/**
* (non-PHPdoc)
* @see Zend_Application_Resource_ResourceAbstract#init()
*/
public function init()
{
$this->_acl = new Zend_Acl();
// static roles
$this->_acl->addRole(new Zend_Acl_Role('all'));
$this->_acl->addRole(new Zend_Acl_Role('anonymous'), 'all');
$this->_acl->addRole(new Zend_Acl_Role('identified'), 'all');
// dinamic roles
foreach ($this->_roles as $roleName) {
if (!$this->_acl->hasRole($roleName)) {
$this->_acl->addRole(new Zend_Acl_Role($roleName), 'identified');
}
}
// var_dump($this->_resources);exit;
// rules
foreach ($this->_resources as $module => $grants) {
$module = strtolower($module);
$this->_acl->add(new Zend_Acl_Resource($module));
foreach ($grants as $controller => $grant) {
$controller = strtolower($controller);
foreach ($grant as $action => $roles) {
$resource = $controller . self::RESOURCE_SEPARATOR . $action;
foreach (explode(',', $roles) as $role) {
if (!empty($role)) {
$this->_acl->allow(trim($role), $module, $resource);
}
}
}
}
}
Zend_Registry::set('acl', $this->_acl);
return $this->_acl;
}
public function checkAccess(Zend_Controller_Request_Abstract $request)
{
$resource = new User_Model_Acl_Resource();
$resource->getPrivileges($request);
if (!$resource->privileges || !$resource->resource_id) {
//error in getting resource privileges or nobody is allowed access, deny access and redirect to forbidden
return false;
}
$acl = new Zend_Acl();
$acl->add(new Zend_Acl_Resource($resource->resource_id));
foreach ($resource->privileges as $key => $privilege) {
if (!$acl->hasRole($privilege["role_id"])) {
$acl->addRole(new Zend_Acl_Role($privilege["role_id"]));
$acl->allow($privilege["role_id"], $resource->resource_id);
}
}
$authorization = Zend_Auth::getInstance();
if ($authorization->hasIdentity()) {
$user = $authorization->getIdentity();
if ($acl->hasRole($user['role_id']) && $acl->isAllowed($user['role_id'], $resource->resource_id)) {
//role has access
return true;
}
//user role does not have access to this resource
return false;
} else {
$aclrole = new User_Model_Acl_Role();
$aclrole->getDefaultRole();
if (!$aclrole->default_role || !$acl->hasRole($aclrole->default_role) || !$acl->isAllowed($aclrole->default_role, $resource->resource_id)) {
//redirect to login
return false;
}
}
return true;
}
/**
* @covers System_Acl_Loader_Options::load
* @covers System_Acl_Loader_Options::<protected>
*/
public function testLoadRoles()
{
$this->object->setOptions($this->optionsHelper(System_Acl_Loader_Options::ROLES, array('test' => null, 'test1' => 'test')));
$this->object->load();
self::assertTrue($this->acl->hasRole('test'));
self::assertTrue($this->acl->hasRole('test1'));
self::assertTrue($this->acl->inheritsRole('test1', 'test', true));
}
/**
* @covers System_Acl_Loader_Db::load
* @covers System_Acl_Loader_Db::<protected>
*/
public function testLoadRoles()
{
$this->createTableMocks('AclResource');
$this->createTableMocks('AclRule');
$this->createTableMocks('AclRole', array(array('name' => 'test', 'parent' => null), array('name' => 'test1', 'parent' => 'test')));
$this->object->load();
self::assertTrue($this->acl->hasRole('test'));
self::assertTrue($this->acl->hasRole('test1'));
self::assertTrue($this->acl->inheritsRole('test1', 'test', true));
}
private function _addRoleById(array $roles, $roleId)
{
foreach ($roles as $roleName => $properties) {
// If the properties aren't set as an array, then we will consider
// the value as the role ID.
if (!is_array($properties)) {
$properties = array('id' => $properties);
}
$id = $properties['id'];
$parents = array();
if (is_null($id) || empty($id)) {
throw new Zend_Application_Resource_Exception(sprintf($this->_missingPropertyMessage, 'ID', 'role', $roleName));
}
if (isset($properties['parents']) && !empty($properties['parents'])) {
$parents = explode(',', $properties['parents']);
}
if ($id == $roleId) {
if ($this->_acl->hasRole($roleId)) {
return;
}
foreach ($parents as $parent) {
if (!$this->_acl->hasRole($parent)) {
$this->_addRoleById($roles, $parent);
}
}
$this->_acl->addRole(new Zend_Acl_Role($roleId), $parents);
// Since we've finished adding the specified role, let's break
// from our loop.
