Class NPermission
Access control list (ACL) functionality and privileges management.
This solution is mostly based on Zend_Acl (c) Zend Technologies USA Inc. (http://www.zend.com), new BSD license
NObject | --NPermission
Implements interfaces:
Public Method Summary | |
---|---|
NPermission |
addResource
(string $resource, [string $parent =
NULL ])
Adds a Resource having an identifier unique to the list.
|
NPermission |
addRole
(string $role, [string|array $parents =
NULL ])
Adds a Role to the list.
|
NPermission |
allow
([string|array|NPermission::ALL $roles =
self::ALL ], [string|array|NPermission::ALL $resources = self::ALL ], [string|array|NPermission::ALL $privileges = self::ALL ], [IPermissionAssertion $assertion = NULL ])
Adds an "allow" rule to the list. A rule is added that would allow one or more Roles access to [certain $privileges upon] the specified Resource(s).
|
NPermission |
deny
([string|array|NPermission::ALL $roles =
self::ALL ], [string|array|NPermission::ALL $resources = self::ALL ], [string|array|NPermission::ALL $privileges = self::ALL ], [IPermissionAssertion $assertion = NULL ])
Adds a "deny" rule to the list. A rule is added that would deny one or more Roles access to [certain $privileges upon] the specified Resource(s).
|
mixed |
Returns real currently queried Resource. Use by IPermissionAssertion::asert().
|
mixed |
Returns real currently queried Role. Use by IPermissionAssertion::asert().
|
array |
getRoleParents
(string $role)
Returns an array of an existing Role's parents.
|
bool |
hasResource
(string $resource)
Returns TRUE if the Resource exists in the list.
|
bool |
hasRole
(string $role)
Returns TRUE if the Role exists in the list.
|
bool |
isAllowed
([string|NPermission::ALL|IRole $role =
self::ALL ], [string|NPermission::ALL|IResource $resource = self::ALL ], [string|NPermission::ALL $privilege = self::ALL ])
Returns TRUE if and only if the Role has access to the Resource.
|
NPermission |
removeAllow
([string|array|NPermission::ALL $roles =
self::ALL ], [string|array|NPermission::ALL $resources = self::ALL ], [string|array|NPermission::ALL $privileges = self::ALL ])
Removes "allow" permissions from the list. The rule is removed only in the context of the given Roles, Resources, and privileges. Existing rules to which the remove operation does not apply would remain in the
|
NPermission |
Removes all Resources.
|
NPermission |
Removes all Roles from the list.
|
NPermission |
removeDeny
([string|array|NPermission::ALL $roles =
self::ALL ], [string|array|NPermission::ALL $resources = self::ALL ], [string|array|NPermission::ALL $privileges = self::ALL ])
Removes "deny" restrictions from the list. The rule is removed only in the context of the given Roles, Resources, and privileges. Existing rules to which the remove operation does not apply would remain in the
|
NPermission |
removeResource
(string $resource)
Removes a Resource and all of its children.
|
NPermission |
removeRole
(string $role)
Removes the Role from the list.
|
bool |
resourceInheritsFrom
(string $resource, string $inherit, [boolean $onlyParent =
FALSE ])
Returns TRUE if $resource inherits from $inherit.
|
bool |
roleInheritsFrom
(string $role, string $inherit, [boolean $onlyParents =
FALSE ])
Returns TRUE if $role inherits from $inherit.
|
Protected Method Summary | |
---|---|
protected NPermission |
setRule
(bool $toAdd, bool $type, string|array|NPermission::ALL $roles, string|array|NPermission::ALL $resources, string|array|NPermission::ALL $privileges, [IPermissionAssertion $assertion =
NULL ])
Performs operations on Access NControl List rules.
|
Methods Inherited From NObject |
---|
extensionMethod(), getClass(), getReflection(), __call(), __callStatic(), __get(), __isset(), __set(), __unset() |
Method Details | |||||||||||||||||||||||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
line 281 addResourcepublic NPermission addResource (string $resource, [string $parent = Adds a Resource having an identifier unique to the list.
|
|||||||||||||||||||||||||||||||||
line 87 addRolepublic NPermission addRole (string $role, [string|array $parents = Adds a Role to the list. The $parents parameter may be a Role identifier (or array of identifiers) to indicate the Roles from which the newly added Role will directly inherit. In order to resolve potential ambiguities with conflicting rules inherited from different parents, the most recently added parent takes precedence over parents that were previously added. In other words, the first parent added will have the least priority, and the last parent added will have the highest priority.
|
|||||||||||||||||||||||||||||||||
line 462 allowpublic NPermission allow ([string|array|NPermission::ALL $roles = Adds an "allow" rule to the list. A rule is added that would allow one or more Roles access to [certain $privileges upon] the specified Resource(s). If either $roles or $resources is NPermission::ALL, then the rule applies to all Roles or all Resources, respectively. Both may be NPermission::ALL in order to work with the default rule of the ACL. The $privileges parameter may be used to further specify that the rule applies only to certain privileges upon the Resource(s) in question. This may be specified to be a single privilege with a string, and multiple privileges may be specified as an array of strings. If $assertion is provided, then its assert() method must return TRUE in order for the rule to apply. If $assertion is provided with $roles, $resources, and $privileges all equal to NULL, then a rule will imply a type of DENY when the rule's assertion fails.
