Context Navigation

source: trunk/lib/ACL.inc.php @ 506

Last change on this file since 506 was 506, checked in by anonymous, 9 years ago

File size: 30.0 KB

Line
1	<?php
2	/**
3	* The Strangecode Codebase - a general application development framework for PHP
4	* For details visit the project site: <http://trac.strangecode.com/codebase/>
5	* Copyright 2001-2012 Strangecode, LLC
6	*
7	* This file is part of The Strangecode Codebase.
8	*
9	* The Strangecode Codebase is free software: you can redistribute it and/or
10	* modify it under the terms of the GNU General Public License as published by the
11	* Free Software Foundation, either version 3 of the License, or (at your option)
12	* any later version.
13	*
14	* The Strangecode Codebase is distributed in the hope that it will be useful, but
15	* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
16	* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
17	* details.
18	*
19	* You should have received a copy of the GNU General Public License along with
20	* The Strangecode Codebase. If not, see <http://www.gnu.org/licenses/>.
21	*/
22
23	/*
24	* ACL.inc.php
25	*
26	* Uses the ARO/ACO/AXO model of Access Control Lists.
27	* Uses Modified Preorder Tree Traversal to maintain a tree-structure.
28	* See: http://www.sitepoint.com/print/hierarchical-data-database
29	* Includes a command-line tool for managing rights (codebase/bin/acl.cli.php).
30	*
31	*
32	* @author Quinn Comendant <quinn@strangecode.com>
33	* @version 1.0
34	* @since 14 Jun 2006 22:35:11
35	*/
36
37	require_once dirname(__FILE__) . '/Cache.inc.php';
38
39	class ACL
40	{
41
42	// A place to keep an object instance for the singleton pattern.
43	protected static $instance = null;
44
45	// Configuration parameters for this object.
46	protected $_params = array(
47	// If false nothing will be cached or retrieved. Useful for testing realtime data requests.
48	'enable_cache' => true,
49
50	// Automatically create table and verify columns. Better set to false after site launch.
51	'create_table' => false,
52
53	// Maximum allowed length of names.
54	// This value can be increased only if {aro,aco,axo}_tbl.name VARCHAR length is increased.
55	'name_max_length' => 32.
56	);
57
58	/**
59	* Constructor.
60	*/
61	public function __construct()
62	{
63	$app =& App::getInstance();
64
65	// Configure the cache object.
66	$this->cache = new Cache('acl');
67	$this->cache->setParam(array('enabled' => true));
68
69	// Get create tables config from global context.
70	if (!is_null($app->getParam('db_create_tables'))) {
71	$this->setParam(array('create_table' => $app->getParam('db_create_tables')));
72	}
73	}
74
75	/**
76	* This method enforces the singleton pattern for this class.
77	*
78	* @return object Reference to the global ACL object.
79	* @access public
80	* @static
81	*/
82	public static function &getInstance()
83	{
84	if (self::$instance === null) {
85	self::$instance = new self();
86	}
87
88	return self::$instance;
89	}
90
91	/**
92	* Set (or overwrite existing) parameters by passing an array of new parameters.
93	*
94	* @access public
95	*
96	* @param array $params Array of parameters (key => val pairs).
97	*/
98	public function setParam($params)
99	{
100	$app =& App::getInstance();
101
102	if (isset($params) && is_array($params)) {
103	// Merge new parameters with old overriding only those passed.
104	$this->_params = array_merge($this->_params, $params);
105	} else {
106	$app->logMsg(sprintf('Parameters are not an array: %s', $params), LOG_ERR, __FILE__, __LINE__);
107	}
108	}
109
110	/**
111	* Return the value of a parameter, if it exists.
112	*
113	* @access public
114	* @param string $param Which parameter to return.
115	* @return mixed Configured parameter value.
116	*/
117	public function getParam($param)
118	{
119	$app =& App::getInstance();
120
121	if (array_key_exists($param, $this->_params)) {
122	return $this->_params[$param];
123	} else {
124	$app->logMsg(sprintf('Parameter is not set: %s', $param), LOG_NOTICE, __FILE__, __LINE__);
125	return null;
126	}
127	}
128
129	/**
130	* Setup the database tables for this class.
131	*
132	* @access public
133	* @author Quinn Comendant <quinn@strangecode.com>
134	* @since 04 Jun 2006 16:41:42
135	*/
136	public function initDB($recreate_db=false)
137	{
138	$app =& App::getInstance();
139	$db =& DB::getInstance();
140
141	static $_db_tested = false;
142
143	if ($recreate_db \|\| !$_db_tested && $this->getParam('create_table')) {
144
145	if ($recreate_db) {
146	$db->query("DROP TABLE IF EXISTS acl_tbl");
147	$db->query("DROP TABLE IF EXISTS aro_tbl");
148	$db->query("DROP TABLE IF EXISTS aco_tbl");
149	$db->query("DROP TABLE IF EXISTS axo_tbl");
150	$app->logMsg(sprintf('Dropping and recreating tables acl_tbl, aro_tbl, aco_tbl, axo_tbl.', null), LOG_INFO, __FILE__, __LINE__);
151	}
152
153	// acl_tbl
154	$db->query("
155	CREATE TABLE IF NOT EXISTS acl_tbl (
156	aro_id SMALLINT UNSIGNED NOT NULL DEFAULT '0',
157	aco_id SMALLINT UNSIGNED NOT NULL DEFAULT '0',
158	axo_id SMALLINT UNSIGNED NOT NULL DEFAULT '0',
159	access ENUM('allow', 'deny') DEFAULT NULL,
160	added_datetime DATETIME NOT NULL DEFAULT '0000-00-00 00:00:00',
161	UNIQUE KEY (aro_id, aco_id, axo_id),
162	KEY (access)
163	) ENGINE=MyISAM
164	");
165	if (!$db->columnExists('acl_tbl', array(
166	'aro_id',
167	'aco_id',
168	'axo_id',
169	'access',
170	'added_datetime',
171	), false, false)) {
172	$app->logMsg(sprintf('Database table acl_tbl has invalid columns. Please update this table manually.', null), LOG_ALERT, __FILE__, __LINE__);
173	trigger_error(sprintf('Database table acl_tbl has invalid columns. Please update this table manually.', null), E_USER_ERROR);
174	} else {
175	// Insert root node data if nonexistant, dely all by default.
176	$qid = $db->query("SELECT 1 FROM acl_tbl");
177	if (mysql_num_rows($qid) == 0) {
178	$qid = $db->query("REPLACE INTO acl_tbl VALUES ('1', '1', '1', 'deny', NOW())");
179	}
180	}
181
182	// aro_tbl, aco_tbl, axo_tbl
183	foreach (array('aro', 'aco', 'axo') as $a_o) {
184	$db->query("
185	CREATE TABLE IF NOT EXISTS {$a_o}_tbl (
186	{$a_o}_id SMALLINT UNSIGNED NOT NULL PRIMARY KEY AUTO_INCREMENT,
187	name VARCHAR(" . $this->getParam('name_max_length') . ") NOT NULL DEFAULT '',
188	lft MEDIUMINT UNSIGNED NOT NULL DEFAULT '0',
189	rgt MEDIUMINT UNSIGNED NOT NULL DEFAULT '0',
190	added_datetime DATETIME NOT NULL DEFAULT '0000-00-00 00:00:00',
191	UNIQUE KEY name (name(15)),
192	KEY transversal (lft, rgt)
193	) ENGINE=MyISAM;
194	");
195
196	if (!$db->columnExists("{$a_o}_tbl", array(
197	"{$a_o}_id",
198	'name',
199	'lft',
200	'rgt',
201	'added_datetime',
202	), false, false)) {
203	$app->logMsg(sprintf('Database table %s has invalid columns. Please update this table manually.', "{$a_o}_tbl"), LOG_ALERT, __FILE__, __LINE__);
204	trigger_error(sprintf('Database table %s has invalid columns. Please update this table manually.', "{$a_o}_tbl"), E_USER_ERROR);
205	} else {
206	// Insert root node data if nonexistent.
207	$qid = $db->query("SELECT 1 FROM {$a_o}_tbl WHERE name = 'root'");
208	if (mysql_num_rows($qid) == 0) {
209	$qid = $db->query("REPLACE INTO {$a_o}_tbl (name, lft, rgt, added_datetime) VALUES ('root', 1, 2, NOW())");
210	}
211	}
212
213	}
214	}
215	$_db_tested = true;
216	return true;
217	}
218
219	/*
220	* Add a node to one of the aro/aco/axo tables.
221	*
222	* @access public
223	* @param string $name A unique identifier for the new node.
224	* @param string $parent The name of the parent under-which to attach the new node.
225	* @param string $type The tree to add to, one of: aro, aco, axo.
226	* @return bool \| int False on error, or the last_insert_id primary key of the new node.
227	* @author Quinn Comendant <quinn@strangecode.com>
228	* @version 1.0
229	* @since 14 Jun 2006 22:39:29
230	*/
231	public function add($name, $parent=null, $type)
232	{
233	$app =& App::getInstance();
234	$db =& DB::getInstance();
235
236	$this->initDB();
237
238	switch ($type) {
239	case 'aro' :
240	$tbl = 'aro_tbl';
241	break;
242	case 'aco' :
243	$tbl = 'aco_tbl';
244	break;
245	case 'axo' :
246	$tbl = 'axo_tbl';
247	break;
248	default :
249	$app->logMsg(sprintf('Invalid access object type: %s', $type), LOG_ERR, __FILE__, __LINE__);
250	return false;
251	break;
252	}
253
254	// If $parent is null, use root object.
255	if (is_null($parent)) {
256	$parent = 'root';
257	}
258
259	// Ensure node and parent name aren't empty.
260	if ('' == trim($name) \|\| '' == trim($parent)) {
261	$app->logMsg(sprintf('Cannot add node, parent (%s) or name (%s) missing.', $name, $parent), LOG_WARNING, __FILE__, __LINE__);
262	return false;
263	}
264
265	// Ensure node node name fits in the column size.
266	// This value can be increased if {aro,aco.axo}_tbl.name VARCHAR length is increased.
267	if (strlen(trim($name)) > $this->getParam('name_max_length')) {
268	$app->logMsg(sprintf('Cannot add node, %s character limit exceeded for name "%s"', $this->getParam('name_max_length'), $name, $parent), LOG_WARNING, __FILE__, __LINE__);
269	return false;
270	}
271
272	// Ensure node is unique.
273	$qid = $db->query("SELECT 1 FROM $tbl WHERE name = '" . $db->escapeString($name) . "'");
274	if (mysql_num_rows($qid) > 0) {
275	$app->logMsg(sprintf('Cannot add %s node, already exists: %s', $type, $name), LOG_INFO, __FILE__, __LINE__);
276	return false;
277	}
278
279	// Select the rgt of $parent.
280	$qid = $db->query("SELECT rgt FROM $tbl WHERE name = '" . $db->escapeString($parent) . "'");
281	if (!list($parent_rgt) = mysql_fetch_row($qid)) {
282	$app->logMsg(sprintf('Cannot add %s node to nonexistent parent: %s', $type, $parent), LOG_WARNING, __FILE__, __LINE__);
283	return false;
284	}
285
286	// Update transversal numbers for all nodes to the rgt of $parent.
287	$db->query("UPDATE $tbl SET lft = lft + 2 WHERE lft >= $parent_rgt");
288	$db->query("UPDATE $tbl SET rgt = rgt + 2 WHERE rgt >= $parent_rgt");
289
290	// Insert new node just below parent. Lft is parent's old rgt.
291	$db->query("
292	INSERT INTO $tbl (name, lft, rgt, added_datetime)
293	VALUES ('" . $db->escapeString($name) . "', $parent_rgt, $parent_rgt + 1, NOW())
294	");
295
296	$app->logMsg(sprintf('Added %s node %s to parent %s', $type, $name, $parent), LOG_INFO, __FILE__, __LINE__);
297	return mysql_insert_id($db->getDBH());
298	}
299
300	// Alias functions for the different object types.
301	public function addRequestObject($name, $parent=null)
302	{
303	return $this->add($name, $parent, 'aro');
304	}
305	public function addControlObject($name, $parent=null)
306	{
307	return $this->add($name, $parent, 'aco');
308	}
309	public function addXtraObject($name, $parent=null)
310	{
311	return $this->add($name, $parent, 'axo');
312	}
313
314	/*
315	* Remove a node from one of the aro/aco/axo tables.
316	*
317	* @access public
318	* @param string $name The identifier for the node to remove.
319	* @param string $type The tree to modify, one of: aro, aco, axo.
320	* @return bool \| int False on error, or true on success.
321	* @author Quinn Comendant <quinn@strangecode.com>
322	* @version 1.0
323	* @since 14 Jun 2006 22:39:29
324	*/
325	public function remove($name, $type)
326	{
327	$app =& App::getInstance();
328	$db =& DB::getInstance();
329
330	$this->initDB();
331
332	switch ($type) {
333	case 'aro' :
334	$tbl = 'aro_tbl';
335	$primary_key = 'aro_id';
336	break;
337	case 'aco' :
338	$tbl = 'aco_tbl';
339	$primary_key = 'aco_id';
340	break;
341	case 'axo' :
342	$tbl = 'axo_tbl';
343	$primary_key = 'axo_id';
344	break;
345	default :
346	$app->logMsg(sprintf('Invalid access object type: %s', $type), LOG_ERR, __FILE__, __LINE__);
347	return false;
348	break;
349	}
350
351	// Ensure node name isn't empty.
352	if ('' == trim($name)) {
353	$app->logMsg(sprintf('Cannot add node, name missing.', null), LOG_WARNING, __FILE__, __LINE__);
354	return false;
355	}
356
357	// Select the lft and rgt of $name to use for selecting children and reordering transversals.
358	$qid = $db->query("SELECT lft, rgt FROM $tbl WHERE name = '" . $db->escapeString($name) . "'");
359	if (!list($lft, $rgt) = mysql_fetch_row($qid)) {
360	$app->logMsg(sprintf('Cannot delete nonexistent %s name: %s', $type, $name), LOG_WARNING, __FILE__, __LINE__);
361	return false;
362	}
363
364	// Remove node and all children of node, as well as acl_tbl links.
365	$db->query("
366	DELETE $tbl, acl_tbl
367	FROM $tbl
368	LEFT JOIN acl_tbl ON ($tbl.$primary_key = acl_tbl.$primary_key)
369	WHERE $tbl.lft BETWEEN $lft AND $rgt
370	");
371	$num_deleted_nodes = mysql_affected_rows($db->getDBH());
372
373	// Update transversal numbers for all nodes to the rgt of $parent, taking in to account the absence of it's children.
374	$db->query("UPDATE $tbl SET lft = lft - ($rgt - $lft + 1) WHERE lft > $lft");
375	$db->query("UPDATE $tbl SET rgt = rgt - ($rgt - $lft + 1) WHERE rgt > $rgt");
376
377	$app->logMsg(sprintf('Removed %s node %s along with %s children.', $type, $name, $num_deleted_nodes - 1), LOG_INFO, __FILE__, __LINE__);
378	return true;
379	}
380
381	// Alias functions for the different object types.
382	public function removeRequestObject($name)
383	{
384	return $this->remove($name, 'aro');
385	}
386	public function removeControlObject($name)
387	{
388	return $this->remove($name, 'aco');
389	}
390	public function removeXtraObject($name)
391	{
392	return $this->remove($name, 'axo');
393	}
394
395	/*
396	* Move a node to a new parent in one of the aro/aco/axo tables.
397	*
398	* @access public
399	* @param string $name The identifier for the node to remove.
400	* @param string $new_parent The name of the parent under-which to attach the new node.
401	* @param string $type The tree to modify, one of: aro, aco, axo.
402	* @return bool \| int False on error, or the last_insert_id primary key of the new node.
403	* @author Quinn Comendant <quinn@strangecode.com>
404	* @version 1.0
405	* @since 14 Jun 2006 22:39:29
406	*/
407	public function move($name, $new_parent, $type)
408	{
409	$app =& App::getInstance();
410	$db =& DB::getInstance();
411
412	$this->initDB();
413
414	switch ($type) {
415	case 'aro' :
416	$tbl = 'aro_tbl';
417	$primary_key = 'aro_id';
418	break;
419	case 'aco' :
420	$tbl = 'aco_tbl';
421	$primary_key = 'aco_id';
422	break;
423	case 'axo' :
424	$tbl = 'axo_tbl';
425	$primary_key = 'axo_id';
426	break;
427	default :
428	$app->logMsg(sprintf('Invalid access object type: %s', $type), LOG_ERR, __FILE__, __LINE__);
429	return false;
430	break;
431	}
432
433	// If $new_parent is null, use root object.
