Context Navigation

← Previous Revision
Next Revision →
Normal
Revision Log

ACL.inc.php

Last change on this file was 777, checked in by anonymous, 15 months ago
Avoid use of dynamic properties
File size: 32.5 KB

Rev	Line
[171]	1	<?php
[362]	2	/**
	3	* The Strangecode Codebase - a general application development framework for PHP
	4	* For details visit the project site: <http://trac.strangecode.com/codebase/>
[396]	5	* Copyright 2001-2012 Strangecode, LLC
[457]	6	*
[362]	7	* This file is part of The Strangecode Codebase.
	8	*
	9	* The Strangecode Codebase is free software: you can redistribute it and/or
	10	* modify it under the terms of the GNU General Public License as published by the
	11	* Free Software Foundation, either version 3 of the License, or (at your option)
	12	* any later version.
[457]	13	*
[362]	14	* The Strangecode Codebase is distributed in the hope that it will be useful, but
	15	* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
	16	* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
	17	* details.
[457]	18	*
[362]	19	* You should have received a copy of the GNU General Public License along with
	20	* The Strangecode Codebase. If not, see <http://www.gnu.org/licenses/>.
	21	*/
	22
[171]	23	/*
	24	* ACL.inc.php
[457]	25	*
[171]	26	* Uses the ARO/ACO/AXO model of Access Control Lists.
[173]	27	* Uses Modified Preorder Tree Traversal to maintain a tree-structure.
	28	* See: http://www.sitepoint.com/print/hierarchical-data-database
[174]	29	* Includes a command-line tool for managing rights (codebase/bin/acl.cli.php).
[362]	30	*
[457]	31	*
[171]	32	* @author Quinn Comendant <quinn@strangecode.com>
	33	* @version 1.0
	34	* @since 14 Jun 2006 22:35:11
	35	*/
	36
[172]	37	require_once dirname(__FILE__) . '/Cache.inc.php';
	38
[502]	39	class ACL
	40	{
[171]	41
[468]	42	// A place to keep an object instance for the singleton pattern.
[484]	43	protected static $instance = null;
[468]	44
[171]	45	// Configuration parameters for this object.
[484]	46	protected $_params = array(
[334]	47	// If false nothing will be cached or retrieved. Useful for testing realtime data requests.
[172]	48	'enable_cache' => true,
[171]	49
	50	// Automatically create table and verify columns. Better set to false after site launch.
	51	'create_table' => false,
[502]	52
	53	// Maximum allowed length of names.
	54	// This value can be increased only if {aro,aco,axo}_tbl.name VARCHAR length is increased.
	55	'name_max_length' => 32.
[171]	56	);
	57
[777]	58	// Cache object to store result of check() queries.
	59	private $cache;
	60
[171]	61	/**
[174]	62	* Constructor.
[171]	63	*/
[468]	64	public function __construct()
[171]	65	{
[479]	66	$app =& App::getInstance();
[171]	67
[172]	68	// Configure the cache object.
	69	$this->cache = new Cache('acl');
	70
[171]	71	// Get create tables config from global context.
	72	if (!is_null($app->getParam('db_create_tables'))) {
	73	$this->setParam(array('create_table' => $app->getParam('db_create_tables')));
	74	}
	75	}
	76
	77	/**
	78	* This method enforces the singleton pattern for this class.
	79	*
	80	* @return object Reference to the global ACL object.
	81	* @access public
	82	* @static
	83	*/
[468]	84	public static function &getInstance()
[171]	85	{
[468]	86	if (self::$instance === null) {
	87	self::$instance = new self();
[171]	88	}
	89
[468]	90	return self::$instance;
[171]	91	}
	92
	93	/**
	94	* Set (or overwrite existing) parameters by passing an array of new parameters.
	95	*
	96	* @access public
	97	*
	98	* @param array $params Array of parameters (key => val pairs).
	99	*/
[468]	100	public function setParam($params)
[171]	101	{
[479]	102	$app =& App::getInstance();
[457]	103
[171]	104	if (isset($params) && is_array($params)) {
[534]	105	// Some params require special processing. Catch those in a loop and process individually.
	106	foreach ($params as $key => $val) {
	107	switch ($key) {
	108	case 'enable_cache':
	109	$this->cache->setParam(array('enabled' => $val));
	110	break;
	111	}
	112
	113	}
	114	unset($key, $value);
	115
[171]	116	// Merge new parameters with old overriding only those passed.
	117	$this->_params = array_merge($this->_params, $params);
	118	} else {
	119	$app->logMsg(sprintf('Parameters are not an array: %s', $params), LOG_ERR, __FILE__, __LINE__);
	120	}
	121	}
	122
	123	/**
	124	* Return the value of a parameter, if it exists.
	125	*
	126	* @access public
	127	* @param string $param Which parameter to return.
	128	* @return mixed Configured parameter value.
