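/**
 * Revokes a role's access to a single action.
 *
 * The access URI is split at '#' and its fragment at '_' into type,
 * extension, module and action. Two cases are handled:
 *  - the role is listed for the whole controller: the controller-level grant
 *    is removed and the role is granted every other action of the module
 *    individually, so only the requested action ends up revoked;
 *  - the role is listed for the action only: the matching property value is
 *    removed from the role, an AccessRightRemovedEvent is triggered and the
 *    cached access data of the controller is flushed.
 * If the role is listed in neither place, nothing is changed.
 *
 * @access public
 * @author Jehan Bihin, <*****@*****.**>
 * @param string roleUri
 * @param string accessUri
 * @return void
 * @throws \InvalidArgumentException when accessUri has no '#' fragment or the
 *         fragment has fewer than four '_'-separated parts
 */
public function remove($roleUri, $accessUri)
{
    $uri = explode('#', $accessUri);
    $fragmentParts = isset($uri[1]) ? explode('_', $uri[1]) : array();
    // Fail loudly on a malformed URI: continuing with empty components would
    // resolve a different (or no) module, and the revocation could silently
    // do nothing while the caller believes the right was removed.
    if (count($fragmentParts) < 4) {
        throw new \InvalidArgumentException(
            'Malformed action access URI: expected a fragment of the form type_extension_module_action'
        );
    }
    list($type, $ext, $mod, $act) = $fragmentParts;

    $role = new core_kernel_classes_Class($roleUri);
    $actionAccessProperty = new core_kernel_classes_Property(funcAcl_models_classes_AccessService::PROPERTY_ACL_GRANTACCESS);
    $module = new core_kernel_classes_Resource($this->makeEMAUri($ext, $mod));
    $controllerClassName = funcAcl_helpers_Map::getControllerFromUri($module->getUri());

    // access via controller?
    $controllerAccess = funcAcl_helpers_Cache::getControllerAccess($controllerClassName);
    if (in_array($roleUri, $controllerAccess['module'])) {
        // remove access to controller
        // NOTE(review): this branch neither triggers AccessRightRemovedEvent nor
        // flushes the cache itself; confirm that ModuleAccessService::remove()
        // and add() do both, so the revocation is auditable and takes effect.
        funcAcl_models_classes_ModuleAccessService::singleton()->remove($roleUri, $module->getUri());
        // add access to all other actions
        foreach (funcAcl_helpers_Model::getActions($module) as $action) {
            if ($action->getUri() != $accessUri) {
                $this->add($roleUri, $action->getUri());
                $this->getEventManager()->trigger(new AccessRightAddedEvent($roleUri, $action->getUri()));
            }
        }
    } elseif (isset($controllerAccess['actions'][$act]) && in_array($roleUri, $controllerAccess['actions'][$act])) {
        // remove action only
        $role->removePropertyValues($actionAccessProperty, array('pattern' => $accessUri));
        $this->getEventManager()->trigger(new AccessRightRemovedEvent($roleUri, $accessUri));
        // Drop the cached entry so the next access check sees the revocation.
        funcAcl_helpers_Cache::flushControllerAccess($controllerClassName);
    }
}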
/**
 * Decides whether a user may call the given action of a controller.
 *
 * Access is granted when at least one of the user's roles is listed either
 * for the controller as a whole or for the requested action. If loading the
 * controller's access data raises a ReflectionException, access is denied.
 * Denials and unknown controllers are logged at info level.
 *
 * @see \oat\tao\model\accessControl\func\FuncAccessControl::accessPossible()
 * @param User $user
 * @param string $controller identifier passed to funcAcl_helpers_Cache::getControllerAccess()
 * @param string $action key looked up in the 'actions' part of the access data
 * @return bool
 */
public function accessPossible(User $user, $controller, $action)
{
    $rolesOfUser = $user->getRoles();
    // Deny unless the lookup below proves otherwise.
    $granted = false;

    try {
        $access = funcAcl_helpers_Cache::getControllerAccess($controller);

        // Controller-wide grants always apply; action grants are added on top.
        $rolesWithAccess = $access['module'];
        if (isset($access['actions'][$action])) {
            $rolesWithAccess = array_merge($rolesWithAccess, $access['actions'][$action]);
        }

        $granted = count(array_intersect($rolesOfUser, $rolesWithAccess)) > 0;
        if (!$granted) {
            // NOTE(review): controller, action and user identifier are logged
            // as-is; if they can come from the request, confirm the logger
            // neutralises line breaks.
            common_Logger::i('Access denied to ' . $controller . '@' . $action . ' for user \'' . $user->getIdentifier() . '\'');
        }
    } catch (ReflectionException $e) {
        // A controller that cannot be resolved is never accessible.
        common_Logger::i('Unknown controller ' . $controller);
        $granted = false;
    }

    return (bool) $granted;
}
/**
 * Checks that the ACL cache returns an array for the tao_actions_Users
 * controller. Only the type is asserted, not which roles are listed.
 */
public function testACLCache()
{
    $cachedAccess = funcAcl_helpers_Cache::getControllerAccess('tao_actions_Users');
    $isArray = is_array($cachedAccess);

    $this->assertTrue($isArray);
}
/**
 * Shows the access to the actions of a controller for a specific role.
 *
 * Reads the 'role' and 'module' request parameters and returns, as JSON, one
 * entry per controller action, keyed by the action id taken from the action
 * URI and sorted by that key. Each entry holds the action URI and one of
 * ACCESS_INHERITED (an included role is allowed), ACCESS_FULL (the role
 * itself is allowed) or ACCESS_NONE.
 *
 * NOTE(review): both request parameters are used without validation in this
 * method, and the module parameter determines which controller class is
 * inspected; confirm that the caller's authorisation and the parameter values
 * are checked before this action runs.
 *
 * @throws Exception when the request is not an Ajax request
 */
public function getActions()
{
    // Guard: this endpoint only answers Ajax requests.
    if (!tao_helpers_Request::isAjax()) {
        throw new Exception("wrong request mode");
    }

    $role = new core_kernel_classes_Resource($this->getRequestParameter('role'));

    // URIs of the roles this role includes; access through them counts as inherited.
    $inheritedRoleUris = array();
    foreach (tao_models_classes_RoleService::singleton()->getIncludedRoles($role) as $parentRole) {
        $inheritedRoleUris[] = $parentRole->getUri();
    }

    $module = new core_kernel_classes_Resource($this->getRequestParameter('module'));
    $controllerClassName = funcAcl_helpers_Map::getControllerFromUri($module->getUri());
    $controllerAccess = funcAcl_helpers_Cache::getControllerAccess($controllerClassName);

    $result = array();
    foreach (ControllerHelper::getActions($controllerClassName) as $actionName) {
        $actionUri = funcAcl_helpers_Map::getUriForAction($controllerClassName, $actionName);
        $uriPieces = explode('#', $actionUri);
        // Only the fourth '_'-separated piece of the fragment (the action id) is used below.
        list($kind, $extensionId, $moduleId, $actionId) = explode('_', $uriPieces[1]);

        // Controller-wide grants always apply; action grants are added on top.
        $grantedRoles = $controllerAccess['module'];
        if (isset($controllerAccess['actions'][$actionName])) {
            $grantedRoles = array_merge($grantedRoles, $controllerAccess['actions'][$actionName]);
        }

        // Inherited access takes precedence over a direct grant.
        if (count(array_intersect($inheritedRoleUris, $grantedRoles)) > 0) {
            $level = self::ACCESS_INHERITED;
        } elseif (in_array($role->getUri(), $grantedRoles)) {
            $level = self::ACCESS_FULL;
        } else {
            $level = self::ACCESS_NONE;
        }

        $result[$actionId] = array('uri' => $actionUri, 'access' => $level);
    }

    ksort($result);
    $this->returnJson($result);
}