コード例 #1
ファイル: base.php プロジェクト: hemsinfotech/kodelearn
 /**
  * Check whether the role of the current user is allowed to access this page;
  * otherwise redirect to the access denied page.
  * First we check whether the user has permission on the resource as a whole,
  * using the has_access method.
  * Then we check whether an ACL entry is defined for the current
  * resource-action combination and, if so, check it.
  * Lastly we resolve standard action names to valid resource-action
  * combinations and check those.
  */
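 protected function acl_filter()
 {
     // Every failed check sends the user to the same place.
     $denied_uri = 'error/access_denied';

     $resource = $this->request->controller();
     $acl = Acl::instance();

     // 1. Resource-level gate: the role must have access to the controller as a whole.
     if (!$acl->has_access($resource)) {
         $this->redirect_after_filter($denied_uri);
         // Stop evaluating once access is denied; the remaining checks could only
         // repeat the same redirect.
         return;
     }

     // 2. Explicit entry: if an ACL entry exists for this exact controller-action
     //    pair, it must allow the role.
     $action = $this->request->action();
     $repr_key = Acl::repr_key($resource, $action);
     if ($acl->acl_exists($repr_key) && !$acl->is_allowed($repr_key)) {
         $this->redirect_after_filter($denied_uri);
         return;
     }

     // 3. Standard action names are mapped to their permission level and checked.
     $std_actions = array('index' => 'view', 'add' => 'create', 'edit' => 'edit', 'delete' => 'delete');
     if (isset($std_actions[$action]) && !$acl->is_allowed(Acl::repr_key($resource, $std_actions[$action]))) {
         $this->redirect_after_filter($denied_uri);
         return;
     }

     // Reaching this point means the request is allowed at resource level.
     // Note the default: an action that has no ACL entry of its own and no
     // standard name passes on the resource-level check alone, so any finer
     // restriction has to be enforced inside the controller action.
     // NOTE(review): whether redirect_after_filter() halts the request is not
     // visible here - confirm the controller action cannot run after a denial.
 }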
コード例 #2
ファイル: role.php プロジェクト: hemsinfotech/kodelearn
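 /**
  * Show the permission matrix of a role and, on POST, store the submitted
  * matrix on that role.
  *
  * GET  role/permissions/<role_id> renders the form.
  * POST role/permissions           saves $_POST['acl'] for $_POST['role_id']
  *                                 and redirects to role/index.
  */
 public function action_permissions()
 {
     // $acl, $role_id, $is_current_role and $role_name are bound before they
     // are assigned; the view is expected to see the values set further down.
     $view = View::factory('role/permissions')
         ->bind('acl', $acl)
         ->set('action', URL::site('role/permissions'))
         ->bind('role_id', $role_id)
         ->bind('is_current_role', $is_current_role)
         ->bind('role_name', $role_name)
         ->set('cancel', URL::site('role'));

     if ($this->request->method() === 'POST' && $this->request->post()) {
         $post = $this->request->post();
         // NOTE(review): no anti-CSRF token is verified in this handler, although
         // it changes role permissions - confirm a token check happens elsewhere
         // in the request pipeline or add one here.
         $role_id = isset($post['role_id']) ? $post['role_id'] : NULL;
         // A missing or non-array 'acl' field is stored as an empty matrix
         // instead of serialising NULL.
         // NOTE(review): the submitted structure is stored as-is; its keys are
         // not checked against the known resource/level names here.
         $submitted_acl = (isset($post['acl']) && is_array($post['acl'])) ? $post['acl'] : array();
         $role = ORM::factory('role', $role_id);
         // Only update a role that exists: saving an unloaded model would
         // create a new role row from a request that names no valid role.
         if ($role_id !== NULL && $role->loaded()) {
             $role->permissions = serialize($submitted_acl);
             $role->save();
             Session::instance()->set('success', 'User permissions saved successfully.');
         }
         Request::current()->redirect('role/index');
     }

     $role_id = $this->request->param('params');
     $role = ORM::factory('role', $role_id);
     $role_name = $role->name;

     $permissions = array();
     if ($role->permissions) {
         // NOTE(review): unserialize() runs on a database column. The value is
         // written by serialize() above, but anything else able to write that
         // column controls what gets unserialized; a JSON encoding would remove
         // that risk and needs a data migration.
         $stored = unserialize($role->permissions);
         // Anything that does not decode to an array is treated as "no permissions".
         if (is_array($stored)) {
             $permissions = $stored;
         }
     }

     $acl_array = Acl::acl_array($permissions);
     // Plain assignment: the original `${$acl}` was a variable-variable that left
     // $acl unset (and the view without a matrix) whenever $acl_array was empty.
     $acl = array();
     foreach ($acl_array as $resource => $levels) {
         $acl[$resource] = array();
         $text_resource = Kohana::message('acl', $resource);
         foreach ($levels as $level => $permission) {
             $acl[$resource][$level] = array(
                 'resource' => $text_resource,
                 'level' => Inflector::humanize($level),
                 'permission' => $permission,
                 'repr_key' => Acl::repr_key($resource, $level),
             );
         }
     }

     // Check whether the role being edited is the role of the current user;
     // if so, the view shows a warning before the user denies all permissions.
     // Loose comparison is kept because $role_id comes from the route parameter.
     $user_role_id = Auth::instance()->get_user()->roles->find()->id;
     $is_current_role = $role_id == $user_role_id;

     Breadcrumbs::add(array('Role', URL::site('role')));
     Breadcrumbs::add(array('Set Permission', URL::site('role/permissions/' . $role_id)));
     $this->content = $view;
 }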
コード例 #3
ファイル: AclTest.php プロジェクト: hemsinfotech/kodelearn
 public function test_repr_key()
 {
     // Expected key => array(resource, action) passed to Acl::repr_key().
     $cases = array(
         'user_create' => array('user', 'create'),
         'role_permissions' => array('role', 'permissions'),
     );

     foreach ($cases as $expected_key => $pair) {
         list($resource, $action) = $pair;
         $this->assertEquals($expected_key, Acl::repr_key($resource, $action));
     }
 }