isScalrAdmin() public method

Checks if the user is Scalr admin
public isScalrAdmin ( ) : boolean
return boolean Returns true if user is Scalr Admin
コード例 #1
ファイル: Request.php プロジェクト: scalr/scalr
 /**
  * Checks if access to ACL resource or unique permission is allowed
  *
  * Usage:
  * --
  * use \Scalr\Acl\Acl;
  *
  * The ID of the ACL resource; The ID of the unique permission which is related to specified resource
  * $this->request->isAllowed(Acl::RESOURCE_FARMS, Acl::PERM_FARMS_EDIT);
  *
  * Array of IDs of the ACL resources (access is allowed if the user has permission on any one of them); The ID of the unique permission which is related to specified resource
  * $this->request->isAllowed([Acl::RESOURCE_FARMS, Acl::RESOURCE_OWN_FARMS], Acl::PERM_FARMS_EDIT);
  *
  * Mnemonic constants: resource, permission
  * Method interprets $resourceMnemonic as RESOURCE_$resourceMnemonic_$scope, $permissionMnemonic as PERM_$resourceMnemonic_$scope_$permissionMnemonic
  * For example, call(ROLES, MANAGE) on account scope will check RESOURCE_ROLES_ACCOUNT, PERM_ROLES_ACCOUNT_MANAGE
  * $this->request->isAllowed('ROLES', 'MANAGE');
  *
  * @param   int|string|array    $resourceId             The ID or Name of the ACL resource or array of resources
  * @param   string              $permissionId optional  The ID or Name of the unique permission which is
  *                                                      related to specified resource.
  * @return  bool       Returns TRUE if access is allowed
  */
 public function isAllowed($resourceId, $permissionId = null)
 {
     // Scalr admins are granted access up front because no ACL permissions exist on the scalr
     // scope. Nothing below (mnemonic resolution included) runs for them.
     // NOTE(review): this reads $this->user directly while the ACL call below goes through
     // $this->getUser(); confirm both always refer to the same, non-null user.
     if ($this->user->isScalrAdmin()) {
         return true;
     }

     // A string resource is treated as a mnemonic and resolved against the current scope.
     // Only a top-level string is translated here; elements of an array are passed on unchanged.
     if (is_string($resourceId)) {
         $mnemonic = $resourceId;
         $resourceId = Acl::getResourceIdByMnemonic($mnemonic, $this->getScope());

         // NOTE(review): any falsy permission mnemonic ('' or '0' as well as null) becomes null.
         // Presumably null means "resource-level check only" downstream; confirm that an
         // accidentally empty permission cannot widen what is being authorized.
         if ($permissionId) {
             $permissionId = Acl::getPermissionIdByMnemonic($mnemonic, $permissionId, $this->getScope());
         } else {
             $permissionId = null;
         }
     }

     // Single ACL decision for one resource id, evaluated for the request's user and environment.
     $isGranted = function ($candidateId) use ($permissionId) {
         return \Scalr::getContainer()->acl->isUserAllowedByEnvironment(
             $this->getUser(),
             $this->getEnvironment(),
             $candidateId,
             $permissionId
         );
     };

     if (!is_array($resourceId)) {
         return $isGranted($resourceId);
     }

     // Array form: the first resource that grants access wins.
     foreach ($resourceId as $candidateId) {
         if ($isGranted($candidateId)) {
             return true;
         }
     }

     // No resource granted access; an empty array also ends here, so the check fails closed.
     return false;
 }
コード例 #2
 /**
  * Checks if specified resource is allowed for superposition of the roles.
  *
  * If access permission is allowed at least in one role it is considered to be allowed.
  * Current exclude filter will be applied
  *
  * @param   int              $resourceId   The ID of the resource.
  * @param   string           $permissionId optional The ID of the permission associated with resource.
  * @return  bool|null        Returns true if access is allowed.
  *                           If resource or permission isn't overridden it returns null.
  * @throws  Exception\RoleObjectException
  */
 public function isAllowed($resourceId, $permissionId = null)
 {
     // Identity-based shortcuts apply only when a user is attached to this collection;
     // without one, the decision rests entirely on the roles iterated below.
     if ($this->user) {
         // Scalr Admin and Account Owner are allowed everything, with no ACL defined for them.
         if ($this->user->isAccountOwner() || $this->user->isScalrAdmin()) {
             return true;
         }

         // Account Admin should be able to manage all relationships between environments and teams.
         // This shortcut is deliberately narrow: exactly this resource, with no permission given.
         if ($resourceId === Acl::RESOURCE_ENVADMINISTRATION_ENV_CLOUDS
             && $permissionId === null
             && $this->user->canManageAcl()
         ) {
             return true;
         }
     }

     // Superposition of roles: one role that allows the access is enough, and the scan stops
     // at the first such role. As written, this method only ever returns a bool; an empty
     // role set yields false.
     $granted = false;
     for ($roles = $this->getIterator(); $roles->valid() && !$granted; $roles->next()) {
         $granted = (bool) $roles->current()->isAllowed($resourceId, $permissionId);
     }

     return $granted;
 }
コード例 #3
ファイル: Acl.php プロジェクト: recipe/scalr
 /**
  * Checks whether access to ACL resource or unique permission is allowed.
  *
  * @param   \Scalr_Account_User $user                  The user
  * @param   \Scalr_Environment  $environment           The client's environment
  * @param   int                 $resourceId            The ID of the ACL resource or its symbolic name without "RESOURCE_" prefix.
  * @param   string              $permissionId optional The ID of the unique permission which is
  *                                            related to specified resource.
  * @return  bool                Returns TRUE if access is allowed
  */
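 public function isUserAllowedByEnvironment(\Scalr_Account_User $user, $environment, $resourceId, $permissionId = null)
 {
     // Decides whether $user may access $resourceId (optionally narrowed to $permissionId)
     // within $environment. Order of checks: Scalr admin bypass, environment/account match,
     // account owner bypass, then the user's ACL roles for that environment.

     // Scalr admin is granted access before any environment or account check is made.
     if ($user->isScalrAdmin()) {
         return true;
     }

     // Fail closed when no environment object is supplied.
     if (!$environment instanceof \Scalr_Environment) {
         return false;
     }

     // Account boundary: the environment must belong to the user's account.
     // Both ids are compared as strings with a strict operator, so type juggling
     // (for example null against 0, or a non-numeric string against 0) can never make
     // two different accounts look equal. Matching ids such as "5" and 5 still compare equal.
     if ((string) $environment->clientId !== (string) $user->getAccountId()) {
         return false;
     }

     // The account owner is allowed everything inside their own account; this is only
     // reached after the account boundary check above has passed.
     if ($user->isAccountOwner()) {
         return true;
     }

     // A string resource is a symbolic name: it is upper-cased and looked up as a
     // RESOURCE_* constant on Scalr\Acl\Acl. Unknown names are rejected with an exception
     // rather than being treated as "not allowed".
     if (is_string($resourceId)) {
         $sName = 'Scalr\\Acl\\Acl::RESOURCE_' . strtoupper($resourceId);
         if (!defined($sName)) {
             throw new \InvalidArgumentException(sprintf('Cannot find ACL resource %s by specified symbolic name %s.', $sName, $resourceId));
         }
         $resourceId = constant($sName);
     }

     // The final decision comes from the user's ACL roles in this environment, normalised to bool.
     return (bool) $user->getAclRolesByEnvironment($environment->id)->isAllowed($resourceId, $permissionId);
 }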