public function getAuthAssignments($user_id)
{
if (!isset($this->user_assignments[$user_id])) {
$this->user_assignments[$user_id] = parent::getAuthAssignments($user_id);
}
return $this->user_assignments[$user_id];
}
/**
* Removes cache before revoking auth item assignement
* @param string $itemName the item name
* @param mixed $userId the user ID (see {@link IWebUser::getId})
* @return boolean whether removal is successful
* @throws CExeption if the application component could not be loaded.
*/
public function revoke($itemName, $userId)
{
if (Yii::app()->getComponent($this->cacheID) !== null) {
Yii::app()->getComponent($this->cacheID)->delete($this->cacheID . '_' . $itemName . '_' . $userId);
return parent::revoke($itemName, $userId);
} else {
throw new CException('Application component ' . $this->cacheID . ' could not be loaded.');
}
}
public function init()
{
// Run the parent
parent::init();
// Run only if we are not guests
if (!Yii::app()->user->isGuest) {
// Assign a role to the member only if we didn't assign one yet
if (!$this->isAssigned(Yii::app()->user->role, Yii::app()->user->id)) {
if ($this->assign(Yii::app()->user->role, Yii::app()->user->id)) {
$this->save();
}
}
}
}
/**
* Returns the authorization item with the specified name.
* Overloads the parent method to allow for runtime caching.
* @param string $name the name of the item.
* @param boolean $allowCaching whether to accept cached data.
* @return CAuthItem the authorization item. Null if the item cannot be found.
*/
public function getAuthItem($name, $allowCaching = true)
{
// Get all items if necessary and cache them.
if ($allowCaching && $this->_items === array()) {
$this->_items = $this->getAuthItems();
}
// Get the items from cache if possible.
if ($allowCaching && isset($this->_items[$name])) {
return $this->_items[$name];
} else {
if (($item = parent::getAuthItem($name)) !== null) {
return $item;
}
}
// Item does not exist.
return null;
}
/**
* Performs access check for the specified user.
* @param string $itemName the name of the operation that need access check.
* @param integer $userId the user id.
* @param array $params name-value pairs that would be passed to biz rules associated
* with the tasks and roles assigned to the user.
* @param boolean $allowCaching whether to allow caching the result of access check.
* @return boolean whether the operations can be performed by the user.
*/
public function checkAccess($itemName, $userId, $params = array(), $allowCaching = true)
{
$cacheKey = $this->resolveCacheKey($itemName, $userId);
$key = serialize($params);
if ($allowCaching && ($cache = $this->getCache()) !== null) {
if (($data = $cache->get($cacheKey)) !== false) {
$data = unserialize($data);
if (isset($data[$key])) {
return $data[$key];
}
}
} else {
$data = array();
}
$result = $data[$key] = parent::checkAccess($itemName, $userId, $params);
if (isset($cache)) {
$cache->set($cacheKey, serialize($data), $this->cachingDuration);
}
return $result;
}
/**
* Returns the authorization items of the specific type and user.
* Overloads the parent method to allow for sorting.
* @param integer $type the item type (0: operation, 1: task, 2: role). Defaults to null,
* meaning returning all items regardless of their type.
* @param mixed $userId the user ID. Defaults to null, meaning returning all items even if
* they are not assigned to a user.
* @param boolean $sort whether to sort the items according to their weights.
* @return array the authorization items of the specific type.
