Last change on this file since 500 was 484, checked in by anonymous, 10 years ago

Changed private methods and properties to protected. A few minor bug fixes.

1#!/usr/bin/php
2<?php
3/**
4 * The Strangecode Codebase - a general application development framework for PHP
5 * For details visit the project site: <http://trac.strangecode.com/codebase/>
6 * Copyright 2001-2012 Strangecode, LLC
7 *
8 * This file is part of The Strangecode Codebase.
9 *
10 * The Strangecode Codebase is free software: you can redistribute it and/or
11 * modify it under the terms of the GNU General Public License as published by the
12 * Free Software Foundation, either version 3 of the License, or (at your option)
13 * any later version.
14 *
15 * The Strangecode Codebase is distributed in the hope that it will be useful, but
16 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
17 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
18 * details.
19 *
20 * You should have received a copy of the GNU General Public License along with
21 * The Strangecode Codebase. If not, see <http://www.gnu.org/licenses/>.
22 */
23
24/*
25* acl.cli.php
26*
27* @author   Quinn Comendant <quinn@strangecode.com>
28* @version  1.0
29* @since    14 Jun 2006 23:10:45
30*/
31
32
33/********************************************************************
34* STARTUP
35********************************************************************/
36
// Name of this script as invoked; used in every error and usage message below.
$this_script = basename($_SERVER['argv'][0]);

// Invoked with no command at all: print the usage text. help() never returns (it calls die).
if ($_SERVER['argc'] < 2) {
    help();
}
43
44// Make sure necessary files exist.
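// Make sure necessary files exist. COMMON_BASE is the directory the operator ran us from;
// everything (include path, log directory, credentials file) is resolved relative to it.
define('COMMON_BASE', realpath('.'));
$db_quth_file = COMMON_BASE . '/global/db_auth.inc.php';
if (!file_exists($db_quth_file)) {
    die(sprintf("%s error: the current directory must be common site directory (i.e. the parent directory of the document root) AND the global/db_auth.inc.php file must exist.\n", $this_script));
}

// Refuse to run unless the *invoking* user owns the credentials file.
// getmyuid() returns the owner of this script file, not the user running it, so it only
// approximates that check; prefer posix_geteuid() whenever the posix extension is present
// and keep getmyuid() as the fallback so behaviour on hosts without posix is unchanged.
$running_uid = function_exists('posix_geteuid') ? posix_geteuid() : getmyuid();
if (false === $running_uid || fileowner($db_quth_file) !== $running_uid) {
    // fileowner() returns false on failure, which the strict comparison also rejects.
    die(sprintf("%s error: you must execute this script as the owner of the web files.\n", $this_script));
}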
54
55// Set include path.
// Make COMMON_BASE resolvable by the require_once calls that follow (codebase/, global/).
set_include_path(get_include_path() . PATH_SEPARATOR . COMMON_BASE);
59
60/********************************************************************
61* CONFIG
62********************************************************************/
63
64// Include core libraries.
65require_once 'codebase/lib/App.inc.php';
66require_once 'codebase/lib/Utilities.inc.php';
67
define('_CLI', true);

// Collect the application parameters first: most of them must be in place before $app->start().
// NOTE(review): db_debug and display_errors are both on; presumably failed SQL is echoed to the
// operator's terminal. Acceptable for a local CLI tool, not a setting to copy into web-facing config.
$app_params = array(
    'site_name' => 'ACL cli',
    'site_email' => 'codebase@strangecode.com',
    'enable_session' => false,
    'enable_db' => true,
    'db_always_debug' => false,
    'db_debug' => true,
    'db_die_on_failure' => true,
    'display_errors' => true,
    'error_reporting' => E_ALL,
    'log_file_priority' => LOG_INFO,
    'log_screen_priority' => LOG_ERR,
    'log_directory' => COMMON_BASE . '/log',
    'log_filename' => 'site_log',
);

$app =& App::getInstance('module_maker');
$app->setParam($app_params);

// Load the DB credentials. This is the file whose ownership was verified at startup.
require_once 'global/db_auth.inc.php';

// Start application-based functionality: database, session, environment, ini setup, etc.
$app->start();

// Global DB object. Automatically pre-configured by $app->start().
$db =& DB::getInstance();

// ACL layer. Table creation is left to the explicit 'initdb' command.
require_once 'codebase/lib/ACL.inc.php';
$acl =& ACL::getInstance();
$acl->setParam(array('create_table' => false));
98
99
100/********************************************************************
101* MAIN
102********************************************************************/
103
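// Without an acl_tbl there is nothing for this tool to manage.
if (!$db->tableExists('acl_tbl')) {
    printf("This project doesn't appear to be using ACL (there is no acl_tbl in the %s DB).\n", $app->getParam('db_name'));
    die;
}

/*
* Return positional command-line argument $i (0 = script, 1 = command, 2.. = args),
* or null when it was not supplied. Arguments are operator input and are handed to the
* ACL layer unmodified; any escaping is that layer's responsibility, not this script's.
*
* @param    int $i Position in $_SERVER['argv'].
* @return   string|null
*/
function cliArg($i)
{
    return isset($_SERVER['argv'][$i]) ? $_SERVER['argv'][$i] : null;
}

$op = cliArg(1);
switch ($op) {
case 'list' :
    $type = cliArg(2);
    switch ($type) {
    case 'aro' :
    case 'aco' :
    case 'axo' :
        listObjects('root', $type);
        break;
    case 'all' :
        listObjects('root', 'aro');
        listObjects('root', 'aco');
        listObjects('root', 'axo');
        break;
    case 'perms' :
    default :
        // 'list' with no (or an unrecognised) subtype lists the acl_tbl entries.
        listPerms();
        break;
    }
    break;

case 'addaro' :
case 'addaco' :
case 'addaxo' :
    $object = cliArg(2);
    $parent = cliArg(3);
    if (!isset($object)) {
        echo "'add*' commands require at least one argument. Try 'help' if you are lost.\n";
        break;
    }
    // Object type is the command minus its 'add' prefix: aro, aco or axo.
    echo $acl->add($object, $parent, substr($op, 3)) ? "Ok\n" : "Error!\n";
    break;

case 'mvaro' :
case 'mvaco' :
case 'mvaxo' :
    $object = cliArg(2);
    $parent = cliArg(3);
    if (!isset($object)) {
        echo "'mv*' commands require at least one argument. Try 'help' if you are lost.\n";
        break;
    }
    // Object type is the command minus its 'mv' prefix.
    echo $acl->move($object, $parent, substr($op, 2)) ? "Ok\n" : "Error!\n";
    break;

case 'rmaro' :
case 'rmaco' :
case 'rmaxo' :
    $object = cliArg(2);
    if (!isset($object)) {
        // Was a copy-paste of the add* message; now names the command family actually used.
        echo "'rm*' commands require at least one argument. Try 'help' if you are lost.\n";
        break;
    }
    // Object type is the command minus its 'rm' prefix.
    echo $acl->remove($object, substr($op, 2)) ? "Ok\n" : "Error!\n";
    break;

case 'initdb' :
    // NOTE(review): the flag passed to initDB() presumably forces table (re)creation;
    // confirm it is non-destructive on a populated acl_tbl before relying on it.
    echo $acl->initDB(true) ? "Ok\n" : "Error!\n";
    break;

case 'grant' :
    $aro = cliArg(2);
    $aco = cliArg(3);
    $axo = cliArg(4);
    if (!isset($aro)) {
        echo "'grant' command require at least one argument. Try 'help' if you are lost.\n";
        break;
    }
    // Omitted aco/axo are null here; the ACL layer treats that as 'root' (see help text).
    echo $acl->grant($aro, $aco, $axo) ? "Ok\n" : "Error!\n";
    break;

case 'revoke' :
    $aro = cliArg(2);
    $aco = cliArg(3);
    $axo = cliArg(4);
    if (!isset($aro)) {
        echo "'revoke' command require at least one argument. Try 'help' if you are lost.\n";
        break;
    }
    echo $acl->revoke($aro, $aco, $axo) ? "Ok\n" : "Error!\n";
    break;

case 'delete' :
    // All three positions must be present; the literal string 'null' is a wildcard for that column.
    if (null === cliArg(2) || null === cliArg(3) || null === cliArg(4)) {
        echo "'delete' command require all three arguments to be specified. Try 'help' if you are lost.\n";
        break;
    }
    $aro = ('null' === cliArg(2)) ? null : cliArg(2);
    $aco = ('null' === cliArg(3)) ? null : cliArg(3);
    $axo = ('null' === cliArg(4)) ? null : cliArg(4);
    echo $acl->delete($aro, $aco, $axo) ? "Ok\n" : "Error!\n";
    break;

case 'check' :
    $aro = cliArg(2);
    $aco = cliArg(3);
    $axo = cliArg(4);
    if (!isset($aro)) {
        echo "'check' command require at least one argument. Try 'help' if you are lost.\n";
        break;
    }
    echo $acl->check($aro, $aco, $axo) ? "allow\n" : "deny\n";
    break;

case 'help' :
    help();
    break;

default :
    echo "'$op' is not an understood command. Try 'help' if you are lost.\n";
    break;
}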
222
223
224/********************************************************************
225* FUNCTIONS
226********************************************************************/
227
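/*
* Print the usage text to stdout and exit. Called when no command (or 'help') is given.
* The text is emitted as raw output between ?> and <?php, so its layout is literal.
*
* @access   public
* @return   void Never returns; ends with die.
*/
function help()
{
    global $this_script;

    ?>
Access Control List command line tool.

This script must be run in the common site directory (i.e. the parent
directory of the document root). DB credentials are retrieved from:
global/db_auth.inc.php so this file must exist. Furthermore this script
must be executed as the owner of the db_auth.inc.php file.

Three types of objects are managed by this interface:

  ARO - Access Request Objects
  ACO - Access Control Objects
  AXO - Access Xtra Objects

These are most often used as a USER -> ACTION -> OBJECT model,
but could just as easily be SPICES -> CUISINES -> DISHES. A privilege is
allowed if a user (ARO) can perform an action (ACO) on something (AXO).
For example, with an `ARO->ACO->AXO` of `Bob->edit->4`, Bob can edit article 4.
If the AXO were omitted (i.e. just `Bob->edit`), this becomes "Bob can edit"
(he can edit any object).

Each access object is stored as a node in hierarchical tree structure.
A permission granted to a node is applied to all its children. If a child
node is specified with a permission more specific than its ancestors, the
child will take precedence. If no permission is specified, root is used,
implying access to any object of that type.

Usage: <?php echo $this_script; ?> command [args]

Where command is any of the following (with arguments):

    initdb
    list [aro | aco | axo | all | perms]
    check aro [aco] [axo]
    addaro aro [parent]
    addaco aco [parent]
    addaxo axo [parent]
    mvaro aro [parent]
    mvaco aco [parent]
    mvaxo axo [parent]
    rmaro aro
    rmaco aco
    rmaxo axo
    grant aro [aco] [axo]
    revoke aro [aco] [axo]
    delete aro aco axo

For the add*, mv*, grant, and revoke commands if any of the optional
args are not provided, 'root' is assumed. The delete command requires
all object types to be specified; Passing the string 'null' will cause
all matches in that column to be deleted. Run 'list perms' to view what
can be deleted.
<?php
    die;
}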
287
288
289/*
290* Print the tree structure of a specified table (aro_tbl, aco_tbl, or axo_tbl).
291*
292* @access   public
293* @param    string $root Root node from which to begin calculating.
294* @param    string $type Table to call, one of: aro, aco, or axo.
295* @return   bool Returns false on error.
296* @author   Quinn Comendant <quinn@strangecode.com>
297* @version  1.0
298* @since    17 Jun 2006 23:41:22
299*/
300function listObjects($root, $type)
301{
302    $app =& App::getInstance();
303    $db =& DB::getInstance();
304    global $this_script;
305
306    echo "\n";
307
308    switch ($type) {
309    case 'aro' :
310        $tbl = 'aro_tbl';
311        printf("%-35s %-5s %-5s %s\n", 'Request objects', 'lft', 'rgt', 'Added');
312        break;
313    case 'aco' :
314        $tbl = 'aco_tbl';
315        printf("%-35s %-5s %-5s %s\n", 'Control objects', 'lft', 'rgt', 'Added');
316        break;
317    case 'axo' :
318        $tbl = 'axo_tbl';
319        printf("%-35s %-5s %-5s %s\n", 'Xtra objects', 'lft', 'rgt', 'Added');
320        break;
321    default :
322        $app->logMsg(sprintf('Invalid access object type: %s', $type), LOG_ERR, __FILE__, __LINE__);
323        return false;
324        break;
325    }
326
327    echo "-----------------------------------------------------------\n";
328
329    // Retrieve the left and right value of the $root node.
330    $qid = $db->query("SELECT lft, rgt FROM $tbl WHERE name = '" . $db->escapeString($root) . "'");
331    list($lft, $rgt) = mysql_fetch_row($qid);
332
333    $depth = array();
334
335    // Retrieve all descendants of the root node
336    $qid = $db->query("SELECT name, lft, rgt, added_datetime FROM $tbl WHERE lft BETWEEN $lft AND $rgt ORDER BY lft ASC");
337    while (list($name, $lft, $rgt, $added_datetime) = mysql_fetch_row($qid)) {
338        // If the last element of $depth is less than the current rgt it means we finished with a set of children nodes.
339        while (sizeof($depth) > 0 && end($depth) < $rgt) {
340            array_pop($depth);
341        }
342
343        // Display indented node title.
344        printf("%-35s %-5s %-5s %s\n", str_repeat('    ', sizeof($depth)) . $name, $lft, $rgt, date($app->getParam('date_format'), strtotime($added_datetime)));
345
346        // Add this node to the stack.
347        $depth[] = $rgt;
348    }
349}
350
351/*
352* List all entries in the acl_tbl.
353*
354* @access   public
355* @author   Quinn Comendant <quinn@strangecode.com>
356* @version  1.0
357* @since    17 Jun 2006 15:11:53
358*/
359function listPerms()
360{
361    $app =& App::getInstance();
362    $db =& DB::getInstance();
363    global $this_script;
364
365    // Retrieve access value from db.
366    $qid = $db->query("
367        SELECT aro_tbl.name AS aro, aco_tbl.name AS aco, axo_tbl.name AS axo, acl_tbl.access, acl_tbl.added_datetime
368        FROM acl_tbl
369        LEFT JOIN aro_tbl ON (acl_tbl.aro_id = aro_tbl.aro_id)
370        LEFT JOIN aco_tbl ON (acl_tbl.aco_id = aco_tbl.aco_id)
371        LEFT JOIN axo_tbl ON (acl_tbl.axo_id = axo_tbl.axo_id)
372        ORDER BY aro_tbl.lft ASC, aco_tbl.lft ASC, axo_tbl.lft ASC
373    ");
374    echo "\n";
375    printf("%-25s %-25s %-25s %-6s %-10s\n", 'Request objects', 'Control objects', 'Xtra objects', '', 'Added');
376    echo "------------------------------------------------------------------------------------------------\n";
377    while ($p = mysql_fetch_assoc($qid)) {
378        printf("%-25s %-25s %-25s \033[0;%sm%-6s\033[0m %-10s\n", $p['aro'], $p['aco'], $p['axo'], ('allow' == $p['access'] ? '32' : '31'), $p['access'], date($app->getParam('date_format'), strtotime($p['added_datetime'])));
379    }
380}
381
382