Context Navigation

source: trunk/lib/ACL.inc.php @ 172

Last change on this file since 172 was 172, checked in by scdev, 18 years ago
Q - added caching to ACL, and flush command to acl.cli.php
File size: 16.1 KB

Line
1	<?php
2	/*
3	* ACL.inc.php
4	*
5	* Uses the ARO/ACO/AXO model of Access Control Lists.
6	* Includes a command-line tool for managing rights.
7	*
8	* Code by Strangecode :: www.strangecode.com :: This document contains copyrighted information.
9	* @author Quinn Comendant <quinn@strangecode.com>
10	* @version 1.0
11	* @since 14 Jun 2006 22:35:11
12	*/
13
14	require_once dirname(__FILE__) . '/Cache.inc.php';
15
16	class ACL {
17
18	// Configuration parameters for this object.
19	var $_params = array(
20
21	// If false nothing will be cached or retreived. Useful for testing realtime data requests.
22	'enable_cache' => true,
23
24	// Automatically create table and verify columns. Better set to false after site launch.
25	'create_table' => false,
26	);
27
28	/**
29	* Prefs constructor.
30	*/
31	function ACL()
32	{
33	$app =& App::getInstance();
34
35	// Configure the cache object.
36	$this->cache = new Cache('acl');
37	$this->cache->setParam(array('enabled' => true));
38
39	// Get create tables config from global context.
40	if (!is_null($app->getParam('db_create_tables'))) {
41	$this->setParam(array('create_table' => $app->getParam('db_create_tables')));
42	}
43	}
44
45	/**
46	* This method enforces the singleton pattern for this class.
47	*
48	* @return object Reference to the global ACL object.
49	* @access public
50	* @static
51	*/
52	function &getInstance()
53	{
54	static $instance = null;
55
56	if ($instance === null) {
57	$instance = new ACL();
58	}
59
60	return $instance;
61	}
62
63	/**
64	* Set (or overwrite existing) parameters by passing an array of new parameters.
65	*
66	* @access public
67	*
68	* @param array $params Array of parameters (key => val pairs).
69	*/
70	function setParam($params)
71	{
72	$app =& App::getInstance();
73
74	if (isset($params) && is_array($params)) {
75	// Merge new parameters with old overriding only those passed.
76	$this->_params = array_merge($this->_params, $params);
77	} else {
78	$app->logMsg(sprintf('Parameters are not an array: %s', $params), LOG_ERR, __FILE__, __LINE__);
79	}
80	}
81
82	/**
83	* Return the value of a parameter, if it exists.
84	*
85	* @access public
86	* @param string $param Which parameter to return.
87	* @return mixed Configured parameter value.
88	*/
89	function getParam($param)
90	{
91	$app =& App::getInstance();
92
93	if (isset($this->_params[$param])) {
94	return $this->_params[$param];
95	} else {
96	$app->logMsg(sprintf('Parameter is not set: %s', $param), LOG_DEBUG, __FILE__, __LINE__);
97	return null;
98	}
99	}
100
101	/**
102	* Setup the database table for this class.
103	*
104	* @access public
105	* @author Quinn Comendant <quinn@strangecode.com>
106	* @since 04 Jun 2006 16:41:42
107	*/
108	function initDB($recreate_db=false)
109	{
110	$app =& App::getInstance();
111	$db =& DB::getInstance();
112
113	static $_db_tested = false;
114
115	if ($recreate_db \|\| !$_db_tested && $this->getParam('create_table')) {
116
117	if ($recreate_db) {
118	$db->query("DROP TABLE IF EXISTS acl_tbl");
119	$db->query("DROP TABLE IF EXISTS aro_tbl");
120	$db->query("DROP TABLE IF EXISTS aco_tbl");
121	$db->query("DROP TABLE IF EXISTS axo_tbl");
122	$app->logMsg(sprintf('Dropping and recreating tables acl_tbl, aro_tbl, aco_tbl, axo_tbl.', null), LOG_DEBUG, __FILE__, __LINE__);
123	}
124
125	// acl_tbl
126	$db->query("CREATE TABLE IF NOT EXISTS acl_tbl (
127	aro_id SMALLINT(11) UNSIGNED NOT NULL DEFAULT '0',
128	aco_id SMALLINT(11) UNSIGNED NOT NULL DEFAULT '0',
129	axo_id SMALLINT(11) UNSIGNED NOT NULL DEFAULT '0',
130	access ENUM('allow', 'deny') DEFAULT NULL,
131	added_datetime DATETIME NOT NULL DEFAULT '0000-00-00 00:00:00',
132	UNIQUE KEY (aro_id, aco_id, axo_id),
133	KEY (access)
134	) ENGINE=MyISAM
135	");
136	if (!$db->columnExists('acl_tbl', array(
137	'aro_id',
138	'aco_id',
139	'axo_id',
140	'access',
141	'added_datetime',
142	), false, false)) {
143	$app->logMsg(sprintf('Database table acl_tbl has invalid columns. Please update this table manually.', null), LOG_ALERT, __FILE__, __LINE__);
144	trigger_error(sprintf('Database table acl_tbl has invalid columns. Please update this table manually.', null), E_USER_ERROR);
145	}
146
147	// The tuples of objects.
148	foreach (array('aro', 'aco', 'axo') as $a_o) {
149	// Each of these uses Modified Preorder Tree Traversal to maintain a tree-structure in a flat format.
150	// See: http://www.sitepoint.com/print/hierarchical-data-database
151	$db->query("CREATE TABLE IF NOT EXISTS {$a_o}_tbl (
152	{$a_o}_id SMALLINT UNSIGNED NOT NULL PRIMARY KEY AUTO_INCREMENT,
153	name VARCHAR(32) NOT NULL DEFAULT '',
154	lft MEDIUMINT(9) UNSIGNED NOT NULL DEFAULT '0',
155	rgt MEDIUMINT(9) UNSIGNED NOT NULL DEFAULT '0',
156	added_datetime DATETIME NOT NULL DEFAULT '0000-00-00 00:00:00',
157	UNIQUE name (name),
158	KEY transversal (lft, rgt)
159	) ENGINE=MyISAM;
160	");
161
162	$qid = $db->query("SELECT 1 FROM {$a_o}_tbl WHERE name = 'root'");
163	if (mysql_num_rows($qid) == 0) {
164	// Insert root node data.
165	$qid = $db->query("REPLACE INTO {$a_o}_tbl (name, lft, rgt, added_datetime) VALUES ('root', 1, 2, NOW())");
166	}
167
168	if (!$db->columnExists("{$a_o}_tbl", array(
169	"{$a_o}_id",
170	'name',
171	'lft',
172	'rgt',
173	'added_datetime',
174	), false, false)) {
175	$app->logMsg(sprintf('Database table %s has invalid columns. Please update this table manually.', "{$a_o}_tbl"), LOG_ALERT, __FILE__, __LINE__);
176	trigger_error(sprintf('Database table %s has invalid columns. Please update this table manually.', "{$a_o}_tbl"), E_USER_ERROR);
177	}
178	}
179	}
180	$_db_tested = true;
181	return true;
182	}
183
184	/*
185	*
186	*
187	* @access public
188	* @param
189	* @return
190	* @author Quinn Comendant <quinn@strangecode.com>
191	* @version 1.0
192	* @since 14 Jun 2006 22:39:29
193	*/
194	function add($name, $parent=null, $type)
195	{
196	$app =& App::getInstance();
197	$db =& DB::getInstance();
198
199	$this->initDB();
200
201	switch ($type) {
202	case 'aro' :
203	$tbl = 'aro_tbl';
204	break;
205	case 'aco' :
206	$tbl = 'aco_tbl';
207	break;
208	case 'axo' :
209	$tbl = 'axo_tbl';
210	break;
211	default :
212	$app->logMsg(sprintf('Invalid access object type: %s', $type), LOG_ERR, __FILE__, __LINE__);
213	return false;
214	break;
215	}
216
217	// If $parent is null, use root object.
218	if (is_null($parent)) {
219	$parent = 'root';
220	}
221
222	// Ensure node and parent name aren't empty.
223	if ('' == trim($name) \|\| '' == trim($parent)) {
224	$app->logMsg(sprintf('Cannot add node, parent (%s) or name (%s) missing.', $name, $parent), LOG_WARNING, __FILE__, __LINE__);
225	return false;
226	}
227
228	// Ensure node is unique.
229	$qid = $db->query("SELECT 1 FROM $tbl WHERE name = '" . $db->escapeString($name) . "'");
230	if (mysql_num_rows($qid) > 0) {
231	$app->logMsg(sprintf('Cannot add %s node, already exists: %s', $type, $name), LOG_NOTICE, __FILE__, __LINE__);
232	return false;
233	}
234
235	// Select the rgt of $parent.
236	$qid = $db->query("SELECT rgt FROM $tbl WHERE name = '" . $db->escapeString($parent) . "'");
237	if (!list($rgt) = mysql_fetch_row($qid)) {
238	$app->logMsg(sprintf('Cannot add %s node to nonexistant parent: %s', $type, $parent), LOG_WARNING, __FILE__, __LINE__);
239	return false;
240	}
241	// Update transversal numbers for all nodes to the rgt of $parent.
242	$db->query("UPDATE $tbl SET lft = lft + 2 WHERE lft >= $rgt");
243	$db->query("UPDATE $tbl SET rgt = rgt + 2 WHERE rgt >= $rgt");
244
245	// Insert new node just below parent. Lft is parent's old rgt.
246	$db->query("
247	INSERT INTO $tbl (name, lft, rgt, added_datetime)
248	VALUES ('" . $db->escapeString($name) . "', $rgt, $rgt + 1, NOW())
249	");
250
251	$app->logMsg(sprintf('Added %s node %s to parent %s.', $type, $name, $parent), LOG_DEBUG, __FILE__, __LINE__);
252	return mysql_insert_id($db->getDBH());
253	}
254
255	// Alias functions for the different object types.
256	function addARO($name, $parent=null)
257	{
258	return $this->add($name, $parent, 'aro');
259	}
260	function addACO($name, $parent=null)
261	{
262	return $this->add($name, $parent, 'aco');
263	}
264	function addAXO($name, $parent=null)
265	{
266	return $this->add($name, $parent, 'axo');
267	}
268
269	/*
270	*
271	*
272	* @access public
273	* @param
274	* @return
275	* @author Quinn Comendant <quinn@strangecode.com>
276	* @version 1.0
277	* @since 14 Jun 2006 22:39:29
278	*/
279	function remove($name, $type)
280	{
281	$app =& App::getInstance();
282	$db =& DB::getInstance();
283
284	$this->initDB();
285
286	switch ($type) {
287	case 'aro' :
288	$tbl = 'aro_tbl';
289	break;
290	case 'aco' :
291	$tbl = 'aco_tbl';
292	break;
293	case 'axo' :
294	$tbl = 'axo_tbl';
295	break;
296	default :
297	$app->logMsg(sprintf('Invalid access object type: %s', $type), LOG_ERR, __FILE__, __LINE__);
298	return false;
299	break;
300	}
301
302	// Ensure node name isn't empty.
303	if ('' == trim($name)) {
304	$app->logMsg(sprintf('Cannot add node, name missing.', null), LOG_WARNING, __FILE__, __LINE__);
305	return false;
306	}
307
308	// Select the lft of $name
309	$qid = $db->query("SELECT lft, rgt FROM $tbl WHERE name = '" . $db->escapeString($name) . "'");
310	if (!list($lft, $rgt) = mysql_fetch_row($qid)) {
311	$app->logMsg(sprintf('Cannot delete nonexistant %s name: %s', $type, $name), LOG_NOTICE, __FILE__, __LINE__);
312	return false;
313	}
314
315	// Remove node and all children of node.
316	$db->query("DELETE FROM $tbl WHERE lft BETWEEN $lft AND $rgt");
317	$num_deleted_nodes = mysql_affected_rows($db->getDBH());
318
319	// Update transversal numbers for all nodes to the rgt of $parent, taking in to account the absence of it's children.
320	$db->query("UPDATE $tbl SET lft = lft - ($rgt - $lft + 1) WHERE lft > $lft");
321	$db->query("UPDATE $tbl SET rgt = rgt - ($rgt - $lft + 1) WHERE rgt > $rgt");
322
323	$app->logMsg(sprintf('Removed %s node %s along with %s children.', $type, $name, $num_deleted_nodes), LOG_DEBUG, __FILE__, __LINE__);
324	return true;
325	}
326
327	// Alias functions for the different object types.
328	function removeUser($name, $parent=null)
329	{
330	return $this->remove($name, $parent, 'aro');
331	}
332	function removeAction($name, $parent=null)
333	{
334	return $this->remove($name, $parent, 'aco');
335	}
336	function removeObject($name, $parent=null)
337	{
338	return $this->remove($name, $parent, 'axo');
339	}
340
341	/*
342	*
343	*
344	* @access public
345	* @param
346	* @return
347	* @author Quinn Comendant <quinn@strangecode.com>
348	* @version 1.0
349	* @since 15 Jun 2006 01:58:48
350	*/
351	function grant($aro=null, $aco=null, $axo=null, $access='allow')
352	{
353	$app =& App::getInstance();
354	$db =& DB::getInstance();
355
356	$this->initDB();
357
358	// If any access objects are null, assume using root values.
359	$aro = is_null($aro) ? 'root' : $aro;
360	$aco = is_null($aco) ? 'root' : $aco;
361	$axo = is_null($axo) ? 'root' : $axo;
362
363	// Ensure values exist.
364	$qid = $db->query("SELECT aro_tbl.aro_id FROM aro_tbl WHERE aro_tbl.name = '" . $db->escapeString($aro) . "'");
365	if (!list($aro_id) = mysql_fetch_row($qid)) {
366	$app->logMsg(sprintf('Grant failed, aro_tbl.name %s does not exist.', $aro), LOG_WARNING, __FILE__, __LINE__);
367	return false;
368	}
369	$qid = $db->query("SELECT aco_tbl.aco_id FROM aco_tbl WHERE aco_tbl.name = '" . $db->escapeString($aco) . "'");
370	if (!list($aco_id) = mysql_fetch_row($qid)) {
371	$app->logMsg(sprintf('Grant failed, aco_tbl.name %s does not exist.', $aco), LOG_WARNING, __FILE__, __LINE__);
372	return false;
373	}
374	$qid = $db->query("SELECT axo_tbl.axo_id FROM axo_tbl WHERE axo_tbl.name = '" . $db->escapeString($axo) . "'");
375	if (!list($axo_id) = mysql_fetch_row($qid)) {
376	$app->logMsg(sprintf('Grant failed, axo_tbl.name %s does not exist.', $axo), LOG_WARNING, __FILE__, __LINE__);
377	return false;
378	}
379
380	// Access must be 'allow' or 'deny'.
381	$allow = 'allow' == $access ? 'allow' : 'deny';
382
383	$db->query("REPLACE INTO acl_tbl VALUES ('$aro_id', '$aco_id', '$axo_id', '$allow', NOW())");
384
385	return true;
386	}
387
388	/*
389	*
390	*
391	* @access public
392	* @param
393	* @return
394	* @author Quinn Comendant <quinn@strangecode.com>
395	* @version 1.0
396	* @since 15 Jun 2006 04:35:54
397	*/
398	function revoke($aro=null, $aco=null, $axo=null)
399	{
400	return $this->grant($aro, $aco, $axo, 'deny');
401	}
402
403	/*
404	*
405	*
406	* @access public
407	* @param
408	* @return
409	* @author Quinn Comendant <quinn@strangecode.com>
410	* @version 1.0
411	* @since 15 Jun 2006 03:58:23
412	*/
413	function check($aro, $aco=null, $axo=null)
414	{
415	$app =& App::getInstance();
416	$db =& DB::getInstance();
417
418	$this->initDB();
419
420	// If any access objects are null, assume using root values.
421	$aro = is_null($aro) ? 'root' : $aro;
422	$aco = is_null($aco) ? 'root' : $aco;
423	$axo = is_null($axo) ? 'root' : $axo;
424
425	$cache_hash = $aro . '\|' . $aco . '\|' . $axo;
426	if ($this->cache->exists($cache_hash) && true === $this->getParam('enable_cache')) {
427	// Access value is cached.
428	$access = $this->cache->get($cache_hash);
429	} else {
430	// Retreive access value from db.
431	$qid = $db->query("
432	SELECT acl_tbl.access
433	FROM acl_tbl
434	LEFT JOIN aro_tbl ON (acl_tbl.aro_id = aro_tbl.aro_id)
435	LEFT JOIN aco_tbl ON (acl_tbl.aco_id = aco_tbl.aco_id)
436	LEFT JOIN axo_tbl ON (acl_tbl.axo_id = axo_tbl.axo_id)
437	WHERE aro_tbl.lft <= (SELECT lft FROM aro_tbl WHERE name = '" . $db->escapeString($aro) . "')
438	AND aco_tbl.lft <= (SELECT lft FROM aco_tbl WHERE name = '" . $db->escapeString($aco) . "')
439	AND axo_tbl.lft <= (SELECT lft FROM axo_tbl WHERE name = '" . $db->escapeString($axo) . "')
440	ORDER BY aro_tbl.aro_id DESC, aco_tbl.aco_id DESC, axo_tbl.axo_id DESC
441	LIMIT 1
442	");
443	if (!list($access) = mysql_fetch_row($qid)) {
444	$app->logMsg(sprintf('Access denyed: %s -> %s -> %s. No records found.', $aro, $aco, $axo), LOG_DEBUG, __FILE__, __LINE__);
445	return false;
446	}
447	$this->cache->set($cache_hash, $access);
448	}
449
450	if ('allow' == $access) {
451	$app->logMsg(sprintf('Access granted: %s -> %s -> %s.', $aro, $aco, $axo), LOG_DEBUG, __FILE__, __LINE__);
452	return true;
453	} else {
454	$app->logMsg(sprintf('Access denyed: %s -> %s -> %s.', $aro, $aco, $axo), LOG_DEBUG, __FILE__, __LINE__);
455	return false;
456	}
457	}
458
459	} // End class.
460
461
462	?>

Note: See TracBrowser for help on using the repository browser.

Download in other formats: