authorFrederic Guillot <fred@kanboard.net>2015-11-27 16:24:21 -0500
committerFrederic Guillot <fred@kanboard.net>2015-11-27 16:24:21 -0500
commit91bdf6aaf3cda52a43c35ce22f5e25537684cb56 (patch)
tree567631b186191508d7cc40f914ffe83740f0d355 /app/Core/Security
parent19706944dc94c4fe1784af434f5f2e27a3c8130c (diff)
Add generic authorization class
Diffstat (limited to 'app/Core/Security')
-rw-r--r--app/Core/Security/AccessMap.php92
-rw-r--r--app/Core/Security/Authorization.php46
-rw-r--r--app/Core/Security/Role.php21
3 files changed, 159 insertions, 0 deletions
diff --git a/app/Core/Security/AccessMap.php b/app/Core/Security/AccessMap.php
new file mode 100644
index 00000000..10a29e1f
--- /dev/null
+++ b/app/Core/Security/AccessMap.php
@@ -0,0 +1,92 @@
+<?php
+
+namespace Kanboard\Core\Security;
+
+/**
+ * Access Map Definition
+ *
+ * @package security
+ * @author Frederic Guillot
+ */
+class AccessMap
+{
+ /**
+ * Default role
+ *
+ * @access private
+ * @var string
+ */
+ private $defaultRole = '';
+
+ /**
+ * Access map
+ *
+ * @access private
+ * @var array
+ */
+ private $map = array();
+
+ /**
+ * Define the default role when nothing match
+ *
+ * @access public
+ * @param string $role
+ * @return Acl
+ */
+ public function setDefaultRole($role)
+ {
+ $this->defaultRole = $role;
+ return $this;
+ }
+
+ /**
+ * Add new access rules
+ *
+ * @access public
+ * @param string $controller
+ * @param string $method
+ * @param array $roles
+ * @return Acl
+ */
+ public function add($controller, $method, array $roles)
+ {
+ $controller = strtolower($controller);
+ $method = strtolower($method);
+
+ if (! isset($this->map[$controller])) {
+ $this->map[$controller] = array();
+ }
+
+ if (! isset($this->map[$controller][$method])) {
+ $this->map[$controller][$method] = array();
+ }
+
+ $this->map[$controller][$method] = $roles;
+
+ return $this;
+ }
+
+ /**
+ * Get roles that match the given controller/method
+ *
+ * @access public
+ * @param string $controller
+ * @param string $method
+ * @return boolean
+ */
+ public function getRoles($controller, $method)
+ {
+ $controller = strtolower($controller);
+ $method = strtolower($method);
+
+ if (isset($this->map[$controller][$method])) {
+ return $this->map[$controller][$method];
+ }
+
+ if (isset($this->map[$controller]['*'])) {
+ return $this->map[$controller]['*'];
+ }
+
+ return array($this->defaultRole);
+ }
+}
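Review bot: getRoles() falls back to `array($this->defaultRole)`, and `$defaultRole` is initialised to `''`, so until setDefaultRole() is called every unmapped controller/method resolves to a role list containing the empty string. A caller whose role is itself empty would then pass a membership check on that list; returning no roles in that case fails closed: `return $this->defaultRole === '' ? array() : array($this->defaultRole);`. The docblocks also need correcting: setDefaultRole() and add() declare `@return Acl` but return `$this` (an AccessMap), and getRoles() declares `@return boolean` but returns an array. add()'s docblock should also mention the `'*'` method key that getRoles() treats as a per-controller wildcard, and that a second add() for the same controller/method replaces the earlier role list rather than extending it.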
diff --git a/app/Core/Security/Authorization.php b/app/Core/Security/Authorization.php
new file mode 100644
index 00000000..a04b3720
--- /dev/null
+++ b/app/Core/Security/Authorization.php
@@ -0,0 +1,46 @@
+<?php
+
+namespace Kanboard\Core\Security;
+
+/**
+ * Authorization Handler
+ *
+ * @package security
+ * @author Frederic Guillot
+ */
+class Authorization
+{
+ /**
+ * Access Map
+ *
+ * @access private
+ * @var AccessMap
+ */
+ private $acl;
+
+ /**
+ * Constructor
+ *
+ * @access public
+ * @param AccessMap $acl
+ */
+ public function __construct(AccessMap $acl)
+ {
+ $this->acl = $acl;
+ }
+
+ /**
+ * Check if the given role is allowed to access to the specified resource
+ *
+ * @access public
+ * @param string $controller
+ * @param string $method
+ * @param string $role
+ * @return boolean
+ */
+ public function isAllowed($controller, $method, $role)
+ {
+ $roles = $this->acl->getRoles($controller, $method);
+ return in_array($role, $roles);
+ }
+}
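Review bot: isAllowed() calls `in_array($role, $roles)` without the strict flag, so the comparison is loose and a `$role` of `null` or `false` compares equal to an empty-string entry in the list. AccessMap::getRoles() in this same commit returns `array('')` for unmapped resources when no default role has been set, which makes that match reachable. Use `return in_array($role, $roles, true);` so that only an identical string role is accepted, and consider rejecting an empty `$role` before the lookup.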
diff --git a/app/Core/Security/Role.php b/app/Core/Security/Role.php
new file mode 100644
index 00000000..079ce14b
--- /dev/null
+++ b/app/Core/Security/Role.php
@@ -0,0 +1,21 @@
+<?php
+
+namespace Kanboard\Core\Security;
+
+/**
+ * Role Definitions
+ *
+ * @package security
+ * @author Frederic Guillot
+ */
+class Role
+{
+ const APP_ADMIN = 'app-admin';
+ const APP_MANAGER = 'app-manager';
+ const APP_USER = 'app-user';
+ const APP_PUBLIC = 'app-public';
+
+ const PROJECT_MANAGER = 'project-manager';
+ const PROJECT_MEMBER = 'project-member';
+ const PROJECT_VIEWER = 'project-viewer';
+}