SHARE
TWEET

Phalcon ACL database adapter with export to memory adapter

a guest Sep 24th, 2015 121 Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. <?php
  2. /*
  3.   +------------------------------------------------------------------------+
  4.   | Phalcon Framework                                                      |
  5.   +------------------------------------------------------------------------+
  6.   | Copyright (c) 2011-2014 Phalcon Team (http://www.phalconphp.com)       |
  7.   +------------------------------------------------------------------------+
  8.   | This source file is subject to the New BSD License that is bundled     |
  9.   | with this package in the file docs/LICENSE.txt.                        |
  10.   |                                                                        |
  11.   | If you did not receive a copy of the license and are unable to         |
  12.   | obtain it through the world-wide-web, please send an email             |
  13.   | to license@phalconphp.com so we can send you a copy immediately.       |
  14.   +------------------------------------------------------------------------+
  15.   | Authors: Andres Gutierrez <andres@phalconphp.com>                      |
  16.   |          Eduar Carvajal <eduar@phalconphp.com>                         |
  17.   +------------------------------------------------------------------------+
  18. */
  19. namespace Phalcon\Acl\Adapter;
  20.  
  21. use Phalcon\Db;
  22. use Phalcon\Acl\Adapter;
  23. use Phalcon\Acl\AdapterInterface;
  24. use Phalcon\Acl\Exception;
  25. use Phalcon\Acl\Resource;
  26. use Phalcon\Acl;
  27. use Phalcon\Acl\Role;
  28.  
  29. /**
  30.  * Phalcon\Acl\Adapter\Database
  31.  * Manages ACL lists in memory
  32.  */
  33. class Database extends Adapter implements AdapterInterface
  34. {
  35.  
  36.     /**
  37.      * @var array
  38.      */
  39.     protected $options;
  40.  
  41.     /**
  42.      * @var array
  43.      */
  44.     protected $_fullAcl = array();
  45.  
  46.     /**
  47.      * Class constructor.
  48.      *
  49.      * @param  array                  $options
  50.      * @throws \Phalcon\Acl\Exception
  51.      */
  52.     public function __construct(array $options)
  53.     {
  54.         if (!isset($options['db'])) {
  55.             throw new Exception("Parameter 'db' is required");
  56.         }
  57.  
  58.         if (!isset($options['roles'])) {
  59.             throw new Exception("Parameter 'roles' is required");
  60.         }
  61.  
  62.         if (!isset($options['resources'])) {
  63.             throw new Exception("Parameter 'resources' is required");
  64.         }
  65.  
  66.         if (!isset($options['resourcesAccesses'])) {
  67.             throw new Exception("Parameter 'resourcesAccesses' is required");
  68.         }
  69.  
  70.         if (!isset($options['accessList'])) {
  71.             throw new Exception("Parameter 'accessList' is required");
  72.         }
  73.  
  74.         $this->options = $options;
  75.     }
  76.  
  77.     /**
  78.      * {@inheritdoc}
  79.      * Example:
  80.      * <code>$acl->addRole(new Phalcon\Acl\Role('administrator'), 'consultor');</code>
  81.      * <code>$acl->addRole('administrator', 'consultor');</code>
  82.      *
  83.      * @param  \Phalcon\Acl\Role|string $role
  84.      * @param  string                   $accessInherits
  85.      * @return boolean
  86.      */
  87.     public function addRole($role, $accessInherits = null)
  88.     {
  89.         if (!is_object($role)) {
  90.             $role = new Role($role);
  91.         }
  92.  
  93.         $exists = $this->options['db']->fetchOne(
  94.             'SELECT COUNT(*) FROM ' . $this->options['roles'] . ' WHERE name = ?',
  95.             null,
  96.             array($role->getName())
  97.         );
  98.  
  99.         if (!$exists[0]) {
  100.             $this->options['db']->execute(
  101.                 'INSERT INTO ' . $this->options['roles'] . ' VALUES (?, ?)',
  102.                 array($role->getName(), $role->getDescription())
  103.             );
  104.  
