/**
* @param $user
*
*/
protected static function set_rules($user)
{
// Always get again the rules
// To comment if rules should be placed in session
// (will need logout / login) to set new rules.
// self::on_logout();
// Rules : From Session
if (self::$session->userdata('authority_rules')) {
$rules = self::$session->userdata('authority_rules');
} else {
// Models
self::$ci->load->model(array('role_model', 'rule_model'), '', TRUE);
// Roles rules
$rules = self::$ci->rule_model->get_from_role($user->get_role());
// To Session
self::$session->set_userdata('authority_rules', $rules);
}
// Check for Super Admin role
foreach ($rules as $rule) {
if ($rule['resource'] == 'all') {
self::$has_all = TRUE;
Authority::allow('manage', 'all');
break;
}
}
// Other role
if (!self::$has_all) {
foreach ($rules as $rule) {
// Read action
$rule['permission'] == 1 ? Authority::allow('access', $rule['resource']) : Authority::deny('access', $rule['resource']);
// Other actions
if (!empty($rule['actions'])) {
$actions = explode(',', $rule['actions']);
foreach ($actions as $action) {
$rule['permission'] == 1 ? Authority::allow($action, $rule['resource']) : Authority::deny($action, $rule['resource']);
}
}
}
}
}
// The logged in user is an admin, we allow him to perform manage actions (create, read, update, delete) on "all" "Resources".
Authority::allow('manage', 'all');
// Let's say we want to "Deny" the admin from adding accounts if his age is below 21 (i don't mean to discriminate ;)
// Since we have the User object, and it has an "age" property, we can make a simple if statement.
if ($user->age < 21) {
// Too young! we "deny" the user to create users, i'm sorry...
Authority::deny('create', 'User');
}
// Let's make it a little harder, we don't want the admin to be able to delete his own User account, but has to be allowed to delete other Users.
// We only know that the "Resource" is a User, But we don't know the User id, we can send that information to the Rule Closure, in the Closure below, the argument is called $that_user.
// We also pass in the logged in user, since the Closure is outside of the scope where this comment is in.
Authority::deny('delete', 'User', function ($that_user) use($user) {
// If the id of the User that we are trying to delete is equal to our logged in user, we return true, meaning the Deny Rule will be set.
return (int) $that_user->id === (int) $user->id;
});
}
if ($user->has_role('store_owner')) {
// What if the logged in User has the role "store_owner", let's allow the user to manage his own store
Authority::allow('manage', 'Store', function ($store) use($user) {
return is_null(DB::table('stores')->where_id($store->id)->where_user_id($user->id)->first());
});
// We can also allow "Actions" on certain "Resources" by results we get from somewhere else, look closely at the next example
foreach (DB::table('permissions')->where_user_id($user->id)->get() as $permission) {
if ($permission->type === 'allow') {
Authority::allow($permission->action, $permission->resource);
} else {
Authority::deny($permission->action, $permission->resource);
}
}
}
});
