Changeset 3141
- Timestamp:
- 05/03/08 12:48:25 (2 months ago)
- Files:
-
- trunk/Solar/Access/Adapter.php (modified) (5 diffs)
- trunk/Solar/Access/Adapter/File.php (modified) (4 diffs)
- trunk/Solar/Access/Adapter/None.php (modified) (1 diff)
- trunk/Solar/Access/Adapter/Open.php (modified) (1 diff)
- trunk/Solar/Access/Adapter/Sql.php (added)
trunk/Solar/Access/Adapter.php
r2926 r3141 28 28 /** 29 29 * 30 * A Solar_Auth object representing the current user. 31 * 32 * @var Solar_Auth_Adapter 33 * 34 */ 35 protected $_auth; 36 37 /** 38 * 39 * A Solar_Role object representing the current user. 40 * 41 * @var Solar_Role_Adapter 42 * 43 */ 44 protected $_role; 45 46 /** 47 * 30 48 * Fetches the access list from the adapter into $this->list. 31 49 * 32 * @param string $handle The username handle to fetch access 33 * controls for. 50 * @param string|Solar_Auth_Adapter $auth_spec Fetch access controls for 51 * this user handle. If a string, is assumed to be the handle directly; 52 * otherwise, the handle is pulled from a Solar_Auth_Adapter object. 34 53 * 35 * @param array $roles The user roles to fetch access controls for. 54 * @param array|Solar_Auth_Adapter $auth_spec Fetch access controls for 55 * these user roles. If an array, is assumed to be the roles directly; 56 * otherwise, the roles are pulled from a Solar_Role_Adapter object. 36 57 * 37 58 * @return void 38 59 * 39 60 */ 40 public function load($ handle, $roles)61 public function load($auth_spec, $role_spec) 41 62 { 63 // clear out previous values 42 64 $this->reset(); 65 66 if ($auth_spec instanceof Solar_Auth_Adapter) { 67 $this->_auth = $auth_spec; 68 $handle = $this->_auth->handle; 69 } else { 70 $handle = $auth_spec; 71 } 72 73 if ($role_spec instanceof Solar_Role_Adapter) { 74 $this->_role = $role_spec; 75 $roles = $this->_role->list; 76 } else { 77 $roles = $role_spec; 78 } 79 80 // get the access list 81 $list = $this->fetch($handle, $roles); 82 43 83 // reverse so that last ones are checked first 44 $this->list = array_reverse($ this->fetch($handle, $roles));84 $this->list = array_reverse($list); 45 85 } 46 86 … … 49 89 * Tells whether or not to allow access to a class/action/process combination. 50 90 * 51 * @param string $class The class name of thecontrol; use '*' for91 * @param string $class The name of the class to control; use '*' for 52 92 * all values. 
53 93 * 54 94 * @param string $action The action within that class; use '*' for 55 * all values. 95 * all values. For handle types, use '+' to indicate any non-empty 96 * handle (i.e., any authenticated user). 56 97 * 57 * @param string $process The process value within the action; use58 * '*' for all values.98 * @param mixed $content A content item (application-specific) to check 99 * ownership on. 59 100 * 60 101 * @return bool True if the current handle or role is allowed 61 102 * access, false if not. 62 103 * 104 * @see isOwner() 105 * 63 106 */ 64 public function isAllowed($class = '*', $action = '*', $ process = '*')107 public function isAllowed($class = '*', $action = '*', $content = null) 65 108 { 66 109 foreach ($this->list as $info) { 67 110 $class_match = ($info['class'] == $class || $info['class'] == '*'); 68 111 $action_match = ($info['action'] == $action || $info['action'] == '*'); 69 $process_match = ($info['process'] == $process || $info['process'] == '*'); 70 if ($class_match && $action_match && $process_match) { 71 // all params match, return the flag (true or false) 112 if ($class_match && $action_match) { 113 // do we also need to be the owner? 114 if ($info['type'] == 'owner' && ! $this->isOwner($content)) { 115 // not the owner, skip to the next control item 116 continue; 117 } 118 119 // class and action matched (and optionally owner). 120 // return the flag. 72 121 return (bool) $info['allow']; 73 122 } 74 123 } 124 75 125 // no matching params, deny by default 76 126 return false; … … 79 129 /** 80 130 * 81 * Resets the current access controls to a blank array. 131 * Resets the current access controls to a blank array, along with the 132 * $_auth and $_role properties. 
82 133 * 83 134 * @return void … … 86 137 public function reset() 87 138 { 139 $this->_auth = null; 140 $this->_role = null; 88 141 $this->list = array(); 89 142 } … … 101 154 */ 102 155 abstract public function fetch($handle, $roles); 156 157 /** 158 * 159 * Checks to see if the current user is the owner of application-specific 160 * content. 161 * 162 * @param mixed $content The content to check ownership of. 163 * 164 * @return bool 165 * 166 */ 167 abstract public function isOwner($content); 103 168 } trunk/Solar/Access/Adapter/File.php
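Review bot: In isAllowed(), an `owner` rule is evaluated even when the caller supplies no content, because `$content` defaults to null and is passed straight to isOwner(); whether that grants or denies access then depends entirely on the adapter. I would skip owner rules when there is nothing to check, `if ($info['type'] == 'owner' && ($content === null || ! $this->isOwner($content))) { continue; }`, and state in the abstract isOwner() docblock that implementations must return false for null or unrecognised content. Separately, the second @param in the load() docblock is still named `$auth_spec` and typed `array|Solar_Auth_Adapter`; it should read `@param array|Solar_Role_Adapter $role_spec`. The closing brace of isAllowed() falls outside the visible hunk.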
r3140 r3141 78 78 foreach ($lines as $line) { 79 79 80 $ trim= trim($line);80 $line = trim($line); 81 81 82 82 // allow blank lines 83 if ($ trim== '') {83 if ($line == '') { 84 84 continue; 85 85 } 86 86 87 87 // allow comment lines 88 $char = substr($ trim, 0, 1);88 $char = substr($line, 0, 1); 89 89 if ($char == '#') { 90 90 continue; … … 93 93 // $info keys are ... 94 94 // 0 => "allow" or "deny" 95 // 1 => "handle" or "role"96 // 2 => handle/role name 95 // 1 => "handle", "role", or "owner" 96 // 2 => handle/role name (not used by 'owner' type) 97 97 // 3 => class name 98 98 // 4 => action name 99 // 5 => process name100 99 $info = explode(' ', $line); 101 100 if ($info[1] == 'handle' && $info[2] == $handle || // direct user handle match … … 103 102 $info[1] == 'handle' && $info[2] == '*' || // any user (incl anon) 104 103 $info[1] == 'role' && in_array($info[2], $roles) || // direct role match 105 $info[1] == 'role' && $info[2] == '*') { // any role (incl anon) 104 $info[1] == 'role' && $info[2] == '*' // any role (incl anon) 105 $info[1] == 'owner' ) { // content owner 106 106 107 107 // keep the line 108 108 $list[] = array( 109 109 'allow' => ($info[0] == 'allow' ? true : false), 110 'type' => $info[1], 111 'name' => $info[2], 110 112 'class' => $info[3], 111 113 'action' => $info[4], 112 'process' => $info[5],113 114 ); 114 115 } … … 116 117 return $list; 117 118 } 119 120 public function isOwner($content) 121 { 122 return true; 123 } 118 124 } trunk/Solar/Access/Adapter/None.php
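Review bot: The new isOwner() in File.php returns true for every call, and the line-matching loop (presumably fetch(), whose start is outside the visible hunks) now keeps every `owner` line regardless of handle or roles. Combined with isAllowed() in Adapter.php, an `allow owner ...` line therefore appears to grant the class/action to any user, anonymous included. Until a real ownership check exists the stub should fail closed with `return false;`, and it should carry a docblock saying that ownership is not implemented for the file adapter. Also, as rendered, new line 104 ends the role/`*` test without a trailing `||` before the `$info[1] == 'owner'` line, which would be a parse error; it should read `$info[1] == 'role' && $info[2] == '*' || // any role (incl anon)`.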
r2926 r3141 33 33 array( 34 34 'allow' => false, 35 'type' => '*', 36 'name' => '*', 35 37 'class' => '*', 36 38 'action' => '*', 37 'process' => '*',38 39 ), 39 40 ); 40 41 } 42 43 public function isOwner($content) 44 { 45 return false; 46 } 41 47 } trunk/Solar/Access/Adapter/Open.php
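Review bot: The isOwner() added to None.php has no docblock, while the abstract declaration in Adapter.php documents its parameter and return value; the same applies to the isOwner() added in Open.php and File.php. I would add a docblock in the project's usual form stating that this adapter never treats the user as owner, because it denies all access, with `@param mixed $content` and `@return bool`. For Open.php the matching text would say that ownership is always granted because the adapter allows everything. With `'type' => '*'` in both fetched lists, isAllowed() never reaches isOwner() for these two adapters, so the return values only matter to direct callers, which is worth stating in the comment.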
r2926 r3141 33 33 array( 34 34 'allow' => true, 35 'type' => '*', 36 'name' => '*', 35 37 'class' => '*', 36 38 'action' => '*', 37 'process' => '*',38 39 ), 39 40 ); 40 41 } 42 43 public function isOwner($content) 44 { 45 return true; 46 } 41 47 }