	129	*/
[468]	130	public function getParam($param)
[171]	131	{
[479]	132	$app =& App::getInstance();
[457]	133
[478]	134	if (array_key_exists($param, $this->_params)) {
[171]	135	return $this->_params[$param];
	136	} else {
[420]	137	$app->logMsg(sprintf('Parameter is not set: %s', $param), LOG_NOTICE, __FILE__, __LINE__);
[171]	138	return null;
	139	}
	140	}
	141
	142	/**
[174]	143	* Setup the database tables for this class.
[171]	144	*
	145	* @access public
	146	* @author Quinn Comendant <quinn@strangecode.com>
	147	* @since 04 Jun 2006 16:41:42
	148	*/
[468]	149	public function initDB($recreate_db=false)
[171]	150	{
[479]	151	$app =& App::getInstance();
	152	$db =& DB::getInstance();
[171]	153
	154	static $_db_tested = false;
	155
	156	if ($recreate_db \|\| !$_db_tested && $this->getParam('create_table')) {
	157
	158	if ($recreate_db) {
	159	$db->query("DROP TABLE IF EXISTS acl_tbl");
	160	$db->query("DROP TABLE IF EXISTS aro_tbl");
	161	$db->query("DROP TABLE IF EXISTS aco_tbl");
	162	$db->query("DROP TABLE IF EXISTS axo_tbl");
[201]	163	$app->logMsg(sprintf('Dropping and recreating tables acl_tbl, aro_tbl, aco_tbl, axo_tbl.', null), LOG_INFO, __FILE__, __LINE__);
[171]	164	}
[457]	165
[171]	166	// acl_tbl
[601]	167	$db->query(sprintf("
[173]	168	CREATE TABLE IF NOT EXISTS acl_tbl (
[502]	169	aro_id SMALLINT UNSIGNED NOT NULL DEFAULT '0',
	170	aco_id SMALLINT UNSIGNED NOT NULL DEFAULT '0',
	171	axo_id SMALLINT UNSIGNED NOT NULL DEFAULT '0',
[171]	172	access ENUM('allow', 'deny') DEFAULT NULL,
[601]	173	added_datetime DATETIME NOT NULL DEFAULT '%s 00:00:00',
[171]	174	UNIQUE KEY (aro_id, aco_id, axo_id),
	175	KEY (access)
	176	) ENGINE=MyISAM
[601]	177	", $db->getParam('zero_date')));
[171]	178	if (!$db->columnExists('acl_tbl', array(
	179	'aro_id',
	180	'aco_id',
	181	'axo_id',
	182	'access',
	183	'added_datetime',
	184	), false, false)) {
	185	$app->logMsg(sprintf('Database table acl_tbl has invalid columns. Please update this table manually.', null), LOG_ALERT, __FILE__, __LINE__);
	186	trigger_error(sprintf('Database table acl_tbl has invalid columns. Please update this table manually.', null), E_USER_ERROR);
[173]	187	} else {
	188	// Insert root node data if nonexistant, dely all by default.
	189	$qid = $db->query("SELECT 1 FROM acl_tbl");
	190	if (mysql_num_rows($qid) == 0) {
[457]	191	$qid = $db->query("REPLACE INTO acl_tbl VALUES ('1', '1', '1', 'deny', NOW())");
	192	}
[171]	193	}
	194
[173]	195	// aro_tbl, aco_tbl, axo_tbl
[171]	196	foreach (array('aro', 'aco', 'axo') as $a_o) {
[601]	197	$db->query(sprintf("
	198	CREATE TABLE IF NOT EXISTS %1\$s_tbl (
	199	%1\$s_id SMALLINT UNSIGNED NOT NULL PRIMARY KEY AUTO_INCREMENT,
	200	name VARCHAR(%2\$s) NOT NULL DEFAULT '',
[502]	201	lft MEDIUMINT UNSIGNED NOT NULL DEFAULT '0',
	202	rgt MEDIUMINT UNSIGNED NOT NULL DEFAULT '0',
[601]	203	added_datetime DATETIME NOT NULL DEFAULT '%3\$s 00:00:00',
[173]	204	UNIQUE KEY name (name(15)),
[171]	205	KEY transversal (lft, rgt)
	206	) ENGINE=MyISAM;
[601]	207	", $a_o, $this->getParam('name_max_length'), $db->getParam('zero_date')));
[171]	208
	209	if (!$db->columnExists("{$a_o}_tbl", array(
	210	"{$a_o}_id",
	211	'name',
	212	'lft',
	213	'rgt',
	214	'added_datetime',
	215	), false, false)) {
	216	$app->logMsg(sprintf('Database table %s has invalid columns. Please update this table manually.', "{$a_o}_tbl"), LOG_ALERT, __FILE__, __LINE__);
	217	trigger_error(sprintf('Database table %s has invalid columns. Please update this table manually.', "{$a_o}_tbl"), E_USER_ERROR);
[173]	218	} else {
[334]	219	// Insert root node data if nonexistent.
[173]	220	$qid = $db->query("SELECT 1 FROM {$a_o}_tbl WHERE name = 'root'");
	221	if (mysql_num_rows($qid) == 0) {
[457]	222	$qid = $db->query("REPLACE INTO {$a_o}_tbl (name, lft, rgt, added_datetime) VALUES ('root', 1, 2, NOW())");
	223	}
[171]	224	}
[173]	225
[171]	226	}
	227	}
	228	$_db_tested = true;
[172]	229	return true;
[171]	230	}
	231
	232	/*
[174]	233	* Add a node to one of the aro/aco/axo tables.