  105.             $this->options['db']->execute(
  106.                 'INSERT INTO ' . $this->options['accessList'] . ' VALUES (?, ?, ?, ?)',
  107.                 array($role->getName(), '*', '*', $this->_defaultAccess)
  108.             );
  109.         }
  110.  
  111.         if ($accessInherits) {
  112.             return $this->addInherit($role->getName(), $accessInherits);
  113.         }
  114.  
  115.         return true;
  116.     }
  117.  
  118.     /**
  119.      * {@inheritdoc}
  120.      *
  121.      * @param  string                 $roleName
  122.      * @param  string                 $roleToInherit
  123.      * @throws \Phalcon\Acl\Exception
  124.      */
  125.     public function addInherit($roleName, $roleToInherit)
  126.     {
  127.         $sql = 'SELECT COUNT(*) FROM ' . $this->options['roles'] . ' WHERE name = ?';
  128.         $exists = $this->options['db']->fetchOne($sql, null, array($roleName));
  129.         if (!$exists[0]) {
  130.             throw new Exception("Role '" . $roleName . "' does not exist in the role list");
  131.         }
  132.  
  133.         $exists = $this->options['db']->fetchOne(
  134.             'SELECT COUNT(*) FROM ' . $this->options['rolesInherits'] . ' WHERE roles_name = ? AND roles_inherit = ?',
  135.             null,
  136.             array($roleName, $roleToInherit)
  137.         );
  138.  
  139.         if (!$exists[0]) {
  140.             $this->options['db']->execute(
  141.                 'INSERT INTO ' . $this->options['rolesInherits'] . ' VALUES (?, ?)',
  142.                 array($roleName, $roleToInherit)
  143.             );
  144.         }
  145.     }
  146.  
  147.     /**
  148.      * {@inheritdoc}
  149.      *
  150.      * @param  string  $roleName
  151.      * @return boolean
  152.      */
  153.     public function isRole($roleName)
  154.     {
  155.         $exists = $this->options['db']->fetchOne(
  156.             'SELECT COUNT(*) FROM ' . $this->options['roles'] . ' WHERE name = ?',
  157.             null,
  158.             array($roleName)
  159.         );
  160.  
  161.         return (bool) $exists[0];
  162.     }
  163.  
  164.     /**
  165.      * {@inheritdoc}
  166.      *
  167.      * @param  string  $resourceName
  168.      * @return boolean
  169.      */
  170.     public function isResource($resourceName)
  171.     {
  172.         $exists = $this->options['db']->fetchOne(
  173.             'SELECT COUNT(*) FROM ' . $this->options['resources'] . ' WHERE name = ?',
  174.             null,
  175.             array($resourceName)
  176.         );
  177.  
  178.         return (bool) $exists[0];
  179.     }
  180.  
  181.     /**
  182.      * {@inheritdoc}
  183.      * Example:
  184.      * <code>
  185.      * //Add a resource to the the list allowing access to an action
  186.      * $acl->addResource(new Phalcon\Acl\Resource('customers'), 'search');
  187.      * $acl->addResource('customers', 'search');
  188.      * //Add a resource  with an access list
  189.      * $acl->addResource(new Phalcon\Acl\Resource('customers'), array('create', 'search'));
  190.      * $acl->addResource('customers', array('create', 'search'));
  191.      * </code>
  192.      *
  193.      * @param  \Phalcon\Acl\Resource|string $resource
  194.      * @param  array|string                 $accessList
  195.      * @return boolean
  196.      */
  197.     public function addResource($resource, $accessList = null)
  198.     {
  199.         if (!is_object($resource)) {
  200.             $resource = new Resource($resource);
  201.         }
  202.  
  203.         $exists = $this->options['db']->fetchOne(
  204.             'SELECT COUNT(*) FROM ' . $this->options['resources'] . ' WHERE name = ?',
  205.             null,
  206.             array($resource->getName())
  207.         );
  208.  
  209.         if (!$exists[0]) {
  210.             $this->options['db']->execute(
  211.                 'INSERT INTO ' . $this->options['resources'] . ' VALUES (?, ?)',
  212.                 array($resource->getName(), $resource->getDescription())
  213.             );
  214.         }
  215.  
  216.         if ($accessList) {
  217.             return $this->addResourceAccess($resource->getName(), $accessList);
  218.         }
  219.  
  220.         return true;
  221.     }
  222.  
  223.     /**
  224.      * {@inheritdoc}
  225.      *
  226.      * @param  string                 $resourceName
  227.      * @param  array|string           $accessList
  228.      * @return boolean
  229.      * @throws \Phalcon\Acl\Exception
  230.      */
  231.     public function addResourceAccess($resourceName, $accessList)
  232.     {
  233.         if (!$this->isResource($resourceName)) {
  234.             throw new Exception("Resource '" . $resourceName . "' does not exist in ACL");
  235.         }
  236.  
  237.         $sql = 'SELECT COUNT(*) FROM ' .
  238.             $this->options['resourcesAccesses'] .
  239.             ' WHERE resources_name = ? AND access_name = ?';
  240.  
  241.         if (!is_array($accessList)) {
  242.             $accessList = array($accessList);
  243.         }
  244.  
  245.         foreach ($accessList as $accessName) {
  246.             $exists = $this->options['db']->fetchOne($sql, null, array($resourceName, $accessName));
  247.             if (!$exists[0]) {
  248.                 $this->options['db']->execute(
  249.                     'INSERT INTO ' . $this->options['resourcesAccesses'] . ' VALUES (?, ?)',
  250.                     array($resourceName, $accessName)
  251.                 );
  252.             }
  253.         }
  254.  
  255.         return true;
  256.     }
  257.  
  258.     /**
  259.      * {@inheritdoc}
  260.      *
  261.      * @return \Phalcon\Acl\Resource[]
  262.      */
  263.     public function getResources()
  264.     {
  265.         $resources = array();
  266.         $sql       = 'SELECT * FROM ' . $this->options['resources'];
  267.  
  268.         foreach ($this->options['db']->fetchAll($sql, Db::FETCH_ASSOC) as $row) {
  269.             $resources[] = new Resource($row['name'], $row['description']);
  270.         }
  271.  
  272.         return $resources;
  273.     }
  274.  
  275.     /**
  276.      * {@inheritdoc}
  277.      *
  278.      * @return \Phalcon\Acl\Role[]
  279.      */
  280.     public function getRoles()
  281.     {
  282.         $roles = array();
  283.         $sql   = 'SELECT * FROM ' . $this->options['roles'];
  284.  
  285.         foreach ($this->options['db']->fetchAll($sql, Db::FETCH_ASSOC) as $row) {
  286.             $roles[] = new Role($row['name'], $row['description']);
  287.         }
  288.  
  289.         return $roles;
  290.     }
  291.  
  292.     /**
  293.      * {@inheritdoc}
  294.      *
  295.      * @param string       $resourceName
  296.      * @param array|string $accessList
  297.      */
  298.     public function dropResourceAccess($resourceName, $accessList)
  299.     {
  300.     }
  301.  
  302.     /**
  303.      * {@inheritdoc}
  304.      * You can use '*' as wildcard
  305.      * Example:
  306.      * <code>
  307.      * //Allow access to guests to search on customers
  308.      * $acl->allow('guests', 'customers', 'search');
  309.      * //Allow access to guests to search or create on customers
  310.      * $acl->allow('guests', 'customers', array('search', 'create'));
  311.      * //Allow access to any role to browse on products
  312.      * $acl->allow('*', 'products', 'browse');
  313.      * //Allow access to any role to browse on any resource
  314.      * $acl->allow('*', '*', 'browse');
  315.      * </code>
  316.      *
  317.      * @param string       $roleName
  318.      * @param string       $resourceName
  319.      * @param array|string $access
  320.      */
  321.     public function allow($roleName, $resourceName, $access)
  322.     {
  323.         $this->allowOrDeny($roleName, $resourceName, $access, Acl::ALLOW);
  324.     }
  325.  
  326.     /**
  327.      * {@inheritdoc}
  328.      * You can use '*' as wildcard
  329.      * Example:
  330.      * <code>
  331.      * //Deny access to guests to search on customers
  332.      * $acl->deny('guests', 'customers', 'search');
  333.      * //Deny access to guests to search or create on customers
  334.      * $acl->deny('guests', 'customers', array('search', 'create'));
  335.      * //Deny access to any role to browse on products
  336.      * $acl->deny('*', 'products', 'browse');
  337.      * //Deny access to any role to browse on any resource
  338.      * $acl->deny('*', '*', 'browse');
  339.      * </code>
  340.      *
  341.      * @param  string       $roleName
  342.      * @param  string       $resourceName
  343.      * @param  array|string $access
  344.      * @return boolean
  345.      */
  346.     public function deny($roleName, $resourceName, $access)
  347.     {
  348.         $this->allowOrDeny($roleName, $resourceName, $access, Acl::DENY);
  349.     }
  350.  
  351.     /**
  352.      * {@inheritdoc}
  353.      * Example:
  354.      * <code>
  355.      * //Does Andres have access to the customers resource to create?
  356.      * $acl->isAllowed('Andres', 'Products', 'create');
  357.      * //Do guests have access to any resource to edit?
  358.      * $acl->isAllowed('guests', '*', 'edit');
  359.      * </code>
  360.      *
  361.      * @param string $role
  362.      * @param string $resource
  363.      * @param string $access
  364.      *
  365.      * @return bool
  366.      */
  367.     public function isAllowed($role, $resource, $access)
  368.     {
  369.         $sql = implode(' ', array(
  370.             'SELECT allowed FROM', $this->options['accessList'], 'AS a',
  371.             // role_name in:
  372.             'WHERE roles_name IN (',
  373.                 // given 'role'-parameter
  374.                 'SELECT ? ',
  375.                 // inherited role_names
  376.                 'UNION SELECT roles_inherit FROM', $this->options['rolesInherits'], 'WHERE roles_name = ?',
  377.                 // or 'any'
  378.                 "UNION SELECT '*'",
  379.             ')',
  380.             // resources_name should be given one or 'any'
  381.             "AND resources_name IN (?, '*')",
  382.             // access_name should be given one or 'any'
  383.             "AND access_name IN (?, '*')",
  384.             // order be the sum of bools for 'literals' before 'any'
  385.             "ORDER BY CAST((roles_name != '*') AS INT)+CAST((resources_name != '*') AS INT)+CAST((access_name != '*') AS INT) DESC",
  386.             // get only one...
  387.             'LIMIT 1'
  388.         ));
  389.  
  390.         // fetch one entry...
  391.         $allowed = $this->options['db']->fetchOne($sql, Db::FETCH_NUM, array($role, $role, $resource, $access));
  392.         if (is_array($allowed)) {
  393.             return (bool) $allowed[0];
  394.         }
  395.  
  396.         /**
  397.          * Return the default access action
  398.          */
  399.  
  400.         return $this->_defaultAccess;
  401.     }
  402.  
  403.     /**
  404.      * Inserts/Updates a permission in the access list
  405.      *
  406.      * @param  string                 $roleName
  407.      * @param  string                 $resourceName
  408.      * @param  string                 $accessName
  409.      * @param  integer                $action
  410.      * @return boolean
  411.      * @throws \Phalcon\Acl\Exception
  412.      */
  413.     protected function insertOrUpdateAccess($roleName, $resourceName, $accessName, $action)
  414.     {
  415.         /**
  416.          * Check if the access is valid in the resource
  417.          */
  418.         $sql = 'SELECT COUNT(*) FROM ' .
  419.             $this->options['resourcesAccesses'] .
  420.             ' WHERE resources_name = ? AND access_name = ?';
  421.         $exists = $this->options['db']->fetchOne($sql, null, array($resourceName, $accessName));
  422.         if (!$exists[0]) {
  423.             throw new Exception(
  424.                 "Access '" . $accessName . "' does not exist in resource '" . $resourceName . "' in ACL"
  425.             );
  426.         }
  427.  
  428.         /**
  429.          * Update the access in access_list
  430.          */
  431.         $sql = 'SELECT COUNT(*) FROM ' .
  432.             $this->options['accessList'] .
  433.             ' WHERE roles_name = ? AND resources_name = ? AND access_name = ?';
  434.         $exists = $this->options['db']->fetchOne($sql, null, array($roleName, $resourceName, $accessName));
  435.         if (!$exists[0]) {
  436.             $sql = 'INSERT INTO ' . $this->options['accessList'] . ' VALUES (?, ?, ?, ?)';
  437.             $params = array($roleName, $resourceName, $accessName, $action);
  438.         } else {
  439.             $sql = 'UPDATE ' .
  440.                 $this->options['accessList'] .
  441.                 ' SET allowed = ? WHERE roles_name = ? AND resources_name = ? AND access_name = ?';
  442.             $params = array($action, $roleName, $resourceName, $accessName);
  443.         }
  444.  
  445.         $this->options['db']->execute($sql, $params);
  446.  
  447.         /**
  448.          * Update the access '*' in access_list
  449.          */
  450.         $sql = 'SELECT COUNT(*) FROM ' .
  451.             $this->options['accessList'] .
  452.             ' WHERE roles_name = ? AND resources_name = ? AND access_name = ?';
  453.         $exists = $this->options['db']->fetchOne($sql, null, array($roleName, $resourceName, '*'));
  454.         if (!$exists[0]) {
  455.             $sql = 'INSERT INTO ' . $this->options['accessList'] . ' VALUES (?, ?, ?, ?)';
  456.             $this->options['db']->execute($sql, array($roleName, $resourceName, '*', $this->_defaultAccess));
  457.         }
  458.  
  459.         $this->_fullAcl[$roleName][$resourceName][] = $accessName;
  460.  
  461.         return true;
  462.     }
  463.  
  464.     /**
  465.      * Inserts/Updates a permission in the access list
  466.      *
  467.      * @param  string                 $roleName
  468.      * @param  string                 $resourceName
  469.      * @param  array|string           $access
  470.      * @param  integer                $action
  471.      * @throws \Phalcon\Acl\Exception
  472.      */
  473.     protected function allowOrDeny($roleName, $resourceName, $access, $action)
  474.     {
  475.         if (!$this->isRole($roleName)) {
  476.             throw new Exception('Role "' . $roleName . '" does not exist in the list');
  477.         }
  478.  
  479.         if (!is_array($access)) {
  480.             $access = array($access);
  481.         }
  482.  
  483.         foreach ($access as $accessName) {
  484.             $this->insertOrUpdateAccess($roleName, $resourceName, $accessName, $action);
  485.         }
  486.     }
  487.  
  488.     /**
  489.      * {@inheritdoc}
  490.      *
  491.      * @return StdClass
  492.      */
  493.     public function getData()
  494.     {
  495.         return (object)[
  496.             "defaultAction" => $this->getDefaultAction(),
  497.             "roles"         => $this->getRoles(),
  498.             "resources"     => $this->getResources(),
  499.             "accessList"    => $this->_fullAcl
  500.         ];
  501.     }
  502.  
  503.     /**
  504.      * {@inheritdoc}
  505.      *
  506.      * @return \Phalcon\Acl\Adapter\Memory
  507.      */
  508.     public function toMemory()
  509.     {
  510.         $adapter = new \Phalcon\Acl\Adapter\Memory();
  511.         $object  = $this->getData();
  512.  
  513.         $adapter->setDefaultAction($object->defaultAction);
  514.  
  515.         foreach ($object->accessList as $role => $resources) {
  516.             $adapter->addRole($role);
  517.             foreach ($resources as $resource => $accesses) {
  518.                 $adapter->addResource($resource, $accesses);
  519.                 foreach ($accesses as $access) {
  520.                     $adapter->allow($role, $resource, $access);
  521.                 }
  522.             }
  523.         }
  524.  
  525.         return $adapter;
  526.     }
  527. }
RAW Paste Data
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy. OK, I Understand
 
Top