/**
 * Tells whether the current request's user may access an ACL resource, optionally
 * narrowed to one unique permission of that resource.
 *
 * Usage:
 * --
 * use \Scalr\Acl\Acl;
 *
 * Resource ID plus the ID of a unique permission that belongs to that resource:
 * $this->request->isAllowed(Acl::RESOURCE_FARMS, Acl::PERM_FARMS_EDIT);
 *
 * Array of resource IDs (access is granted as soon as ANY one of them is allowed):
 * $this->request->isAllowed([Acl::RESOURCE_FARMS, Acl::RESOURCE_OWN_FARMS], Acl::PERM_FARMS_EDIT);
 *
 * Mnemonic names for resource and permission:
 * $resourceMnemonic is interpreted as RESOURCE_$resourceMnemonic_$scope and
 * $permissionMnemonic as PERM_$resourceMnemonic_$scope_$permissionMnemonic.
 * For example, call(ROLES, MANAGE) on account scope checks
 * RESOURCE_ROLES_ACCOUNT and PERM_ROLES_ACCOUNT_MANAGE:
 * $this->request->isAllowed('ROLES', 'MANAGE');
 *
 * @param   int|string|array $resourceId    The ID or mnemonic name of the ACL resource,
 *                                          or an array of resources
 * @param   string           $permissionId  optional The ID or mnemonic name of the unique
 *                                          permission related to the resource
 * @return  bool Returns TRUE if access is allowed
 */
public function isAllowed($resourceId, $permissionId = null)
{
    // Scalr admins short-circuit the check: there are no permissions on scalr scope.
    if ($this->user->isScalrAdmin()) {
        return true;
    }

    if (is_string($resourceId)) {
        // A string is always treated as a mnemonic and resolved against the current scope.
        $mnemonic = $resourceId;
        $resourceId = Acl::getResourceIdByMnemonic($mnemonic, $this->getScope());

        // Any falsy permission (null, '', 0, '0') collapses to null, which turns the
        // call into a resource-level check without a specific permission.
        if ($permissionId) {
            $permissionId = Acl::getPermissionIdByMnemonic($mnemonic, $permissionId, $this->getScope());
        } else {
            $permissionId = null;
        }
    }

    if (!is_array($resourceId)) {
        // Single resource: the ACL service's answer is returned unchanged.
        return \Scalr::getContainer()->acl->isUserAllowedByEnvironment(
            $this->getUser(),
            $this->getEnvironment(),
            $resourceId,
            $permissionId
        );
    }

    // Several resources: OR semantics, the first allowed resource grants access.
    // Callers that need every listed resource to be allowed must check them one by one.
    foreach ($resourceId as $candidateId) {
        $granted = \Scalr::getContainer()->acl->isUserAllowedByEnvironment(
            $this->getUser(),
            $this->getEnvironment(),
            $candidateId,
            $permissionId
        );

        if ($granted) {
            return true;
        }
    }

    // No listed resource was allowed (this includes an empty list): deny.
    return false;
}
/**
 * Checks whether the specified resource is allowed for the superposition of the roles.
 *
 * Access is considered allowed as soon as at least one role in the collection allows it.
 * The roles are taken from $this->getIterator(); per the original notes the current
 * exclude filter is applied there.
 *
 * Shortcuts that bypass the per-role evaluation when a user is attached:
 *  - Account Owner and Scalr Admin are allowed everything, no ACL is consulted;
 *  - a user for whom canManageAcl() is true is allowed
 *    Acl::RESOURCE_ENVADMINISTRATION_ENV_CLOUDS, but only for the resource-level
 *    check (no permission ID supplied).
 *
 * @param   int        $resourceId    The ID of the resource.
 * @param   string     $permissionId  optional The ID of the permission associated with resource.
 * @return  bool       Returns true if access is allowed, false otherwise. Every role's
 *                     answer is cast to bool, so a role that answers null ("not
 *                     overridden") counts as a denial and this method never returns null.
 * @throws  Exception\RoleObjectException
 */
public function isAllowed($resourceId, $permissionId = null)
{
    if ($this->user) {
        // Scalr Admin and Account Owner are allowed for everything, without any ACL defined for them.
        if ($this->user->isAccountOwner() || $this->user->isScalrAdmin()) {
            return true;
        }

        // Account Admin should be able to manage all relations between environments and teams.
        // The strict === null comparison keeps this bypass away from permission-specific checks.
        if ($resourceId === Acl::RESOURCE_ENVADMINISTRATION_ENV_CLOUDS
            && $permissionId === null
            && $this->user->canManageAcl()) {
            return true;
        }
    }

    // Default deny: stays false unless some role explicitly allows the access.
    $granted = false;

    // Walk the roles and stop after the first one that allows the access.
    for ($roles = $this->getIterator(); $roles->valid() && !$granted; $roles->next()) {
        $granted = (bool) $roles->current()->isAllowed($resourceId, $permissionId);
    }

    return $granted;
}
/**
 * Checks whether access to an ACL resource or unique permission is allowed for
 * the given user within the given environment.
 *
 * Decision order:
 *  1. Scalr Admin: allowed, the environment is not inspected;
 *  2. missing/invalid environment, or environment owned by another account: denied;
 *  3. Account Owner of the environment's account: allowed;
 *  4. otherwise the user's ACL roles for this environment decide.
 *
 * @param   \Scalr_Account_User $user          The user
 * @param   \Scalr_Environment  $environment   The client's environment. The parameter is
 *                                             untyped; anything that is not a
 *                                             \Scalr_Environment results in a denial.
 * @param   int|string          $resourceId    The ID of the ACL resource or its symbolic
 *                                             name without "RESOURCE_" prefix.
 * @param   string              $permissionId  optional The ID of the unique permission
 *                                             related to the specified resource.
 * @return  bool Returns TRUE if access is allowed
 * @throws  \InvalidArgumentException When a symbolic resource name does not match any
 *                                    Acl::RESOURCE_* constant
 */
public function isUserAllowedByEnvironment(\Scalr_Account_User $user, $environment, $resourceId, $permissionId = null)
{
    // Scalr Admin is allowed for everything, regardless of the environment.
    if ($user->isScalrAdmin()) {
        return true;
    }

    // If environment is not defined the check fails closed.
    if (!$environment instanceof \Scalr_Environment) {
        return false;
    }

    // Tenant isolation: environment and user must belong to the same account.
    // NOTE(review): this is a loose (!=) comparison, so PHP type juggling applies to
    // the two account IDs; confirm both are always populated, same-typed values.
    if ($environment->clientId != $user->getAccountId()) {
        return false;
    }

    // Account Owner is allowed for everything inside the own account.
    if ($user->isAccountOwner()) {
        return true;
    }

    if (is_string($resourceId)) {
        // Every string, numeric strings included, is treated as a symbolic name and
        // resolved to the matching Acl::RESOURCE_* constant; unknown names are rejected.
        $constantName = 'Scalr\\Acl\\Acl::RESOURCE_' . strtoupper($resourceId);

        if (!defined($constantName)) {
            throw new \InvalidArgumentException(sprintf('Cannot find ACL resource %s by specified symbolic name %s.', $constantName, $resourceId));
        }

        $resourceId = constant($constantName);
    }

    // The role collection's answer is normalised to a strict boolean.
    return (bool) $user->getAclRolesByEnvironment($environment->id)->isAllowed($resourceId, $permissionId);
}