| 13532 |
anikendra |
1 |
<?php
|
|
|
2 |
/**
|
|
|
3 |
* This is the PHP base ACL configuration file.
|
|
|
4 |
*
|
|
|
5 |
* Use it to configure access control of your CakePHP application.
|
|
|
6 |
*
|
|
|
7 |
* CakePHP(tm) : Rapid Development Framework (http://cakephp.org)
|
|
|
8 |
* Copyright (c) Cake Software Foundation, Inc. (http://cakefoundation.org)
|
|
|
9 |
*
|
|
|
10 |
* Licensed under The MIT License
|
|
|
11 |
* For full copyright and license information, please see the LICENSE.txt
|
|
|
12 |
* Redistributions of files must retain the above copyright notice.
|
|
|
13 |
*
|
|
|
14 |
* @copyright Copyright (c) Cake Software Foundation, Inc. (http://cakefoundation.org)
|
|
|
15 |
* @link http://cakephp.org CakePHP(tm) Project
|
|
|
16 |
* @package app.Config
|
|
|
17 |
* @since CakePHP(tm) v 2.1
|
|
|
18 |
* @license http://www.opensource.org/licenses/mit-license.php MIT License
|
|
|
19 |
*/
|
|
|
20 |
|
|
|
21 |
/**
|
|
|
22 |
* Example
|
|
|
23 |
* -------
|
|
|
24 |
*
|
|
|
25 |
* Assumptions:
|
|
|
26 |
*
|
|
|
27 |
* 1. In your application you created a User model with the following properties:
|
|
|
28 |
* username, group_id, password, email, firstname, lastname and so on.
|
|
|
29 |
* 2. You configured AuthComponent to authorize actions via
|
|
|
30 |
* $this->Auth->authorize = array('Actions' => array('actionPath' => 'controllers/'),...)
|
|
|
31 |
*
|
|
|
32 |
* Now, when a user (i.e. jeff) authenticates successfully and requests a controller action (i.e. /invoices/delete)
|
|
|
33 |
* that is not allowed by default (e.g. via $this->Auth->allow('edit') in the Invoices controller) then AuthComponent
|
|
|
34 |
* will ask the configured ACL interface if access is granted. Under the assumptions 1. and 2. this will be
|
|
|
35 |
* done via a call to Acl->check() with
|
|
|
36 |
*
|
|
|
37 |
* array('User' => array('username' => 'jeff', 'group_id' => 4, ...))
|
|
|
38 |
*
|
|
|
39 |
* as ARO and
|
|
|
40 |
*
|
|
|
41 |
* '/controllers/invoices/delete'
|
|
|
42 |
*
|
|
|
43 |
* as ACO.
|
|
|
44 |
*
|
|
|
45 |
* If the configured map looks like
|
|
|
46 |
*
|
|
|
47 |
* $config['map'] = array(
|
|
|
48 |
* 'User' => 'User/username',
|
|
|
49 |
* 'Role' => 'User/group_id',
|
|
|
50 |
* );
|
|
|
51 |
*
|
|
|
52 |
* then PhpAcl will lookup if we defined a role like User/jeff. If that role is not found, PhpAcl will try to
|
|
|
53 |
* find a definition for Role/4. If the definition isn't found then a default role (Role/default) will be used to
|
|
|
54 |
* check rules for the given ACO. The search can be expanded by defining aliases in the alias configuration.
|
|
|
55 |
* E.g. if you want to use a more readable name than Role/4 in your definitions you can define an alias like
|
|
|
56 |
*
|
|
|
57 |
* $config['alias'] = array(
|
|
|
58 |
* 'Role/4' => 'Role/editor',
|
|
|
59 |
* );
|
|
|
60 |
*
|
|
|
61 |
* In the roles configuration you can define roles on the lhs and inherited roles on the rhs:
|
|
|
62 |
*
|
|
|
63 |
* $config['roles'] = array(
|
|
|
64 |
* 'Role/admin' => null,
|
|
|
65 |
* 'Role/accountant' => null,
|
|
|
66 |
* 'Role/editor' => null,
|
|
|
67 |
* 'Role/manager' => 'Role/editor, Role/accountant',
|
|
|
68 |
* 'User/jeff' => 'Role/manager',
|
|
|
69 |
* );
|
|
|
70 |
*
|
|
|
71 |
* In this example manager inherits all rules from editor and accountant. Role/admin doesn't inherit from any role.