[171]	234	*
	235	* @access public
[174]	236	* @param string $name A unique identifier for the new node.
	237	* @param string $parent The name of the parent under-which to attach the new node.
	238	* @param string $type The tree to add to, one of: aro, aco, axo.
	239	* @return bool \| int False on error, or the last_insert_id primary key of the new node.
[171]	240	* @author Quinn Comendant <quinn@strangecode.com>
	241	* @version 1.0
	242	* @since 14 Jun 2006 22:39:29
	243	*/
[757]	244	public function add($name, $parent, $type)
[171]	245	{
	246	$app =& App::getInstance();
	247	$db =& DB::getInstance();
[457]	248
[171]	249	$this->initDB();
[457]	250
[171]	251	switch ($type) {
	252	case 'aro' :
	253	$tbl = 'aro_tbl';
	254	break;
	255	case 'aco' :
	256	$tbl = 'aco_tbl';
	257	break;
	258	case 'axo' :
	259	$tbl = 'axo_tbl';
	260	break;
	261	default :
	262	$app->logMsg(sprintf('Invalid access object type: %s', $type), LOG_ERR, __FILE__, __LINE__);
	263	return false;
	264	break;
	265	}
[457]	266
[171]	267	// If $parent is null, use root object.
	268	if (is_null($parent)) {
	269	$parent = 'root';
	270	}
[457]	271
[171]	272	// Ensure node and parent name aren't empty.
	273	if ('' == trim($name) \|\| '' == trim($parent)) {
	274	$app->logMsg(sprintf('Cannot add node, parent (%s) or name (%s) missing.', $name, $parent), LOG_WARNING, __FILE__, __LINE__);
	275	return false;
	276	}
[457]	277
[502]	278	// Ensure node node name fits in the column size.
	279	// This value can be increased if {aro,aco.axo}_tbl.name VARCHAR length is increased.
	280	if (strlen(trim($name)) > $this->getParam('name_max_length')) {
	281	$app->logMsg(sprintf('Cannot add node, %s character limit exceeded for name "%s"', $this->getParam('name_max_length'), $name, $parent), LOG_WARNING, __FILE__, __LINE__);
	282	return false;
	283	}
	284
[171]	285	// Ensure node is unique.
	286	$qid = $db->query("SELECT 1 FROM $tbl WHERE name = '" . $db->escapeString($name) . "'");
	287	if (mysql_num_rows($qid) > 0) {
[420]	288	$app->logMsg(sprintf('Cannot add %s node, already exists: %s', $type, $name), LOG_INFO, __FILE__, __LINE__);
[171]	289	return false;
	290	}
[457]	291
[171]	292	// Select the rgt of $parent.
	293	$qid = $db->query("SELECT rgt FROM $tbl WHERE name = '" . $db->escapeString($parent) . "'");
[174]	294	if (!list($parent_rgt) = mysql_fetch_row($qid)) {
[334]	295	$app->logMsg(sprintf('Cannot add %s node to nonexistent parent: %s', $type, $parent), LOG_WARNING, __FILE__, __LINE__);
[171]	296	return false;
	297	}
[174]	298
[171]	299	// Update transversal numbers for all nodes to the rgt of $parent.
[174]	300	$db->query("UPDATE $tbl SET lft = lft + 2 WHERE lft >= $parent_rgt");
	301	$db->query("UPDATE $tbl SET rgt = rgt + 2 WHERE rgt >= $parent_rgt");
[457]	302
[171]	303	// Insert new node just below parent. Lft is parent's old rgt.
	304	$db->query("
[457]	305	INSERT INTO $tbl (name, lft, rgt, added_datetime)
[174]	306	VALUES ('" . $db->escapeString($name) . "', $parent_rgt, $parent_rgt + 1, NOW())
[171]	307	");
	308
[506]	309	$app->logMsg(sprintf('Added %s node %s to parent %s', $type, $name, $parent), LOG_INFO, __FILE__, __LINE__);
[171]	310	return mysql_insert_id($db->getDBH());
	311	}
	312
	313	// Alias functions for the different object types.
[468]	314	public function addRequestObject($name, $parent=null)
[171]	315	{
	316	return $this->add($name, $parent, 'aro');
	317	}
[468]	318	public function addControlObject($name, $parent=null)
[171]	319	{
	320	return $this->add($name, $parent, 'aco');
	321	}
[468]	322	public function addXtraObject($name, $parent=null)
[171]	323	{
	324	return $this->add($name, $parent, 'axo');
	325	}
	326
	327	/*
[174]	328	* Remove a node from one of the aro/aco/axo tables.
[171]	329	*
	330	* @access public
[174]	331	* @param string $name The identifier for the node to remove.
	332	* @param string $type The tree to modify, one of: aro, aco, axo.
	333	* @return bool \| int False on error, or true on success.
[171]	334	* @author Quinn Comendant <quinn@strangecode.com>
	335	* @version 1.0
	336	* @since 14 Jun 2006 22:39:29
	337	*/
[468]	338	public function remove($name, $type)
[171]	339	{
	340	$app =& App::getInstance();
	341	$db =& DB::getInstance();
[457]	342
[171]	343	$this->initDB();
	344
	345	switch ($type) {
	346	case 'aro' :
	347	$tbl = 'aro_tbl';
[174]	348	$primary_key = 'aro_id';
[171]	349	break;
	350	case 'aco' :
	351	$tbl = 'aco_tbl';
[174]	352	$primary_key = 'aco_id';
[171]	353	break;
	354	case 'axo' :
	355	$tbl = 'axo_tbl';
[174]	356	$primary_key = 'axo_id';
[171]	357	break;
	358	default :
	359	$app->logMsg(sprintf('Invalid access object type: %s', $type), LOG_ERR, __FILE__, __LINE__);
	360	return false;
	361	break;
	362	}
[457]	363
[171]	364	// Ensure node name isn't empty.
	365	if ('' == trim($name)) {
	366	$app->logMsg(sprintf('Cannot add node, name missing.', null), LOG_WARNING, __FILE__, __LINE__);
	367	return false;
	368	}
[457]	369
[174]	370	// Select the lft and rgt of $name to use for selecting children and reordering transversals.
[171]	371	$qid = $db->query("SELECT lft, rgt FROM $tbl WHERE name = '" . $db->escapeString($name) . "'");
	372	if (!list($lft, $rgt) = mysql_fetch_row($qid)) {
[420]	373	$app->logMsg(sprintf('Cannot delete nonexistent %s name: %s', $type, $name), LOG_WARNING, __FILE__, __LINE__);
[171]	374	return false;
	375	}
[457]	376
[174]	377	// Remove node and all children of node, as well as acl_tbl links.
	378	$db->query("
[457]	379	DELETE $tbl, acl_tbl
[174]	380	FROM $tbl
	381	LEFT JOIN acl_tbl ON ($tbl.$primary_key = acl_tbl.$primary_key)
	382	WHERE $tbl.lft BETWEEN $lft AND $rgt
	383	");
[171]	384	$num_deleted_nodes = mysql_affected_rows($db->getDBH());
	385
[609]	386	// Update transversal numbers for all nodes to the rgt of $parent, taking into account the absence of its children.
[171]	387	$db->query("UPDATE $tbl SET lft = lft - ($rgt - $lft + 1) WHERE lft > $lft");
	388	$db->query("UPDATE $tbl SET rgt = rgt - ($rgt - $lft + 1) WHERE rgt > $rgt");
	389
[201]	390	$app->logMsg(sprintf('Removed %s node %s along with %s children.', $type, $name, $num_deleted_nodes - 1), LOG_INFO, __FILE__, __LINE__);
[171]	391	return true;
	392	}
[457]	393
[171]	394	// Alias functions for the different object types.
[468]	395	public function removeRequestObject($name)
[171]	396	{
[174]	397	return $this->remove($name, 'aro');
[171]	398	}
[468]	399	public function removeControlObject($name)
[171]	400	{
[174]	401	return $this->remove($name, 'aco');
[171]	402	}
[468]	403	public function removeXtraObject($name)
[171]	404	{
[174]	405	return $this->remove($name, 'axo');
[171]	406	}
[174]	407
	408	/*
	409	* Move a node to a new parent in one of the aro/aco/axo tables.
	410	*
	411	* @access public
	412	* @param string $name The identifier for the node to remove.
	413	* @param string $new_parent The name of the parent under-which to attach the new node.
	414	* @param string $type The tree to modify, one of: aro, aco, axo.
	415	* @return bool \| int False on error, or the last_insert_id primary key of the new node.
	416	* @author Quinn Comendant <quinn@strangecode.com>
	417	* @version 1.0
	418	* @since 14 Jun 2006 22:39:29
	419	*/
[468]	420	public function move($name, $new_parent, $type)
[174]	421	{
	422	$app =& App::getInstance();
	423	$db =& DB::getInstance();
[457]	424
[174]	425	$this->initDB();
	426
	427	switch ($type) {
	428	case 'aro' :
	429	$tbl = 'aro_tbl';
	430	$primary_key = 'aro_id';
	431	break;
	432	case 'aco' :
	433	$tbl = 'aco_tbl';
	434	$primary_key = 'aco_id';
	435	break;
	436	case 'axo' :
	437	$tbl = 'axo_tbl';
	438	$primary_key = 'axo_id';
	439	break;
	440	default :
	441	$app->logMsg(sprintf('Invalid access object type: %s', $type), LOG_ERR, __FILE__, __LINE__);
	442	return false;
	443	break;
	444	}
[457]	445
[189]	446	// If $new_parent is null, use root object.
	447	if (is_null($new_parent)) {
	448	$new_parent = 'root';
[174]	449	}
[457]	450
[174]	451	// Ensure node and parent name aren't empty.
[189]	452	if ('' == trim($name) \|\| '' == trim($new_parent)) {
	453	$app->logMsg(sprintf('Cannot add node, parent (%s) or name (%s) missing.', $name, $new_parent), LOG_WARNING, __FILE__, __LINE__);
[174]	454	return false;
	455	}
[457]	456
[174]	457	// Select the lft and rgt of $name to use for selecting children and reordering transversals.
	458	$qid = $db->query("SELECT lft, rgt FROM $tbl WHERE name = '" . $db->escapeString($name) . "'");
	459	if (!list($lft, $rgt) = mysql_fetch_row($qid)) {
[420]	460	$app->logMsg(sprintf('Cannot move nonexistent %s name: %s', $type, $name), LOG_WARNING, __FILE__, __LINE__);
[174]	461	return false;
	462	}
[457]	463
[174]	464	// Total number of transversal values (that is, the count of self plus all children times two).
	465	$total_transversal_value = ($rgt - $lft + 1);
	466
	467	// Select the rgt of the new parent.
	468	$qid = $db->query("SELECT rgt FROM $tbl WHERE name = '" . $db->escapeString($new_parent) . "'");
	469	if (!list($new_parent_rgt) = mysql_fetch_row($qid)) {
[334]	470	$app->logMsg(sprintf('Cannot move %s node to nonexistent parent: %s', $type, $new_parent), LOG_WARNING, __FILE__, __LINE__);
[174]	471	return false;
	472	}
[457]	473
[174]	474	// Ensure the new parent is not a child of the node being moved.
	475	if ($new_parent_rgt <= $rgt && $new_parent_rgt >= $lft) {
	476	$app->logMsg(sprintf('Cannot move %s node %s to parent %s because it is a child of itself.', $type, $name, $new_parent), LOG_WARNING, __FILE__, __LINE__);
	477	return false;
	478	}
[457]	479
[174]	480	// Collect unique ids of all nodes being moved. The transversal numbers will become duplicated so these will be needed to identify these.
	481	$qid = $db->query("
	482	SELECT $primary_key
	483	FROM $tbl
	484	WHERE lft BETWEEN $lft AND $rgt
	485	AND rgt BETWEEN $lft AND $rgt
	486	");
	487	$ids = array();
	488	while (list($id) = mysql_fetch_row($qid)) {
	489	$ids[] = $id;
	490	}
	491
	492	// Update transversal numbers for all nodes to the rgt of the node being moved, taking in to account the absence of it's children.
	493	// This will temporarily "remove" the node from the tree, and its transversal values will be duplicated.
	494	$db->query("UPDATE $tbl SET lft = lft - $total_transversal_value WHERE lft > $rgt");
	495	$db->query("UPDATE $tbl SET rgt = rgt - $total_transversal_value WHERE rgt > $rgt");
[189]	496
[174]	497	// Apply transformation to new parent rgt also.
	498	$new_parent_rgt = $new_parent_rgt > $rgt ? $new_parent_rgt - $total_transversal_value : $new_parent_rgt;
[457]	499
[174]	500	// Update transversal values of moved node and children.
	501	$db->query("
[457]	502	UPDATE $tbl SET
[174]	503	lft = lft - ($lft - $new_parent_rgt),
	504	rgt = rgt - ($lft - $new_parent_rgt)
	505	WHERE $primary_key IN ('" . join("','", $ids) . "')
	506	");
	507
	508	// Update transversal values of all nodes to the rgt of moved node.
	509	$db->query("UPDATE $tbl SET lft = lft + $total_transversal_value WHERE lft >= $new_parent_rgt AND $primary_key NOT IN ('" . join("','", $ids) . "')");
	510	$db->query("UPDATE $tbl SET rgt = rgt + $total_transversal_value WHERE rgt >= $new_parent_rgt AND $primary_key NOT IN ('" . join("','", $ids) . "')");
	511
[506]	512	$app->logMsg(sprintf('Moved %s node %s to new parent %s', $type, $name, $new_parent), LOG_INFO, __FILE__, __LINE__);
[174]	513	return true;
	514	}
[457]	515
[174]	516	// Alias functions for the different object types.
[468]	517	public function moveRequestObject($name, $new_parent=null)
[174]	518	{
	519	return $this->move($name, $new_parent, 'aro');
	520	}
[468]	521	public function moveControlObject($name, $new_parent=null)
[174]	522	{
	523	return $this->move($name, $new_parent, 'aco');
	524	}
[468]	525	public function moveXtraObject($name, $new_parent=null)
[174]	526	{
	527	return $this->move($name, $new_parent, 'axo');
	528	}
[457]	529
[171]	530	/*
[174]	531	* Add an entry to the acl_tbl to allow (or deny) a truple with the specified
	532	* ARO -> ACO -> AXO entry.
[171]	533	*
	534	* @access public
[175]	535	* @param string\|null $aro Identifier of an existing ARO object (or null to use root).
	536	* @param string\|null $aco Identifier of an existing ACO object (or null to use root).
	537	* @param string\|null $axo Identifier of an existing AXO object (or null to use root).
