/**
 * Registers the rules for the 'employee' and 'admin' roles.
 *
 * Rules are added in the order below. Employee rules are conditioned on the
 * isOwner assertion; the final deny on 'admin' is conditioned on isNotOwner,
 * so an admin cannot mark somebody else's message as read.
 *
 * @param Permission $authorizator ACL the rules are added to
 * @return void
 */
private function defineRelationships(Permission $authorizator)
{
    $ownerOnly = [$this, 'isOwner'];
    $notOwner = [$this, 'isNotOwner'];

    // employee: every privilege on own listings, a fixed set on own messages
    $employeeRules = [
        ['listing', Permission::ALL],
        ['message', ['send', 'remove', 'view', 'mark_as_read']],
    ];
    foreach ($employeeRules as $rule) {
        list($resource, $privileges) = $rule;
        $authorizator->allow('employee', $resource, $privileges, $ownerOnly);
    }

    // admin: everything, except marking another owner's message as read
    $authorizator->allow('admin', null, Permission::ALL);
    $authorizator->deny('admin', 'message', 'mark_as_read', $notOwner);
}
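/**
 * Checks whether the given role holds the privilege on the resource.
 *
 * @param string $role
 * @param string $resource
 * @param string $privilege
 * @return bool
 */
public function isAllowed($role, $resource, $privilege)
{
    // the decision is made by the wrapped ACL; the cast replaces the former
    // if/else that only re-spelled the boolean
    return (bool) $this->acl->isAllowed($role, $resource, $privilege);
}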
/**
 * Recursively collects the given role together with all of its ancestor roles.
 *
 * The role itself comes first, followed by its parents in the order the ACL
 * reports them; a role reachable through several paths is listed once.
 *
 * @param string $role
 * @return array<int, string>
 */
public function getEffectiveRoles($role)
{
    $seen = array($role => true);
    foreach ($this->acl->getRoleParents($role) as $ancestor) {
        foreach ($this->getEffectiveRoles($ancestor) as $inherited) {
            // re-setting an existing key keeps its original position
            $seen[$inherited] = true;
        }
    }
    return array_keys($seen);
}
/**
 * Answers an ACL query, first reporting roles or resources the ACL does not know.
 *
 * Both hooks (onUndefinedRole / onUndefinedResource) run before the ACL is
 * consulted; the query itself is then delegated unchanged.
 *
 * @param mixed $role role id, or IAuthorizator::ALL
 * @param mixed $resource resource id, or IAuthorizator::ALL
 * @param mixed $privilege privilege, or IAuthorizator::ALL
 * @return bool
 */
public function isAllowed($role = IAuthorizator::ALL, $resource = IAuthorizator::ALL, $privilege = IAuthorizator::ALL)
{
    $roleKnown = $this->acl->hasRole($role);
    if (!$roleKnown) {
        $this->onUndefinedRole($role);
    }

    $resourceKnown = $this->acl->hasResource($resource);
    if (!$resourceKnown) {
        $this->onUndefinedResource($resource);
    }

    return $this->acl->isAllowed($role, $resource, $privilege);
}
/**
 * Verifies that the current user may perform $privilege on $resource.
 *
 * The ROOT_ROLE short-circuits every check. Otherwise each of the user's
 * roles is consulted and one granting role is enough; roles or resources
 * the ACL does not know count as not granting access instead of being
 * queried.
 *
 * @param string $resource
 * @param string $privilege
 * @return true|null true for the root role; nothing when a role grants access
 * @throws \AclException when no role grants access (code 403)
 */
public function check($resource, $privilege)
{
    if ($this->user->isInRole(static::ROOT_ROLE)) {
        return true;
    }

    $granted = false;
    foreach ($this->user->getRoles() as $userRole) {
        $roleGrants = $this->acl->hasRole($userRole)
            && $this->acl->hasResource($resource)
            && $this->acl->isAllowed($userRole, $resource, $privilege);
        // every role is evaluated; no early exit once one grants access
        $granted = $roleGrants || $granted;
    }

    if (!$granted) {
        throw new \AclException("Unauthorized access to resource '{$resource}' privilege '{$privilege}' :(", 403);
    }
}
/**
 * Presenter startup: requires a logged-in user whose role may insert articles.
 *
 * Login is checked by UserAuxFactory::testLoginStatus() (presumably it
 * redirects when nobody is logged in — otherwise getIdentity() below would
 * be null; confirm against that class). The role then needs the
 * 'Admin:Article:Insert' permission, else the user is flashed a message
 * and sent to Homepage:Default.
 */
public function startup()
{
    parent::startup();

    // redirect if not logged in
    $userAux = new \App\Tools\UserAuxFactory($this);
    $userAux->testLoginStatus();

    $identityData = $this->user->getIdentity()->getData();
    $currentRole = $identityData['role'];

    $mayInsert = $this->_permission->isAllowed($currentRole, 'Admin:Article:Insert');
    if (!$mayInsert) {
        $this->flashMessage('Přístup odmítnut!');
        $this->redirect('Homepage:Default');
    }
}
/**
 * Builds the application ACL: guest < user < admin.
 *
 * Everything is denied by default; admin is then allowed everything and a
 * user may additionally add comments.
 *
 * @return Permission
 */
public static function createAuthorizator()
{
    $acl = new Permission();

    // roles, each inheriting from the previous one
    $hierarchy = array("guest" => null, "user" => "guest", "admin" => "user");
    foreach ($hierarchy as $roleName => $inheritsFrom) {
        $acl->addRole($roleName, $inheritsFrom);
    }

    foreach (array('clip', 'comment') as $resourceName) {
        $acl->addResource($resourceName);
    }

    $acl->deny();
    $acl->allow("admin");
    $acl->allow("user", "comment", "add");

    return $acl;
}
/**
 * ACL query that registers an unknown resource before asking the parent.
 *
 * NOTE(review): a resource name the ACL does not know (for instance a typo)
 * is silently added with no rules of its own, so the answer for it rests
 * solely on role-wide or ALL-resource rules — confirm that is the intended
 * fail mode.
 *
 * @param mixed $role
 * @param mixed $resource
 * @param mixed $privilege
 * @return bool
 */
public function isAllowed($role = self::ALL, $resource = self::ALL, $privilege = self::ALL)
{
    $isConcreteResource = $resource !== self::ALL;
    if ($isConcreteResource && !$this->hasResource($resource)) {
        $this->addResource($resource);
    }
    return parent::isAllowed($role, $resource, $privilege);
}
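/**
 * ACL query that answers false for resources the ACL does not know instead
 * of letting the parent throw.
 *
 * NOTE(review): a query with $resource = self::ALL also answers false here,
 * because ALL is not itself a registered resource — confirm whether that is
 * intended.
 *
 * @param mixed $role
 * @param mixed $resource
 * @param mixed $privilege
 * @return bool
 */
public function isAllowed($role = self::ALL, $resource = self::ALL, $privilege = self::ALL)
{
    // strict: a loose in_array lets numeric-looking names such as '10' and '1e1' match each other
    if (!in_array($resource, $this->getResources(), true)) {
        return false;
    }
    return parent::isAllowed($role, $resource, $privilege);
}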
/**
 * Denies one or more roles access to [certain $privileges upon] the given
 * resource(s). When $assertion is given it must return TRUE for the rule to
 * apply; it is invoked with the current identity and the queried resource
 * and role.
 *
 * @param string|array|Permission::ALL $roles
 * @param string|array|Permission::ALL $resources
 * @param string|array|Permission::ALL $privileges
 * @param callable|null $assertion
 * @return self
 */
public function deny($roles = self::ALL, $resources = self::ALL, $privileges = self::ALL, $assertion = null)
{
    $wrapped = null;
    if ($assertion !== null) {
        // bind the caller's assertion to the identity and the query context
        $wrapped = function () use ($assertion) {
            return Callback::invoke(
                $assertion,
                $this->identity,
                $this->getQueriedResource(),
                $this->getQueriedRole()
            );
        };
    }
    return parent::deny($roles, $resources, $privileges, $wrapped);
}
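/**
 * ACL query with a hard-coded bypass for the "root" role.
 *
 * The ACL for $role is initialised via Init() first; if that fails with an
 * InvalidStateException the query answers false (fail closed).
 *
 * @param mixed $role
 * @param mixed $resource
 * @param mixed $privilege
 * @return bool
 */
public function isAllowed($role = self::ALL, $resource = self::ALL, $privilege = self::ALL)
{
    // strict comparison: with == a non-string role such as true compared equal to "root"
    if ($role === "root") {
        return true;
    }
    try {
        $this->Init($role);
        return $this->acl->isAllowed($role, $resource, $privilege);
    } catch (InvalidStateException $e) {
        // unresolved role/resource is treated as denied
        return false;
    }
}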
/**
 * Builds the application ACL: guest < user < admin, everything denied
 * except for admin, who is allowed everything.
 *
 * @return Permission
 */
public static function createAuthorizator()
{
    $acl = new Permission;

    // roles, each inheriting from the previous one
    $hierarchy = array("guest" => null, "user" => "guest", "admin" => "user");
    foreach ($hierarchy as $roleName => $inheritsFrom) {
        $acl->addRole($roleName, $inheritsFrom);
    }

    $acl->deny();
    $acl->allow("admin");

    return $acl;
}
/**
 * Returns the application ACL, building it from the database and caching the
 * result under the 'acl' key (tagged with self::CACHE_TAG).
 *
 * Before the CMS is installed, or when the role query fails at the database
 * layer, an empty Permission (no roles, resources or rules) is returned and
 * nothing is cached.
 *
 * @return Nette\Security\Permission
 */
public function create()
{
    if (!$this->cmsInstalled) {
        return new Nette\Security\Permission();
    }

    $cached = $this->cache->load('acl');
    if ($cached !== NULL) {
        return $cached;
    }

    $permission = new Nette\Security\Permission();

    try {
        foreach ($this->roleService->findAll() as $role) {
            $parentName = $role->parent === NULL ? NULL : $role->parent->name;
            $permission->addRole($role->name, $parentName);
        }
    } catch (Kdyby\Doctrine\DBALException $ex) {
        // database unavailable: fall back to a rule-less ACL, uncached
        return new Nette\Security\Permission();
    }

    foreach ($this->resourceService->findAll() as $resource) {
        $permission->addResource($resource->name);
    }

    foreach ($this->aclService->findAll() as $entry) {
        $roleName = $entry->role->name;
        $resourceName = $entry->permission->resource->name;
        $privilegeName = $entry->permission->privilege->name;
        if ($entry->allow) {
            $permission->allow($roleName, $resourceName, $privilegeName);
        } else {
            $permission->deny($roleName, $resourceName, $privilegeName);
        }
    }

    $this->cache->save('acl', $permission, [Nette\Caching\Cache::TAGS => self::CACHE_TAG]);

    return $permission;
}
/**
 * Checks whether a role may use a privilege on a resource.
 *
 * Delegates straight to the parent ACL. No owner-based check is applied; a
 * sketch of one (IOwnerResource / OwnerRole) was removed as dead code.
 *
 * @param string|IRole|Permission::ALL $role
 * @param string|IResource|Permission::ALL $resource
 * @param string|Permission::ALL $privilege
 * @throws \Nette\InvalidStateException
 * @return bool
 */
public function isAllowed($role = self::ALL, $resource = self::ALL, $privilege = self::ALL)
{
    // standard ACL decision
    $decision = parent::isAllowed($role, $resource, $privilege);
    return $decision;
}
/**
 * Builds the ACL: guest < demo < admin. Guests may read Front, demo may
 * read Admin:Admin, admin may do anything.
 */
public function __construct()
{
    $permission = new Nette\Security\Permission();

    // roles; each entry inherits from the previous one
    $previous = NULL;
    foreach (array('guest', 'demo', 'admin') as $roleName) {
        $permission->addRole($roleName, $previous);
        $previous = $roleName;
    }

    // resources users can reach
    $permission->addResource('Admin:Admin');
    $permission->addResource('Front');

    // who may do what with which resource
    $permission->allow('guest', 'Front', self::READ);
    $permission->allow('demo', 'Admin:Admin', self::READ);
    $permission->allow('admin', Permission::ALL, Permission::ALL);

    $this->acl = $permission;
}
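/**
 * ACL query for a resource given as a name, as a [name, type] pair, or as an
 * IResourceEntity (resolved to its class name under the 'entities' type).
 *
 * If the type is unknown or the parent lookup reports an unknown role or
 * resource (Nette\InvalidStateException), the missing role and resource
 * are registered and the query is repeated once.
 *
 * NOTE(review): because unknown names are registered on the fly, a typo in
 * a role or resource name yields a fresh, rule-less entry rather than an
 * error; the answer then rests on wildcard rules only — confirm intended.
 *
 * @param mixed $role
 * @param mixed $resource string, array{0:string,1?:string} or IResourceEntity
 * @param mixed $privilege
 * @return bool
 */
public function isAllowed($role = \Nette\Security\Permission::ALL, $resource = \Nette\Security\Permission::ALL, $privilege = \Nette\Security\Permission::ALL)
{
    if (is_array($resource)) {
        // explicit lookups instead of @list(): a one-element array is valid input
        $type = isset($resource[1]) ? $resource[1] : NULL;
        $resource = isset($resource[0]) ? $resource[0] : NULL;
    } else {
        $type = NULL;
    }

    if ($resource instanceof IResourceEntity) {
        $resource = $resource->getClassName();
        $type = $type ?: 'entities';
    }

    try {
        if ($type && !$this->hasResource($type)) {
            throw new Nette\InvalidStateException();
        }
        return parent::isAllowed($role, $resource, $privilege);
    } catch (Nette\InvalidStateException $e) {
        $this->addMissingRole($role);
        $this->addMissingResource($resource, $type);
    }

    // second attempt after registering what was missing
    return parent::isAllowed($role, $resource, $privilege);
}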
/**
 * Is the user allowed to access this presenter and action?
 *
 * The role is the identity's role for a logged-in user, otherwise the
 * configured guest role; the resource comes from getResource().
 *
 * @throws Nette\InvalidStateException
 * @return bool
 */
protected function isAllowed()
{
    if ($this->user->isLoggedIn()) {
        $effectiveRole = $this->user->getIdentity()->role;
    } else {
        $effectiveRole = $this->user->guestRole;
    }
    $requested = $this->getResource();

    return $this->acl->isAllowed($effectiveRole, $requested);
}
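/**
 * Adds the rules of $role (and, recursively, of its ancestors) to $permission.
 *
 * 'admin' is a built-in role allowed everything. Any other role is loaded
 * from the repository when the connection check passes; its parent chain is
 * registered first, then the role itself, then its allow/deny rules for
 * resources the ACL already knows (rules for unknown resources are skipped).
 *
 * NOTE(review): nothing here guards against a parent cycle in the role
 * table; such data would recurse without bound.
 *
 * @param Permission $permission
 * @param string $role
 * @return Permission
 */
protected function setPermissionsByRole(Permission $permission, $role)
{
    // strict: with == a non-string such as true (or 0 before PHP 8) compared equal to 'admin'
    if ($role === 'admin') {
        $permission->allow('admin', Permission::ALL);
        return $permission;
    }

    if (!$this->checkConnection->invoke()) {
        return $permission;
    }

    $roleEntity = $this->roleRepository->findOneByName($role);
    if (!$roleEntity) {
        return $permission;
    }

    // ancestors first so the parent is registered before addRole() references it
    if ($roleEntity->parent) {
        $this->setPermissionsByRole($permission, $roleEntity->parent->name);
    }

    if (!$permission->hasRole($role)) {
        $permission->addRole($role, $roleEntity->parent ? $roleEntity->parent->name : NULL);
    }

    // allow/deny rules
    foreach ($roleEntity->permissions as $perm) {
        if (!$permission->hasResource($perm->resource)) {
            continue;
        }
        $privilege = $perm->privilege ?: NULL;
        if ($perm->allow) {
            $permission->allow($role, $perm->resource, $privilege);
        } else {
            $permission->deny($role, $perm->resource, $privilege);
        }
    }

    return $permission;
}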
/**
 * Loads every stored permission (joined with its privilege) and replays it
 * into the ACL as an allow or deny rule, then grants Role::GOD everything.
 *
 * @param Permission $acl
 * @return void
 */
private function loadPermissions(Permission $acl)
{
    $dql = 'SELECT p, pr FROM ' . \Users\Authorization\Permission::class . ' p LEFT JOIN p.privilege pr';
    $stored = $this->em->createQuery($dql)->execute();

    /** @var \Users\Authorization\Permission $entry */
    foreach ($stored as $entry) {
        $roleName = $entry->getRoleName();
        $resourceName = $entry->getResourceName();
        $privilegeName = $entry->getPrivilegeName();
        if ($entry->isAllowed() === true) {
            $acl->allow($roleName, $resourceName, $privilegeName);
        } else {
            $acl->deny($roleName, $resourceName, $privilegeName);
        }
    }

    // superuser: every resource, every privilege
    $acl->allow(Role::GOD, IAuthorizator::ALL, IAuthorizator::ALL);
}
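/**
 * Delegates the ACL query to the wrapped authorizator.
 *
 * @param mixed $role
 * @param mixed $resource
 * @param mixed $privilege
 * @return bool
 */
public function isAllowed($role, $resource, $privilege)
{
    return $this->acl->isAllowed($role, $resource, $privilege);
}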
/**
 * Returns the user's roles keyed by themselves (role => role).
 *
 * @return array<string, string>
 */
public function getRoles()
{
    $byName = array();
    foreach (parent::getRoles() as $roleName) {
        $byName[$roleName] = $roleName;
    }
    return $byName;
}
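/**
 * Admin presenter startup: enforces login, builds the request-scoped ACL,
 * checks the current action against it and collects the module menu.
 *
 * The login requirement is skipped for the 'Admin:Sign' presenter. The ACL
 * check is skipped for the whole 'Admin:Image' presenter and for the action
 * names listed in isAclExempt() in any presenter; those stay reachable by
 * every logged-in user regardless of role.
 */
public function startup()
{
    parent::startup();

    if ($this->getName() !== 'Admin:Sign' && !$this->user->isLoggedIn()) {
        $this->redirect('Sign:default');
    }

    $this->buildAcl();
    $this->enforceAcl();
    $this->loadMenuModules();
}

/**
 * Registers roles, resources and allow rules from the database, plus the
 * built-in super_admin role, the open homepage/sign resources and the
 * default guest role.
 */
private function buildAcl()
{
    foreach ($this->roles->getAll() as $role) {
        $this->acl->addRole($role['system_name']);
    }
    foreach ($this->resources->getAll() as $resource) {
        $this->acl->addResource($resource['system_name']);
    }
    foreach ($this->permissions->getAll() as $permission) {
        $this->acl->allow($permission->role->system_name, $permission->resource->system_name, $permission->privilege->system_name);
    }

    // super_admin may do everything
    $this->acl->addRole('super_admin');
    $this->acl->allow('super_admin');

    // homepage and sign are open to every role
    $this->acl->addResource('homepage');
    $this->acl->allow(\App\AdminModule\Components\Authorizator::ALL, 'homepage');
    $this->acl->addResource('sign');
    $this->acl->allow(\App\AdminModule\Components\Authorizator::ALL, 'sign');

    // default role
    $this->acl->addRole('guest');
}

/**
 * Redirects to Homepage:default with an error flash when the user lacks the
 * privilege (current action) on the resource (simple presenter name).
 */
private function enforceAcl()
{
    if ($this->isAclExempt()) {
        return;
    }
    if (!$this->getUser()->isAllowed($this->getNameSimple(), $this->getAction())) {
        $this->flashMessage($this->translator->translate('admin.login.noAccess'), 'error');
        $this->redirect('Homepage:default');
    }
}

/**
 * True when the request bypasses the ACL check: the whole Admin:Image
 * presenter, or any of the listed action names in any presenter.
 *
 * @return bool
 */
private function isAclExempt()
{
    if ($this->getName() === 'Admin:Image') {
        return true;
    }
    $exemptActions = array('ordering', 'orderingCategory', 'deleteImage', 'changePassword', 'getCity', 'download');
    return in_array($this->getAction(), $exemptActions, true);
}

/**
 * Scans the sibling module directories for src/setting.xml files and records
 * each declared presenter (name, resource) in $this->menuModules.
 */
private function loadMenuModules()
{
    $modulesDir = __DIR__ . '/../../../';
    $handle = opendir($modulesDir);
    if ($handle === false) {
        // nothing to scan; readdir() on false would be an error
        return;
    }
    while (($entry = readdir($handle)) !== false) {
        if (in_array($entry, array('.', '..'), true)) {
            continue;
        }
        $settingFile = $modulesDir . $entry . '/src/setting.xml';
        if (!file_exists($settingFile)) {
            continue;
        }
        $xml = simplexml_load_file($settingFile);
        // an unparsable file yields false and is skipped
        if ($xml !== false && isset($xml->presenter)) {
            $this->menuModules[] = array(
                'name' => (string) $xml->presenter->name,
                'resource' => (string) $xml->presenter->resource,
            );
        }
    }
    closedir($handle);
}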
/**
 * Adds a role, registering its parent from $this->rolesRels first when that
 * parent is not yet known (roles may arrive from the database in any order).
 * An already-registered role is left untouched.
 *
 * NOTE(review): the $parents argument is not used — the parent is always
 * taken from $this->rolesRels, and when several parents are listed there
 * only the last one is passed on to the parent class; confirm whether
 * multiple parents were meant to be kept.
 *
 * @param string $role
 * @param mixed $parents ignored, see note above
 * @return mixed the parent class's return value ($this when the role already exists)
 */
public function addRole($role, $parents = null)
{
    if ($this->hasRole($role)) {
        return $this;
    }

    $effectiveParent = null;
    $declaredParents = isset($this->rolesRels[$role]) ? $this->rolesRels[$role] : null;
    if (is_array($declaredParents)) {
        foreach ($declaredParents as $ancestor) {
            if (!$this->hasRole($ancestor)) {
                $this->addRole($ancestor);
            }
            // later entries overwrite earlier ones
            $effectiveParent = $ancestor;
        }
    }

    return parent::addRole($role, $effectiveParent);
}
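/**
 * Copies the stored rules into the Permission object.
 *
 * When the rules cannot be loaded the error is logged and the method
 * returns, leaving the ACL without any rule (fail closed: a Permission with
 * no allow rules grants nothing) instead of iterating an undefined variable.
 *
 * @param Permission $p
 * @return void
 */
private function setRules(Permission $p)
{
    try {
        $rules = $this->rulesService->getRules();
    } catch (Exceptions\DataErrorException $e) {
        $this->logError($e->getMessage());
        return;
    }

    foreach ($rules as $rule) {
        $roleName = $rule->getRole()->getName();
        $resource = $rule->hasResource() ? $rule->getResource() : Permission::ALL;
        $privileges = $rule->hasPrivilege() ? $rule->getPrivileges() : Permission::ALL;
        if ($rule->isPermit()) {
            $p->allow($roleName, $resource, $privileges);
        } else {
            $p->deny($roleName, $resource, $privileges);
        }
    }
}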