class Permission implements Authorizator

Access control list (ACL) functionality and privileges management.

This solution is mostly based on Zend_Acl (c) Zend Technologies USA Inc. (https://www.zend.com), new BSD license

Methods

addRole(string $role, string|array $parents = null)

Adds a Role to the list. The most recently added parent takes precedence over parents that were previously added.

bool
hasRole(string $role)

Returns true if the Role exists in the list.

array
getRoles()

Returns all Roles.

array
getRoleParents(string $role)

Returns existing Role's parents ordered by ascending priority.

bool
roleInheritsFrom(string $role, string $inherit, bool $onlyParents = false)

Returns true if $role inherits from $inherit. If $onlyParents is true, then $role must inherit directly from $inherit.

removeRole(string $role)

Removes the Role from the list.

removeAllRoles()

Removes all Roles from the list.

addResource(string $resource, string|null $parent = null)

Adds a Resource having an identifier unique to the list.

bool
hasResource(string $resource)

Returns true if the Resource exists in the list.

array
getResources()

Returns all Resources.

bool
resourceInheritsFrom(string $resource, string $inherit, bool $onlyParent = false)

Returns true if $resource inherits from $inherit. If $onlyParent is true, then $resource must inherit directly from $inherit.

removeResource(string $resource)

Removes a Resource and all of its children.

removeAllResources()

Removes all Resources.

allow(string|string[]|null $roles = self::All, string|string[]|null $resources = self::All, string|string[]|null $privileges = self::All, callable|null $assertion = null)

Allows one or more Roles access to [certain $privileges upon] the specified Resource(s).

deny(string|string[]|null $roles = self::All, string|string[]|null $resources = self::All, string|string[]|null $privileges = self::All, callable|null $assertion = null)

Denies one or more Roles access to [certain $privileges upon] the specified Resource(s).

removeAllow(string|string[]|null $roles = self::All, string|string[]|null $resources = self::All, string|string[]|null $privileges = self::All)

Removes "allow" permissions from the list in the context of the given Roles, Resources, and privileges.

removeDeny(string|string[]|null $roles = self::All, string|string[]|null $resources = self::All, string|string[]|null $privileges = self::All)

Removes "deny" restrictions from the list in the context of the given Roles, Resources, and privileges.

setRule(bool $toAdd, bool $type, string|string[]|null $roles, string|string[]|null $resources, string|string[]|null $privileges, callable|null $assertion = null)

Performs operations on Access Control List rules.

bool
isAllowed(string|null $role = self::All, string|null $resource = self::All, string|null $privilege = self::All)

Returns true if and only if the Role has access to [certain $privileges upon] the Resource.

mixed
getQueriedRole()

Returns the actual Role currently being queried. Intended for use inside an assertion.

mixed
getQueriedResource()

Returns the actual Resource currently being queried. Intended for use inside an assertion.

Details

at line 62
Permission addRole(string $role, string|array $parents = null)

Adds a Role to the list. The most recently added parent takes precedence over parents that were previously added.

Parameters

string $role
string|array $parents

Return Value

Permission

Exceptions

InvalidArgumentException
InvalidStateException

at line 95
bool hasRole(string $role)

Returns true if the Role exists in the list.

Parameters

string $role

Return Value

bool

at line 120
array getRoles()

Returns all Roles.

Return Value

array

at line 129
array getRoleParents(string $role)

Returns existing Role's parents ordered by ascending priority.

Parameters

string $role

Return Value

array

at line 141
bool roleInheritsFrom(string $role, string $inherit, bool $onlyParents = false)

Returns true if $role inherits from $inherit. If $onlyParents is true, then $role must inherit directly from $inherit.

Parameters

string $role
string $inherit
bool $onlyParents

Return Value

bool

Exceptions

InvalidStateException

at line 168
Permission removeRole(string $role)

Removes the Role from the list.

Parameters

string $role

Return Value

Permission

Exceptions

InvalidStateException

at line 207
Permission removeAllRoles()

Removes all Roles from the list.

Return Value

Permission

at line 235
Permission addResource(string $resource, string|null $parent = null)

Adds a Resource having an identifier unique to the list.

Parameters

string $resource
string|null $parent

Return Value

Permission

Exceptions

InvalidArgumentException
InvalidStateException

at line 260
bool hasResource(string $resource)

Returns true if the Resource exists in the list.

Parameters

string $resource

Return Value

bool

at line 285
array getResources()

Returns all Resources.

Return Value

array

at line 297
bool resourceInheritsFrom(string $resource, string $inherit, bool $onlyParent = false)

Returns true if $resource inherits from $inherit. If $onlyParent is true, then $resource must inherit directly from $inherit.

Parameters

string $resource
string $inherit
bool $onlyParent

Return Value

bool

Exceptions

InvalidStateException

at line 331
Permission removeResource(string $resource)

Removes a Resource and all of its children.

Parameters

string $resource

Return Value

Permission

Exceptions

InvalidStateException

at line 363
Permission removeAllResources()

Removes all Resources.

Return Value

Permission

at line 390
Permission allow(string|string[]|null $roles = self::All, string|string[]|null $resources = self::All, string|string[]|null $privileges = self::All, callable|null $assertion = null)

Allows one or more Roles access to [certain $privileges upon] the specified Resource(s).

If $assertion is provided, it must return true for the rule to apply.

Parameters

string|string[]|null $roles
string|string[]|null $resources
string|string[]|null $privileges
callable|null $assertion

Return Value

Permission

at line 410
Permission deny(string|string[]|null $roles = self::All, string|string[]|null $resources = self::All, string|string[]|null $privileges = self::All, callable|null $assertion = null)

Denies one or more Roles access to [certain $privileges upon] the specified Resource(s).

If $assertion is provided, it must return true for the rule to apply.

Parameters

string|string[]|null $roles
string|string[]|null $resources
string|string[]|null $privileges
callable|null $assertion

Return Value

Permission

at line 429
Permission removeAllow(string|string[]|null $roles = self::All, string|string[]|null $resources = self::All, string|string[]|null $privileges = self::All)

Removes "allow" permissions from the list in the context of the given Roles, Resources, and privileges.

Parameters

string|string[]|null $roles
string|string[]|null $resources
string|string[]|null $privileges

Return Value

Permission

at line 444
Permission removeDeny(string|string[]|null $roles = self::All, string|string[]|null $resources = self::All, string|string[]|null $privileges = self::All)

Removes "deny" restrictions from the list in the context of the given Roles, Resources, and privileges.

Parameters

string|string[]|null $roles
string|string[]|null $resources
string|string[]|null $privileges

Return Value

Permission

at line 459
protected Permission setRule(bool $toAdd, bool $type, string|string[]|null $roles, string|string[]|null $resources, string|string[]|null $privileges, callable|null $assertion = null)

Performs operations on Access Control List rules.

Parameters

bool $toAdd
bool $type
string|string[]|null $roles
string|string[]|null $resources
string|string[]|null $privileges
callable|null $assertion

Return Value

Permission

Exceptions

InvalidStateException

at line 574
bool isAllowed(string|null $role = self::All, string|null $resource = self::All, string|null $privilege = self::All)

Returns true if and only if the Role has access to [certain $privileges upon] the Resource.

This method checks Role inheritance using a depth-first traversal of the Role list. The highest priority parent (i.e., the parent most recently added) is checked first, and its respective parents are checked similarly before the lower-priority parents of the Role are checked.

Parameters

string|null $role
string|null $resource
string|null $privilege

Return Value

bool

Exceptions

InvalidStateException
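
The parent-precedence and assertion behaviour described for addRole(), allow() and isAllowed(), shown as an added example that is not part of the original documentation or the project's own code. It assumes nette/security is installed through Composer; the role names, the 'article' resource, the privilege names and the buildAcl() helper are hypothetical.

```php
<?php
declare(strict_types=1);

// Assumption: nette/security installed via Composer; adjust the autoload path as needed.
require __DIR__ . '/vendor/autoload.php';

use Nette\Security\Permission;

// Hypothetical helper: builds an ACL where 'user' inherits from $parents in the given order.
function buildAcl(array $parents, callable $isOwner): Permission
{
	$acl = new Permission;
	$acl->addRole('member');
	$acl->addRole('suspended');
	$acl->addRole('user', $parents); // last array element = most recently added parent
	$acl->addResource('article');

	$acl->allow('member', 'article', 'comment');
	$acl->deny('suspended', 'article', 'comment');
	// Conditional rule: it only applies while the assertion returns true.
	$acl->allow('member', 'article', 'edit', $isOwner);
	return $acl;
}

$owner = fn(): bool => true;     // constructed stand-in for an ownership check
$stranger = fn(): bool => false;

// Same rules, different parent order: the parent added last is consulted first,
// so whether the 'suspended' deny or the 'member' allow is found first depends on order.
$denyFirst = buildAcl(['member', 'suspended'], $owner);
$allowFirst = buildAcl(['suspended', 'member'], $owner);
var_dump($denyFirst->getRoleParents('user'));
var_dump($denyFirst->isAllowed('user', 'article', 'comment'));
var_dump($allowFirst->isAllowed('user', 'article', 'comment'));

// When the assertion returns false the allow rule is skipped, and the query
// falls through to whatever other rules (or the default) remain.
var_dump(buildAcl([], $owner)->isAllowed('member', 'article', 'edit'));
var_dump(buildAcl([], $stranger)->isAllowed('member', 'article', 'edit'));

// Querying a role that was never added is an error, not a silent "false".
try {
	$denyFirst->isAllowed('ghost', 'article', 'comment');
} catch (Nette\InvalidStateException $e) {
	echo 'Unknown role rejected: ', $e->getMessage(), "\n";
}
```

When a restrictive role such as the hypothetical 'suspended' is combined with permissive ones, add it last in the parent list so that its deny rules are the first ones reached during the traversal.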

at line 633
mixed getQueriedRole()

Returns the actual Role currently being queried. Intended for use inside an assertion.

Return Value

mixed

at line 643
mixed getQueriedResource()

Returns the actual Resource currently being queried. Intended for use inside an assertion.

Return Value

mixed

Traits

SmartObject