*/
public function getAuthItems($type = null, $userId = null, $sort = true)
{
// We need to sort the items.
if ($sort === true) {
if ($type === null && $userId === null) {
$sql = "SELECT name,t1.type,description,t1.bizrule,t1.data,weight\r\n\t\t\t\t\tFROM {$this->db->quoteTableName($this->itemTable)} t1\r\n\t\t\t\t\tLEFT JOIN {$this->db->quoteTableName($this->rightsTable)} t2 ON name=itemname\r\n\t\t\t\t\tORDER BY t1.type DESC, weight ASC";
$command = $this->db->createCommand($sql);
} else {
if ($userId === null) {
$sql = "SELECT name,t1.type,description,t1.bizrule,t1.data,weight\r\n\t\t\t\t\tFROM {$this->db->quoteTableName($this->itemTable)} t1\r\n\t\t\t\t\tLEFT JOIN {$this->db->quoteTableName($this->rightsTable)} t2 ON name=itemname\r\n\t\t\t\t\tWHERE t1.type=:type\r\n\t\t\t\t\tORDER BY t1.type DESC, weight ASC";
$command = $this->db->createCommand($sql);
$command->bindValue(':type', $type);
} else {
if ($type === null) {
$sql = "SELECT name,t1.type,description,t1.bizrule,t1.data,weight\r\n\t\t\t\t\tFROM {$this->db->quoteTableName($this->itemTable)} t1\r\n\t\t\t\t\tLEFT JOIN {$this->db->quoteTableName($this->assignmentTable)} t2 ON name=t2.itemname\r\n\t\t\t\t\tLEFT JOIN {$this->db->quoteTableName($this->rightsTable)} t3 ON name=t3.itemname\r\n\t\t\t\t\tWHERE userid=:userid\r\n\t\t\t\t\tORDER BY t1.type DESC, weight ASC";
$command = $this->db->createCommand($sql);
$command->bindValue(':userid', $userId);
} else {
$sql = "SELECT name,t1.type,description,t1.bizrule,t1.data,weight\r\n\t\t\t\t\tFROM {$this->db->quoteTableName($this->itemTable)} t1\r\n\t\t\t\t\tLEFT JOIN {$this->db->quoteTableName($this->assignmentTable)} t2 ON name=t2.itemname\r\n\t\t\t\t\tLEFT JOIN {$this->db->quoteTableName($this->rightsTable)} t3 ON name=t3.itemname\r\n\t\t\t\t\tWHERE t1.type=:type AND userid=:userid\r\n\t\t\t\t\tORDER BY t1.type DESC, weight ASC";
$command = $this->db->createCommand($sql);
$command->bindValue(':type', $type);
$command->bindValue(':userid', $userId);
}
}
}
$items = array();
foreach ($command->queryAll() as $row) {
$items[$row['name']] = new CAuthItem($this, $row['name'], $row['type'], $row['description'], $row['bizrule'], unserialize($row['data']));
}
} else {
$items = parent::getAuthItems($type, $userId);
}
return $items;
}
/**
* Access check function.
*
* Checks access and attempts to speed up all future access checks using
* caching and storage of the variable within {@link _access}.
*
* Note, only if parameters are empty will permissions caching or storage
* in {@link _access} be effective, because parameters (i.e. the assignment
* of a record based on the value of its assignedTo field) are expected to
* vary. For example, in record-specific permission items checked for
* multiple records. That is why $params be empty for any shortcuts to be
* taken.
*
* @param string $itemName Name of the auth item for which access is being checked
* @param integer $userId ID of the user for which to check access
* @param array $params Parameters to pass to business rules
* @return boolean
*/
public function checkAccess($itemName, $userId, $params = array())
{
if (!isset($params['userId'])) {
$params['userId'] = $userId;
}
if (!isset($this->_access)) {
$this->_access = array();
}
if (isset($this->_access[$userId][$itemName]) && !empty($this->_access[$userId][$itemName])) {
$checkParams = $this->getCacheParams($params);
if ($checkParams !== false) {
$checkParams = json_encode($checkParams);
// Shortcut 1: return data stored in the component's property
if (isset($this->_access[$userId][$itemName][$checkParams])) {
return $this->_access[$userId][$itemName][$checkParams];
}
}
} else {
if ($this->caching) {
// Shortcut 2: load the auth cache data and return if a result was found
if (!isset($this->_access[$userId])) {
$this->_access[$userId] = Yii::app()->authCache->loadAuthCache($userId);
}
if (isset($this->_access[$userId][$itemName]) && !empty($this->_access[$userId][$itemName])) {
$checkParams = $this->getCacheParams($params);
if ($checkParams !== false) {
$checkParams = json_encode($checkParams);
if (isset($this->_access[$userId][$itemName][$checkParams])) {
return $this->_access[$userId][$itemName][$checkParams];
}
}
}
}
}
if (!isset($this->_access[$userId])) {
$this->_access[$userId] = array();
}
if (!isset($this->_access[$userId][$itemName])) {
$this->_access[$userId][$itemName] = array();
}
// Get assignments via roles.
//
// In X2Engine's system, x2_auth_assignment doesn't refer to users, but
// to roles. Hence, the ID of each role is sent to
// parent::getAuthAssignments rather than a user ID, which would be
// meaningless in light of how x2_auth_assignment stores roles.
if (isset($this->_assignments[$userId])) {
$assignments = $this->_assignments[$userId];
} else {
$roles = Roles::getUserRoles($userId);
$assignments = array();
foreach ($roles as $roleId) {
$assignments = array_merge($assignments, parent::getAuthAssignments($roleId));
}
$this->_assignments[$userId] = $assignments;
}
// Prepare the username for the session-agnostic permissions check:
if (!isset($this->_usernames[$userId])) {
if ($userId == Yii::app()->getSuId()) {
$user = Yii::app()->getSuModel();
} else {
$user = User::model()->findByPk($userId);
}
if ($user instanceof User) {
$this->_usernames[$userId] = $user->username;
} else {
$this->_usernames[$userId] = 'Guest';
}
}
// Get whether the user has access:
$hasAccess = parent::checkAccessRecursive($itemName, $userId, $params, $assignments);
// Store locally.
$cacheParams = $this->getCacheParams($params);
if ($cacheParams !== false) {
$this->_access[$userId][$itemName][json_encode($cacheParams)] = $hasAccess;
// Cache
if ($this->caching) {
Yii::app()->authCache->addResult($userId, $itemName, $hasAccess, $cacheParams);
}
}
return $hasAccess;
}
/**
* Removes all authorization data.
*/
public function clearAll()
{
parent::clearAll();
$this->db->createCommand("DELETE FROM {$this->pathTable}")->execute();
}
public function getAuthItem($name)
{
if (array_key_exists($name, $this->_authItems)) {
if ($this->_authItems[$name] == null) {
return null;
}
return new CAuthItem($this, $this->_authItems[$name]['name'], $this->_authItems[$name]['type'], $this->_authItems[$name]['description'], $this->_authItems[$name]['bizrule'], $this->_authItems[$name]['data']);
}
$item = parent::getAuthItem($name);
if ($item == null) {
$this->_authItems[$name] = null;
} else {
$this->_authItems[$name]['name'] = $item->getName();
$this->_authItems[$name]['type'] = $item->getType();
$this->_authItems[$name]['description'] = $item->getDescription();
$this->_authItems[$name]['bizrule'] = $item->getBizRule();
$this->_authItems[$name]['data'] = $item->getData();
}
return $item;
}
protected function checkGroupAccess($itemName, $userId, $params)
{
$user = Yii::app()->getUser();
if (!$user->isGuest) {
$ugroups = Profile::model()->with('groups')->findByPk($userId);
foreach ($ugroups->groups as $group) {
if (parent::checkAccess($itemName, $group->id, $params)) {
return true;
}
}
}
return false;
}
/**
* Revoce authorization assignment from a user
*
* @param string $itemName if null, all user assignments are revoked
* @param int $userId
* @return boolean
*/
public function revoke($itemName, $userId)
{
if ($itemName != NULL) {
return parent::revoke($itemName, $userId);
} else {
$sql = "DELETE FROM {$this->assignmentTable} WHERE userid=:userid";
$command = $this->db->createCommand($sql);
$command->bindValue(':userid', $userId);
return $command->execute() > 0;
}
}
