search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Added the zend framework 2 library, the path is specified in line no.26 in zend_modul...
[openemr.git] / interface / modules / zend_modules / library / Zend / Permissions / Acl / Acl.php
bloba9cad33928ac4383976eef0f612cf298cc92cf39
1 <?php
2 /**
3 * Zend Framework (http://framework.zend.com/)
4 *
5 * @link http://github.com/zendframework/zf2 for the canonical source repository
6 * @copyright Copyright (c) 2005-2013 Zend Technologies USA Inc. (http://www.zend.com)
7 * @license http://framework.zend.com/license/new-bsd New BSD License
8 */
9
10 namespace Zend\Permissions\Acl;
11
12 class Acl implements AclInterface
13 {
14 /**
15 * Rule type: allow
16 */
17 const TYPE_ALLOW = 'TYPE_ALLOW';
18
19 /**
20 * Rule type: deny
21 */
22 const TYPE_DENY = 'TYPE_DENY';
23
24 /**
25 * Rule operation: add
26 */
27 const OP_ADD = 'OP_ADD';
28
29 /**
30 * Rule operation: remove
31 */
32 const OP_REMOVE = 'OP_REMOVE';
33
34 /**
35 * Role registry
36 *
37 * @var Role\Registry
38 */
39 protected $roleRegistry = null;
40
41 /**
42 * Resource tree
43 *
44 * @var array
45 */
46 protected $resources = array();
47
48 /**
49 * @var Role\RoleInterface
50 */
51 protected $isAllowedRole = null;
52
53 /**
54 * @var Resource
55 */
56 protected $isAllowedResource = null;
57
58 /**
59 * @var string
60 */
61 protected $isAllowedPrivilege = null;
62
63 /**
64 * ACL rules; whitelist (deny everything to all) by default
65 *
66 * @var array
67 */
68 protected $rules = array(
69 'allResources' => array(
70 'allRoles' => array(
71 'allPrivileges' => array(
72 'type' => self::TYPE_DENY,
73 'assert' => null
74 ),
75 'byPrivilegeId' => array()
76 ),
77 'byRoleId' => array()
78 ),
79 'byResourceId' => array()
80 );
81
82 /**
83 * Adds a Role having an identifier unique to the registry
84 *
85 * The $parents parameter may be a reference to, or the string identifier for,
86 * a Role existing in the registry, or $parents may be passed as an array of
87 * these - mixing string identifiers and objects is ok - to indicate the Roles
88 * from which the newly added Role will directly inherit.
89 *
90 * In order to resolve potential ambiguities with conflicting rules inherited
91 * from different parents, the most recently added parent takes precedence over
92 * parents that were previously added. In other words, the first parent added
93 * will have the least priority, and the last parent added will have the
94 * highest priority.
95 *
96 * @param Role\RoleInterface|string $role
97 * @param Role\RoleInterface|string|array $parents
98 * @throws Exception\InvalidArgumentException
99 * @return Acl Provides a fluent interface
100 */
101 public function addRole($role, $parents = null)
102 {
103 if (is_string($role)) {
104 $role = new Role\GenericRole($role);
105 } elseif (!$role instanceof Role\RoleInterface) {
106 throw new Exception\InvalidArgumentException(
107 'addRole() expects $role to be of type Zend\Permissions\Acl\Role\RoleInterface'
108 );
109 }
110
111
112 $this->getRoleRegistry()->add($role, $parents);
113
114 return $this;
115 }
116
117 /**
118 * Returns the identified Role
119 *
120 * The $role parameter can either be a Role or Role identifier.
121 *
122 * @param Role\RoleInterface|string $role
123 * @return Role\RoleInterface
124 */
125 public function getRole($role)
126 {
127 return $this->getRoleRegistry()->get($role);
128 }
129
130 /**
131 * Returns true if and only if the Role exists in the registry
132 *
133 * The $role parameter can either be a Role or a Role identifier.
134 *
135 * @param Role\RoleInterface|string $role
136 * @return bool
137 */
138 public function hasRole($role)
139 {
140 return $this->getRoleRegistry()->has($role);
141 }
142
143 /**
144 * Returns true if and only if $role inherits from $inherit
145 *
146 * Both parameters may be either a Role or a Role identifier. If
147 * $onlyParents is true, then $role must inherit directly from
148 * $inherit in order to return true. By default, this method looks
149 * through the entire inheritance DAG to determine whether $role
150 * inherits from $inherit through its ancestor Roles.
151 *
152 * @param Role\RoleInterface|string $role
153 * @param Role\RoleInterface|string $inherit
154 * @param bool $onlyParents
155 * @return bool
156 */
157 public function inheritsRole($role, $inherit, $onlyParents = false)
158 {
159 return $this->getRoleRegistry()->inherits($role, $inherit, $onlyParents);
160 }
161
162 /**
163 * Removes the Role from the registry
164 *
165 * The $role parameter can either be a Role or a Role identifier.
166 *
167 * @param Role\RoleInterface|string $role
168 * @return Acl Provides a fluent interface
169 */
170 public function removeRole($role)
171 {
172 $this->getRoleRegistry()->remove($role);
173
174 if ($role instanceof Role\RoleInterface) {
175 $roleId = $role->getRoleId();
176 } else {
177 $roleId = $role;
178 }
179
180 foreach ($this->rules['allResources']['byRoleId'] as $roleIdCurrent => $rules) {
181 if ($roleId === $roleIdCurrent) {
182 unset($this->rules['allResources']['byRoleId'][$roleIdCurrent]);
183 }
184 }
185 foreach ($this->rules['byResourceId'] as $resourceIdCurrent => $visitor) {
186 if (array_key_exists('byRoleId', $visitor)) {
187 foreach ($visitor['byRoleId'] as $roleIdCurrent => $rules) {
188 if ($roleId === $roleIdCurrent) {
189 unset($this->rules['byResourceId'][$resourceIdCurrent]['byRoleId'][$roleIdCurrent]);
190 }
191 }
192 }
193 }
194
195 return $this;
196 }
197
198 /**
199 * Removes all Roles from the registry
200 *
201 * @return Acl Provides a fluent interface
202 */
203 public function removeRoleAll()
204 {
205 $this->getRoleRegistry()->removeAll();
206
207 foreach ($this->rules['allResources']['byRoleId'] as $roleIdCurrent => $rules) {
208 unset($this->rules['allResources']['byRoleId'][$roleIdCurrent]);
209 }
210 foreach ($this->rules['byResourceId'] as $resourceIdCurrent => $visitor) {
211 foreach ($visitor['byRoleId'] as $roleIdCurrent => $rules) {
212 unset($this->rules['byResourceId'][$resourceIdCurrent]['byRoleId'][$roleIdCurrent]);
213 }
214 }
215
216 return $this;
217 }
218
219 /**
220 * Adds a Resource having an identifier unique to the ACL
221 *
222 * The $parent parameter may be a reference to, or the string identifier for,
223 * the existing Resource from which the newly added Resource will inherit.
224 *
225 * @param Resource\ResourceInterface|string $resource
226 * @param Resource\ResourceInterface|string $parent
227 * @throws Exception\InvalidArgumentException
228 * @return Acl Provides a fluent interface
229 */
230 public function addResource($resource, $parent = null)
231 {
232 if (is_string($resource)) {
233 $resource = new Resource\GenericResource($resource);
234 } elseif (!$resource instanceof Resource\ResourceInterface) {
235 throw new Exception\InvalidArgumentException(
236 'addResource() expects $resource to be of type Zend\Permissions\Acl\Resource\ResourceInterface'
237 );
238 }
239
240 $resourceId = $resource->getResourceId();
241
242 if ($this->hasResource($resourceId)) {
243 throw new Exception\InvalidArgumentException("Resource id '$resourceId' already exists in the ACL");
244 }
245
246 $resourceParent = null;
247
248 if (null !== $parent) {
249 try {
250 if ($parent instanceof Resource\ResourceInterface) {
251 $resourceParentId = $parent->getResourceId();
252 } else {
253 $resourceParentId = $parent;
254 }
255 $resourceParent = $this->getResource($resourceParentId);
256 } catch (\Exception $e) {
257 throw new Exception\InvalidArgumentException(sprintf(
258 'Parent Resource id "%s" does not exist',
259 $resourceParentId
260 ), 0, $e);
261 }
262 $this->resources[$resourceParentId]['children'][$resourceId] = $resource;
263 }
264
265 $this->resources[$resourceId] = array(
266 'instance' => $resource,
267 'parent' => $resourceParent,
268 'children' => array()
269 );
270
271 return $this;
272 }
273
274 /**
275 * Returns the identified Resource
276 *
277 * The $resource parameter can either be a Resource or a Resource identifier.
278 *
279 * @param Resource\ResourceInterface|string $resource
280 * @throws Exception\InvalidArgumentException
281 * @return Resource
282 */
283 public function getResource($resource)
284 {
285 if ($resource instanceof Resource\ResourceInterface) {
286 $resourceId = $resource->getResourceId();
287 } else {
288 $resourceId = (string) $resource;
289 }
290
291 if (!$this->hasResource($resource)) {
292 throw new Exception\InvalidArgumentException("Resource '$resourceId' not found");
293 }
294
295 return $this->resources[$resourceId]['instance'];
296 }
297
298 /**
299 * Returns true if and only if the Resource exists in the ACL
300 *
301 * The $resource parameter can either be a Resource or a Resource identifier.
302 *
303 * @param Resource\ResourceInterface|string $resource
304 * @return bool
305 */
306 public function hasResource($resource)
307 {
308 if ($resource instanceof Resource\ResourceInterface) {
309 $resourceId = $resource->getResourceId();
310 } else {
311 $resourceId = (string) $resource;
312 }
313
314 return isset($this->resources[$resourceId]);
315 }
316
317 /**
318 * Returns true if and only if $resource inherits from $inherit
319 *
320 * Both parameters may be either a Resource or a Resource identifier. If
321 * $onlyParent is true, then $resource must inherit directly from
322 * $inherit in order to return true. By default, this method looks
323 * through the entire inheritance tree to determine whether $resource
324 * inherits from $inherit through its ancestor Resources.
325 *
326 * @param Resource\ResourceInterface|string $resource
327 * @param Resource\ResourceInterface|string inherit
328 * @param bool $onlyParent
329 * @throws Exception\InvalidArgumentException
330 * @return bool
331 */
332 public function inheritsResource($resource, $inherit, $onlyParent = false)
333 {
334 try {
335 $resourceId = $this->getResource($resource)->getResourceId();
336 $inheritId = $this->getResource($inherit)->getResourceId();
337 } catch (Exception\ExceptionInterface $e) {
338 throw new Exception\InvalidArgumentException($e->getMessage(), $e->getCode(), $e);
339 }
340
341 if (null !== $this->resources[$resourceId]['parent']) {
342 $parentId = $this->resources[$resourceId]['parent']->getResourceId();
343 if ($inheritId === $parentId) {
344 return true;
345 } elseif ($onlyParent) {
346 return false;
347 }
348 } else {
349 return false;
350 }
351
352 while (null !== $this->resources[$parentId]['parent']) {
353 $parentId = $this->resources[$parentId]['parent']->getResourceId();
354 if ($inheritId === $parentId) {
355 return true;
356 }
357 }
358
359 return false;
360 }
361
362 /**
363 * Removes a Resource and all of its children
364 *
365 * The $resource parameter can either be a Resource or a Resource identifier.
366 *
367 * @param Resource\ResourceInterface|string $resource
368 * @throws Exception\InvalidArgumentException
369 * @return Acl Provides a fluent interface
370 */
371 public function removeResource($resource)
372 {
373 try {
374 $resourceId = $this->getResource($resource)->getResourceId();
375 } catch (Exception\ExceptionInterface $e) {
376 throw new Exception\InvalidArgumentException($e->getMessage(), $e->getCode(), $e);
377 }
378
379 $resourcesRemoved = array($resourceId);
380 if (null !== ($resourceParent = $this->resources[$resourceId]['parent'])) {
381 unset($this->resources[$resourceParent->getResourceId()]['children'][$resourceId]);
382 }
383 foreach ($this->resources[$resourceId]['children'] as $childId => $child) {
384 $this->removeResource($childId);
385 $resourcesRemoved[] = $childId;
386 }
387
388 foreach ($resourcesRemoved as $resourceIdRemoved) {
389 foreach ($this->rules['byResourceId'] as $resourceIdCurrent => $rules) {
390 if ($resourceIdRemoved === $resourceIdCurrent) {
391 unset($this->rules['byResourceId'][$resourceIdCurrent]);
392 }
393 }
394 }
395
396 unset($this->resources[$resourceId]);
397
398 return $this;
399 }
400
401 /**
402 * Removes all Resources
403 *
404 * @return Acl Provides a fluent interface
405 */
406 public function removeResourceAll()
407 {
408 foreach ($this->resources as $resourceId => $resource) {
409 foreach ($this->rules['byResourceId'] as $resourceIdCurrent => $rules) {
410 if ($resourceId === $resourceIdCurrent) {
411 unset($this->rules['byResourceId'][$resourceIdCurrent]);
412 }
413 }
414 }
415
416 $this->resources = array();
417
418 return $this;
419 }
420
421 /**
422 * Adds an "allow" rule to the ACL
423 *
424 * @param Role\RoleInterface|string|array $roles
425 * @param Resource\ResourceInterface|string|array $resources
426 * @param string|array $privileges
427 * @param Assertion\AssertionInterface $assert
428 * @return Acl Provides a fluent interface
429 */
430 public function allow($roles = null, $resources = null, $privileges = null, Assertion\AssertionInterface $assert = null)
431 {
432 return $this->setRule(self::OP_ADD, self::TYPE_ALLOW, $roles, $resources, $privileges, $assert);
433 }
434
435 /**
436 * Adds a "deny" rule to the ACL
437 *
438 * @param Role\RoleInterface|string|array $roles
439 * @param Resource\ResourceInterface|string|array $resources
440 * @param string|array $privileges
441 * @param Assertion\AssertionInterface $assert
442 * @return Acl Provides a fluent interface
443 */
444 public function deny($roles = null, $resources = null, $privileges = null, Assertion\AssertionInterface $assert = null)
445 {
446 return $this->setRule(self::OP_ADD, self::TYPE_DENY, $roles, $resources, $privileges, $assert);
447 }
448
449 /**
450 * Removes "allow" permissions from the ACL
451 *
452 * @param Role\RoleInterface|string|array $roles
453 * @param Resource\ResourceInterface|string|array $resources
454 * @param string|array $privileges
455 * @return Acl Provides a fluent interface
456 */
457 public function removeAllow($roles = null, $resources = null, $privileges = null)
458 {
459 return $this->setRule(self::OP_REMOVE, self::TYPE_ALLOW, $roles, $resources, $privileges);
460 }
461
462 /**
463 * Removes "deny" restrictions from the ACL
464 *
465 * @param Role\RoleInterface|string|array $roles
466 * @param Resource\ResourceInterface|string|array $resources
467 * @param string|array $privileges
468 * @return Acl Provides a fluent interface
469 */
470 public function removeDeny($roles = null, $resources = null, $privileges = null)
471 {
472 return $this->setRule(self::OP_REMOVE, self::TYPE_DENY, $roles, $resources, $privileges);
473 }
474
475 /**
476 * Performs operations on ACL rules
477 *
478 * The $operation parameter may be either OP_ADD or OP_REMOVE, depending on whether the
479 * user wants to add or remove a rule, respectively:
480 *
481 * OP_ADD specifics:
482 *
483 * A rule is added that would allow one or more Roles access to [certain $privileges
484 * upon] the specified Resource(s).
485 *
486 * OP_REMOVE specifics:
487 *
488 * The rule is removed only in the context of the given Roles, Resources, and privileges.
489 * Existing rules to which the remove operation does not apply would remain in the
490 * ACL.
491 *
492 * The $type parameter may be either TYPE_ALLOW or TYPE_DENY, depending on whether the
493 * rule is intended to allow or deny permission, respectively.
494 *
495 * The $roles and $resources parameters may be references to, or the string identifiers for,
496 * existing Resources/Roles, or they may be passed as arrays of these - mixing string identifiers
497 * and objects is ok - to indicate the Resources and Roles to which the rule applies. If either
498 * $roles or $resources is null, then the rule applies to all Roles or all Resources, respectively.
499 * Both may be null in order to work with the default rule of the ACL.
500 *
501 * The $privileges parameter may be used to further specify that the rule applies only
502 * to certain privileges upon the Resource(s) in question. This may be specified to be a single
503 * privilege with a string, and multiple privileges may be specified as an array of strings.
504 *
505 * If $assert is provided, then its assert() method must return true in order for
506 * the rule to apply. If $assert is provided with $roles, $resources, and $privileges all
507 * equal to null, then a rule having a type of:
508 *
509 * TYPE_ALLOW will imply a type of TYPE_DENY, and
510 *
511 * TYPE_DENY will imply a type of TYPE_ALLOW
512 *
513 * when the rule's assertion fails. This is because the ACL needs to provide expected
514 * behavior when an assertion upon the default ACL rule fails.
515 *
516 * @param string $operation
517 * @param string $type
518 * @param Role\RoleInterface|string|array $roles
519 * @param Resource\ResourceInterface|string|array $resources
520 * @param string|array $privileges
521 * @param Assertion\AssertionInterface $assert
522 * @throws Exception\InvalidArgumentException
523 * @return Acl Provides a fluent interface
524 */
525 public function setRule($operation, $type, $roles = null, $resources = null,
526 $privileges = null, Assertion\AssertionInterface $assert = null
527 ) {
528 // ensure that the rule type is valid; normalize input to uppercase
529 $type = strtoupper($type);
530 if (self::TYPE_ALLOW !== $type && self::TYPE_DENY !== $type) {
531 throw new Exception\InvalidArgumentException(sprintf(
532 'Unsupported rule type; must be either "%s" or "%s"',
533 self::TYPE_ALLOW,
534 self::TYPE_DENY
535 ));
536 }
537
538 // ensure that all specified Roles exist; normalize input to array of Role objects or null
539 if (!is_array($roles)) {
540 $roles = array($roles);
541 } elseif (0 === count($roles)) {
542 $roles = array(null);
543 }
544 $rolesTemp = $roles;
545 $roles = array();
546 foreach ($rolesTemp as $role) {
547 if (null !== $role) {
548 $roles[] = $this->getRoleRegistry()->get($role);
549 } else {
550 $roles[] = null;
551 }
552 }
553 unset($rolesTemp);
554
555 // ensure that all specified Resources exist; normalize input to array of Resource objects or null
556 if (!is_array($resources)) {
557 if (null === $resources && count($this->resources) > 0) {
558 $resources = array_keys($this->resources);
559 // Passing a null resource; make sure "global" permission is also set!
560 if (!in_array(null, $resources)) {
561 array_unshift($resources, null);
562 }
563 } else {
564 $resources = array($resources);
565 }
566 } elseif (0 === count($resources)) {
567 $resources = array(null);
568 }
569 $resourcesTemp = $resources;
570 $resources = array();
571 foreach ($resourcesTemp as $resource) {
572 if (null !== $resource) {
573 $resourceObj = $this->getResource($resource);
574 $resourceId = $resourceObj->getResourceId();
575 $children = $this->getChildResources($resourceObj);
576 $resources = array_merge($resources, $children);
577 $resources[$resourceId] = $resourceObj;
578 } else {
579 $resources[] = null;
580 }
581 }
582 unset($resourcesTemp);
583
584 // normalize privileges to array
585 if (null === $privileges) {
586 $privileges = array();
587 } elseif (!is_array($privileges)) {
588 $privileges = array($privileges);
589 }
590
591 switch ($operation) {
592 // add to the rules
593 case self::OP_ADD:
594 foreach ($resources as $resource) {
595 foreach ($roles as $role) {
596 $rules =& $this->getRules($resource, $role, true);
597 if (0 === count($privileges)) {
598 $rules['allPrivileges']['type'] = $type;
599 $rules['allPrivileges']['assert'] = $assert;
600 if (!isset($rules['byPrivilegeId'])) {
601 $rules['byPrivilegeId'] = array();
602 }
603 } else {
604 foreach ($privileges as $privilege) {
605 $rules['byPrivilegeId'][$privilege]['type'] = $type;
606 $rules['byPrivilegeId'][$privilege]['assert'] = $assert;
607 }
608 }
609 }
610 }
611 break;
612
613 // remove from the rules
614 case self::OP_REMOVE:
615 foreach ($resources as $resource) {
616 foreach ($roles as $role) {
617 $rules =& $this->getRules($resource, $role);
618 if (null === $rules) {
619 continue;
620 }
621 if (0 === count($privileges)) {
622 if (null === $resource && null === $role) {
623 if ($type === $rules['allPrivileges']['type']) {
624 $rules = array(
625 'allPrivileges' => array(
626 'type' => self::TYPE_DENY,
627 'assert' => null
628 ),
629 'byPrivilegeId' => array()
630 );
631 }
632 continue;
633 }
634
635 if (isset($rules['allPrivileges']['type']) &&
636 $type === $rules['allPrivileges']['type'])
637 {
638 unset($rules['allPrivileges']);
639 }
640 } else {
641 foreach ($privileges as $privilege) {
642 if (isset($rules['byPrivilegeId'][$privilege]) &&
643 $type === $rules['byPrivilegeId'][$privilege]['type'])
644 {
645 unset($rules['byPrivilegeId'][$privilege]);
646 }
647 }
648 }
649 }
650 }
651 break;
652
653 default:
654 throw new Exception\InvalidArgumentException(sprintf(
655 'Unsupported operation; must be either "%s" or "%s"',
656 self::OP_ADD,
657 self::OP_REMOVE
658 ));
659 }
660
661 return $this;
662 }
663
664 /**
665 * Returns all child resources from the given resource.
666 *
667 * @param Resource\ResourceInterface|string $resource
668 * @return Resource\ResourceInterface[]
669 */
670 protected function getChildResources(Resource\ResourceInterface $resource)
671 {
672 $return = array();
673 $id = $resource->getResourceId();
674
675 $children = $this->resources[$id]['children'];
676 foreach ($children as $child) {
677 $child_return = $this->getChildResources($child);
678 $child_return[$child->getResourceId()] = $child;
679
680 $return = array_merge($return, $child_return);
681 }
682
683 return $return;
684 }
685
686 /**
687 * Returns true if and only if the Role has access to the Resource
688 *
689 * The $role and $resource parameters may be references to, or the string identifiers for,
690 * an existing Resource and Role combination.
691 *
692 * If either $role or $resource is null, then the query applies to all Roles or all Resources,
693 * respectively. Both may be null to query whether the ACL has a "blacklist" rule
694 * (allow everything to all). By default, Zend\Permissions\Acl creates a "whitelist" rule (deny
695 * everything to all), and this method would return false unless this default has
696 * been overridden (i.e., by executing $acl->allow()).
697 *
698 * If a $privilege is not provided, then this method returns false if and only if the
699 * Role is denied access to at least one privilege upon the Resource. In other words, this
700 * method returns true if and only if the Role is allowed all privileges on the Resource.
701 *
702 * This method checks Role inheritance using a depth-first traversal of the Role registry.
703 * The highest priority parent (i.e., the parent most recently added) is checked first,
704 * and its respective parents are checked similarly before the lower-priority parents of
705 * the Role are checked.
706 *
707 * @param Role\RoleInterface|string $role
708 * @param Resource\ResourceInterface|string $resource
709 * @param string $privilege
710 * @return bool
711 */
712 public function isAllowed($role = null, $resource = null, $privilege = null)
713 {
714 // reset role & resource to null
715 $this->isAllowedRole = null;
716 $this->isAllowedResource = null;
717 $this->isAllowedPrivilege = null;
718
719 if (null !== $role) {
720 // keep track of originally called role
721 $this->isAllowedRole = $role;
722 $role = $this->getRoleRegistry()->get($role);
723 if (!$this->isAllowedRole instanceof Role\RoleInterface) {
724 $this->isAllowedRole = $role;
725 }
726 }
727
728 if (null !== $resource) {
729 // keep track of originally called resource
730 $this->isAllowedResource = $resource;
731 $resource = $this->getResource($resource);
732 if (!$this->isAllowedResource instanceof Resource\ResourceInterface) {
733 $this->isAllowedResource = $resource;
734 }
735 }
736
737 if (null === $privilege) {
738 // query on all privileges
739 do {
740 // depth-first search on $role if it is not 'allRoles' pseudo-parent
741 if (null !== $role && null !== ($result = $this->roleDFSAllPrivileges($role, $resource, $privilege))) {
742 return $result;
743 }
744
745 // look for rule on 'allRoles' pseudo-parent
746 if (null !== ($rules = $this->getRules($resource, null))) {
747 foreach ($rules['byPrivilegeId'] as $privilege => $rule) {
748 if (self::TYPE_DENY === ($ruleTypeOnePrivilege = $this->getRuleType($resource, null, $privilege))) {
749 return false;
750 }
751 }
752 if (null !== ($ruleTypeAllPrivileges = $this->getRuleType($resource, null, null))) {
753 return self::TYPE_ALLOW === $ruleTypeAllPrivileges;
754 }
755 }
756
757 // try next Resource
758 $resource = $this->resources[$resource->getResourceId()]['parent'];
759
760 } while (true); // loop terminates at 'allResources' pseudo-parent
761 } else {
762 $this->isAllowedPrivilege = $privilege;
763 // query on one privilege
764 do {
765 // depth-first search on $role if it is not 'allRoles' pseudo-parent
766 if (null !== $role && null !== ($result = $this->roleDFSOnePrivilege($role, $resource, $privilege))) {
767 return $result;
768 }
769
770 // look for rule on 'allRoles' pseudo-parent
771 if (null !== ($ruleType = $this->getRuleType($resource, null, $privilege))) {
772 return self::TYPE_ALLOW === $ruleType;
773 } elseif (null !== ($ruleTypeAllPrivileges = $this->getRuleType($resource, null, null))) {
774 $result = self::TYPE_ALLOW === $ruleTypeAllPrivileges;
775 if ($result || null === $resource) {
776 return $result;
777 }
778 }
779
780 // try next Resource
781 $resource = $this->resources[$resource->getResourceId()]['parent'];
782
783 } while (true); // loop terminates at 'allResources' pseudo-parent
784 }
785 }
786
787 /**
788 * Returns the Role registry for this ACL
789 *
790 * If no Role registry has been created yet, a new default Role registry
791 * is created and returned.
792 *
793 * @return Role\Registry
794 */
795 protected function getRoleRegistry()
796 {
797 if (null === $this->roleRegistry) {
798 $this->roleRegistry = new Role\Registry();
799 }
800 return $this->roleRegistry;
801 }
802
803 /**
804 * Performs a depth-first search of the Role DAG, starting at $role, in order to find a rule
805 * allowing/denying $role access to all privileges upon $resource
806 *
807 * This method returns true if a rule is found and allows access. If a rule exists and denies access,
808 * then this method returns false. If no applicable rule is found, then this method returns null.
809 *
810 * @param Role\RoleInterface $role
811 * @param Resource\ResourceInterface $resource
812 * @return bool|null
813 */
814 protected function roleDFSAllPrivileges(Role\RoleInterface $role, Resource\ResourceInterface $resource = null)
815 {
816 $dfs = array(
817 'visited' => array(),
818 'stack' => array()
819 );
820
821 if (null !== ($result = $this->roleDFSVisitAllPrivileges($role, $resource, $dfs))) {
822 return $result;
823 }
824
825 // This comment is needed due to a strange php-cs-fixer bug
826 while (null !== ($role = array_pop($dfs['stack']))) {
827 if (!isset($dfs['visited'][$role->getRoleId()])) {
828 if (null !== ($result = $this->roleDFSVisitAllPrivileges($role, $resource, $dfs))) {
829 return $result;
830 }
831 }
832 }
833
834 return null;
835 }
836
837 /**
838 * Visits an $role in order to look for a rule allowing/denying $role access to all privileges upon $resource
839 *
840 * This method returns true if a rule is found and allows access. If a rule exists and denies access,
841 * then this method returns false. If no applicable rule is found, then this method returns null.
842 *
843 * This method is used by the internal depth-first search algorithm and may modify the DFS data structure.
844 *
845 * @param Role\RoleInterface $role
846 * @param Resource\ResourceInterface $resource
847 * @param array $dfs
848 * @return bool|null
849 * @throws Exception\RuntimeException
850 */
851 protected function roleDFSVisitAllPrivileges(Role\RoleInterface $role, Resource\ResourceInterface $resource = null, &$dfs = null)
852 {
853 if (null === $dfs) {
854 throw new Exception\RuntimeException('$dfs parameter may not be null');
855 }
856
857 if (null !== ($rules = $this->getRules($resource, $role))) {
858 foreach ($rules['byPrivilegeId'] as $privilege => $rule) {
859 if (self::TYPE_DENY === ($ruleTypeOnePrivilege = $this->getRuleType($resource, $role, $privilege))) {
860 return false;
861 }
862 }
863 if (null !== ($ruleTypeAllPrivileges = $this->getRuleType($resource, $role, null))) {
864 return self::TYPE_ALLOW === $ruleTypeAllPrivileges;
865 }
866 }
867
868 $dfs['visited'][$role->getRoleId()] = true;
869 foreach ($this->getRoleRegistry()->getParents($role) as $roleParent) {
870 $dfs['stack'][] = $roleParent;
871 }
872
873 return null;
874 }
875
876 /**
877 * Performs a depth-first search of the Role DAG, starting at $role, in order to find a rule
878 * allowing/denying $role access to a $privilege upon $resource
879 *
880 * This method returns true if a rule is found and allows access. If a rule exists and denies access,
881 * then this method returns false. If no applicable rule is found, then this method returns null.
882 *
883 * @param Role\RoleInterface $role
884 * @param Resource\ResourceInterface $resource
885 * @param string $privilege
886 * @return bool|null
887 * @throws Exception\RuntimeException
888 */
889 protected function roleDFSOnePrivilege(Role\RoleInterface $role, Resource\ResourceInterface $resource = null, $privilege = null)
890 {
891 if (null === $privilege) {
892 throw new Exception\RuntimeException('$privilege parameter may not be null');
893 }
894
895 $dfs = array(
896 'visited' => array(),
897 'stack' => array()
898 );
899
900 if (null !== ($result = $this->roleDFSVisitOnePrivilege($role, $resource, $privilege, $dfs))) {
901 return $result;
902 }
903
904 // This comment is needed due to a strange php-cs-fixer bug
905 while (null !== ($role = array_pop($dfs['stack']))) {
906 if (!isset($dfs['visited'][$role->getRoleId()])) {
907 if (null !== ($result = $this->roleDFSVisitOnePrivilege($role, $resource, $privilege, $dfs))) {
908 return $result;
909 }
910 }
911 }
912
913 return null;
914 }
915
916 /**
917 * Visits an $role in order to look for a rule allowing/denying $role access to a $privilege upon $resource
918 *
919 * This method returns true if a rule is found and allows access. If a rule exists and denies access,
920 * then this method returns false. If no applicable rule is found, then this method returns null.
921 *
922 * This method is used by the internal depth-first search algorithm and may modify the DFS data structure.
923 *
924 * @param Role\RoleInterface $role
925 * @param Resource\ResourceInterface $resource
926 * @param string $privilege
927 * @param array $dfs
928 * @return bool|null
929 * @throws Exception\RuntimeException
930 */
931 protected function roleDFSVisitOnePrivilege(Role\RoleInterface $role, Resource\ResourceInterface $resource = null,
932 $privilege = null, &$dfs = null
933 ) {
934 if (null === $privilege) {
935 /**
936 * @see Zend\Permissions\Acl\Exception
937 */
938 throw new Exception\RuntimeException('$privilege parameter may not be null');
939 }
940
941 if (null === $dfs) {
942 /**
943 * @see Zend\Permissions\Acl\Exception
944 */
945 throw new Exception\RuntimeException('$dfs parameter may not be null');
946 }
947
948 if (null !== ($ruleTypeOnePrivilege = $this->getRuleType($resource, $role, $privilege))) {
949 return self::TYPE_ALLOW === $ruleTypeOnePrivilege;
950 } elseif (null !== ($ruleTypeAllPrivileges = $this->getRuleType($resource, $role, null))) {
951 return self::TYPE_ALLOW === $ruleTypeAllPrivileges;
952 }
953
954 $dfs['visited'][$role->getRoleId()] = true;
955 foreach ($this->getRoleRegistry()->getParents($role) as $roleParent) {
956 $dfs['stack'][] = $roleParent;
957 }
958
959 return null;
960 }
961
962 /**
963 * Returns the rule type associated with the specified Resource, Role, and privilege
964 * combination.
965 *
966 * If a rule does not exist or its attached assertion fails, which means that
967 * the rule is not applicable, then this method returns null. Otherwise, the
968 * rule type applies and is returned as either TYPE_ALLOW or TYPE_DENY.
969 *
970 * If $resource or $role is null, then this means that the rule must apply to
971 * all Resources or Roles, respectively.
972 *
973 * If $privilege is null, then the rule must apply to all privileges.
974 *
975 * If all three parameters are null, then the default ACL rule type is returned,
976 * based on whether its assertion method passes.
977 *
978 * @param null|Resource\ResourceInterface $resource
979 * @param null|Role\RoleInterface $role
980 * @param null|string $privilege
981 * @return string|null
982 */
983 protected function getRuleType(Resource\ResourceInterface $resource = null, Role\RoleInterface $role = null, $privilege = null)
984 {
985 // get the rules for the $resource and $role
986 if (null === ($rules = $this->getRules($resource, $role))) {
987 return null;
988 }
989
990 // follow $privilege
991 if (null === $privilege) {
992 if (isset($rules['allPrivileges'])) {
993 $rule = $rules['allPrivileges'];
994 } else {
995 return null;
996 }
997 } elseif (!isset($rules['byPrivilegeId'][$privilege])) {
998 return null;
999 } else {
1000 $rule = $rules['byPrivilegeId'][$privilege];
1001 }
1002
1003 // check assertion first
1004 if ($rule['assert']) {
1005 $assertion = $rule['assert'];
1006 $assertionValue = $assertion->assert(
1007 $this,
1008 ($this->isAllowedRole instanceof Role\RoleInterface) ? $this->isAllowedRole : $role,
1009 ($this->isAllowedResource instanceof Resource\ResourceInterface) ? $this->isAllowedResource : $resource,
1010 $this->isAllowedPrivilege
1011 );
1012 }
1013
1014 if (null === $rule['assert'] || $assertionValue) {
1015 return $rule['type'];
1016 } elseif (null !== $resource || null !== $role || null !== $privilege) {
1017 return null;
1018 } elseif (self::TYPE_ALLOW === $rule['type']) {
1019 return self::TYPE_DENY;
1020 }
1021
1022 return self::TYPE_ALLOW;
1023 }
1024
1025 /**
1026 * Returns the rules associated with a Resource and a Role, or null if no such rules exist
1027 *
1028 * If either $resource or $role is null, this means that the rules returned are for all Resources or all Roles,
1029 * respectively. Both can be null to return the default rule set for all Resources and all Roles.
1030 *
1031 * If the $create parameter is true, then a rule set is first created and then returned to the caller.
1032 *
1033 * @param Resource\ResourceInterface $resource
1034 * @param Role\RoleInterface $role
1035 * @param bool $create
1036 * @return array|null
1037 */
1038 protected function &getRules(Resource\ResourceInterface $resource = null, Role\RoleInterface $role = null, $create = false)
1039 {
1040 // create a reference to null
1041 $null = null;
1042 $nullRef =& $null;
1043
1044 // follow $resource
1045 do {
1046 if (null === $resource) {
1047 $visitor =& $this->rules['allResources'];
1048 break;
1049 }
1050 $resourceId = $resource->getResourceId();
1051 if (!isset($this->rules['byResourceId'][$resourceId])) {
1052 if (!$create) {
1053 return $nullRef;
1054 }
1055 $this->rules['byResourceId'][$resourceId] = array();
1056 }
1057 $visitor =& $this->rules['byResourceId'][$resourceId];
1058 } while (false);
1059
1060
1061 // follow $role
1062 if (null === $role) {
1063 if (!isset($visitor['allRoles'])) {
1064 if (!$create) {
1065 return $nullRef;
1066 }
1067 $visitor['allRoles']['byPrivilegeId'] = array();
1068 }
1069 return $visitor['allRoles'];
1070 }
1071 $roleId = $role->getRoleId();
1072 if (!isset($visitor['byRoleId'][$roleId])) {
1073 if (!$create) {
1074 return $nullRef;
1075 }
1076 $visitor['byRoleId'][$roleId]['byPrivilegeId'] = array();
1077 }
1078 return $visitor['byRoleId'][$roleId];
1079 }
1080
1081 /**
1082 * @return array of registered roles
1083 */
1084 public function getRoles()
1085 {
1086 return array_keys($this->getRoleRegistry()->getRoles());
1087 }
1088
1089 /**
1090 * @return array of registered resources
1091 */
1092 public function getResources()
1093 {
1094 return array_keys($this->resources);
1095 }
1096 }
Mirror of official OpenEMR Sourceforge repository