array(
            'name' => $item->getName(),
            'type' => $item->getType(),
            'description' => $item->getDescription(),
            'bizrule' => $item->getBizRule(),
            'data' => $item->getData(),
        );
    }
    return $item;
}
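/**
 * Checks whether any group the given user belongs to passes the parent
 * access check for the item.
 *
 * NOTE(review): the guest test looks at the current session user, not at
 * $userId, so a logged-in caller evaluating another user's id still runs the
 * group lookup — confirm this is the intended semantics.
 *
 * @param string $itemName the auth item being checked
 * @param mixed $userId primary key of the profile whose groups are evaluated
 * @param array $params parameters handed through to the parent access check
 * @return boolean true as soon as one group is granted access; false for
 *                 guests, for an unknown $userId, and when no group passes
 */
protected function checkGroupAccess($itemName, $userId, $params)
{
    $sessionUser = Yii::app()->getUser();
    if ($sessionUser->isGuest) {
        return false;
    }

    $profile = Profile::model()->with('groups')->findByPk($userId);
    // findByPk() yields null for an unknown id; treat that as "no groups"
    // instead of dereferencing null.
    if ($profile === null) {
        return false;
    }

    foreach ($profile->groups as $group) {
        if (parent::checkAccess($itemName, $group->id, $params)) {
            return true;
        }
    }
    return false;
}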
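/**
 * Revokes an authorization assignment from a user.
 *
 * Only a strict null $itemName triggers the bulk path; an empty string or
 * other falsy name is passed to the parent as an ordinary (single) revoke,
 * so it can no longer wipe every assignment the user has.
 *
 * @param string|null $itemName if null, all user assignments are revoked
 * @param int $userId
 * @return boolean whether at least one assignment was removed
 */
public function revoke($itemName, $userId)
{
    if ($itemName !== null) {
        return parent::revoke($itemName, $userId);
    }

    // Bulk path: table name quoted like the parent's queries, user id bound.
    $sql = "DELETE FROM {$this->db->quoteTableName($this->assignmentTable)} WHERE userid=:userid";
    $command = $this->db->createCommand($sql);
    $command->bindValue(':userid', $userId);
    return $command->execute() > 0;
}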