<?php

/*
 * This file is part of open source system FreenetIS
 * and it is released under GPLv3 licence.
 *
 * More info about licence can be found:
 * http://www.gnu.org/licenses/gpl-3.0.html
 *
 * More info about project can be found:
 * http://www.freenetis.org/
 */

namespace freenetis\service\core;

/**
 * Service that handles access security check (ACL).
 *
 * All checks are delegated to a shared \Groups_aro_map_Model resolver and
 * evaluated for the user stored in the PHP session ($_SESSION['user_id']),
 * so a session must be active before this service is used.
 *
 * @author Ondřej Fibich <ondrej.fibich@gmail.com>
 * @since 1.2
 */
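class AclService extends \AbstractService
{
    /**
     * Shared ACL resolver, created once and reused by every service instance.
     *
     * @var \Groups_aro_map_Model
     */
    private static $resolver = NULL;

    /**
     * Creates service.
     *
     * @param \ServiceFactory $factory
     */
    public function __construct(\ServiceFactory $factory)
    {
        parent::__construct($factory);

        // singleton resolver instance
        if (self::$resolver === NULL)
        {
            self::$resolver = new \Groups_aro_map_Model();
        }
    }

    /**
     * Reads a value from the session without raising a notice when the key
     * is not present (e.g. for a not logged user).
     *
     * @param string $key Session key
     * @return mixed Stored value or NULL if the key is not set
     */
    private static function session_value($key)
    {
        return isset($_SESSION[$key]) ? $_SESSION[$key] : NULL;
    }

    /**
     * Tells whether the passed object owner is the member of the currently
     * logged user, i.e. whether the "own" ACL rules may be applied.
     *
     * Both sides are compared as integers and a missing owner (NULL) or a
     * missing session member never matches. A loose "==" comparison would
     * treat NULL, 0, '' and '0' as equal to each other, which could apply the
     * own rules to an object without an owner or to a not logged user; that
     * case is reserved for the explicit $force_own flag of can().
     *
     * @param integer|null $member_id Object owner ID
     * @return boolean
     */
    private static function is_own_member($member_id)
    {
        $session_member_id = self::session_value('member_id');

        if ($member_id === NULL || $session_member_id === NULL)
        {
            return FALSE;
        }

        return (int) $member_id === (int) $session_member_id;
    }

    /**
     * Checks user's access to system.
     *
     * The "own" rules ($aco_type . '_own') are consulted first when the
     * object owner matches the logged user's member or when $force_own is
     * set; if they do not grant access the "all" rules ($aco_type . '_all')
     * decide.
     *
     * @param string $axo_section AXO section value
     * @param string $axo_value AXO value
     * @param string $aco_type ACO type of action (view, new, edit, delete)
     * @param integer $member_id Member who asks for access [optional]
     * @param boolean $force_own Force to use own rules for not logged user
     *                           [optional]
     * @return boolean
     */
    private function can($axo_section, $axo_value, $aco_type,
            $member_id = NULL, $force_own = FALSE)
    {
        $user_id = self::session_value('user_id');

        // check own?
        if ($force_own || self::is_own_member($member_id))
        {
            // check own access
            if (self::$resolver->has_access(
                    $user_id, $aco_type . '_own', $axo_section, $axo_value
            ))
            {
                // access valid
                return TRUE;
            }
        }

        // check all
        return self::$resolver->has_access(
                $user_id, $aco_type . '_all', $axo_section, $axo_value
        );
    }

    /**
     * Checks if user is in ARO group.
     *
     * @param integer $aro_group_id ARO group ID
     * @param integer $aro_id User ID
     * @return boolean true if exists false otherwise
     */
    public function is_user_in_group($aro_group_id, $aro_id)
    {
        return self::$resolver->groups_aro_map_exists($aro_group_id, $aro_id);
    }

    /**
     * Function that checks access rights for viewing of objects protected by
     * passed AXOs for the current logged user.
     * <p>
     * There are two types of access:
     * <ul>
     * <li>own - passed member ID is owner of this object and all its users may
     * have access,
     * <li>all - all users may have access.
     * </ul>
     *
     * @param string $axo_section AXO section name
     * @param string $axo_value AXO value
     * @param integer $member_id Object owner ID [optional]
     * @param boolean $force_own Force to use own rules for not logged user
     *                           [optional]
     * @return boolean
     */
    public function can_view($axo_section, $axo_value, $member_id = NULL,
            $force_own = FALSE)
    {
        return $this->can($axo_section, $axo_value, 'view', $member_id, $force_own);
    }

    /**
     * Function that checks access rights for editing of objects protected by
     * passed AXOs for the current logged user.
     * <p>
     * There are two types of access:
     * <ul>
     * <li>own - passed member ID is owner of this object and all its users may
     * have access,
     * <li>all - all users may have access.
     * </ul>
     *
     * @param string $axo_section AXO section name
     * @param string $axo_value AXO value
     * @param integer $member_id Object owner ID [optional]
     * @param boolean $force_own Force to use own rules for not logged user
     *                           [optional]
     * @return boolean
     */
    public function can_edit($axo_section, $axo_value, $member_id = NULL,
            $force_own = FALSE)
    {
        return $this->can($axo_section, $axo_value, 'edit', $member_id, $force_own);
    }

    /**
     * Function that checks access rights for creating of objects protected by
     * passed AXOs for the current logged user.
     * <p>
     * There are two types of access:
     * <ul>
     * <li>own - passed member ID is owner of this object and all its users may
     * have access,
     * <li>all - all users may have access.
     * </ul>
     *
     * @param string $axo_section AXO section name
     * @param string $axo_value AXO value
     * @param integer $member_id Object owner ID [optional]
     * @param boolean $force_own Force to use own rules for not logged user
     *                           [optional]
     * @return boolean
     */
    public function can_create($axo_section, $axo_value, $member_id = NULL,
            $force_own = FALSE)
    {
        return $this->can($axo_section, $axo_value, 'new', $member_id, $force_own);
    }

    /**
     * Function that checks access rights for deletion of objects protected by
     * passed AXOs for the current logged user.
     * <p>
     * There are two types of access:
     * <ul>
     * <li>own - passed member ID is owner of this object and all its users may
     * have access,
     * <li>all - all users may have access.
     * </ul>
     *
     * @param string $axo_section AXO section name
     * @param string $axo_value AXO value
     * @param integer $member_id Object owner ID [optional]
     * @param boolean $force_own Force to use own rules for not logged user
     *                           [optional]
     * @return boolean
     */
    public function can_delete($axo_section, $axo_value, $member_id = NULL,
            $force_own = FALSE)
    {
        return $this->can($axo_section, $axo_value, 'delete', $member_id, $force_own);
    }
}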