Context Navigation

source: trunk/lib/ACL.inc.php @ 757

Last change on this file since 757 was 757, checked in by anonymous, 2 years ago
Fix depreciated notices
File size: 32.5 KB

Rev	Line
[171]	1	<?php
[362]	2	/**
	3	* The Strangecode Codebase - a general application development framework for PHP
	4	* For details visit the project site: <http://trac.strangecode.com/codebase/>
[396]	5	* Copyright 2001-2012 Strangecode, LLC
[457]	6	*
[362]	7	* This file is part of The Strangecode Codebase.
	8	*
	9	* The Strangecode Codebase is free software: you can redistribute it and/or
	10	* modify it under the terms of the GNU General Public License as published by the
	11	* Free Software Foundation, either version 3 of the License, or (at your option)
	12	* any later version.
[457]	13	*
[362]	14	* The Strangecode Codebase is distributed in the hope that it will be useful, but
	15	* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
	16	* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
	17	* details.
[457]	18	*
[362]	19	* You should have received a copy of the GNU General Public License along with
	20	* The Strangecode Codebase. If not, see <http://www.gnu.org/licenses/>.
	21	*/
	22
[171]	23	/*
	24	* ACL.inc.php
[457]	25	*
[171]	26	* Uses the ARO/ACO/AXO model of Access Control Lists.
[173]	27	* Uses Modified Preorder Tree Traversal to maintain a tree-structure.
	28	* See: http://www.sitepoint.com/print/hierarchical-data-database
[174]	29	* Includes a command-line tool for managing rights (codebase/bin/acl.cli.php).
[362]	30	*
[457]	31	*
[171]	32	* @author Quinn Comendant <quinn@strangecode.com>
	33	* @version 1.0
	34	* @since 14 Jun 2006 22:35:11
	35	*/
	36
[172]	37	require_once dirname(__FILE__) . '/Cache.inc.php';
	38
[502]	39	class ACL
	40	{
[171]	41
[468]	42	// A place to keep an object instance for the singleton pattern.
[484]	43	protected static $instance = null;
[468]	44
[171]	45	// Configuration parameters for this object.
[484]	46	protected $_params = array(
[334]	47	// If false nothing will be cached or retrieved. Useful for testing realtime data requests.
[172]	48	'enable_cache' => true,
[171]	49
	50	// Automatically create table and verify columns. Better set to false after site launch.
	51	'create_table' => false,
[502]	52
	53	// Maximum allowed length of names.
	54	// This value can be increased only if {aro,aco,axo}_tbl.name VARCHAR length is increased.
	55	'name_max_length' => 32.
[171]	56	);
	57
	58	/**
[174]	59	* Constructor.
[171]	60	*/
[468]	61	public function __construct()
[171]	62	{
[479]	63	$app =& App::getInstance();
[171]	64
[172]	65	// Configure the cache object.
	66	$this->cache = new Cache('acl');
	67
[171]	68	// Get create tables config from global context.
	69	if (!is_null($app->getParam('db_create_tables'))) {
	70	$this->setParam(array('create_table' => $app->getParam('db_create_tables')));
	71	}
	72	}
	73
	74	/**
	75	* This method enforces the singleton pattern for this class.
	76	*
	77	* @return object Reference to the global ACL object.
	78	* @access public
	79	* @static
	80	*/
[468]	81	public static function &getInstance()
[171]	82	{
[468]	83	if (self::$instance === null) {
	84	self::$instance = new self();
[171]	85	}
	86
[468]	87	return self::$instance;
[171]	88	}
	89
	90	/**
	91	* Set (or overwrite existing) parameters by passing an array of new parameters.
	92	*
	93	* @access public
	94	*
	95	* @param array $params Array of parameters (key => val pairs).
	96	*/
[468]	97	public function setParam($params)
[171]	98	{
[479]	99	$app =& App::getInstance();
[457]	100
[171]	101	if (isset($params) && is_array($params)) {
[534]	102	// Some params require special processing. Catch those in a loop and process individually.
	103	foreach ($params as $key => $val) {
	104	switch ($key) {
	105	case 'enable_cache':
	106	$this->cache->setParam(array('enabled' => $val));
	107	break;
	108	}
	109
	110	}
	111	unset($key, $value);
	112
[171]	113	// Merge new parameters with old overriding only those passed.
	114	$this->_params = array_merge($this->_params, $params);
	115	} else {
	116	$app->logMsg(sprintf('Parameters are not an array: %s', $params), LOG_ERR, __FILE__, __LINE__);
	117	}
	118	}
	119
	120	/**
	121	* Return the value of a parameter, if it exists.
	122	*
	123	* @access public
	124	* @param string $param Which parameter to return.
	125	* @return mixed Configured parameter value.
	126	*/
[468]	127	public function getParam($param)
[171]	128	{
[479]	129	$app =& App::getInstance();
[457]	130
[478]	131	if (array_key_exists($param, $this->_params)) {
[171]	132	return $this->_params[$param];
	133	} else {
[420]	134	$app->logMsg(sprintf('Parameter is not set: %s', $param), LOG_NOTICE, __FILE__, __LINE__);
[171]	135	return null;
	136	}
	137	}
	138
	139	/**
[174]	140	* Setup the database tables for this class.
