Source for file Permission.php
Documentation is available at Permission.php
- 1: <?php
- 3: /**
- 4: * Nette Framework
- 5: *
- 6: * Copyright (c) 2004, 2009 David Grudl (http://davidgrudl.com)
- 7: *
- 8: * This source file is subject to the "Nette license" that is bundled
- 9: * with this package in the file license.txt.
- 10: *
- 11: * For more information please see https://nette.org
- 12: *
- 19: */
- 29: /**
- 30: * Access control list (ACL) functionality and privileges management.
- 31: *
- 32: * This solution is mostly based on Zend_Acl (c) Zend Technologies USA Inc. (http://www.zend.com), new BSD license
- 33: *
- 38: */
- 40: {
- 67: /********************* roles ****************d*g**/
- 70: /**
- 71: * Adds a Role to the list.
- 72: *
- 73: * The $parents parameter may be a Role identifier (or array of identifiers)
- 74: * to indicate the Roles from which the newly added Role will directly inherit.
- 75: *
- 76: * In order to resolve potential ambiguities with conflicting rules inherited
- 77: * from different parents, the most recently added parent takes precedence over
- 78: * parents that were previously added. In other words, the first parent added
- 79: * will have the least priority, and the last parent added will have the
- 80: * highest priority.
- 81: *
- 87: */
- 89: {
- 94: }
- 101: }
- 107: }
- 108: }
- 116: }
- 120: /**
- 121: * Returns TRUE if the Role exists in the list.
- 124: */
- 126: {
- 129: }
- 133: /**
- 134: * Checks whether Role is valid and exists in the list.
- 139: */
- 141: {
- 147: }
- 148: }
- 152: /**
- 153: * Returns an array of an existing Role's parents.
- 154: *
- 155: * The parent Roles are ordered in this array by ascending priority.
- 156: * The highest priority parent Role, last in the array, corresponds with
- 157: * the parent Role most recently added.
- 158: *
- 159: * If the Role does not have any parents, then an empty array is returned.
- 160: *
- 163: */
- 165: {
- 168: }
- 172: /**
- 173: * Returns TRUE if $role inherits from $inherit.
- 174: *
- 175: * If $onlyParents is TRUE, then $role must inherit directly from
- 176: * $inherit in order to return TRUE. By default, this method looks
- 177: * through the entire inheritance DAG to determine whether $role
- 178: * inherits from $inherit through its ancestor Roles.
- 179: *
- 185: */
- 187: {
- 195: }
- 200: }
- 201: }
- 204: }
- 208: /**
- 209: * Removes the Role from the list.
- 210: *
- 214: */
- 216: {
- 230: }
- 231: }
- 237: }
- 238: }
- 239: }
- 242: }
- 246: /**
- 247: * Removes all Roles from the list.
- 248: *
- 250: */
- 252: {
- 261: }
- 262: }
- 265: }
- 269: /********************* resources ****************d*g**/
- 273: /**
- 274: * Adds a Resource having an identifier unique to the list.
- 275: *
- 281: */
- 283: {
- 288: }
- 293: }
- 301: }
- 305: /**
- 306: * Returns TRUE if the Resource exists in the list.
- 309: */
- 311: {
- 314: }
- 318: /**
- 319: * Checks whether Resource is valid and exists in the list.
- 324: */
- 326: {
- 332: }
- 333: }
- 337: /**
- 338: * Returns TRUE if $resource inherits from $inherit.
- 339: *
- 340: * If $onlyParents is TRUE, then $resource must inherit directly from
- 341: * $inherit in order to return TRUE. By default, this method looks
- 342: * through the entire inheritance tree to determine whether $resource
- 343: * inherits from $inherit through its ancestor Resources.
- 344: *
- 350: */
- 352: {
- 358: }
- 366: }
- 372: }
- 373: }
- 376: }
- 380: /**
- 381: * Removes a Resource and all of its children.
- 382: *
- 386: */
- 388: {
- 394: }
- 400: }
- 406: }
- 407: }
- 408: }
- 413: }
- 417: /**
- 418: * Removes all Resources.
- 419: *
- 421: */
- 423: {
- 428: }
- 429: }
- 430: }
- 434: }
- 438: /********************* defining rules ****************d*g**/
- 442: /**
- 443: * Adds an "allow" rule to the list. A rule is added that would allow one
- 444: * or more Roles access to [certain $privileges upon] the specified Resource(s).
- 445: *
- 446: * If either $roles or $resources is Permission::ALL, then the rule applies to all Roles or all Resources,
- 447: * respectively. Both may be Permission::ALL in order to work with the default rule of the ACL.
