Skip to content
Projects
Groups
Snippets
Help
This project
Loading...
Sign in / Register
Toggle navigation
Y
yii2
Project
Overview
Details
Activity
Cycle Analytics
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Charts
Issues
0
Issues
0
List
Board
Labels
Milestones
Merge Requests
0
Merge Requests
0
CI / CD
CI / CD
Pipelines
Jobs
Schedules
Charts
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Charts
Create a new issue
Jobs
Commits
Issue Boards
Open sidebar
PSDI Army
yii2
Commits
cd338706
Commit
cd338706
authored
May 09, 2013
by
Alexander Kochetov
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
Moved to framework/rbac + method names refactoring
parent
9158e110
Show whitespace changes
Inline
Side-by-side
Showing
5 changed files
with
539 additions
and
220 deletions
+539
-220
Assignment.php
framework/rbac/Assignment.php
+5
-5
Item.php
framework/rbac/Item.php
+24
-24
Manager.php
framework/rbac/Manager.php
+18
-18
PhpManager.php
framework/rbac/PhpManager.php
+492
-0
IAuthManager.php
framework/web/IAuthManager.php
+0
-173
No files found.
framework/
web/Auth
Assignment.php
→
framework/
rbac/
Assignment.php
View file @
cd338706
...
@@ -5,7 +5,7 @@
...
@@ -5,7 +5,7 @@
* @license http://www.yiiframework.com/license/
* @license http://www.yiiframework.com/license/
*/
*/
namespace
yii\
web
;
namespace
yii\
rbac
;
use
Yii
;
use
Yii
;
use
yii\base\Object
;
use
yii\base\Object
;
...
@@ -16,7 +16,7 @@ use yii\base\Object;
...
@@ -16,7 +16,7 @@ use yii\base\Object;
* @author Alexander Kochetov <creocoder@gmail.com>
* @author Alexander Kochetov <creocoder@gmail.com>
* @since 2.0
* @since 2.0
*/
*/
class
A
uthA
ssignment
extends
Object
class
Assignment
extends
Object
{
{
private
$_auth
;
private
$_auth
;
private
$_itemName
;
private
$_itemName
;
...
@@ -26,7 +26,7 @@ class AuthAssignment extends Object
...
@@ -26,7 +26,7 @@ class AuthAssignment extends Object
/**
/**
* Constructor.
* Constructor.
* @param I
Auth
Manager $auth the authorization manager
* @param IManager $auth the authorization manager
* @param string $itemName authorization item name
* @param string $itemName authorization item name
* @param mixed $userId user ID (see [[User::id]])
* @param mixed $userId user ID (see [[User::id]])
* @param string $bizRule the business rule associated with this assignment
* @param string $bizRule the business rule associated with this assignment
...
@@ -72,7 +72,7 @@ class AuthAssignment extends Object
...
@@ -72,7 +72,7 @@ class AuthAssignment extends Object
{
{
if
(
$this
->
_bizRule
!==
$value
)
{
if
(
$this
->
_bizRule
!==
$value
)
{
$this
->
_bizRule
=
$value
;
$this
->
_bizRule
=
$value
;
$this
->
_auth
->
saveA
uthA
ssignment
(
$this
);
$this
->
_auth
->
saveAssignment
(
$this
);
}
}
}
}
...
@@ -91,7 +91,7 @@ class AuthAssignment extends Object
...
@@ -91,7 +91,7 @@ class AuthAssignment extends Object
{
{
if
(
$this
->
_data
!==
$value
)
{
if
(
$this
->
_data
!==
$value
)
{
$this
->
_data
=
$value
;
$this
->
_data
=
$value
;
$this
->
_auth
->
saveA
uthA
ssignment
(
$this
);
$this
->
_auth
->
saveAssignment
(
$this
);
}
}
}
}
}
}
framework/
web/Auth
Item.php
→
framework/
rbac/
Item.php
View file @
cd338706
...
@@ -5,7 +5,7 @@
...
@@ -5,7 +5,7 @@
* @license http://www.yiiframework.com/license/
* @license http://www.yiiframework.com/license/
*/
*/
namespace
yii\
web
;
namespace
yii\
rbac
;
use
Yii
;
use
Yii
;
use
yii\base\Object
;
use
yii\base\Object
;
...
@@ -16,7 +16,7 @@ use yii\base\Object;
...
@@ -16,7 +16,7 @@ use yii\base\Object;
* @author Alexander Kochetov <creocoder@gmail.com>
* @author Alexander Kochetov <creocoder@gmail.com>
* @since 2.0
* @since 2.0
*/
*/
class
Auth
Item
extends
Object
class
Item
extends
Object
{
{
const
TYPE_OPERATION
=
0
;
const
TYPE_OPERATION
=
0
;
const
TYPE_TASK
=
1
;
const
TYPE_TASK
=
1
;
...
@@ -31,7 +31,7 @@ class AuthItem extends Object
...
@@ -31,7 +31,7 @@ class AuthItem extends Object
/**
/**
* Constructor.
* Constructor.
* @param I
Auth
Manager $auth authorization manager
* @param IManager $auth authorization manager
* @param string $name authorization item name
* @param string $name authorization item name
* @param integer $type authorization item type. This can be 0 (operation), 1 (task) or 2 (role).
* @param integer $type authorization item type. This can be 0 (operation), 1 (task) or 2 (role).
* @param string $description the description
* @param string $description the description
...
@@ -51,7 +51,7 @@ class AuthItem extends Object
...
@@ -51,7 +51,7 @@ class AuthItem extends Object
/**
/**
* Checks to see if the specified item is within the hierarchy starting from this item.
* Checks to see if the specified item is within the hierarchy starting from this item.
* This method is expected to be internally used by the actual implementations
* This method is expected to be internally used by the actual implementations
* of the [[I
Auth
Manager::checkAccess()]].
