Context Navigation

source: trunk/lib/ACL.inc.php @ 171

Last change on this file since 171 was 171, checked in by scdev, 18 years ago
Q - wrote the new codebase Access Control List class, along with command line script for managing permissions.
File size: 15.3 KB

Line
1	<?php
2	/*
3	* ACL.inc.php
4	*
5	* Uses the ARO/ACO/AXO model of Access Control Lists.
6	* Includes a command-line tool for managing rights.
7	*
8	* Code by Strangecode :: www.strangecode.com :: This document contains copyrighted information.
9	* @author Quinn Comendant <quinn@strangecode.com>
10	* @version 1.0
11	* @since 14 Jun 2006 22:35:11
12	*/
13
14	class ACL {
15
16	// Configuration parameters for this object.
17	var $_params = array(
18
19	// Automatically create table and verify columns. Better set to false after site launch.
20	'create_table' => false,
21	);
22
23	/**
24	* Prefs constructor.
25	*/
26	function ACL()
27	{
28	$app =& App::getInstance();
29
30	// Get create tables config from global context.
31	if (!is_null($app->getParam('db_create_tables'))) {
32	$this->setParam(array('create_table' => $app->getParam('db_create_tables')));
33	}
34	}
35
36	/**
37	* This method enforces the singleton pattern for this class.
38	*
39	* @return object Reference to the global ACL object.
40	* @access public
41	* @static
42	*/
43	function &getInstance()
44	{
45	static $instance = null;
46
47	if ($instance === null) {
48	$instance = new ACL();
49	}
50
51	return $instance;
52	}
53
54	/**
55	* Set (or overwrite existing) parameters by passing an array of new parameters.
56	*
57	* @access public
58	*
59	* @param array $params Array of parameters (key => val pairs).
60	*/
61	function setParam($params)
62	{
63	$app =& App::getInstance();
64
65	if (isset($params) && is_array($params)) {
66	// Merge new parameters with old overriding only those passed.
67	$this->_params = array_merge($this->_params, $params);
68	} else {
69	$app->logMsg(sprintf('Parameters are not an array: %s', $params), LOG_ERR, __FILE__, __LINE__);
70	}
71	}
72
73	/**
74	* Return the value of a parameter, if it exists.
75	*
76	* @access public
77	* @param string $param Which parameter to return.
78	* @return mixed Configured parameter value.
79	*/
80	function getParam($param)
81	{
82	$app =& App::getInstance();
83
84	if (isset($this->_params[$param])) {
85	return $this->_params[$param];
86	} else {
87	$app->logMsg(sprintf('Parameter is not set: %s', $param), LOG_DEBUG, __FILE__, __LINE__);
88	return null;
89	}
90	}
91
92	/**
93	* Setup the database table for this class.
94	*
95	* @access public
96	* @author Quinn Comendant <quinn@strangecode.com>
97	* @since 04 Jun 2006 16:41:42
98	*/
99	function initDB($recreate_db=false)
100	{
101	$app =& App::getInstance();
102	$db =& DB::getInstance();
103
104	static $_db_tested = false;
105
106	if ($recreate_db \|\| !$_db_tested && $this->getParam('create_table')) {
107
108	if ($recreate_db) {
109	$db->query("DROP TABLE IF EXISTS acl_tbl");
110	$db->query("DROP TABLE IF EXISTS aro_tbl");
111	$db->query("DROP TABLE IF EXISTS aco_tbl");
112	$db->query("DROP TABLE IF EXISTS axo_tbl");
113	$app->logMsg(sprintf('Dropping and recreating tables acl_tbl, aro_tbl, aco_tbl, axo_tbl.', null), LOG_DEBUG, __FILE__, __LINE__);
114	}
115
116	// acl_tbl
117	$db->query("CREATE TABLE IF NOT EXISTS acl_tbl (
118	aro_id SMALLINT(11) UNSIGNED NOT NULL DEFAULT '0',
119	aco_id SMALLINT(11) UNSIGNED NOT NULL DEFAULT '0',
120	axo_id SMALLINT(11) UNSIGNED NOT NULL DEFAULT '0',
121	access ENUM('allow', 'deny') DEFAULT NULL,
122	added_datetime DATETIME NOT NULL DEFAULT '0000-00-00 00:00:00',
123	UNIQUE KEY (aro_id, aco_id, axo_id),
124	KEY (access)
125	) ENGINE=MyISAM
126	");
127	if (!$db->columnExists('acl_tbl', array(
128	'aro_id',
129	'aco_id',
130	'axo_id',
131	'access',
132	'added_datetime',
133	), false, false)) {
134	$app->logMsg(sprintf('Database table acl_tbl has invalid columns. Please update this table manually.', null), LOG_ALERT, __FILE__, __LINE__);
135	trigger_error(sprintf('Database table acl_tbl has invalid columns. Please update this table manually.', null), E_USER_ERROR);
136	}
137
138	// The tuples of objects.
139	foreach (array('aro', 'aco', 'axo') as $a_o) {
140	// Each of these uses Modified Preorder Tree Traversal to maintain a tree-structure in a flat format.
141	// See: http://www.sitepoint.com/print/hierarchical-data-database
142	$db->query("CREATE TABLE IF NOT EXISTS {$a_o}_tbl (
143	{$a_o}_id SMALLINT UNSIGNED NOT NULL PRIMARY KEY AUTO_INCREMENT,
144	name VARCHAR(32) NOT NULL DEFAULT '',
145	lft MEDIUMINT(9) UNSIGNED NOT NULL DEFAULT '0',
146	rgt MEDIUMINT(9) UNSIGNED NOT NULL DEFAULT '0',
147	added_datetime DATETIME NOT NULL DEFAULT '0000-00-00 00:00:00',
148	UNIQUE name (name),
149	KEY transversal (lft, rgt)
150	) ENGINE=MyISAM;
151	");
152
153	$qid = $db->query("SELECT 1 FROM {$a_o}_tbl WHERE name = 'root'");
154	if (mysql_num_rows($qid) == 0) {
155	// Insert root node data.
156	$qid = $db->query("REPLACE INTO {$a_o}_tbl (name, lft, rgt, added_datetime) VALUES ('root', 1, 2, NOW())");
157	}
158
159	if (!$db->columnExists("{$a_o}_tbl", array(
160	"{$a_o}_id",
161	'name',
162	'lft',
163	'rgt',
164	'added_datetime',
165	), false, false)) {
166	$app->logMsg(sprintf('Database table %s has invalid columns. Please update this table manually.', "{$a_o}_tbl"), LOG_ALERT, __FILE__, __LINE__);
167	trigger_error(sprintf('Database table %s has invalid columns. Please update this table manually.', "{$a_o}_tbl"), E_USER_ERROR);
168	}
169	}
170	}
171	$_db_tested = true;
172	}
173
174	/*
175	*
176	*
177	* @access public
178	* @param
179	* @return
180	* @author Quinn Comendant <quinn@strangecode.com>
181	* @version 1.0
182	* @since 14 Jun 2006 22:39:29
183	*/
184	function add($name, $parent=null, $type)
185	{
186	$app =& App::getInstance();
187	$db =& DB::getInstance();
188
189	$this->initDB();
190
191	switch ($type) {
192	case 'aro' :
193	$tbl = 'aro_tbl';
194	break;
195	case 'aco' :
196	$tbl = 'aco_tbl';
197	break;
198	case 'axo' :
199	$tbl = 'axo_tbl';
200	break;
201	default :
202	$app->logMsg(sprintf('Invalid access object type: %s', $type), LOG_ERR, __FILE__, __LINE__);
203	return false;
204	break;
205	}
206
207	// If $parent is null, use root object.
208	if (is_null($parent)) {
209	$parent = 'root';
210	}
211
212	// Ensure node and parent name aren't empty.
213	if ('' == trim($name) \|\| '' == trim($parent)) {
214	$app->logMsg(sprintf('Cannot add node, parent (%s) or name (%s) missing.', $name, $parent), LOG_WARNING, __FILE__, __LINE__);
215	return false;
216	}
217
218	// Ensure node is unique.
219	$qid = $db->query("SELECT 1 FROM $tbl WHERE name = '" . $db->escapeString($name) . "'");
220	if (mysql_num_rows($qid) > 0) {
221	$app->logMsg(sprintf('Cannot add %s node, name exists: %s', $type, $name), LOG_WARNING, __FILE__, __LINE__);
222	return false;
223	}
224
225	// Select the rgt of $parent.
226	$qid = $db->query("SELECT rgt FROM $tbl WHERE name = '" . $db->escapeString($parent) . "'");
227	if (!list($rgt) = mysql_fetch_row($qid)) {
228	$app->logMsg(sprintf('Cannot add %s node to nonexistant parent: %s', $type, $parent), LOG_WARNING, __FILE__, __LINE__);
229	return false;
230	}
231	// Update transversal numbers for all nodes to the rgt of $parent.
232	$db->query("UPDATE $tbl SET lft = lft + 2 WHERE lft >= $rgt");
233	$db->query("UPDATE $tbl SET rgt = rgt + 2 WHERE rgt >= $rgt");
234
235	// Insert new node just below parent. Lft is parent's old rgt.
236	$db->query("
237	INSERT INTO $tbl (name, lft, rgt, added_datetime)
238	VALUES ('" . $db->escapeString($name) . "', $rgt, $rgt + 1, NOW())
239	");
240
241	$app->logMsg(sprintf('Added %s node %s to parent %s.', $type, $name, $parent), LOG_DEBUG, __FILE__, __LINE__);
242	return mysql_insert_id($db->getDBH());
243	}
244
245	// Alias functions for the different object types.
246	function addARO($name, $parent=null)
247	{
248	return $this->add($name, $parent, 'aro');
249	}
250	function addACO($name, $parent=null)
251	{
252	return $this->add($name, $parent, 'aco');
253	}
254	function addAXO($name, $parent=null)
255	{
256	return $this->add($name, $parent, 'axo');
257	}
258
259	/*
260	*
261	*
262	* @access public
263	* @param
264	* @return
265	* @author Quinn Comendant <quinn@strangecode.com>
266	* @version 1.0
267	* @since 14 Jun 2006 22:39:29
268	*/
269	function remove($name, $type)
270	{
271	$app =& App::getInstance();
272	$db =& DB::getInstance();
273
274	$this->initDB();
275
276	switch ($type) {
277	case 'aro' :
278	$tbl = 'aro_tbl';
279	break;
280	case 'aco' :
281	$tbl = 'aco_tbl';
282	break;
283	case 'axo' :
284	$tbl = 'axo_tbl';
285	break;
286	default :
287	$app->logMsg(sprintf('Invalid access object type: %s', $type), LOG_ERR, __FILE__, __LINE__);
288	return false;
289	break;
290	}
291
292	// Ensure node name isn't empty.
293	if ('' == trim($name)) {
294	$app->logMsg(sprintf('Cannot add node, name missing.', null), LOG_WARNING, __FILE__, __LINE__);
295	return false;
296	}
297
298	// Select the lft of $name
299	$qid = $db->query("SELECT lft, rgt FROM $tbl WHERE name = '" . $db->escapeString($name) . "'");
300	if (!list($lft, $rgt) = mysql_fetch_row($qid)) {
301	$app->logMsg(sprintf('Cannot delete nonexistant %s name: %s', $type, $name), LOG_WARNING, __FILE__, __LINE__);
302	return false;
303	}
304
305	// Remove node and all children of node.
306	$db->query("DELETE FROM $tbl WHERE lft BETWEEN $lft AND $rgt");
307	$num_deleted_nodes = mysql_affected_rows($db->getDBH());
308
309	// Update transversal numbers for all nodes to the rgt of $parent, taking in to account the absence of it's children.
310	$db->query("UPDATE $tbl SET lft = lft - ($rgt - $lft + 1) WHERE lft > $lft");
311	$db->query("UPDATE $tbl SET rgt = rgt - ($rgt - $lft + 1) WHERE rgt > $rgt");
312
313	$app->logMsg(sprintf('Removed %s node %s along with %s children.', $type, $name, $num_deleted_nodes), LOG_DEBUG, __FILE__, __LINE__);
314	return true;
315	}
316
317	// Alias functions for the different object types.
318	function removeUser($name, $parent=null)
319	{
320	return $this->remove($name, $parent, 'aro');
321	}
322	function removeAction($name, $parent=null)
323	{
324	return $this->remove($name, $parent, 'aco');
325	}
326	function removeObject($name, $parent=null)
327	{
328	return $this->remove($name, $parent, 'axo');
329	}
330
331	/*
332	*
333	*
334	* @access public
335	* @param
336	* @return
337	* @author Quinn Comendant <quinn@strangecode.com>
338	* @version 1.0
339	* @since 15 Jun 2006 01:58:48
340	*/
341	function grant($aro=null, $aco=null, $axo=null, $access='allow')
342	{
343	$app =& App::getInstance();
344	$db =& DB::getInstance();
345
346	$this->initDB();
347
348	// If any access objects are null, assume using root values.
349	$aro = is_null($aro) ? 'root' : $aro;
350	$aco = is_null($aco) ? 'root' : $aco;
351	$axo = is_null($axo) ? 'root' : $axo;
352
353	// Ensure values exist.
354	$qid = $db->query("SELECT aro_tbl.aro_id FROM aro_tbl WHERE aro_tbl.name = '" . $db->escapeString($aro) . "'");
355	if (!list($aro_id) = mysql_fetch_row($qid)) {
356	$app->logMsg(sprintf('Grant failed, aro_tbl.name %s does not exist.', $aro), LOG_WARNING, __FILE__, __LINE__);
357	return false;
358	}
359	$qid = $db->query("SELECT aco_tbl.aco_id FROM aco_tbl WHERE aco_tbl.name = '" . $db->escapeString($aco) . "'");
360	if (!list($aco_id) = mysql_fetch_row($qid)) {
361	$app->logMsg(sprintf('Grant failed, aco_tbl.name %s does not exist.', $aco), LOG_WARNING, __FILE__, __LINE__);
362	return false;
363	}
364	$qid = $db->query("SELECT axo_tbl.axo_id FROM axo_tbl WHERE axo_tbl.name = '" . $db->escapeString($axo) . "'");
365	if (!list($axo_id) = mysql_fetch_row($qid)) {
366	$app->logMsg(sprintf('Grant failed, axo_tbl.name %s does not exist.', $axo), LOG_WARNING, __FILE__, __LINE__);
367	return false;
368	}
369
370	// Access must be 'allow' or 'deny'.
371	$allow = 'allow' == $access ? 'allow' : 'deny';
372
373	$db->query("REPLACE INTO acl_tbl VALUES ('$aro_id', '$aco_id', '$axo_id', '$allow', NOW())");
374
375	return true;
376	}
377
378	/*
379	*
380	*
381	* @access public
382	* @param
383	* @return
384	* @author Quinn Comendant <quinn@strangecode.com>
385	* @version 1.0
386	* @since 15 Jun 2006 04:35:54
387	*/
388	function revoke($aro=null, $aco=null, $axo=null)
389	{
390	return $this->grant($aro, $aco, $axo, 'deny');
391	}
392
393	/*
394	*
395	*
396	* @access public
397	* @param
398	* @return
399	* @author Quinn Comendant <quinn@strangecode.com>
400	* @version 1.0
401	* @since 15 Jun 2006 03:58:23
402	*/
403	function check($aro, $aco=null, $axo=null)
404	{
405	$app =& App::getInstance();
406	$db =& DB::getInstance();
407
408	$this->initDB();
409
410	// If any access objects are null, assume using root values.
411	$aro = is_null($aro) ? 'root' : $aro;
412	$aco = is_null($aco) ? 'root' : $aco;
413	$axo = is_null($axo) ? 'root' : $axo;
414
415	$qid = $db->query("
416	SELECT acl_tbl.access
417	FROM acl_tbl
418	LEFT JOIN aro_tbl ON (acl_tbl.aro_id = aro_tbl.aro_id)
419	LEFT JOIN aco_tbl ON (acl_tbl.aco_id = aco_tbl.aco_id)
420	LEFT JOIN axo_tbl ON (acl_tbl.axo_id = axo_tbl.axo_id)
421	WHERE aro_tbl.lft <= (SELECT lft FROM aro_tbl WHERE name = '" . $db->escapeString($aro) . "')
422	AND aco_tbl.lft <= (SELECT lft FROM aco_tbl WHERE name = '" . $db->escapeString($aco) . "')
423	AND axo_tbl.lft <= (SELECT lft FROM axo_tbl WHERE name = '" . $db->escapeString($axo) . "')
424	ORDER BY aro_tbl.aro_id DESC, aco_tbl.aco_id DESC, axo_tbl.axo_id DESC
425	LIMIT 1
426	");
427	if (!list($access) = mysql_fetch_row($qid)) {
428	$app->logMsg(sprintf('Access denyed: %s -> %s -> %s. No records found.', $aro, $aco, $axo), LOG_DEBUG, __FILE__, __LINE__);
429	return false;
430	}
431
432	if ('allow' == $access) {
433	$app->logMsg(sprintf('Access granted: %s -> %s -> %s.', $aro, $aco, $axo), LOG_DEBUG, __FILE__, __LINE__);
434	return true;
435	} else {
436	$app->logMsg(sprintf('Access denyed: %s -> %s -> %s.', $aro, $aco, $axo), LOG_DEBUG, __FILE__, __LINE__);
437	return false;
438	}
439	}
440
441	} // End class.
442
443
444	?>

Note: See TracBrowser for help on using the repository browser.

Download in other formats: