/**
 * Populates a role object with its resources and per-resource permissions
 * read from the ACL tables.
 *
 * Account roles are read from the `acl_account_*` tables and additionally
 * pick up the resource mode; any other role is read from the `acl_*`
 * tables with a NULL mode. Resources reported by Acl::getDisabledResources()
 * are excluded from the query.
 *
 * @param   Role\RoleObject $role A role object
 */
protected function loadRolePermissions(Role\RoleObject $role)
{
    $isAccountRole = $role instanceof Role\AccountRoleObject;

    // Only these fixed literals are ever concatenated into table and column
    // names below; the role id and the disabled resource ids are bound as
    // query parameters.
    $prefix = $isAccountRole ? 'account_' : '';

    $modeJoin = '';
    if ($isAccountRole) {
        $modeJoin = "LEFT JOIN acl_account_role_resource_modes rm ON rr.`account_role_id` = rm.account_role_id "
            . " AND rr.`resource_id` = rm.`resource_id`";
    }

    // The mode column exists only when the modes table is joined.
    $modeColumn = !empty($modeJoin) ? "rm.`mode`" : "NULL AS `mode`";

    $disabledResources = Acl::getDisabledResources();

    $disabledClause = "";
    if (!empty($disabledResources)) {
        // One "?" placeholder per disabled resource; the ids themselves never
        // reach the SQL text.
        $placeholders = implode(',', array_fill(0, count($disabledResources), '?'));
        $disabledClause = "AND rr.resource_id NOT IN (" . $placeholders . ")";
    }

    $sql = "\n SELECT\n rr.`" . $prefix . "role_id` AS `role_id`,\n rr.`resource_id`, rr.`granted`, rp.`perm_id`,\n rp.`granted` AS `perm_granted`,\n "
        . $modeColumn
        . "\n FROM `acl_" . $prefix . "role_resources` rr\n "
        . $modeJoin
        . "\n LEFT JOIN `acl_" . $prefix . "role_resource_permissions` rp\n ON rp.`" . $prefix . "role_id` = rr.`" . $prefix . "role_id`\n AND rp.`resource_id` = rr.`resource_id`\n WHERE rr.`" . $prefix . "role_id` = ?\n {$disabledClause}\n ";

    // Bound values must line up with the placeholders: the role id first,
    // then the disabled resource ids.
    // NOTE(review): (array) on a null role id yields an empty array, which
    // would leave one placeholder unbound - confirm getRoleId() is never null
    // here. Presumably getDisabledResources() returns a plain list; verify.
    $params = array_merge((array) $role->getRoleId(), $disabledResources);

    $res = $this->db->Execute($sql, $params);

    if (!$res) {
        return;
    }

    // NOTE(review): read once before the loop. The isset() check below only
    // sees resources appended during this loop if getResources() hands back
    // an object (e.g. an ArrayAccess container) rather than a plain array
    // copy - confirm, since the LEFT JOIN yields one row per permission.
    $resources = $role->getResources();

    while ($row = $res->FetchRow()) {
        $resourceId = $row['resource_id'];

        if (isset($resources[$resourceId])) {
            $resource = $resources[$resourceId];
        } else {
            // First row seen for this resource: register it on the role.
            $resource = new Role\RoleResourceObject($row['role_id'], $resourceId, $row['granted'], $row['mode']);
            $role->appendResource($resource);
        }

        // The LEFT JOIN leaves perm_id NULL when the resource has no
        // permission rows.
        if ($row['perm_id'] === null) {
            continue;
        }

        $permission = new Role\RoleResourcePermissionObject(
            $row['role_id'],
            $resourceId,
            $row['perm_id'],
            $row['perm_granted']
        );

        // A permission row is honoured only when the resource definition
        // declares that permission; rows for undeclared permissions are
        // ignored.
        $definition = Resource\Definition::get($resource->getResourceId());
        if ($definition->hasPermission($permission->getPermissionId())) {
            $resource->appendPermission($permission);
        }
    }
}
/**
 * Populates a role object with its resources and per-resource permissions
 * read from the ACL tables.
 *
 * Account roles are read from the `acl_account_*` tables, any other role
 * from the `acl_*` tables.
 *
 * @param   Role\RoleObject $role A role object
 */
protected function loadRolePermissions(Role\RoleObject $role)
{
    // Only these fixed literals are ever concatenated into table and column
    // names below; the role id is bound as a query parameter.
    if ($role instanceof Role\AccountRoleObject) {
        $prefix = 'account_';
    } else {
        $prefix = '';
    }

    $sql = "\n SELECT\n rr.`" . $prefix . "role_id` as `role_id`,\n rr.`resource_id`, rr.`granted`, rp.`perm_id`,\n rp.`granted` AS `perm_granted`\n FROM `acl_" . $prefix . "role_resources` rr\n LEFT JOIN `acl_" . $prefix . "role_resource_permissions` rp\n ON rp.`" . $prefix . "role_id` = rr.`" . $prefix . "role_id`\n AND rp.`resource_id` = rr.`resource_id`\n WHERE rr.`" . $prefix . "role_id` = ?\n ";

    $res = $this->db->Execute($sql, array($role->getRoleId()));

    if (!$res) {
        return;
    }

    // NOTE(review): read once before the loop. The isset() check below only
    // sees resources appended during this loop if getResources() hands back
    // an object (e.g. an ArrayAccess container) rather than a plain array
    // copy - confirm, since the LEFT JOIN yields one row per permission.
    $resources = $role->getResources();

    while ($row = $res->FetchRow()) {
        $resourceId = $row['resource_id'];

        if (isset($resources[$resourceId])) {
            $resource = $resources[$resourceId];
        } else {
            // First row seen for this resource: register it on the role.
            $resource = new Role\RoleResourceObject($row['role_id'], $resourceId, $row['granted']);
            $role->appendResource($resource);
        }

        // The LEFT JOIN leaves perm_id NULL when the resource has no
        // permission rows.
        if ($row['perm_id'] === null) {
            continue;
        }

        $permission = new Role\RoleResourcePermissionObject(
            $row['role_id'],
            $resourceId,
            $row['perm_id'],
            $row['perm_granted']
        );

        // A permission row is honoured only when the resource definition
        // declares that permission; rows for undeclared permissions are
        // ignored.
        $definition = Resource\Definition::get($resource->getResourceId());
        if ($definition->hasPermission($permission->getPermissionId())) {
            $resource->appendPermission($permission);
        }
    }
}
/**
 * {@inheritdoc}
 *
 * Reports true whenever parent::isAllowed() yields any value other than
 * null for the given resource (and optional permission), regardless of
 * whether that value grants or denies access.
 *
 * @see Scalr\Acl\Role.RoleObject::isOverridden()
 */
public function isOverridden($resourceId, $permissionId = null)
{
    // Strict comparison: an explicit false from the parent still counts as
    // overridden; only null does not.
    return parent::isAllowed($resourceId, $permissionId) !== null;
}