* of the [[IManager::checkAccess()]].
* @param string $itemName the name of the item to be checked
* @param string $itemName the name of the item to be checked
* @param array $params the parameters to be passed to business rule evaluation
* @param array $params the parameters to be passed to business rule evaluation
* @return boolean whether the specified item is within the hierarchy starting from this item.
* @return boolean whether the specified item is within the hierarchy starting from this item.
...
@@ -73,9 +73,9 @@ class AuthItem extends Object
...
@@ -73,9 +73,9 @@ class AuthItem extends Object
}
}
/**
/**
* @return I
Auth
Manager the authorization manager
* @return IManager the authorization manager
*/
*/
public
function
get
Auth
Manager
()
public
function
getManager
()
{
{
return
$this
->
_auth
;
return
$this
->
_auth
;
}
}
...
@@ -104,7 +104,7 @@ class AuthItem extends Object
...
@@ -104,7 +104,7 @@ class AuthItem extends Object
if
(
$this
->
_name
!==
$value
)
{
if
(
$this
->
_name
!==
$value
)
{
$oldName
=
$this
->
_name
;
$oldName
=
$this
->
_name
;
$this
->
_name
=
$value
;
$this
->
_name
=
$value
;
$this
->
_auth
->
save
Auth
Item
(
$this
,
$oldName
);
$this
->
_auth
->
saveItem
(
$this
,
$oldName
);
}
}
}
}
...
@@ -123,7 +123,7 @@ class AuthItem extends Object
...
@@ -123,7 +123,7 @@ class AuthItem extends Object
{
{
if
(
$this
->
_description
!==
$value
)
{
if
(
$this
->
_description
!==
$value
)
{
$this
->
_description
=
$value
;
$this
->
_description
=
$value
;
$this
->
_auth
->
save
Auth
Item
(
$this
);
$this
->
_auth
->
saveItem
(
$this
);
}
}
}
}
...
@@ -142,7 +142,7 @@ class AuthItem extends Object
...
@@ -142,7 +142,7 @@ class AuthItem extends Object
{
{
if
(
$this
->
_bizRule
!==
$value
)
{
if
(
$this
->
_bizRule
!==
$value
)
{
$this
->
_bizRule
=
$value
;
$this
->
_bizRule
=
$value
;
$this
->
_auth
->
save
Auth
Item
(
$this
);
$this
->
_auth
->
saveItem
(
$this
);
}
}
}
}
...
@@ -161,7 +161,7 @@ class AuthItem extends Object
...
@@ -161,7 +161,7 @@ class AuthItem extends Object
{
{
if
(
$this
->
_data
!==
$value
)
{
if
(
$this
->
_data
!==
$value
)
{
$this
->
_data
=
$value
;
$this
->
_data
=
$value
;
$this
->
_auth
->
save
Auth
Item
(
$this
);
$this
->
_auth
->
saveItem
(
$this
);
}
}
}
}
...
@@ -170,7 +170,7 @@ class AuthItem extends Object
...
@@ -170,7 +170,7 @@ class AuthItem extends Object
* @param string $name the name of the child item
* @param string $name the name of the child item
* @return boolean whether the item is added successfully
* @return boolean whether the item is added successfully
* @throws \yii\base\Exception if either parent or child doesn't exist or if a loop has been detected.
* @throws \yii\base\Exception if either parent or child doesn't exist or if a loop has been detected.
* @see I
Auth
Manager::addItemChild
* @see IManager::addItemChild
*/
*/
public
function
addChild
(
$name
)
public
function
addChild
(
$name
)
{
{
...
@@ -182,7 +182,7 @@ class AuthItem extends Object
...
@@ -182,7 +182,7 @@ class AuthItem extends Object
* Note, the child item is not deleted. Only the parent-child relationship is removed.
* Note, the child item is not deleted. Only the parent-child relationship is removed.
* @param string $name the child item name
* @param string $name the child item name
* @return boolean whether the removal is successful
* @return boolean whether the removal is successful
* @see I
Auth
Manager::removeItemChild
* @see IManager::removeItemChild
*/
*/
public
function
removeChild
(
$name
)
public
function
removeChild
(
$name
)
{
{
...
@@ -193,7 +193,7 @@ class AuthItem extends Object
...
@@ -193,7 +193,7 @@ class AuthItem extends Object
* Returns a value indicating whether a child exists
* Returns a value indicating whether a child exists
* @param string $name the child item name
* @param string $name the child item name
* @return boolean whether the child exists
* @return boolean whether the child exists
* @see I
Auth
Manager::hasItemChild
* @see IManager::hasItemChild
*/
*/
public
function
hasChild
(
$name
)
public
function
hasChild
(
$name
)
{
{
...
@@ -203,7 +203,7 @@ class AuthItem extends Object
...
@@ -203,7 +203,7 @@ class AuthItem extends Object
/**
/**
* Returns the children of this item.
* Returns the children of this item.
* @return array all child items of this item.
* @return array all child items of this item.
* @see I
Auth
Manager::getItemChildren
* @see IManager::getItemChildren
*/
*/
public
function
getChildren
()
public
function
getChildren
()
{
{
...
@@ -216,46 +216,46 @@ class AuthItem extends Object
...
@@ -216,46 +216,46 @@ class AuthItem extends Object
* @param string $bizRule the business rule to be executed when [[checkAccess()]] is called
* @param string $bizRule the business rule to be executed when [[checkAccess()]] is called
* for this particular authorization item.
* for this particular authorization item.
* @param mixed $data additional data associated with this assignment
* @param mixed $data additional data associated with this assignment
* @return A
uthA
ssignment the authorization assignment information.
* @return Assignment the authorization assignment information.
* @throws \yii\base\Exception if the item has already been assigned to the user
* @throws \yii\base\Exception if the item has already been assigned to the user
* @see I
Auth
Manager::assign
* @see IManager::assign
*/
*/
public
function
assign
(
$userId
,
$bizRule
=
null
,
$data
=
null
)
public
function
assign
(
$userId
,
$bizRule
=
null
,
$data
=
null
)
{
{
return
$this
->
_auth
->
assign
(
$
this
->
_name
,
$userId
,
$bizRule
,
$data
);
return
$this
->
_auth
->
assign
(
$
userId
,
$this
->
_name
,
$bizRule
,
$data
);
}
}
/**
/**
* Revokes an authorization assignment from a user.
* Revokes an authorization assignment from a user.
* @param mixed $userId the user ID (see [[User::id]])
* @param mixed $userId the user ID (see [[User::id]])
* @return boolean whether removal is successful
* @return boolean whether removal is successful
* @see I
Auth
Manager::revoke
* @see IManager::revoke
*/
*/
public
function
revoke
(
$userId
)
public
function
revoke
(
$userId
)
{
{
return
$this
->
_auth
->
revoke
(
$
this
->
_name
,
$userId
);
return
$this
->
_auth
->
revoke
(
$
userId
,
$this
->
_name
);
}
}
/**
/**
* Returns a value indicating whether this item has been assigned to the user.
* Returns a value indicating whether this item has been assigned to the user.
* @param mixed $userId the user ID (see [[User::id]])
* @param mixed $userId the user ID (see [[User::id]])
* @return boolean whether the item has been assigned to the user.
* @return boolean whether the item has been assigned to the user.
* @see I
Auth
Manager::isAssigned
* @see IManager::isAssigned
*/
*/
public
function
isAssigned
(
$userId
)
public
function
isAssigned
(
$userId
)
{
{
return
$this
->
_auth
->
isAssigned
(
$
this
->
_name
,
$userId
);
return
$this
->
_auth
->
isAssigned
(
$
userId
,
$this
->
_name
);
}
}
/**
/**
* Returns the item assignment information.
* Returns the item assignment information.
* @param mixed $userId the user ID (see [[User::id]])
* @param mixed $userId the user ID (see [[User::id]])
* @return A
uthA
ssignment the item assignment information. Null is returned if
* @return Assignment the item assignment information. Null is returned if
* this item is not assigned to the user.
* this item is not assigned to the user.
* @see I
AuthManager::getAuth
Assignment
* @see I
Manager::get
Assignment
*/
*/
public
function
getAssignment
(
$userId
)
public
function
getAssignment
(
$userId
)
{
{
return
$this
->
_auth
->
getA
uthAssignment
(
$this
->
_name
,
$userId
);
return
$this
->
_auth
->
getA
ssignment
(
$userId
,
$this
->
_name
);
}
}
}
}
framework/
web/Auth
Manager.php
→
framework/
rbac/
Manager.php
View file @
cd338706
...
@@ -5,7 +5,7 @@
...
@@ -5,7 +5,7 @@
* @license http://www.yiiframework.com/license/
* @license http://www.yiiframework.com/license/
*/
*/
namespace
yii\
web
;
namespace
yii\
rbac
;
use
Yii
;
use
Yii
;
use
yii\base\Component
;
use
yii\base\Component
;
...
@@ -17,7 +17,7 @@ use yii\base\Exception;
...
@@ -17,7 +17,7 @@ use yii\base\Exception;
* @author Alexander Kochetov <creocoder@gmail.com>
* @author Alexander Kochetov <creocoder@gmail.com>
* @since 2.0
* @since 2.0
*/
*/
abstract
class
AuthManager
extends
Component
implements
IAuth
Manager
abstract
class
Manager
extends
Component
implements
I
Manager
{
{
/**
/**
* @var boolean Enable error reporting for bizRules.
* @var boolean Enable error reporting for bizRules.
...
@@ -38,86 +38,86 @@ abstract class AuthManager extends Component implements IAuthManager
...
@@ -38,86 +38,86 @@ abstract class AuthManager extends Component implements IAuthManager
/**
/**
* Creates a role.
* Creates a role.
* This is a shortcut method to [[I
AuthManager::createAuth
Item()]].
* This is a shortcut method to [[I
Manager::create
Item()]].
* @param string $name the item name
* @param string $name the item name
* @param string $description the item description.
* @param string $description the item description.
* @param string $bizRule the business rule associated with this item
* @param string $bizRule the business rule associated with this item
* @param mixed $data additional data to be passed when evaluating the business rule
* @param mixed $data additional data to be passed when evaluating the business rule
* @return
Auth
Item the authorization item
* @return Item the authorization item
*/
*/
public
function
createRole
(
$name
,
$description
=
''
,
$bizRule
=
null
,
$data
=
null
)
public
function
createRole
(
$name
,
$description
=
''
,
$bizRule
=
null
,
$data
=
null
)
{
{
return
$this
->
create
AuthItem
(
$name
,
Auth
Item
::
TYPE_ROLE
,
$description
,
$bizRule
,
$data
);
return
$this
->
create
Item
(
$name
,
Item
::
TYPE_ROLE
,
$description
,
$bizRule
,
$data
);
}
}
/**
/**
* Creates a task.
* Creates a task.
* This is a shortcut method to [[I
AuthManager::createAuth
Item()]].
* This is a shortcut method to [[I
Manager::create
Item()]].
* @param string $name the item name
* @param string $name the item name
* @param string $description the item description.
* @param string $description the item description.
