class Permission implements Authorizator

Access control list (ACL) functionality and privileges management.

This solution is mostly based on Zend_Acl (c) Zend Technologies USA Inc. (https://www.zend.com), new BSD license

Methods

addRole(string $role, string|array|null $parents = null)

Adds a Role to the list. The most recently added parent takes precedence over parents that were previously added.

bool
hasRole(string $role)

Returns true if the Role exists in the list.

array
getRoles()

Returns all Roles.

array
getRoleParents(string $role)

Returns an existing Role's parents ordered by ascending priority.

bool
roleInheritsFrom(string $role, string $inherit, bool $onlyParents = false)

Returns true if $role inherits from $inherit. If $onlyParents is true, then $role must inherit directly from $inherit.

removeRole(string $role)

Removes the Role from the list.

removeAllRoles()

Removes all Roles from the list.

addResource(string $resource, string|null $parent = null)

Adds a Resource having an identifier unique to the list.

bool
hasResource(string $resource)

Returns true if the Resource exists in the list.

array
getResources()

Returns all Resources.

bool
resourceInheritsFrom(string $resource, string $inherit, bool $onlyParent = false)

Returns true if $resource inherits from $inherit. If $onlyParent is true, then $resource must inherit directly from $inherit.

removeResource(string $resource)

Removes a Resource and all of its children.

removeAllResources()

Removes all Resources.

allow(string|array|null $roles = self::All, string|array|null $resources = self::All, string|array|null $privileges = self::All, callable|null $assertion = null)

Allows one or more Roles access to [certain $privileges upon] the specified Resource(s).

deny(string|array|null $roles = self::All, string|array|null $resources = self::All, string|array|null $privileges = self::All, callable|null $assertion = null)

Denies one or more Roles access to [certain $privileges upon] the specified Resource(s).

removeAllow(string|array|null $roles = self::All, string|array|null $resources = self::All, string|array|null $privileges = self::All)

Removes "allow" permissions from the list in the context of the given Roles, Resources, and privileges.

removeDeny(string|array|null $roles = self::All, string|array|null $resources = self::All, string|array|null $privileges = self::All)

Removes "deny" restrictions from the list in the context of the given Roles, Resources, and privileges.

void
setRule(bool $toAdd, bool $type, string|array|null $roles, string|array|null $resources, string|array|null $privileges, callable|null $assertion = null)

Performs operations on Access Control List rules.

bool
isAllowed(string|null $role = self::All, string|null $resource = self::All, string|null $privilege = self::All)

Returns true if and only if the Role has access to [certain $privileges upon] the Resource.

Role|null
getQueriedRole()

Returns the real Role currently being queried. Used by assertions.

Resource|null
getQueriedResource()

Returns the real Resource currently being queried. Used by assertions.

Details

at line 54
Permission addRole(string $role, string|array|null $parents = null)

Adds a Role to the list. The most recently added parent takes precedence over parents that were previously added.

Parameters

string $role
string|array|null $parents

Return Value

Permission

Exceptions

InvalidArgumentException
InvalidStateException

at line 87
bool hasRole(string $role)

Returns true if the Role exists in the list.

Parameters

string $role

Return Value

bool

at line 112
array getRoles()

Returns all Roles.

Return Value

array

at line 121
array getRoleParents(string $role)

Returns an existing Role's parents ordered by ascending priority.

Parameters

string $role

Return Value

array

at line 133
bool roleInheritsFrom(string $role, string $inherit, bool $onlyParents = false)

Returns true if $role inherits from $inherit. If $onlyParents is true, then $role must inherit directly from $inherit.

Parameters

string $role
string $inherit
bool $onlyParents

Return Value

bool

Exceptions

InvalidStateException

at line 159
Permission removeRole(string $role)

Removes the Role from the list.

Parameters

string $role

Return Value

Permission

Exceptions

InvalidStateException

at line 196
Permission removeAllRoles()

Removes all Roles from the list.

Return Value

Permission

at line 223
Permission addResource(string $resource, string|null $parent = null)

Adds a Resource having an identifier unique to the list.

Parameters

string $resource
string|null $parent

Return Value

Permission

Exceptions

InvalidArgumentException
InvalidStateException

at line 248
bool hasResource(string $resource)

Returns true if the Resource exists in the list.

Parameters

string $resource

Return Value

bool

at line 273
array getResources()

Returns all Resources.

Return Value

array

at line 285
bool resourceInheritsFrom(string $resource, string $inherit, bool $onlyParent = false)

Returns true if $resource inherits from $inherit. If $onlyParent is true, then $resource must inherit directly from $inherit.

Parameters

string $resource
string $inherit
bool $onlyParent

Return Value

bool

Exceptions

InvalidStateException

at line 318
Permission removeResource(string $resource)

Removes a Resource and all of its children.

Parameters

string $resource

Return Value

Permission

Exceptions

InvalidStateException

at line 349
Permission removeAllResources()

Removes all Resources.

Return Value

Permission

at line 371
Permission allow(string|array|null $roles = self::All, string|array|null $resources = self::All, string|array|null $privileges = self::All, callable|null $assertion = null)

Allows one or more Roles access to [certain $privileges upon] the specified Resource(s).

If $assertion is provided, then it must return true in order for the rule to apply.

Parameters

string|array|null $roles
string|array|null $resources
string|array|null $privileges
callable|null $assertion

Return Value

Permission

at line 387
Permission deny(string|array|null $roles = self::All, string|array|null $resources = self::All, string|array|null $privileges = self::All, callable|null $assertion = null)

Denies one or more Roles access to [certain $privileges upon] the specified Resource(s).

If $assertion is provided, then it must return true in order for the rule to apply.

Parameters

string|array|null $roles
string|array|null $resources
string|array|null $privileges
callable|null $assertion

Return Value

Permission

at line 402
Permission removeAllow(string|array|null $roles = self::All, string|array|null $resources = self::All, string|array|null $privileges = self::All)

Removes "allow" permissions from the list in the context of the given Roles, Resources, and privileges.

Parameters

string|array|null $roles
string|array|null $resources
string|array|null $privileges

Return Value

Permission

at line 416
Permission removeDeny(string|array|null $roles = self::All, string|array|null $resources = self::All, string|array|null $privileges = self::All)

Removes "deny" restrictions from the list in the context of the given Roles, Resources, and privileges.

Parameters

string|array|null $roles
string|array|null $resources
string|array|null $privileges

Return Value

Permission

at line 431
protected void setRule(bool $toAdd, bool $type, string|array|null $roles, string|array|null $resources, string|array|null $privileges, callable|null $assertion = null)

Performs operations on Access Control List rules.

Parameters

bool $toAdd
bool $type
string|array|null $roles
string|array|null $resources
string|array|null $privileges
callable|null $assertion

Return Value

void

Exceptions

InvalidStateException

at line 548
bool isAllowed(string|null $role = self::All, string|null $resource = self::All, string|null $privilege = self::All)

Returns true if and only if the Role has access to [certain $privileges upon] the Resource.

This method checks Role inheritance using a depth-first traversal of the Role list. The highest priority parent (i.e., the parent most recently added) is checked first, and its respective parents are checked similarly before the lower-priority parents of the Role are checked.

Parameters

string|null $role
string|null $resource
string|null $privilege

Return Value

bool

Exceptions

InvalidStateException
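
An added example (not part of the original API documentation) of the parent-precedence rule that isAllowed() applies: two roles inherit from the same parents in opposite order and receive opposite answers. It assumes nette/security is installed through Composer; the autoload path, the role, resource and privilege names, and both helper functions are hypothetical.

```php
<?php
declare(strict_types=1);

// Assumption: nette/security installed via Composer in the current directory.
require __DIR__ . '/vendor/autoload.php';

use Nette\Security\Permission;

/** Builds an ACL where 'member' may edit articles and 'staff' is explicitly denied. */
function buildAcl(): Permission
{
	$acl = new Permission;
	$acl->addRole('member');
	$acl->addRole('staff');
	$acl->addResource('article');

	$acl->allow('member', 'article', 'edit');
	$acl->deny('staff', 'article', 'edit');

	// Same two parents, opposite order. The last parent listed is the most
	// recently added one, so isAllowed() consults it first.
	$acl->addRole('alice', ['member', 'staff']); // staff has priority
	$acl->addRole('bob', ['staff', 'member']);   // member has priority
	return $acl;
}

/** True when the parents give different answers, so the result may depend on parent order. */
function parentsDisagree(Permission $acl, string $role, string $resource, string $privilege): bool
{
	$verdicts = [];
	foreach ($acl->getRoleParents($role) as $parent) {
		$verdicts[$acl->isAllowed($parent, $resource, $privilege) ? 'allow' : 'deny'] = true;
	}
	return count($verdicts) > 1;
}

$acl = buildAcl();

// getRoleParents() lists parents in ascending priority: the last entry is checked first.
foreach (['alice', 'bob'] as $role) {
	printf(
		"%-5s parents=[%s] edit article: %s%s\n",
		$role,
		implode(', ', $acl->getRoleParents($role)),
		$acl->isAllowed($role, 'article', 'edit') ? 'allowed' : 'denied',
		parentsDisagree($acl, $role, 'article', 'edit') ? ' (parents disagree, review order)' : '',
	);
}
```

A role flagged by parentsDisagree() is worth a manual look during an ACL review, because reordering its parents in addRole() can silently turn a deny into an allow.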

at line 610
Role|null getQueriedRole()

Returns the real Role currently being queried. Used by assertions.

Return Value

Role|null

at line 619
Resource|null getQueriedResource()

Returns the real Resource currently being queried. Used by assertions.

Return Value

Resource|null