[174]	538	* @return bool False on error, true on success.
[171]	539	* @author Quinn Comendant <quinn@strangecode.com>
	540	* @version 1.0
	541	* @since 15 Jun 2006 01:58:48
	542	*/
[468]	543	public function grant($aro=null, $aco=null, $axo=null, $access='allow')
[171]	544	{
	545	$app =& App::getInstance();
	546	$db =& DB::getInstance();
	547
	548	$this->initDB();
	549
	550	// If any access objects are null, assume using root values.
[173]	551	// However if they're empty we don't want to escalate the grant command to root!
[171]	552	$aro = is_null($aro) ? 'root' : $aro;
	553	$aco = is_null($aco) ? 'root' : $aco;
	554	$axo = is_null($axo) ? 'root' : $axo;
[457]	555
[218]	556	// Flush old cached values.
	557	$cache_hash = $aro . '\|' . $aco . '\|' . $axo;
	558	$this->cache->delete($cache_hash);
	559
[171]	560	// Ensure values exist.
	561	$qid = $db->query("SELECT aro_tbl.aro_id FROM aro_tbl WHERE aro_tbl.name = '" . $db->escapeString($aro) . "'");
	562	if (!list($aro_id) = mysql_fetch_row($qid)) {
[280]	563	$app->logMsg(sprintf('Grant failed, aro_tbl.name = "%s" does not exist.', $aro), LOG_WARNING, __FILE__, __LINE__);
[171]	564	return false;
	565	}
	566	$qid = $db->query("SELECT aco_tbl.aco_id FROM aco_tbl WHERE aco_tbl.name = '" . $db->escapeString($aco) . "'");
	567	if (!list($aco_id) = mysql_fetch_row($qid)) {
[280]	568	$app->logMsg(sprintf('Grant failed, aco_tbl.name = "%s" does not exist.', $aco), LOG_WARNING, __FILE__, __LINE__);
[171]	569	return false;
	570	}
	571	$qid = $db->query("SELECT axo_tbl.axo_id FROM axo_tbl WHERE axo_tbl.name = '" . $db->escapeString($axo) . "'");
	572	if (!list($axo_id) = mysql_fetch_row($qid)) {
[280]	573	$app->logMsg(sprintf('Grant failed, axo_tbl.name = "%s" does not exist.', $axo), LOG_WARNING, __FILE__, __LINE__);
[171]	574	return false;
	575	}
	576
	577	// Access must be 'allow' or 'deny'.
	578	$allow = 'allow' == $access ? 'allow' : 'deny';
[457]	579
[171]	580	$db->query("REPLACE INTO acl_tbl VALUES ('$aro_id', '$aco_id', '$axo_id', '$allow', NOW())");
[506]	581	$app->logMsg(sprintf('Set %s: %s -> %s -> %s', $allow, $aro, $aco, $axo), LOG_INFO, __FILE__, __LINE__);
[457]	582
[171]	583	return true;
	584	}
	585
	586	/*
[174]	587	* Add an entry to the acl_tbl to deny a truple with the specified
	588	* ARO -> ACO -> AXO entry. This calls the ACL::grant function to create the entry
	589	* but uses 'deny' as the fourth argument.
[171]	590	*
	591	* @access public
[175]	592	* @param string\|null $aro Identifier of an existing ARO object (or null to use root).
	593	* @param string\|null $aco Identifier of an existing ACO object (or null to use root).
	594	* @param string\|null $axo Identifier of an existing AXO object (or null to use root).
[174]	595	* @return bool False on error, true on success.
[171]	596	* @author Quinn Comendant <quinn@strangecode.com>
	597	* @version 1.0
	598	* @since 15 Jun 2006 04:35:54
	599	*/
[468]	600	public function revoke($aro=null, $aco=null, $axo=null)
[171]	601	{
	602	return $this->grant($aro, $aco, $axo, 'deny');
	603	}
[457]	604
[171]	605	/*
[175]	606	* Delete an entry from the acl_tbl completely to allow other permissions to cascade down.
	607	* Null values act as a "wildcard" and will cause ALL matches in that column to be deleted.
	608	*
	609	* @access public
	610	* @param string\|null $aro Identifier of an existing ARO object (or null for *).
	611	* @param string\|null $aco Identifier of an existing ACO object (or null for *).
	612	* @param string\|null $axo Identifier of an existing AXO object (or null for *).
	613	* @return bool False on error, true on success.
	614	* @author Quinn Comendant <quinn@strangecode.com>
	615	* @version 1.0
	616	* @since 20 Jun 2006 20:16:12
	617	*/
[468]	618	public function delete($aro=null, $aco=null, $axo=null)
[175]	619	{
	620	$app =& App::getInstance();
	621	$db =& DB::getInstance();
	622
	623	$this->initDB();
	624
	625	// If any access objects are null, assume using root values.
	626	// However if they're empty we don't want to escalate the grant command to root!
	627	$where = array();
	628	$where[] = is_null($aro) ? "aro_tbl.name IS NOT NULL" : "aro_tbl.name = '" . $db->escapeString($aro) . "' ";
	629	$where[] = is_null($aco) ? "aco_tbl.name IS NOT NULL" : "aco_tbl.name = '" . $db->escapeString($aco) . "' ";
	630	$where[] = is_null($axo) ? "axo_tbl.name IS NOT NULL" : "axo_tbl.name = '" . $db->escapeString($axo) . "' ";
	631
[218]	632	// If any access objects are null, assume using root values.
	633	// However if they're empty we don't want to escalate the grant command to root!
	634	$aro = is_null($aro) ? 'root' : $aro;
	635	$aco = is_null($aco) ? 'root' : $aco;
	636	$axo = is_null($axo) ? 'root' : $axo;
[457]	637
[218]	638	// Flush old cached values.
	639	$cache_hash = $aro . '\|' . $aco . '\|' . $axo;
	640	$this->cache->delete($cache_hash);
	641
[175]	642	$final_where = join(' AND ', $where);
[247]	643	if (mb_substr_count($final_where, 'IS NOT NULL') == 3) {
[175]	644	// Null on all three tables will delete ALL entries including the root -> root -> root = deny.
[420]	645	$app->logMsg('Cannot allow deletion of ALL acl entries.', LOG_WARNING, __FILE__, __LINE__);
[175]	646	return false;
	647	}
[457]	648
[175]	649	$qid = $db->query("
	650	DELETE acl_tbl
	651	FROM acl_tbl
	652	LEFT JOIN aro_tbl ON (acl_tbl.aro_id = aro_tbl.aro_id)
	653	LEFT JOIN aco_tbl ON (acl_tbl.aco_id = aco_tbl.aco_id)
	654	LEFT JOIN axo_tbl ON (acl_tbl.axo_id = axo_tbl.axo_id)
	655	WHERE $final_where
	656	");
	657
	658	$app->logMsg(sprintf('Deleted %s acl_tbl links: %s -> %s -> %s', mysql_affected_rows($db->getDBH()), $aro, $aco, $axo), LOG_INFO, __FILE__, __LINE__);
[457]	659
[175]	660	return true;
	661	}
[457]	662
[175]	663	/*
[174]	664	* Calculates the most specific cascading privilege found for a requested
[457]	665	* ARO -> ACO -> AXO entry. Returns FALSE if the entry is denied. By default,
[209]	666	* all entries are denied, unless some point in the hierarchy is set to "allow."
[171]	667	*
	668	* @access public
[174]	669	* @param string $aro Identifier of an existing ARO object.
	670	* @param string $aco Identifier of an existing ACO object (or null to use root).
	671	* @param string $axo Identifier of an existing AXO object (or null to use root).
	672	* @return bool False if denied, true on allowed.
[171]	673	* @author Quinn Comendant <quinn@strangecode.com>
	674	* @version 1.0
	675	* @since 15 Jun 2006 03:58:23
	676	*/
[468]	677	public function check($aro, $aco=null, $axo=null)
[171]	678	{
	679	$app =& App::getInstance();
	680	$db =& DB::getInstance();
[457]	681
[171]	682	$this->initDB();
	683
[173]	684	// If any access objects are null or empty, assume using root values.
	685	$aro = is_null($aro) \|\| '' == trim($aro) ? 'root' : $aro;
	686	$aco = is_null($aco) \|\| '' == trim($aco) ? 'root' : $aco;
	687	$axo = is_null($axo) \|\| '' == trim($axo) ? 'root' : $axo;
[457]	688
[172]	689	$cache_hash = $aro . '\|' . $aco . '\|' . $axo;
[534]	690	if (true === $this->getParam('enable_cache') && $this->cache->exists($cache_hash)) {
[172]	691	// Access value is cached.
	692	$access = $this->cache->get($cache_hash);
	693	} else {
[396]	694	// Retrieve access value from db.
[172]	695	$qid = $db->query("
	696	SELECT acl_tbl.access
	697	FROM acl_tbl
	698	LEFT JOIN aro_tbl ON (acl_tbl.aro_id = aro_tbl.aro_id)
	699	LEFT JOIN aco_tbl ON (acl_tbl.aco_id = aco_tbl.aco_id)
	700	LEFT JOIN axo_tbl ON (acl_tbl.axo_id = axo_tbl.axo_id)
[177]	701	WHERE (aro_tbl.lft <= (SELECT lft FROM aro_tbl WHERE name = '" . $db->escapeString($aro) . "') AND aro_tbl.rgt >= (SELECT rgt FROM aro_tbl WHERE name = '" . $db->escapeString($aro) . "'))
	702	AND (aco_tbl.lft <= (SELECT lft FROM aco_tbl WHERE name = '" . $db->escapeString($aco) . "') AND aco_tbl.rgt >= (SELECT rgt FROM aco_tbl WHERE name = '" . $db->escapeString($aco) . "'))
	703	AND (axo_tbl.lft <= (SELECT lft FROM axo_tbl WHERE name = '" . $db->escapeString($axo) . "') AND axo_tbl.rgt >= (SELECT rgt FROM axo_tbl WHERE name = '" . $db->escapeString($axo) . "'))
[208]	704	ORDER BY aro_tbl.lft DESC, aco_tbl.lft DESC, axo_tbl.lft DESC
[172]	705	LIMIT 1
	706	");
	707	if (!list($access) = mysql_fetch_row($qid)) {
[177]	708	$this->cache->set($cache_hash, 'deny');
[655]	709	$app->logMsg(sprintf('Access denied: %s -> %s -> %s (no records found).', $aro, $aco, $axo), LOG_NOTICE, __FILE__, __LINE__);
[172]	710	return false;
	711	}
	712	$this->cache->set($cache_hash, $access);
[171]	713	}
[457]	714
[171]	715	if ('allow' == $access) {
[506]	716	$app->logMsg(sprintf('Access granted: %s -> %s -> %s', $aro, $aco, $axo), LOG_DEBUG, __FILE__, __LINE__);
[171]	717	return true;
	718	} else {
[534]	719	$app->logMsg(sprintf('Access denied: %s -> %s -> %s', $aro, $aco, $axo), LOG_NOTICE, __FILE__, __LINE__);
[171]	720	return false;
	721	}
	722	}
	723
[457]	724	/*
	725	* Bounce user if they are denied access. Because this function calls dieURL() it must be called before any other HTTP header output.
