
<?php
/**
* This program is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public License
* as published by the Free Software Foundation; under version 2
* of the License (non-upgradable).
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
*
* Copyright (c) 2013 (original work) Open Assessment Technologies SA (under the project TAO-PRODUCT);
*
*/
namespace oat\funcAcl\models;
use oat\funcAcl\helpers\CacheHelper;
use oat\funcAcl\helpers\MapHelper;
use oat\tao\model\accessControl\func\FuncAccessControl;
use oat\tao\model\accessControl\func\AccessRule;
use oat\oatbox\user\User;
use oat\oatbox\service\ConfigurableService;
use oat\tao\model\accessControl\AccessControl;
/**
* Proxy for the Acl Implementation
*
* @access public
* @author Joel Bout, <joel@taotesting.com>
* @package tao
*/
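class FuncAcl extends ConfigurableService implements FuncAccessControl, AccessControl
{
    /**
     * Checks whether one of the user's roles may call $action on $controller.
     *
     * The roles allowed on the whole controller ('module') and the roles allowed
     * on the specific action are merged; a single overlap with the user's roles
     * grants access. A controller that CacheHelper cannot resolve
     * (ReflectionException) is treated as inaccessible, i.e. the check fails closed.
     *
     * (non-PHPdoc)
     * @see \oat\tao\model\accessControl\func\FuncAccessControl::accessPossible()
     *
     * @param User   $user
     * @param string $controller controller class name
     * @param string $action     action (method) name
     * @return bool
     */
    public function accessPossible(User $user, $controller, $action)
    {
        $userRoles = $user->getRoles();
        try {
            $controllerAccess = CacheHelper::getControllerAccess($controller);
            $allowedRoles = $controllerAccess['module'];
            if (isset($controllerAccess['actions'][$action])) {
                $allowedRoles = array_merge($allowedRoles, $controllerAccess['actions'][$action]);
            }
            // array_intersect() compares by string representation, which is what role URIs need
            return count(array_intersect($userRoles, $allowedRoles)) > 0;
        } catch (\ReflectionException $e) {
            // unknown controller: deny rather than guess
            \common_Logger::i('Unknown controller ' . $controller);
            return false;
        }
    }

    /**
     * AccessControl entry point. $parameters play no part in the functional ACL
     * decision and are ignored.
     *
     * @see \oat\tao\model\accessControl\AccessControl::hasAccess()
     *
     * @param User   $user
     * @param string $controllerName
     * @param string $actionName
     * @param array  $parameters
     * @return bool
     */
    public function hasAccess(User $user, $controllerName, $actionName, $parameters)
    {
        return $this->accessPossible($user, $controllerName, $actionName);
    }

    /**
     * Applies a rule: a grant rule grants the rule's role access to the ACL
     * component its mask resolves to, a deny rule revokes the access the
     * equivalent grant rule would give.
     *
     * @param AccessRule $rule
     * @return void
     */
    public function applyRule(AccessRule $rule)
    {
        if ($rule->isGrant()) {
            $this->changeAccess($rule, true);
            return;
        }
        // a deny rule is expressed as the revocation of the matching grant rule
        $this->revokeRule(new AccessRule(AccessRule::GRANT, $rule->getRole(), $rule->getMask()));
    }

    /**
     * Revokes the access a grant rule gives. Non-grant rules are rejected with a
     * warning, as there is nothing to revoke for them.
     *
     * @param AccessRule $rule
     * @return void
     */
    public function revokeRule(AccessRule $rule)
    {
        if (!$rule->isGrant()) {
            \common_Logger::w('Only grant rules accepted in ' . __CLASS__);
            return;
        }
        $this->changeAccess($rule, false);
    }

    /**
     * Grants or revokes, for the rule's role, the ACL component the rule's mask
     * resolves to: one element is an extension, two a module, three an action.
     *
     * @param AccessRule $rule  a grant rule (callers have already checked isGrant())
     * @param bool       $grant true to grant, false to revoke
     * @return void
     */
    private function changeAccess(AccessRule $rule, bool $grant)
    {
        $accessService = AccessService::singleton();
        $role = $rule->getRole();
        $elements = $this->evalFilterMask($rule->getMask());
        switch (count($elements)) {
            case 1:
                [$extension] = $elements;
                if ($grant) {
                    $accessService->grantExtensionAccess($role, $extension);
                } else {
                    $accessService->revokeExtensionAccess($role, $extension);
                }
                break;
            case 2:
                [$extension, $shortName] = $elements;
                if ($grant) {
                    $accessService->grantModuleAccess($role, $extension, $shortName);
                } else {
                    $accessService->revokeModuleAccess($role, $extension, $shortName);
                }
                break;
            case 3:
                [$extension, $shortName, $action] = $elements;
                if ($grant) {
                    $accessService->grantActionAccess($role, $extension, $shortName, $action);
                } else {
                    $accessService->revokeActionAccess($role, $extension, $shortName, $action);
                }
                break;
            default:
                // an uninterpretable mask yields [] and evalFilterMask() has already logged a warning
                break;
        }
    }

    /**
     * Evaluates a rule mask to the tao ACL component it denotes.
     *
     * Supported masks:
     *  - string 'ControllerClass' or 'ControllerClass@action'
     *  - array with 'ext' [, 'mod' [, 'act']] keys naming the component explicitly
     *  - array with a 'controller' key holding a controller class name
     *  - array with an 'act' key of the form 'ControllerClass@action'
     *
     * @param mixed $mask
     * @return string[] [extension], [extension, module] or [extension, module, action];
     *                  an empty array (after a logged warning) when the mask cannot be interpreted
     */
    public function evalFilterMask($mask)
    {
        if (is_string($mask)) {
            return $this->evalStringMask($mask);
        }
        if (is_array($mask)) {
            return $this->evalArrayMask($mask);
        }
        \common_Logger::w('Uninterpretable filtertype ' . gettype($mask));
        return [];
    }

    /**
     * Resolves a 'Controller' or 'Controller@action' string mask.
     *
     * @param string $mask
     * @return string[] see evalFilterMask()
     */
    private function evalStringMask(string $mask)
    {
        $controller = $mask;
        $action = null;
        if (strpos($mask, '@') !== false) {
            [$controller, $action] = explode('@', $mask, 2);
        }
        // class_exists() autoloads whatever class name the mask carries; masks are
        // expected to come from access rules, not from request data (NOTE(review): confirm at callers)
        if (!class_exists($controller)) {
            \common_Logger::w('Unknown controller ' . $controller);
            return [];
        }
        $component = [
            MapHelper::getExtensionFromController($controller),
            $this->getControllerShortName($controller),
        ];
        if ($action !== null) {
            $component[] = $action;
        }
        return $component;
    }

    /**
     * Resolves an array mask; see evalFilterMask() for the accepted keys.
     * The explicit 'ext'/'mod'/'act' keys take precedence over 'controller',
     * which in turn takes precedence over a 'Controller@action' style 'act' key.
     *
     * @param array $mask
     * @return string[] see evalFilterMask()
     */
    private function evalArrayMask(array $mask)
    {
        if (isset($mask['ext'])) {
            $component = [$mask['ext']];
            if (isset($mask['mod'])) {
                $component[] = $mask['mod'];
                if (isset($mask['act'])) {
                    $component[] = $mask['act'];
                }
            }
            return $component;
        }
        if (isset($mask['controller'])) {
            // NOTE(review): unlike the string form, no class_exists() check is made here;
            // MapHelper is relied on to cope with an unknown controller name
            return [
                MapHelper::getExtensionFromController($mask['controller']),
                $this->getControllerShortName($mask['controller']),
            ];
        }
        if (isset($mask['act']) && strpos($mask['act'], '@') !== false) {
            [$controller, $action] = explode('@', $mask['act'], 2);
            return [
                MapHelper::getExtensionFromController($controller),
                $this->getControllerShortName($controller),
                $action,
            ];
        }
        \common_Logger::w('Uninterpretable filter in ' . __CLASS__);
        return [];
    }

    /**
     * Short (unqualified) name of a controller: the part after the last
     * namespace separator, or after the last underscore for underscore-separated
     * legacy class names. A name without either separator is returned unchanged
     * (previously strrpos() returning false silently dropped its first character).
     *
     * @param string $controller
     * @return string
     */
    private function getControllerShortName(string $controller)
    {
        $separator = strpos($controller, '\\') !== false ? '\\' : '_';
        $position = strrpos($controller, $separator);
        return $position === false ? $controller : substr($controller, $position + 1);
    }
}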