Context Navigation

source: trunk/lib/ACL.inc.php @ 247

Last change on this file since 247 was 247, checked in by quinn, 17 years ago
Converted all string functions to multi-byte (mb_*) functions
File size: 27.3 KB

Line
1	<?php
2	/*
3	* ACL.inc.php
4	*
5	* Uses the ARO/ACO/AXO model of Access Control Lists.
6	* Uses Modified Preorder Tree Traversal to maintain a tree-structure.
7	* See: http://www.sitepoint.com/print/hierarchical-data-database
8	* Includes a command-line tool for managing rights (codebase/bin/acl.cli.php).
9	*
10	* Code by Strangecode :: www.strangecode.com :: This document contains copyrighted information.
11	* @author Quinn Comendant <quinn@strangecode.com>
12	* @version 1.0
13	* @since 14 Jun 2006 22:35:11
14	*/
15
16	require_once dirname(__FILE__) . '/Cache.inc.php';
17
18	class ACL {
19
20	// Configuration parameters for this object.
21	var $_params = array(
22
23	// If false nothing will be cached or retreived. Useful for testing realtime data requests.
24	'enable_cache' => true,
25
26	// Automatically create table and verify columns. Better set to false after site launch.
27	'create_table' => false,
28	);
29
30	/**
31	* Constructor.
32	*/
33	function ACL()
34	{
35	$app =& App::getInstance();
36
37	// Configure the cache object.
38	$this->cache = new Cache('acl');
39	$this->cache->setParam(array('enabled' => true));
40
41	// Get create tables config from global context.
42	if (!is_null($app->getParam('db_create_tables'))) {
43	$this->setParam(array('create_table' => $app->getParam('db_create_tables')));
44	}
45	}
46
47	/**
48	* This method enforces the singleton pattern for this class.
49	*
50	* @return object Reference to the global ACL object.
51	* @access public
52	* @static
53	*/
54	function &getInstance()
55	{
56	static $instance = null;
57
58	if ($instance === null) {
59	$instance = new ACL();
60	}
61
62	return $instance;
63	}
64
65	/**
66	* Set (or overwrite existing) parameters by passing an array of new parameters.
67	*
68	* @access public
69	*
70	* @param array $params Array of parameters (key => val pairs).
71	*/
72	function setParam($params)
73	{
74	$app =& App::getInstance();
75
76	if (isset($params) && is_array($params)) {
77	// Merge new parameters with old overriding only those passed.
78	$this->_params = array_merge($this->_params, $params);
79	} else {
80	$app->logMsg(sprintf('Parameters are not an array: %s', $params), LOG_ERR, __FILE__, __LINE__);
81	}
82	}
83
84	/**
85	* Return the value of a parameter, if it exists.
86	*
87	* @access public
88	* @param string $param Which parameter to return.
89	* @return mixed Configured parameter value.
90	*/
91	function getParam($param)
92	{
93	$app =& App::getInstance();
94
95	if (isset($this->_params[$param])) {
96	return $this->_params[$param];
97	} else {
98	$app->logMsg(sprintf('Parameter is not set: %s', $param), LOG_DEBUG, __FILE__, __LINE__);
99	return null;
100	}
101	}
102
103	/**
104	* Setup the database tables for this class.
105	*
106	* @access public
107	* @author Quinn Comendant <quinn@strangecode.com>
108	* @since 04 Jun 2006 16:41:42
109	*/
110	function initDB($recreate_db=false)
111	{
112	$app =& App::getInstance();
113	$db =& DB::getInstance();
114
115	static $_db_tested = false;
116
117	if ($recreate_db \|\| !$_db_tested && $this->getParam('create_table')) {
118
119	if ($recreate_db) {
120	$db->query("DROP TABLE IF EXISTS acl_tbl");
121	$db->query("DROP TABLE IF EXISTS aro_tbl");
122	$db->query("DROP TABLE IF EXISTS aco_tbl");
123	$db->query("DROP TABLE IF EXISTS axo_tbl");
124	$app->logMsg(sprintf('Dropping and recreating tables acl_tbl, aro_tbl, aco_tbl, axo_tbl.', null), LOG_INFO, __FILE__, __LINE__);
125	}
126
127	// acl_tbl
128	$db->query("
129	CREATE TABLE IF NOT EXISTS acl_tbl (
130	aro_id SMALLINT(11) UNSIGNED NOT NULL DEFAULT '0',
131	aco_id SMALLINT(11) UNSIGNED NOT NULL DEFAULT '0',
132	axo_id SMALLINT(11) UNSIGNED NOT NULL DEFAULT '0',
133	access ENUM('allow', 'deny') DEFAULT NULL,
134	added_datetime DATETIME NOT NULL DEFAULT '0000-00-00 00:00:00',
135	UNIQUE KEY (aro_id, aco_id, axo_id),
136	KEY (access)
137	) ENGINE=MyISAM
138	");
139	if (!$db->columnExists('acl_tbl', array(
140	'aro_id',
141	'aco_id',
142	'axo_id',
143	'access',
144	'added_datetime',
145	), false, false)) {
146	$app->logMsg(sprintf('Database table acl_tbl has invalid columns. Please update this table manually.', null), LOG_ALERT, __FILE__, __LINE__);
147	trigger_error(sprintf('Database table acl_tbl has invalid columns. Please update this table manually.', null), E_USER_ERROR);
148	} else {
149	// Insert root node data if nonexistant, dely all by default.
150	$qid = $db->query("SELECT 1 FROM acl_tbl");
151	if (mysql_num_rows($qid) == 0) {
152	$qid = $db->query("REPLACE INTO acl_tbl VALUES ('1', '1', '1', 'deny', NOW())");
153	}
154	}
155
156	// aro_tbl, aco_tbl, axo_tbl
157	foreach (array('aro', 'aco', 'axo') as $a_o) {
158	$db->query("
159	CREATE TABLE IF NOT EXISTS {$a_o}_tbl (
160	{$a_o}_id SMALLINT UNSIGNED NOT NULL PRIMARY KEY AUTO_INCREMENT,
161	name VARCHAR(32) NOT NULL DEFAULT '',
162	lft MEDIUMINT(9) UNSIGNED NOT NULL DEFAULT '0',
163	rgt MEDIUMINT(9) UNSIGNED NOT NULL DEFAULT '0',
164	added_datetime DATETIME NOT NULL DEFAULT '0000-00-00 00:00:00',
165	UNIQUE KEY name (name(15)),
166	KEY transversal (lft, rgt)
167	) ENGINE=MyISAM;
168	");
169
170	if (!$db->columnExists("{$a_o}_tbl", array(
171	"{$a_o}_id",
172	'name',
173	'lft',
174	'rgt',
175	'added_datetime',
176	), false, false)) {
177	$app->logMsg(sprintf('Database table %s has invalid columns. Please update this table manually.', "{$a_o}_tbl"), LOG_ALERT, __FILE__, __LINE__);
178	trigger_error(sprintf('Database table %s has invalid columns. Please update this table manually.', "{$a_o}_tbl"), E_USER_ERROR);
179	} else {
180	// Insert root node data if nonexistant.
181	$qid = $db->query("SELECT 1 FROM {$a_o}_tbl WHERE name = 'root'");
182	if (mysql_num_rows($qid) == 0) {
183	$qid = $db->query("REPLACE INTO {$a_o}_tbl (name, lft, rgt, added_datetime) VALUES ('root', 1, 2, NOW())");
184	}
185	}
186
187	}
188	}
189	$_db_tested = true;
190	return true;
191	}
192
193	/*
194	* Add a node to one of the aro/aco/axo tables.
195	*
196	* @access public
197	* @param string $name A unique identifier for the new node.
198	* @param string $parent The name of the parent under-which to attach the new node.
199	* @param string $type The tree to add to, one of: aro, aco, axo.
200	* @return bool \| int False on error, or the last_insert_id primary key of the new node.
201	* @author Quinn Comendant <quinn@strangecode.com>
202	* @version 1.0
203	* @since 14 Jun 2006 22:39:29
204	*/
205	function add($name, $parent=null, $type)
206	{
207	$app =& App::getInstance();
208	$db =& DB::getInstance();
209
210	$this->initDB();
211
212	switch ($type) {
213	case 'aro' :
214	$tbl = 'aro_tbl';
215	break;
216	case 'aco' :
217	$tbl = 'aco_tbl';
218	break;
219	case 'axo' :
220	$tbl = 'axo_tbl';
221	break;
222	default :
223	$app->logMsg(sprintf('Invalid access object type: %s', $type), LOG_ERR, __FILE__, __LINE__);
224	return false;
225	break;
226	}
227
228	// If $parent is null, use root object.
229	if (is_null($parent)) {
230	$parent = 'root';
231	}
232
233	// Ensure node and parent name aren't empty.
234	if ('' == trim($name) \|\| '' == trim($parent)) {
235	$app->logMsg(sprintf('Cannot add node, parent (%s) or name (%s) missing.', $name, $parent), LOG_WARNING, __FILE__, __LINE__);
236	return false;
237	}
238
239	// Ensure node is unique.
240	$qid = $db->query("SELECT 1 FROM $tbl WHERE name = '" . $db->escapeString($name) . "'");
241	if (mysql_num_rows($qid) > 0) {
242	$app->logMsg(sprintf('Cannot add %s node, already exists: %s', $type, $name), LOG_NOTICE, __FILE__, __LINE__);
243	return false;
244	}
245
246	// Select the rgt of $parent.
247	$qid = $db->query("SELECT rgt FROM $tbl WHERE name = '" . $db->escapeString($parent) . "'");
248	if (!list($parent_rgt) = mysql_fetch_row($qid)) {
249	$app->logMsg(sprintf('Cannot add %s node to nonexistant parent: %s', $type, $parent), LOG_WARNING, __FILE__, __LINE__);
250	return false;
251	}
252
253	// Update transversal numbers for all nodes to the rgt of $parent.
254	$db->query("UPDATE $tbl SET lft = lft + 2 WHERE lft >= $parent_rgt");
255	$db->query("UPDATE $tbl SET rgt = rgt + 2 WHERE rgt >= $parent_rgt");
256
257	// Insert new node just below parent. Lft is parent's old rgt.
258	$db->query("
259	INSERT INTO $tbl (name, lft, rgt, added_datetime)
260	VALUES ('" . $db->escapeString($name) . "', $parent_rgt, $parent_rgt + 1, NOW())
261	");
262
263	$app->logMsg(sprintf('Added %s node %s to parent %s.', $type, $name, $parent), LOG_INFO, __FILE__, __LINE__);
264	return mysql_insert_id($db->getDBH());
265	}
266
267	// Alias functions for the different object types.
268	function addRequestObject($name, $parent=null)
269	{
270	return $this->add($name, $parent, 'aro');
271	}
272	function addControlObject($name, $parent=null)
273	{
274	return $this->add($name, $parent, 'aco');
275	}
276	function addXtraObject($name, $parent=null)
277	{
278	return $this->add($name, $parent, 'axo');
279	}
280
281	/*
282	* Remove a node from one of the aro/aco/axo tables.
283	*
284	* @access public
285	* @param string $name The identifier for the node to remove.
286	* @param string $type The tree to modify, one of: aro, aco, axo.
287	* @return bool \| int False on error, or true on success.
288	* @author Quinn Comendant <quinn@strangecode.com>
289	* @version 1.0
290	* @since 14 Jun 2006 22:39:29
291	*/
292	function remove($name, $type)
293	{
294	$app =& App::getInstance();
295	$db =& DB::getInstance();
296
297	$this->initDB();
298
299	switch ($type) {
300	case 'aro' :
301	$tbl = 'aro_tbl';
302	$primary_key = 'aro_id';
303	break;
304	case 'aco' :
305	$tbl = 'aco_tbl';
306	$primary_key = 'aco_id';
307	break;
308	case 'axo' :
309	$tbl = 'axo_tbl';
310	$primary_key = 'axo_id';
311	break;
312	default :
313	$app->logMsg(sprintf('Invalid access object type: %s', $type), LOG_ERR, __FILE__, __LINE__);
314	return false;
315	break;
316	}
317
318	// Ensure node name isn't empty.
319	if ('' == trim($name)) {
320	$app->logMsg(sprintf('Cannot add node, name missing.', null), LOG_WARNING, __FILE__, __LINE__);
321	return false;
322	}
323
324	// Select the lft and rgt of $name to use for selecting children and reordering transversals.
325	$qid = $db->query("SELECT lft, rgt FROM $tbl WHERE name = '" . $db->escapeString($name) . "'");
326	if (!list($lft, $rgt) = mysql_fetch_row($qid)) {
327	$app->logMsg(sprintf('Cannot delete nonexistant %s name: %s', $type, $name), LOG_NOTICE, __FILE__, __LINE__);
328	return false;
329	}
330
331	// Remove node and all children of node, as well as acl_tbl links.
332	$db->query("
333	DELETE $tbl, acl_tbl
334	FROM $tbl
335	LEFT JOIN acl_tbl ON ($tbl.$primary_key = acl_tbl.$primary_key)
336	WHERE $tbl.lft BETWEEN $lft AND $rgt
337	");
338	$num_deleted_nodes = mysql_affected_rows($db->getDBH());
339
340	// Update transversal numbers for all nodes to the rgt of $parent, taking in to account the absence of it's children.
341	$db->query("UPDATE $tbl SET lft = lft - ($rgt - $lft + 1) WHERE lft > $lft");
342	$db->query("UPDATE $tbl SET rgt = rgt - ($rgt - $lft + 1) WHERE rgt > $rgt");
343
344	$app->logMsg(sprintf('Removed %s node %s along with %s children.', $type, $name, $num_deleted_nodes - 1), LOG_INFO, __FILE__, __LINE__);
345	return true;
346	}
347
348	// Alias functions for the different object types.
349	function removeRequestObject($name)
350	{
351	return $this->remove($name, 'aro');
352	}
353	function removeControlObject($name)
354	{
355	return $this->remove($name, 'aco');
356	}
357	function removeXtraObject($name)
358	{
359	return $this->remove($name, 'axo');
360	}
361
362	/*
363	* Move a node to a new parent in one of the aro/aco/axo tables.
364	*
365	* @access public
366	* @param string $name The identifier for the node to remove.
367	* @param string $new_parent The name of the parent under-which to attach the new node.
368	* @param string $type The tree to modify, one of: aro, aco, axo.
369	* @return bool \| int False on error, or the last_insert_id primary key of the new node.
370	* @author Quinn Comendant <quinn@strangecode.com>
371	* @version 1.0
372	* @since 14 Jun 2006 22:39:29
373	*/
374	function move($name, $new_parent, $type)
375	{
376	$app =& App::getInstance();
377	$db =& DB::getInstance();
378
379	$this->initDB();
380
381	switch ($type) {
382	case 'aro' :
383	$tbl = 'aro_tbl';
384	$primary_key = 'aro_id';
385	break;
386	case 'aco' :
387	$tbl = 'aco_tbl';
388	$primary_key = 'aco_id';
389	break;
390	case 'axo' :
391	$tbl = 'axo_tbl';
392	$primary_key = 'axo_id';
393	break;
394	default :
395	$app->logMsg(sprintf('Invalid access object type: %s', $type), LOG_ERR, __FILE__, __LINE__);
396	return false;
397	break;
398	}
399
400	// If $new_parent is null, use root object.
401	if (is_null($new_parent)) {
402	$new_parent = 'root';
403	}
404
405	// Ensure node and parent name aren't empty.
406	if ('' == trim($name) \|\| '' == trim($new_parent)) {
407	$app->logMsg(sprintf('Cannot add node, parent (%s) or name (%s) missing.', $name, $new_parent), LOG_WARNING, __FILE__, __LINE__);
408	return false;
409	}
410
411	// Select the lft and rgt of $name to use for selecting children and reordering transversals.
412	$qid = $db->query("SELECT lft, rgt FROM $tbl WHERE name = '" . $db->escapeString($name) . "'");
413	if (!list($lft, $rgt) = mysql_fetch_row($qid)) {
414	$app->logMsg(sprintf('Cannot move nonexistant %s name: %s', $type, $name), LOG_NOTICE, __FILE__, __LINE__);
415	return false;
416	}
417
418	// Total number of transversal values (that is, the count of self plus all children times two).
419	$total_transversal_value = ($rgt - $lft + 1);
420
421	// Select the rgt of the new parent.
422	$qid = $db->query("SELECT rgt FROM $tbl WHERE name = '" . $db->escapeString($new_parent) . "'");
423	if (!list($new_parent_rgt) = mysql_fetch_row($qid)) {
424	$app->logMsg(sprintf('Cannot move %s node to nonexistant parent: %s', $type, $new_parent), LOG_WARNING, __FILE__, __LINE__);
425	return false;
426	}
427
428	// Ensure the new parent is not a child of the node being moved.
429	if ($new_parent_rgt <= $rgt && $new_parent_rgt >= $lft) {
430	$app->logMsg(sprintf('Cannot move %s node %s to parent %s because it is a child of itself.', $type, $name, $new_parent), LOG_WARNING, __FILE__, __LINE__);
431	return false;
432	}
433
434	// Collect unique ids of all nodes being moved. The transversal numbers will become duplicated so these will be needed to identify these.
435	$qid = $db->query("
436	SELECT $primary_key
437	FROM $tbl
438	WHERE lft BETWEEN $lft AND $rgt
439	AND rgt BETWEEN $lft AND $rgt
440	");
441	$ids = array();
442	while (list($id) = mysql_fetch_row($qid)) {
443	$ids[] = $id;
444	}
445
446	// Update transversal numbers for all nodes to the rgt of the node being moved, taking in to account the absence of it's children.
447	// This will temporarily "remove" the node from the tree, and its transversal values will be duplicated.
448	$db->query("UPDATE $tbl SET lft = lft - $total_transversal_value WHERE lft > $rgt");
449	$db->query("UPDATE $tbl SET rgt = rgt - $total_transversal_value WHERE rgt > $rgt");
450
451	// Apply transformation to new parent rgt also.
452	$new_parent_rgt = $new_parent_rgt > $rgt ? $new_parent_rgt - $total_transversal_value : $new_parent_rgt;
453
454	// Update transversal values of moved node and children.
455	$db->query("
456	UPDATE $tbl SET
457	lft = lft - ($lft - $new_parent_rgt),
458	rgt = rgt - ($lft - $new_parent_rgt)
459	WHERE $primary_key IN ('" . join("','", $ids) . "')
460	");
461
462	// Update transversal values of all nodes to the rgt of moved node.
463	$db->query("UPDATE $tbl SET lft = lft + $total_transversal_value WHERE lft >= $new_parent_rgt AND $primary_key NOT IN ('" . join("','", $ids) . "')");
464	$db->query("UPDATE $tbl SET rgt = rgt + $total_transversal_value WHERE rgt >= $new_parent_rgt AND $primary_key NOT IN ('" . join("','", $ids) . "')");
465
466	$app->logMsg(sprintf('Moved %s node %s to new parent %s.', $type, $name, $new_parent), LOG_INFO, __FILE__, __LINE__);
467	return true;
468	}
469
470	// Alias functions for the different object types.
471	function moveRequestObject($name, $new_parent=null)
472	{
473	return $this->move($name, $new_parent, 'aro');
474	}
475	function moveControlObject($name, $new_parent=null)
476	{
477	return $this->move($name, $new_parent, 'aco');
478	}
479	function moveXtraObject($name, $new_parent=null)
480	{
481	return $this->move($name, $new_parent, 'axo');
482	}
483
484	/*
485	* Add an entry to the acl_tbl to allow (or deny) a truple with the specified
486	* ARO -> ACO -> AXO entry.
487	*
488	* @access public
489	* @param string\|null $aro Identifier of an existing ARO object (or null to use root).
490	* @param string\|null $aco Identifier of an existing ACO object (or null to use root).
491	* @param string\|null $axo Identifier of an existing AXO object (or null to use root).
492	* @return bool False on error, true on success.
493	* @author Quinn Comendant <quinn@strangecode.com>
494	* @version 1.0
495	* @since 15 Jun 2006 01:58:48
496	*/
497	function grant($aro=null, $aco=null, $axo=null, $access='allow')
498	{
499	$app =& App::getInstance();
500	$db =& DB::getInstance();
501
502	$this->initDB();
503
504	// If any access objects are null, assume using root values.
505	// However if they're empty we don't want to escalate the grant command to root!
506	$aro = is_null($aro) ? 'root' : $aro;
507	$aco = is_null($aco) ? 'root' : $aco;
508	$axo = is_null($axo) ? 'root' : $axo;
509
510	// Flush old cached values.
511	$cache_hash = $aro . '\|' . $aco . '\|' . $axo;
512	$this->cache->delete($cache_hash);
513
514	// Ensure values exist.
515	$qid = $db->query("SELECT aro_tbl.aro_id FROM aro_tbl WHERE aro_tbl.name = '" . $db->escapeString($aro) . "'");
516	if (!list($aro_id) = mysql_fetch_row($qid)) {
517	$app->logMsg(sprintf('Grant failed, aro_tbl.name %s does not exist.', $aro), LOG_WARNING, __FILE__, __LINE__);
518	return false;
519	}
520	$qid = $db->query("SELECT aco_tbl.aco_id FROM aco_tbl WHERE aco_tbl.name = '" . $db->escapeString($aco) . "'");
521	if (!list($aco_id) = mysql_fetch_row($qid)) {
522	$app->logMsg(sprintf('Grant failed, aco_tbl.name %s does not exist.', $aco), LOG_WARNING, __FILE__, __LINE__);
523	return false;
524	}
525	$qid = $db->query("SELECT axo_tbl.axo_id FROM axo_tbl WHERE axo_tbl.name = '" . $db->escapeString($axo) . "'");
526	if (!list($axo_id) = mysql_fetch_row($qid)) {
527	$app->logMsg(sprintf('Grant failed, axo_tbl.name %s does not exist.', $axo), LOG_WARNING, __FILE__, __LINE__);
528	return false;
529	}
530
531	// Access must be 'allow' or 'deny'.
532	$allow = 'allow' == $access ? 'allow' : 'deny';
533
534	$db->query("REPLACE INTO acl_tbl VALUES ('$aro_id', '$aco_id', '$axo_id', '$allow', NOW())");
535	$app->logMsg(sprintf('Set %s: %s -> %s -> %s.', $allow, $aro, $aco, $axo), LOG_INFO, __FILE__, __LINE__);
536
537	return true;
538	}
539
540	/*
541	* Add an entry to the acl_tbl to deny a truple with the specified
542	* ARO -> ACO -> AXO entry. This calls the ACL::grant function to create the entry
543	* but uses 'deny' as the fourth argument.
544	*
545	* @access public
546	* @param string\|null $aro Identifier of an existing ARO object (or null to use root).
547	* @param string\|null $aco Identifier of an existing ACO object (or null to use root).
548	* @param string\|null $axo Identifier of an existing AXO object (or null to use root).
549	* @return bool False on error, true on success.
550	* @author Quinn Comendant <quinn@strangecode.com>
551	* @version 1.0
552	* @since 15 Jun 2006 04:35:54
553	*/
554	function revoke($aro=null, $aco=null, $axo=null)
555	{
556	return $this->grant($aro, $aco, $axo, 'deny');
557	}
558
559	/*
560	* Delete an entry from the acl_tbl completely to allow other permissions to cascade down.
561	* Null values act as a "wildcard" and will cause ALL matches in that column to be deleted.
562	*
563	* @access public
564	* @param string\|null $aro Identifier of an existing ARO object (or null for *).
565	* @param string\|null $aco Identifier of an existing ACO object (or null for *).
566	* @param string\|null $axo Identifier of an existing AXO object (or null for *).
567	* @return bool False on error, true on success.
568	* @author Quinn Comendant <quinn@strangecode.com>
569	* @version 1.0
570	* @since 20 Jun 2006 20:16:12
571	*/
572	function delete($aro=null, $aco=null, $axo=null)
573	{
574	$app =& App::getInstance();
575	$db =& DB::getInstance();
576
577	$this->initDB();
578
579	// If any access objects are null, assume using root values.
580	// However if they're empty we don't want to escalate the grant command to root!
581	$where = array();
582	$where[] = is_null($aro) ? "aro_tbl.name IS NOT NULL" : "aro_tbl.name = '" . $db->escapeString($aro) . "' ";
583	$where[] = is_null($aco) ? "aco_tbl.name IS NOT NULL" : "aco_tbl.name = '" . $db->escapeString($aco) . "' ";
584	$where[] = is_null($axo) ? "axo_tbl.name IS NOT NULL" : "axo_tbl.name = '" . $db->escapeString($axo) . "' ";
585
586	// If any access objects are null, assume using root values.
587	// However if they're empty we don't want to escalate the grant command to root!
588	$aro = is_null($aro) ? 'root' : $aro;
589	$aco = is_null($aco) ? 'root' : $aco;
590	$axo = is_null($axo) ? 'root' : $axo;
591
592	// Flush old cached values.
593	$cache_hash = $aro . '\|' . $aco . '\|' . $axo;
594	$this->cache->delete($cache_hash);
595
596	$final_where = join(' AND ', $where);
597	if (mb_substr_count($final_where, 'IS NOT NULL') == 3) {
598	// Null on all three tables will delete ALL entries including the root -> root -> root = deny.
599	$app->logMsg(sprintf('Cannot allow deletion of ALL acl entries.', null), LOG_NOTICE, __FILE__, __LINE__);
600	return false;
601	}
602
603	$qid = $db->query("
604	DELETE acl_tbl
605	FROM acl_tbl
606	LEFT JOIN aro_tbl ON (acl_tbl.aro_id = aro_tbl.aro_id)
607	LEFT JOIN aco_tbl ON (acl_tbl.aco_id = aco_tbl.aco_id)
608	LEFT JOIN axo_tbl ON (acl_tbl.axo_id = axo_tbl.axo_id)
609	WHERE $final_where
610	");
611
612	$app->logMsg(sprintf('Deleted %s acl_tbl links: %s -> %s -> %s', mysql_affected_rows($db->getDBH()), $aro, $aco, $axo), LOG_INFO, __FILE__, __LINE__);
613
614	return true;
615	}
616
617	/*
618	* Calculates the most specific cascading privilege found for a requested
619	* ARO -> ACO -> AXO entry. Returns FALSE if the entry is denied. By default,
620	* all entries are denied, unless some point in the hierarchy is set to "allow."
621	*
622	* @access public
623	* @param string $aro Identifier of an existing ARO object.
624	* @param string $aco Identifier of an existing ACO object (or null to use root).
625	* @param string $axo Identifier of an existing AXO object (or null to use root).
626	* @return bool False if denied, true on allowed.
627	* @author Quinn Comendant <quinn@strangecode.com>
628	* @version 1.0
629	* @since 15 Jun 2006 03:58:23
630	*/
631	function check($aro, $aco=null, $axo=null)
632	{
633	$app =& App::getInstance();
634	$db =& DB::getInstance();
635
636	$this->initDB();
637
638	// If any access objects are null or empty, assume using root values.
639	$aro = is_null($aro) \|\| '' == trim($aro) ? 'root' : $aro;
640	$aco = is_null($aco) \|\| '' == trim($aco) ? 'root' : $aco;
641	$axo = is_null($axo) \|\| '' == trim($axo) ? 'root' : $axo;
642
643	$cache_hash = $aro . '\|' . $aco . '\|' . $axo;
644	if ($this->cache->exists($cache_hash) && true === $this->getParam('enable_cache')) {
645	// Access value is cached.
646	$access = $this->cache->get($cache_hash);
647	} else {
648	// Retreive access value from db.
649	$qid = $db->query("
650	SELECT acl_tbl.access
651	FROM acl_tbl
652	LEFT JOIN aro_tbl ON (acl_tbl.aro_id = aro_tbl.aro_id)
653	LEFT JOIN aco_tbl ON (acl_tbl.aco_id = aco_tbl.aco_id)
654	LEFT JOIN axo_tbl ON (acl_tbl.axo_id = axo_tbl.axo_id)
655	WHERE (aro_tbl.lft <= (SELECT lft FROM aro_tbl WHERE name = '" . $db->escapeString($aro) . "') AND aro_tbl.rgt >= (SELECT rgt FROM aro_tbl WHERE name = '" . $db->escapeString($aro) . "'))
656	AND (aco_tbl.lft <= (SELECT lft FROM aco_tbl WHERE name = '" . $db->escapeString($aco) . "') AND aco_tbl.rgt >= (SELECT rgt FROM aco_tbl WHERE name = '" . $db->escapeString($aco) . "'))
657	AND (axo_tbl.lft <= (SELECT lft FROM axo_tbl WHERE name = '" . $db->escapeString($axo) . "') AND axo_tbl.rgt >= (SELECT rgt FROM axo_tbl WHERE name = '" . $db->escapeString($axo) . "'))
658	ORDER BY aro_tbl.lft DESC, aco_tbl.lft DESC, axo_tbl.lft DESC
659	LIMIT 1
660	");
661	if (!list($access) = mysql_fetch_row($qid)) {
662	$this->cache->set($cache_hash, 'deny');
663	$app->logMsg(sprintf('Access denyed: %s -> %s -> %s. No records found.', $aro, $aco, $axo), LOG_DEBUG, __FILE__, __LINE__);
664	return false;
665	}
666	$this->cache->set($cache_hash, $access);
667	}
668
669	if ('allow' == $access) {
670	$app->logMsg(sprintf('Access granted: %s -> %s -> %s.', $aro, $aco, $axo), LOG_DEBUG, __FILE__, __LINE__);
671	return true;
672	} else {
673	$app->logMsg(sprintf('Access denyed: %s -> %s -> %s.', $aro, $aco, $axo), LOG_DEBUG, __FILE__, __LINE__);
674	return false;
675	}
676	}
677
678	} // End class.
679
680
681	?>

Note: See TracBrowser for help on using the repository browser.

Download in other formats: