gyro/core/behaviour/base/accesscontrolbase.cls.php

Go to the documentation of this file.
00001 <?php
00002 /**
00003  * Base class for Access Control Cheching
00004  * 
00005  * @ingroup Behaviour
00006  */
00007 class AccessControlBase implements IAccessControl {
00008         /**
00009          * Old implementation to delegate to  
00010          *
00011          * @var IAccessControl
00012          */
00013         private $delegate = null;
00014         /**
00015          * Array of item types, this implementation is responsible
00016          *
00017          * @var array
00018          */
00019         private $types = null;
00020         
00021         /**
00022          * If returned by do_is_allowed() functions, will set return value of is_allowed() to false
00023          */
00024         const NOT_ALLOWED = 0;
00025         /**
00026          * If returned by do_is_allowed() functions, will set return value of is_allowed() to true 
00027          */
00028         const ALLOWED = 1;
00029         /**
00030          * If returned by do_is_allowed() functions, will force delegate to be called (if any) 
00031          */
00032         const NOT_RESPONSIBLE = -1;
00033         
00034         /**
00035          * Pass types (=model names), the implementation is responsible of 
00036          *
00037          * @param string|array $item_types
00038          */
00039         public function __construct($item_types = false) {
00040                 if (!empty($item_types)) {
00041                         $this->types = Arr::force($item_types, false);
00042                 }
00043         }
00044         
00045         /**
00046          * Check if action on object is allowed for user
00047          *
00048          * @param string $action The action to perform (edit, delete, ....)  
00049          * @param mixed $item Item to perform the action on (may be a DataObject, e.g.)
00050          * @param mixed $user A user, role, ACO, depending on user management chosen
00051          * @return bool 
00052          */
00053         public function is_allowed($action, $item, $user, $params = false) {
00054                 $ret = false;
00055                 $result = $this->do_is_allowed($action, $item, $user, $params);
00056                 if ($result === true) {
00057                         $result = self::ALLOWED;
00058                 }
00059                 switch ($result) {
00060                         case self::NOT_RESPONSIBLE:
00061                                 if ($this->delegate) {
00062                                         $ret = $this->delegate->is_allowed($action, $item, $user, $params);
00063                                 }
00064                                 break; 
00065                         default:
00066                                 $ret = ($result) ? true : false;
00067                                 break;                  
00068                 }
00069                 return $ret;
00070         }
00071         
00072         /**
00073          * Overloadable. Check if action on object is allowed for user
00074          *
00075          * @param string $action The action to perform (edit, delete, ....)  
00076          * @param mixed $item Item to perform the action on (may be a DataObject, e.g.)
00077          * @param mixed $user A user, role, ACO, depending on user management chosen
00078          * @return int One of Constants ALLOWED, NOT_ALLOWED and NOT_RESPONSIBLE
00079          */
00080         protected function do_is_allowed($action, $item, $user, $params = false) {
00081                 // Check type based responsibility
00082                 if (!empty($this->types)) {
00083                         $resposible = false;
00084                         $item_type = $this->get_item_type($item);
00085                         foreach($this->types as $type) {        
00086                                 if ($type === $item_type) {
00087                                         $resposible = true;
00088                                         break;
00089                                 }
00090                         }
00091                         if (!$resposible) {
00092                                 return self::NOT_RESPONSIBLE;
00093                         }
00094                 }
00095 
00096                 // We are responsible
00097                 if (!empty($user)) {
00098                         return $this->do_is_allowed_for_user($action, $item, $user, $params);
00099                 }
00100                 else {
00101                         return $this->do_is_allowed_for_anonymous($action, $item, $params);
00102                 }
00103         }
00104 
00105         /**
00106          * Overloadable. Check if action on object is allowed for given user
00107          *
00108          * User is always valid
00109          * 
00110          * @param string $action The action to perform (edit, delete, ....)  
00111          * @param mixed $item Item to perform the action on (may be a DataObject, e.g.)
00112          * @param mixed $user A user, role, ACO, depending on user management chosen
00113          * @return int One of Constants ALLOWED, NOT_ALLOWED and NOT_RESPONSIBLE
00114          */
00115         protected function do_is_allowed_for_user($action, $item, $user, $params = false) {
00116                 return self::NOT_RESPONSIBLE;
00117         }
00118         
00119         /**
00120          * Overloadable. Check if action on object is allowed for no user
00121          *
00122          * User is always valid
00123          * 
00124          * @param string $action The action to perform (edit, delete, ....)  
00125          * @param mixed $item Item to perform the action on (may be a DataObject, e.g.)
00126          * @return int One of Constants ALLOWED, NOT_ALLOWED and NOT_RESPONSIBLE
00127          */
00128         protected function do_is_allowed_for_anonymous($action, $item, $params = false) {
00129                 return self::NOT_RESPONSIBLE;
00130         }
00131         
00132         /**
00133          * Convert Bool to tri-state
00134          *
00135          * @param bool $bool
00136          * @return int
00137          */
00138         protected function to_result($bool) {
00139                 return ($bool) ? self::ALLOWED : self::NOT_ALLOWED;
00140         }
00141         
00142         /**
00143          * Returns type of item
00144          *
00145          * @param mixed $item
00146          * @return string
00147          */
00148         protected function get_item_type($item) {
00149                 $ret = $item;
00150                 if ($item instanceof IDBTable) {
00151                         $ret = $item->get_table_name();
00152                 }
00153                 else if (is_object($item)) {
00154                         $ret = get_class($item); 
00155                 }
00156                 else if (is_null($item)) {
00157                         $ret = '';
00158                 }
00159                 return $ret;            
00160         }
00161         
00162         /**
00163          * Set old implementation. Requests not handled should be delegated to this
00164          *
00165          * @param IAccessControl $implementation
00166          */
00167         public function set_old_implementation(IAccessControl $implementation) {
00168                 $this->delegate = $implementation;
00169         }
00170 }