	726	*
	727	* @access public
	728	* @param string $aro Identifier of an existing ARO object.
	729	* @param string $aco Identifier of an existing ACO object (or null to use root).
	730	* @param string $axo Identifier of an existing AXO object (or null to use root).
	731	* @param string $message The text description of a message to raise.
	732	* @param int $type The type of message: MSG_NOTICE,
	733	* MSG_SUCCESS, MSG_WARNING, or MSG_ERR.
	734	* @param string $file __FILE__.
	735	* @param string $line __LINE__.
	736	* @author Quinn Comendant <quinn@strangecode.com>
	737	* @version 1.0
	738	* @since 20 Jan 2014 12:09:03
	739	*/
[468]	740	public function requireAllow($aro, $aco=null, $axo=null, $message='', $type=MSG_NOTICE, $file=null, $line=null)
[457]	741	{
[479]	742	$app =& App::getInstance();
[457]	743
	744	if (!$this->check($aro, $aco, $axo)) {
[502]	745	$message = '' == trim($message) ? sprintf(_("Sorry, you have insufficient privileges for <em>%s %s</em>."), $aco, $axo) : $message;
[457]	746	$app->raiseMsg($message, $type, $file, $line);
	747	$app->dieBoomerangURL();
	748	}
	749	}
	750
[534]	751	/*
	752	* Returns an array of the specified object type starting specified root.
	753	*
	754	* @access public
	755	* @param string $type Table to list, one of: aro, aco, or axo.
	756	* @param string $root Root node from which to begin from.
	757	* @return mixed Returns a multidimensional array of objects, or false on error.
	758	* @author Quinn Comendant <quinn@strangecode.com>
	759	* @version 1.0
	760	* @since 17 Jun 2006 23:41:22
	761	*/
	762	function getList($type, $root=null)
	763	{
	764	$app =& App::getInstance();
	765	$db =& DB::getInstance();
	766
	767	switch ($type) {
	768	case 'aro' :
	769	$tbl = 'aro_tbl';
	770	break;
	771	case 'aco' :
	772	$tbl = 'aco_tbl';
	773	break;
	774	case 'axo' :
	775	$tbl = 'axo_tbl';
	776	break;
	777	default :
	778	$app->logMsg(sprintf('Invalid access object type: %s', $type), LOG_ERR, __FILE__, __LINE__);
	779	return false;
	780	}
	781
	782	// By default start with the 'root' node.
	783	$root = !isset($root) ? 'root' : $root;
	784
	785	// Retrieve the left and right value of the $root node.
	786	$qid = $db->query("SELECT lft, rgt FROM $tbl WHERE name = '" . $db->escapeString($root) . "'");
	787	list($lft, $rgt) = mysql_fetch_row($qid);
	788
	789	$results = array();
	790	$depth = array();
	791
	792	// Retrieve all descendants of the root node
	793	$qid = $db->query("SELECT name, lft, rgt, added_datetime FROM $tbl WHERE lft BETWEEN $lft AND $rgt ORDER BY lft ASC");
	794	while (list($name, $lft, $rgt, $added_datetime) = mysql_fetch_row($qid)) {
	795	// If the last element of $depth is less than the current rgt it means we finished with a set of children nodes.
	796	while (sizeof($depth) > 0 && end($depth) < $rgt) {
	797	array_pop($depth);
	798	}
	799
	800	$results[] = array(
	801	'name' => $name,
	802	'added_datetime' => $added_datetime,
	803	'depth' => sizeof($depth),
	804	);
	805
	806	// Add this node to the stack.
	807	$depth[] = $rgt;
	808	}
	809
	810	return $results;
	811	}
	812
[171]	813	} // End class.

Note: See TracBrowser for help on using the repository browser.

Context Navigation

source: trunk/lib/ACL.inc.php

Download in other formats: