Subversion Repositories SmartDukaan

<?php

/**

 * PHP configuration based AclInterface implementation

 *

 * CakePHP(tm) : Rapid Development Framework (http://cakephp.org)

 * Copyright (c) Cake Software Foundation, Inc. (http://cakefoundation.org)

 *

 * Licensed under The MIT License

 * For full copyright and license information, please see the LICENSE.txt

 * Redistributions of files must retain the above copyright notice.

 *

 * @copyright     Copyright (c) Cake Software Foundation, Inc. (http://cakefoundation.org)

 * @link          http://cakephp.org CakePHP(tm) Project

 * @package       Cake.Controller.Component.Acl

 * @since         CakePHP(tm) v 2.1

 * @license       http://www.opensource.org/licenses/mit-license.php MIT License

 */

/**

 * PhpAcl implements an access control system using a plain PHP configuration file.

 * An example file can be found in app/Config/acl.php

 *

 * @package Cake.Controller.Component.Acl

 */

class PhpAcl extends Object implements AclInterface {

/**

 * Constant for deny

 */

	const DENY = false;

/**

 * Constant for allow

 */

	const ALLOW = true;

/**

 * Options:

 *  - policy: determines behavior of the check method. Deny policy needs explicit allow rules, allow policy needs explicit deny rules

 *  - config: absolute path to config file that contains the acl rules (@see app/Config/acl.php)

 *

 * @var array

 */

	public $options = array();

/**

 * Aro Object

 *

 * @var PhpAro

 */

	public $Aro = null;

/**

 * Aco Object

 *

 * @var PhpAco

 */

	public $Aco = null;

/**

 * Constructor

 *

 * Sets a few default settings up.

 */

	public function __construct() {

		$this->options = array(

			'policy' => self::DENY,

			'config' => APP . 'Config' . DS . 'acl.php',

		);

	}

/**

 * Initialize method

 *

 * @param AclComponent $Component Component instance

 * @return void

 */

	public function initialize(Component $Component) {

		if (!empty($Component->settings['adapter'])) {

			$this->options = array_merge($this->options, $Component->settings['adapter']);

		}

		App::uses('PhpReader', 'Configure');

		$Reader = new PhpReader(dirname($this->options['config']) . DS);

		$config = $Reader->read(basename($this->options['config']));

		$this->build($config);

		$Component->Aco = $this->Aco;

		$Component->Aro = $this->Aro;

	}

/**

 * build and setup internal ACL representation

 *

 * @param array $config configuration array, see docs

 * @return void

 * @throws AclException When required keys are missing.

 */

	public function build(array $config) {

		if (empty($config['roles'])) {

			throw new AclException(__d('cake_dev', '"roles" section not found in configuration.'));

		}

		if (empty($config['rules']['allow']) && empty($config['rules']['deny'])) {

			throw new AclException(__d('cake_dev', 'Neither "allow" nor "deny" rules were provided in configuration.'));

		}

		$rules['allow'] = !empty($config['rules']['allow']) ? $config['rules']['allow'] : array();

		$rules['deny'] = !empty($config['rules']['deny']) ? $config['rules']['deny'] : array();

		$roles = !empty($config['roles']) ? $config['roles'] : array();

		$map = !empty($config['map']) ? $config['map'] : array();

		$alias = !empty($config['alias']) ? $config['alias'] : array();

		$this->Aro = new PhpAro($roles, $map, $alias);

		$this->Aco = new PhpAco($rules);

	}

/**

 * No op method, allow cannot be done with PhpAcl

 *

 * @param string $aro ARO The requesting object identifier.

 * @param string $aco ACO The controlled object identifier.

 * @param string $action Action (defaults to *)

 * @return boolean Success

 */

	public function allow($aro, $aco, $action = "*") {

		return $this->Aco->access($this->Aro->resolve($aro), $aco, $action, 'allow');

	}

/**

 * deny ARO access to ACO

 *

 * @param string $aro ARO The requesting object identifier.

 * @param string $aco ACO The controlled object identifier.

 * @param string $action Action (defaults to *)

 * @return boolean Success

 */

	public function deny($aro, $aco, $action = "*") {

		return $this->Aco->access($this->Aro->resolve($aro), $aco, $action, 'deny');

	}

/**

 * No op method

 *

 * @param string $aro ARO The requesting object identifier.

 * @param string $aco ACO The controlled object identifier.

 * @param string $action Action (defaults to *)

 * @return boolean Success

 */

	public function inherit($aro, $aco, $action = "*") {

		return false;

	}

/**

 * Main ACL check function. Checks to see if the ARO (access request object) has access to the

 * ACO (access control object).

 *

 * @param string $aro ARO

 * @param string $aco ACO

 * @param string $action Action

 * @return boolean true if access is granted, false otherwise

 */

	public function check($aro, $aco, $action = "*") {

		$allow = $this->options['policy'];

		$prioritizedAros = $this->Aro->roles($aro);

		if ($action && $action !== "*") {

			$aco .= '/' . $action;

		}

		$path = $this->Aco->path($aco);

		if (empty($path)) {

			return $allow;

		}

		foreach ($path as $node) {

			foreach ($prioritizedAros as $aros) {

				if (!empty($node['allow'])) {

					$allow = $allow || count(array_intersect($node['allow'], $aros));

				}

				if (!empty($node['deny'])) {

					$allow = $allow && !count(array_intersect($node['deny'], $aros));

				}

			}

		}

		return $allow;

	}

}

/**

 * Access Control Object

 *

 */

class PhpAco {

/**

 * holds internal ACO representation

 *

 * @var array

 */

	protected $_tree = array();

/**

 * map modifiers for ACO paths to their respective PCRE pattern

 *

 * @var array

 */

	public static $modifiers = array(

		'*' => '.*',

	);

/**

 * Constructor

 *

 * @param array $rules Rules array

 */

	public function __construct(array $rules = array()) {

		foreach (array('allow', 'deny') as $type) {

			if (empty($rules[$type])) {

				$rules[$type] = array();

			}

		}

		$this->build($rules['allow'], $rules['deny']);

	}

/**

 * return path to the requested ACO with allow and deny rules attached on each level

 *

 * @param string $aco ACO string

 * @return array

 */

	public function path($aco) {

		$aco = $this->resolve($aco);

		$path = array();

		$level = 0;

		$root = $this->_tree;

		$stack = array(array($root, 0));

		while (!empty($stack)) {

			list($root, $level) = array_pop($stack);

			if (empty($path[$level])) {

				$path[$level] = array();

			}

			foreach ($root as $node => $elements) {

				$pattern = '/^' . str_replace(array_keys(self::$modifiers), array_values(self::$modifiers), $node) . '$/';

				if ($node == $aco[$level] || preg_match($pattern, $aco[$level])) {

					// merge allow/denies with $path of current level

					foreach (array('allow', 'deny') as $policy) {

						if (!empty($elements[$policy])) {

							if (empty($path[$level][$policy])) {

								$path[$level][$policy] = array();

							}

							$path[$level][$policy] = array_merge($path[$level][$policy], $elements[$policy]);

						}

					}

					// traverse

					if (!empty($elements['children']) && isset($aco[$level + 1])) {

						array_push($stack, array($elements['children'], $level + 1));

					}

				}

			}

		}

		return $path;

	}

/**

 * allow/deny ARO access to ARO

 *

 * @param string $aro ARO string

 * @param string $aco ACO string

 * @param string $action Action string

 * @param string $type access type

 * @return void

 */

	public function access($aro, $aco, $action, $type = 'deny') {

		$aco = $this->resolve($aco);

		$depth = count($aco);

		$root = $this->_tree;

		$tree = &$root;

		foreach ($aco as $i => $node) {

			if (!isset($tree[$node])) {

				$tree[$node] = array(

					'children' => array(),

				);

			}

			if ($i < $depth - 1) {

				$tree = &$tree[$node]['children'];

			} else {

				if (empty($tree[$node][$type])) {

					$tree[$node][$type] = array();

				}

				$tree[$node][$type] = array_merge(is_array($aro) ? $aro : array($aro), $tree[$node][$type]);

			}

		}

		$this->_tree = &$root;

	}

/**

 * resolve given ACO string to a path

 *

 * @param string $aco ACO string

 * @return array path

 */

	public function resolve($aco) {

		if (is_array($aco)) {

			return array_map('strtolower', $aco);

		}

		// strip multiple occurrences of '/'

		$aco = preg_replace('#/+#', '/', $aco);

		// make case insensitive

		$aco = ltrim(strtolower($aco), '/');

		return array_filter(array_map('trim', explode('/', $aco)));

	}

/**

 * build a tree representation from the given allow/deny informations for ACO paths

 *

 * @param array $allow ACO allow rules

 * @param array $deny ACO deny rules

 * @return void

 */

	public function build(array $allow, array $deny = array()) {

		$this->_tree = array();

		foreach ($allow as $dotPath => $aros) {

			if (is_string($aros)) {

				$aros = array_map('trim', explode(',', $aros));

			}

			$this->access($aros, $dotPath, null, 'allow');

		}

		foreach ($deny as $dotPath => $aros) {

			if (is_string($aros)) {

				$aros = array_map('trim', explode(',', $aros));

			}

			$this->access($aros, $dotPath, null, 'deny');

		}

	}

}

/**

 * Access Request Object

 *

 */

class PhpAro {

/**

 * role to resolve to when a provided ARO is not listed in

 * the internal tree

 */

	const DEFAULT_ROLE = 'Role/default';

/**

 * map external identifiers. E.g. if

 *

 * array('User' => array('username' => 'jeff', 'role' => 'editor'))

 *

 * is passed as an ARO to one of the methods of AclComponent, PhpAcl

 * will check if it can be resolved to an User or a Role defined in the

 * configuration file.

 *

 * @var array

 * @see app/Config/acl.php

 */

	public $map = array(

		'User' => 'User/username',

		'Role' => 'User/role',

	);

/**

 * aliases to map

 *

 * @var array

 */

	public $aliases = array();

/**

 * internal ARO representation

 *

 * @var array

 */

	protected $_tree = array();

/**

 * Constructor

 *

 * @param array $aro

 * @param array $map

 * @param array $aliases

 */

	public function __construct(array $aro = array(), array $map = array(), array $aliases = array()) {

		if (!empty($map)) {

			$this->map = $map;

		}

		$this->aliases = $aliases;

		$this->build($aro);

	}

/**

 * From the perspective of the given ARO, walk down the tree and

 * collect all inherited AROs levelwise such that AROs from different

 * branches with equal distance to the requested ARO will be collected at the same

 * index. The resulting array will contain a prioritized list of (list of) roles ordered from

 * the most distant AROs to the requested one itself.

 *

 * @param string|array $aro An ARO identifier

 * @return array prioritized AROs

 */

	public function roles($aro) {

		$aros = array();

		$aro = $this->resolve($aro);

		$stack = array(array($aro, 0));

		while (!empty($stack)) {

			list($element, $depth) = array_pop($stack);

			$aros[$depth][] = $element;

			foreach ($this->_tree as $node => $children) {

				if (in_array($element, $children)) {

					array_push($stack, array($node, $depth + 1));

				}

			}

		}

		return array_reverse($aros);

	}

/**

 * resolve an ARO identifier to an internal ARO string using

 * the internal mapping information.

 *

 * @param string|array $aro ARO identifier (User.jeff, array('User' => ...), etc)

 * @return string internal aro string (e.g. User/jeff, Role/default)

 */

	public function resolve($aro) {

		foreach ($this->map as $aroGroup => $map) {

			list ($model, $field) = explode('/', $map, 2);

			$mapped = '';

			if (is_array($aro)) {

				if (isset($aro['model']) && isset($aro['foreign_key']) && $aro['model'] == $aroGroup) {

					$mapped = $aroGroup . '/' . $aro['foreign_key'];

				} elseif (isset($aro[$model][$field])) {

					$mapped = $aroGroup . '/' . $aro[$model][$field];

				} elseif (isset($aro[$field])) {

					$mapped = $aroGroup . '/' . $aro[$field];

				}

			} elseif (is_string($aro)) {

				$aro = ltrim($aro, '/');

				if (strpos($aro, '/') === false) {

					$mapped = $aroGroup . '/' . $aro;

				} else {

					list($aroModel, $aroValue) = explode('/', $aro, 2);

					$aroModel = Inflector::camelize($aroModel);

					if ($aroModel == $model || $aroModel == $aroGroup) {

						$mapped = $aroGroup . '/' . $aroValue;

					}

				}

			}

			if (isset($this->_tree[$mapped])) {

				return $mapped;

			}

			// is there a matching alias defined (e.g. Role/1 => Role/admin)?

			if (!empty($this->aliases[$mapped])) {

				return $this->aliases[$mapped];

			}

		}

		return self::DEFAULT_ROLE;

	}

/**

 * adds a new ARO to the tree

 *

 * @param array $aro one or more ARO records

 * @return void

 */

	public function addRole(array $aro) {

		foreach ($aro as $role => $inheritedRoles) {

			if (!isset($this->_tree[$role])) {

				$this->_tree[$role] = array();

			}

			if (!empty($inheritedRoles)) {

				if (is_string($inheritedRoles)) {

					$inheritedRoles = array_map('trim', explode(',', $inheritedRoles));

				}

				foreach ($inheritedRoles as $dependency) {

					// detect cycles

					$roles = $this->roles($dependency);

					if (in_array($role, Hash::flatten($roles))) {

						$path = '';

						foreach ($roles as $roleDependencies) {

							$path .= implode('|', (array)$roleDependencies) . ' -> ';

						}

						trigger_error(__d('cake_dev', 'cycle detected when inheriting %s from %s. Path: %s', $role, $dependency, $path . $role));

						continue;

					}

					if (!isset($this->_tree[$dependency])) {

						$this->_tree[$dependency] = array();

					}

					$this->_tree[$dependency][] = $role;

				}

			}

		}

	}

/**

 * adds one or more aliases to the internal map. Overwrites existing entries.

 *

 * @param array $alias alias from => to (e.g. Role/13 -> Role/editor)

 * @return void

 */

	public function addAlias(array $alias) {

		$this->aliases = array_merge($this->aliases, $alias);

	}

/**

 * build an ARO tree structure for internal processing

 *

 * @param array $aros array of AROs as key and their inherited AROs as values

 * @return void

 */

	public function build(array $aros) {

		$this->_tree = array();

		$this->addRole($aros);

	}

}