break;
}
}
}
/**
* Ensures that removal of all Roles works
*
* @return void
*/
public function testRoleRegistryRemoveAll()
{
$roleGuest = new Zend_Acl_Role('guest');
$this->_acl->addRole($roleGuest)
->removeRoleAll();
$this->assertFalse($this->_acl->hasRole($roleGuest));
}
/**
* Метод загружающий правила ACL
* из хранилища правил в объект Zend_Acl
*
* @throws Excore_Acl_Rules_Exception
* @return void
*/
protected function _loadRules()
{
$rules = $this->_rules->getAll();
foreach ($rules as $rule) {
if (!in_array($rule['type'], $this->_ruleTypes)) {
throw new Excore_Acl_Rules_Exception("Rule type `{$rule['type']}` is invalid rule type for current settings");
}
if (!$this->_acl->hasRole(new Zend_Acl_Role($rule['roleId']))) {
throw new Excore_Acl_Rules_Exception("Role `{$rule['roleId']}` found in rules storage, but was not in roles storage");
}
if (!$this->_acl->has(new Zend_Acl_Resource($rule['resourceId']))) {
throw new Excore_Acl_Rules_Exception("Resource `{$rule['resourceId']}` found in rules storage, but was not in resources storage");
}
$assert = $rule['assert'];
if ($assert !== null) {
$assert = new $assert();
}
switch ($rule['type']) {
case $this->_ruleTypes['TYPE_ALLOW']:
$this->_acl->allow(new Zend_Acl_Role($rule['roleId']), new Zend_Acl_Resource($rule['resourceId']), $rule['privileges'], $assert);
break;
case $this->_ruleTypes['TYPE_DENY']:
$this->_acl->deny(new Zend_Acl_Role($rule['roleId']), new Zend_Acl_Resource($rule['resourceId']), $rule['privileges'], $assert);
break;
}
}
}
/**
* Deny access to this role for a particular permissible object (or globally)
*
* @param string permission to deny
* @param QFrame_Permissible (optional) permissible object to deny access to
*/
public function deny($permission, QFrame_Permissible $permissible = null)
{
$resource = $permissible === null ? "GLOBAL" : $permissible->getPermissionID();
if (!$this->acl->hasRole($permission)) {
$this->acl->addRole(new Zend_Acl_Role($permission));
}
if (!$this->acl->has($resource)) {
$this->acl->add(new Zend_Acl_Resource($resource));
}
$this->acl->deny($permission, $resource);
}
public function hasRole($role)
{
if (preg_match('/^((group|role)_[0-9]+_[0-9]+)|(profile_[0-9]+)$/', $role)) {
return parent::hasRole($role);
} elseif (preg_match('/^(group|role)_([0-9]+)$/', $role, $matches)) {
$modelName = ucfirst($matches[1]);
$model = new $modelName();
$role = $model->findOne($matches[2]);
return parent::hasRole($matches[1] . '_' . (int) $role->priority . '_' . $matches[2]);
} else {
return false;
}
}
public function buildAcl()
{
if ($this->_acl !== null) {
return $this->_acl;
}
$aclDefinition = Zym_Message_Dispatcher::get()->post('buildAcl')->getResult('buildAcl');
$acl = new Zend_Acl();
foreach ($aclDefinition as $module) {
if (!$acl->has($module['resource'])) {
$acl->addResource($module['resource']);
}
foreach ($module['rules'] as $key => $rule) {
if (!$acl->hasRole($key)) {
$acl->addRole($key);
}
$acl->setRule('OP_ADD', $rule['allPrivileges']['type'], $key, $module['resource']);
}
}
$this->_acl = $acl;
return $this->_acl;
}
/**
* initAcl() - Initialize common ACL and save to cache.
*
* @return Zend_Acl
*/
protected static function initAcl()
{
$cache = self::getCache();
$db = self::getDb();
$selectRes = new Zend_Db_Select($db);
$roleResources = $selectRes->from('mod_role_resource')->query(Zend_Db::FETCH_GROUP)->fetchAll();
//Zend_Registry::get ( 'logger' )->notice ( 'Role and Resources:' );
//Zend_Registry::get ( 'logger' )->debug ( $roleResources );
$acl = new Zend_Acl();
$dbRoles = array(self::GUEST);
$acl->addRole(self::GUEST);
foreach ($roleResources as $roleKey => $resources) {
$role = strtolower($roleKey);
if (!(self::GUEST === $role)) {
if (!$acl->hasRole($role)) {
$acl->addRole($role, self::GUEST);
$dbRoles[] = $role;
} else {
Zend_Registry::get('logger')->debug('Duplicate role : "' . $role . '"');
}
}
foreach ($resources as $key => $resource) {
$res = strtolower($resource['module_id'] . '_' . $resource['controller_id'] . '_' . $resource['action_id']);
if (!$acl->has($res)) {
$acl->addResource($res);
}
$acl->allow($role, $res);
}
}
$commonAcl = array('acl' => $acl, 'dbRoles' => $dbRoles);
$cache->save($commonAcl, 'commonAcl');
Zend_Registry::get('logger')->debug('Common ACL cached.');
return $commonAcl;
}
/**
* Confirm that deleting a role after allowing access to all roles
* raise undefined index error
*
* @group ZF-5700
*/
public function testRemovingRoleAfterItWasAllowedAccessToAllResourcesGivesError()
{
$acl = new Zend_Acl();
$acl->addRole(new Zend_Acl_Role('test0'));
$acl->addRole(new Zend_Acl_Role('test1'));
$acl->addRole(new Zend_Acl_Role('test2'));
$acl->addResource(new Zend_Acl_Resource('Test'));
$acl->allow(null, 'Test', 'xxx');
// error test
$acl->removeRole('test0');
// Check after fix
$this->assertFalse($acl->hasRole('test0'));
}
protected function _initAcl()
{
$acl = new Zend_Acl();
$acl->addRole(Kaltura_AclHelper::ROLE_GUEST);
$currentRole = Kaltura_AclHelper::getCurrentRole();
$currentPermissions = Kaltura_AclHelper::getCurrentPermissions();
if (!$acl->hasRole($currentRole)) {
$acl->addRole($currentRole);
}
$accessItems = Zend_Registry::get('config')->access;
$allAccess = array();
foreach ($accessItems as $resource => $accessConfig) {
if (!$accessConfig instanceof Zend_Config) {
$requiredPermissions = $accessConfig;
} else {
if (isset($accessConfig->all)) {
$requiredPermissions = $accessConfig->all;
} else {
continue;
}
}
$acl->addResource(new Zend_Acl_Resource($resource));
if ($requiredPermissions) {
$allow = true;
if ($requiredPermissions != '*') {
$allAccess[$resource] = $requiredPermissions;
$requiredPermissions = array_map('trim', explode(',', $requiredPermissions));
foreach ($requiredPermissions as $required) {
if (!in_array($required, $currentPermissions, true)) {
$allow = false;
break;
}
}
}
if ($allow) {
$acl->allow($currentRole, $resource);
} else {
$acl->deny($currentRole, $resource);
}
}
}
foreach ($accessItems as $resource => $accessConfig) {
if ($accessConfig instanceof Zend_Config) {
foreach ($accessConfig as $action => $requiredPermissions) {
if ($action == 'all') {
continue;
}
$acl->addResource(new Zend_Acl_Resource($resource . $action), $resource);
$allow = true;
if ($requiredPermissions != '*') {
if (isset($allAccess[$resource])) {
$requiredPermissions .= ',' . $allAccess[$resource];
}
$requiredPermissions = array_map('trim', explode(',', $requiredPermissions));
foreach ($requiredPermissions as $required) {
if (!in_array($required, $currentPermissions, true)) {
$allow = false;
break;
}
}
}
if ($allow) {
$acl->allow($currentRole, $resource, $action);
} else {
$acl->deny($currentRole, $resource, $action);
}
}
}
}
Zend_Registry::set('acl', $acl);
}
/**
* Returns true if and only if the Role exists in the registry
*
* The $role parameter can either be a Role or a Role identifier.
*
* @param Zend_Acl_Role_Interface|string $role
* @uses Zend_Acl::hasRole()
* @return boolean
*/
public function hasRole($role)
{
if ($this->hasCachingAdapter()) {
$this->_checkCaching();
}
//Wenn die Role angegeben wurde und nicht im Acl-Object existiert
//und noch kein Ladeversuch unternommen wurde, wird versucht die Role zu laden.
$roleId = $role instanceof Zend_Acl_Role_Interface ? $role->getRoleId() : (string) $role;
if (!is_null($roleId) && !parent::hasRole($roleId) && !$this->hasRoleLoaded($roleId)) {
$arrRoles = $this->_getAdapter()->loadRole($roleId);
if (count($arrRoles) > 0) {
foreach ($arrRoles as $arrRole) {
if ($this->hasRoleLoaded($arrRole[0])) {
continue;
}
$this->_setRoleLoaded($arrRole[0]);
parent::addRole(new Zend_Acl_Role($arrRole[0]), $arrRole[1]);
}
} else {
$this->_setRoleLoaded($roleId);
}
}
return parent::hasRole($roleId);
}
/**
* Roles (papeis)
*/
protected function _setupResourcesPrivileges()
{
if (!$this->_acl->hasRole('Usuario')) {
$this->_acl->addRole(new Zend_Acl_Role('Usuario'));
}
}
/**
* get roles and resources from db, build Zend_Acl structure and add permissions
* @param Zend_Db $db
*/
protected function makeAcl($db)
{
$acl = new Zend_Acl();
$res = $db->fetchAll('select * from system_role');
foreach ($res as $obj) {
if ($obj['inherit_role'] != '') {
if ($acl->hasRole($obj['inherit_role'])) {
$acl->addRole(new Zend_Acl_Role($obj['role']), $obj['inherit_role']);
} else {
/**
* @todo very simply system to order roles, add role before inherited role
*/
$res[] = $obj;
continue;
}
} else {
$acl->addRole(new Zend_Acl_Role($obj['role']));
}
}
$res = $db->fetchAll('select * from system_resource');
foreach ($res as $obj) {
$acl->addResource(new Zend_Acl_Resource($obj['resource']));
}
$res = $db->fetchAll('select r.role as role, rs.resource as resource, permission, privilege ' . 'from system_role as r join system_role_has_system_resource as m on ' . '(r.id = m.system_role_id) join system_resource as rs on (m.system_resource_id = rs.id)');
foreach ($res as $obj) {
$privilege = explode(',', $obj['privilege']);
if ($obj['permission'] == 'allow') {
$acl->allow($obj['role'], $obj['resource'], $privilege);
} else {
$acl->deny($obj['role'], $obj['resource'], $privilege);
}
}
return $acl;
}
/**
* Check if the ACL allows accessing the function or method
*
* @param string|object $object Object or class being accessed
* @param string $function Function or method being accessed
* @return unknown_type
*/
protected function _checkAcl($object, $function)
{
if (!$this->_acl) {
return true;
}
if ($object) {
$class = is_object($object) ? get_class($object) : $object;
if (!$this->_acl->has($class)) {
require_once 'Zend/Acl/Resource.php';
$this->_acl->add(new Zend_Acl_Resource($class));
}
$call = array($object, "initAcl");
if (is_callable($call) && !call_user_func($call, $this->_acl)) {
// if initAcl returns false, no ACL check
return true;
}
} else {
$class = null;
}
$auth = Zend_Auth::getInstance();
if ($auth->hasIdentity()) {
$role = $auth->getIdentity()->role;
} else {
if ($this->_acl->hasRole(Zend_Amf_Constants::GUEST_ROLE)) {
$role = Zend_Amf_Constants::GUEST_ROLE;
} else {
require_once 'Zend/Amf/Server/Exception.php';
throw new Zend_Amf_Server_Exception("Unauthenticated access not allowed");
}
}
if ($this->_acl->isAllowed($role, $class, $function)) {
return true;
} else {
require_once 'Zend/Amf/Server/Exception.php';
throw new Zend_Amf_Server_Exception("Access not allowed");
}
}
protected function _initAcl()
{
$acl = new Zend_Acl();
$acl->addRole(Infra_AclHelper::ROLE_GUEST);
$currentRole = Infra_AclHelper::getCurrentRole();
$currentPermissions = Infra_AclHelper::getCurrentPermissions();
if (!$acl->hasRole($currentRole)) {
$acl->addRole($currentRole);
}
$accessItems = Zend_Registry::get('config')->access;
$allAccess = array();
foreach ($accessItems as $resource => $accessConfig) {
if (!$accessConfig instanceof Zend_Config) {
$requiredPermissions = $accessConfig;
} else {
if (isset($accessConfig->all)) {
$requiredPermissions = $accessConfig->all;
} else {
continue;
}
}
$acl->addResource(new Zend_Acl_Resource($resource));
if ($requiredPermissions) {
$allow = true;
if ($requiredPermissions != '*') {
$allAccess[$resource] = $requiredPermissions;
$requiredPermissions = array_map('trim', explode(',', $requiredPermissions));
foreach ($requiredPermissions as $required) {
if (!in_array($required, $currentPermissions, true)) {
$allow = false;
break;
}
}
}
if ($allow) {
$acl->allow($currentRole, $resource);
} else {
$acl->deny($currentRole, $resource);
}
}
}
foreach ($accessItems as $resource => $accessConfig) {
if ($accessConfig instanceof Zend_Config) {
foreach ($accessConfig as $action => $requiredPermissions) {
if ($action == 'all') {
continue;
}
$acl->addResource(new Zend_Acl_Resource($resource . $action), $resource);
$allow = true;
if ($requiredPermissions != '*') {
if (isset($allAccess[$resource])) {
$requiredPermissions .= ',' . $allAccess[$resource];
}
$requiredPermissions = array_map('trim', explode(',', $requiredPermissions));
foreach ($requiredPermissions as $required) {
if (!in_array($required, $currentPermissions, true)) {
$allow = false;
break;
}
}
} else {
//If no special permission is required to view this resource, it should be added to the whitelisted resources
$resourceUrl = "{$resource}/{$action}";
Infra_AuthPlugin::addToWhitelist($resourceUrl);
}
if ($allow) {
$acl->allow($currentRole, $resource, $action);
} else {
$acl->deny($currentRole, $resource, $action);
}
}
}
}
Zend_Registry::set('acl', $acl);
}