* @param string $bizRule the business rule associated with this item
* @param string $bizRule the business rule associated with this item
* @param mixed $data additional data to be passed when evaluating the business rule
* @param mixed $data additional data to be passed when evaluating the business rule
* @return
Auth
Item the authorization item
* @return Item the authorization item
*/
*/
public
function
createTask
(
$name
,
$description
=
''
,
$bizRule
=
null
,
$data
=
null
)
public
function
createTask
(
$name
,
$description
=
''
,
$bizRule
=
null
,
$data
=
null
)
{
{
return
$this
->
create
AuthItem
(
$name
,
Auth
Item
::
TYPE_TASK
,
$description
,
$bizRule
,
$data
);
return
$this
->
create
Item
(
$name
,
Item
::
TYPE_TASK
,
$description
,
$bizRule
,
$data
);
}
}
/**
/**
* Creates an operation.
* Creates an operation.
* This is a shortcut method to [[I
AuthManager::createAuth
Item()]].
* This is a shortcut method to [[I
Manager::create
Item()]].
* @param string $name the item name
* @param string $name the item name
* @param string $description the item description.
* @param string $description the item description.
* @param string $bizRule the business rule associated with this item
* @param string $bizRule the business rule associated with this item
* @param mixed $data additional data to be passed when evaluating the business rule
* @param mixed $data additional data to be passed when evaluating the business rule
* @return
Auth
Item the authorization item
* @return Item the authorization item
*/
*/
public
function
createOperation
(
$name
,
$description
=
''
,
$bizRule
=
null
,
$data
=
null
)
public
function
createOperation
(
$name
,
$description
=
''
,
$bizRule
=
null
,
$data
=
null
)
{
{
return
$this
->
create
AuthItem
(
$name
,
Auth
Item
::
TYPE_OPERATION
,
$description
,
$bizRule
,
$data
);
return
$this
->
create
Item
(
$name
,
Item
::
TYPE_OPERATION
,
$description
,
$bizRule
,
$data
);
}
}
/**
/**
* Returns roles.
* Returns roles.
* This is a shortcut method to [[I
AuthManager::getAuth
Items()]].
* This is a shortcut method to [[I
Manager::get
Items()]].
* @param mixed $userId the user ID. If not null, only the roles directly assigned to the user
* @param mixed $userId the user ID. If not null, only the roles directly assigned to the user
* will be returned. Otherwise, all roles will be returned.
* will be returned. Otherwise, all roles will be returned.
* @return array roles (name=>AuthItem)
* @return array roles (name=>AuthItem)
*/
*/
public
function
getRoles
(
$userId
=
null
)
public
function
getRoles
(
$userId
=
null
)
{
{
return
$this
->
get
AuthItems
(
AuthItem
::
TYPE_ROLE
,
$userId
);
return
$this
->
get
Items
(
$userId
,
Item
::
TYPE_ROLE
);
}
}
/**
/**
* Returns tasks.
* Returns tasks.
* This is a shortcut method to [[I
AuthManager::getAuth
Items()]].
* This is a shortcut method to [[I
Manager::get
Items()]].
* @param mixed $userId the user ID. If not null, only the tasks directly assigned to the user
* @param mixed $userId the user ID. If not null, only the tasks directly assigned to the user
* will be returned. Otherwise, all tasks will be returned.
* will be returned. Otherwise, all tasks will be returned.
* @return array tasks (name=>AuthItem)
* @return array tasks (name=>AuthItem)
*/
*/
public
function
getTasks
(
$userId
=
null
)
public
function
getTasks
(
$userId
=
null
)
{
{
return
$this
->
get
AuthItems
(
AuthItem
::
TYPE_TASK
,
$userId
);
return
$this
->
get
Items
(
$userId
,
Item
::
TYPE_TASK
);
}
}
/**
/**
* Returns operations.
* Returns operations.
* This is a shortcut method to [[I
AuthManager::getAuth
Items()]].
* This is a shortcut method to [[I
Manager::get
Items()]].
* @param mixed $userId the user ID. If not null, only the operations directly assigned to the user
* @param mixed $userId the user ID. If not null, only the operations directly assigned to the user
* will be returned. Otherwise, all operations will be returned.
* will be returned. Otherwise, all operations will be returned.
* @return array operations (name=>AuthItem)
* @return array operations (name=>AuthItem)
*/
*/
public
function
getOperations
(
$userId
=
null
)
public
function
getOperations
(
$userId
=
null
)
{
{
return
$this
->
get
AuthItems
(
AuthItem
::
TYPE_OPERATION
,
$userId
);
return
$this
->
get
Items
(
$userId
,
Item
::
TYPE_OPERATION
);
}
}
/**
/**
* Executes the specified business rule.
* Executes the specified business rule.
* @param string $bizRule the business rule to be executed.
* @param string $bizRule the business rule to be executed.
* @param array $params parameters passed to [[I
Auth
Manager::checkAccess()]].
* @param array $params parameters passed to [[IManager::checkAccess()]].
* @param mixed $data additional data associated with the authorization item or assignment.
* @param mixed $data additional data associated with the authorization item or assignment.
* @return boolean whether the business rule returns true.
* @return boolean whether the business rule returns true.
* If the business rule is empty, it will still return true.
* If the business rule is empty, it will still return true.
...
...
framework/rbac/PhpManager.php
0 → 100644
View file @
cd338706
<?php
/**
* @link http://www.yiiframework.com/
* @copyright Copyright (c) 2008 Yii Software LLC
* @license http://www.yiiframework.com/license/
*/
namespace
yii\rbac
;
use
Yii
;
use
yii\base\Exception
;
/**
*
* @author Qiang Xue <qiang.xue@gmail.com>
* @author Alexander Kochetov <creocoder@gmail.com>
* @since 2.0
*/
class
PhpManager
extends
Manager
{
/**
* @var string the path of the PHP script that contains the authorization data.
* If not set, it will be using 'protected/data/auth.php' as the data file.
* Make sure this file is writable by the Web server process if the authorization
* needs to be changed.
* @see loadFromFile
* @see saveToFile
*/
public
$authFile
;
private
$_items
=
array
();
// itemName => item
private
$_children
=
array
();
// itemName, childName => child
private
$_assignments
=
array
();
// userId, itemName => assignment
/**
* Initializes the application component.
* This method overrides parent implementation by loading the authorization data
* from PHP script.
*/
public
function
init
()
{
parent
::
init
();
if
(
$this
->
authFile
===
null
)
{
$this
->
authFile
=
Yii
::
getAlias
(
'@app/data/rbac'
)
.
'.php'
;
}
$this
->
load
();
}
/**
* Performs access check for the specified user.
* @param mixed $userId the user ID. This can be either an integer or a string representing
* @param string $itemName the name of the operation that need access check
* the unique identifier of a user. See [[User::id]].
* @param array $params name-value pairs that would be passed to biz rules associated
* with the tasks and roles assigned to the user.
* Since version 1.1.11 a param with name 'userId' is added to this array, which holds the value of <code>$userId</code>.
* @return boolean whether the operations can be performed by the user.
*/
public
function
checkAccess
(
$userId
,
$itemName
,
$params
=
array
())
{
if
(
!
isset
(
$this
->
_items
[
$itemName
]))
{
return
false
;
}
$item
=
$this
->
_items
[
$itemName
];
Yii
::
trace
(
'Checking permission: '
.
$item
->
getName
(),
__METHOD__
);
if
(
!
isset
(
$params
[
'userId'
]))
{
$params
[
'userId'
]
=
$userId
;
}
if
(
$this
->
executeBizRule
(
$item
->
getBizRule
(),
$params
,
$item
->
getData
()))
{
if
(
in_array
(
$itemName
,
$this
->
defaultRoles
))
{
return
true
;
}
if
(
isset
(
$this
->
_assignments
[
$userId
][
$itemName
]))
{
$assignment
=
$this
->
_assignments
[
$userId
][
$itemName
];
if
(
$this
->
executeBizRule
(
$assignment
->
getBizRule
(),
$params
,
$assignment
->
getData
()))
{
return
true
;
}
}
foreach
(
$this
->
_children
as
$parentName
=>
$children
)
{
if
(
isset
(
$children
[
$itemName
])
&&
$this
->
checkAccess
(
$userId
,
$parentName
,
$params
))
{
return
true
;
}
}
}
return
false
;
}
/**
* Adds an item as a child of another item.
* @param string $itemName the parent item name
* @param string $childName the child item name
* @return boolean whether the item is added successfully
* @throws Exception if either parent or child doesn't exist or if a loop has been detected.
*/
public
function
addItemChild
(
$itemName
,
$childName
)
{
if
(
!
isset
(
$this
->
_items
[
$childName
],
$this
->
_items
[
$itemName
]))
{
throw
new
Exception
(
"Either '
$itemName
' or '
$childName
' does not exist."
);
}
$child
=
$this
->
_items
[
$childName
];
$item
=
$this
->
_items
[
$itemName
];
$this
->
checkItemChildType
(
$item
->
getType
(),
$child
->
getType
());
if
(
$this
->
detectLoop
(
$itemName
,
$childName
))
{
throw
new
Exception
(
"Cannot add '
$childName
' as a child of '
$itemName
'. A loop has been detected."
);
}
if
(
isset
(
$this
->
_children
[
$itemName
][
$childName
]))
{
throw
new
Exception
(
"The item '
$itemName
' already has a child '
$childName
'."
);
}
$this
->
_children
[
$itemName
][
$childName
]
=
$this
->
_items
[
$childName
];
return
true
;
}
/**
* Removes a child from its parent.
* Note, the child item is not deleted. Only the parent-child relationship is removed.
* @param string $itemName the parent item name
* @param string $childName the child item name
* @return boolean whether the removal is successful
*/
public
function
removeItemChild
(
$itemName
,
$childName
)
{
if
(
isset
(
$this
->
_children
[
$itemName
][
$childName
]))
{
unset
(
$this
->
_children
[
$itemName
][
$childName
]);
return
true
;
}
else
{
return
false
;
}
}
/**
* Returns a value indicating whether a child exists within a parent.
* @param string $itemName the parent item name
* @param string $childName the child item name
* @return boolean whether the child exists
*/
public
function
hasItemChild
(
$itemName
,
$childName
)
{
return
isset
(
$this
->
_children
[
$itemName
][
$childName
]);
}
/**
* Returns the children of the specified item.
* @param mixed $names the parent item name. This can be either a string or an array.
* The latter represents a list of item names.
* @return array all child items of the parent
*/
public
function
getItemChildren
(
$names
)
{
if
(
is_string
(
$names
))
{
return
isset
(
$this
->
_children
[
$names
])
?
$this
->
_children
[
$names
]
:
array
();
}
$children
=
array
();
foreach
(
$names
as
$name
)
{
if
(
isset
(
$this
->
_children
[
$name
]))
{
$children
=
array_merge
(
$children
,
$this
->
_children
[
$name
]);
}
}
return
$children
;
}
/**
* Assigns an authorization item to a user.
* @param mixed $userId the user ID (see [[User::id]])
* @param string $itemName the item name
* @param string $bizRule the business rule to be executed when [[checkAccess()]] is called
* for this particular authorization item.
* @param mixed $data additional data associated with this assignment
* @return Assignment the authorization assignment information.
* @throws Exception if the item does not exist or if the item has already been assigned to the user
*/
public
function
assign
(
$userId
,
$itemName
,
$bizRule
=
null
,
$data
=
null
)
{
if
(
!
isset
(
$this
->
_items
[
$itemName
]))
{
throw
new
Exception
(
"Unknown authorization item '
$itemName
'."
);
}
elseif
(
isset
(
$this
->
_assignments
[
$userId
][
$itemName
]))
{
throw
new
Exception
(
"Authorization item '
$itemName
' has already been assigned to user '
$userId
'."
);
}
else
{
return
$this
->
_assignments
[
$userId
][
$itemName
]
=
new
Assignment
(
$this
,
$itemName
,
$userId
,
$bizRule
,
$data
);
}
}
/**
* Revokes an authorization assignment from a user.
* @param mixed $userId the user ID (see [[User::id]])
* @param string $itemName the item name
* @return boolean whether removal is successful
*/
public
function
revoke
(
$userId
,
$itemName
)
{
if
(
isset
(
$this
->
_assignments
[
$userId
][
$itemName
]))
{
unset
(
$this
->
_assignments
[
$userId
][
$itemName
]);
return
true
;
}
else
{
return
false
;
}
}
/**
* Returns a value indicating whether the item has been assigned to the user.
* @param mixed $userId the user ID (see [[User::id]])
* @param string $itemName the item name
* @return boolean whether the item has been assigned to the user.
*/
public
function
isAssigned
(
$userId
,
$itemName
)
{
return
isset
(
$this
->
_assignments
[
$userId
][
$itemName
]);
}
/**
* Returns the item assignment information.
* @param mixed $userId the user ID (see [[User::id]])
* @param string $itemName the item name
* @return Assignment the item assignment information. Null is returned if
* the item is not assigned to the user.
*/
public
function
getAssignment
(
$userId
,
$itemName
)
{
return
isset
(
$this
->
_assignments
[
$userId
][
$itemName
])
?
$this
->
_assignments
[
$userId
][
$itemName
]
:
null
;
}
/**
* Returns the item assignments for the specified user.
* @param mixed $userId the user ID (see [[User::id]])
* @return array the item assignment information for the user. An empty array will be
* returned if there is no item assigned to the user.
*/
public
function
getAssignments
(
$userId
)
{
return
isset
(
$this
->
_assignments
[
$userId
])
?
$this
->
_assignments
[
$userId
]
:
array
();
}
/**
* Returns the authorization items of the specific type and user.
* @param mixed $userId the user ID. Defaults to null, meaning returning all items even if
* they are not assigned to a user.
* @param integer $type the item type (0: operation, 1: task, 2: role). Defaults to null,
* meaning returning all items regardless of their type.
* @return array the authorization items of the specific type.
*/
public
function
getItems
(
$userId
=
null
,
$type
=
null
)
{
if
(
$type
===
null
&&
$userId
===
null
)
{
return
$this
->
_items
;
}
$items
=
array
();
if
(
$userId
===
null
)
{
foreach
(
$this
->
_items
as
$name
=>
$item
)
{
if
(
$item
->
getType
()
==
$type
)
{
$items
[
$name
]
=
$item
;
}
}
}
elseif
(
isset
(
$this
->
_assignments
[
$userId
]))
{
foreach
(
$this
->
_assignments
[
$userId
]
as
$assignment
)
{
$name
=
$assignment
->
getItemName
();
if
(
isset
(
$this
->
_items
[
$name
])
&&
(
$type
===
null
||
$this
->
_items
[
$name
]
->
getType
()
==
$type
))
{
$items
[
$name
]
=
$this
->
_items
[
$name
];
}
}
}
return
$items
;
}
/**
* Creates an authorization item.
* An authorization item represents an action permission (e.g. creating a post).
* It has three types: operation, task and role.
* Authorization items form a hierarchy. Higher level items inheirt permissions representing
* by lower level items.
* @param string $name the item name. This must be a unique identifier.
* @param integer $type the item type (0: operation, 1: task, 2: role).
* @param string $description description of the item
* @param string $bizRule business rule associated with the item. This is a piece of
* PHP code that will be executed when [[checkAccess()]] is called for the item.
* @param mixed $data additional data associated with the item.
* @return Item the authorization item
* @throws Exception if an item with the same name already exists
*/
public
function
createItem
(
$name
,
$type
,
$description
=
''
,
$bizRule
=
null
,
$data
=
null
)
{
if
(
isset
(
$this
->
_items
[
$name
]))
{
throw
new
Exception
(
'Unable to add an item whose name is the same as an existing item.'
);
}
return
$this
->
_items
[
$name
]
=
new
Item
(
$this
,
$name
,
$type
,
$description
,
$bizRule
,
$data
);
}
/**
* Removes the specified authorization item.
* @param string $name the name of the item to be removed
* @return boolean whether the item exists in the storage and has been removed
*/
public
function
removeItem
(
$name
)
{
if
(
isset
(
$this
->
_items
[
$name
]))
{
foreach
(
$this
->
_children
as
&
$children
)
{
unset
(
$children
[
$name
]);
}
foreach
(
$this
->
_assignments
as
&
$assignments
)
{
unset
(
$assignments
[
$name
]);
}
unset
(
$this
->
_items
[
$name
]);
return
true
;
}
else
{
return
false
;
}
}
/**
* Returns the authorization item with the specified name.
* @param string $name the name of the item
* @return Item the authorization item. Null if the item cannot be found.
*/
public
function
getItem
(
$name
)
{
return
isset
(
$this
->
_items
[
$name
])
?
$this
->
_items
[
$name
]
:
null
;
}
/**
* Saves an authorization item to persistent storage.
* @param Item $item the item to be saved.
* @param string $oldName the old item name. If null, it means the item name is not changed.
* @throws Exception if an item with the same name already taken
*/
public
function
saveItem
(
$item
,
$oldName
=
null
)
{
if
(
$oldName
!==
null
&&
(
$newName
=
$item
->
getName
())
!==
$oldName
)
// name changed
{
if
(
isset
(
$this
->
_items
[
$newName
]))
{
throw
new
Exception
(
"Unable to change the item name. The name '
$newName
' is already used by another item."
