From 55c4ac1bfe565f1ca7f537fdd8b7a201be28e581 Mon Sep 17 00:00:00 2001 From: xue <> Date: Thu, 10 Nov 2005 12:47:19 +0000 Subject: Initial import of prado framework --- framework/Security/TAuthorizationRule.php | 213 ++++++++++++++++++++++++++++++ 1 file changed, 213 insertions(+) create mode 100644 framework/Security/TAuthorizationRule.php (limited to 'framework/Security/TAuthorizationRule.php') diff --git a/framework/Security/TAuthorizationRule.php b/framework/Security/TAuthorizationRule.php new file mode 100644 index 00000000..2ee6de49 --- /dev/null +++ b/framework/Security/TAuthorizationRule.php @@ -0,0 +1,213 @@ + + * @link http://www.pradosoft.com/ + * @copyright Copyright © 2005 PradoSoft + * @license http://www.pradosoft.com/license/ + * @version $Revision: $ $Date: $ + * @package System.Security + */ +/** + * TAuthorizationRule class + * + * TAuthorizationRule represents a single authorization rule. + * A rule is specified by an action (required), a list of users (optional), + * a list of roles (optional), and a verb (optional). + * Action can be either 'allow' or 'deny'. + * Guest (anonymous, unauthenticated) users are represented by question mark '?'. + * All users (including guest users) are represented by asterisk '*'. + * Users/roles are case-insensitive. + * Different users/roles are separated by comma ','. + * Verb can be either 'get' or 'post'. If it is absent, it means both. + * + * @author Qiang Xue + * @version $Revision: $ $Date: $ + * @package System.Security + * @since 3.0 + */ +class TAuthorizationRule extends TComponent +{ + /** + * @var string action, either 'allow' or 'deny' + */ + private $_action; + /** + * @var array list of user IDs + */ + private $_users; + /** + * @var array list of roles + */ + private $_roles; + /** + * @var string verb, may be empty, 'get', or 'post'. + */ + private $_verb; + /** + * @var boolean if this rule applies to everyone + */ + private $_everyone; + /** + * @var boolean if this rule applies to guest user + */ + private $_guest; + + /** + * Constructor. + * @param string action, either 'deny' or 'allow' + * @param string a comma separated user list + * @param string a comma separated role list + * @param string verb, can be empty, 'get', or 'post' + */ + public function __construct($action,$users,$roles,$verb='') + { + parent::__construct(); + $action=strtolower(trim($action)); + if($action==='allow' || $action==='deny') + $this->_action=$action; + else + throw new TInvalidDataValueException('authorizationrule_action_invalid',$action); + $this->_users=array(); + $this->_roles=array(); + $this->_everyone=false; + $this->_guest=false; + foreach(explode(',',$users) as $user) + { + if(($user=trim(strtolower($user)))!=='') + { + if($user==='*') + $this->_everyone=true; + else if($user==='?') + $this->_guest=true; + else + $this->_users[]=$user; + } + } + foreach(explode(',',$roles) as $role) + { + if(($role=trim(strtolower($role)))!=='') + $this->_roles[]=$role; + } + $verb=trim(strtolower($verb)); + if($verb==='' || $verb==='get' || $verb==='post') + $this->_verb=$verb; + else + throw new TInvalidDataValueException('authorizationrule_verb_invalid',$verb); + } + + /** + * @return string action, either 'allow' or 'deny' + */ + public function getAction() + { + return $this->_action; + } + + /** + * @return array list of user IDs + */ + public function getUsers() + { + return $this->_users; + } + + /** + * @return array list of roles + */ + public function getRoles() + { + return $this->_roles; + } + + /** + * @return string verb, may be empty, 'get', or 'post'. + */ + public function getVerb() + { + return $this->_verb; + } + + /** + * @return boolean if this rule applies to everyone + */ + public function getGuestApplied() + { + return $this->_guest; + } + + /** + * @var boolean if this rule applies to everyone + */ + public function getEveryoneApplied() + { + return $this->_everyone; + } + + /** + * @return integer 1 if the user is allowed, -1 if the user is denied, 0 if the rule does not apply to the user + */ + public function isUserAllowed(IUser $user,$verb) + { + $decision=($this->_action==='allow')?1:-1; + if($this->_verb==='' || strcasecmp($verb,$this->_verb)===0) + { + if($this->_everyone || ($this->_guest && $user->getIsGuest())) + return $decision; + if(in_array(strtolower($user->getName()),$this->_users)) + return $decision; + foreach($this->_roles as $role) + if($user->isInRole($role)) + return $decision; + } + return 0; + } +} + + +/** + * TAuthorizationRuleCollection class. + * TAuthorizationRuleCollection represents a collection of authorization rules {@link TAuthorizationRule}. + * To check if a user is allowed, call {@link isUserAllowed}. + * + * @author Qiang Xue + * @version $Revision: $ $Date: $ + * @package System.Security + * @since 3.0 + */ +class TAuthorizationRuleCollection extends TList +{ + /** + * @param IUser the user to be authorized + * @param string verb, can be empty, 'post' or 'get'. + * @return boolean whether the user is allowed + */ + public function isUserAllowed($user,$verb) + { + if($user instanceof IUser) + { + $verb=strtolower(trim($verb)); + foreach($this as $rule) + { + if(($decision=$rule->isUserAllowed($user,$verb))!==0) + return ($decision>0); + } + return true; + } + else + return false; + } + + /** + * Ensures that only instance of TAuthorizationRule is added to the collection. + * @param mixed item to be added to the collection + * @return boolean whether the item can be added to the collection + */ + protected function canAddItem($item) + { + return ($item instanceof TAuthorizationRule); + } +} + +?> \ No newline at end of file -- cgit v1.2.3