class Permission implements Authorizator

Access control list (ACL) functionality and privileges management.

This solution is mostly based on Zend_Acl (c) Zend Technologies USA Inc. (https://www.zend.com), new BSD license

Methods

addRole(string $role, string|array $parents = null)

Adds a Role to the list. The most recently added parent takes precedence over parents that were previously added.

bool
hasRole(string $role)

Returns true if the Role exists in the list.

array
getRoles()

Returns all Roles.

array
getRoleParents(string $role)

Returns the existing Role's parents ordered by ascending priority.

bool
roleInheritsFrom(string $role, string $inherit, bool $onlyParents = false)

Returns true if $role inherits from $inherit. If $onlyParents is true, then $role must inherit directly from $inherit.

removeRole(string $role)

Removes the Role from the list.

removeAllRoles()

Removes all Roles from the list.

addResource(string $resource, string|null $parent = null)

Adds a Resource having an identifier unique to the list.

bool
hasResource(string $resource)

Returns true if the Resource exists in the list.

array
getResources()

Returns all Resources.

bool
resourceInheritsFrom(string $resource, string $inherit, bool $onlyParent = false)

Returns true if $resource inherits from $inherit. If $onlyParent is true, then $resource must inherit directly from $inherit.

removeResource(string $resource)

Removes a Resource and all of its children.

removeAllResources()

Removes all Resources.

allow(string|array|null $roles = self::All, string|array|null $resources = self::All, string|array|null $privileges = self::All, callable|null $assertion = null)

Allows one or more Roles access to [certain $privileges upon] the specified Resource(s).

deny(string|array|null $roles = self::All, string|array|null $resources = self::All, string|array|null $privileges = self::All, callable|null $assertion = null)

Denies one or more Roles access to [certain $privileges upon] the specified Resource(s).

removeAllow(string|array|null $roles = self::All, string|array|null $resources = self::All, string|array|null $privileges = self::All)

Removes "allow" permissions from the list in the context of the given Roles, Resources, and privileges.

removeDeny(string|array|null $roles = self::All, string|array|null $resources = self::All, string|array|null $privileges = self::All)

Removes "deny" restrictions from the list in the context of the given Roles, Resources, and privileges.

void
setRule(bool $toAdd, bool $type, string|array|null $roles, string|array|null $resources, string|array|null $privileges, callable|null $assertion = null)

Performs operations on Access Control List rules.

bool
isAllowed(string|null $role = self::All, string|null $resource = self::All, string|null $privilege = self::All)

Returns true if and only if the Role has access to [certain $privileges upon] the Resource.

Role|null
getQueriedRole()

Returns the Role actually being queried. Intended for use inside assertions.

Resource|null
getQueriedResource()

Returns the Resource actually being queried. Intended for use inside assertions.

Details

at line 53
Permission addRole(string $role, string|array $parents = null)

Adds a Role to the list. The most recently added parent takes precedence over parents that were previously added.

Parameters

string $role
string|array $parents

Return Value

Permission

Exceptions

InvalidArgumentException
InvalidStateException

at line 86
bool hasRole(string $role)

Returns true if the Role exists in the list.

Parameters

string $role

Return Value

bool

at line 111
array getRoles()

Returns all Roles.

Return Value

array

at line 120
array getRoleParents(string $role)

Returns the existing Role's parents ordered by ascending priority.

Parameters

string $role

Return Value

array

at line 132
bool roleInheritsFrom(string $role, string $inherit, bool $onlyParents = false)

Returns true if $role inherits from $inherit. If $onlyParents is true, then $role must inherit directly from $inherit.

Parameters

string $role
string $inherit
bool $onlyParents

Return Value

bool

Exceptions

InvalidStateException

at line 158
Permission removeRole(string $role)

Removes the Role from the list.

Parameters

string $role

Return Value

Permission

Exceptions

InvalidStateException

at line 195
Permission removeAllRoles()

Removes all Roles from the list.

Return Value

Permission

at line 222
Permission addResource(string $resource, string|null $parent = null)

Adds a Resource having an identifier unique to the list.

Parameters

string $resource
string|null $parent

Return Value

Permission

Exceptions

InvalidArgumentException
InvalidStateException

at line 247
bool hasResource(string $resource)

Returns true if the Resource exists in the list.

Parameters

string $resource

Return Value

bool

at line 272
array getResources()

Returns all Resources.

Return Value

array

at line 284
bool resourceInheritsFrom(string $resource, string $inherit, bool $onlyParent = false)

Returns true if $resource inherits from $inherit. If $onlyParent is true, then $resource must inherit directly from $inherit.

Parameters

string $resource
string $inherit
bool $onlyParent

Return Value

bool

Exceptions

InvalidStateException

at line 317
Permission removeResource(string $resource)

Removes a Resource and all of its children.

Parameters

string $resource

Return Value

Permission

Exceptions

InvalidStateException

at line 348
Permission removeAllResources()

Removes all Resources.

Return Value

Permission

at line 370
Permission allow(string|array|null $roles = self::All, string|array|null $resources = self::All, string|array|null $privileges = self::All, callable|null $assertion = null)

Allows one or more Roles access to [certain $privileges upon] the specified Resource(s).

If $assertion is provided, then it must return true in order for the rule to apply.

Parameters

string|array|null $roles
string|array|null $resources
string|array|null $privileges
callable|null $assertion

Return Value

Permission

at line 386
Permission deny(string|array|null $roles = self::All, string|array|null $resources = self::All, string|array|null $privileges = self::All, callable|null $assertion = null)

Denies one or more Roles access to [certain $privileges upon] the specified Resource(s).

If $assertion is provided, then it must return true in order for the rule to apply.

Parameters

string|array|null $roles
string|array|null $resources
string|array|null $privileges
callable|null $assertion

Return Value

Permission

at line 401
Permission removeAllow(string|array|null $roles = self::All, string|array|null $resources = self::All, string|array|null $privileges = self::All)

Removes "allow" permissions from the list in the context of the given Roles, Resources, and privileges.

Parameters

string|array|null $roles
string|array|null $resources
string|array|null $privileges

Return Value

Permission

at line 415
Permission removeDeny(string|array|null $roles = self::All, string|array|null $resources = self::All, string|array|null $privileges = self::All)

Removes "deny" restrictions from the list in the context of the given Roles, Resources, and privileges.

Parameters

string|array|null $roles
string|array|null $resources
string|array|null $privileges

Return Value

Permission

at line 430
protected void setRule(bool $toAdd, bool $type, string|array|null $roles, string|array|null $resources, string|array|null $privileges, callable|null $assertion = null)

Performs operations on Access Control List rules.

Parameters

bool $toAdd
bool $type
string|array|null $roles
string|array|null $resources
string|array|null $privileges
callable|null $assertion

Return Value

void

Exceptions

InvalidStateException

at line 547
bool isAllowed(string|null $role = self::All, string|null $resource = self::All, string|null $privilege = self::All)

Returns true if and only if the Role has access to [certain $privileges upon] the Resource.

This method checks Role inheritance using a depth-first traversal of the Role list. The highest priority parent (i.e., the parent most recently added) is checked first, and its respective parents are checked similarly before the lower-priority parents of the Role are checked.

Parameters

string|null $role
string|null $resource
string|null $privilege

Return Value

bool

Exceptions

InvalidStateException
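
The parent-precedence rule of addRole()/isAllowed() and the assertion behaviour of allow(), as an added example (not code from the Permission source). It assumes the class autoloads as Nette\Security\Permission through Composer's vendor/autoload.php; the role, resource and privilege names are constructed for illustration.

```php
<?php
// Added example, not part of the Permission source. Assumption: the class is
// installed with Composer and autoloads as Nette\Security\Permission.
declare(strict_types=1);
require __DIR__ . '/vendor/autoload.php';

use Nette\Security\Permission;

// Constructed roles/resources: 'guest' may not edit articles, 'member' may.
function buildAcl(array $editorParents): Permission
{
    $acl = new Permission;
    $acl->addRole('guest');
    $acl->addRole('member');
    $acl->addRole('editor', $editorParents); // last parent listed is checked first
    $acl->addResource('article');
    $acl->deny('guest', 'article', 'edit');
    $acl->allow('member', 'article', 'edit');
    return $acl;
}

// Fails loudly if the ACL does not decide the way the policy author intended.
function expect(bool $wanted, bool $actual, string $case): void
{
    if ($wanted !== $actual) {
        throw new RuntimeException("ACL regression: $case");
    }
    echo "ok: $case\n";
}

// Same rules, different parent order, opposite decision.
$memberLast = buildAcl(['guest', 'member']);
expect(true, $memberLast->isAllowed('editor', 'article', 'edit'), 'member rule wins');
$guestLast = buildAcl(['member', 'guest']);
expect(false, $guestLast->isAllowed('editor', 'article', 'edit'), 'guest deny wins');

// No rule mentions 'delete': nothing allows it, so the check is refused.
expect(false, $memberLast->isAllowed('editor', 'article', 'delete'), 'no rule, no access');

// An allow rule with an assertion applies only while the callable returns true.
$reviewed = false;
$memberLast->allow('member', 'article', 'publish', function () use (&$reviewed): bool {
    return $reviewed;
});
expect(false, $memberLast->isAllowed('editor', 'article', 'publish'), 'assertion false');
$reviewed = true;
expect(true, $memberLast->isAllowed('editor', 'article', 'publish'), 'assertion true');
```

Running checks like these against the production role graph catches a reordered parent list that silently turns an inherited deny into an allow.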

at line 609
Role|null getQueriedRole()

Returns the Role actually being queried. Intended for use inside assertions.

Return Value

Role|null

at line 618
Resource|null getQueriedResource()

Returns the Resource actually being queried. Intended for use inside assertions.

Return Value

Resource|null