|
|
|
72 |
* Lets define some rules:
|
|
|
73 |
*
|
|
|
74 |
* $config['rules'] = array(
|
|
|
75 |
* 'allow' => array(
|
|
|
76 |
* '*' => 'Role/admin',
|
|
|
77 |
* 'controllers/users/(dashboard|profile)' => 'Role/default',
|
|
|
78 |
* 'controllers/invoices/*' => 'Role/accountant',
|
|
|
79 |
* 'controllers/articles/*' => 'Role/editor',
|
|
|
80 |
* 'controllers/users/*' => 'Role/manager',
|
|
|
81 |
* 'controllers/invoices/delete' => 'Role/manager',
|
|
|
82 |
* ),
|
|
|
83 |
* 'deny' => array(
|
|
|
84 |
* 'controllers/invoices/delete' => 'Role/accountant, User/jeff',
|
|
|
85 |
* 'controllers/articles/(delete|publish)' => 'Role/editor',
|
|
|
86 |
* ),
|
|
|
87 |
* );
|
|
|
88 |
*
|
|
|
89 |
* Ok, so as jeff inherits from Role/manager he's matched every rule that references User/jeff, Role/manager,
|
|
|
90 |
* Role/editor, Role/accountant and Role/default. However, for jeff, rules for User/jeff are more specific than
|
|
|
91 |
* rules for Role/manager, rules for Role/manager are more specific than rules for Role/editor and so on.
|
|
|
92 |
* This is important when allow and deny rules match for a role. E.g. Role/accountant is allowed
|
|
|
93 |
* controllers/invoices/* but at the same time controllers/invoices/delete is denied. But there is a more
|
|
|
94 |
* specific rule defined for Role/manager which is allowed controllers/invoices/delete. However, the most specific
|
|
|
95 |
* rule denies access to the delete action explicitly for User/jeff, so he'll be denied access to the resource.
|
|
|
96 |
*
|
|
|
97 |
* If we would remove the role definition for User/jeff, then jeff would be granted access as he would be resolved
|
|
|
98 |
* to Role/manager and Role/manager has an allow rule.
|
|
|
99 |
*/
|
|
|
100 |
|
|
|
101 |
/**
|
|
|
102 |
* The role map defines how to resolve the user record from your application
|
|
|
103 |
* to the roles you defined in the roles configuration.
|
|
|
104 |
*/
|
|
|
105 |
$config['map'] = array(
|
|
|
106 |
'User' => 'User/username',
|
|
|
107 |
'Role' => 'User/group_id',
|
|
|
108 |
);
|
|
|
109 |
|
|
|
110 |
/**
|
|
|
111 |
* define aliases to map your model information to
|
|
|
112 |
* the roles defined in your role configuration.
|
|
|
113 |
*/
|
|
|
114 |
$config['alias'] = array(
|
|
|
115 |
'Role/4' => 'Role/editor',
|
|
|
116 |
);
|
|
|
117 |
|
|
|
118 |
/**
|
|
|
119 |
* role configuration
|
|
|
120 |
*/
|
|
|
121 |
$config['roles'] = array(
|
|
|
122 |
'Role/admin' => null,
|
|
|
123 |
);
|
|
|
124 |
|
|
|
125 |
/**
|
|
|
126 |
* rule configuration
|
|
|
127 |
*/
|
|
|
128 |
$config['rules'] = array(
|
|
|
129 |
'allow' => array(
|
|
|
130 |
'*' => 'Role/admin',
|
|
|
131 |
),
|
|
|
132 |
'deny' => array(),
|
|
|
133 |
);
|