434	if (is_null($new_parent)) {
435	$new_parent = 'root';
436	}
437
438	// Ensure node and parent name aren't empty.
439	if ('' == trim($name) \|\| '' == trim($new_parent)) {
440	$app->logMsg(sprintf('Cannot add node, parent (%s) or name (%s) missing.', $name, $new_parent), LOG_WARNING, __FILE__, __LINE__);
441	return false;
442	}
443
444	// Select the lft and rgt of $name to use for selecting children and reordering transversals.
445	$qid = $db->query("SELECT lft, rgt FROM $tbl WHERE name = '" . $db->escapeString($name) . "'");
446	if (!list($lft, $rgt) = mysql_fetch_row($qid)) {
447	$app->logMsg(sprintf('Cannot move nonexistent %s name: %s', $type, $name), LOG_WARNING, __FILE__, __LINE__);
448	return false;
449	}
450
451	// Total number of transversal values (that is, the count of self plus all children times two).
452	$total_transversal_value = ($rgt - $lft + 1);
453
454	// Select the rgt of the new parent.
455	$qid = $db->query("SELECT rgt FROM $tbl WHERE name = '" . $db->escapeString($new_parent) . "'");
456	if (!list($new_parent_rgt) = mysql_fetch_row($qid)) {
457	$app->logMsg(sprintf('Cannot move %s node to nonexistent parent: %s', $type, $new_parent), LOG_WARNING, __FILE__, __LINE__);
458	return false;
459	}
460
461	// Ensure the new parent is not a child of the node being moved.
462	if ($new_parent_rgt <= $rgt && $new_parent_rgt >= $lft) {
463	$app->logMsg(sprintf('Cannot move %s node %s to parent %s because it is a child of itself.', $type, $name, $new_parent), LOG_WARNING, __FILE__, __LINE__);
464	return false;
465	}
466
467	// Collect unique ids of all nodes being moved. The transversal numbers will become duplicated so these will be needed to identify these.
468	$qid = $db->query("
469	SELECT $primary_key
470	FROM $tbl
471	WHERE lft BETWEEN $lft AND $rgt
472	AND rgt BETWEEN $lft AND $rgt
473	");
474	$ids = array();
475	while (list($id) = mysql_fetch_row($qid)) {
476	$ids[] = $id;
477	}
478
479	// Update transversal numbers for all nodes to the rgt of the node being moved, taking in to account the absence of it's children.
480	// This will temporarily "remove" the node from the tree, and its transversal values will be duplicated.
481	$db->query("UPDATE $tbl SET lft = lft - $total_transversal_value WHERE lft > $rgt");
482	$db->query("UPDATE $tbl SET rgt = rgt - $total_transversal_value WHERE rgt > $rgt");
483
484	// Apply transformation to new parent rgt also.
485	$new_parent_rgt = $new_parent_rgt > $rgt ? $new_parent_rgt - $total_transversal_value : $new_parent_rgt;
486
487	// Update transversal values of moved node and children.
488	$db->query("
489	UPDATE $tbl SET
490	lft = lft - ($lft - $new_parent_rgt),
491	rgt = rgt - ($lft - $new_parent_rgt)
492	WHERE $primary_key IN ('" . join("','", $ids) . "')
493	");
494
495	// Update transversal values of all nodes to the rgt of moved node.
496	$db->query("UPDATE $tbl SET lft = lft + $total_transversal_value WHERE lft >= $new_parent_rgt AND $primary_key NOT IN ('" . join("','", $ids) . "')");
497	$db->query("UPDATE $tbl SET rgt = rgt + $total_transversal_value WHERE rgt >= $new_parent_rgt AND $primary_key NOT IN ('" . join("','", $ids) . "')");
498
499	$app->logMsg(sprintf('Moved %s node %s to new parent %s', $type, $name, $new_parent), LOG_INFO, __FILE__, __LINE__);
500	return true;
501	}
502
503	// Alias functions for the different object types.
504	public function moveRequestObject($name, $new_parent=null)
505	{
506	return $this->move($name, $new_parent, 'aro');
507	}
508	public function moveControlObject($name, $new_parent=null)
509	{
510	return $this->move($name, $new_parent, 'aco');
511	}
512	public function moveXtraObject($name, $new_parent=null)
513	{
514	return $this->move($name, $new_parent, 'axo');
515	}
516
517	/*
518	* Add an entry to the acl_tbl to allow (or deny) a truple with the specified
519	* ARO -> ACO -> AXO entry.
520	*
521	* @access public
522	* @param string\|null $aro Identifier of an existing ARO object (or null to use root).
523	* @param string\|null $aco Identifier of an existing ACO object (or null to use root).
524	* @param string\|null $axo Identifier of an existing AXO object (or null to use root).
525	* @return bool False on error, true on success.
526	* @author Quinn Comendant <quinn@strangecode.com>
527	* @version 1.0
528	* @since 15 Jun 2006 01:58:48
529	*/
530	public function grant($aro=null, $aco=null, $axo=null, $access='allow')
531	{
532	$app =& App::getInstance();
533	$db =& DB::getInstance();
534
535	$this->initDB();
536
537	// If any access objects are null, assume using root values.
538	// However if they're empty we don't want to escalate the grant command to root!
539	$aro = is_null($aro) ? 'root' : $aro;
540	$aco = is_null($aco) ? 'root' : $aco;
541	$axo = is_null($axo) ? 'root' : $axo;
542
543	// Flush old cached values.
544	$cache_hash = $aro . '\|' . $aco . '\|' . $axo;
545	$this->cache->delete($cache_hash);
546
547	// Ensure values exist.
548	$qid = $db->query("SELECT aro_tbl.aro_id FROM aro_tbl WHERE aro_tbl.name = '" . $db->escapeString($aro) . "'");
549	if (!list($aro_id) = mysql_fetch_row($qid)) {
550	$app->logMsg(sprintf('Grant failed, aro_tbl.name = "%s" does not exist.', $aro), LOG_WARNING, __FILE__, __LINE__);
551	return false;
552	}
553	$qid = $db->query("SELECT aco_tbl.aco_id FROM aco_tbl WHERE aco_tbl.name = '" . $db->escapeString($aco) . "'");
554	if (!list($aco_id) = mysql_fetch_row($qid)) {
555	$app->logMsg(sprintf('Grant failed, aco_tbl.name = "%s" does not exist.', $aco), LOG_WARNING, __FILE__, __LINE__);
556	return false;
557	}
558	$qid = $db->query("SELECT axo_tbl.axo_id FROM axo_tbl WHERE axo_tbl.name = '" . $db->escapeString($axo) . "'");
559	if (!list($axo_id) = mysql_fetch_row($qid)) {
560	$app->logMsg(sprintf('Grant failed, axo_tbl.name = "%s" does not exist.', $axo), LOG_WARNING, __FILE__, __LINE__);
561	return false;
562	}
563
564	// Access must be 'allow' or 'deny'.
565	$allow = 'allow' == $access ? 'allow' : 'deny';
566
567	$db->query("REPLACE INTO acl_tbl VALUES ('$aro_id', '$aco_id', '$axo_id', '$allow', NOW())");
568	$app->logMsg(sprintf('Set %s: %s -> %s -> %s', $allow, $aro, $aco, $axo), LOG_INFO, __FILE__, __LINE__);
569
570	return true;
571	}
572
573	/*
574	* Add an entry to the acl_tbl to deny a truple with the specified
575	* ARO -> ACO -> AXO entry. This calls the ACL::grant function to create the entry
576	* but uses 'deny' as the fourth argument.
577	*
578	* @access public
579	* @param string\|null $aro Identifier of an existing ARO object (or null to use root).
580	* @param string\|null $aco Identifier of an existing ACO object (or null to use root).
581	* @param string\|null $axo Identifier of an existing AXO object (or null to use root).
582	* @return bool False on error, true on success.
583	* @author Quinn Comendant <quinn@strangecode.com>
584	* @version 1.0
585	* @since 15 Jun 2006 04:35:54
586	*/
587	public function revoke($aro=null, $aco=null, $axo=null)
588	{
589	return $this->grant($aro, $aco, $axo, 'deny');
590	}
591
592	/*
593	* Delete an entry from the acl_tbl completely to allow other permissions to cascade down.
594	* Null values act as a "wildcard" and will cause ALL matches in that column to be deleted.
595	*
596	* @access public
597	* @param string\|null $aro Identifier of an existing ARO object (or null for *).
598	* @param string\|null $aco Identifier of an existing ACO object (or null for *).
599	* @param string\|null $axo Identifier of an existing AXO object (or null for *).
600	* @return bool False on error, true on success.
601	* @author Quinn Comendant <quinn@strangecode.com>
602	* @version 1.0
603	* @since 20 Jun 2006 20:16:12
604	*/
605	public function delete($aro=null, $aco=null, $axo=null)
606	{
607	$app =& App::getInstance();
608	$db =& DB::getInstance();
609
610	$this->initDB();
611
612	// If any access objects are null, assume using root values.
613	// However if they're empty we don't want to escalate the grant command to root!
614	$where = array();
615	$where[] = is_null($aro) ? "aro_tbl.name IS NOT NULL" : "aro_tbl.name = '" . $db->escapeString($aro) . "' ";
616	$where[] = is_null($aco) ? "aco_tbl.name IS NOT NULL" : "aco_tbl.name = '" . $db->escapeString($aco) . "' ";
617	$where[] = is_null($axo) ? "axo_tbl.name IS NOT NULL" : "axo_tbl.name = '" . $db->escapeString($axo) . "' ";
618
619	// If any access objects are null, assume using root values.
620	// However if they're empty we don't want to escalate the grant command to root!
621	$aro = is_null($aro) ? 'root' : $aro;
622	$aco = is_null($aco) ? 'root' : $aco;
623	$axo = is_null($axo) ? 'root' : $axo;
624
625	// Flush old cached values.
626	$cache_hash = $aro . '\|' . $aco . '\|' . $axo;
627	$this->cache->delete($cache_hash);
628
629	$final_where = join(' AND ', $where);
630	if (mb_substr_count($final_where, 'IS NOT NULL') == 3) {
631	// Null on all three tables will delete ALL entries including the root -> root -> root = deny.
632	$app->logMsg('Cannot allow deletion of ALL acl entries.', LOG_WARNING, __FILE__, __LINE__);
633	return false;
634	}
635
636	$qid = $db->query("
637	DELETE acl_tbl
638	FROM acl_tbl
639	LEFT JOIN aro_tbl ON (acl_tbl.aro_id = aro_tbl.aro_id)
640	LEFT JOIN aco_tbl ON (acl_tbl.aco_id = aco_tbl.aco_id)
641	LEFT JOIN axo_tbl ON (acl_tbl.axo_id = axo_tbl.axo_id)
642	WHERE $final_where
643	");
644
645	$app->logMsg(sprintf('Deleted %s acl_tbl links: %s -> %s -> %s', mysql_affected_rows($db->getDBH()), $aro, $aco, $axo), LOG_INFO, __FILE__, __LINE__);
646
647	return true;
648	}
649
650	/*
651	* Calculates the most specific cascading privilege found for a requested
652	* ARO -> ACO -> AXO entry. Returns FALSE if the entry is denied. By default,
653	* all entries are denied, unless some point in the hierarchy is set to "allow."
654	*
655	* @access public
656	* @param string $aro Identifier of an existing ARO object.
657	* @param string $aco Identifier of an existing ACO object (or null to use root).
658	* @param string $axo Identifier of an existing AXO object (or null to use root).
659	* @return bool False if denied, true on allowed.
660	* @author Quinn Comendant <quinn@strangecode.com>
661	* @version 1.0
662	* @since 15 Jun 2006 03:58:23
663	*/
664	public function check($aro, $aco=null, $axo=null)
665	{
666	$app =& App::getInstance();
667	$db =& DB::getInstance();
668
669	$this->initDB();
670
671	// If any access objects are null or empty, assume using root values.
672	$aro = is_null($aro) \|\| '' == trim($aro) ? 'root' : $aro;
673	$aco = is_null($aco) \|\| '' == trim($aco) ? 'root' : $aco;
674	$axo = is_null($axo) \|\| '' == trim($axo) ? 'root' : $axo;
675
676	$cache_hash = $aro . '\|' . $aco . '\|' . $axo;
677	if ($this->cache->exists($cache_hash) && true === $this->getParam('enable_cache')) {
678	// Access value is cached.
679	$access = $this->cache->get($cache_hash);
680	} else {
681	// Retrieve access value from db.
682	$qid = $db->query("
683	SELECT acl_tbl.access
684	FROM acl_tbl
685	LEFT JOIN aro_tbl ON (acl_tbl.aro_id = aro_tbl.aro_id)
686	LEFT JOIN aco_tbl ON (acl_tbl.aco_id = aco_tbl.aco_id)
687	LEFT JOIN axo_tbl ON (acl_tbl.axo_id = axo_tbl.axo_id)
688	WHERE (aro_tbl.lft <= (SELECT lft FROM aro_tbl WHERE name = '" . $db->escapeString($aro) . "') AND aro_tbl.rgt >= (SELECT rgt FROM aro_tbl WHERE name = '" . $db->escapeString($aro) . "'))
689	AND (aco_tbl.lft <= (SELECT lft FROM aco_tbl WHERE name = '" . $db->escapeString($aco) . "') AND aco_tbl.rgt >= (SELECT rgt FROM aco_tbl WHERE name = '" . $db->escapeString($aco) . "'))
690	AND (axo_tbl.lft <= (SELECT lft FROM axo_tbl WHERE name = '" . $db->escapeString($axo) . "') AND axo_tbl.rgt >= (SELECT rgt FROM axo_tbl WHERE name = '" . $db->escapeString($axo) . "'))
691	ORDER BY aro_tbl.lft DESC, aco_tbl.lft DESC, axo_tbl.lft DESC
692	LIMIT 1
693	");
694	if (!list($access) = mysql_fetch_row($qid)) {
695	$this->cache->set($cache_hash, 'deny');
696	$app->logMsg(sprintf('Access denied: %s -> %s -> %s (no records found).', $aro, $aco, $axo), LOG_DEBUG, __FILE__, __LINE__);
697	return false;
698	}
699	$this->cache->set($cache_hash, $access);
700	}
701
702	if ('allow' == $access) {
703	$app->logMsg(sprintf('Access granted: %s -> %s -> %s', $aro, $aco, $axo), LOG_DEBUG, __FILE__, __LINE__);
704	return true;
705	} else {
706	$app->logMsg(sprintf('Access denied: %s -> %s -> %s', $aro, $aco, $axo), LOG_DEBUG, __FILE__, __LINE__);
707	return false;
708	}
709	}
710
711	/*
712	* Bounce user if they are denied access. Because this function calls dieURL() it must be called before any other HTTP header output.
713	*
714	* @access public
715	* @param string $aro Identifier of an existing ARO object.
716	* @param string $aco Identifier of an existing ACO object (or null to use root).
717	* @param string $axo Identifier of an existing AXO object (or null to use root).
718	* @param string $message The text description of a message to raise.
719	* @param int $type The type of message: MSG_NOTICE,
720	* MSG_SUCCESS, MSG_WARNING, or MSG_ERR.
721	* @param string $file __FILE__.
722	* @param string $line __LINE__.
723	* @author Quinn Comendant <quinn@strangecode.com>
724	* @version 1.0
725	* @since 20 Jan 2014 12:09:03
726	*/
727	public function requireAllow($aro, $aco=null, $axo=null, $message='', $type=MSG_NOTICE, $file=null, $line=null)
728	{
729	$app =& App::getInstance();
730
731	if (!$this->check($aro, $aco, $axo)) {
732	$message = '' == trim($message) ? sprintf(_("Sorry, you have insufficient privileges for <em>%s %s</em>."), $aco, $axo) : $message;
733	$app->raiseMsg($message, $type, $file, $line);
734	$app->dieBoomerangURL();
735	}
736	}
737
738	} // End class.

Note: See TracBrowser for help on using the repository browser.

Download in other formats: