/**
 * Gate the current request on the current user's role, redirecting to the
 * access denied page as soon as a check fails.
 *
 * Checks run in this order:
 *  1. resource-level access via Acl::has_access()
 *  2. an explicitly defined ACL entry for this exact controller-action pair
 *  3. the conventional action names (index/add/edit/delete) resolved to their
 *     resource-level permission
 *
 * Reaching the end only means resource-level access is granted; any finer
 * authorisation must be done inside the controller action itself.
 */
protected function acl_filter()
{
    $resource = $this->request->controller();
    $acl = Acl::instance();

    // 1. Does the role get into this resource at all?
    if (!$acl->has_access($resource)) {
        $this->redirect_after_filter('error/access_denied');
    }

    // 2. An explicit rule for this controller-action pair, when one is defined.
    $action = $this->request->action();
    $pair_key = Acl::repr_key($resource, $action);
    if ($acl->acl_exists($pair_key) && !$acl->is_allowed($pair_key)) {
        $this->redirect_after_filter('error/access_denied');
    }

    // 3. Map the standard CRUD action names onto the permission levels.
    $standard_levels = array(
        'index'  => 'view',
        'add'    => 'create',
        'edit'   => 'edit',
        'delete' => 'delete',
    );
    if (isset($standard_levels[$action])) {
        $level_key = Acl::repr_key($resource, $standard_levels[$action]);
        if (!$acl->is_allowed($level_key)) {
            $this->redirect_after_filter('error/access_denied');
        }
    }
    // Resource-level access granted; action-specific checks belong to the action.
}
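/**
 * Show and save the permission matrix of a role.
 *
 * On POST the submitted matrix (expected as an array under `acl`) is
 * serialized onto the role named by `role_id` and the request is redirected
 * to the role index. Otherwise the role from the route parameter is loaded
 * and its permissions are laid out for the `role/permissions` view.
 *
 * Fixes: the original assigned `${$acl} = array()` (a variable-variable on an
 * undefined name) instead of initialising `$acl`, which the view is bound to;
 * the submitted matrix is now checked to be an array before it is stored; a
 * POST naming a non-existent role no longer creates a new role row.
 */
public function action_permissions()
{
    $view = View::factory('role/permissions')
        ->bind('acl', $acl)
        ->set('action', URL::site('role/permissions'))
        ->bind('role_id', $role_id)
        ->bind('is_current_role', $is_current_role)
        ->bind('role_name', $role_name)
        ->set('cancel', URL::site('role'));

    if ($this->request->method() === 'POST' && $this->request->post()) {
        $post = $this->request->post();
        $role_id = isset($post['role_id']) ? $post['role_id'] : NULL;
        $role = ORM::factory('role', $role_id);
        // Only store a matrix shaped like the one the form emits; any other
        // client-supplied value collapses to an empty permission set.
        $submitted = isset($post['acl']) && is_array($post['acl']) ? $post['acl'] : array();
        // Without this guard an unknown role_id would INSERT a fresh role row.
        if ($role->loaded()) {
            $role->permissions = serialize($submitted);
            $role->save();
            Session::instance()->set('success', 'User permissions saved successfully.');
        }
        Request::current()->redirect('role/index');
    }

    $role_id = $this->request->param('params');
    $role = ORM::factory('role', $role_id);
    $role_name = $role->name;
    // NOTE(review): unserialize() will instantiate any class named in the stored
    // payload, so the permissions column must only ever be written from this
    // action's serialize() of a plain array (json would be a safer encoding).
    $permissions = $role->permissions ? unserialize($role->permissions) : array();
    if (!is_array($permissions)) {
        $permissions = array();
    }

    $acl = array();
    foreach (Acl::acl_array($permissions) as $resource => $levels) {
        $acl[$resource] = array();
        $text_resource = Kohana::message('acl', $resource);
        foreach ($levels as $level => $permission) {
            $acl[$resource][$level] = array(
                'resource'   => $text_resource,
                'level'      => Inflector::humanize($level),
                'permission' => $permission,
                'repr_key'   => Acl::repr_key($resource, $level),
            );
        }
    }

    // When the role being edited is the current user's own role, the view can
    // warn before the user denies themselves every permission.
    $user_role_id = Auth::instance()->get_user()->roles->find()->id;
    $is_current_role = (int) $role_id === (int) $user_role_id;

    Breadcrumbs::add(array('Role', Url::site('role')));
    Breadcrumbs::add(array('Set Permission', Url::site('role/permissions/' . $role_id)));
    $this->content = $view;
}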
/**
 * Acl::repr_key() joins a resource and a level into a single `resource_level` key.
 */
public function test_repr_key()
{
    $cases = array(
        array('user', 'create', 'user_create'),
        array('role', 'permissions', 'role_permissions'),
    );
    foreach ($cases as $case) {
        list($resource, $level, $expected) = $case;
        $this->assertEquals($expected, Acl::repr_key($resource, $level));
    }
}