Improve ACL handling.
parent
bcd50a8453
commit
80a8cdca3f
2 changed files with 87 additions and 47 deletions
|
|
@ -2,50 +2,93 @@
|
|||
|
||||
namespace Httpcb;
|
||||
|
||||
use Phalcon\Acl\Role,
|
||||
Phalcon\Acl\Adapter\Memory as AclList;
|
||||
use Phalcon\Config,
|
||||
Phalcon\Acl\Role,
|
||||
Phalcon\Acl\Adapter\Memory as Adapter;
|
||||
|
||||
class Acl extends AclList
|
||||
class Acl
|
||||
{
|
||||
const ROLE_USER = 'user';
|
||||
const ROLE_GUEST = 'guest';
|
||||
|
||||
public function __construct()
|
||||
/**
|
||||
* @var Adapter
|
||||
*/
|
||||
protected $_adapter = null;
|
||||
|
||||
public function __construct(Config $config)
|
||||
{
|
||||
$this->_adapter = new Adapter();
|
||||
|
||||
// Deny access to everything by default.
|
||||
$this->setDefaultAction(\Phalcon\Acl::DENY);
|
||||
$this->_adapter->setDefaultAction(\Phalcon\Acl::DENY);
|
||||
|
||||
// Roles
|
||||
$guest = new Role(self::ROLE_GUEST);
|
||||
$user = new Role(self::ROLE_USER);
|
||||
|
||||
$this->addRole($guest);
|
||||
$this->addRole($user, $guest);
|
||||
|
||||
// Public Resources
|
||||
$public = array(
|
||||
'index',
|
||||
'error',
|
||||
'auth',
|
||||
'api',
|
||||
);
|
||||
|
||||
$this->_grant($guest, $public);
|
||||
|
||||
// Protected Resources
|
||||
$protected = array(
|
||||
'callback',
|
||||
'user',
|
||||
);
|
||||
|
||||
$this->_grant($user, $protected);
|
||||
$this->fromConfig($config);
|
||||
}
|
||||
|
||||
protected function _grant(Role $role, array $resources)
|
||||
/**
|
||||
* @param $role
|
||||
* @param $resource
|
||||
* @return bool
|
||||
*/
|
||||
public function isAllowed($role, $resource)
|
||||
{
|
||||
foreach($resources as $resource) {
|
||||
$this->addResource($resource, 'Read');
|
||||
$this->allow($role->getName(), $resource, 'Read');
|
||||
return $this->_adapter->isAllowed($role, $resource, 'All') == \Phalcon\Acl::ALLOW;
|
||||
}
|
||||
|
||||
/**
|
||||
* @param string $resource
|
||||
* @return bool
|
||||
*/
|
||||
public function hasResource($resource)
|
||||
{
|
||||
return $this->_adapter->isResource($resource);
|
||||
}
|
||||
|
||||
public function fromConfig(Config $config)
|
||||
{
|
||||
// Add roles.
|
||||
foreach($config->roles as $name => $def) {
|
||||
|
||||
$inherits = null;
|
||||
$description = null;
|
||||
|
||||
if ($def instanceof Config) {
|
||||
$inherits = $def->get('inherits');
|
||||
$description = $def->get('description');
|
||||
|
||||
}
|
||||
|
||||
$role = new Role($name, $description);
|
||||
$this->_adapter->addRole($role, $inherits);
|
||||
}
|
||||
|
||||
// Zones
|
||||
foreach($config->zones as $name => $resources) {
|
||||
|
||||
if (!($resources instanceof Config)) {
|
||||
$resources = new Config([ $resources ]);
|
||||
}
|
||||
|
||||
foreach($resources as $resource) {
|
||||
$this->_adapter->addResource($resource, 'All');
|
||||
}
|
||||
}
|
||||
|
||||
// Grant access for roles and resources.
|
||||
foreach($config->roles as $name => $def) {
|
||||
|
||||
$zones = $def->get('allowed-zones', []);
|
||||
|
||||
if (is_string($zones)) {
|
||||
$zones = [ $zones ];
|
||||
}
|
||||
|
||||
foreach($zones as $zone) {
|
||||
foreach($config->zones->get($zone) as $resource) {
|
||||
$this->_adapter->allow($name, $resource, 'All');
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
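Review bot: The grant loop at the end of `fromConfig` calls `$def->get('allowed-zones', [])` without the `$def instanceof Config` check that the role loop above it applies, so a role defined as a bare scalar would hit a method call on a non-object while the ACL is being built. Likewise `$config->zones->get($zone)` is iterated directly, although the zone loop shows that a zone may be a single scalar, and a misspelled zone name would presumably return null. With the default action set to DENY both cases appear to fail closed, but either silently or with a fatal error. I would add `if (!($def instanceof Config)) { continue; }` at the top of the grant loop and reject unknown zone names explicitly, so that a config typo is reported instead of quietly dropping a grant. The +/- markers are lost on this page, so this assumes `fromConfig` is on the new side, which the call to it from the `Config`-taking constructor suggests.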
|
||||
|
|
|
|||