Author: david
Date: Wed Sep 16 18:28:58 2009
New Revision: 3358
Log:
Improve ACL authorization logic.
Modified:
trunk/plugins/qbAclPlugin/lib/QubitAcl.class.php
trunk/plugins/qbAclPlugin/lib/model/QubitAclPermission.php
Modified: trunk/plugins/qbAclPlugin/lib/QubitAcl.class.php
==============================================================================
--- trunk/plugins/qbAclPlugin/lib/QubitAcl.class.php Wed Sep 16 16:41:46
2009 (r3357)
+++ trunk/plugins/qbAclPlugin/lib/QubitAcl.class.php Wed Sep 16 18:28:58
2009 (r3358)
@@ -59,7 +59,7 @@
{
// Check permissions with repository condition
case 'QubitInformationObject':
- $options['repositoryId'] = $aco->getRepository()->id;
+ $options['parameters']['repositoryId'] = $aco->getRepository()->id;
$hasAccess = self::allowAccess($user, $aco, $actionId, $options);
break;
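Review bot: The new line still dereferences `$aco->getRepository()->id` with no null guard, so if getRepository() can return null for an information object that has no repository (not visible from this hunk), the authorization check aborts with a fatal error before allowAccess() is reached instead of producing a decision. A guard such as `$repository = $aco->getRepository();` followed by `$options['parameters']['repositoryId'] = (null !== $repository) ? $repository->id : null;` keeps the conditional evaluable and lets the permission logic decide. The enclosing switch and method continue outside the hunk.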
@@ -87,9 +87,9 @@
return $hasAccess;
}
- protected static function getGrantDeny($permission)
+ protected static function evalGrantDeny($grantDeny)
{
- switch ($permission->grantDeny)
+ switch ($grantDeny)
{
case '1':
return self::GRANT;
@@ -115,93 +115,81 @@
{
$permission = self::INHERIT;
+ $acoChain = $aco->getAncestors()->andSelf()->orderBy('rgt');
+
// Check user permissions first
- $permission = self::checkUserPermissions($user, $aco, $actionId, $options);
+ $permission = self::checkUserPermissions($user, $acoChain, $actionId,
$options);
// Then check group permissions
if (self::INHERIT == $permission)
{
- $permission = self::checkGroupPermissions($user, $aco, $actionId,
$options);
+ $permission = self::checkGroupPermissions($user, $acoChain, $actionId,
$options);
}
return (self::GRANT == $permission);
}
- protected static function checkUserPermissions($user, $aco, $actionId,
$options = array())
+ protected static function checkUserPermissions($user, $acoChain, $actionId,
$options = array())
{
- $grantDeny = self::INHERIT;
-
$criteria = new Criteria;
$criteria->add(QubitAclPermission::USER_ID, $user->id, Criteria::EQUAL);
$criteria->add(QubitAclPermission::ACTION_ID, $actionId, Criteria::EQUAL);
- $criteria = self::addObjectCriteria($criteria, $aco->id);
// Check 'last-in' permissions first
$criteria->addDescendingOrderyByColumn(QubitAclPermission::ID);
- if (0 < count($permissions = QubitAclPermission::get($c)))
- {
- $grantDeny = self::evaluatePermissionList($permissions);
- }
-
- // If 'inherit' work way up permission chain
- if (self::INHERIT == $grantDeny)
- {
- if (0 < count($ancestors = $aco->getAncestors()->orderBy('rgt')))
- {
- $parent = $ancestors->offsetGet(0);
- $grantDeny = self::checkUserPermissions($user, $parent, $actionId,
$options);
- }
- else
- {
- // Check for global (objectId == null) permissions if specific
- // permissions for ACO chain are not found
- $grantDeny = self::checkUserPermissions($user, null, $actionId,
$options);
- }
- }
-
- return $grantDeny;
+ return checkAcoPermissionChain($acoChain, $criteria, $options);
}
- protected static function checkGroupPermissions($user, $aco, $actionId,
$options = array())
+ protected static function checkGroupPermissions($user, $acoChain, $actionId,
$options = array())
{
- $grantDeny = self::INHERIT;
-
$criteria = new Criteria;
$criteria->add(QubitAclUserGroup::USER_ID, $user->id, Criteria::EQUAL);
$criteria->addJoin(QubitAclUserGroup::GROUP_ID,
QubitAclPermission::GROUP_ID, Criteria::INNER_JOIN);
$criteria->add(QubitAclPermission::ACTION_ID, $actionId, Criteria::EQUAL);
- $criteria = self::addObjectCriteria($criteria, $aco->id);
-
// Check 'higher level' groups first
$criteria->addAscendingOrderyByColumn(QubitAclPermission::GROUP_ID);
// Check 'last-in' permissions first
$criteria->addDescendingOrderyByColumn(QubitAclPermission::ID);
- if (0 < count($permissions = QubitAclPermission::get($c)))
+ return checkAcoPermissionChain($acoChain, $criteria, $options);
+ }
+
+ protected static function checkAcoPermissionChain($acoChain, $criteria,
$options = array())
+ {
+ $authorize = self::INHERIT;
+
+ $parameters = array();
+ if (isset($options['parameters']))
+ {
+ $parameters = $options['parameters'];
+ }
+ $aco = array_shift($acoChain);
+
+ $acoCriteria = self::addObjectCriteria($criteria, $aco);
+ if (0 < count($permissions = QubitAclPermission::get($acoCriteria)))
{
- $grantDeny = self::evaluatePermissionList($permissions);
+ $authorize = self::checkPermissionList($permissions, $parameters);
}
- // If 'inherit' work way up permission chain
- if (self::INHERIT == $grantDeny)
+ // If 'inherit' work way up aco chain
+ if (self::INHERIT == $authorize)
{
- if (0 < count($ancestors = $aco->getAncestors()->orderBy('rgt')))
+ if (0 < count($acoChain))
{
- $parent = $ancestors->offsetGet(0);
- $grantDeny = self::checkGroupPermissions($user, $parent, $actionId,
$options);
+ $authorize = self::checkAcoPermissionChain($acoChain, $criteria,
$options = array());
}
else
{
// Check for global (objectId == null) permissions if specific
// permissions for ACO chain are not found
- $grantDeny = self::checkGroupPermissions($user, null, $actionId,
$options);
+ $authorize = self::checkAcoPermissionChain(null, $criteria, $options =
array());
}
}
- return $grantDeny;
+ return $authorize;
}
protected static function addObjectCriteria($criteria, $objectId)
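Review bot: The global-permission fallback at L152 has no base case: checkAcoPermissionChain(null, …) shifts nothing, `count($acoChain)` is 0 for null, and the else branch calls itself with null again, so any check that finds no matching global permission never returns. In the same body the two recursive calls write `$options = array()` in the argument list, which discards the conditional parameters (the repositoryId set at L20) for every ancestor and for the global level, and the calls at L90 and L111 lack `self::`, so they resolve to an undefined global function. addObjectCriteria() is declared with an `$objectId` parameter on the line above but receives the whole `$aco` at L126, and I am not sure array_shift() at L124 accepts the query object built at L37 — confirm it is an array there. If addObjectCriteria() mutates the Criteria in place (the old `$criteria = self::addObjectCriteria(...)` pattern suggests it may), the object conditions also accumulate across the recursion and each level should work on a copy. The rewrite below stops at the global level, passes `$options` through unchanged and hands addObjectCriteria() an id.
```php
  protected static function checkAcoPermissionChain($acoChain, $criteria, $options = array())
  {
    // … unchanged: $authorize / $parameters setup …

    // A null chain means the global (objectId IS NULL) level, the end of the walk
    $aco = (null !== $acoChain) ? array_shift($acoChain) : null;

    // addObjectCriteria() takes an id, not the ACO object; null selects global permissions
    $acoCriteria = self::addObjectCriteria($criteria, (null !== $aco) ? $aco->id : null);
    // … unchanged: QubitAclPermission::get() / checkPermissionList() …

    // If 'inherit', work up the aco chain; never recurse again once at the global level
    if (self::INHERIT == $authorize && null !== $acoChain)
    {
      // $options is passed through so conditional parameters (e.g. repositoryId)
      // are evaluated at every ancestor and at the global level
      if (0 < count($acoChain))
      {
        $authorize = self::checkAcoPermissionChain($acoChain, $criteria, $options);
      }
      else
      {
        $authorize = self::checkAcoPermissionChain(null, $criteria, $options);
      }
    }

    return $authorize;
  }
```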
@@ -218,21 +206,23 @@
return $criteria;
}
- protected static function evaluatePermissionList($permissions, $aco)
+ protected static function checkPermissionList($permissions, $parameters =
array())
{
- $grantDeny = self::INHERIT;
+ $grantDeny = null;
// Evaluate permission in descending order (last permission entered takes
// precedence)
foreach ($permissions as $permission)
{
- if ($permission->objectId == $node->id)
+ $grantDeny = $permission->check($permission->userId, $permission->acoId,
$permission->actionId, $parameters);
+ $permission->debug($parameters);
+
+ if (null != $grantDeny)
{
- $grantDeny = self::getGrantDeny($permission);
break;
}
}
- return $grantDeny;
+ return self::evalGrantDeny($grantDeny);
}
}
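Review bot: The call at L174 passes each row's own userId/acoId/actionId back into that row's check(), so the equality tests there compare the record with itself and never with the requested user, object and action; the loop therefore returns the first row whose conditional evaluates true, and only the SQL criteria constrains which rows are considered. `$permission->acoId` is not a column shown anywhere in this patch (the model compares `$this->objectId`), so that argument is likely null and `$permission->objectId` was probably meant. The null test at L178 should be strict, `if (null !== $grantDeny)`, because a loose `null != $grantDeny` treats a deny stored as integer 0 as "no decision" and keeps scanning. The unconditional `$permission->debug($parameters)` at L176 prints every evaluated row into the response; remove it or gate it on a debug setting.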
Modified: trunk/plugins/qbAclPlugin/lib/model/QubitAclPermission.php
==============================================================================
--- trunk/plugins/qbAclPlugin/lib/model/QubitAclPermission.php Wed Sep 16
16:41:46 2009 (r3357)
+++ trunk/plugins/qbAclPlugin/lib/model/QubitAclPermission.php Wed Sep 16
18:28:58 2009 (r3358)
@@ -19,6 +19,18 @@
class QubitAclPermission extends BaseAclPermission
{
+ public function check($userId, $objectId, $actionId, $parameters = array())
+ {
+ if (
+ $userId == $this->userId &&
+ $objectId == $this->objectId &&
+ $actionId == $this->actionId &&
+ $this->evaluateConditional($parameters))
+ {
+ return $this->grantDeny;
+ }
+ }
+
public function setRepository($repository)
{
if ($repository instanceof QubitRepository)
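Review bot: check() falls off the end without a return when the row does not match, so callers receive an implicit null; make that explicit with `return null;` after the if block and document that null means "this permission does not apply" while the returned grantDeny is the decision. The three comparisons use loose `==`, under which null and 0 compare equal, so a global permission row (null userId or objectId) can match a request for id 0 and vice versa; compare with `===` once the id types are settled so a global row cannot be mistaken for a specific one. evaluateConditional() runs here for every candidate row, which is worth a one-line comment since it executes the stored conditional.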
@@ -48,23 +60,15 @@
return QubitRepository::getById($repositoryId);
}
- public function accessRepository($repositoryId)
+ public function evaluateConditional($parameters)
{
- $constants = unserialize($this->constants);
-
- if (!isset($constants['repositoryId']))
+ // If no conditional specified, than always return true
+ if (0 == strlen($conditional = $this->conditional))
{
- // If no repository constant is defined, then all repositories are
accessible
return true;
}
- return $this->evaluateConditional($parameters = array('repositoryId' =>
$repositoryId));
- }
-
- public function evaluateConditional($parameters)
- {
- $conditional = $this->conditional;
$constants = unserialize($this->constants);
// Substitute constants
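Review bot: evaluateConditional() is now called for every permission row that check() examines, and its remaining body (outside this hunk) still concatenates the `conditional` column into eval(); the new early return only covers the empty case. Because anything written to that column executes as PHP inside the ACL decision, the method should say so, e.g. `// WARNING: $this->conditional is executed as PHP code; only trusted administrators may write this column` above the strlen() test, and the substitution step should be checked to fail closed (return false) when a parameter the conditional references is missing from $parameters — this hunk does not show what happens in that case. The removed accessRepository() has no replacement in this commit, so any remaining caller now fails. The method's body continues past the hunk.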
@@ -91,8 +95,19 @@
}
}
- var_dump('Conditional: '.$conditional);
// evaluate conditional
return eval('return ('.$conditional.');');
}
+
+ public function debug($parameters)
+ {
+ $debug = 'permission_'.$this->id.'( ';
+ $debug .= 'userId: '.$this->userId.', ';
+ $debug .= 'objectId: '.$this->objectId.', ';
+ $debug .= 'actionId: '.$this->actionId.', ';
+ $debug .= 'parameters: array('.print_r($parameters).'))<br />';
+ $debug .= "\n";
+
+ echo $debug;
+ }
}
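Review bot: `print_r($parameters)` at L251 prints the array immediately and returns true, so the assembled string reads `parameters: array(1))` and the real dump lands in the output ahead of it; use `print_r($parameters, true)`. More importantly debug() echoes straight into the response and checkPermissionList() calls it unconditionally, so every authorization check writes permission ids, user ids and object ids into the page body and corrupts non-HTML responses; route it through the application logger or gate it on a debug setting rather than echo.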