Author: david
Date: Fri Sep 18 17:42:19 2009
New Revision: 3419
Log:
Go up acl group hierarchy if permissions not found at current group level. Add
'anonymous' and 'authenticated' users to acl chain.
Modified:
trunk/plugins/qbAclPlugin/lib/QubitAcl.class.php
Modified: trunk/plugins/qbAclPlugin/lib/QubitAcl.class.php
==============================================================================
--- trunk/plugins/qbAclPlugin/lib/QubitAcl.class.php Fri Sep 18 16:51:33
2009 (r3418)
+++ trunk/plugins/qbAclPlugin/lib/QubitAcl.class.php Fri Sep 18 17:42:19
2009 (r3419)
@@ -133,6 +133,13 @@
protected static function checkUserPermissions($user, $acoChain, $actionId,
$options = array())
{
+ // Anonymous users, check (anonymous) group permissions
+ if (null == $user)
+ {
+
+ return self::INHERIT;
+ }
+
$criteria = new Criteria;
$criteria->add(QubitAclPermission::USER_ID, $user->id, Criteria::EQUAL);
$criteria->add(QubitAclPermission::ACTION_ID, $actionId, Criteria::EQUAL);
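Review bot: `if (null == $user)` is a loose comparison, so besides null it also matches `0`, `''`, `false` and an empty array; if checkUserPermissions is only ever called with a user object or null this is harmless, but `null === $user` states the intent exactly and costs nothing. The same loose null test appears at `null == $objectId` in addObjectCriteria (second hunk) and `$user == null` in getGroupsByGeneration (third hunk); in addObjectCriteria an object id of 0 would fall into the ISNULL branch, which is worth confirming against how ids are assigned. The body of checkUserPermissions continues past this hunk.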
@@ -143,20 +150,18 @@
return self::checkAcoPermissionChain($acoChain, $criteria, $options);
}
- protected static function checkGroupPermissions($user, $acoChain, $actionId,
$options = array())
+ protected static function addObjectCriteria($criteria, $objectId)
{
- $criteria = new Criteria;
- $criteria->add(QubitAclUserGroup::USER_ID, $user->id, Criteria::EQUAL);
- $criteria->addJoin(QubitAclUserGroup::GROUP_ID,
QubitAclPermission::GROUP_ID, Criteria::INNER_JOIN);
- $criteria->add(QubitAclPermission::ACTION_ID, $actionId, Criteria::EQUAL);
-
- // Check 'higher level' groups first
- $criteria->addAscendingOrderByColumn(QubitAclPermission::GROUP_ID);
-
- // Check 'last-in' permissions first
- $criteria->addDescendingOrderByColumn(QubitAclPermission::ID);
+ if (null == $objectId)
+ {
+ $criteria->add(QubitAclPermission::OBJECT_ID, null, Criteria::ISNULL);
+ }
+ else
+ {
+ $criteria->add(QubitAclPermission::OBJECT_ID, $objectId,
Criteria::EQUAL);
+ }
- return self::checkAcoPermissionChain($acoChain, $criteria, $options);
+ return $criteria;
}
protected static function checkAcoPermissionChain($acoChain, $criteria,
$options = array())
@@ -195,18 +200,95 @@
return $authorize;
}
- protected static function addObjectCriteria($criteria, $objectId)
+ protected static function checkGroupPermissions($user, $acoChain, $actionId,
$options = array())
{
- if (null == $objectId)
+ $authorize = self::INHERIT;
+ $groupsByGeneration = self::getGroupsByGeneration($user);
+
+ // Test siblings from youngest (last) to oldest (first) generation
+ while ($currentGeneration = array_pop($groupsByGeneration))
{
- $criteria->add(QubitAclPermission::OBJECT_ID, null, Criteria::ISNULL);
+ foreach ($currentGeneration as $groupId)
+ {
+ $group = QubitAclGroup::getById($groupId);
+
+ $criteria = new Criteria;
+ $criteria->add(QubitAclPermission::GROUP_ID, $groupId,
Criteria::EQUAL);
+ $criteria->add(QubitAclPermission::ACTION_ID, $actionId,
Criteria::EQUAL);
+
+ $groupAuthorize = self::checkAcoPermissionChain($acoChain, $criteria,
$options);
+
+ if (self::GRANT == $groupAuthorize)
+ {
+ // If *any* sibling group returns "grant" reponse, then grant access
+ $authorize = self::GRANT;
+ break 2;
+ }
+ else if (self::DENY == $groupAuthorize)
+ {
+ // If siblings return one (or more) 'deny' reponses, and no 'grant'
+ // responses then deny access
+ $authorize = self::DENY;
+ }
+ }
+
+ // If the current generation gives 'grant' or 'deny' result, don't check
+ // ancestor generations
+ if (self::INHERIT != $authorize)
+ {
+ break;
+ }
}
- else
+
+ return $authorize;
+ }
+
+ protected static function getGroupsByGeneration($user)
+ {
+ $groupsByGeneration = array();
+
+ if ($user == null)
{
- $criteria->add(QubitAclPermission::OBJECT_ID, $objectId,
Criteria::EQUAL);
+
+ // If user is not logged in, then 'anonymous' group is only one
+ return array(0 => array(0 => QubitAclGroup::ANONYMOUS_ID));
}
- return $criteria;
+ // Get 1st order groups (link directory from user)
+ // Note: may be mixed generations (e.g. parents and children)
+ $criteria = new Criteria;
+ $criteria->add(QubitAclUserGroup::USER_ID, $user->id, Criteria::EQUAL);
+ $criteria->addJoin(QubitAclUserGroup::GROUP_ID, QubitAclGroup::ID,
Criteria::INNER_JOIN);
+
+ if (0 == count($linkedGroups = QubitAclGroup::get($criteria)))
+ {
+ // user always belongs to the 'authenticated' group
+ $linkedGroups =
array(QubitAclGroup::getById(QubitAclGroup::AUTHENTICATED_ID));
+ }
+
+ // Build a list of groups, organized by generation (siblings together)
+ foreach ($linkedGroups as $group)
+ {
+ $generation = 0;
+ $lineage = $group->getAncestors()->andSelf()->orderBy('lft');
+
+ foreach ($lineage as $node)
+ {
+ // Ignore the root node
+ if (QubitAclGroup::ROOT_ID != $node->id)
+ {
+ // Don't re-add siblings already in array
+ if (!isset($groupsByGeneration[$generation]) || !in_array($node->id,
$groupsByGeneration[$generation]))
+ {
+ $groupsByGeneration[$generation][] = $node->id;
+ }
+
+ $generation++;
+ }
+ }
+ }
+
+ return $groupsByGeneration;
}
protected static function checkPermissionList($permissions, $parameters =
array())
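Review bot: The comment `// user always belongs to the 'authenticated' group` does not match the code around it: the AUTHENTICATED_ID group is consulted only when the user has no linked groups (`if (0 == count($linkedGroups = QubitAclGroup::get($criteria)))`), so any grant or deny rule placed on the 'authenticated' group is silently skipped for users who belong to at least one explicit group. If every logged-in user is meant to inherit from that group, append it to the linked groups unconditionally instead of substituting it — e.g., when `QubitAclGroup::get()` returns a plain array, `$linkedGroups = QubitAclGroup::get($criteria); $linkedGroups[] = QubitAclGroup::getById(QubitAclGroup::AUTHENTICATED_ID);` — and let the generation-building loop below dedupe it; otherwise reword the comment to say the group is only a fallback. Separately, `$group = QubitAclGroup::getById($groupId);` in checkGroupPermissions is assigned but never read, so it is one database lookup per group per check that can be dropped. The anonymous branch returns only ANONYMOUS_ID without its ancestors, unlike the authenticated path that walks `getAncestors()`; if the anonymous group can be nested under another group, that asymmetry is probably unintended.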