Methods summary
public
NPermission
|
#
addRole( string $role, string|array $parents = NULL )
Adds a Role to the list.
The $parents parameter may be a Role identifier (or array of identifiers) to
indicate the Roles from which the newly added Role will directly inherit.
In order to resolve potential ambiguities with conflicting rules inherited
from different parents, the most recently added parent takes precedence over
parents that were previously added. In other words, the first parent added will
have the least priority, and the last parent added will have the highest
priority.
Parameters
- $role
string
- $parents
string|array
Returns
Throws
|
public
boolean
|
#
hasRole( string $role )
Returns TRUE if the Role exists in the list.
Returns TRUE if the Role exists in the list.
Parameters
Returns
boolean
|
public
array
|
#
getRoleParents( string $role )
Returns an array of an existing Role's parents.
Returns an array of an existing Role's parents.
The parent Roles are ordered in this array by ascending priority. The highest
priority parent Role, last in the array, corresponds with the parent Role most
recently added.
If the Role does not have any parents, then an empty array is returned.
Parameters
Returns
array
|
public
boolean
|
#
roleInheritsFrom( string $role, string $inherit, boolean $onlyParents = FALSE )
Returns TRUE if $role inherits from $inherit.
Returns TRUE if $role inherits from $inherit.
If $onlyParents is TRUE, then $role must inherit directly from $inherit in
order to return TRUE. By default, this method looks through the entire
inheritance DAG to determine whether $role inherits from $inherit through its
ancestor Roles.
Parameters
- $role
string
- $inherit
string
- $onlyParents
boolean
Returns
boolean
Throws
|
public
NPermission
|
#
removeRole( string $role )
Removes the Role from the list.
Removes the Role from the list.
Parameters
Returns
Throws
|
public
NPermission
|
#
removeAllRoles( )
Removes all Roles from the list.
Removes all Roles from the list.
Returns
|
public
NPermission
|
#
addResource( string $resource, string $parent = NULL )
Adds a Resource having an identifier unique to the list.
Adds a Resource having an identifier unique to the list.
Parameters
- $resource
string
- $parent
string
Returns
Throws
|
public
boolean
|
#
hasResource( string $resource )
Returns TRUE if the Resource exists in the list.
Returns TRUE if the Resource exists in the list.
Parameters
Returns
boolean
|
public
boolean
|
#
resourceInheritsFrom( string $resource, string $inherit, boolean $onlyParent = FALSE )
Returns TRUE if $resource inherits from $inherit.
Returns TRUE if $resource inherits from $inherit.
If $onlyParents is TRUE, then $resource must inherit directly from $inherit
in order to return TRUE. By default, this method looks through the entire
inheritance tree to determine whether $resource inherits from $inherit through
its ancestor Resources.
Parameters
- $resource
string
- $inherit
string
- $onlyParent
boolean
Returns
boolean
Throws
|
public
NPermission
|
#
removeResource( string $resource )
Removes a Resource and all of its children.
Removes a Resource and all of its children.
Parameters
Returns
Throws
|
public
NPermission
|
|
public
NPermission
|
#
allow( string|array|IAuthorizator::ALL $roles = IAuthorizator::ALL , string|array|IAuthorizator::ALL $resources = IAuthorizator::ALL , string|array|IAuthorizator::ALL $privileges = IAuthorizator::ALL , IPermissionAssertion $assertion = NULL )
Adds an "allow" rule to the list. A rule is added that would allow one or
more Roles access to [certain $privileges upon] the specified Resource(s).
Adds an "allow" rule to the list. A rule is added that would allow one or
more Roles access to [certain $privileges upon] the specified Resource(s).
If either $roles or $resources is NPermission::ALL, then the rule applies to
all Roles or all Resources, respectively. Both may be NPermission::ALL in order
to work with the default rule of the ACL.
The $privileges parameter may be used to further specify that the rule
applies only to certain privileges upon the Resource(s) in question. This may be
specified to be a single privilege with a string, and multiple privileges may be
specified as an array of strings.
If $assertion is provided, then its assert() method must return TRUE in order
for the rule to apply. If $assertion is provided with $roles, $resources, and
$privileges all equal to NULL, then a rule will imply a type of DENY when the
rule's assertion fails.
Parameters
Returns
|
public
NPermission
|
#
deny( string|array|IAuthorizator::ALL $roles = IAuthorizator::ALL , string|array|IAuthorizator::ALL $resources = IAuthorizator::ALL , string|array|IAuthorizator::ALL $privileges = IAuthorizator::ALL , IPermissionAssertion $assertion = NULL )
Adds a "deny" rule to the list. A rule is added that would deny one or more
Roles access to [certain $privileges upon] the specified Resource(s).
Adds a "deny" rule to the list. A rule is added that would deny one or more
Roles access to [certain $privileges upon] the specified Resource(s).
If either $roles or $resources is NPermission::ALL, then the rule applies to
all Roles or all Resources, respectively. Both may be NPermission::ALL in order
to work with the default rule of the ACL.
The $privileges parameter may be used to further specify that the rule
applies only to certain privileges upon the Resource(s) in question. This may be
specified to be a single privilege with a string, and multiple privileges may be
specified as an array of strings.
If $assertion is provided, then its assert() method must return TRUE in order
for the rule to apply. If $assertion is provided with $roles, $resources, and
$privileges all equal to NULL, then a rule will imply a type of ALLOW when the
rule's assertion fails.
Parameters
Returns
|
public
NPermission
|
#
removeAllow( string|array|IAuthorizator::ALL $roles = IAuthorizator::ALL , string|array|IAuthorizator::ALL $resources = IAuthorizator::ALL , string|array|IAuthorizator::ALL $privileges = IAuthorizator::ALL )
Removes "allow" permissions from the list. The rule is removed only in the
context of the given Roles, Resources, and privileges. Existing rules to which
the remove operation does not apply would remain in the
Removes "allow" permissions from the list. The rule is removed only in the
context of the given Roles, Resources, and privileges. Existing rules to which
the remove operation does not apply would remain in the
Parameters
Returns
|
public
NPermission
|
#
removeDeny( string|array|IAuthorizator::ALL $roles = IAuthorizator::ALL , string|array|IAuthorizator::ALL $resources = IAuthorizator::ALL , string|array|IAuthorizator::ALL $privileges = IAuthorizator::ALL )
Removes "deny" restrictions from the list. The rule is removed only in the
context of the given Roles, Resources, and privileges. Existing rules to which
the remove operation does not apply would remain in the
Removes "deny" restrictions from the list. The rule is removed only in the
context of the given Roles, Resources, and privileges. Existing rules to which
the remove operation does not apply would remain in the
Parameters
Returns
|
protected
NPermission
|
|
public
boolean
|
#
isAllowed( string|IAuthorizator::ALL |IRole $role = IAuthorizator::ALL , string|IAuthorizator::ALL |IResource $resource = IAuthorizator::ALL , string|IAuthorizator::ALL $privilege = IAuthorizator::ALL )
Returns TRUE if and only if the Role has access to the Resource.
Returns TRUE if and only if the Role has access to the Resource.
If either $role or $resource is NPermission::ALL, then the query applies to
all Roles or all Resources, respectively. Both may be NPermission::ALL to query
whether the ACL has a "blacklist" rule (allow everything to all). By default,
Permission creates a "whitelist" rule (deny everything to all), and this method
would return FALSE unless this default has been overridden (i.e., by executing
$acl->allow()).
If a $privilege is not provided, then this method returns FALSE if and only
if the Role is denied access to at least one privilege upon the Resource. In
other words, this method returns TRUE if and only if the Role is allowed all
privileges on the Resource.
This method checks Role inheritance using a depth-first traversal of the Role
list. The highest priority parent (i.e., the parent most recently added) is
checked first, and its respective parents are checked similarly before the
lower-priority parents of the Role are checked.
Parameters
Returns
boolean
Throws
Implementation of
|
public
mixed
|
#
getQueriedRole( )
Returns real currently queried Role. Use by IPermissionAssertion::asert().
Returns real currently queried Role. Use by IPermissionAssertion::asert().
Returns
mixed
|
public
mixed
|
#
getQueriedResource( )
Returns real currently queried Resource. Use by IPermissionAssertion::asert().
Returns real currently queried Resource. Use by IPermissionAssertion::asert().
Returns
mixed
|