1: <?php
  2: /**
  3:  *
  4:  *
  5:  * CakePHP(tm) : Rapid Development Framework (http://cakephp.org)
  6:  * Copyright (c) Cake Software Foundation, Inc. (http://cakefoundation.org)
  7:  *
  8:  * Licensed under The MIT License
  9:  * For full copyright and license information, please see the LICENSE.txt
 10:  * Redistributions of files must retain the above copyright notice.
 11:  *
 12:  * @copyright     Copyright (c) Cake Software Foundation, Inc. (http://cakefoundation.org)
 13:  * @link          http://cakephp.org CakePHP(tm) Project
 14:  * @package       Cake.Model
 15:  * @since         CakePHP(tm) v 0.2.9
 16:  * @license       http://www.opensource.org/licenses/mit-license.php MIT License
 17:  */
 18: 
 19: App::uses('AppModel', 'Model');
 20: 
 21: /**
 22:  * Permissions linking AROs with ACOs
 23:  *
 24:  * @package       Cake.Model
 25:  */
 26: class Permission extends AppModel {
 27: 
 28: /**
 29:  * Explicitly disable in-memory query caching
 30:  *
 31:  * @var boolean
 32:  */
 33:     public $cacheQueries = false;
 34: 
 35: /**
 36:  * Override default table name
 37:  *
 38:  * @var string
 39:  */
 40:     public $useTable = 'aros_acos';
 41: 
 42: /**
 43:  * Permissions link AROs with ACOs
 44:  *
 45:  * @var array
 46:  */
 47:     public $belongsTo = array('Aro', 'Aco');
 48: 
 49: /**
 50:  * No behaviors for this model
 51:  *
 52:  * @var array
 53:  */
 54:     public $actsAs = null;
 55: 
 56: /**
 57:  * Constructor, used to tell this model to use the
 58:  * database configured for ACL
 59:  */
 60:     public function __construct() {
 61:         $config = Configure::read('Acl.database');
 62:         if (!empty($config)) {
 63:             $this->useDbConfig = $config;
 64:         }
 65:         parent::__construct();
 66:     }
 67: 
 68: /**
 69:  * Checks if the given $aro has access to action $action in $aco
 70:  *
 71:  * @param string $aro ARO The requesting object identifier.
 72:  * @param string $aco ACO The controlled object identifier.
 73:  * @param string $action Action (defaults to *)
 74:  * @return boolean Success (true if ARO has access to action in ACO, false otherwise)
 75:  */
 76:     public function check($aro, $aco, $action = '*') {
 77:         if (!$aro || !$aco) {
 78:             return false;
 79:         }
 80: 
 81:         $permKeys = $this->getAcoKeys($this->schema());
 82:         $aroPath = $this->Aro->node($aro);
 83:         $acoPath = $this->Aco->node($aco);
 84: 
 85:         if (!$aroPath) {
 86:             trigger_error(__d('cake_dev',
 87:                     "%s - Failed ARO node lookup in permissions check. Node references:\nAro: %s\nAco: %s",
 88:                     'DbAcl::check()',
 89:                     print_r($aro, true),
 90:                     print_r($aco, true)),
 91:                 E_USER_WARNING
 92:             );
 93:             return false;
 94:         }
 95: 
 96:         if (!$acoPath) {
 97:             trigger_error(__d('cake_dev',
 98:                     "%s - Failed ACO node lookup in permissions check. Node references:\nAro: %s\nAco: %s",
 99:                     'DbAcl::check()',
100:                     print_r($aro, true),
101:                     print_r($aco, true)),
102:                 E_USER_WARNING
103:             );
104:             return false;
105:         }
106: 
107:         if ($action !== '*' && !in_array('_' . $action, $permKeys)) {
108:             trigger_error(__d('cake_dev', "ACO permissions key %s does not exist in %s", $action, 'DbAcl::check()'), E_USER_NOTICE);
109:             return false;
110:         }
111: 
112:         $inherited = array();
113:         $acoIDs = Hash::extract($acoPath, '{n}.' . $this->Aco->alias . '.id');
114: 
115:         $count = count($aroPath);
116:         for ($i = 0; $i < $count; $i++) {
117:             $permAlias = $this->alias;
118: 
119:             $perms = $this->find('all', array(
120:                 'conditions' => array(
121:                     "{$permAlias}.aro_id" => $aroPath[$i][$this->Aro->alias]['id'],
122:                     "{$permAlias}.aco_id" => $acoIDs
123:                 ),
124:                 'order' => array($this->Aco->alias . '.lft' => 'desc'),
125:                 'recursive' => 0
126:             ));
127: 
128:             if (empty($perms)) {
129:                 continue;
130:             }
131:             $perms = Hash::extract($perms, '{n}.' . $this->alias);
132:             foreach ($perms as $perm) {
133:                 if ($action === '*') {
134: 
135:                     foreach ($permKeys as $key) {
136:                         if (!empty($perm)) {
137:                             if ($perm[$key] == -1) {
138:                                 return false;
139:                             } elseif ($perm[$key] == 1) {
140:                                 $inherited[$key] = 1;
141:                             }
142:                         }
143:                     }
144: 
145:                     if (count($inherited) === count($permKeys)) {
146:                         return true;
147:                     }
148:                 } else {
149:                     switch ($perm['_' . $action]) {
150:                         case -1:
151:                             return false;
152:                         case 0:
153:                             continue;
154:                         case 1:
155:                             return true;
156:                     }
157:                 }
158:             }
159:         }
160:         return false;
161:     }
162: 
163: /**
164:  * Allow $aro to have access to action $actions in $aco
165:  *
166:  * @param string $aro ARO The requesting object identifier.
167:  * @param string $aco ACO The controlled object identifier.
168:  * @param string $actions Action (defaults to *) Invalid permissions will result in an exception
169:  * @param integer $value Value to indicate access type (1 to give access, -1 to deny, 0 to inherit)
170:  * @return boolean Success
171:  * @throws AclException on Invalid permission key.
172:  */
173:     public function allow($aro, $aco, $actions = '*', $value = 1) {
174:         $perms = $this->getAclLink($aro, $aco);
175:         $permKeys = $this->getAcoKeys($this->schema());
176:         $save = array();
177: 
178:         if (!$perms) {
179:             trigger_error(__d('cake_dev', '%s - Invalid node', 'DbAcl::allow()'), E_USER_WARNING);
180:             return false;
181:         }
182:         if (isset($perms[0])) {
183:             $save = $perms[0][$this->alias];
184:         }
185: 
186:         if ($actions === '*') {
187:             $save = array_combine($permKeys, array_pad(array(), count($permKeys), $value));
188:         } else {
189:             if (!is_array($actions)) {
190:                 $actions = array('_' . $actions);
191:             }
192:             foreach ($actions as $action) {
193:                 if ($action{0} !== '_') {
194:                     $action = '_' . $action;
195:                 }
196:                 if (!in_array($action, $permKeys, true)) {
197:                     throw new AclException(__d('cake_dev', 'Invalid permission key "%s"', $action));
198:                 }
199:                 $save[$action] = $value;
200:             }
201:         }
202:         list($save['aro_id'], $save['aco_id']) = array($perms['aro'], $perms['aco']);
203: 
204:         if ($perms['link'] && !empty($perms['link'])) {
205:             $save['id'] = $perms['link'][0][$this->alias]['id'];
206:         } else {
207:             unset($save['id']);
208:             $this->id = null;
209:         }
210:         return ($this->save($save) !== false);
211:     }
212: 
213: /**
214:  * Get an array of access-control links between the given Aro and Aco
215:  *
216:  * @param string $aro ARO The requesting object identifier.
217:  * @param string $aco ACO The controlled object identifier.
218:  * @return array Indexed array with: 'aro', 'aco' and 'link'
219:  */
220:     public function getAclLink($aro, $aco) {
221:         $obj = array();
222:         $obj['Aro'] = $this->Aro->node($aro);
223:         $obj['Aco'] = $this->Aco->node($aco);
224: 
225:         if (empty($obj['Aro']) || empty($obj['Aco'])) {
226:             return false;
227:         }
228:         $aro = Hash::extract($obj, 'Aro.0.' . $this->Aro->alias . '.id');
229:         $aco = Hash::extract($obj, 'Aco.0.' . $this->Aco->alias . '.id');
230:         $aro = current($aro);
231:         $aco = current($aco);
232: 
233:         return array(
234:             'aro' => $aro,
235:             'aco' => $aco,
236:             'link' => $this->find('all', array('conditions' => array(
237:                 $this->alias . '.aro_id' => $aro,
238:                 $this->alias . '.aco_id' => $aco
239:             )))
240:         );
241:     }
242: 
243: /**
244:  * Get the crud type keys
245:  *
246:  * @param array $keys Permission schema
247:  * @return array permission keys
248:  */
249:     public function getAcoKeys($keys) {
250:         $newKeys = array();
251:         $keys = array_keys($keys);
252:         foreach ($keys as $key) {
253:             if (!in_array($key, array('id', 'aro_id', 'aco_id'))) {
254:                 $newKeys[] = $key;
255:             }
256:         }
257:         return $newKeys;
258:     }
259: }
260: