source: trunk/bin/acl.cli.php @ 171

Last change on this file since 171 was 171, checked in by scdev, 18 years ago

Q - wrote the new codebase Access Control List class, along with command line script for managing permissions.

#!/usr/local/bin/php
<?php
/*
* acl.cli.php
* Code by Strangecode :: www.strangecode.com :: This document contains copyrighted information.
* @author   Quinn Comendant <quinn@strangecode.com>
* @version  1.0
* @since    14 Jun 2006 23:10:45
*/


/********************************************************************
* STARTUP
********************************************************************/

// Give them a fighting chance. Show the help message. ;P
// help() prints the usage text and exits, so nothing below runs when no
// command was supplied.
if ($_SERVER['argc'] < 2) {
    help();
}

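// Make sure necessary files exist.
// This tool reads DB credentials from global/db_auth.inc.php, so it must be run
// from the common site directory (the parent of the document root).
$common_base = realpath('.');
if (false === $common_base) {
    fwrite(STDERR, sprintf("%s error: unable to resolve the current directory.\n", $_SERVER['argv'][0]));
    exit(1);
}
define('COMMON_BASE', $common_base);
$db_quth_file = COMMON_BASE . '/global/db_auth.inc.php';
if (!file_exists($db_quth_file)) {
    fwrite(STDERR, sprintf("%s error: the current directory must be common site directory (i.e. the parent directory of the document root) AND the global/db_auth.inc.php file must exist.\n", $_SERVER['argv'][0]));
    exit(1);
}

// Only the owner of the credentials file may drive the ACL with it. getmyuid()
// reports the owner of this script file rather than the invoking user, so prefer
// the real process uid when the posix extension is available.
$invoking_uid = function_exists('posix_getuid') ? posix_getuid() : getmyuid();
// fileowner() returns false on failure; compare strictly so a failed lookup never passes.
if (fileowner($db_quth_file) !== $invoking_uid) {
    fwrite(STDERR, sprintf("%s error: you must execute this script as the owner of the web files.\n", $_SERVER['argv'][0]));
    exit(1);
}

// Set include path so 'codebase/...' and 'global/...' resolve relative to COMMON_BASE.
ini_set('include_path', get_include_path() . PATH_SEPARATOR . COMMON_BASE);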


/********************************************************************
* CONFIG
********************************************************************/

// Include core libraries.
require_once 'codebase/lib/App.inc.php';
require_once 'codebase/lib/Utilities.inc.php';

// Parameters for this command-line run: no session, database enabled with
// db_die_on_failure set, errors shown on screen, logging under COMMON_BASE/log.
// NOTE(review): the instance name 'module_maker' looks carried over from another
// CLI script — confirm it is the intended name for the ACL tool.
$app =& App::getInstance('module_maker');
$cli_params = array(
    'site_name'           => 'ACL cli',
    'site_email'          => 'codebase@strangecode.com',
    'enable_session'      => false,
    'enable_db'           => true,
    'db_always_debug'     => false,
    'db_debug'            => true,
    'db_die_on_failure'   => true,
    'display_errors'      => true,
    'error_reporting'     => E_ALL,
    'log_file_priority'   => LOG_DEBUG,
    'log_screen_priority' => LOG_NOTICE,
    'log_directory'       => COMMON_BASE . '/log',
    'log_filename'        => 'site_log',
);
$app->setParam($cli_params);

// DB credentials come from the site's own file (its existence and ownership
// are verified during STARTUP above).
require_once 'global/db_auth.inc.php';

// Start application-based functionality: database, session, environment, ini setup, etc.
// Most configuration parameters must be set before starting the App.
$app->start();

// Global DB object. Automatically pre-configured by $app->start().
$db =& DB::getInstance();

// ACL!
require_once 'codebase/lib/ACL.inc.php';
$acl =& ACL::getInstance();


/********************************************************************
* MAIN
********************************************************************/

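// Dispatch on the first argument. Every command reads its operands from
// $_SERVER['argv'] and prints a one-word result; a missing mandatory operand
// prints a hint and stops the command instead of calling the ACL with null.
$op = $_SERVER['argv'][1];
switch ($op) {
case 'list' :
    // Optional second argument narrows the listing to one object type.
    $type = isset($_SERVER['argv'][2]) ? $_SERVER['argv'][2] : null;
    if (isset($type)) {
        listACL('root', $type);
    } else {
        echo "\n_______________________Access Request Objects________________________\n\n";
        listACL('root', 'aro');
        echo "\n_______________________Access Control Objects________________________\n\n";
        listACL('root', 'aco');
        echo "\n______________________Access eXtension Objects_______________________\n\n";
        listACL('root', 'axo');
    }
    break;

case 'addaro' :
case 'addaco' :
case 'addaxo' :
    $object = isset($_SERVER['argv'][2]) ? $_SERVER['argv'][2] : null;
    $parent = isset($_SERVER['argv'][3]) ? $_SERVER['argv'][3] : null;
    if (!isset($object)) {
        echo "'add*' commands require at least one argument. Try 'help' if you are lost.\n";
        break; // Do not fall through to add() with a null object name.
    }
    // The object type is the command name without its 'add' prefix: 'addaro' -> 'aro'.
    echo $acl->add($object, $parent, substr($op, 3)) ? "Ok\n" : "Error!\n";
    break;

case 'rmaro' :
case 'rmaco' :
case 'rmaxo' :
    $object = isset($_SERVER['argv'][2]) ? $_SERVER['argv'][2] : null;
    if (!isset($object)) {
        echo "'rm*' commands require at least one argument. Try 'help' if you are lost.\n";
        break;
    }
    // 'rmaro' -> 'aro'.
    echo $acl->remove($object, substr($op, 2)) ? "Ok\n" : "Error!\n";
    break;

case 'grant' :
    $aro = isset($_SERVER['argv'][2]) ? $_SERVER['argv'][2] : null;
    $aco = isset($_SERVER['argv'][3]) ? $_SERVER['argv'][3] : null;
    $axo = isset($_SERVER['argv'][4]) ? $_SERVER['argv'][4] : null;
    if (!isset($aro)) {
        echo "'grant' command requires at least one argument. Try 'help' if you are lost.\n";
        break;
    }
    echo $acl->grant($aro, $aco, $axo) ? "Ok\n" : "Error!\n";
    break;

case 'revoke' :
    $aro = isset($_SERVER['argv'][2]) ? $_SERVER['argv'][2] : null;
    $aco = isset($_SERVER['argv'][3]) ? $_SERVER['argv'][3] : null;
    $axo = isset($_SERVER['argv'][4]) ? $_SERVER['argv'][4] : null;
    if (!isset($aro)) {
        echo "'revoke' command requires at least one argument. Try 'help' if you are lost.\n";
        break;
    }
    echo $acl->revoke($aro, $aco, $axo) ? "Ok\n" : "Error!\n";
    break;

case 'check' :
    $aro = isset($_SERVER['argv'][2]) ? $_SERVER['argv'][2] : null;
    $aco = isset($_SERVER['argv'][3]) ? $_SERVER['argv'][3] : null;
    $axo = isset($_SERVER['argv'][4]) ? $_SERVER['argv'][4] : null;
    if (!isset($aro)) {
        echo "'check' command requires at least one argument. Try 'help' if you are lost.\n";
        break;
    }
    echo $acl->check($aro, $aco, $axo) ? "allow\n" : "deny\n";
    break;

case 'help' :
    help();
    break;

default :
    echo "'$op' is not an understood command. Try 'help' if you are lost.\n";
    break;
}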


/********************************************************************
* FUNCTIONS
********************************************************************/

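/**
 * Print the usage text for this tool and terminate the script.
 *
 * The script name shown in the examples is taken from $_SERVER['argv'][0].
 * Never returns: ends with die.
 */
function help()
{
    $self = $_SERVER['argv'][0];
    // Heredoc keeps the whole usage text in one place. Its body and closing
    // marker sit at column 0 so it also parses on PHP versions before 7.3.
    echo <<<HELP
Access Control List command line tool.

This script must be run in the common site directory (i.e. the parent
directory of the document root). DB credentials are retrieved from:
global/db_auth.inc.php so this file must exist. Furthermore this script
must be executed as the owner of the db_auth.inc.php file.

Three types of objects are managed by this interface: ARO - Access
Request Objects, ACO - Access Control Objects, and AXO - Access eXtension
Objects. These are most often used as a USER -> ACTION -> OBJECT model,
but can just as easily be SPICES -> CUISINES -> DISHES. A privilege is
allowed if a user (ARO) can perform an action (ACO) on something (AXO).
For example, Bob can edit article 4. If the AXO is omitted, this becomes
"Bob can edit" (period).

Each access object is stored as a node in hierarchical tree structures. A
permission granted to a node is applied to all its children. If a child
node is assigned a different permission that is more specific than
anything on the branch it will take precedence. If no permission is
specified, root is used for that object. Root, in this case, means
"anything" since it is at the top of all branches.

Usage: {$self} <command> [args]


{$self} list [aro | aco | axo]
{$self} addaro <aro_object> [parent]
{$self} addaco <aco_object> [parent]
{$self} addaxo <axo_object> [parent]
{$self} rmaro <aro_object>
{$self} rmaco <aco_object>
{$self} rmaxo <axo_object>
{$self} grant <aro_object> [aco_object] [axo_object]
{$self} revoke <aro_object> [aco_object] [axo_object]
{$self} check <aro_object> [aco_object] [axo_object]

For the add*, grant, and revoke commands, if any of the optional
args are not provided, 'root' is assumed.

Strangecode :: www.strangecode.com

HELP;
    die;
}

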
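/**
 * Print the subtree of access objects below $root, one node per line.
 *
 * Each line shows the node name (indented by depth), its nested-set lft and
 * rgt values, and its added_datetime.
 *
 * @param string $root  Name of the node to start from ('root' lists the whole tree).
 * @param string $type  Object type: 'aro', 'aco' or 'axo'; selects the table.
 * @return bool|null    false (after logging) when $type is unknown or $root does
 *                      not exist; otherwise nothing.
 */
function listACL($root, $type)
{
    $app =& App::getInstance();
    $db =& DB::getInstance();

    // The table name comes from this fixed map only, so $type itself is never
    // interpolated into SQL.
    $tables = array(
        'aro' => 'aro_tbl',
        'aco' => 'aco_tbl',
        'axo' => 'axo_tbl',
    );
    if (!isset($tables[$type])) {
        $app->logMsg(sprintf('Invalid access object type: %s', $type), LOG_ERR, __FILE__, __LINE__);
        return false;
    }
    $tbl = $tables[$type];

    // Retrieve the left and right value of the $root node.
    $qid = $db->query("SELECT lft, rgt FROM $tbl WHERE name = '" . $db->escapeString($root) . "'");
    $bounds = mysql_fetch_row($qid);
    if (!$bounds) {
        // Without this guard the next query would be built with empty bounds.
        $app->logMsg(sprintf('Access object not found in %s: %s', $tbl, $root), LOG_ERR, __FILE__, __LINE__);
        return false;
    }
    // Cast before interpolating into the descendants query; the bounds are integers.
    $root_lft = (int) $bounds[0];
    $root_rgt = (int) $bounds[1];

    // Stack of rgt values of the ancestors of the node being printed; its size is
    // the node's depth below $root.
    $depth = array();

    // Retrieve all descendants of the root node, in tree (pre-)order.
    $qid = $db->query("SELECT name, lft, rgt, added_datetime FROM $tbl WHERE lft BETWEEN $root_lft AND $root_rgt ORDER BY lft ASC");
    while (list($name, $lft, $rgt, $added_datetime) = mysql_fetch_row($qid)) {
        // An ancestor's rgt is greater than that of any of its descendants, so a
        // smaller rgt on top of the stack belongs to a subtree that is already
        // finished: pop it.
        while (sizeof($depth) > 0 && end($depth) < $rgt) {
            array_pop($depth);
        }

        // Display indented node title.
        printf("%-20s %-5s %-5s %s\n", str_repeat('    ', sizeof($depth)) . $name, $lft, $rgt, $added_datetime);

        // Add this node to the stack.
        $depth[] = $rgt;
    }
}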


?>