);
}
if
(
isset
(
$this
->
_items
[
$oldName
])
&&
$this
->
_items
[
$oldName
]
===
$item
)
{
unset
(
$this
->
_items
[
$oldName
]);
$this
->
_items
[
$newName
]
=
$item
;
if
(
isset
(
$this
->
_children
[
$oldName
]))
{
$this
->
_children
[
$newName
]
=
$this
->
_children
[
$oldName
];
unset
(
$this
->
_children
[
$oldName
]);
}
foreach
(
$this
->
_children
as
&
$children
)
{
if
(
isset
(
$children
[
$oldName
]))
{
$children
[
$newName
]
=
$children
[
$oldName
];
unset
(
$children
[
$oldName
]);
}
}
foreach
(
$this
->
_assignments
as
&
$assignments
)
{
if
(
isset
(
$assignments
[
$oldName
]))
{
$assignments
[
$newName
]
=
$assignments
[
$oldName
];
unset
(
$assignments
[
$oldName
]);
}
}
}
}
}
/**
* Saves the changes to an authorization assignment.
* @param Assignment $assignment the assignment that has been changed.
*/
public
function
saveAssignment
(
$assignment
)
{
}
/**
* Saves authorization data into persistent storage.
* If any change is made to the authorization data, please make
* sure you call this method to save the changed data into persistent storage.
*/
public
function
save
()
{
$items
=
array
();
foreach
(
$this
->
_items
as
$name
=>
$item
)
{
$items
[
$name
]
=
array
(
'type'
=>
$item
->
getType
(),
'description'
=>
$item
->
getDescription
(),
'bizRule'
=>
$item
->
getBizRule
(),
'data'
=>
$item
->
getData
(),
);
if
(
isset
(
$this
->
_children
[
$name
]))
{
foreach
(
$this
->
_children
[
$name
]
as
$child
)
{
$items
[
$name
][
'children'
][]
=
$child
->
getName
();
}
}
}
foreach
(
$this
->
_assignments
as
$userId
=>
$assignments
)
{
foreach
(
$assignments
as
$name
=>
$assignment
)
{
if
(
isset
(
$items
[
$name
]))
{
$items
[
$name
][
'assignments'
][
$userId
]
=
array
(
'bizRule'
=>
$assignment
->
getBizRule
(),
'data'
=>
$assignment
->
getData
(),
);
}
}
}
$this
->
saveToFile
(
$items
,
$this
->
authFile
);
}
/**
* Loads authorization data.
*/
public
function
load
()
{
$this
->
clearAll
();
$items
=
$this
->
loadFromFile
(
$this
->
authFile
);
foreach
(
$items
as
$name
=>
$item
)
{
$this
->
_items
[
$name
]
=
new
Item
(
$this
,
$name
,
$item
[
'type'
],
$item
[
'description'
],
$item
[
'bizRule'
],
$item
[
'data'
]);
}
foreach
(
$items
as
$name
=>
$item
)
{
if
(
isset
(
$item
[
'children'
]))
{
foreach
(
$item
[
'children'
]
as
$childName
)
{
if
(
isset
(
$this
->
_items
[
$childName
]))
{
$this
->
_children
[
$name
][
$childName
]
=
$this
->
_items
[
$childName
];
}
}
}
if
(
isset
(
$item
[
'assignments'
]))
{
foreach
(
$item
[
'assignments'
]
as
$userId
=>
$assignment
)
{
$this
->
_assignments
[
$userId
][
$name
]
=
new
Assignment
(
$this
,
$name
,
$userId
,
$assignment
[
'bizRule'
],
$assignment
[
'data'
]);
}
}
}
}
/**
* Removes all authorization data.
*/
public
function
clearAll
()
{
$this
->
clearAssignments
();
$this
->
_children
=
array
();
$this
->
_items
=
array
();
}
/**
* Removes all authorization assignments.
*/
public
function
clearAssignments
()
{
$this
->
_assignments
=
array
();
}
/**
* Checks whether there is a loop in the authorization item hierarchy.
* @param string $itemName parent item name
* @param string $childName the name of the child item that is to be added to the hierarchy
* @return boolean whether a loop exists
*/
protected
function
detectLoop
(
$itemName
,
$childName
)
{
if
(
$childName
===
$itemName
)
{
return
true
;
}
if
(
!
isset
(
$this
->
_children
[
$childName
],
$this
->
_items
[
$itemName
]))
{
return
false
;
}
foreach
(
$this
->
_children
[
$childName
]
as
$child
)
{
if
(
$this
->
detectLoop
(
$itemName
,
$child
->
getName
()))
{
return
true
;
}
}
return
false
;
}
/**
* Loads the authorization data from a PHP script file.
* @param string $file the file path.
* @return array the authorization data
* @see saveToFile
*/
protected
function
loadFromFile
(
$file
)
{
if
(
is_file
(
$file
))
{
return
require
(
$file
);
}
else
{
return
array
();
}
}
/**
* Saves the authorization data to a PHP script file.
* @param array $data the authorization data
* @param string $file the file path.
* @see loadFromFile
*/
protected
function
saveToFile
(
$data
,
$file
)
{
file_put_contents
(
$file
,
"<?php
\n
return "
.
var_export
(
$data
,
true
)
.
";
\n
"
);
}
}
framework/web/IAuthManager.php
deleted
100644 → 0
View file @
9158e110
<?php
/**
* @link http://www.yiiframework.com/
* @copyright Copyright (c) 2008 Yii Software LLC
* @license http://www.yiiframework.com/license/
*/
namespace
yii\web
;
/**
* IAuthManager interface is implemented by an auth manager application component.
*
* @author Qiang Xue <qiang.xue@gmail.com>
* @author Alexander Kochetov <creocoder@gmail.com>
* @since 2.0
*/
interface
IAuthManager
{
/**
* Performs access check for the specified user.
* @param mixed $userId the user ID. This should be either an integer or a string representing
* the unique identifier of a user. See [[User::id]].
* @param string $itemName the name of the operation that we are checking access to
* @param array $params name-value pairs that would be passed to biz rules associated
* with the tasks and roles assigned to the user.
* @return boolean whether the operations can be performed by the user.
*/
public
function
checkAccess
(
$userId
,
$itemName
,
$params
=
array
());
/**
* Creates an authorization item.
* An authorization item represents an action permission (e.g. creating a post).
* It has three types: operation, task and role.
* Authorization items form a hierarchy. Higher level items inheirt permissions representing
* by lower level items.
* @param string $name the item name. This must be a unique identifier.
* @param integer $type the item type (0: operation, 1: task, 2: role).
* @param string $description description of the item
* @param string $bizRule business rule associated with the item. This is a piece of
* PHP code that will be executed when [[checkAccess()]] is called for the item.
* @param mixed $data additional data associated with the item.
* @throws \yii\base\Exception if an item with the same name already exists
* @return AuthItem the authorization item
*/
public
function
createAuthItem
(
$name
,
$type
,
$description
=
''
,
$bizRule
=
null
,
$data
=
null
);
/**
* Removes the specified authorization item.
* @param string $name the name of the item to be removed
* @return boolean whether the item exists in the storage and has been removed
*/
public
function
removeAuthItem
(
$name
);
/**
* Returns the authorization items of the specific type and user.
* @param mixed $userId the user ID. Defaults to null, meaning returning all items even if
* they are not assigned to a user.
* @param integer $type the item type (0: operation, 1: task, 2: role). Defaults to null,
* meaning returning all items regardless of their type.
* @return array the authorization items of the specific type.
*/
public
function
getAuthItems
(
$userId
=
null
,
$type
=
null
);
/**
* Returns the authorization item with the specified name.
* @param string $name the name of the item
* @return AuthItem the authorization item. Null if the item cannot be found.
*/
public
function
getAuthItem
(
$name
);
/**
* Saves an authorization item to persistent storage.
* @param AuthItem $item the item to be saved.
* @param string $oldName the old item name. If null, it means the item name is not changed.
*/
public
function
saveAuthItem
(
$item
,
$oldName
=
null
);
/**
* Adds an item as a child of another item.
* @param string $itemName the parent item name
* @param string $childName the child item name
* @throws \yii\base\Exception if either parent or child doesn't exist or if a loop has been detected.
*/
public
function
addItemChild
(
$itemName
,
$childName
);
/**
* Removes a child from its parent.
* Note, the child item is not deleted. Only the parent-child relationship is removed.
* @param string $itemName the parent item name
* @param string $childName the child item name
* @return boolean whether the removal is successful
*/
public
function
removeItemChild
(
$itemName
,
$childName
);
/**
* Returns a value indicating whether a child exists within a parent.
* @param string $itemName the parent item name
* @param string $childName the child item name
* @return boolean whether the child exists
*/
public
function
hasItemChild
(
$itemName
,
$childName
);
/**
* Returns the children of the specified item.
* @param mixed $itemName the parent item name. This can be either a string or an array.
* The latter represents a list of item names.
* @return array all child items of the parent
*/
public
function
getItemChildren
(
$itemName
);
/**
* Assigns an authorization item to a user.
* @param mixed $userId the user ID (see [[User::id]])
* @param string $itemName the item name
* @param string $bizRule the business rule to be executed when [[checkAccess()]] is called
* for this particular authorization item.
* @param mixed $data additional data associated with this assignment
* @return AuthAssignment the authorization assignment information.
* @throws \yii\base\Exception if the item does not exist or if the item has already been assigned to the user
*/
public
function
assign
(
$userId
,
$itemName
,
$bizRule
=
null
,
$data
=
null
);
/**
* Revokes an authorization assignment from a user.
* @param mixed $userId the user ID (see [[User::id]])
* @param string $itemName the item name
* @return boolean whether removal is successful
*/
public
function
revoke
(
$userId
,
$itemName
);
/**
* Returns a value indicating whether the item has been assigned to the user.
* @param mixed $userId the user ID (see [[User::id]])
* @param string $itemName the item name
* @return boolean whether the item has been assigned to the user.
*/
public
function
isAssigned
(
$userId
,
$itemName
);
/**
* Returns the item assignment information.
* @param mixed $userId the user ID (see [[User::id]])
* @param string $itemName the item name
* @return AuthAssignment the item assignment information. Null is returned if
* the item is not assigned to the user.
*/
public
function
getAuthAssignment
(
$userId
,
$itemName
);
/**
* Returns the item assignments for the specified user.
* @param mixed $userId the user ID (see [[User::id]])
* @return array the item assignment information for the user. An empty array will be
* returned if there is no item assigned to the user.
*/
public
function
getAuthAssignments
(
$userId
);
/**
* Saves the changes to an authorization assignment.
* @param AuthAssignment $assignment the assignment that has been changed.
*/
public
function
saveAuthAssignment
(
$assignment
);
/**
* Removes all authorization data.
*/
public
function
clearAll
();
/**
* Removes all authorization assignments.
*/
public
function
clearAuthAssignments
();
/**
* Saves authorization data into persistent storage.
* If any change is made to the authorization data, please make
* sure you call this method to save the changed data into persistent storage.
*/
public
function
save
();
/**
* Executes a business rule.
* A business rule is a piece of PHP code that will be executed when [[checkAccess()]] is called.
* @param string $bizRule the business rule to be executed.
* @param array $params additional parameters to be passed to the business rule when being executed.
* @param mixed $data additional data that is associated with the corresponding authorization item or assignment
* @return boolean whether the execution returns a true value.
* If the business rule is empty, it will also return true.
*/
public
function
executeBizRule
(
$bizRule
,
$params
,
$data
);
}
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment