1 | #!/usr/local/bin/php |
---|
2 | <?php |
---|
3 | /* |
---|
4 | * acl.cli.php |
---|
5 | * Code by Strangecode :: www.strangecode.com :: This document contains copyrighted information. |
---|
6 | * @author Quinn Comendant <quinn@strangecode.com> |
---|
7 | * @version 1.0 |
---|
8 | * @since 14 Jun 2006 23:10:45 |
---|
9 | */ |
---|
10 | |
---|
11 | |
---|
12 | /******************************************************************** |
---|
13 | * STARTUP |
---|
14 | ********************************************************************/ |
---|
15 | |
---|
16 | // Give them a fighting chance. Show the help message. ;P |
---|
17 | if ($_SERVER['argc'] <= 1) { |
---|
18 | help(); |
---|
19 | } |
---|
20 | |
---|
21 | // Make sure necessary files exist. |
---|
22 | define('COMMON_BASE', realpath('.')); |
---|
23 | $db_quth_file = COMMON_BASE . '/global/db_auth.inc.php'; |
---|
24 | if (!file_exists($db_quth_file)) { |
---|
25 | die(sprintf("%s error: the current directory must be common site directory (i.e. the parent directory of the document root) AND the global/db_auth.inc.php file must exist.\n", $_SERVER['argv'][0])); |
---|
26 | } |
---|
27 | |
---|
28 | if (fileowner($db_quth_file) != getmyuid()) { |
---|
29 | die(sprintf("%s error: you must execute this script as the owner of the web files.\n", $_SERVER['argv'][0])); |
---|
30 | } |
---|
31 | |
---|
32 | // Set include path. |
---|
33 | ini_set('include_path', get_include_path() |
---|
34 | . PATH_SEPARATOR . COMMON_BASE |
---|
35 | ); |
---|
36 | |
---|
37 | |
---|
38 | /******************************************************************** |
---|
39 | * CONFIG |
---|
40 | ********************************************************************/ |
---|
41 | |
---|
42 | // Include core libraries. |
---|
43 | require_once 'codebase/lib/App.inc.php'; |
---|
44 | require_once 'codebase/lib/Utilities.inc.php'; |
---|
45 | |
---|
46 | $app =& App::getInstance('module_maker'); |
---|
47 | $app->setParam(array( |
---|
48 | 'site_name' => 'ACL cli', |
---|
49 | 'site_email' => 'codebase@strangecode.com', |
---|
50 | 'enable_session' => false, |
---|
51 | 'enable_db' => true, |
---|
52 | 'db_always_debug' => false, |
---|
53 | 'db_debug' => true, |
---|
54 | 'db_die_on_failure' => true, |
---|
55 | 'display_errors' => true, |
---|
56 | 'error_reporting' => E_ALL, |
---|
57 | 'log_file_priority' => LOG_DEBUG, |
---|
58 | 'log_screen_priority' => LOG_NOTICE, |
---|
59 | 'log_directory' => COMMON_BASE . '/log', |
---|
60 | 'log_filename' => 'site_log', |
---|
61 | )); |
---|
62 | require_once 'global/db_auth.inc.php'; |
---|
63 | |
---|
64 | // Start application-based functionality: database, session, environment, ini setup, etc. |
---|
65 | // Most configuration parameters must be set before starting the App. |
---|
66 | $app->start(); |
---|
67 | |
---|
68 | // Global DB object. Automatically pre-configured by $app->start(). |
---|
69 | $db =& DB::getInstance(); |
---|
70 | |
---|
71 | // ACL! |
---|
72 | require_once 'codebase/lib/ACL.inc.php'; |
---|
73 | $acl =& ACL::getInstance(); |
---|
74 | |
---|
75 | |
---|
76 | /******************************************************************** |
---|
77 | * MAIN |
---|
78 | ********************************************************************/ |
---|
79 | |
---|
80 | $op = $_SERVER['argv'][1]; |
---|
81 | switch ($op) { |
---|
82 | case 'list' : |
---|
83 | $type = isset($_SERVER['argv'][2]) ? $_SERVER['argv'][2] : null; |
---|
84 | if (isset($type)) { |
---|
85 | listACL('root', $type); |
---|
86 | } else { |
---|
87 | |
---|
88 | echo "\n_______________________Access Request Objects________________________\n\n"; |
---|
89 | listACL('root', 'aro'); |
---|
90 | echo "\n_______________________Access Control Objects________________________\n\n"; |
---|
91 | listACL('root', 'aco'); |
