/**
 * Smoke-test action for the Phalcon ACL: builds a deny-by-default list with
 * two roles and one resource, then dumps the adapter and stops.
 *
 * Everything after the first `exit` is unreachable; the isAllowed() probe at
 * the end only runs if that `exit` is removed.
 */
public function aclAction()
{
    echo 'this is acl test!<br>';

    $acl = new AclList();
    // Fail closed: anything not explicitly allowed below is denied.
    $acl->setDefaultAction(Acl::DENY);

    // Roles (first argument is the name, second an optional description).
    $administrators = new Role("Administrators");
    $editors = new Role("Editors");
    $acl->addRole($administrators);
    $acl->addRole($editors);
    // A role can also be registered by bare name, e.g. addRole("Designers").

    // Resource "Customers" with its three accesses; the second addResource()
    // call is presumably merged into the same resource by the adapter.
    $customers = new Resource("Customers");
    $acl->addResource($customers, "search");
    $acl->addResource($customers, array("create", "update"));

    // Access rules. Only Administrators get anything; the explicit deny for
    // Editors/update adds nothing beyond the DENY default but states intent.
    $acl->allow("Administrators", "Customers", "search");
    $acl->allow("Administrators", "Customers", "create");
    $acl->deny("Editors", "Customers", "update");

    var_dump($acl);
    exit;

    // Unreachable unless the exit above is removed.
    var_dump($acl->isAllowed("Administrators", "Customers", "search"));
    exit;
}
/**
 * Builds (once per session) the staff/manager/admin ACL and keeps it in the
 * persistent session bag.
 *
 * NOTE(review): the adapter is configured fail-open (Acl::ALLOW by default).
 * Only reports/index is explicitly denied, and only to "Staff"; everything
 * else — presumably including resources and roles never registered here —
 * is permitted. A deny-by-default list with explicit allow() rules would be
 * the safer shape; it is not changed here because it alters what callers
 * are currently granted.
 *
 * NOTE(review): because the list lives in the session, policy changes made
 * here are not seen by already-open sessions until they expire or are reset.
 *
 * @return Memory
 */
public function _getAcl()
{
    if (isset($this->persistent->acl)) {
        return $this->persistent->acl;
    }

    $acl = new Memory();
    $acl->setDefaultAction(Acl::ALLOW);

    // Roles. No parent is passed to addRole(), so none of these roles
    // inherits from another (the old "admin inherits staff" comment did not
    // match the code).
    $roles = array(
        'admin'   => new Acl\Role('Administrator'),
        'manager' => new Acl\Role('Manager'),
        'staff'   => new Acl\Role('Staff'),
    );
    foreach (array('staff', 'manager', 'admin') as $key) {
        $acl->addRole($roles[$key]);
    }

    // Resources (and the actions on them) that "Staff" may NOT use.
    $deniedForStaff = array("reports" => array("index"));
    $staffRole = $roles['staff']->getName();
    foreach ($deniedForStaff as $resourceName => $actions) {
        $acl->addResource(new Resource($resourceName), $actions);
        foreach ($actions as $action) {
            $acl->deny($staffRole, $resourceName, $action);
        }
    }

    $this->persistent->acl = $acl;

    return $this->persistent->acl;
}
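/**
 * Returns the session-cached access control list, building it from the
 * `acl` section of the DI config on first use.
 *
 * Config shape consumed here (see the loops below):
 *   roles:     role name => parent role name (or null)
 *   resources: resource name => list of accesses
 *   privilege: role => { allow|deny => { resource => [access, ...] } }
 *
 * The list is deny-by-default, and any privilege method other than the
 * literal string 'allow' is treated as deny, so a typo in the config fails
 * closed.
 *
 * Fixes relative to the previous version:
 *   - the inheritance check called isRole($inheritance) before testing for
 *     null, so a role with no parent still passed null into isRole(); the
 *     null test now short-circuits first;
 *   - the 'allow' comparison is strict. With the old loose `==`, a numeric
 *     privilege key would compare equal to 'allow' on PHP < 8 and silently
 *     turn into a grant.
 *
 * NOTE(review): a parent that is declared *after* its child in `roles` is
 * not yet registered when isRole() runs, so the raw name is handed to
 * addRole() unchanged; whether the adapter accepts that depends on its
 * version — keep parents ahead of children in the config.
 *
 * NOTE(review): the list is stored in the session, so policy changes are
 * not visible to already-open sessions until they expire or are reset.
 *
 * @return AclList
 */
public function getAcl()
{
    if (isset($this->persistent->acl)) {
        return $this->persistent->acl;
    }

    $acl = new AclList();
    $acl->setDefaultAction(Acl::DENY);
    $config = $this->getDI()->get('config')->acl;

    // Roles: a parent is wrapped as a Role only if it is already registered.
    foreach ($config->roles as $roleName => $inheritance) {
        if ($inheritance !== null && $acl->isRole($inheritance)) {
            $inheritance = new Role($inheritance);
        }
        $acl->addRole(new Role($roleName), $inheritance);
    }

    // Resources and their accesses.
    foreach ($config->resources as $resourceName => $actions) {
        $acl->addResource(new Resource($resourceName), $actions->toArray());
    }

    // Privileges: anything that is not literally 'allow' is a deny.
    foreach ($config->privilege as $roleName => $methodList) {
        foreach ($methodList as $method => $levels) {
            $isAllow = ($method === 'allow');
            foreach ($levels as $resourceName => $accessList) {
                foreach ($accessList as $access) {
                    if ($isAllow) {
                        $acl->allow($roleName, $resourceName, $access);
                    } else {
                        $acl->deny($roleName, $resourceName, $access);
                    }
                }
            }
        }
    }

    $this->persistent->acl = $acl;

    return $this->persistent->acl;
}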
use Mocks\Examples\User;
use Ovide\Libs\Mvc\Rest\App;
use Phalcon\Acl;
use Ovide\Libs\Mvc\Rest\ContentType\XmlEncoder;

// Test bootstrap: a fresh App with the XML encoder registered on its Accept
// header handler, the User resource mounted, and a shared ACL service wired
// into the DI container.
App::reset();
$app = App::instance();

$handlers = $app->getHandlers();
$acceptHandler = $handlers[\Ovide\Libs\Mvc\Rest\HeaderHandler\Accept::HEADER];
$acceptHandler->setAcceptable(XmlEncoder::CONTENT_TYPE, XmlEncoder::class);

$app->mountResource(User::class);

// Shared (true) ACL service: guest < user < root, one "users" resource.
$app->di->set('acl', function () {
    $acl = new Acl\Adapter\Memory();

    // Role chain: user inherits from guest, root inherits from user.
    $guest = new Acl\Role('guest');
    $user  = new Acl\Role('user');
    $root  = new Acl\Role('root');
    $acl->addRole($guest);
    $acl->addRole($user, $guest);
    $acl->addRole($root, $user);

    $acl->addResource(new Acl\Resource('users'), [
        'delete', 'get', 'getOne', 'post', 'put', 'putSelf', 'getSelf', 'deleteSelf',
    ]);

    // guest may register (post); user may act on its own record and is
    // explicitly denied post (presumably to override what it would otherwise
    // inherit from guest); root may do everything.
    $acl->allow('guest', 'users', ['post']);
    $acl->allow('user', 'users', ['getSelf', 'deleteSelf', 'putSelf']);
    $acl->deny('user', 'users', 'post');
    $acl->allow('root', 'users', '*');

    // Fail closed for anything not granted above.
    $acl->setDefaultAction(Acl::DENY);

    // One throwaway isAllowed() call so that 'guest' becomes the adapter's
    // active role (the original comment's intent; presumably read back via
    // getActiveRole() elsewhere — confirm).
    $acl->isAllowed('guest', '', '');

    return $acl;
}, true);

return $app;
<?php
/**
 * Created by PhpStorm.
 * User: vlad
 * Date: 8/29/15
 * Time: 6:46 AM
 */

use Phalcon\Acl\Adapter\Memory as AclList;
use Phalcon\Acl\Resource;

// Two roles, two resources, deny-list policy.
//
// NOTE(review): this list is fail-open (Phalcon\Acl::ALLOW by default): every
// role/resource/access not explicitly denied below is permitted, which
// presumably includes resources and roles that were never registered here.
// A deny-by-default list with explicit allow() rules would be the safer
// shape; it is not changed here because it alters what the app permits.
$acl = new AclList();
$acl->setDefaultAction(Phalcon\Acl::ALLOW);

$acl->addRole("guest");
$acl->addRole("user");

$acl->addResource(new Resource("sign"), ['up', 'in', 'out']);
$acl->addResource(new Resource("projects"), ['create', 'edit', 'delete']);

// Deny rules, applied in order:
//   guests may sign up/in but not out, and may not touch projects;
//   logged-in users may sign out but not sign up/in again.
$denied = [
    ["guest", "sign", ["out"]],
    ["user", "sign", ["up", "in"]],
    ["guest", "projects", ['create', 'edit', 'delete']],
];
foreach ($denied as list($role, $resource, $accesses)) {
    $acl->deny($role, $resource, $accesses);
}
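/**
 * Returns the in-memory ACL used for authorisation, building it on first
 * use from the configured `aclAdapter` service and caching the result.
 *
 * Build order (when no cached copy exists):
 *   1. an empty deny-by-default Memory list;
 *   2. roles and the admin-area resource are mirrored from `aclAdapter`, and
 *      the admin role is granted `*` on every resource;
 *   3. every enabled module's Controller directory is scanned and each
 *      controller for which getObjectAcl() returns something becomes a
 *      resource on `aclAdapter`;
 *   4. for every role/resource/access known to `aclAdapter`, the verdict of
 *      its isAllowed() is copied into the Memory list as an explicit allow
 *      or deny.
 *
 * Fixes relative to the previous version:
 *   - `aclAdapter` was used (setDefaultAction) before the instanceof check
 *     that rejects a wrongly configured service; the check now runs first;
 *   - only `*.php` entries of a Controller directory are considered, and the
 *     path must be a directory, so stray files no longer produce bogus class
 *     names and a failed scandir() no longer feeds false into foreach;
 *   - addResource() on the Memory list is done once per resource instead of
 *     once per role/resource pair (same resulting list, less work);
 *   - file-name comparisons are strict.
 *
 * NOTE(review): the built list is cached for 3600 s under ACL_CACHE_KEY when
 * a `cacheData` service exists, and additionally memoised in $this->_acl. A
 * permission revoked in the backing adapter therefore keeps working until
 * the cache entry expires or is purged; invalidate ACL_CACHE_KEY whenever
 * roles or privileges change.
 *
 * @return \Phalcon\Acl\Adapter\Memory
 * @throws \Engine\Exception if the `aclAdapter` service is not a Phalcon ACL adapter
 */
public function getAdapter()
{
    if ($this->_acl) {
        return $this->_acl;
    }

    $cacheData = false;
    $acl = null;
    if ($this->_di->has('cacheData')) {
        $cacheData = $this->_di->get('cacheData');
        $acl = $cacheData->get(self::ACL_CACHE_KEY);
    }

    if ($acl === null) {
        $acl = $this->_buildAcl();
        if ($cacheData) {
            $cacheData->save(self::ACL_CACHE_KEY, $acl, 3600);
        }
    }

    $this->_acl = $acl;

    return $this->_acl;
}

/**
 * Builds the deny-by-default Memory list from the `aclAdapter` service.
 *
 * @return \Phalcon\Acl\Adapter\Memory
 * @throws \Engine\Exception if the `aclAdapter` service is not a Phalcon ACL adapter
 */
private function _buildAcl()
{
    $aclAdapter = $this->_di->get('aclAdapter');
    // Validate before touching the adapter, so a misconfigured service is
    // reported as such rather than as a method call on the wrong object.
    if (!$aclAdapter instanceof \Phalcon\Acl\Adapter) {
        throw new \Engine\Exception('Acl adapter not instance of Phalcon\\Acl\\Adapter');
    }
    $aclAdapter->setDefaultAction(PhAcl::DENY);

    $acl = new AclMemory();
    $acl->setDefaultAction(PhAcl::DENY);

    // Roles: make sure the admin role exists, then mirror every role.
    $aclAdapter->addRole(self::ROLE_TYPE_ADMIN);
    $roles = $aclAdapter->getRoles();
    foreach ($roles as $role) {
        $acl->addRole($role);
    }

    // Admin area resource; the admin role is allowed everything, everywhere.
    $adminArea = new AclResource(self::ACL_ADMIN_AREA);
    $aclAdapter->addResource($adminArea, '*');
    $acl->addResource($adminArea, '*');
    $acl->allow(self::ROLE_TYPE_ADMIN, self::ACL_ADMIN_AREA, '*');
    $acl->allow(self::ROLE_TYPE_ADMIN, '*', '*');

    $this->_registerControllerResources($aclAdapter);

    // Register each resource (with its accesses) once, remembering the
    // access list by position so it is not re-fetched per role.
    $resources = $aclAdapter->getResources();
    $accesses = array();
    foreach ($resources as $index => $resource) {
        $accesses[$index] = $aclAdapter->getResourceAccesses($resource);
        $acl->addResource($resource, $accesses[$index]);
    }

    // Copy the adapter's verdicts into the in-memory list as explicit rules.
    foreach ($roles as $role) {
        $roleName = $role->getName();
        foreach ($resources as $index => $resource) {
            $resourceName = $resource->getName();
            foreach ($accesses[$index] as $action) {
                if ($aclAdapter->isAllowed($roleName, $resourceName, $action)) {
                    $acl->allow($roleName, $resourceName, $action);
                } else {
                    $acl->deny($roleName, $resourceName, $action);
                }
            }
        }
    }

    return $acl;
}

/**
 * Registers, on the backing adapter, one resource per annotated controller
 * found in every enabled module's Controller directory.
 *
 * @param \Phalcon\Acl\Adapter $aclAdapter
 * @return void
 */
private function _registerControllerResources($aclAdapter)
{
    $config = $this->_di->get('config');
    foreach ($this->_di->get('modules') as $module => $enabled) {
        if (!$enabled) {
            continue;
        }
        $moduleName = ucfirst($module);
        $controllerPath = $config->application->modulesDir . $moduleName . '/Controller';
        if (!is_dir($controllerPath)) {
            continue;
        }
        $files = scandir($controllerPath);
        if ($files === false) {
            continue;
        }
        foreach ($files as $file) {
            // Only PHP sources can be controllers; this also skips "." and "..".
            if (pathinfo($file, PATHINFO_EXTENSION) !== 'php') {
                continue;
            }
            $controllerClass = ucfirst(str_replace('.php', '', $file));
            $controllerClassName = str_replace('Controller', '', $controllerClass);
            $class = sprintf('\\%s\\Controller\\%s', $moduleName, $controllerClass);
            // getObjectAcl() presumably yields nothing for controllers without
            // an ACL annotation; the loose == null check is kept on purpose
            // because its exact "nothing" value is not visible here.
            $object = $this->getObjectAcl($class);
            if ($object == null) {
                continue;
            }
            $resource = $this->getResource($moduleName, $controllerClassName);
            $aclAdapter->addResource($resource, $object->actions);
        }
    }
}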
/**
 * Denies $access on $resourceName to $roleName by delegating to the parent
 * adapter; kept as an explicit override so the call can be traced (and later
 * extended) in this class.
 *
 * NOTE(review): some Phalcon adapter versions take a fourth, optional
 * callable argument on deny(); if this class is run against such a version
 * the signature here would need to accept and forward it.
 *
 * @param string       $roleName
 * @param string       $resourceName
 * @param string|array $access
 */
public function deny($roleName, $resourceName, $access)
{
    parent::deny(
        $roleName,
        $resourceName,
        $access
    );
}
/**
 * Denies $access on $resourceName to $roleName, forwarding the optional
 * $func (a per-call condition understood by the parent adapter) unchanged;
 * kept as an explicit override so the call can be traced (and later
 * extended) in this class.
 *
 * @param string        $roleName
 * @param string        $resourceName
 * @param string|array  $access
 * @param callable|null $func
 */
public function deny($roleName, $resourceName, $access, $func = null)
{
    parent::deny(
        $roleName,
        $resourceName,
        $access,
        $func
    );
}
/**
 * An explicit deny on a child role must win over an allow inherited from
 * its parent: Members inherits from Guests, Guests may Login/index, Members
 * are denied it, so isAllowed() for Members must be false.
 *
 * @issue T65
 */
public function testNegationOfInheritedRoles_T65()
{
    $list = new PhAclMem();
    $list->setDefaultAction(PhAcl::DENY);

    $list->addRole('Guests');
    $list->addRole('Members', 'Guests');
    $list->addResource('Login', array('index'));

    $list->allow('Guests', 'Login', 'index');
    $list->deny('Members', 'Login', 'index');

    $allowed = (bool) $list->isAllowed('Members', 'Login', 'index');
    $this->assertFalse($allowed, 'Negation of inherited roles not correct');
}