C CakePHP 2.1 API

  1: <?php
  2: /**
  3:  * CakePHP(tm) : Rapid Development Framework (http://cakephp.org)
  4:  * Copyright 2005-2012, Cake Software Foundation, Inc. (http://cakefoundation.org)
  5:  *
  6:  * Licensed under The MIT License
  7:  * Redistributions of files must retain the above copyright notice.
  8:  *
  9:  * @copyright     Copyright 2005-2012, Cake Software Foundation, Inc. (http://cakefoundation.org)
 10:  * @link          http://cakephp.org CakePHP(tm) Project
 11:  * @package       Cake.Controller.Component
 12:  * @since         CakePHP(tm) v 0.10.0.1076
 13:  * @license       MIT License (http://www.opensource.org/licenses/mit-license.php)
 14:  */
 15: App::uses('AclInterface', 'Controller/Component/Acl');
 16: 
 17: /**
 18:  * DbAcl implements an ACL control system in the database.  ARO's and ACO's are
 19:  * structured into trees and a linking table is used to define permissions.  You
 20:  * can install the schema for DbAcl with the Schema Shell.
 21:  *
 22:  * `$aco` and `$aro` parameters can be slash delimited paths to tree nodes.
 23:  *
 24:  * eg. `controllers/Users/edit`
 25:  *
 26:  * Would point to a tree structure like
 27:  *
 28:  * {{{
 29:  *  controllers
 30:  *      Users
 31:  *          edit
 32:  * }}}
 33:  *
 34:  * @package       Cake.Controller.Component
 35:  */
 36: class DbAcl extends Object implements AclInterface {
 37: 
 38: /**
 39:  * Constructor
 40:  *
 41:  */
 42:     public function __construct() {
 43:         parent::__construct();
 44:         App::uses('AclNode', 'Model');
 45:         $this->Aro = ClassRegistry::init(array('class' => 'Aro', 'alias' => 'Aro'));
 46:         $this->Aco = ClassRegistry::init(array('class' => 'Aco', 'alias' => 'Aco'));
 47:     }
 48: 
 49: /**
 50:  * Initializes the containing component and sets the Aro/Aco objects to it.
 51:  *
 52:  * @param AclComponent $component
 53:  * @return void
 54:  */
 55:     public function initialize(Component $component) {
 56:         $component->Aro = $this->Aro;
 57:         $component->Aco = $this->Aco;
 58:     }
 59: 
 60: /**
 61:  * Checks if the given $aro has access to action $action in $aco
 62:  *
 63:  * @param string $aro ARO The requesting object identifier.
 64:  * @param string $aco ACO The controlled object identifier.
 65:  * @param string $action Action (defaults to *)
 66:  * @return boolean Success (true if ARO has access to action in ACO, false otherwise)
 67:  * @link http://book.cakephp.org/2.0/en/core-libraries/components/access-control-lists.html#checking-permissions-the-acl-component
 68:  */
 69:     public function check($aro, $aco, $action = "*") {
 70:         if ($aro == null || $aco == null) {
 71:             return false;
 72:         }
 73: 
 74:         $permKeys = $this->_getAcoKeys($this->Aro->Permission->schema());
 75:         $aroPath = $this->Aro->node($aro);
 76:         $acoPath = $this->Aco->node($aco);
 77: 
 78:         if (empty($aroPath) || empty($acoPath)) {
 79:             trigger_error(__d('cake_dev', "DbAcl::check() - Failed ARO/ACO node lookup in permissions check.  Node references:\nAro: ") . print_r($aro, true) . "\nAco: " . print_r($aco, true), E_USER_WARNING);
 80:             return false;
 81:         }
 82: 
 83:         if ($acoPath == null || $acoPath == array()) {
 84:             trigger_error(__d('cake_dev', "DbAcl::check() - Failed ACO node lookup in permissions check.  Node references:\nAro: ") . print_r($aro, true) . "\nAco: " . print_r($aco, true), E_USER_WARNING);
 85:             return false;
 86:         }
 87: 
 88:         if ($action != '*' && !in_array('_' . $action, $permKeys)) {
 89:             trigger_error(__d('cake_dev', "ACO permissions key %s does not exist in DbAcl::check()", $action), E_USER_NOTICE);
 90:             return false;
 91:         }
 92: 
 93:         $inherited = array();
 94:         $acoIDs = Set::extract($acoPath, '{n}.' . $this->Aco->alias . '.id');
 95: 
 96:         $count = count($aroPath);
 97:         for ($i = 0; $i < $count; $i++) {
 98:             $permAlias = $this->Aro->Permission->alias;
 99: 
100:             $perms = $this->Aro->Permission->find('all', array(
101:                 'conditions' => array(
102:                     "{$permAlias}.aro_id" => $aroPath[$i][$this->Aro->alias]['id'],
103:                     "{$permAlias}.aco_id" => $acoIDs
104:                 ),
105:                 'order' => array($this->Aco->alias . '.lft' => 'desc'),
106:                 'recursive' => 0
107:             ));
108: 
109:             if (empty($perms)) {
110:                 continue;
111:             } else {
112:                 $perms = Set::extract($perms, '{n}.' . $this->Aro->Permission->alias);
113:                 foreach ($perms as $perm) {
114:                     if ($action == '*') {
115: 
116:                         foreach ($permKeys as $key) {
117:                             if (!empty($perm)) {
118:                                 if ($perm[$key] == -1) {
119:                                     return false;
120:                                 } elseif ($perm[$key] == 1) {
121:                                     $inherited[$key] = 1;
122:                                 }
123:                             }
124:                         }
125: 
126:                         if (count($inherited) === count($permKeys)) {
127:                             return true;
128:                         }
129:                     } else {
130:                         switch ($perm['_' . $action]) {
131:                             case -1:
132:                                 return false;
133:                             case 0:
134:                                 continue;
135:                             break;
136:                             case 1:
137:                                 return true;
138:                             break;
139:                         }
140:                     }
141:                 }
142:             }
143:         }
144:         return false;
145:     }
146: 
147: /**
148:  * Allow $aro to have access to action $actions in $aco
149:  *
150:  * @param string $aro ARO The requesting object identifier.
151:  * @param string $aco ACO The controlled object identifier.
152:  * @param string $actions Action (defaults to *)
153:  * @param integer $value Value to indicate access type (1 to give access, -1 to deny, 0 to inherit)
154:  * @return boolean Success
155:  * @link http://book.cakephp.org/2.0/en/core-libraries/components/access-control-lists.html#assigning-permissions
156:  */
157:     public function allow($aro, $aco, $actions = "*", $value = 1) {
158:         $perms = $this->getAclLink($aro, $aco);
159:         $permKeys = $this->_getAcoKeys($this->Aro->Permission->schema());
160:         $save = array();
161: 
162:         if ($perms == false) {
163:             trigger_error(__d('cake_dev', 'DbAcl::allow() - Invalid node'), E_USER_WARNING);
164:             return false;
165:         }
166:         if (isset($perms[0])) {
167:             $save = $perms[0][$this->Aro->Permission->alias];
168:         }
169: 
170:         if ($actions == "*") {
171:             $permKeys = $this->_getAcoKeys($this->Aro->Permission->schema());
172:             $save = array_combine($permKeys, array_pad(array(), count($permKeys), $value));
173:         } else {
174:             if (!is_array($actions)) {
175:                 $actions = array('_' . $actions);
176:             }
177:             if (is_array($actions)) {
178:                 foreach ($actions as $action) {
179:                     if ($action{0} != '_') {
180:                         $action = '_' . $action;
181:                     }
182:                     if (in_array($action, $permKeys)) {
183:                         $save[$action] = $value;
184:                     }
185:                 }
186:             }
187:         }
188:         list($save['aro_id'], $save['aco_id']) = array($perms['aro'], $perms['aco']);
189: 
190:         if ($perms['link'] != null && !empty($perms['link'])) {
191:             $save['id'] = $perms['link'][0][$this->Aro->Permission->alias]['id'];
192:         } else {
193:             unset($save['id']);
194:             $this->Aro->Permission->id = null;
195:         }
196:         return ($this->Aro->Permission->save($save) !== false);
197:     }
198: 
199: /**
200:  * Deny access for $aro to action $action in $aco
201:  *
202:  * @param string $aro ARO The requesting object identifier.
203:  * @param string $aco ACO The controlled object identifier.
204:  * @param string $action Action (defaults to *)
205:  * @return boolean Success
206:  * @link http://book.cakephp.org/2.0/en/core-libraries/components/access-control-lists.html#assigning-permissions
207:  */
208:     public function deny($aro, $aco, $action = "*") {
209:         return $this->allow($aro, $aco, $action, -1);
210:     }
211: 
212: /**
213:  * Let access for $aro to action $action in $aco be inherited
214:  *
215:  * @param string $aro ARO The requesting object identifier.
216:  * @param string $aco ACO The controlled object identifier.
217:  * @param string $action Action (defaults to *)
218:  * @return boolean Success
219:  */
220:     public function inherit($aro, $aco, $action = "*") {
221:         return $this->allow($aro, $aco, $action, 0);
222:     }
223: 
224: /**
225:  * Allow $aro to have access to action $actions in $aco
226:  *
227:  * @param string $aro ARO The requesting object identifier.
228:  * @param string $aco ACO The controlled object identifier.
229:  * @param string $action Action (defaults to *)
230:  * @return boolean Success
231:  * @see allow()
232:  */
233:     public function grant($aro, $aco, $action = "*") {
234:         return $this->allow($aro, $aco, $action);
235:     }
236: 
237: /**
238:  * Deny access for $aro to action $action in $aco
239:  *
240:  * @param string $aro ARO The requesting object identifier.
241:  * @param string $aco ACO The controlled object identifier.
242:  * @param string $action Action (defaults to *)
243:  * @return boolean Success
244:  * @see deny()
245:  */
246:     public function revoke($aro, $aco, $action = "*") {
247:         return $this->deny($aro, $aco, $action);
248:     }
249: 
250: /**
251:  * Get an array of access-control links between the given Aro and Aco
252:  *
253:  * @param string $aro ARO The requesting object identifier.
254:  * @param string $aco ACO The controlled object identifier.
255:  * @return array Indexed array with: 'aro', 'aco' and 'link'
256:  */
257:     public function getAclLink($aro, $aco) {
258:         $obj = array();
259:         $obj['Aro'] = $this->Aro->node($aro);
260:         $obj['Aco'] = $this->Aco->node($aco);
261: 
262:         if (empty($obj['Aro']) || empty($obj['Aco'])) {
263:             return false;
264:         }
265: 
266:         return array(
267:             'aro' => Set::extract($obj, 'Aro.0.' . $this->Aro->alias . '.id'),
268:             'aco' => Set::extract($obj, 'Aco.0.' . $this->Aco->alias . '.id'),
269:             'link' => $this->Aro->Permission->find('all', array('conditions' => array(
270:                 $this->Aro->Permission->alias . '.aro_id' => Set::extract($obj, 'Aro.0.' . $this->Aro->alias . '.id'),
271:                 $this->Aro->Permission->alias . '.aco_id' => Set::extract($obj, 'Aco.0.' . $this->Aco->alias . '.id')
272:             )))
273:         );
274:     }
275: 
276: /**
277:  * Get the keys used in an ACO
278:  *
279:  * @param array $keys Permission model info
280:  * @return array ACO keys
281:  */
282:     protected function _getAcoKeys($keys) {
283:         $newKeys = array();
284:         $keys = array_keys($keys);
285:         foreach ($keys as $key) {
286:             if (!in_array($key, array('id', 'aro_id', 'aco_id'))) {
287:                 $newKeys[] = $key;
288:             }
289:         }
290:         return $newKeys;
291:     }
292: 
293: }
294: 