[171]	141	*
	142	* @access public
	143	* @author Quinn Comendant <quinn@strangecode.com>
	144	* @since 04 Jun 2006 16:41:42
	145	*/
[468]	146	public function initDB($recreate_db=false)
[171]	147	{
[479]	148	$app =& App::getInstance();
	149	$db =& DB::getInstance();
[171]	150
	151	static $_db_tested = false;
	152
	153	if ($recreate_db \|\| !$_db_tested && $this->getParam('create_table')) {
	154
	155	if ($recreate_db) {
	156	$db->query("DROP TABLE IF EXISTS acl_tbl");
	157	$db->query("DROP TABLE IF EXISTS aro_tbl");
	158	$db->query("DROP TABLE IF EXISTS aco_tbl");
	159	$db->query("DROP TABLE IF EXISTS axo_tbl");
[201]	160	$app->logMsg(sprintf('Dropping and recreating tables acl_tbl, aro_tbl, aco_tbl, axo_tbl.', null), LOG_INFO, __FILE__, __LINE__);
[171]	161	}
[457]	162
[171]	163	// acl_tbl
[601]	164	$db->query(sprintf("
[173]	165	CREATE TABLE IF NOT EXISTS acl_tbl (
[502]	166	aro_id SMALLINT UNSIGNED NOT NULL DEFAULT '0',
	167	aco_id SMALLINT UNSIGNED NOT NULL DEFAULT '0',
	168	axo_id SMALLINT UNSIGNED NOT NULL DEFAULT '0',
[171]	169	access ENUM('allow', 'deny') DEFAULT NULL,
[601]	170	added_datetime DATETIME NOT NULL DEFAULT '%s 00:00:00',
[171]	171	UNIQUE KEY (aro_id, aco_id, axo_id),
	172	KEY (access)
	173	) ENGINE=MyISAM
[601]	174	", $db->getParam('zero_date')));
[171]	175	if (!$db->columnExists('acl_tbl', array(
	176	'aro_id',
	177	'aco_id',
	178	'axo_id',
	179	'access',
	180	'added_datetime',
	181	), false, false)) {
	182	$app->logMsg(sprintf('Database table acl_tbl has invalid columns. Please update this table manually.', null), LOG_ALERT, __FILE__, __LINE__);
	183	trigger_error(sprintf('Database table acl_tbl has invalid columns. Please update this table manually.', null), E_USER_ERROR);
[173]	184	} else {
	185	// Insert root node data if nonexistant, dely all by default.
	186	$qid = $db->query("SELECT 1 FROM acl_tbl");
	187	if (mysql_num_rows($qid) == 0) {
[457]	188	$qid = $db->query("REPLACE INTO acl_tbl VALUES ('1', '1', '1', 'deny', NOW())");
	189	}
[171]	190	}
	191
[173]	192	// aro_tbl, aco_tbl, axo_tbl
[171]	193	foreach (array('aro', 'aco', 'axo') as $a_o) {
[601]	194	$db->query(sprintf("
	195	CREATE TABLE IF NOT EXISTS %1\$s_tbl (
	196	%1\$s_id SMALLINT UNSIGNED NOT NULL PRIMARY KEY AUTO_INCREMENT,
	197	name VARCHAR(%2\$s) NOT NULL DEFAULT '',
[502]	198	lft MEDIUMINT UNSIGNED NOT NULL DEFAULT '0',
	199	rgt MEDIUMINT UNSIGNED NOT NULL DEFAULT '0',
[601]	200	added_datetime DATETIME NOT NULL DEFAULT '%3\$s 00:00:00',
[173]	201	UNIQUE KEY name (name(15)),
[171]	202	KEY transversal (lft, rgt)
	203	) ENGINE=MyISAM;
[601]	204	", $a_o, $this->getParam('name_max_length'), $db->getParam('zero_date')));
[171]	205
	206	if (!$db->columnExists("{$a_o}_tbl", array(
	207	"{$a_o}_id",
	208	'name',
	209	'lft',
	210	'rgt',
	211	'added_datetime',
	212	), false, false)) {
	213	$app->logMsg(sprintf('Database table %s has invalid columns. Please update this table manually.', "{$a_o}_tbl"), LOG_ALERT, __FILE__, __LINE__);
	214	trigger_error(sprintf('Database table %s has invalid columns. Please update this table manually.', "{$a_o}_tbl"), E_USER_ERROR);
[173]	215	} else {
[334]	216	// Insert root node data if nonexistent.
[173]	217	$qid = $db->query("SELECT 1 FROM {$a_o}_tbl WHERE name = 'root'");
	218	if (mysql_num_rows($qid) == 0) {
[457]	219	$qid = $db->query("REPLACE INTO {$a_o}_tbl (name, lft, rgt, added_datetime) VALUES ('root', 1, 2, NOW())");
	220	}
[171]	221	}
[173]	222
[171]	223	}
	224	}
	225	$_db_tested = true;
[172]	226	return true;
[171]	227	}
	228
	229	/*
[174]	230	* Add a node to one of the aro/aco/axo tables.
[171]	231	*
	232	* @access public
[174]	233	* @param string $name A unique identifier for the new node.
	234	* @param string $parent The name of the parent under-which to attach the new node.
	235	* @param string $type The tree to add to, one of: aro, aco, axo.
	236	* @return bool \| int False on error, or the last_insert_id primary key of the new node.
[171]	237	* @author Quinn Comendant <quinn@strangecode.com>
	238	* @version 1.0
	239	* @since 14 Jun 2006 22:39:29
	240	*/
[757]	241	public function add($name, $parent, $type)
[171]	242	{
	243	$app =& App::getInstance();
	244	$db =& DB::getInstance();
[457]	245
[171]	246	$this->initDB();
[457]	247
[171]	248	switch ($type) {
	249	case 'aro' :
	250	$tbl = 'aro_tbl';
	251	break;
	252	case 'aco' :
	253	$tbl = 'aco_tbl';
	254	break;
	255	case 'axo' :
	256	$tbl = 'axo_tbl';
	257	break;
	258	default :
	259	$app->logMsg(sprintf('Invalid access object type: %s', $type), LOG_ERR, __FILE__, __LINE__);
	260	return false;
	261	break;
	262	}
[457]	263
[171]	264	// If $parent is null, use root object.
	265	if (is_null($parent)) {
	266	$parent = 'root';
	267	}
[457]	268
[171]	269	// Ensure node and parent name aren't empty.
	270	if ('' == trim($name) \|\| '' == trim($parent)) {
	271	$app->logMsg(sprintf('Cannot add node, parent (%s) or name (%s) missing.', $name, $parent), LOG_WARNING, __FILE__, __LINE__);
	272	return false;
	273	}
[457]	274
[502]	275	// Ensure node node name fits in the column size.
	276	// This value can be increased if {aro,aco.axo}_tbl.name VARCHAR length is increased.
	277	if (strlen(trim($name)) > $this->getParam('name_max_length')) {
	278	$app->logMsg(sprintf('Cannot add node, %s character limit exceeded for name "%s"', $this->getParam('name_max_length'), $name, $parent), LOG_WARNING, __FILE__, __LINE__);
	279	return false;
	280	}
	281
[171]	282	// Ensure node is unique.
	283	$qid = $db->query("SELECT 1 FROM $tbl WHERE name = '" . $db->escapeString($name) . "'");
	284	if (mysql_num_rows($qid) > 0) {
[420]	285	$app->logMsg(sprintf('Cannot add %s node, already exists: %s', $type, $name), LOG_INFO, __FILE__, __LINE__);
[171]	286	return false;
	287	}
[457]	288
[171]	289	// Select the rgt of $parent.
	290	$qid = $db->query("SELECT rgt FROM $tbl WHERE name = '" . $db->escapeString($parent) . "'");
[174]	291	if (!list($parent_rgt) = mysql_fetch_row($qid)) {
[334]	292	$app->logMsg(sprintf('Cannot add %s node to nonexistent parent: %s', $type, $parent), LOG_WARNING, __FILE__, __LINE__);
[171]	293	return false;
	294	}
[174]	295
[171]	296	// Update transversal numbers for all nodes to the rgt of $parent.
[174]	297	$db->query("UPDATE $tbl SET lft = lft + 2 WHERE lft >= $parent_rgt");
	298	$db->query("UPDATE $tbl SET rgt = rgt + 2 WHERE rgt >= $parent_rgt");
[457]	299
[171]	300	// Insert new node just below parent. Lft is parent's old rgt.
	301	$db->query("
[457]	302	INSERT INTO $tbl (name, lft, rgt, added_datetime)
[174]	303	VALUES ('" . $db->escapeString($name) . "', $parent_rgt, $parent_rgt + 1, NOW())
[171]	304	");
	305
[506]	306	$app->logMsg(sprintf('Added %s node %s to parent %s', $type, $name, $parent), LOG_INFO, __FILE__, __LINE__);
[171]	307	return mysql_insert_id($db->getDBH());
	308	}
	309
	310	// Alias functions for the different object types.
[468]	311	public function addRequestObject($name, $parent=null)
[171]	312	{
	313	return $this->add($name, $parent, 'aro');
	314	}
[468]	315	public function addControlObject($name, $parent=null)
[171]	316	{
	317	return $this->add($name, $parent, 'aco');
	318	}
[468]	319	public function addXtraObject($name, $parent=null)
[171]	320	{
	321	return $this->add($name, $parent, 'axo');
	322	}
	323
	324	/*
[174]	325	* Remove a node from one of the aro/aco/axo tables.
[171]	326	*
	327	* @access public
[174]	328	* @param string $name The identifier for the node to remove.
	329	* @param string $type The tree to modify, one of: aro, aco, axo.
	330	* @return bool \| int False on error, or true on success.
[171]	331	* @author Quinn Comendant <quinn@strangecode.com>
	332	* @version 1.0
	333	* @since 14 Jun 2006 22:39:29
	334	*/
[468]	335	public function remove($name, $type)
[171]	336	{
	337	$app =& App::getInstance();
	338	$db =& DB::getInstance();
[457]	339
[171]	340	$this->initDB();
	341
	342	switch ($type) {
	343	case 'aro' :
	344	$tbl = 'aro_tbl';
[174]	345	$primary_key = 'aro_id';
[171]	346	break;
	347	case 'aco' :
	348	$tbl = 'aco_tbl';
[174]	349	$primary_key = 'aco_id';
[171]	350	break;
	351	case 'axo' :
	352	$tbl = 'axo_tbl';
[174]	353	$primary_key = 'axo_id';
[171]	354	break;
	355	default :
	356	$app->logMsg(sprintf('Invalid access object type: %s', $type), LOG_ERR, __FILE__, __LINE__);
	357	return false;
	358	break;
	359	}
[457]	360
[171]	361	// Ensure node name isn't empty.
	362	if ('' == trim($name)) {
	363	$app->logMsg(sprintf('Cannot add node, name missing.', null), LOG_WARNING, __FILE__, __LINE__);
	364	return false;
	365	}
[457]	366
[174]	367	// Select the lft and rgt of $name to use for selecting children and reordering transversals.
[171]	368	$qid = $db->query("SELECT lft, rgt FROM $tbl WHERE name = '" . $db->escapeString($name) . "'");
	369	if (!list($lft, $rgt) = mysql_fetch_row($qid)) {
[420]	370	$app->logMsg(sprintf('Cannot delete nonexistent %s name: %s', $type, $name), LOG_WARNING, __FILE__, __LINE__);
[171]	371	return false;
	372	}
[457]	373
[174]	374	// Remove node and all children of node, as well as acl_tbl links.
	375	$db->query("
[457]	376	DELETE $tbl, acl_tbl
[174]	377	FROM $tbl
	378	LEFT JOIN acl_tbl ON ($tbl.$primary_key = acl_tbl.$primary_key)
	379	WHERE $tbl.lft BETWEEN $lft AND $rgt
	380	");
[171]	381	$num_deleted_nodes = mysql_affected_rows($db->getDBH());
	382
[609]	383	// Update transversal numbers for all nodes to the rgt of $parent, taking into account the absence of its children.
[171]	384	$db->query("UPDATE $tbl SET lft = lft - ($rgt - $lft + 1) WHERE lft > $lft");
	385	$db->query("UPDATE $tbl SET rgt = rgt - ($rgt - $lft + 1) WHERE rgt > $rgt");
	386
[201]	387	$app->logMsg(sprintf('Removed %s node %s along with %s children.', $type, $name, $num_deleted_nodes - 1), LOG_INFO, __FILE__, __LINE__);
[171]	388	return true;
	389	}
[457]	390
[171]	391	// Alias functions for the different object types.
[468]	392	public function removeRequestObject($name)
[171]	393	{
[174]	394	return $this->remove($name, 'aro');
[171]	395	}
[468]	396	public function removeControlObject($name)
[171]	397	{
[174]	398	return $this->remove($name, 'aco');
[171]	399	}
[468]	400	public function removeXtraObject($name)
[171]	401	{
[174]	402	return $this->remove($name, 'axo');
[171]	403	}
[174]	404
	405	/*
	406	* Move a node to a new parent in one of the aro/aco/axo tables.
	407	*
	408	* @access public
	409	* @param string $name The identifier for the node to remove.
	410	* @param string $new_parent The name of the parent under-which to attach the new node.
	411	* @param string $type The tree to modify, one of: aro, aco, axo.
	412	* @return bool \| int False on error, or the last_insert_id primary key of the new node.
	413	* @author Quinn Comendant <quinn@strangecode.com>
	414	* @version 1.0
	415	* @since 14 Jun 2006 22:39:29
	416	*/
[468]	417	public function move($name, $new_parent, $type)
[174]	418	{
	419	$app =& App::getInstance();
	420	$db =& DB::getInstance();
[457]	421
[174]	422	$this->initDB();
	423
	424	switch ($type) {
	425	case 'aro' :
	426	$tbl = 'aro_tbl';
	427	$primary_key = 'aro_id';
	428	break;
	429	case 'aco' :
	430	$tbl = 'aco_tbl';
	431	$primary_key = 'aco_id';
	432	break;
	433	case 'axo' :
	434	$tbl = 'axo_tbl';
	435	$primary_key = 'axo_id';
	436	break;
	437	default :
	438	$app->logMsg(sprintf('Invalid access object type: %s', $type), LOG_ERR, __FILE__, __LINE__);
	439	return false;
	440	break;
	441	}
[457]	442
[189]	443	// If $new_parent is null, use root object.
	444	if (is_null($new_parent)) {
	445	$new_parent = 'root';
[174]	446	}
[457]	447
[174]	448	// Ensure node and parent name aren't empty.
[189]	449	if ('' == trim($name) \|\| '' == trim($new_parent)) {
	450	$app->logMsg(sprintf('Cannot add node, parent (%s) or name (%s) missing.', $name, $new_parent), LOG_WARNING, __FILE__, __LINE__);
[174]	451	return false;
	452	}
[457]	453
[174]	454	// Select the lft and rgt of $name to use for selecting children and reordering transversals.
	455	$qid = $db->query("SELECT lft, rgt FROM $tbl WHERE name = '" . $db->escapeString($name) . "'");
	456	if (!list($lft, $rgt) = mysql_fetch_row($qid)) {
[420]	457	$app->logMsg(sprintf('Cannot move nonexistent %s name: %s', $type, $name), LOG_WARNING, __FILE__, __LINE__);
[174]	458	return false;
	459	}
[457]	460
[174]	461	// Total number of transversal values (that is, the count of self plus all children times two).
	462	$total_transversal_value = ($rgt - $lft + 1);
	463
	464	// Select the rgt of the new parent.
	465	$qid = $db->query("SELECT rgt FROM $tbl WHERE name = '" . $db->escapeString($new_parent) . "'");
	466	if (!list($new_parent_rgt) = mysql_fetch_row($qid)) {
[334]	467	$app->logMsg(sprintf('Cannot move %s node to nonexistent parent: %s', $type, $new_parent), LOG_WARNING, __FILE__, __LINE__);
[174]	468	return false;
	469	}
[457]	470
[174]	471	// Ensure the new parent is not a child of the node being moved.
	472	if ($new_parent_rgt <= $rgt && $new_parent_rgt >= $lft) {
	473	$app->logMsg(sprintf('Cannot move %s node %s to parent %s because it is a child of itself.', $type, $name, $new_parent), LOG_WARNING, __FILE__, __LINE__);
	474	return false;
	475	}
[457]	476
[174]	477	// Collect unique ids of all nodes being moved. The transversal numbers will become duplicated so these will be needed to identify these.
	478	$qid = $db->query("
	479	SELECT $primary_key
	480	FROM $tbl
	481	WHERE lft BETWEEN $lft AND $rgt
	482	AND rgt BETWEEN $lft AND $rgt
	483	");
	484	$ids = array();
	485	while (list($id) = mysql_fetch_row($qid)) {
	486	$ids[] = $id;
	487	}
	488
	489	// Update transversal numbers for all nodes to the rgt of the node being moved, taking in to account the absence of it's children.
	490	// This will temporarily "remove" the node from the tree, and its transversal values will be duplicated.
	491	$db->query("UPDATE $tbl SET lft = lft - $total_transversal_value WHERE lft > $rgt");
	492	$db->query("UPDATE $tbl SET rgt = rgt - $total_transversal_value WHERE rgt > $rgt");
[189]	493
[174]	494	// Apply transformation to new parent rgt also.
	495	$new_parent_rgt = $new_parent_rgt > $rgt ? $new_parent_rgt - $total_transversal_value : $new_parent_rgt;
[457]	496
[174]	497	// Update transversal values of moved node and children.
	498	$db->query("
[457]	499	UPDATE $tbl SET
[174]	500	lft = lft - ($lft - $new_parent_rgt),
	501	rgt = rgt - ($lft - $new_parent_rgt)
	502	WHERE $primary_key IN ('" . join("','", $ids) . "')
	503	");
	504
	505	// Update transversal values of all nodes to the rgt of moved node.
	506	$db->query("UPDATE $tbl SET lft = lft + $total_transversal_value WHERE lft >= $new_parent_rgt AND $primary_key NOT IN ('" . join("','", $ids) . "')");
	507	$db->query("UPDATE $tbl SET rgt = rgt + $total_transversal_value WHERE rgt >= $new_parent_rgt AND $primary_key NOT IN ('" . join("','", $ids) . "')");
	508
[506]	509	$app->logMsg(sprintf('Moved %s node %s to new parent %s', $type, $name, $new_parent), LOG_INFO, __FILE__, __LINE__);
[174]	510	return true;
	511	}
[457]	512
[174]	513	// Alias functions for the different object types.
[468]	514	public function moveRequestObject($name, $new_parent=null)
[174]	515	{
	516	return $this->move($name, $new_parent, 'aro');
	517	}
[468]	518	public function moveControlObject($name, $new_parent=null)
[174]	519	{
	520	return $this->move($name, $new_parent, 'aco');
	521	}
[468]	522	public function moveXtraObject($name, $new_parent=null)
[174]	523	{
	524	return $this->move($name, $new_parent, 'axo');
	525	}
[457]	526
[171]	527	/*
[174]	528	* Add an entry to the acl_tbl to allow (or deny) a truple with the specified
	529	* ARO -> ACO -> AXO entry.
[171]	530	*
	531	* @access public
[175]	532	* @param string\|null $aro Identifier of an existing ARO object (or null to use root).
	533	* @param string\|null $aco Identifier of an existing ACO object (or null to use root).
	534	* @param string\|null $axo Identifier of an existing AXO object (or null to use root).
[174]	535	* @return bool False on error, true on success.
[171]	536	* @author Quinn Comendant <quinn@strangecode.com>
	537	* @version 1.0
	538	* @since 15 Jun 2006 01:58:48
	539	*/
[468]	540	public function grant($aro=null, $aco=null, $axo=null, $access='allow')
[171]	541	{
	542	$app =& App::getInstance();
	543	$db =& DB::getInstance();
	544
	545	$this->initDB();
	546
	547	// If any access objects are null, assume using root values.
[173]	548	// However if they're empty we don't want to escalate the grant command to root!
[171]	549	$aro = is_null($aro) ? 'root' : $aro;
	550	$aco = is_null($aco) ? 'root' : $aco;
	551	$axo = is_null($axo) ? 'root' : $axo;
[457]	552
[218]	553	// Flush old cached values.
	554	$cache_hash = $aro . '\|' . $aco . '\|' . $axo;
	555	$this->cache->delete($cache_hash);
	556
[171]	557	// Ensure values exist.
	558	$qid = $db->query("SELECT aro_tbl.aro_id FROM aro_tbl WHERE aro_tbl.name = '" . $db->escapeString($aro) . "'");
	559	if (!list($aro_id) = mysql_fetch_row($qid)) {
[280]	560	$app->logMsg(sprintf('Grant failed, aro_tbl.name = "%s" does not exist.', $aro), LOG_WARNING, __FILE__, __LINE__);
[171]	561	return false;
	562	}
	563	$qid = $db->query("SELECT aco_tbl.aco_id FROM aco_tbl WHERE aco_tbl.name = '" . $db->escapeString($aco) . "'");
	564	if (!list($aco_id) = mysql_fetch_row($qid)) {
[280]	565	$app->logMsg(sprintf('Grant failed, aco_tbl.name = "%s" does not exist.', $aco), LOG_WARNING, __FILE__, __LINE__);
[171]	566	return false;
	567	}
	568	$qid = $db->query("SELECT axo_tbl.axo_id FROM axo_tbl WHERE axo_tbl.name = '" . $db->escapeString($axo) . "'");
	569	if (!list($axo_id) = mysql_fetch_row($qid)) {
[280]	570	$app->logMsg(sprintf('Grant failed, axo_tbl.name = "%s" does not exist.', $axo), LOG_WARNING, __FILE__, __LINE__);
[171]	571	return false;
	572	}
	573
	574	// Access must be 'allow' or 'deny'.
	575	$allow = 'allow' == $access ? 'allow' : 'deny';
[457]	576
[171]	577	$db->query("REPLACE INTO acl_tbl VALUES ('$aro_id', '$aco_id', '$axo_id', '$allow', NOW())");
[506]	578	$app->logMsg(sprintf('Set %s: %s -> %s -> %s', $allow, $aro, $aco, $axo), LOG_INFO, __FILE__, __LINE__);
[457]	579
[171]	580	return true;
	581	}
	582
	583	/*
[174]	584	* Add an entry to the acl_tbl to deny a truple with the specified
	585	* ARO -> ACO -> AXO entry. This calls the ACL::grant function to create the entry
	586	* but uses 'deny' as the fourth argument.
[171]	587	*
	588	* @access public
[175]	589	* @param string\|null $aro Identifier of an existing ARO object (or null to use root).
	590	* @param string\|null $aco Identifier of an existing ACO object (or null to use root).
	591	* @param string\|null $axo Identifier of an existing AXO object (or null to use root).
[174]	592	* @return bool False on error, true on success.
[171]	593	* @author Quinn Comendant <quinn@strangecode.com>
	594	* @version 1.0
	595	* @since 15 Jun 2006 04:35:54
	596	*/
[468]	597	public function revoke($aro=null, $aco=null, $axo=null)
[171]	598	{
	599	return $this->grant($aro, $aco, $axo, 'deny');
	600	}
[457]	601
[171]	602	/*
[175]	603	* Delete an entry from the acl_tbl completely to allow other permissions to cascade down.
	604	* Null values act as a "wildcard" and will cause ALL matches in that column to be deleted.
	605	*
	606	* @access public
	607	* @param string\|null $aro Identifier of an existing ARO object (or null for *).
	608	* @param string\|null $aco Identifier of an existing ACO object (or null for *).
	609	* @param string\|null $axo Identifier of an existing AXO object (or null for *).
	610	* @return bool False on error, true on success.
	611	* @author Quinn Comendant <quinn@strangecode.com>
	612	* @version 1.0
	613	* @since 20 Jun 2006 20:16:12
	614	*/
[468]	615	public function delete($aro=null, $aco=null, $axo=null)
[175]	616	{
	617	$app =& App::getInstance();
	618	$db =& DB::getInstance();
	619
	620	$this->initDB();
	621
	622	// If any access objects are null, assume using root values.
	623	// However if they're empty we don't want to escalate the grant command to root!
	624	$where = array();
	625	$where[] = is_null($aro) ? "aro_tbl.name IS NOT NULL" : "aro_tbl.name = '" . $db->escapeString($aro) . "' ";
	626	$where[] = is_null($aco) ? "aco_tbl.name IS NOT NULL" : "aco_tbl.name = '" . $db->escapeString($aco) . "' ";
	627	$where[] = is_null($axo) ? "axo_tbl.name IS NOT NULL" : "axo_tbl.name = '" . $db->escapeString($axo) . "' ";
	628
[218]	629	// If any access objects are null, assume using root values.
	630	// However if they're empty we don't want to escalate the grant command to root!
	631	$aro = is_null($aro) ? 'root' : $aro;
	632	$aco = is_null($aco) ? 'root' : $aco;
	633	$axo = is_null($axo) ? 'root' : $axo;
[457]	634
[218]	635	// Flush old cached values.
	636	$cache_hash = $aro . '\|' . $aco . '\|' . $axo;
	637	$this->cache->delete($cache_hash);
	638
[175]	639	$final_where = join(' AND ', $where);
[247]	640	if (mb_substr_count($final_where, 'IS NOT NULL') == 3) {
[175]	641	// Null on all three tables will delete ALL entries including the root -> root -> root = deny.
[420]	642	$app->logMsg('Cannot allow deletion of ALL acl entries.', LOG_WARNING, __FILE__, __LINE__);
[175]	643	return false;
	644	}
[457]	645
[175]	646	$qid = $db->query("
	647	DELETE acl_tbl
	648	FROM acl_tbl
	649	LEFT JOIN aro_tbl ON (acl_tbl.aro_id = aro_tbl.aro_id)
	650	LEFT JOIN aco_tbl ON (acl_tbl.aco_id = aco_tbl.aco_id)
	651	LEFT JOIN axo_tbl ON (acl_tbl.axo_id = axo_tbl.axo_id)
	652	WHERE $final_where
	653	");
	654
	655	$app->logMsg(sprintf('Deleted %s acl_tbl links: %s -> %s -> %s', mysql_affected_rows($db->getDBH()), $aro, $aco, $axo), LOG_INFO, __FILE__, __LINE__);
[457]	656
[175]	657	return true;
	658	}
[457]	659
[175]	660	/*
[174]	661	* Calculates the most specific cascading privilege found for a requested
[457]	662	* ARO -> ACO -> AXO entry. Returns FALSE if the entry is denied. By default,
[209]	663	* all entries are denied, unless some point in the hierarchy is set to "allow."
[171]	664	*
	665	* @access public
[174]	666	* @param string $aro Identifier of an existing ARO object.
	667	* @param string $aco Identifier of an existing ACO object (or null to use root).
	668	* @param string $axo Identifier of an existing AXO object (or null to use root).
	669	* @return bool False if denied, true on allowed.
[171]	670	* @author Quinn Comendant <quinn@strangecode.com>
	671	* @version 1.0
	672	* @since 15 Jun 2006 03:58:23
	673	*/
[468]	674	public function check($aro, $aco=null, $axo=null)
[171]	675	{
	676	$app =& App::getInstance();
	677	$db =& DB::getInstance();
[457]	678
[171]	679	$this->initDB();
	680
[173]	681	// If any access objects are null or empty, assume using root values.
	682	$aro = is_null($aro) \|\| '' == trim($aro) ? 'root' : $aro;
	683	$aco = is_null($aco) \|\| '' == trim($aco) ? 'root' : $aco;
	684	$axo = is_null($axo) \|\| '' == trim($axo) ? 'root' : $axo;
[457]	685
[172]	686	$cache_hash = $aro . '\|' . $aco . '\|' . $axo;
[534]	687	if (true === $this->getParam('enable_cache') && $this->cache->exists($cache_hash)) {
[172]	688	// Access value is cached.
	689	$access = $this->cache->get($cache_hash);
	690	} else {
[396]	691	// Retrieve access value from db.
[172]	692	$qid = $db->query("
	693	SELECT acl_tbl.access
	694	FROM acl_tbl
	695	LEFT JOIN aro_tbl ON (acl_tbl.aro_id = aro_tbl.aro_id)
	696	LEFT JOIN aco_tbl ON (acl_tbl.aco_id = aco_tbl.aco_id)
	697	LEFT JOIN axo_tbl ON (acl_tbl.axo_id = axo_tbl.axo_id)
[177]	698	WHERE (aro_tbl.lft <= (SELECT lft FROM aro_tbl WHERE name = '" . $db->escapeString($aro) . "') AND aro_tbl.rgt >= (SELECT rgt FROM aro_tbl WHERE name = '" . $db->escapeString($aro) . "'))
	699	AND (aco_tbl.lft <= (SELECT lft FROM aco_tbl WHERE name = '" . $db->escapeString($aco) . "') AND aco_tbl.rgt >= (SELECT rgt FROM aco_tbl WHERE name = '" . $db->escapeString($aco) . "'))
	700	AND (axo_tbl.lft <= (SELECT lft FROM axo_tbl WHERE name = '" . $db->escapeString($axo) . "') AND axo_tbl.rgt >= (SELECT rgt FROM axo_tbl WHERE name = '" . $db->escapeString($axo) . "'))
[208]	701	ORDER BY aro_tbl.lft DESC, aco_tbl.lft DESC, axo_tbl.lft DESC
[172]	702	LIMIT 1
	703	");
	704	if (!list($access) = mysql_fetch_row($qid)) {
[177]	705	$this->cache->set($cache_hash, 'deny');
[655]	706	$app->logMsg(sprintf('Access denied: %s -> %s -> %s (no records found).', $aro, $aco, $axo), LOG_NOTICE, __FILE__, __LINE__);
[172]	707	return false;
	708	}
	709	$this->cache->set($cache_hash, $access);
[171]	710	}
[457]	711
[171]	712	if ('allow' == $access) {
[506]	713	$app->logMsg(sprintf('Access granted: %s -> %s -> %s', $aro, $aco, $axo), LOG_DEBUG, __FILE__, __LINE__);
[171]	714	return true;
	715	} else {
[534]	716	$app->logMsg(sprintf('Access denied: %s -> %s -> %s', $aro, $aco, $axo), LOG_NOTICE, __FILE__, __LINE__);
[171]	717	return false;
	718	}
	719	}
	720
[457]	721	/*
	722	* Bounce user if they are denied access. Because this function calls dieURL() it must be called before any other HTTP header output.
	723	*
	724	* @access public
	725	* @param string $aro Identifier of an existing ARO object.
	726	* @param string $aco Identifier of an existing ACO object (or null to use root).
	727	* @param string $axo Identifier of an existing AXO object (or null to use root).
	728	* @param string $message The text description of a message to raise.
	729	* @param int $type The type of message: MSG_NOTICE,
	730	* MSG_SUCCESS, MSG_WARNING, or MSG_ERR.
	731	* @param string $file __FILE__.
	732	* @param string $line __LINE__.
	733	* @author Quinn Comendant <quinn@strangecode.com>
	734	* @version 1.0
	735	* @since 20 Jan 2014 12:09:03
	736	*/
[468]	737	public function requireAllow($aro, $aco=null, $axo=null, $message='', $type=MSG_NOTICE, $file=null, $line=null)
[457]	738	{
[479]	739	$app =& App::getInstance();
[457]	740
	741	if (!$this->check($aro, $aco, $axo)) {
[502]	742	$message = '' == trim($message) ? sprintf(_("Sorry, you have insufficient privileges for <em>%s %s</em>."), $aco, $axo) : $message;
[457]	743	$app->raiseMsg($message, $type, $file, $line);
	744	$app->dieBoomerangURL();
	745	}
	746	}
	747
[534]	748	/*
	749	* Returns an array of the specified object type starting specified root.
	750	*
	751	* @access public
	752	* @param string $type Table to list, one of: aro, aco, or axo.
	753	* @param string $root Root node from which to begin from.
	754	* @return mixed Returns a multidimensional array of objects, or false on error.
	755	* @author Quinn Comendant <quinn@strangecode.com>
	756	* @version 1.0
	757	* @since 17 Jun 2006 23:41:22
	758	*/
	759	function getList($type, $root=null)
	760	{
	761	$app =& App::getInstance();
	762	$db =& DB::getInstance();
	763
	764	switch ($type) {
	765	case 'aro' :
	766	$tbl = 'aro_tbl';
	767	break;
	768	case 'aco' :
	769	$tbl = 'aco_tbl';
	770	break;
	771	case 'axo' :
	772	$tbl = 'axo_tbl';
	773	break;
	774	default :
	775	$app->logMsg(sprintf('Invalid access object type: %s', $type), LOG_ERR, __FILE__, __LINE__);
	776	return false;
	777	}
	778
	779	// By default start with the 'root' node.
	780	$root = !isset($root) ? 'root' : $root;
	781
	782	// Retrieve the left and right value of the $root node.
	783	$qid = $db->query("SELECT lft, rgt FROM $tbl WHERE name = '" . $db->escapeString($root) . "'");
	784	list($lft, $rgt) = mysql_fetch_row($qid);
	785
	786	$results = array();
	787	$depth = array();
	788
	789	// Retrieve all descendants of the root node
	790	$qid = $db->query("SELECT name, lft, rgt, added_datetime FROM $tbl WHERE lft BETWEEN $lft AND $rgt ORDER BY lft ASC");
	791	while (list($name, $lft, $rgt, $added_datetime) = mysql_fetch_row($qid)) {
	792	// If the last element of $depth is less than the current rgt it means we finished with a set of children nodes.
	793	while (sizeof($depth) > 0 && end($depth) < $rgt) {
	794	array_pop($depth);
	795	}
	796
	797	$results[] = array(
	798	'name' => $name,
	799	'added_datetime' => $added_datetime,
	800	'depth' => sizeof($depth),
	801	);
	802
	803	// Add this node to the stack.
	804	$depth[] = $rgt;
	805	}
	806
	807	return $results;
	808	}
	809
[171]	810	} // End class.

Note: See TracBrowser for help on using the repository browser.

Download in other formats: