This solution is mostly based on Zend_Acl (c) Zend Technologies USA Inc. (http://www.zend.com), new BSD license
Author: David Grudl
Inheritance: extends Nette\Object, implements Nette\Security\IAuthorizator
 /**
  * Registers the ACL rules that tie roles to resources and privileges.
  *
  * Employees may act on listings (any privilege) and on a fixed set of
  * message privileges, but only while the isOwner assertion holds. Admins
  * get every resource (a null resource is the same as Permission::ALL in
  * Nette), with one narrower deny: mark_as_read on messages is refused
  * whenever the isNotOwner assertion holds.
  *
  * @param Permission $authorizator
  */
 private function defineRelationships(Permission $authorizator)
 {
     $ownerOnly = [$this, 'isOwner'];
     $messagePrivileges = ['send', 'remove', 'view', 'mark_as_read'];

     // Owner-scoped employee rules.
     $authorizator->allow('employee', 'listing', Permission::ALL, $ownerOnly);
     $authorizator->allow('employee', 'message', $messagePrivileges, $ownerOnly);

     // Admin: everything, minus one assertion-guarded privilege.
     $authorizator->allow('admin', null, Permission::ALL);
     $authorizator->deny('admin', 'message', 'mark_as_read', [$this, 'isNotOwner']);
 }
 /**
  * Checks whether the given role holds the privilege on the resource.
  * The wrapped ACL's answer is normalised to a strict boolean.
  * @param string $role
  * @param string $resource
  * @param string $privilege
  * @return boolean
  */
 public function isAllowed($role, $resource, $privilege)
 {
     $decision = $this->acl->isAllowed($role, $resource, $privilege);
     return (bool) $decision;
 }
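 /**
  * Recursively collects the given role together with every ancestor role.
  *
  * Each parent's effective roles are merged in keyed by role name, so a role
  * reachable through several paths is reported only once. The role itself
  * comes first, then ancestors in first-seen order.
  *
  * @param string $role
  * @return string[] list of role names
  */
 public function getEffectiveRoles($role)
 {
     $roles = [$role => TRUE];
     foreach ($this->acl->getRoleParents($role) as $parent) {
         // `+` keeps keys already present, so seen roles are not duplicated.
         $roles += array_flip($this->getEffectiveRoles($parent));
     }
     return array_keys($roles);
 }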
 /**
  * Answers the ACL query after giving the onUndefinedRole / onUndefinedResource
  * hooks a chance to react when the role or resource is not registered.
  * The resource check runs after the role hook, so a hook that registers
  * something is observed by the following check.
  *
  * @param string|null $role
  * @param string|null $resource
  * @param string|null $privilege
  * @return bool
  */
 public function isAllowed($role = IAuthorizator::ALL, $resource = IAuthorizator::ALL, $privilege = IAuthorizator::ALL)
 {
     $roleKnown = $this->acl->hasRole($role);
     if (!$roleKnown) {
         $this->onUndefinedRole($role);
     }

     $resourceKnown = $this->acl->hasResource($resource);
     if (!$resourceKnown) {
         $this->onUndefinedResource($resource);
     }

     return $this->acl->isAllowed($role, $resource, $privilege);
 }
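 /**
  * Ensures the current user may exercise $privilege on $resource.
  *
  * ROOT_ROLE short-circuits every check. Otherwise the resource must be
  * registered in the ACL and at least one of the user's roles must be both
  * known to the ACL and allowed the privilege; unknown roles/resources count
  * as denied instead of being passed to the ACL (which would throw on them).
  *
  * @param string $resource
  * @param string $privilege
  * @return bool TRUE when access is granted (the root branch and the
  *              ordinary branch now agree on this)
  * @throws \AclException code 403 when no role grants access
  */
 public function check($resource, $privilege)
 {
     if ($this->user->isInRole(static::ROOT_ROLE)) {
         return true;
     }

     $granted = false;
     if ($this->acl->hasResource($resource)) {
         foreach ($this->user->getRoles() as $role) {
             if ($this->acl->hasRole($role) && $this->acl->isAllowed($role, $resource, $privilege)) {
                 $granted = true;
                 break;
             }
         }
     }

     if (!$granted) {
         throw new \AclException("Unauthorized access to resource '{$resource}' privilege '{$privilege}' :(", 403);
     }
     return true;
 }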
 /**
  * Presenter startup: runs the login-status check (which, per the original
  * comment, redirects anonymous users), then requires the identity's role to
  * hold the 'Admin:Article:Insert' permission; otherwise flashes a message
  * and redirects to Homepage:Default.
  */
 public function startup()
 {
     parent::startup();

     // redirect if not logged in
     $auxFactory = new \App\Tools\UserAuxFactory($this);
     $auxFactory->testLoginStatus();

     $identityData = $this->user->getIdentity()->getData();
     if ($this->_permission->isAllowed($identityData['role'], 'Admin:Article:Insert')) {
         return;
     }
     $this->flashMessage('Přístup odmítnut!');
     $this->redirect('Homepage:Default');
 }
 /**
  * Builds the authorizator: guest → user → admin inheritance, the clip and
  * comment resources, a global deny, then admin allowed everything and user
  * allowed to add comments.
  *
  * @return Permission
  */
 public static function createAuthorizator()
 {
     $perm = new Permission();

     foreach (['guest' => null, 'user' => 'guest', 'admin' => 'user'] as $role => $parent) {
         $perm->addRole($role, $parent);
     }
     foreach (['clip', 'comment'] as $resource) {
         $perm->addResource($resource);
     }

     // Default deny first, explicit grants after it.
     $perm->deny();
     $perm->allow('admin');
     $perm->allow('user', 'comment', 'add');

     return $perm;
 }
 /**
  * Like the parent check, except that a concrete resource which was never
  * registered is added on the fly instead of failing as unknown. Such a
  * resource carries no rules of its own, so presumably only rules not bound
  * to a specific resource can apply to it — worth confirming if this is
  * relied upon for anything sensitive.
  *
  * @param string|null $role
  * @param string|null $resource
  * @param string|null $privilege
  * @return bool
  */
 public function isAllowed($role = self::ALL, $resource = self::ALL, $privilege = self::ALL)
 {
     $isConcreteResource = $resource !== self::ALL;
     if ($isConcreteResource && !$this->hasResource($resource)) {
         $this->addResource($resource);
     }
     return parent::isAllowed($role, $resource, $privilege);
 }
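 /**
  * Fail-closed variant: an unregistered resource yields FALSE instead of the
  * parent's unknown-resource failure. Membership is tested strictly so that
  * loose comparisons cannot match a resource name the caller did not pass.
  *
  * Note: ALL (null) is never a registered resource name, so a query with the
  * default resource always returns FALSE here.
  *
  * @param string|null $role
  * @param string|null $resource
  * @param string|null $privilege
  * @return bool
  */
 public function isAllowed($role = self::ALL, $resource = self::ALL, $privilege = self::ALL)
 {
     if (!in_array($resource, $this->getResources(), true)) {
         return false;
     }
     return parent::isAllowed($role, $resource, $privilege);
 }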
 /**
  * Denies one or more Roles access to [certain $privileges upon] the specified Resource(s).
  * A supplied $assertion is wrapped so that it is invoked with the current identity,
  * the queried resource and the queried role; the rule applies only when it returns TRUE.
  *
  * @param string|array|Permission::ALL $roles
  * @param string|array|Permission::ALL $resources
  * @param string|array|Permission::ALL $privileges
  * @param callable|null $assertion
  * @return self
  */
 public function deny($roles = self::ALL, $resources = self::ALL, $privileges = self::ALL, $assertion = null)
 {
     if ($assertion === null) {
         return parent::deny($roles, $resources, $privileges, null);
     }
     $wrapped = function () use ($assertion) {
         return Callback::invoke($assertion, $this->identity, $this->getQueriedResource(), $this->getQueriedRole());
     };
     return parent::deny($roles, $resources, $privileges, $wrapped);
 }
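 /**
  * Authorises $role, lazily initialising the ACL for it first.
  *
  * The literal role "root" bypasses the ACL and is always allowed; the
  * comparison is strict so only that exact string qualifies (a loose `==`
  * would also accept TRUE, for instance). If initialisation fails with
  * InvalidStateException the answer is FALSE (fail closed).
  *
  * @param string|null $role
  * @param string|null $resource
  * @param string|null $privilege
  * @return bool
  */
 public function isAllowed($role = self::ALL, $resource = self::ALL, $privilege = self::ALL)
 {
     if ($role === "root") {
         return TRUE;
     }
     try {
         $this->Init($role);
         return $this->acl->isAllowed($role, $resource, $privilege);
     } catch (InvalidStateException $e) {
         return FALSE;
     }
 }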
	/**
	 * Builds an authorizator with the guest → user → admin chain, a global
	 * deny and a blanket allow for admin only. No resources are registered.
	 *
	 * @return Permission
	 */
	public static function createAuthorizator()
	{
		$acl = new Permission;
		$chain = ['guest' => null, 'user' => 'guest', 'admin' => 'user'];
		foreach ($chain as $role => $parent) {
			$acl->addRole($role, $parent);
		}
		$acl->deny();
		$acl->allow('admin');
		return $acl;
	}
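 /**
  * Builds the ACL, serving it from the cache when possible.
  *
  * Before the CMS is installed an empty Permission (no roles, resources or
  * rules) is returned. The same happens when loading roles, resources or
  * ACL entries fails with a DBALException — all three lookups are covered,
  * not only the roles — and nothing is cached, so the next call retries.
  * A successfully built ACL is cached under 'acl' with the CACHE_TAG tag.
  *
  * @return Nette\Security\Permission
  */
 public function create()
 {
     if (!$this->cmsInstalled) {
         return new Nette\Security\Permission();
     }
     $acl = $this->cache->load('acl');
     if ($acl !== NULL) {
         return $acl;
     }
     try {
         $acl = $this->buildAclFromDatabase();
     } catch (Kdyby\Doctrine\DBALException $ex) {
         // Fail closed: no rules at all rather than a partially loaded ACL.
         return new Nette\Security\Permission();
     }
     $this->cache->save('acl', $acl, [Nette\Caching\Cache::TAGS => self::CACHE_TAG]);
     return $acl;
 }

 /**
  * Assembles a fresh Permission from the role, resource and ACL services.
  * @return Nette\Security\Permission
  * @throws Kdyby\Doctrine\DBALException when any of the lookups fails
  */
 private function buildAclFromDatabase()
 {
     $acl = new Nette\Security\Permission();
     foreach ($this->roleService->findAll() as $role) {
         $acl->addRole($role->name, $role->parent === NULL ? NULL : $role->parent->name);
     }
     foreach ($this->resourceService->findAll() as $resource) {
         $acl->addResource($resource->name);
     }
     foreach ($this->aclService->findAll() as $aclEntry) {
         $roleName = $aclEntry->role->name;
         $resourceName = $aclEntry->permission->resource->name;
         $privilegeName = $aclEntry->permission->privilege->name;
         if ($aclEntry->allow) {
             $acl->allow($roleName, $resourceName, $privilegeName);
         } else {
             $acl->deny($roleName, $resourceName, $privilegeName);
         }
     }
     return $acl;
 }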
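 /**
  * Checks whether $role may exercise $privilege on $resource.
  *
  * The decision is delegated unchanged to the parent Permission. An
  * owner-based short cut (comparing the user id of an IOwnerResource with
  * that of an OwnerRole) was sketched here in commented-out code but never
  * enabled; if that behaviour is wanted it has to be implemented explicitly
  * rather than left as dead code.
  *
  * @param  string|Permission::ALL|IRole  $role
  * @param  string|Permission::ALL|IResource  $resource
  * @param  string|Permission::ALL  $privilege
  * @throws \Nette\InvalidStateException
  * @return bool
  */
 public function isAllowed($role = self::ALL, $resource = self::ALL, $privilege = self::ALL)
 {
     return parent::isAllowed($role, $resource, $privilege);
 }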
 /**
  * Builds the ACL: the guest → demo → admin role chain, two resources and
  * three rules (guest reads Front, demo reads Admin:Admin, admin may do
  * everything), then stores it in $this->acl.
  */
 public function __construct()
 {
     $acl = new Nette\Security\Permission();

     // Roles; each one inherits from the previous.
     $acl->addRole('guest');
     $acl->addRole('demo', 'guest');
     $acl->addRole('admin', 'demo');

     // Resources users may reach.
     foreach (['Admin:Admin', 'Front'] as $resource) {
         $acl->addResource($resource);
     }

     // Who may do what with which resource.
     $rules = [
         ['guest', 'Front', self::READ],
         ['demo', 'Admin:Admin', self::READ],
         ['admin', Permission::ALL, Permission::ALL],
     ];
     foreach ($rules as list($role, $resource, $privilege)) {
         $acl->allow($role, $resource, $privilege);
     }

     $this->acl = $acl;
 }
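 /**
  * Authorises $role against $resource, where $resource may be:
  *  - a plain resource name,
  *  - a pair [name, type] where type names a resource group, or
  *  - an IResourceEntity, mapped to its class name with type 'entities'
  *    (unless a type was given explicitly).
  *
  * On the first InvalidStateException (unknown type, or whatever the parent
  * raises for an unknown role/resource) the missing role and resource are
  * registered and the query is retried once; a failure of the retry
  * propagates. This auto-registration means an unknown role name is silently
  * added rather than rejected — presumably intended, but worth confirming.
  *
  * @param string|null $role
  * @param string|array|IResourceEntity|null $resource
  * @param string|null $privilege
  * @return bool
  * @throws Nette\InvalidStateException when the retry still fails
  */
 public function isAllowed($role = \Nette\Security\Permission::ALL, $resource = \Nette\Security\Permission::ALL, $privilege = \Nette\Security\Permission::ALL)
 {
     $type = NULL;
     if (is_array($resource)) {
         // A missing element becomes NULL, without the @-suppressed notice
         // the old list() assignment relied on.
         $type = isset($resource[1]) ? $resource[1] : NULL;
         $resource = isset($resource[0]) ? $resource[0] : NULL;
     }
     if ($resource instanceof IResourceEntity) {
         $resource = $resource->getClassName();
         $type = $type ?: 'entities';
     }
     try {
         if ($type && !$this->hasResource($type)) {
             throw new Nette\InvalidStateException();
         }
         return parent::isAllowed($role, $resource, $privilege);
     } catch (Nette\InvalidStateException $e) {
         $this->addMissingRole($role);
         $this->addMissingResource($resource, $type);
     }
     // Retry after registering; exceptions from this call are not caught.
     return parent::isAllowed($role, $resource, $privilege);
 }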
 /**
  * Is the current user allowed to access this presenter and action?
  * The role is taken from the logged-in identity, or the configured guest
  * role otherwise; the resource is whatever getResource() derives.
  *
  * @throws Nette\InvalidStateException
  * @return bool
  */
 protected function isAllowed()
 {
     $user = $this->user;
     if ($user->isLoggedIn()) {
         $role = $user->getIdentity()->role;
     } else {
         $role = $user->guestRole;
     }
     $resource = $this->getResource();
     return $this->acl->isAllowed($role, $resource);
 }
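 /**
  * Sets up $permission for $role, walking up the role hierarchy first.
  *
  * 'admin' is special-cased: it is granted everything and no lookup happens.
  * Any other role is resolved through roleRepository (only when the
  * connection check passes): its parent is set up recursively, the role is
  * registered with that parent if not yet known, and each stored permission
  * is applied as allow or deny — only for resources $permission already has.
  * Rules are re-applied on every visit, and there is no cycle guard, so a
  * cyclic parent chain in the database would not terminate.
  *
  * @param Permission $permission
  * @param string $role
  * @return Permission
  */
 protected function setPermissionsByRole(Permission $permission, $role)
 {
     if ($role === 'admin') {
         $permission->allow('admin', Permission::ALL);
         return $permission;
     }
     if (!$this->checkConnection->invoke()) {
         return $permission;
     }
     $roleEntity = $this->roleRepository->findOneByName($role);
     if (!$roleEntity) {
         return $permission;
     }

     $parentName = $roleEntity->parent ? $roleEntity->parent->name : NULL;
     if ($roleEntity->parent) {
         $this->setPermissionsByRole($permission, $parentName);
     }
     if (!$permission->hasRole($role)) {
         $permission->addRole($role, $parentName);
     }

     // allow/deny
     foreach ($roleEntity->permissions as $perm) {
         if (!$permission->hasResource($perm->resource)) {
             continue;
         }
         $privilege = $perm->privilege ?: NULL;
         if ($perm->allow) {
             $permission->allow($role, $perm->resource, $privilege);
         } else {
             $permission->deny($role, $perm->resource, $privilege);
         }
     }
     return $permission;
 }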
 /**
  * Loads every stored permission (joined with its privilege) into $acl as an
  * allow or deny rule, then grants the GOD role everything.
  *
  * @param Permission $acl
  */
 private function loadPermissions(Permission $acl)
 {
     $query = $this->em->createQuery('SELECT p, pr FROM ' . \Users\Authorization\Permission::class . ' p
          LEFT JOIN p.privilege pr');
     /** @var \Users\Authorization\Permission $permission */
     foreach ($query->execute() as $permission) {
         $rule = $permission->isAllowed() === true ? 'allow' : 'deny';
         $acl->$rule($permission->getRoleName(), $permission->getResourceName(), $permission->getPrivilegeName());
     }
     $acl->allow(Role::GOD, IAuthorizator::ALL, IAuthorizator::ALL);
 }
 /**
  * Delegates the authorisation query to the wrapped ACL.
  *
  * @param string $role
  * @param string $resource
  * @param string $privilege
  * @return bool whatever the wrapped ACL answers
  */
 public function isAllowed($role, $resource, $privilege)
 {
     $acl = $this->acl;
     return $acl->isAllowed($role, $resource, $privilege);
 }
 /**
  * Returns the parent's roles re-keyed by themselves (role => role), e.g. for
  * isset()-style membership tests.
  *
  * @return array
  */
 public function getRoles()
 {
     $byName = [];
     foreach (parent::getRoles() as $roleName) {
         $byName[$roleName] = $roleName;
     }
     return $byName;
 }
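 /**
  * Admin presenter startup: forces login, assembles the ACL from the
  * repositories plus the built-in super_admin/guest roles and the
  * homepage/sign resources, enforces the ACL for the current
  * presenter/action, and collects module presenters for the menu.
  */
 public function startup()
 {
     parent::startup();
     if ($this->getName() != 'Admin:Sign' && !$this->user->isLoggedIn()) {
         $this->redirect('Sign:default');
     }
     $this->buildAdminAcl();
     $this->enforceAdminAccess();
     $this->collectModulePresenters();
 }

 /**
  * Registers roles, resources and allow rules from the repositories, then the
  * built-in super_admin (allowed everything), the homepage and sign resources
  * open to every role, and the default guest role.
  */
 private function buildAdminAcl()
 {
     foreach ($this->roles->getAll() as $role) {
         $this->acl->addRole($role['system_name']);
     }
     foreach ($this->resources->getAll() as $resource) {
         $this->acl->addResource($resource['system_name']);
     }
     foreach ($this->permissions->getAll() as $permission) {
         $this->acl->allow($permission->role->system_name, $permission->resource->system_name, $permission->privilege->system_name);
     }
     $this->acl->addRole('super_admin');
     $this->acl->allow('super_admin');
     // homepage and sign are reachable by everyone
     $this->acl->addResource('homepage');
     $this->acl->allow(\App\AdminModule\Components\Authorizator::ALL, 'homepage');
     $this->acl->addResource('sign');
     $this->acl->allow(\App\AdminModule\Components\Authorizator::ALL, 'sign');
     // default role
     $this->acl->addRole('guest');
 }

 /**
  * Redirects to Homepage:default with an error flash when the user is not
  * allowed to run the current action on the current presenter. The whole
  * Admin:Image presenter and a fixed list of actions are exempt; every entry
  * in that list is reachable without any permission, so keep it short.
  */
 private function enforceAdminAccess()
 {
     $exemptActions = ['ordering', 'orderingCategory', 'deleteImage', 'changePassword', 'getCity', 'download'];
     if ($this->getName() == 'Admin:Image' || in_array($this->getAction(), $exemptActions, true)) {
         return;
     }
     if (!$this->getUser()->isAllowed($this->getNameSimple(), $this->getAction())) {
         $this->flashMessage($this->translator->translate('admin.login.noAccess'), 'error');
         $this->redirect('Homepage:default');
     }
 }

 /**
  * Scans the sibling module directories for src/setting.xml files and appends
  * each declared presenter (name + resource) to $this->menuModules.
  */
 private function collectModulePresenters()
 {
     $vsekDir = dirname(__FILE__) . '/../../../';
     $ch = opendir($vsekDir);
     if ($ch === false) {
         // Nothing to scan; leave menuModules as it is instead of failing on readdir().
         return;
     }
     while (($file = readdir($ch)) !== false) {
         if (in_array($file, ['.', '..'], true)) {
             continue;
         }
         $settingFile = $vsekDir . $file . '/src/setting.xml';
         if (!file_exists($settingFile)) {
             continue;
         }
         $xml = simplexml_load_file($settingFile);
         if (isset($xml->presenter)) {
             $this->menuModules[] = ['name' => (string) $xml->presenter->name, 'resource' => (string) $xml->presenter->resource];
         }
     }
     closedir($ch);
 }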
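 /**
  * Adds $role, first making sure every parent recorded for it in
  * $this->rolesRels exists (recursing as needed), so roles can be loaded
  * from the database in any order.
  *
  * All parents listed for the role are passed on to the parent class (a
  * single-slot assignment used to keep only the last one visited); this
  * assumes the parent addRole accepts an array of parents, as Nette's does.
  * The $parents argument is ignored — rolesRels is the single source of
  * truth — and is kept only to match the parent signature. There is no cycle
  * guard, so mutually-parented roles in rolesRels would recurse forever.
  *
  * @param string $role
  * @param mixed $parents ignored, see above
  * @return static
  */
 public function addRole($role, $parents = null)
 {
     if ($this->hasRole($role)) {
         return $this;
     }
     $effectiveParents = [];
     if (isset($this->rolesRels[$role]) && is_array($this->rolesRels[$role])) {
         foreach ($this->rolesRels[$role] as $parent) {
             if (!$this->hasRole($parent)) {
                 $this->addRole($parent);
             }
             $effectiveParents[] = $parent;
         }
     }
     return parent::addRole($role, $effectiveParents === [] ? null : $effectiveParents);
 }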
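 /**
  * Applies the rules from rulesService to $p as allow/deny entries.
  *
  * A DataErrorException while fetching is logged and $p is left as it was
  * (returning early avoids iterating an undefined $rules). A rule without a
  * resource or privilege applies to Permission::ALL.
  *
  * @param Permission $p
  */
 private function setRules(Permission $p)
 {
     try {
         $rules = $this->rulesService->getRules();
     } catch (Exceptions\DataErrorException $e) {
         $this->logError($e->getMessage());
         return;
     }
     foreach ($rules as $r) {
         $roleName = $r->getRole()->getName();
         $resource = $r->hasResource() ? $r->getResource() : Permission::ALL;
         $privileges = $r->hasPrivilege() ? $r->getPrivileges() : Permission::ALL;
         if ($r->isPermit()) {
             $p->allow($roleName, $resource, $privileges);
         } else {
             $p->deny($roleName, $resource, $privileges);
         }
     }
 }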