---|
92 | echo "\n______________________Access eXtension Objects_______________________\n\n"; |
---|
93 | listACL('root', 'axo'); |
---|
94 | } |
---|
95 | break; |
---|
96 | |
---|
97 | case 'addaro' : |
---|
98 | case 'addaco' : |
---|
99 | case 'addaxo' : |
---|
100 | $object = isset($_SERVER['argv'][2]) ? $_SERVER['argv'][2] : null; |
---|
101 | $parent = isset($_SERVER['argv'][3]) ? $_SERVER['argv'][3] : null; |
---|
102 | if (!isset($object)) { |
---|
103 | echo "'add*' commands require at least one argument. Try 'help' if you are lost.\n"; |
---|
104 | } |
---|
105 | echo $acl->add($object, $parent, str_replace('add', '', $op)) ? "Ok\n" : "Error!\n"; |
---|
106 | break; |
---|
107 | |
---|
108 | case 'rmaro' : |
---|
109 | case 'rmaco' : |
---|
110 | case 'rmaxo' : |
---|
111 | $object = isset($_SERVER['argv'][2]) ? $_SERVER['argv'][2] : null; |
---|
112 | if (!isset($object)) { |
---|
113 | echo "'add*' commands require at least one argument. Try 'help' if you are lost.\n"; |
---|
114 | } |
---|
115 | echo $acl->remove($object, str_replace('rm', '', $op)) ? "Ok\n" : "Error!\n"; |
---|
116 | break; |
---|
117 | |
---|
118 | case 'flush' : |
---|
119 | echo $acl->initDB(true) ? "Ok\n" : "Error!\n"; |
---|
120 | break; |
---|
121 | |
---|
122 | case 'grant' : |
---|
123 | $aro = isset($_SERVER['argv'][2]) ? $_SERVER['argv'][2] : null; |
---|
124 | $aco = isset($_SERVER['argv'][3]) ? $_SERVER['argv'][3] : null; |
---|
125 | $axo = isset($_SERVER['argv'][4]) ? $_SERVER['argv'][4] : null; |
---|
126 | if (!isset($aro)) { |
---|
127 | echo "'grant' command require at least one argument. Try 'help' if you are lost.\n"; |
---|
128 | } |
---|
129 | echo $acl->grant($aro, $aco, $axo) ? "Ok\n" : "Error!\n"; |
---|
130 | break; |
---|
131 | |
---|
132 | case 'revoke' : |
---|
133 | $aro = isset($_SERVER['argv'][2]) ? $_SERVER['argv'][2] : null; |
---|
134 | $aco = isset($_SERVER['argv'][3]) ? $_SERVER['argv'][3] : null; |
---|
135 | $axo = isset($_SERVER['argv'][4]) ? $_SERVER['argv'][4] : null; |
---|
136 | if (!isset($aro)) { |
---|
137 | echo "'revoke' command require at least one argument. Try 'help' if you are lost.\n"; |
---|
138 | } |
---|
139 | echo $acl->revoke($aro, $aco, $axo) ? "Ok\n" : "Error!\n"; |
---|
140 | break; |
---|
141 | |
---|
142 | case 'check' : |
---|
143 | $aro = isset($_SERVER['argv'][2]) ? $_SERVER['argv'][2] : null; |
---|
144 | $aco = isset($_SERVER['argv'][3]) ? $_SERVER['argv'][3] : null; |
---|
145 | $axo = isset($_SERVER['argv'][4]) ? $_SERVER['argv'][4] : null; |
---|
146 | if (!isset($aro)) { |
---|
147 | echo "'check' command require at least one argument. Try 'help' if you are lost.\n"; |
---|
148 | } |
---|
149 | echo $acl->check($aro, $aco, $axo) ? "allow\n" : "deny\n"; |
---|
150 | break; |
---|
151 | |
---|
152 | case 'help' : |
---|
153 | help(); |
---|
154 | break; |
---|
155 | |
---|
156 | default : |
---|
157 | echo "'$op' is not an understood command. Try 'help' if you are lost.\n"; |
---|
158 | break; |
---|
159 | } |
---|
160 | |
---|
161 | |
---|
162 | /******************************************************************** |
---|
163 | * FUNCTIONS |
---|
164 | ********************************************************************/ |
---|
165 | |
---|
166 | function help() |
---|
167 | { |
---|
168 | ?> |
---|
169 | Access Control List command line tool. |
---|
170 | |
---|
171 | This script must be run in the common site directory (i.e. the parent |
---|
172 | directory of the document root). DB credentials are retrieved from: |
---|
173 | global/db_auth.inc.php so this file must exist. Further more this script |
---|
174 | must be executed as the owner of the db_auth.inc.php file. |
---|
175 | |
---|
176 | Three types of objects are managed by this interface: ARO - Access |
---|
177 | Request Objects, ACO - Access Control Objects, and AXO - Access eXtention |
---|
178 | Objects. These are most often used as a USER -> ACTION -> OBJECT model, |
---|
179 | but can just as easily be SPICES -> CUISINES -> DISHES A privilege is |
---|
180 | allowed if a user (ARO) can perform an action (ACO) on something (AXO). |
---|
181 | For example, Bob can edit article 4. If the AXO if omitted, this becomes |
---|
182 | "Bob can edit" (period). |
---|
183 | |
---|
184 | Each access object is stored as a node in hierarchial tree structures. A |
---|
185 | premission granted to a node is applied to all its children. If a child |
---|
186 | node is specified a different permission that is more specific that |
---|
187 | anything on the branch it will take precidence. If no permission is |
---|
188 | specified, root is used for that object. Root, in this case, means |
---|
189 | "anything" since it is at the top of all branches. |
---|
190 | |
---|
191 | Usage: <?php echo $_SERVER['argv'][0]; ?> <command> [args] |
---|
192 | |
---|
193 | |
---|
194 | <?php echo $_SERVER['argv'][0]; ?> list [aro | aco | axo] |
---|
195 | <?php echo $_SERVER['argv'][0]; ?> addaro <aro_object> [parent] |
---|
196 | <?php echo $_SERVER['argv'][0]; ?> addaco <aco_object> [parent] |
---|
197 | <?php echo $_SERVER['argv'][0]; ?> addaxo <axo_object> [parent] |
---|
198 | <?php echo $_SERVER['argv'][0]; ?> rmaro <aro_object> |
---|
199 | <?php echo $_SERVER['argv'][0]; ?> rmaco <aco_object> |
---|
200 | <?php echo $_SERVER['argv'][0]; ?> rmaxo <axo_object> |
---|
201 | <?php echo $_SERVER['argv'][0]; ?> flush |
---|
202 | <?php echo $_SERVER['argv'][0]; ?> grant <aro_object> [aco_object] [axo_object] |
---|
203 | <?php echo $_SERVER['argv'][0]; ?> revoke <aro_object> [aco_object] [axo_object] |
---|
204 | |
---|
205 | For the add*, grant, and revoke commands, if any of the optional |
---|
206 | args are not provided, 'root' is assumed. |
---|
207 | |
---|
208 | Strangecode :: www.strangecode.com |
---|
209 | <?php |
---|
210 | die; |
---|
211 | } |
---|
212 | |
---|
213 | |
---|
214 | function listACL($root, $type) |
---|
215 | { |
---|
216 | $app =& App::getInstance(); |
---|
217 | $db =& DB::getInstance(); |
---|
218 | |
---|
219 | switch ($type) { |
---|
220 | case 'aro' : |
---|
221 | $tbl = 'aro_tbl'; |
---|
222 | break; |
---|
223 | case 'aco' : |
---|
224 | $tbl = 'aco_tbl'; |
---|
225 | break; |
---|
226 | case 'axo' : |
---|
227 | $tbl = 'axo_tbl'; |
---|
228 | break; |
---|
229 | default : |
---|
230 | $app->logMsg(sprintf('Invalid access object type: %s', $type), LOG_ERR, __FILE__, __LINE__); |
---|
231 | return false; |
---|
232 | break; |
---|
233 | } |
---|
234 | |
---|
235 | // Retrieve the left and right value of the $root node. |
---|
236 | $qid = $db->query("SELECT lft, rgt FROM $tbl WHERE name = '" . $db->escapeString($root) . "'"); |
---|
237 | list($lft, $rgt) = mysql_fetch_row($qid); |
---|
238 | |
---|
239 | $depth = array(); |
---|
240 | |
---|
241 | // Retrieve all descendants of the root node |
---|
242 | $qid = $db->query("SELECT name, lft, rgt, added_datetime FROM $tbl WHERE lft BETWEEN $lft AND $rgt ORDER BY lft ASC"); |
---|
243 | while (list($name, $lft, $rgt, $added_datetime) = mysql_fetch_row($qid)) { |
---|
244 | // If the last element of $depth is less than the current rgt it means we finished with a set of children nodes. |
---|
245 | while (sizeof($depth) > 0 && end($depth) < $rgt) { |
---|
246 | array_pop($depth); |
---|
247 | } |
---|
248 | |
---|
249 | // Display indented node title. |
---|
250 | printf("%-20s %-5s %-5s %s\n", str_repeat(' ', sizeof($depth)) . $name, $lft, $rgt, $added_datetime); |
---|
251 | |
---|
252 | // Add this node to the stack. |
---|
253 | $depth[] = $rgt; |
---|
254 | } |
---|
255 | } |
---|
256 | |
---|
257 | |
---|
258 | ?> |
---|