Пример #1
 /**
  * Demo action: builds a small in-memory ACL, dumps it to the response and stops.
  *
  * NOTE(review): dumping the whole list into the response exposes the role and
  * permission layout; this belongs in a debugging context only, not on a
  * controller that is routable in production.
  */
 public function aclAction()
 {
     echo 'this is acl test!<br>';

     $list = new AclList();
     // Deny by default: only combinations explicitly allowed below pass.
     $list->setDefaultAction(Acl::DENY);

     // Create the roles.
     // The first parameter is the name, the second parameter is an optional description.
     $admins = new Role('Administrators');
     $editors = new Role('Editors');

     // Register both roles with the list.
     $list->addRole($admins);
     $list->addRole($editors);
     // A role can also be registered by its name alone:
     //$list->addRole("Designers");

     // Define the "Customers" resource and the actions it supports.
     $customers = new Resource('Customers');
     $list->addResource($customers, 'search');
     $list->addResource($customers, ['create', 'update']);

     // Set the access level of each role on the resource.
     $list->allow('Administrators', 'Customers', 'search');
     $list->allow('Administrators', 'Customers', 'create');
     $list->deny('Editors', 'Customers', 'update');

     var_dump($list);
     exit;

     // Unreachable: the exit above ends the request before this permission check runs.
     var_dump($list->isAllowed('Administrators', 'Customers', 'search'));
     exit;
 }
Пример #2
 /**
  * Returns the access control list kept in the persistent bag, building it on first use.
  *
  * NOTE(review): the list is built with Acl::ALLOW as its default action, so any
  * role/resource/action combination that is not explicitly denied here is
  * permitted. Only "Staff" on "reports"/"index" is denied. Confirm that this
  * fail-open default is intended before reusing the pattern.
  *
  * NOTE(review): once stored, the list is reused for as long as the persistent
  * entry exists, so later rule changes are not seen by sessions that already hold one.
  */
 public function _getAcl()
 {
     if (isset($this->persistent->acl)) {
         return $this->persistent->acl;
     }

     $list = new Memory();
     $list->setDefaultAction(Acl::ALLOW);

     // Register the roles. No inheritance is passed to addRole(), so each role stands alone.
     $roles = [
         'admin' => new Acl\Role('Administrator'),
         'manager' => new Acl\Role('Manager'),
         'staff' => new Acl\Role('Staff'),
     ];
     foreach (['staff', 'manager', 'admin'] as $key) {
         $list->addRole($roles[$key]);
     }

     // Resources and actions that the staff role is denied.
     $deniedToStaff = ['reports' => ['index']];
     foreach ($deniedToStaff as $resourceName => $actionNames) {
         $list->addResource(new Resource($resourceName), $actionNames);
         foreach ($actionNames as $actionName) {
             $list->deny($roles['staff']->getName(), $resourceName, $actionName);
         }
     }

     // The acl is stored in session, APC would be useful here too
     $this->persistent->acl = $list;

     return $this->persistent->acl;
 }
Пример #3
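 /**
  * Returns the access control list, building it from configuration on first use.
  *
  * The list denies by default. Roles, resources and privileges are read from the
  * `acl` section of the `config` service, and the finished list is kept in the
  * persistent bag so later calls return the stored instance.
  *
  * NOTE(review): because the stored list is reused, configuration changes are
  * not reflected for holders of an existing persistent entry.
  *
  * @return AclList
  */
 public function getAcl()
 {
     if (!isset($this->persistent->acl)) {
         $acl = new AclList();
         $acl->setDefaultAction(Acl::DENY);
         $config = $this->getDI()->get('config')->acl;

         // Register roles. Each config entry maps a role name to the role it inherits from (or null).
         foreach ($config->roles as $roleName => $inheritance) {
             $role = new Role($roleName);
             // Test for null first so isRole() is never called with a missing parent.
             if ($inheritance !== null && $acl->isRole($inheritance)) {
                 $inheritance = new Role($inheritance);
             }
             $acl->addRole($role, $inheritance);
         }

         // Register resources together with the actions each one supports.
         foreach ($config->resources as $resource => $actions) {
             $acl->addResource(new Resource($resource), $actions->toArray());
         }

         // Privileges: role => method ('allow' or anything else) => resource => list of accesses.
         foreach ($config->privilege as $role => $methodList) {
             foreach ($methodList as $method => $levels) {
                 foreach ($levels as $resource => $accessList) {
                     foreach ($accessList as $access) {
                         // Strict comparison on purpose: before PHP 8 a loose `==` treats an
                         // integer key 0 as equal to 'allow', which would turn an unkeyed
                         // list into grants. Any key other than the exact string 'allow'
                         // falls through to deny, so a misspelled key fails closed.
                         if ($method === 'allow') {
                             $acl->allow($role, $resource, $access);
                         } else {
                             $acl->deny($role, $resource, $access);
                         }
                     }
                 }
             }
         }

         // The acl is stored in session, APC would be useful here too
         $this->persistent->acl = $acl;
     }

     return $this->persistent->acl;
 }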
Пример #4
use Mocks\Examples\User;
use Ovide\Libs\Mvc\Rest\App;
use Phalcon\Acl;
use Ovide\Libs\Mvc\Rest\ContentType\XmlEncoder;
// Start from a clean application instance.
App::reset();
$app = App::instance();

// Let the Accept header handler negotiate XML responses.
$handlers = $app->getHandlers();
$accept = $handlers[\Ovide\Libs\Mvc\Rest\HeaderHandler\Accept::HEADER];
$accept->setAcceptable(XmlEncoder::CONTENT_TYPE, XmlEncoder::class);

$app->mountResource(User::class);

// Register the ACL service; `true` is passed as the third argument of set().
$app->di->set('acl', function () {
    $list = new Acl\Adapter\Memory();

    // Role chain: root inherits from user, user inherits from guest.
    $guestRole = new Acl\Role('guest');
    $userRole = new Acl\Role('user');
    $rootRole = new Acl\Role('root');
    $list->addRole($guestRole);
    $list->addRole($userRole, $guestRole);
    $list->addRole($rootRole, $userRole);

    $list->addResource(
        new Acl\Resource('users'),
        ['delete', 'get', 'getOne', 'post', 'put', 'putSelf', 'getSelf', 'deleteSelf']
    );

    // Guests may only create an account; users act on their own record and
    // lose the inherited 'post'; root may do everything.
    $list->allow('guest', 'users', ['post']);
    $list->allow('user', 'users', ['getSelf', 'deleteSelf', 'putSelf']);
    $list->deny('user', 'users', 'post');
    $list->allow('root', 'users', '*');

    // NOTE(review): the default action is set only after roles and rules are
    // registered. Confirm against the Phalcon version in use that entries created
    // earlier are not seeded with the adapter's previous default.
    $list->setDefaultAction(Acl::DENY);

    // Sets 'guest' as active role
    $list->isAllowed('guest', '', '');

    return $list;
}, true);

return $app;
Пример #5
<?php

/**
 * Created by PhpStorm.
 * User: vlad
 * Date: 8/29/15
 * Time: 6:46 AM
 */
use Phalcon\Acl\Adapter\Memory as AclList;
use Phalcon\Acl\Resource;
$acl = new AclList();

// NOTE(review): the default action is ALLOW, so anything not denied below is
// permitted. For example, no deny rule is written for "user" on "projects",
// and an action added to a resource later is open to every role until a deny
// rule is written for it. Confirm this fail-open default is intended.
$acl->setDefaultAction(Phalcon\Acl::ALLOW);

// Roles are registered by name only.
$acl->addRole('guest');
$acl->addRole('user');

// Resources and the actions they expose.
$acl->addResource(new Resource('sign'), ['up', 'in', 'out']);
$acl->addResource(new Resource('projects'), ['create', 'edit', 'delete']);

// Guests cannot sign out; signed-in users cannot sign up or in again.
$acl->deny('guest', 'sign', ['out']);
$acl->deny('user', 'sign', ['up', 'in']);

// Guests are denied every project action.
$acl->deny('guest', 'projects', ['create', 'edit', 'delete']);
Пример #6
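 /**
  * Returns the in-memory ACL, building it on first use.
  *
  * Lookup order: the instance property, then the `cacheData` service (when one
  * is registered), then a fresh build from the `aclAdapter` service and the
  * controller files of every enabled module. A freshly built list is saved to
  * the cache with a lifetime argument of 3600.
  *
  * NOTE(review): a cached list is used as-is. Write access to the cache backend
  * therefore determines authorization decisions, and rule changes are not picked
  * up until the entry expires. Confirm the cache store is access-restricted and
  * is invalidated when permissions change.
  *
  * @return \Phalcon\Acl\Adapter\Memory
  * @throws \Engine\Exception when the `aclAdapter` service is not a \Phalcon\Acl\Adapter
  */
 public function getAdapter()
 {
     if (!$this->_acl) {
         $cacheData = false;
         $acl = null;
         if ($this->_di->has('cacheData')) {
             $cacheData = $this->_di->get('cacheData');
             $acl = $cacheData->get(self::ACL_CACHE_KEY);
         }
         if ($acl === null) {
             $acl = new AclMemory();
             $acl->setDefaultAction(PhAcl::DENY);
             $aclAdapter = $this->_di->get('aclAdapter');
             // Check the type before the first method call, so a misconfigured service
             // raises the intended exception instead of failing inside setDefaultAction().
             if (!$aclAdapter instanceof \Phalcon\Acl\Adapter) {
                 throw new \Engine\Exception('Acl adapter not instance of Phalcon\\Acl\\Adapter');
             }
             $aclAdapter->setDefaultAction(PhAcl::DENY);
             // Prepare roles: make sure the admin role exists, then mirror every role into the memory list.
             $aclAdapter->addRole(self::ROLE_TYPE_ADMIN);
             $roles = $aclAdapter->getRoles();
             foreach ($roles as $role) {
                 $acl->addRole($role);
             }
             // Define the admin area resource and register it with both lists.
             $adminArea = new AclResource(self::ACL_ADMIN_AREA);
             $aclAdapter->addResource($adminArea, '*');
             $acl->addResource($adminArea, '*');
             // The admin role is granted the admin area and a wildcard over every resource and action.
             $acl->allow(self::ROLE_TYPE_ADMIN, self::ACL_ADMIN_AREA, '*');
             $acl->allow(self::ROLE_TYPE_ADMIN, '*', '*');
             // Collect the objects that take part in the ACL: scan the Controller
             // directory of each enabled module and ask getObjectAcl() about each class.
             $config = $this->_di->get('config');
             foreach ($this->_di->get('modules') as $module => $enabled) {
                 if (!$enabled) {
                     continue;
                 }
                 $moduleName = ucfirst($module);
                 $controllerPath = $config->application->modulesDir . $moduleName . '/Controller';
                 if (file_exists($controllerPath)) {
                     $files = scandir($controllerPath);
                     foreach ($files as $file) {
                         // Skip the directory self and parent entries.
                         if ($file == "." || $file == "..") {
                             continue;
                         }
                         // NOTE(review): str_replace() removes every '.php' occurrence, not only a
                         // trailing extension, and entries that are not PHP files are not filtered
                         // out here. Confirm getObjectAcl() copes with such class names.
                         $controllerClass = ucfirst(str_replace('.php', '', $file));
                         $controllerClassName = str_replace('Controller', '', $controllerClass);
                         $class = sprintf('\\%s\\Controller\\%s', $moduleName, $controllerClass);
                         $object = $this->getObjectAcl($class);
                         if ($object == null) {
                             continue;
                         }
                         $resource = $this->getResource($moduleName, $controllerClassName);
                         $aclAdapter->addResource($resource, $object->actions);
                     }
                 }
             }
             // Copy the adapter's decision for every role/resource/action into the memory list.
             // These explicit entries are written after the wildcard grants above, for every
             // role returned by getRoles().
             $resources = $aclAdapter->getResources();
             foreach ($roles as $role) {
                 $roleName = $role->getName();
                 foreach ($resources as $resource) {
                     $actions = $aclAdapter->getResourceAccesses($resource);
                     $resourceName = $resource->getName();
                     $acl->addResource($resource, $actions);
                     foreach ($actions as $action) {
                         if ($aclAdapter->isAllowed($roleName, $resourceName, $action)) {
                             $acl->allow($roleName, $resourceName, $action);
                         } else {
                             $acl->deny($roleName, $resourceName, $action);
                         }
                     }
                 }
             }
             // Store the built list when a cache service is available.
             if ($cacheData) {
                 $cacheData->save(self::ACL_CACHE_KEY, $acl, 3600);
             }
         }
         $this->_acl = $acl;
     }
     return $this->_acl;
 }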
Пример #7
 /**
  * Pass-through override of deny(): forwards the three arguments unchanged to
  * the parent implementation.
  *
  * Nothing is returned, so any value the parent's deny() produces is discarded.
  *
  * @param mixed $roleName     forwarded as-is to parent::deny()
  * @param mixed $resourceName forwarded as-is to parent::deny()
  * @param mixed $access       forwarded as-is to parent::deny()
  */
 public function deny($roleName, $resourceName, $access)
 {
     parent::deny($roleName, $resourceName, $access);
 }
Пример #8
 /**
  * Pass-through override of deny(): forwards all four arguments unchanged to
  * the parent implementation.
  *
  * Nothing is returned, so any value the parent's deny() produces is discarded.
  *
  * @param mixed $roleName     forwarded as-is to parent::deny()
  * @param mixed $resourceName forwarded as-is to parent::deny()
  * @param mixed $access       forwarded as-is to parent::deny()
  * @param mixed $func         optional, defaults to null; forwarded as-is to parent::deny()
  */
 public function deny($roleName, $resourceName, $access, $func = null)
 {
     parent::deny($roleName, $resourceName, $access, $func);
 }
Пример #9
 /**
  * Checks that a deny rule on a child role wins over an allow rule inherited
  * from its parent role.
  *
  * "Members" inherits from "Guests"; "Guests" is allowed Login/index and
  * "Members" is denied it, so the check for "Members" must come back false.
  *
  * @issue T65
  */
 public function testNegationOfInheritedRoles_T65()
 {
     $list = new PhAclMem();
     $list->setDefaultAction(PhAcl::DENY);

     // Parent role first, then the child that inherits from it.
     $list->addRole('Guests');
     $list->addRole('Members', 'Guests');

     $list->addResource('Login', ['index']);

     // The inherited grant and the explicit denial that should override it.
     $list->allow('Guests', 'Login', 'index');
     $list->deny('Members', 'Login', 'index');

     $this->assertFalse(
         (bool) $list->isAllowed('Members', 'Login', 'index'),
         'Negation of inherited roles not correct'
     );
 }