/**
 * Builds the Nette\Security\Permission ACL from the persisted resources and roles.
 *
 * Resources are registered first (each with its parent resource when one is set),
 * then roles (each with its parent roles when getParents() yields an array).
 * A role reporting isAdministrator() is allowed everything; every other role is
 * allowed exactly the privileges listed by its permissions. A permission with no
 * resource is allowed on NS\IAuthorizator::ALL, i.e. on every registered resource,
 * so such records are effectively global grants for that privilege.
 *
 * NOTE(review): addResource()/addRole() need the parent to be registered before the
 * child, so the providers are assumed to return parents before children — confirm.
 *
 * @param Providers\IPermissionsProvider $permissionsProvider
 * @param Providers\IRolesProvider $rolesProvider
 */
public function __construct(Providers\IPermissionsProvider $permissionsProvider, Providers\IRolesProvider $rolesProvider)
{
	/** @var Entities\IResource[] $allResources */
	$allResources = $permissionsProvider->getResources();
	/** @var Entities\IRole[] $allRoles */
	$allRoles = $rolesProvider->findAll();

	// Every resource goes in before any role may refer to it
	foreach ($allResources as $resourceEntity) {
		$parentResource = $resourceEntity->getParent();
		$parentResourceName = NULL;
		if ($parentResource) {
			$parentResourceName = $parentResource->getName();
		}
		$this->addResource($resourceEntity->getName(), $parentResourceName);
	}

	foreach ($allRoles as $roleEntity) {
		$roleName = $roleEntity->getName();

		// Parent roles are handed to addRole() by name; anything that is not an
		// array is passed through untouched
		$parentRoles = $roleEntity->getParents();
		if (is_array($parentRoles)) {
			$parentRoleNames = [];
			foreach ($parentRoles as $key => $parentRole) {
				/** @var Entities\IRole $parentRole */
				$parentRoleNames[$key] = $parentRole->getName();
			}
			$parentRoles = $parentRoleNames;
		}
		$this->addRole($roleName, $parentRoles);

		if ($roleEntity->isAdministrator()) {
			// Administrator: all privileges on all resources, no assertion
			$this->allow($roleName);
			continue;
		}

		/** @var Entities\IPermission $permissionEntity */
		foreach ($roleEntity->getPermissions() as $permissionEntity) {
			$permissionResource = $permissionEntity->getResource();
			$resourceName = $permissionResource ? $permissionResource->getName() : NS\IAuthorizator::ALL;
			$this->allow($roleName, $resourceName, $permissionEntity->getPrivilege(), $permissionEntity->getAssertion());
		}
	}
}
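/**
 * Registers the static role hierarchy together with the permissions of each role.
 *
 * Roles are defined like this:
 *
 *   IRole::ROLE_ADMINISTRATOR (administrator)
 *   IRole::ROLE_ANONYMOUS (guest)
 *   └ IRole::ROLE_AUTHENTICATED (authenticated)
 *   employee
 *   ├ sales
 *   └ engineer
 *     └ backend-engineer
 *   auditor
 *
 * Here are also role permissions assigned, see the code. ROLE_ADMINISTRATOR is
 * registered without a permission list in this block; what it is allowed to do
 * is not decided here.
 *
 * NOTE(review): a permission key missing from getPermissions() yields NULL plus a
 * notice instead of an error, so a mistyped key silently grants nothing — confirm
 * the provider guarantees every key used below.
 *
 * @param Security\Providers\IPermissionsProvider $permissionsProvider
 */
public function __construct(Security\Providers\IPermissionsProvider $permissionsProvider)
{
	$permissions = $permissionsProvider->getPermissions();

	$this->addRole(Entities\IRole::ROLE_ADMINISTRATOR);

	// Every other addRole() call passes its permissions as a list; the guest role
	// previously passed a bare permission, which is normalised to a list here so
	// all calls agree on the argument shape
	$this->addRole(Entities\IRole::ROLE_ANONYMOUS, NULL, [$permissions['intranet:access']]);
	$this->addRole(Entities\IRole::ROLE_AUTHENTICATED, $this->getRole(Entities\IRole::ROLE_ANONYMOUS), [$permissions['climatisation:']]);

	// Employees: base grants, then the department-specific extras on top
	$this->addRole('employee', NULL, [$permissions['climatisation:'], $permissions['documents:'], $permissions['intranet:access']]);
	$this->addRole('sales', $this->getRole('employee'), [$permissions['salesModule:']]);
	$this->addRole('engineer', $this->getRole('employee'), [$permissions['servers:access']]);
	// Restart rights are deliberately limited to backend engineers only
	$this->addRole('backend-engineer', $this->getRole('engineer'), [$permissions['servers:restart'], $permissions['databaseFarm:restart']]);

	// Auditor is a standalone role that only gets intranet access
	$this->addRole('auditor', NULL, [$permissions['intranet:access']]);
}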