- 448: *
- 449: * The $privileges parameter may be used to further specify that the rule applies only
- 450: * to certain privileges upon the Resource(s) in question. This may be specified to be a single
- 451: * privilege with a string, and multiple privileges may be specified as an array of strings.
- 452: *
- 453: * If $assertion is provided, then its assert() method must return TRUE in order for
- 454: * the rule to apply. If $assertion is provided with $roles, $resources, and $privileges all
- 455: * equal to NULL, then a rule will imply a type of DENY when the rule's assertion fails.
- 456: *
- 462: */
- 464: {
- 467: }
- 471: /**
- 472: * Adds a "deny" rule to the list. A rule is added that would deny one
- 473: * or more Roles access to [certain $privileges upon] the specified Resource(s).
- 474: *
- 475: * If either $roles or $resources is Permission::ALL, then the rule applies to all Roles or all Resources,
- 476: * respectively. Both may be Permission::ALL in order to work with the default rule of the ACL.
- 477: *
- 478: * The $privileges parameter may be used to further specify that the rule applies only
- 479: * to certain privileges upon the Resource(s) in question. This may be specified to be a single
- 480: * privilege with a string, and multiple privileges may be specified as an array of strings.
- 481: *
- 482: * If $assertion is provided, then its assert() method must return TRUE in order for
- 483: * the rule to apply. If $assertion is provided with $roles, $resources, and $privileges all
- 484: * equal to NULL, then a rule will imply a type of ALLOW when the rule's assertion fails.
- 485: *
- 491: */
- 493: {
- 496: }
- 500: /**
- 501: * Removes "allow" permissions from the list. The rule is removed only in the context
- 502: * of the given Roles, Resources, and privileges. Existing rules to which the remove
- 503: * operation does not apply would remain in the
- 504: *
- 509: */
- 510: public function removeAllow($roles = self::ALL, $resources = self::ALL, $privileges = self::ALL)
- 511: {
- 514: }
- 518: /**
- 519: * Removes "deny" restrictions from the list. The rule is removed only in the context
- 520: * of the given Roles, Resources, and privileges. Existing rules to which the remove
- 521: * operation does not apply would remain in the
- 522: *
- 527: */
- 528: public function removeDeny($roles = self::ALL, $resources = self::ALL, $privileges = self::ALL)
- 529: {
- 532: }
- 536: /**
- 537: * Performs operations on Access Control List rules.
- 538: *
- 547: */
- 549: {
- 550: // ensure that all specified Roles exist; normalize input to array of Roles or NULL
- 557: }
- 561: }
- 562: }
- 564: // ensure that all specified Resources exist; normalize input to array of Resources or NULL
- 571: }
- 575: }
- 576: }
- 578: // normalize privileges to array
- 584: }
- 596: }
- 601: }
- 602: }
- 603: }
- 604: }
- 612: }
- 623: }
- 625: }
- 628: }
- 634: }
- 635: }
- 636: }
- 637: }
- 638: }
- 639: }
- 640: }
- 644: /********************* querying the ACL ****************d*g**/
- 648: /**
- 649: * Returns TRUE if and only if the Role has access to the Resource.
- 650: *
- 651: * If either $role or $resource is Permission::ALL, then the query applies to all Roles or all Resources,
- 652: * respectively. Both may be Permission::ALL to query whether the ACL has a "blacklist" rule
- 653: * (allow everything to all). By default, Permission creates a "whitelist" rule (deny
- 654: * everything to all), and this method would return FALSE unless this default has
- 655: * been overridden (i.e., by executing $acl->allow()).
- 656: *
- 657: * If a $privilege is not provided, then this method returns FALSE if and only if the
- 658: * Role is denied access to at least one privilege upon the Resource. In other words, this
- 659: * method returns TRUE if and only if the Role is allowed all privileges on the Resource.
- 660: *
- 661: * This method checks Role inheritance using a depth-first traversal of the Role list.
- 662: * The highest priority parent (i.e., the parent most recently added) is checked first,
- 663: * and its respective parents are checked similarly before the lower-priority parents of
- 664: * the Role are checked.
- 665: *
- 671: */
- 673: {
- 678: }
- 680: }
- 686: }
- 688: }
- 691: // query on all privileges
- 693: // depth-first search on $role if it is not 'allRoles' pseudo-parent
- 696: }
- 698: // look for rule on 'allRoles' psuedo-parent
- 701: if (self::DENY === ($ruleTypeOnePrivilege = $this->getRuleType($resource, NULL, $privilege))) {
- 704: }
- 705: }
- 709: }
- 710: }
- 712: // try next Resource
- 718: // query on one privilege
- 720: // depth-first search on $role if it is not 'allRoles' pseudo-parent
- 721: if ($role !== NULL && NULL !== ($result = $this->roleDFSOnePrivilege($role, $resource, $privilege))) {
- 723: }
- 725: // look for rule on 'allRoles' pseudo-parent
- 733: }
- 735: // try next Resource
- 739: }
- 743: }
- 747: /**
- 750: */
- 752: {
- 754: }
- 758: /**
- 761: */
- 763: {
- 765: }
- 769: /********************* internals ****************d*g**/
- 773: /**
- 774: * Performs a depth-first search of the Role DAG, starting at $role, in order to find a rule.
- 775: * allowing/denying $role access to all privileges upon $resource
- 776: *
- 777: * This method returns TRUE if a rule is found and allows access. If a rule exists and denies access,
- 778: * then this method returns FALSE. If no applicable rule is found, then this method returns NULL.
- 779: *
- 783: */
- 785: {
- 795: }
- 796: }
- 797: }
- 800: }
- 804: /**
- 805: * Visits a $role in order to look for a rule allowing/denying $role access to all privileges upon $resource.
- 806: *
- 807: * This method returns TRUE if a rule is found and allows access. If a rule exists and denies access,
- 808: * then this method returns FALSE. If no applicable rule is found, then this method returns NULL.
- 809: *
- 810: * This method is used by the internal depth-first search algorithm and may modify the DFS data structure.
- 811: *
- 816: */
- 818: {
- 823: }
- 824: }
- 827: }
- 828: }
- 833: }
- 836: }
- 840: /**
- 841: * Performs a depth-first search of the Role DAG, starting at $role, in order to find a rule.
- 842: * allowing/denying $role access to a $privilege upon $resource
- 843: *
- 844: * This method returns TRUE if a rule is found and allows access. If a rule exists and denies access,
- 845: * then this method returns FALSE. If no applicable rule is found, then this method returns NULL.
- 846: *
- 851: */
- 853: {
- 861: if (NULL !== ($result = $this->roleDFSVisitOnePrivilege($role, $resource, $privilege, $dfs))) {
- 863: }
- 864: }
- 865: }
- 868: }
- 872: /**
- 873: * Visits a $role in order to look for a rule allowing/denying $role access to a $privilege upon $resource.
- 874: *
- 875: * This method returns TRUE if a rule is found and allows access. If a rule exists and denies access,
- 876: * then this method returns FALSE. If no applicable rule is found, then this method returns NULL.
- 877: *
- 878: * This method is used by the internal depth-first search algorithm and may modify the DFS data structure.
- 879: *
- 885: */
- 887: {
- 890: }
- 894: }
- 901: }
- 905: /**
- 906: * Returns the rule type associated with the specified Resource, Role, and privilege.
- 907: * combination.
- 908: *
- 909: * If a rule does not exist or its attached assertion fails, which means that
- 910: * the rule is not applicable, then this method returns NULL. Otherwise, the
- 911: * rule type applies and is returned as either ALLOW or DENY.
- 912: *
- 913: * If $resource or $role is Permission::ALL, then this means that the rule must apply to
- 914: * all Resources or Roles, respectively.
- 915: *
- 916: * If $privilege is Permission::ALL, then the rule must apply to all privileges.
- 917: *
- 918: * If all three parameters are Permission::ALL, then the default ACL rule type is returned,
- 919: * based on whether its assertion method passes.
- 920: *
- 925: */
- 927: {
- 928: // get the rules for the $resource and $role
- 931: }
- 933: // follow $privilege
- 939: }
- 945: }
- 947: // check assertion if necessary
- 948: if ($rule['assert'] === NULL || $rule['assert']->assert($this, $role, $resource, $privilege)) {
- 959: }
- 960: }
- 964: /**
- 965: * Returns the rules associated with a Resource and a Role, or NULL if no such rules exist.
- 966: *
- 967: * If either $resource or $role is Permission::ALL, this means that the rules returned are for all Resources or all Roles,
- 968: * respectively. Both can be Permission::ALL to return the default rule set for all Resources and all Roles.
- 969: *
- 970: * If the $create parameter is TRUE, then a rule set is first created and then returned to the caller.
- 971: *
- 976: */
- 978: {
- 979: // follow $resource
- 984: }
- 989: }
- 991: }
- 996: // follow $role
- 1002: }
- 1004: }
- 1006: }
- 1012: }
- 1014: }
- 1017: }
- 1019: }