/
IniAcl.php
172 lines (151 loc) · 4.57 KB
/
IniAcl.php
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
<?php
/**
* CakePHP(tm) : Rapid Development Framework (http://cakephp.org)
* Copyright 2005-2011, Cake Software Foundation, Inc. (http://cakefoundation.org)
*
* Licensed under The MIT License
* Redistributions of files must retain the above copyright notice.
*
* @copyright Copyright 2005-2011, Cake Software Foundation, Inc. (http://cakefoundation.org)
* @link http://cakephp.org CakePHP(tm) Project
* @package Cake.Controller.Component
* @since CakePHP(tm) v 0.10.0.1076
* @license MIT License (http://www.opensource.org/licenses/mit-license.php)
*/
App::uses('AclInterface', 'Controller/Component/Acl');
/**
* IniAcl implements an access control system using an INI file. An example
* of the ini file used can be found in /config/acl.ini.php.
*
* @package Cake.Controller.Component
*/
class IniAcl extends Object implements AclInterface {
/**
* Array with configuration, parsed from ini file
*
* @var array
*/
public $config = null;
/**
* The Set::classicExtract() path to the user/aro identifier in the
* acl.ini file. This path will be used to extract the string
* representation of a user used in the ini file.
*
* @var string
*/
public $userPath = 'User.username';
/**
* Initialize method
*
* @param AclBase $component
* @return void
*/
public function initialize(Component $component) {
}
/**
* No op method, allow cannot be done with IniAcl
*
* @param string $aro ARO The requesting object identifier.
* @param string $aco ACO The controlled object identifier.
* @param string $action Action (defaults to *)
* @return boolean Success
*/
public function allow($aro, $aco, $action = "*") {
}
/**
* No op method, deny cannot be done with IniAcl
*
* @param string $aro ARO The requesting object identifier.
* @param string $aco ACO The controlled object identifier.
* @param string $action Action (defaults to *)
* @return boolean Success
*/
public function deny($aro, $aco, $action = "*") {
}
/**
* No op method, inherit cannot be done with IniAcl
*
* @param string $aro ARO The requesting object identifier.
* @param string $aco ACO The controlled object identifier.
* @param string $action Action (defaults to *)
* @return boolean Success
*/
public function inherit($aro, $aco, $action = "*") {
}
/**
* Main ACL check function. Checks to see if the ARO (access request object) has access to the
* ACO (access control object).Looks at the acl.ini.php file for permissions
* (see instructions in /config/acl.ini.php).
*
* @param string $aro ARO
* @param string $aco ACO
* @param string $action Action
* @return boolean Success
*/
public function check($aro, $aco, $action = null) {
if ($this->config == null) {
$this->config = $this->readConfigFile(APP . 'Config' . DS . 'acl.ini.php');
}
$aclConfig = $this->config;
if (is_array($aro)) {
$aro = Set::classicExtract($aro, $this->userPath);
}
if (isset($aclConfig[$aro]['deny'])) {
$userDenies = $this->arrayTrim(explode(",", $aclConfig[$aro]['deny']));
if (array_search($aco, $userDenies)) {
return false;
}
}
if (isset($aclConfig[$aro]['allow'])) {
$userAllows = $this->arrayTrim(explode(",", $aclConfig[$aro]['allow']));
if (array_search($aco, $userAllows)) {
return true;
}
}
if (isset($aclConfig[$aro]['groups'])) {
$userGroups = $this->arrayTrim(explode(",", $aclConfig[$aro]['groups']));
foreach ($userGroups as $group) {
if (array_key_exists($group, $aclConfig)) {
if (isset($aclConfig[$group]['deny'])) {
$groupDenies = $this->arrayTrim(explode(",", $aclConfig[$group]['deny']));
if (array_search($aco, $groupDenies)) {
return false;
}
}
if (isset($aclConfig[$group]['allow'])) {
$groupAllows = $this->arrayTrim(explode(",", $aclConfig[$group]['allow']));
if (array_search($aco, $groupAllows)) {
return true;
}
}
}
}
}
return false;
}
/**
* Parses an INI file and returns an array that reflects the
* INI file's section structure. Double-quote friendly.
*
* @param string $filename File
* @return array INI section structure
*/
public function readConfigFile($filename) {
App::uses('IniReader', 'Configure');
$iniFile = new IniReader(dirname($filename) . DS);
return $iniFile->read(basename($filename));
}
/**
* Removes trailing spaces on all array elements (to prepare for searching)
*
* @param array $array Array to trim
* @return array Trimmed array
*/
public function arrayTrim($array) {
foreach ($array as $key => $value) {
$array[$key] = trim($value);
}
array_unshift($array, "");
return $array;
}
}