<?php |
/**
 * Xyster Framework
 *
 * LICENSE
 *
 * This source file is subject to the new BSD license that is bundled
 * with this package in the file LICENSE.txt.
 * It is also available through the world-wide-web at this URL:
 * http://www.opensource.org/licenses/bsd-license.php
 * If you did not receive a copy of the license and are unable to
 * obtain it through the world-wide-web, please send an email
 * to xyster@devweblog.org so we can send you a copy immediately.
 *
 * @category Xyster
 * @package Xyster_Acl
 * @copyright Copyright (c) 2007 Irrational Logic (http://devweblog.org)
 * @license http://www.opensource.org/licenses/bsd-license.php New BSD License
 * @version $Id: Acl.php 90 2007-09-19 00:25:13Z doublecompile $
 */
/**
 * Zend_Acl
 */
require_once 'Zend/Acl.php'; |
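/**
 * An access control list that can dynamically build its own rules
 *
 * When no static rule exists for a (role, resource, privilege) query, the
 * first registered authorizer that applies to the resource is asked for a
 * decision, and that decision is then stored on this ACL as an ordinary
 * allow/deny rule.
 *
 * @category Xyster
 * @package Xyster_Acl
 * @copyright Copyright (c) 2007 Irrational Logic (http://devweblog.org)
 * @license http://www.opensource.org/licenses/bsd-license.php New BSD License
 */
class Xyster_Acl extends Zend_Acl
{
    /**
     * The authorizers, in the order in which they were added
     *
     * @var Xyster_Acl_Authorizer_Interface[]
     */
    protected $_authorizers = array();

    /**
     * Adds an authorizer to the ACL
     *
     * The same authorizer instance is only registered once (identity
     * comparison), so adding it again does not change its position.
     *
     * @param Xyster_Acl_Authorizer_Interface $authorizer
     * @return Xyster_Acl provides a fluent interface
     */
    public function addAuthorizer( Xyster_Acl_Authorizer_Interface $authorizer )
    {
        if ( !in_array($authorizer, $this->_authorizers, true) ) {
            $this->_authorizers[] = $authorizer;
        }
        return $this;
    }

    /**
     * Throws an exception if the Role is denied access to the Resource
     *
     * The exception message names the role id, the resource id and the
     * privilege. It is meant for logs and developers; callers that render
     * exception messages to end users should substitute a generic message so
     * that role and resource names are not disclosed.
     *
     * @param Zend_Acl_Role_Interface|string $role
     * @param Zend_Acl_Resource_Interface|string $resource
     * @param string $privilege
     * @return boolean always true when access is allowed
     * @throws Zend_Acl_Exception if access is denied
     */
    public function assertAllowed($role = null, $resource = null, $privilege = null)
    {
        if ( $this->isAllowed($role, $resource, $privilege) ) {
            return true;
        }

        $roleLabel = ( $role instanceof Zend_Acl_Role_Interface ) ?
            $role->getRoleId() : $role;
        $resourceLabel = ( $resource instanceof Zend_Acl_Resource_Interface ) ?
            $resource->getResourceId() : $resource;

        $msg = 'Insufficient permissions: ' . $roleLabel . ' -> ' . $resourceLabel;
        // Compare explicitly so that a privilege such as '0' is still reported.
        if ( $privilege !== null && $privilege !== '' ) {
            $msg .= ' (' . $privilege . ')';
        }

        // Loaded lazily: the exception class is only needed on the deny path.
        require_once 'Zend/Acl/Exception.php';
        throw new Zend_Acl_Exception($msg);
    }

    /**
     * Gets the authorizer for a resource
     *
     * If more than one authorizer applies to a resource, only the first is
     * returned (in the order in which they were added. First in, first out).
     *
     * If none apply, null is returned.
     *
     * Registration order is therefore the precedence order: the earliest
     * applicable authorizer is the one that decides access for the resource.
     *
     * @param Zend_Acl_Resource_Interface|string $resource
     * @return Xyster_Acl_Authorizer_Interface|null
     */
    public function getAuthorizer($resource = null)
    {
        if ( $resource === null ) {
            return null;
        }

        // Resolve an id (or instance) to the resource registered on this ACL.
        $resource = $this->get($resource);
        if ( $resource === null ) {
            return null;
        }

        foreach ( $this->_authorizers as $authorizer ) {
            /* @var $authorizer Xyster_Acl_Authorizer_Interface */
            if ( $authorizer->applies($resource) ) {
                // Stop at the first match. Continuing the loop would let a
                // later authorizer silently override the documented
                // first-in precedence.
                return $authorizer;
            }
        }

        return null;
    }

    /**
     * Returns true if and only if the Role has access to the Resource
     *
     * If no rule is stored for the exact query, the applicable authorizer
     * (see getAuthorizer) is consulted and its answer is written back to this
     * ACL with allow() or deny(). Consequences of that write-back:
     *
     * - The authorizer is asked once per query; afterwards the stored rule
     *   answers. If the authorizer's decision depends on state that can
     *   change (ownership, membership, time), the stored rule has to be
     *   removed for the change to take effect on this ACL instance.
     * - NOTE(review): the rule is stored with the same $role and $privilege
     *   that were queried. A null value is presumably treated by Zend_Acl as
     *   "all roles" / "all privileges" -- confirm authorizers answer such
     *   queries with that scope in mind.
     *
     * If no authorizer applies, the decision is left to Zend_Acl.
     *
     * @param Zend_Acl_Role_Interface|string $role
     * @param Zend_Acl_Resource_Interface|string $resource
     * @param string $privilege
     * @return boolean
     */
    public function isAllowed($role = null, $resource = null, $privilege = null)
    {
        $role = ( $role !== null ) ? $this->getRole($role) : null;
        $resource = ( $resource !== null ) ? $this->get($resource) : null;

        if ( $this->_getRuleType($resource, $role, $privilege) === null ) {
            $authorizer = $this->getAuthorizer($resource);
            if ( $authorizer !== null ) {
                // Normalise to a strict boolean so the return value matches
                // the rule that is stored below.
                $allowed = (bool) $authorizer->isAllowed($role, $resource, $privilege);

                if ( $allowed ) {
                    $this->allow($role, $resource, $privilege);
                } else {
                    $this->deny($role, $resource, $privilege);
                }

                return $allowed;
            }
        }

        return parent::isAllowed($role, $resource, $privilege);
    }
}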