|
|||||||||||||||||||||||||||||||||
line 491 denypublic NPermission deny ([string|array|NPermission::ALL $roles = Adds a "deny" rule to the list. A rule is added that would deny one or more Roles access to [certain $privileges upon] the specified Resource(s). If either $roles or $resources is NPermission::ALL, then the rule applies to all Roles or all Resources, respectively. Both may be NPermission::ALL in order to work with the default rule of the ACL. The $privileges parameter may be used to further specify that the rule applies only to certain privileges upon the Resource(s) in question. This may be specified to be a single privilege with a string, and multiple privileges may be specified as an array of strings. If $assertion is provided, then its assert() method must return TRUE in order for the rule to apply. If $assertion is provided with $roles, $resources, and $privileges all equal to NULL, then a rule will imply a type of ALLOW when the rule's assertion fails.
|
|||||||||||||||||||||||||||||||||
line 762 getQueriedResourcepublic mixed getQueriedResource () Returns real currently queried Resource. Use by IPermissionAssertion::asert().
|
|||||||||||||||||||||||||||||||||
line 751 getQueriedRolepublic mixed getQueriedRole () Returns real currently queried Role. Use by IPermissionAssertion::asert().
|
|||||||||||||||||||||||||||||||||
line 163 getRoleParentspublic array getRoleParents (string $role) Returns an array of an existing Role's parents. The parent Roles are ordered in this array by ascending priority. The highest priority parent Role, last in the array, corresponds with the parent Role most recently added. If the Role does not have any parents, then an empty array is returned.
|
|||||||||||||||||||||||||||||||||
line 309 hasResourcepublic bool hasResource (string $resource) Returns TRUE if the Resource exists in the list.
|
|||||||||||||||||||||||||||||||||
line 124 hasRolepublic bool hasRole (string $role) Returns TRUE if the Role exists in the list.
|
|||||||||||||||||||||||||||||||||
line 672 isAllowedpublic bool isAllowed ([string|NPermission::ALL|IRole $role = Returns TRUE if and only if the Role has access to the Resource. If either $role or $resource is NPermission::ALL, then the query applies to all Roles or all Resources, respectively. Both may be NPermission::ALL to query whether the ACL has a "blacklist" rule (allow everything to all). By default, NPermission creates a "whitelist" rule (deny everything to all), and this method would return FALSE unless this default has been overridden (i.e., by executing $acl->allow()). If a $privilege is not provided, then this method returns FALSE if and only if the Role is denied access to at least one privilege upon the Resource. In other words, this method returns TRUE if and only if the Role is allowed all privileges on the Resource. This method checks Role inheritance using a depth-first traversal of the Role list. The highest priority parent (i.e., the parent most recently added) is checked first, and its respective parents are checked similarly before the lower-priority parents of the Role are checked. Implementation of:
|
|||||||||||||||||||||||||||||||||
line 509 removeAllowpublic NPermission removeAllow ([string|array|NPermission::ALL $roles = Removes "allow" permissions from the list. The rule is removed only in the context of the given Roles, Resources, and privileges. Existing rules to which the remove operation does not apply would remain in the
|
|||||||||||||||||||||||||||||||||
line 421 removeAllResourcespublic NPermission removeAllResources () Removes all Resources.
|
|||||||||||||||||||||||||||||||||
line 250 removeAllRolespublic NPermission removeAllRoles () Removes all Roles from the list.
|
|||||||||||||||||||||||||||||||||
line 527 removeDenypublic NPermission removeDeny ([string|array|NPermission::ALL $roles = Removes "deny" restrictions from the list. The rule is removed only in the context of the given Roles, Resources, and privileges. Existing rules to which the remove operation does not apply would remain in the
|
|||||||||||||||||||||||||||||||||
line 386 removeResourcepublic NPermission removeResource (string $resource) Removes a Resource and all of its children.
|
|||||||||||||||||||||||||||||||||
line 214 removeRolepublic NPermission removeRole (string $role) Removes the Role from the list.
|
|||||||||||||||||||||||||||||||||
line 350 resourceInheritsFrompublic bool resourceInheritsFrom (string $resource, string $inherit, [boolean $onlyParent = Returns TRUE if $resource inherits from $inherit. If $onlyParents is TRUE, then $resource must inherit directly from $inherit in order to return TRUE. By default, this method looks through the entire inheritance tree to determine whether $resource inherits from $inherit through its ancestor Resources.
|
|||||||||||||||||||||||||||||||||
line 185 roleInheritsFrompublic bool roleInheritsFrom (string $role, string $inherit, [boolean $onlyParents = Returns TRUE if $role inherits from $inherit. If $onlyParents is TRUE, then $role must inherit directly from $inherit in order to return TRUE. By default, this method looks through the entire inheritance DAG to determine whether $role inherits from $inherit through its ancestor Roles.
|
|||||||||||||||||||||||||||||||||
line 547 setRuleprotected NPermission setRule (bool $toAdd, bool $type, string|array|NPermission::ALL $roles, string|array|NPermission::ALL $resources, string|array|NPermission::ALL $privileges, [IPermissionAssertion $assertion = Performs operations on Access NControl List rules.
|