Gentics Portal.Node PHP API
RAuthorizer Class Reference

Public Member Functions

 init ()
 getRoles ($includeSuperuser=true, $sort=true)
 createAuthItem ($name, $type, $description= '', $bizRule=null, $data=null)
 updateAuthItem ($oldName, $name, $description= '', $bizRule=null, $data=null)
 getAuthItems ($types=null, $userId=null, CAuthItem $parent=null, $sort=true, $exclude=array())
 getAuthItemParents ($item, $type=null, $parentName=null, $direct=false)
 getAuthItemChildren ($item, $type=null)
 attachAuthItemBehavior ($items, $userId=null, CAuthItem $parent=null)
 getSuperusers ()
 attachUserBehavior ($users)
 isSuperuser ($userId)
 getPermissions ($itemName=null)
 hasPermission ($itemName, $parentName=null, $permissions=array())
 getAuthManager ()

Public Attributes

 $superuserName

Protected Member Functions

 mergeAuthItems ($array1, $array2)
 excludeInvalidAuthItems ($items, CAuthItem $parent=null, $exclude=array())
 sanitizeExpression ($code)

Detailed Description

Rights authorizer component class file.

Author
Christoffer Niska cnisk.nosp@m.a@li.nosp@m.ve.co.nosp@m.m
Since
0.5

Definition at line 9 of file RAuthorizer.php.

Member Function Documentation

RAuthorizer::attachAuthItemBehavior ($items, $userId = null, CAuthItem $parent = null)

Attaches the rights authorization item behavior to the given item.

Parameters
mixed $items: the item or items to which to attach the behavior.
int $userId: the ID of the user to which the item is assigned.
CAuthItem $parent: the parent of the given item.
Returns
mixed the item or items with the behavior attached.

Definition at line 289 of file RAuthorizer.php.

Referenced by getAuthItemChildren(), getAuthItemParents(), getAuthItems(), and getRoles().

{
    // We have a single item.
    if ($items instanceof CAuthItem) {
        $items->attachBehavior('rights', new RAuthItemBehavior($userId, $parent));
    // We have multiple items.
    } else if ($items===(array)$items) {
        foreach ($items as $item) {
            $item->attachBehavior('rights', new RAuthItemBehavior($userId, $parent));
        }
    }
    return $items;
}

RAuthorizer::attachUserBehavior ($users)

Attaches the rights user behavior to the given users.

Parameters
mixed $users: the user or users to which to attach the behavior.
Returns
mixed the user or users with the behavior attached.

Definition at line 347 of file RAuthorizer.php.

References Rights\module().

Referenced by getSuperusers().

{
    $userClass = Rights::module()->userClass;
    // We have a single user.
    if ($users instanceof $userClass) {
        $users->attachBehavior('rights', new RUserBehavior);
    // We have multiple users.
    } else if ($users===(array)$users) {
        foreach ($users as $user) {
            $user->attachBehavior('rights', new RUserBehavior);
        }
    }
    return $users;
}

RAuthorizer::createAuthItem ($name, $type, $description = '', $bizRule = null, $data = null)

Creates an authorization item.

Parameters
string $name: the item name. This must be a unique identifier.
integer $type: the item type (0: operation, 1: task, 2: role).
string $description: the description for the item.
string $bizRule: business rule associated with the item. This is a piece of PHP code that will be executed when checkAccess is called for the item.
mixed $data: additional data associated with the item.
Returns
CAuthItem the authorization item

Definition at line 58 of file RAuthorizer.php.

References sanitizeExpression().

{
    $bizRule = $bizRule!=='' ? $bizRule : null;
    if ($data!==null) {
        $data = $data!=='' ? $this->sanitizeExpression($data.';') : null;
    }
    return $this->_authManager->createAuthItem($name, $type, $description, $bizRule, $data);
}

RAuthorizer::excludeInvalidAuthItems ($items, CAuthItem $parent = null, $exclude = array())
protected

Excludes invalid authorization items. When an item is provided, its parents and children are excluded as well.

Parameters
array $items: the authorization items to process.
CAuthItem $parent: the item to check valid authorization items for.
array $exclude: additional items to be excluded.
Returns
array valid authorization items.

Definition at line 161 of file RAuthorizer.php.

References getAuthItemParents().

Referenced by getAuthItems().

{
    // We are getting authorization items valid for a certain item,
    // so exclude its parents and children as well.
    if ($parent!==null) {
        $exclude[] = $parent->name;
        foreach ($parent->getChildren() as $childName => $child) {
            $exclude[] = $childName;
        }
        // Exclude the parents recursively to avoid inheritance loops.
        $parentNames = array_keys($this->getAuthItemParents($parent->name));
        $exclude = array_merge($parentNames, $exclude);
    }
    // Unset the items that are supposed to be excluded.
    foreach ($exclude as $itemName) {
        if (isset($items[$itemName])) {
            unset($items[$itemName]);
        }
    }
    return $items;
}

RAuthorizer::getAuthItemChildren ($item, $type = null)

Returns the children for the specified authorization item recursively.

Parameters
mixed $item: the item for which to get its children.
integer $type: the item type (0: operation, 1: task, 2: role). Defaults to null, meaning returning all items regardless of their type.
Returns
array the names of the item's children.

Definition at line 261 of file RAuthorizer.php.

References attachAuthItemBehavior().

{
    if (($item instanceof CAuthItem)===false) {
        $item = $this->_authManager->getAuthItem($item);
    }
    $childrenNames = array();
    foreach ($item->getChildren() as $childName => $child) {
        if ($type===null || (int)$child->type===$type) {
            $childrenNames[] = $childName;
        }
    }
    $children = $this->_authManager->getAuthItemsByNames($childrenNames);
    $children = $this->attachAuthItemBehavior($children, null, $item);
    return $children;
}

RAuthorizer::getAuthItemParents ($item, $type = null, $parentName = null, $direct = false)

Returns the parents of the specified authorization item.

Parameters
mixed $item: the item name for which to get its parents.
integer $type: the item type (0: operation, 1: task, 2: role). Defaults to null, meaning returning all items regardless of their type.
string $parentName: the name of the item in which permissions to search.
boolean $direct: whether we want the specified item's parent or all parents.
Returns
array the names of the parent items.

Definition at line 197 of file RAuthorizer.php.

References attachAuthItemBehavior(), and getPermissions().

Referenced by excludeInvalidAuthItems().

{
    if (($item instanceof CAuthItem)===false) {
        $item = $this->_authManager->getAuthItem($item);
    }
    $permissions = $this->getPermissions($parentName);
    $parentNames = $this->getAuthItemParentsRecursive($item->name, $permissions, $direct);
    $parents = $this->_authManager->getAuthItemsByNames($parentNames);
    $parents = $this->attachAuthItemBehavior($parents, null, $item);
    if ($type!==null) {
        foreach ($parents as $parentName => $parent) {
            if ((int)$parent->type!==$type) {
                unset($parents[$parentName]);
            }
        }
    }
    return $parents;
}

RAuthorizer::getAuthItems ($types = null, $userId = null, CAuthItem $parent = null, $sort = true, $exclude = array())

Returns the authorization items of the specific type and user.

Parameters
mixed $types: the item type (0: operation, 1: task, 2: role). Defaults to null, meaning returning all items regardless of their type.
mixed $userId: the user ID. Defaults to null, meaning returning all items even if they are not assigned to a user.
CAuthItem $parent: the item for which to get the select options.
boolean $sort: sort items by their weights.
array $exclude: the items to be excluded.
Returns
array the authorization items of the specific type.

Definition at line 107 of file RAuthorizer.php.

References attachAuthItemBehavior(), excludeInvalidAuthItems(), and mergeAuthItems().

Referenced by getRoles().

{
    // We have none or a single type.
    if ($types!==(array)$types) {
        $items = $this->_authManager->getAuthItems($types, $userId, $sort);
    // We have multiple types.
    } else {
        $typeItemList = array();
        foreach ($types as $type) {
            $typeItemList[$type] = $this->_authManager->getAuthItems($type, $userId, $sort);
        }
        // Merge the authorization items preserving the keys.
        $items = array();
        foreach ($typeItemList as $typeItems) {
            $items = $this->mergeAuthItems($items, $typeItems);
        }
    }
    $items = $this->excludeInvalidAuthItems($items, $parent, $exclude);
    $items = $this->attachAuthItemBehavior($items, $userId, $parent);
    return $items;
}

RAuthorizer::getAuthManager ()
Returns
RAuthManager the authorization manager.

Definition at line 507 of file RAuthorizer.php.

{
    return $this->_authManager;
}

RAuthorizer::getPermissions ($itemName = null)

Returns the permissions for a specific authorization item.

Parameters
string $itemName: the name of the item for which to get permissions. Defaults to null, meaning that the full permission tree is returned.
Returns
the permission tree.

Definition at line 385 of file RAuthorizer.php.

References getRoles().

Referenced by getAuthItemParents(), and hasPermission().

{
    $permissions = array();
    if ($itemName!==null) {
        $item = $this->_authManager->getAuthItem($itemName);
        $permissions = $this->getPermissionsRecursive($item);
    } else {
        foreach ($this->getRoles() as $roleName => $role) {
            $permissions[$roleName] = $this->getPermissionsRecursive($role);
        }
    }
    return $permissions;
}

RAuthorizer::getRoles ($includeSuperuser = true, $sort = true)

Returns a list of all roles.

Parameters
boolean $includeSuperuser: whether to include the superuser.
boolean $sort: whether to sort the items by their weights.
Returns
the roles.

Definition at line 38 of file RAuthorizer.php.

References attachAuthItemBehavior(), and getAuthItems().

Referenced by getPermissions().

{
    $exclude = $includeSuperuser===false ? array($this->superuserName) : array();
    $roles = $this->getAuthItems(CAuthItem::TYPE_ROLE, null, null, $sort, $exclude);
    $roles = $this->attachAuthItemBehavior($roles);
    return $roles;
}

RAuthorizer::getSuperusers ()

Returns the users with superuser privileges.

Exceptions
CHttpException
Returns
array

Definition at line 310 of file RAuthorizer.php.

References attachUserBehavior(), Rights\module(), and Rights\t().

{
    $assignments = $this->_authManager->getAssignmentsByItemName(Rights::module()->superuserName);
    $userIdList = array();
    foreach ($assignments as $userId => $assignment) {
        $userIdList[] = $userId;
    }
    $criteria = new CDbCriteria();
    $criteria->addInCondition(Rights::module()->userIdColumn, $userIdList);
    $userClass = Rights::module()->userClass;
    $users = CActiveRecord::model($userClass)->findAll($criteria);
    $users = $this->attachUserBehavior($users);
    $superusers = array();
    foreach ($users as $user) {
        $superusers[] = $user->email;
    }
    // Make sure that we have superusers, otherwise we would allow full access to Rights
    // if for some reason there are no superusers.
    if ($superusers===array()) {
        throw new CHttpException(403, Rights::t('core', 'There must be at least one superuser!'));
    }
    return $superusers;
}

RAuthorizer::hasPermission ($itemName, $parentName = null, $permissions = array())

Returns the permission type for an authorization item.

Parameters
string $itemName: the name of the item to check permission for.
string $parentName: the name of the item in which permissions to look.
array $permissions: the permissions.
Returns
integer the permission type (0: None, 1: Direct, 2: Inherited).

Definition at line 430 of file RAuthorizer.php.

References getPermissions().

{
    if ($parentName!==null) {
        if ($parentName===$this->superuserName) {
            return 1;
        }
        $permissions = $this->getPermissions($parentName);
    }
    if (isset($permissions[$itemName])) {
        return 1;
    }
    foreach ($permissions as $children) {
        if ($children!==array()) {
            if ($this->hasPermission($itemName, null, $children) > 0) {
                return 2;
            }
        }
    }
    return 0;
}

RAuthorizer::init ()

Initializes the authorizer.

Definition at line 23 of file RAuthorizer.php.

{
    $this->_authManager = Yii::app()->getAuthManager();
}

RAuthorizer::isSuperuser ($userId)

Returns whether the user is a superuser.

Parameters
integer $userId: the id of the user to do the check for.
Returns
boolean whether the user is a superuser.

Definition at line 371 of file RAuthorizer.php.

{
    $assignments = $this->_authManager->getAuthAssignments($userId);
    return isset($assignments[$this->superuserName]);
}

RAuthorizer::mergeAuthItems ($array1, $array2)
protected

Merges two arrays with authorization items preserving the keys.

Parameters
array $array1: the items to merge to.
array $array2: the items to merge from.
Returns
array the merged items.

Definition at line 140 of file RAuthorizer.php.

Referenced by getAuthItems().

{
    foreach ($array2 as $itemName => $item) {
        if (isset($array1[$itemName])===false) {
            $array1[$itemName] = $item;
        }
    }
    return $array1;
}

RAuthorizer::sanitizeExpression ($code)
protected

Tries to sanitize code to make it safe for execution.

Parameters
string $code: the code to be executed.
Returns
mixed the return value of eval() or null if the code was unsafe to execute.

Definition at line 462 of file RAuthorizer.php.

Referenced by createAuthItem(), and updateAuthItem().

{
    // Language constructs.
    $languageConstructs = array(
        'echo',
        'empty',
        'isset',
        'unset',
        'exit',
        'die',
        'include',
        'include_once',
        'require',
        'require_once',
    );
    // Loop through the language constructs.
    foreach ($languageConstructs as $lc) {
        if (preg_match('/'.$lc.'\ *\(?\ *[\"\']+/', $code) > 0) {
            // Language construct found, not safe for eval.
            return null;
        }
    }
    // Get a list of all defined functions
    $definedFunctions = get_defined_functions();
    $functions = array_merge($definedFunctions['internal'], $definedFunctions['user']);
    // Loop through the functions and check the code for function calls.
    // Append a '(' to the functions to avoid confusion between e.g. array() and array_merge().
    foreach ($functions as $f) {
        if (preg_match('/'.$f.'\ *\({1}/', $code) > 0) {
            // Function call found, not safe for eval.
            return null;
        }
    }
    // Evaluate the safer code
    $result = @eval($code);
    // Return the evaluated code or null if the result was false.
    return $result!==false ? $result : null;
}

RAuthorizer::updateAuthItem ($oldName, $name, $description = '', $bizRule = null, $data = null)

Updates an authorization item.

Parameters
string $oldName: the item name. This must be a unique identifier.
integer $name: the item type (0: operation, 1: task, 2: role).
string $description: the description for the item.
string $bizRule: business rule associated with the item. This is a piece of PHP code that will be executed when checkAccess is called for the item.
mixed $data: additional data associated with the item.

Definition at line 79 of file RAuthorizer.php.

References sanitizeExpression().

{
    $authItem = $this->_authManager->getAuthItem($oldName);
    $authItem->name = $name;
    $authItem->description = $description!=='' ? $description : null;
    $authItem->bizRule = $bizRule!=='' ? $bizRule : null;
    // Make sure that data is not already serialized.
    if (@unserialize($data)===false) {
        $authItem->data = $data!=='' ? $this->sanitizeExpression($data.';') : null;
    }
    $this->_authManager->saveAuthItem($authItem, $oldName);
}
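
createAuthItem() and updateAuthItem() pass the submitted $data through sanitizeExpression(), which filters by name and then calls eval(), and updateAuthItem() also probes it with unserialize(). The following added example (not part of RAuthorizer.php or the Rights module) shows one way to decode the field without executing it. It assumes the data field can be restricted to JSON; parseAuthItemData() and the size and depth limits are hypothetical.

```php
<?php
// Added example, not code from RAuthorizer.php.
// Assumption: the auth item "data" field is submitted as JSON
// (scalars, lists, maps) instead of a PHP expression.

/**
 * Hypothetical replacement for sanitizeExpression($data.';').
 * Decodes the submitted data field without executing it.
 *
 * @param string $input raw form value of the data field.
 * @return mixed the decoded value, or null if the input is empty or rejected.
 */
function parseAuthItemData($input)
{
    $input = trim((string)$input);
    // An empty field means "no data", as in the original code path.
    if ($input === '') {
        return null;
    }
    // Bound the size of what a form field may carry (limit is an assumption).
    if (strlen($input) > 4096) {
        return null;
    }
    // assoc=true: JSON objects become plain arrays, never PHP objects,
    // so no class is instantiated and no magic method can run.
    // depth=8: deeply nested structures are rejected (limit is an assumption).
    $decoded = json_decode($input, true, 8);
    if ($decoded === null && json_last_error() !== JSON_ERROR_NONE) {
        // Not valid JSON: reject, with no fallback to eval() or unserialize().
        return null;
    }
    return $decoded;
}

// Constructed sample inputs.
$samples = array(
    '{"ownerId": 42, "tags": ["editor", "news"]}', // accepted: array
    '17',                                          // accepted: integer
    'array("ownerId" => 42)',                      // PHP syntax: rejected
    'time()',                                      // code: rejected, never executed
    '',                                            // empty: null
);
foreach ($samples as $sample) {
    var_export(parseAuthItemData($sample));
    echo "\n";
}
```

The $bizRule argument is still stored as PHP code and executed when checkAccess is called, as the parameter documentation above states, so callers of createAuthItem() and updateAuthItem() need to be limited to trusted administrators.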

The documentation for this class was generated from the following file: