Error202
/
yii2-bootstrap
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity
Browse Source

Merge branch 'master' of https://github.com/yiisoft/yii2

tags/2.0.0-beta
Qiang Xue 12 years ago
parent
22ca2922d2 1c1b2da5b1
commit
4feec1d530
17 changed files with 2314 additions and 15 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Unified View
Diff Options
Show Stats Download Patch File Download Diff File
  1. BIN
      docs/internals/exception_hierarchy.png
  2. BIN
      docs/internals/exception_hierarchy.vsd
  3. 248
      tests/unit/framework/rbac/ManagerTestBase.php
  4. 34
      tests/unit/framework/rbac/PhpManagerTest.php
  5. 6
      yii/base/Application.php
  6. 106
      yii/rbac/Assignment.php
  7. 573
      yii/rbac/DbManager.php
  8. 275
      yii/rbac/Item.php
  9. 312
      yii/rbac/Manager.php
  10. 516
      yii/rbac/PhpManager.php
  11. 43
      yii/rbac/schema-mssql.sql
  12. 43
      yii/rbac/schema-mysql.sql
  13. 43
      yii/rbac/schema-oci.sql
  14. 43
      yii/rbac/schema-pgsql.sql
  15. 43
      yii/rbac/schema-sqlite.sql
  16. 40
      yii/web/User.php
  17. 4
      yii/yiic.php

BIN
docs/internals/exception_hierarchy.png
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 63 KiB

BIN
docs/internals/exception_hierarchy.vsd
View File

Binary file not shown.

248
tests/unit/framework/rbac/ManagerTestBase.php
Unescape View File

@ -0,0 +1,248 @@
<?php
namespace yiiunit\framework\rbac;
use yii\rbac\Assignment;
use yii\rbac\Item;
use yiiunit\TestCase;
abstract class ManagerTestBase extends TestCase
{
/** @var \yii\rbac\PhpManager|\yii\rbac\DbManager */
protected $auth;
public function testCreateItem()
{
$type = Item::TYPE_TASK;
$name = 'editUser';
$description = 'edit a user';
$bizRule = 'checkUserIdentity()';
$data = array(1, 2, 3);
$item = $this->auth->createItem($name, $type, $description, $bizRule, $data);
$this->assertTrue($item instanceof Item);
$this->assertEquals($item->type, $type);
$this->assertEquals($item->name, $name);
$this->assertEquals($item->description, $description);
$this->assertEquals($item->bizRule, $bizRule);
$this->assertEquals($item->data, $data);
// test shortcut
$name2 = 'createUser';
$item2 = $this->auth->createRole($name2, $description, $bizRule, $data);
$this->assertEquals($item2->type, Item::TYPE_ROLE);
// test adding an item with the same name
$this->setExpectedException('Exception');
$this->auth->createItem($name, $type, $description, $bizRule, $data);
}
public function testGetItem()
{
$this->assertTrue($this->auth->getItem('readPost') instanceof Item);
$this->assertTrue($this->auth->getItem('reader') instanceof Item);
$this->assertNull($this->auth->getItem('unknown'));
}
public function testRemoveAuthItem()
{
$this->assertTrue($this->auth->getItem('updatePost') instanceof Item);
$this->assertTrue($this->auth->removeItem('updatePost'));
$this->assertNull($this->auth->getItem('updatePost'));
$this->assertFalse($this->auth->removeItem('updatePost'));
}
public function testChangeItemName()
{
$item = $this->auth->getItem('readPost');
$this->assertTrue($item instanceof Item);
$this->assertTrue($this->auth->hasItemChild('reader', 'readPost'));
$item->name = 'readPost2';
$this->assertNull($this->auth->getItem('readPost'));
$this->assertEquals($this->auth->getItem('readPost2'), $item);
$this->assertFalse($this->auth->hasItemChild('reader', 'readPost'));
$this->assertTrue($this->auth->hasItemChild('reader', 'readPost2'));
}
public function testAddItemChild()
{
$this->auth->addItemChild('createPost', 'updatePost');
// test adding upper level item to lower one
$this->setExpectedException('Exception');
$this->auth->addItemChild('readPost', 'reader');
}
public function testAddItemChild2()
{
// test adding inexistent items
$this->setExpectedException('Exception');
$this->assertFalse($this->auth->addItemChild('createPost2', 'updatePost'));
}
public function testRemoveItemChild()
{
$this->assertTrue($this->auth->hasItemChild('reader', 'readPost'));
$this->assertTrue($this->auth->removeItemChild('reader', 'readPost'));
$this->assertFalse($this->auth->hasItemChild('reader', 'readPost'));
$this->assertFalse($this->auth->removeItemChild('reader', 'readPost'));
}
public function testGetItemChildren()
{
$this->assertEquals(array(), $this->auth->getItemChildren('readPost'));
$children = $this->auth->getItemChildren('author');
$this->assertEquals(3, count($children));
$this->assertTrue(reset($children) instanceof Item);
}
public function testAssign()
{
$auth = $this->auth->assign('new user', 'createPost', 'rule', 'data');
$this->assertTrue($auth instanceof Assignment);
$this->assertEquals($auth->userId, 'new user');
$this->assertEquals($auth->itemName, 'createPost');
$this->assertEquals($auth->bizRule, 'rule');
$this->assertEquals($auth->data, 'data');
$this->setExpectedException('Exception');
$this->auth->assign('new user', 'createPost2', 'rule', 'data');
}
public function testRevoke()
{
$this->assertTrue($this->auth->isAssigned('author B', 'author'));
$auth = $this->auth->getAssignment('author B', 'author');
$this->assertTrue($auth instanceof Assignment);
$this->assertTrue($this->auth->revoke('author B', 'author'));
$this->assertFalse($this->auth->isAssigned('author B', 'author'));
$this->assertFalse($this->auth->revoke('author B', 'author'));
}
public function testGetAssignments()
{
$this->auth->assign('author B', 'deletePost');
$auths = $this->auth->getAssignments('author B');
$this->assertEquals(2, count($auths));
$this->assertTrue(reset($auths) instanceof Assignment);
}
public function testGetItems()
{
$this->assertEquals(count($this->auth->getRoles()), 4);
$this->assertEquals(count($this->auth->getOperations()), 4);
$this->assertEquals(count($this->auth->getTasks()), 1);
$this->assertEquals(count($this->auth->getItems()), 9);
$this->assertEquals(count($this->auth->getItems('author B', null)), 1);
$this->assertEquals(count($this->auth->getItems('author C', null)), 0);
$this->assertEquals(count($this->auth->getItems('author B', Item::TYPE_ROLE)), 1);
$this->assertEquals(count($this->auth->getItems('author B', Item::TYPE_OPERATION)), 0);
}
public function testClearAll()
{
$this->auth->clearAll();
$this->assertEquals(count($this->auth->getRoles()), 0);
$this->assertEquals(count($this->auth->getOperations()), 0);
$this->assertEquals(count($this->auth->getTasks()), 0);
$this->assertEquals(count($this->auth->getItems()), 0);
$this->assertEquals(count($this->auth->getAssignments('author B')), 0);
}
public function testClearAssignments()
{
$this->auth->clearAssignments();
$this->assertEquals(count($this->auth->getAssignments('author B')), 0);
}
public function testDetectLoop()
{
$this->setExpectedException('Exception');
$this->auth->addItemChild('readPost', 'readPost');
}
public function testExecuteBizRule()
{
$this->assertTrue($this->auth->executeBizRule(null, array(), null));
$this->assertTrue($this->auth->executeBizRule('return 1==true;', array(), null));
$this->assertTrue($this->auth->executeBizRule('return $params[0]==$params[1];', array(1, '1'), null));
$this->assertFalse($this->auth->executeBizRule('invalid', array(), null));
}
public function testCheckAccess()
{
$results = array(
'reader A' => array(
'createPost' => false,
'readPost' => true,
'updatePost' => false,
'updateOwnPost' => false,
'deletePost' => false,
),
'author B' => array(
'createPost' => true,
'readPost' => true,
'updatePost' => true,
'updateOwnPost' => true,
'deletePost' => false,
),
'editor C' => array(
'createPost' => false,
'readPost' => true,
'updatePost' => true,
'updateOwnPost' => false,
'deletePost' => false,
),
'admin D' => array(
'createPost' => true,
'readPost' => true,
'updatePost' => true,
'updateOwnPost' => false,
'deletePost' => true,
),
);
$params = array('authorID' => 'author B');
foreach (array('reader A', 'author B', 'editor C', 'admin D') as $user) {
$params['userID'] = $user;
foreach (array('createPost', 'readPost', 'updatePost', 'updateOwnPost', 'deletePost') as $operation) {
$result = $this->auth->checkAccess($user, $operation, $params);
$this->assertEquals($results[$user][$operation], $result);
}
}
}
protected function prepareData()
{
$this->auth->createOperation('createPost', 'create a post');
$this->auth->createOperation('readPost', 'read a post');
$this->auth->createOperation('updatePost', 'update a post');
$this->auth->createOperation('deletePost', 'delete a post');
$task = $this->auth->createTask('updateOwnPost', 'update a post by author himself', 'return $params["authorID"]==$params["userID"];');
$task->addChild('updatePost');
$role = $this->auth->createRole('reader');
$role->addChild('readPost');
$role = $this->auth->createRole('author');
$role->addChild('reader');
$role->addChild('createPost');
$role->addChild('updateOwnPost');
$role = $this->auth->createRole('editor');
$role->addChild('reader');
$role->addChild('updatePost');
$role = $this->auth->createRole('admin');
$role->addChild('editor');
$role->addChild('author');
$role->addChild('deletePost');
$this->auth->assign('reader A', 'reader');
$this->auth->assign('author B', 'author');
$this->auth->assign('editor C', 'editor');
$this->auth->assign('admin D', 'admin');
}
}

34
tests/unit/framework/rbac/PhpManagerTest.php
Unescape View File

@ -0,0 +1,34 @@
<?php
namespace yiiunit\framework\rbac;
use Yii;
use yii\rbac\PhpManager;
require_once(__DIR__ . '/ManagerTestBase.php');
class PhpManagerTest extends ManagerTestBase
{
public function setUp()
{
$authFile = Yii::$app->getRuntimePath() . '/rbac.php';
@unlink($authFile);
$this->auth = new PhpManager;
$this->auth->authFile = $authFile;
$this->auth->init();
$this->prepareData();
}
public function tearDown()
{
@unlink($this->auth->authFile);
}
public function testSaveLoad()
{
$this->auth->save();
$this->auth->clearAll();
$this->auth->load();
$this->testCheckAccess();
}
}

6
yii/base/Application.php
Unescape View File

@ -305,12 +305,12 @@ class Application extends Module
} }
/** /**
* @return null|Component * Returns the auth manager for this application.
* @todo * @return \yii\rbac\Manager the auth manager for this application.
*/ */
public function getAuthManager() public function getAuthManager()
{ {
return $this->getComponent('auth'); return $this->getComponent('authManager');
} }
/** /**

106
yii/rbac/Assignment.php
Unescape View File

@ -0,0 +1,106 @@
<?php
/**
* @link http://www.yiiframework.com/
* @copyright Copyright (c) 2008 Yii Software LLC
* @license http://www.yiiframework.com/license/
*/
namespace yii\rbac;
use Yii;
use yii\base\Object;
/**
* Assignment represents an assignment of a role to a user.
* It includes additional assignment information such as [[bizRule]] and [[data]].
* Do not create a Assignment instance using the 'new' operator.
* Instead, call [[Manager::assign()]].
*
* @property mixed $userId User ID (see [[User::id]]).
* @property string $itemName The authorization item name.
* @property string $bizRule The business rule associated with this assignment.
* @property mixed $data Additional data for this assignment.
*
* @author Qiang Xue <qiang.xue@gmail.com>
* @author Alexander Kochetov <creocoder@gmail.com>
* @since 2.0
*/
class Assignment extends Object
{
private $_auth;
private $_userId;
private $_itemName;
private $_bizRule;
private $_data;
/**
* Constructor.
* @param Manager $auth the authorization manager
* @param mixed $userId user ID (see [[User::id]])
* @param string $itemName authorization item name
* @param string $bizRule the business rule associated with this assignment
* @param mixed $data additional data for this assignment
*/
public function __construct($auth, $userId, $itemName, $bizRule = null, $data = null)
{
$this->_auth = $auth;
$this->_userId = $userId;
$this->_itemName = $itemName;
$this->_bizRule = $bizRule;
$this->_data = $data;
}
/**
* @return mixed user ID (see [[User::id]])
*/
public function getUserId()
{
return $this->_userId;
}
/**
* @return string the authorization item name
*/
public function getItemName()
{
return $this->_itemName;
}
/**
* @return string the business rule associated with this assignment
*/
public function getBizRule()
{
return $this->_bizRule;
}
/**
* @param string $value the business rule associated with this assignment
*/
public function setBizRule($value)
{
if ($this->_bizRule !== $value) {
$this->_bizRule = $value;
$this->_auth->saveAssignment($this);
}
}
/**
* @return mixed additional data for this assignment
*/
public function getData()
{
return $this->_data;
}
/**
* @param mixed $value additional data for this assignment
*/
public function setData($value)
{
if ($this->_data !== $value) {
$this->_data = $value;
$this->_auth->saveAssignment($this);
}
}
}

573
yii/rbac/DbManager.php
Unescape View File

@ -0,0 +1,573 @@
<?php
/**
* @link http://www.yiiframework.com/
* @copyright Copyright (c) 2008 Yii Software LLC
* @license http://www.yiiframework.com/license/
*/
namespace yii\rbac;
use Yii;
use yii\db\Connection;
use yii\db\Query;
use yii\db\Expression;
use yii\base\Exception;
use yii\base\InvalidConfigException;
use yii\base\InvalidCallException;
use yii\base\InvalidParamException;
/**
* DbManager represents an authorization manager that stores authorization information in database.
*
* The database connection is specified by [[db]]. And the database schema
* should be as described in "framework/rbac/*.sql". You may change the names of
* the three tables used to store the authorization data by setting [[itemTable]],
* [[itemChildTable]] and [[assignmentTable]].
*
* @property array $authItems The authorization items of the specific type.
*
* @author Qiang Xue <qiang.xue@gmail.com>
* @author Alexander Kochetov <creocoder@gmail.com>
* @since 2.0
*/
class DbManager extends Manager
{
/**
* @var Connection|string the DB connection object or the application component ID of the DB connection.
* After the DbManager object is created, if you want to change this property, you should only assign it
* with a DB connection object.
*/
public $db = 'db';
/**
* @var string the name of the table storing authorization items. Defaults to 'tbl_auth_item'.
*/
public $itemTable = 'tbl_auth_item';
/**
* @var string the name of the table storing authorization item hierarchy. Defaults to 'tbl_auth_item_child'.
*/
public $itemChildTable = 'tbl_auth_item_child';
/**
* @var string the name of the table storing authorization item assignments. Defaults to 'tbl_auth_assignment'.
*/
public $assignmentTable = 'tbl_auth_assignment';
private $_usingSqlite;
/**
* Initializes the application component.
* This method overrides the parent implementation by establishing the database connection.
*/
public function init()
{
if (is_string($this->db)) {
$this->db = Yii::$app->getComponent($this->db);
}
if (!$this->db instanceof Connection) {
throw new InvalidConfigException("DbManager::db must be either a DB connection instance or the application component ID of a DB connection.");
}
$this->_usingSqlite = !strncmp($this->db->getDriverName(), 'sqlite', 6);
parent::init();
}
/**
* Performs access check for the specified user.
* @param mixed $userId the user ID. This should can be either an integer or a string representing
* the unique identifier of a user. See [[User::id]].
* @param string $itemName the name of the operation that need access check
* @param array $params name-value pairs that would be passed to biz rules associated
* with the tasks and roles assigned to the user. A param with name 'userId' is added to this array,
* which holds the value of `$userId`.
* @return boolean whether the operations can be performed by the user.
*/
public function checkAccess($userId, $itemName, $params = array())
{
$assignments = $this->getAssignments($userId);
return $this->checkAccessRecursive($userId, $itemName, $params, $assignments);
}
/**
* Performs access check for the specified user.
* This method is internally called by [[checkAccess()]].
* @param mixed $userId the user ID. This should can be either an integer or a string representing
* the unique identifier of a user. See [[User::id]].
* @param string $itemName the name of the operation that need access check
* @param array $params name-value pairs that would be passed to biz rules associated
* with the tasks and roles assigned to the user. A param with name 'userId' is added to this array,
* which holds the value of `$userId`.
* @param Assignment[] $assignments the assignments to the specified user
* @return boolean whether the operations can be performed by the user.
*/
protected function checkAccessRecursive($userId, $itemName, $params, $assignments)
{
if (($item = $this->getItem($itemName)) === null) {
return false;
}
Yii::trace('Checking permission: ' . $item->getName(), __METHOD__);
if (!isset($params['userId'])) {
$params['userId'] = $userId;
}
if ($this->executeBizRule($item->getBizRule(), $params, $item->getData())) {
if (in_array($itemName, $this->defaultRoles)) {
return true;
}
if (isset($assignments[$itemName])) {
$assignment = $assignments[$itemName];
if ($this->executeBizRule($assignment->getBizRule(), $params, $assignment->getData())) {
return true;
}
}
$query = new Query;
$parents = $query->select(array('parent'))
->from($this->itemChildTable)
->where(array('child' => $itemName))
->createCommand($this->db)
->queryColumn();
foreach ($parents as $parent) {
if ($this->checkAccessRecursive($userId, $parent, $params, $assignments)) {
return true;
}
}
}
return false;
}
/**
* Adds an item as a child of another item.
* @param string $itemName the parent item name
* @param string $childName the child item name
* @return boolean whether the item is added successfully
* @throws Exception if either parent or child doesn't exist.
* @throws InvalidCallException if a loop has been detected.
*/
public function addItemChild($itemName, $childName)
{
if ($itemName === $childName) {
throw new Exception("Cannot add '$itemName' as a child of itself.");
}
$query = new Query;
$rows = $query->from($this->itemTable)
->where(array('or', 'name=:name1', 'name=:name2'), array(
':name1' => $itemName,
':name2' => $childName
))
->createCommand($this->db)
->queryAll();
if (count($rows) == 2) {
if ($rows[0]['name'] === $itemName) {
$parentType = $rows[0]['type'];
$childType = $rows[1]['type'];
} else {
$childType = $rows[0]['type'];
$parentType = $rows[1]['type'];
}
$this->checkItemChildType($parentType, $childType);
if ($this->detectLoop($itemName, $childName)) {
throw new InvalidCallException("Cannot add '$childName' as a child of '$itemName'. A loop has been detected.");
}
$this->db->createCommand()
->insert($this->itemChildTable, array(
'parent' => $itemName,
'child' => $childName,
));
return true;
} else {
throw new Exception("Either '$itemName' or '$childName' does not exist.");
}
}
/**
* Removes a child from its parent.
* Note, the child item is not deleted. Only the parent-child relationship is removed.
* @param string $itemName the parent item name
* @param string $childName the child item name
* @return boolean whether the removal is successful
*/
public function removeItemChild($itemName, $childName)
{
return $this->db->createCommand()
->delete($this->itemChildTable, array(
'parent' => $itemName,
'child' => $childName
)) > 0;
}
/**
* Returns a value indicating whether a child exists within a parent.
* @param string $itemName the parent item name
* @param string $childName the child item name
* @return boolean whether the child exists
*/
public function hasItemChild($itemName, $childName)
{
$query = new Query;
return $query->select(array('parent'))
->from($this->itemChildTable)
->where(array(
'parent' => $itemName,
'child' => $childName
))
->createCommand($this->db)
->queryScalar() !== false;
}
/**
* Returns the children of the specified item.
* @param mixed $names the parent item name. This can be either a string or an array.
* The latter represents a list of item names.
* @return Item[] all child items of the parent
*/
public function getItemChildren($names)
{
$query = new Query;
$rows = $query->select(array('name', 'type', 'description', 'bizrule', 'data'))
->from(array(
$this->itemTable,
$this->itemChildTable
))
->where(array('parent' => $names, 'name' => new Expression('child')))
->createCommand($this->db)
->queryAll();
$children = array();
foreach ($rows as $row) {
if (($data = @unserialize($row['data'])) === false) {
$data = null;
}
$children[$row['name']] = new Item($this, $row['name'], $row['type'], $row['description'], $row['bizrule'], $data);
}
return $children;
}
/**
* Assigns an authorization item to a user.
* @param mixed $userId the user ID (see [[User::id]])
* @param string $itemName the item name
* @param string $bizRule the business rule to be executed when [[checkAccess()]] is called
* for this particular authorization item.
* @param mixed $data additional data associated with this assignment
* @return Assignment the authorization assignment information.
* @throws InvalidParamException if the item does not exist or if the item has already been assigned to the user
*/
public function assign($userId, $itemName, $bizRule = null, $data = null)
{
if ($this->usingSqlite() && $this->getItem($itemName) === null) {
throw new InvalidParamException("The item '$itemName' does not exist.");
}
$this->db->createCommand()
->insert($this->assignmentTable, array(
'user_id' => $userId,
'item_name' => $itemName,
'bizrule' => $bizRule,
'data' => serialize($data)
));
return new Assignment($this, $userId, $itemName, $bizRule, $data);
}
/**
* Revokes an authorization assignment from a user.
* @param mixed $userId the user ID (see [[User::id]])
* @param string $itemName the item name
* @return boolean whether removal is successful
*/
public function revoke($userId, $itemName)
{
return $this->db->createCommand()
->delete($this->assignmentTable, array(
'user_id' => $userId,
'item_name' => $itemName
)) > 0;
}
/**
* Returns a value indicating whether the item has been assigned to the user.
* @param mixed $userId the user ID (see [[User::id]])
* @param string $itemName the item name
* @return boolean whether the item has been assigned to the user.
*/
public function isAssigned($itemName, $userId)
{
$query = new Query;
return $query->select(array('item_name'))
->from($this->assignmentTable)
->where(array(
'user_id' => $userId,
'item_name' => $itemName
))
->createCommand($this->db)
->queryScalar() !== false;
}
/**
* Returns the item assignment information.
* @param mixed $userId the user ID (see [[User::id]])
* @param string $itemName the item name
* @return Assignment the item assignment information. Null is returned if
* the item is not assigned to the user.
*/
public function getAssignment($userId, $itemName)
{
$query = new Query;
$row = $query->from($this->assignmentTable)
->where(array(
'user_id' => $userId,
'item_name' => $itemName
))
->createCommand($this->db)
->queryRow();
if ($row !== false) {
if (($data = @unserialize($row['data'])) === false) {
$data = null;
}
return new Assignment($this, $row['user_id'], $row['item_name'], $row['bizrule'], $data);
} else {
return null;
}
}
/**
* Returns the item assignments for the specified user.
* @param mixed $userId the user ID (see [[User::id]])
* @return Assignment[] the item assignment information for the user. An empty array will be
* returned if there is no item assigned to the user.
*/
public function getAssignments($userId)
{
$query = new Query;
$rows = $query->from($this->assignmentTable)
->where(array('user_id' => $userId))
->createCommand($this->db)
->queryAll();
$assignments = array();
foreach ($rows as $row) {
if (($data = @unserialize($row['data'])) === false) {
$data = null;
}
$assignments[$row['item_name']] = new Assignment($this, $row['user_id'], $row['item_name'], $row['bizrule'], $data);
}
return $assignments;
}
/**
* Saves the changes to an authorization assignment.
* @param Assignment $assignment the assignment that has been changed.
*/
public function saveAssignment($assignment)
{
$this->db->createCommand()
->update($this->assignmentTable, array(
'bizrule' => $assignment->getBizRule(),
'data' => serialize($assignment->getData()),
), array(
'user_id' => $assignment->getUserId(),
'item_name' => $assignment->getItemName()
));
}
/**
* Returns the authorization items of the specific type and user.
* @param mixed $userId the user ID. Defaults to null, meaning returning all items even if
* they are not assigned to a user.
* @param integer $type the item type (0: operation, 1: task, 2: role). Defaults to null,
* meaning returning all items regardless of their type.
* @return Item[] the authorization items of the specific type.
*/
public function getItems($userId = null, $type = null)
{
$query = new Query;
if ($userId === null && $type === null) {
$command = $query->from($this->itemTable)
->createCommand($this->db);
} elseif ($userId === null) {
$command = $query->from($this->itemTable)
->where(array('type' => $type))
->createCommand($this->db);
} elseif ($type === null) {
$command = $query->select(array('name', 'type', 'description', 't1.bizrule', 't1.data'))
->from(array(
$this->itemTable . ' t1',
$this->assignmentTable . ' t2'
))
->where(array('user_id' => $userId, 'name' => new Expression('item_name')))
->createCommand($this->db);
} else {
$command = $query->select('name', 'type', 'description', 't1.bizrule', 't1.data')
->from(array(
$this->itemTable . ' t1',
$this->assignmentTable . ' t2'
))
->where(array(
'user_id' => $userId,
'type' => $type,
'name' => new Expression('item_name'),
))
->createCommand($this->db);
}
$items = array();
foreach ($command->queryAll() as $row) {
if (($data = @unserialize($row['data'])) === false) {
$data = null;
}
$items[$row['name']] = new Item($this, $row['name'], $row['type'], $row['description'], $row['bizrule'], $data);
}
return $items;
}
/**
* Creates an authorization item.
* An authorization item represents an action permission (e.g. creating a post).
* It has three types: operation, task and role.
* Authorization items form a hierarchy. Higher level items inheirt permissions representing
* by lower level items.
* @param string $name the item name. This must be a unique identifier.
* @param integer $type the item type (0: operation, 1: task, 2: role).
* @param string $description description of the item
* @param string $bizRule business rule associated with the item. This is a piece of
* PHP code that will be executed when [[checkAccess()]] is called for the item.
* @param mixed $data additional data associated with the item.
* @return Item the authorization item
* @throws Exception if an item with the same name already exists
*/
public function createItem($name, $type, $description = '', $bizRule = null, $data = null)
{
$this->db->createCommand()
->insert($this->itemTable, array(
'name' => $name,
'type' => $type,
'description' => $description,
'bizrule' => $bizRule,
'data' => serialize($data)
));
return new Item($this, $name, $type, $description, $bizRule, $data);
}
/**
* Removes the specified authorization item.
* @param string $name the name of the item to be removed
* @return boolean whether the item exists in the storage and has been removed
*/
public function removeItem($name)
{
if ($this->usingSqlite()) {
$this->db->createCommand()
->delete($this->itemChildTable, array('or', 'parent=:name1', 'child=:name2'), array(
':name1' => $name,
':name2' => $name
));
$this->db->createCommand()->delete($this->assignmentTable, array('item_name' => $name));
}
return $this->db->createCommand()->delete($this->itemTable, array('name' => $name)) > 0;
}
/**
* Returns the authorization item with the specified name.
* @param string $name the name of the item
* @return Item the authorization item. Null if the item cannot be found.
*/
public function getItem($name)
{
$query = new Query;
$row = $query->from($this->itemTable)
->where(array('name' => $name))
->createCommand($this->db)
->queryRow();
if ($row !== false) {
if (($data = @unserialize($row['data'])) === false) {
$data = null;
}
return new Item($this, $row['name'], $row['type'], $row['description'], $row['bizrule'], $data);
} else
return null;
}
/**
* Saves an authorization item to persistent storage.
* @param Item $item the item to be saved.
* @param string $oldName the old item name. If null, it means the item name is not changed.
*/
public function saveItem($item, $oldName = null)
{
if ($this->usingSqlite() && $oldName !== null && $item->getName() !== $oldName) {
$this->db->createCommand()
->update($this->itemChildTable, array(
'parent' => $item->getName(),
), array(
'parent' => $oldName,
));
$this->db->createCommand()
->update($this->itemChildTable, array(
'child' => $item->getName(),
), array(
'child' => $oldName,
));
$this->db->createCommand()
->update($this->assignmentTable, array(
'item_name' => $item->getName(),
), array(
'item_name' => $oldName,
));
}
$this->db->createCommand()
->update($this->itemTable, array(
'name' => $item->getName(),
'type' => $item->getType(),
'description' => $item->getDescription(),
'bizrule' => $item->getBizRule(),
'data' => serialize($item->getData()),
), array(
'name' => $oldName === null ? $item->getName() : $oldName,
));
}
/**
* Saves the authorization data to persistent storage.
*/
public function save()
{
}
/**
* Removes all authorization data.
*/
public function clearAll()
{
$this->clearAssignments();
$this->db->createCommand()->delete($this->itemChildTable);
$this->db->createCommand()->delete($this->itemTable);
}
/**
* Removes all authorization assignments.
*/
public function clearAssignments()
{
$this->db->createCommand()->delete($this->assignmentTable);
}
/**
* Checks whether there is a loop in the authorization item hierarchy.
* @param string $itemName parent item name
* @param string $childName the name of the child item that is to be added to the hierarchy
* @return boolean whether a loop exists
*/
protected function detectLoop($itemName, $childName)
{
if ($childName === $itemName) {
return true;
}
foreach ($this->getItemChildren($childName) as $child) {
if ($this->detectLoop($itemName, $child->getName())) {
return true;
}
}
return false;
}
/**
* @return boolean whether the database is a SQLite database
*/
protected function usingSqlite()
{
return $this->_usingSqlite;
}
}

275
yii/rbac/Item.php
Unescape View File

@ -0,0 +1,275 @@
<?php
/**
* @link http://www.yiiframework.com/
* @copyright Copyright (c) 2008 Yii Software LLC
* @license http://www.yiiframework.com/license/
*/
namespace yii\rbac;
use Yii;
use yii\base\Object;
/**
* Item represents an authorization item.
* An authorization item can be an operation, a task or a role.
* They form an authorization hierarchy. Items on higher levels of the hierarchy
* inherit the permissions represented by items on lower levels.
* A user may be assigned one or several authorization items (called [[Assignment]] assignments).
* He can perform an operation only when it is among his assigned items.
*
* @property Manager $authManager The authorization manager.
* @property integer $type The authorization item type. This could be 0 (operation), 1 (task) or 2 (role).
* @property string $name The item name.
* @property string $description The item description.
* @property string $bizRule The business rule associated with this item.
* @property mixed $data The additional data associated with this item.
* @property array $children All child items of this item.
*
* @author Qiang Xue <qiang.xue@gmail.com>
* @author Alexander Kochetov <creocoder@gmail.com>
* @since 2.0
*/
class Item extends Object
{
const TYPE_OPERATION = 0;
const TYPE_TASK = 1;
const TYPE_ROLE = 2;
private $_auth;
private $_type;
private $_name;
private $_description;
private $_bizRule;
private $_data;
/**
* Constructor.
* @param Manager $auth authorization manager
* @param string $name authorization item name
* @param integer $type authorization item type. This can be 0 (operation), 1 (task) or 2 (role).
* @param string $description the description
* @param string $bizRule the business rule associated with this item
* @param mixed $data additional data for this item
*/
public function __construct($auth, $name, $type, $description = '', $bizRule = null, $data = null)
{
$this->_type = (int)$type;
$this->_auth = $auth;
$this->_name = $name;
$this->_description = $description;
$this->_bizRule = $bizRule;
$this->_data = $data;
}
/**
* Checks to see if the specified item is within the hierarchy starting from this item.
* This method is expected to be internally used by the actual implementations
* of the [[Manager::checkAccess()]].
* @param string $itemName the name of the item to be checked
* @param array $params the parameters to be passed to business rule evaluation
* @return boolean whether the specified item is within the hierarchy starting from this item.
*/
public function checkAccess($itemName, $params = array())
{
Yii::trace('Checking permission: ' . $this->_name, __METHOD__);
if ($this->_auth->executeBizRule($this->_bizRule, $params, $this->_data)) {
if ($this->_name == $itemName) {
return true;
}
foreach ($this->_auth->getItemChildren($this->_name) as $item) {
if ($item->checkAccess($itemName, $params)) {
return true;
}
}
}
return false;
}
/**
* @return Manager the authorization manager
*/
public function getManager()
{
return $this->_auth;
}
/**
* @return integer the authorization item type. This could be 0 (operation), 1 (task) or 2 (role).
*/
public function getType()
{
return $this->_type;
}
/**
* @return string the item name
*/
public function getName()
{
return $this->_name;
}
/**
* @param string $value the item name
*/
public function setName($value)
{
if ($this->_name !== $value) {
$oldName = $this->_name;
$this->_name = $value;
$this->_auth->saveItem($this, $oldName);
}
}
/**
* @return string the item description
*/
public function getDescription()
{
return $this->_description;
}
/**
* @param string $value the item description
*/
public function setDescription($value)
{
if ($this->_description !== $value) {
$this->_description = $value;
$this->_auth->saveItem($this);
}
}
/**
* @return string the business rule associated with this item
*/
public function getBizRule()
{
return $this->_bizRule;
}
/**
* @param string $value the business rule associated with this item
*/
public function setBizRule($value)
{
if ($this->_bizRule !== $value) {
$this->_bizRule = $value;
$this->_auth->saveItem($this);
}
}
/**
* @return mixed the additional data associated with this item
*/
public function getData()
{
return $this->_data;
}
/**
* @param mixed $value the additional data associated with this item
*/
public function setData($value)
{
if ($this->_data !== $value) {
$this->_data = $value;
$this->_auth->saveItem($this);
}
}
/**
* Adds a child item.
* @param string $name the name of the child item
* @return boolean whether the item is added successfully
* @throws \yii\base\Exception if either parent or child doesn't exist or if a loop has been detected.
* @see Manager::addItemChild
*/
public function addChild($name)
{
return $this->_auth->addItemChild($this->_name, $name);
}
/**
* Removes a child item.
* Note, the child item is not deleted. Only the parent-child relationship is removed.
* @param string $name the child item name
* @return boolean whether the removal is successful
* @see Manager::removeItemChild
*/
public function removeChild($name)
{
return $this->_auth->removeItemChild($this->_name, $name);
}
/**
* Returns a value indicating whether a child exists
* @param string $name the child item name
* @return boolean whether the child exists
* @see Manager::hasItemChild
*/
public function hasChild($name)
{
return $this->_auth->hasItemChild($this->_name, $name);
}
/**
* Returns the children of this item.
* @return Item[] all child items of this item.
* @see Manager::getItemChildren
*/
public function getChildren()
{
return $this->_auth->getItemChildren($this->_name);
}
/**
* Assigns this item to a user.
* @param mixed $userId the user ID (see [[User::id]])
* @param string $bizRule the business rule to be executed when [[checkAccess()]] is called
* for this particular authorization item.
* @param mixed $data additional data associated with this assignment
* @return Assignment the authorization assignment information.
* @throws \yii\base\Exception if the item has already been assigned to the user
* @see Manager::assign
*/
public function assign($userId, $bizRule = null, $data = null)
{
return $this->_auth->assign($userId, $this->_name, $bizRule, $data);
}
/**
* Revokes an authorization assignment from a user.
* @param mixed $userId the user ID (see [[User::id]])
* @return boolean whether removal is successful
* @see Manager::revoke
*/
public function revoke($userId)
{
return $this->_auth->revoke($userId, $this->_name);
}
/**
* Returns a value indicating whether this item has been assigned to the user.
* @param mixed $userId the user ID (see [[User::id]])
* @return boolean whether the item has been assigned to the user.
* @see Manager::isAssigned
*/
public function isAssigned($userId)
{
return $this->_auth->isAssigned($userId, $this->_name);
}
/**
* Returns the item assignment information.
* @param mixed $userId the user ID (see [[User::id]])
* @return Assignment the item assignment information. Null is returned if
* this item is not assigned to the user.
* @see Manager::getAssignment
*/
public function getAssignment($userId)
{
return $this->_auth->getAssignment($userId, $this->_name);
}
}

312
yii/rbac/Manager.php
Unescape View File

@ -0,0 +1,312 @@
<?php
/**
* @link http://www.yiiframework.com/
* @copyright Copyright (c) 2008 Yii Software LLC
* @license http://www.yiiframework.com/license/
*/
namespace yii\rbac;
use Yii;
use yii\base\Component;
use yii\base\InvalidParamException;
/**
* Manager is the base class for authorization manager classes.
*
* Manager extends [[Component]] and implements some methods
* that are common among authorization manager classes.
*
* Manager together with its concrete child classes implement the Role-Based
* Access Control (RBAC).
*
* The main idea is that permissions are organized as a hierarchy of
* [[Item]] authorization items. Items on higer level inherit the permissions
* represented by items on lower level. And roles are simply top-level authorization items
* that may be assigned to individual users. A user is said to have a permission
* to do something if the corresponding authorization item is inherited by one of his roles.
*
* Using authorization manager consists of two aspects. First, the authorization hierarchy
* and assignments have to be established. Manager and its child classes
* provides APIs to accomplish this task. Developers may need to develop some GUI
* so that it is more intuitive to end-users. Second, developers call [[Manager::checkAccess()]]
* at appropriate places in the application code to check if the current user
* has the needed permission for an operation.
*
* @property array $roles Roles (name=>Item).
* @property array $tasks Tasks (name=>Item).
* @property array $operations Operations (name=>Item).
*
* @author Qiang Xue <qiang.xue@gmail.com>
* @author Alexander Kochetov <creocoder@gmail.com>
* @since 2.0
*/
abstract class Manager extends Component
{
/**
* @var boolean Enable error reporting for bizRules.
*/
public $showErrors = false;
/**
* @var array list of role names that are assigned to all users implicitly.
* These roles do not need to be explicitly assigned to any user.
* When calling [[checkAccess()]], these roles will be checked first.
* For performance reason, you should minimize the number of such roles.
* A typical usage of such roles is to define an 'authenticated' role and associate
* it with a biz rule which checks if the current user is authenticated.
* And then declare 'authenticated' in this property so that it can be applied to
* every authenticated user.
*/
public $defaultRoles = array();
/**
* Creates a role.
* This is a shortcut method to [[Manager::createItem()]].
* @param string $name the item name
* @param string $description the item description.
* @param string $bizRule the business rule associated with this item
* @param mixed $data additional data to be passed when evaluating the business rule
* @return Item the authorization item
*/
public function createRole($name, $description = '', $bizRule = null, $data = null)
{
return $this->createItem($name, Item::TYPE_ROLE, $description, $bizRule, $data);
}
/**
* Creates a task.
* This is a shortcut method to [[Manager::createItem()]].
* @param string $name the item name
* @param string $description the item description.
* @param string $bizRule the business rule associated with this item
* @param mixed $data additional data to be passed when evaluating the business rule
* @return Item the authorization item
*/
public function createTask($name, $description = '', $bizRule = null, $data = null)
{
return $this->createItem($name, Item::TYPE_TASK, $description, $bizRule, $data);
}
/**
* Creates an operation.
* This is a shortcut method to [[Manager::createItem()]].
* @param string $name the item name
* @param string $description the item description.
* @param string $bizRule the business rule associated with this item
* @param mixed $data additional data to be passed when evaluating the business rule
* @return Item the authorization item
*/
public function createOperation($name, $description = '', $bizRule = null, $data = null)
{
return $this->createItem($name, Item::TYPE_OPERATION, $description, $bizRule, $data);
}
/**
* Returns roles.
* This is a shortcut method to [[Manager::getItems()]].
* @param mixed $userId the user ID. If not null, only the roles directly assigned to the user
* will be returned. Otherwise, all roles will be returned.
* @return Item[] roles (name=>AuthItem)
*/
public function getRoles($userId = null)
{
return $this->getItems($userId, Item::TYPE_ROLE);
}
/**
* Returns tasks.
* This is a shortcut method to [[Manager::getItems()]].
* @param mixed $userId the user ID. If not null, only the tasks directly assigned to the user
* will be returned. Otherwise, all tasks will be returned.
* @return Item[] tasks (name=>AuthItem)
*/
public function getTasks($userId = null)
{
return $this->getItems($userId, Item::TYPE_TASK);
}
/**
* Returns operations.
* This is a shortcut method to [[Manager::getItems()]].
* @param mixed $userId the user ID. If not null, only the operations directly assigned to the user
* will be returned. Otherwise, all operations will be returned.
* @return Item[] operations (name=>AuthItem)
*/
public function getOperations($userId = null)
{
return $this->getItems($userId, Item::TYPE_OPERATION);
}
/**
* Executes the specified business rule.
* @param string $bizRule the business rule to be executed.
* @param array $params parameters passed to [[Manager::checkAccess()]].
* @param mixed $data additional data associated with the authorization item or assignment.
* @return boolean whether the business rule returns true.
* If the business rule is empty, it will still return true.
*/
public function executeBizRule($bizRule, $params, $data)
{
return $bizRule === '' || $bizRule === null || ($this->showErrors ? eval($bizRule) != 0 : @eval($bizRule) != 0);
}
/**
* Checks the item types to make sure a child can be added to a parent.
* @param integer $parentType parent item type
* @param integer $childType child item type
* @throws InvalidParamException if the item cannot be added as a child due to its incompatible type.
*/
protected function checkItemChildType($parentType, $childType)
{
static $types = array('operation', 'task', 'role');
if ($parentType < $childType) {
throw new InvalidParamException("Cannot add an item of type '$types[$childType]' to an item of type '$types[$parentType]'.");
}
}
/**
* Performs access check for the specified user.
* @param mixed $userId the user ID. This should be either an integer or a string representing
* the unique identifier of a user. See [[User::id]].
* @param string $itemName the name of the operation that we are checking access to
* @param array $params name-value pairs that would be passed to biz rules associated
* with the tasks and roles assigned to the user.
* @return boolean whether the operations can be performed by the user.
*/
abstract public function checkAccess($userId, $itemName, $params = array());
/**
* Creates an authorization item.
* An authorization item represents an action permission (e.g. creating a post).
* It has three types: operation, task and role.
* Authorization items form a hierarchy. Higher level items inheirt permissions representing
* by lower level items.
* @param string $name the item name. This must be a unique identifier.
* @param integer $type the item type (0: operation, 1: task, 2: role).
* @param string $description description of the item
* @param string $bizRule business rule associated with the item. This is a piece of
* PHP code that will be executed when [[checkAccess()]] is called for the item.
* @param mixed $data additional data associated with the item.
* @throws \yii\base\Exception if an item with the same name already exists
* @return Item the authorization item
*/
abstract public function createItem($name, $type, $description = '', $bizRule = null, $data = null);
/**
* Removes the specified authorization item.
* @param string $name the name of the item to be removed
* @return boolean whether the item exists in the storage and has been removed
*/
abstract public function removeItem($name);
/**
* Returns the authorization items of the specific type and user.
* @param mixed $userId the user ID. Defaults to null, meaning returning all items even if
* they are not assigned to a user.
* @param integer $type the item type (0: operation, 1: task, 2: role). Defaults to null,
* meaning returning all items regardless of their type.
* @return Item[] the authorization items of the specific type.
*/
abstract public function getItems($userId = null, $type = null);
/**
* Returns the authorization item with the specified name.
* @param string $name the name of the item
* @return Item the authorization item. Null if the item cannot be found.
*/
abstract public function getItem($name);
/**
* Saves an authorization item to persistent storage.
* @param Item $item the item to be saved.
* @param string $oldName the old item name. If null, it means the item name is not changed.
*/
abstract public function saveItem($item, $oldName = null);
/**
* Adds an item as a child of another item.
* @param string $itemName the parent item name
* @param string $childName the child item name
* @throws \yii\base\Exception if either parent or child doesn't exist or if a loop has been detected.
*/
abstract public function addItemChild($itemName, $childName);
/**
* Removes a child from its parent.
* Note, the child item is not deleted. Only the parent-child relationship is removed.
* @param string $itemName the parent item name
* @param string $childName the child item name
* @return boolean whether the removal is successful
*/
abstract public function removeItemChild($itemName, $childName);
/**
* Returns a value indicating whether a child exists within a parent.
* @param string $itemName the parent item name
* @param string $childName the child item name
* @return boolean whether the child exists
*/
abstract public function hasItemChild($itemName, $childName);
/**
* Returns the children of the specified item.
* @param mixed $itemName the parent item name. This can be either a string or an array.
* The latter represents a list of item names.
* @return Item[] all child items of the parent
*/
abstract public function getItemChildren($itemName);
/**
* Assigns an authorization item to a user.
* @param mixed $userId the user ID (see [[User::id]])
* @param string $itemName the item name
* @param string $bizRule the business rule to be executed when [[checkAccess()]] is called
* for this particular authorization item.
* @param mixed $data additional data associated with this assignment
* @return Assignment the authorization assignment information.
* @throws \yii\base\Exception if the item does not exist or if the item has already been assigned to the user
*/
abstract public function assign($userId, $itemName, $bizRule = null, $data = null);
/**
* Revokes an authorization assignment from a user.
* @param mixed $userId the user ID (see [[User::id]])
* @param string $itemName the item name
* @return boolean whether removal is successful
*/
abstract public function revoke($userId, $itemName);
/**
* Returns a value indicating whether the item has been assigned to the user.
* @param mixed $userId the user ID (see [[User::id]])
* @param string $itemName the item name
* @return boolean whether the item has been assigned to the user.
*/
abstract public function isAssigned($userId, $itemName);
/**
* Returns the item assignment information.
* @param mixed $userId the user ID (see [[User::id]])
* @param string $itemName the item name
* @return Assignment the item assignment information. Null is returned if
* the item is not assigned to the user.
*/
abstract public function getAssignment($userId, $itemName);
/**
* Returns the item assignments for the specified user.
* @param mixed $userId the user ID (see [[User::id]])
* @return Item[] the item assignment information for the user. An empty array will be
* returned if there is no item assigned to the user.
*/
abstract public function getAssignments($userId);
/**
* Saves the changes to an authorization assignment.
* @param Assignment $assignment the assignment that has been changed.
*/
abstract public function saveAssignment($assignment);
/**
* Removes all authorization data.
*/
abstract public function clearAll();
/**
* Removes all authorization assignments.
*/
abstract public function clearAssignments();
/**
* Saves authorization data into persistent storage.
* If any change is made to the authorization data, please make
* sure you call this method to save the changed data into persistent storage.
*/
abstract public function save();
}

516
yii/rbac/PhpManager.php
Unescape View File

@ -0,0 +1,516 @@
<?php
/**
* @link http://www.yiiframework.com/
* @copyright Copyright (c) 2008 Yii Software LLC
* @license http://www.yiiframework.com/license/
*/
namespace yii\rbac;
use Yii;
use yii\base\Exception;
use yii\base\InvalidCallException;
use yii\base\InvalidParamException;
/**
* PhpManager represents an authorization manager that stores authorization
* information in terms of a PHP script file.
*
* The authorization data will be saved to and loaded from a file
* specified by [[authFile]], which defaults to 'protected/data/rbac.php'.
*
* PhpManager is mainly suitable for authorization data that is not too big
* (for example, the authorization data for a personal blog system).
* Use [[DbManager]] for more complex authorization data.
*
* @property array $authItems The authorization items of the specific type.
*
* @author Qiang Xue <qiang.xue@gmail.com>
* @author Alexander Kochetov <creocoder@gmail.com>
* @since 2.0
*/
class PhpManager extends Manager
{
/**
* @var string the path of the PHP script that contains the authorization data.
* If not set, it will be using 'protected/data/rbac.php' as the data file.
* Make sure this file is writable by the Web server process if the authorization
* needs to be changed.
* @see loadFromFile
* @see saveToFile
*/
public $authFile;
private $_items = array(); // itemName => item
private $_children = array(); // itemName, childName => child
private $_assignments = array(); // userId, itemName => assignment
/**
* Initializes the application component.
* This method overrides parent implementation by loading the authorization data
* from PHP script.
*/
public function init()
{
parent::init();
if ($this->authFile === null) {
$this->authFile = Yii::getAlias('@app/data/rbac') . '.php';
}
$this->load();
}
/**
* Performs access check for the specified user.
* @param mixed $userId the user ID. This can be either an integer or a string representing
* @param string $itemName the name of the operation that need access check
* the unique identifier of a user. See [[User::id]].
* @param array $params name-value pairs that would be passed to biz rules associated
* with the tasks and roles assigned to the user. A param with name 'userId' is added to
* this array, which holds the value of `$userId`.
* @return boolean whether the operations can be performed by the user.
*/
public function checkAccess($userId, $itemName, $params = array())
{
if (!isset($this->_items[$itemName])) {
return false;
}
/** @var $item Item */
$item = $this->_items[$itemName];
Yii::trace('Checking permission: ' . $item->getName(), __METHOD__);
if (!isset($params['userId'])) {
$params['userId'] = $userId;
}
if ($this->executeBizRule($item->getBizRule(), $params, $item->getData())) {
if (in_array($itemName, $this->defaultRoles)) {
return true;
}
if (isset($this->_assignments[$userId][$itemName])) {
/** @var $assignment Assignment */
$assignment = $this->_assignments[$userId][$itemName];
if ($this->executeBizRule($assignment->getBizRule(), $params, $assignment->getData())) {
return true;
}
}
foreach ($this->_children as $parentName => $children) {
if (isset($children[$itemName]) && $this->checkAccess($userId, $parentName, $params)) {
return true;
}
}
}
return false;
}
/**
* Adds an item as a child of another item.
* @param string $itemName the parent item name
* @param string $childName the child item name
* @return boolean whether the item is added successfully
* @throws Exception if either parent or child doesn't exist.
* @throws InvalidCallException if item already has a child with $itemName or if a loop has been detected.
*/
public function addItemChild($itemName, $childName)
{
if (!isset($this->_items[$childName], $this->_items[$itemName])) {
throw new Exception("Either '$itemName' or '$childName' does not exist.");
}
/** @var $child Item */
$child = $this->_items[$childName];
/** @var $item Item */
$item = $this->_items[$itemName];
$this->checkItemChildType($item->getType(), $child->getType());
if ($this->detectLoop($itemName, $childName)) {
throw new InvalidCallException("Cannot add '$childName' as a child of '$itemName'. A loop has been detected.");
}
if (isset($this->_children[$itemName][$childName])) {
throw new InvalidCallException("The item '$itemName' already has a child '$childName'.");
}
$this->_children[$itemName][$childName] = $this->_items[$childName];
return true;
}
/**
* Removes a child from its parent.
* Note, the child item is not deleted. Only the parent-child relationship is removed.
* @param string $itemName the parent item name
* @param string $childName the child item name
* @return boolean whether the removal is successful
*/
public function removeItemChild($itemName, $childName)
{
if (isset($this->_children[$itemName][$childName])) {
unset($this->_children[$itemName][$childName]);
return true;
} else {
return false;
}
}
/**
* Returns a value indicating whether a child exists within a parent.
* @param string $itemName the parent item name
* @param string $childName the child item name
* @return boolean whether the child exists
*/
public function hasItemChild($itemName, $childName)
{
return isset($this->_children[$itemName][$childName]);
}
/**
* Returns the children of the specified item.
* @param mixed $names the parent item name. This can be either a string or an array.
* The latter represents a list of item names.
* @return Item[] all child items of the parent
*/
public function getItemChildren($names)
{
if (is_string($names)) {
return isset($this->_children[$names]) ? $this->_children[$names] : array();
}
$children = array();
foreach ($names as $name) {
if (isset($this->_children[$name])) {
$children = array_merge($children, $this->_children[$name]);
}
}
return $children;
}
/**
* Assigns an authorization item to a user.
* @param mixed $userId the user ID (see [[User::id]])
* @param string $itemName the item name
* @param string $bizRule the business rule to be executed when [[checkAccess()]] is called
* for this particular authorization item.
* @param mixed $data additional data associated with this assignment
* @return Assignment the authorization assignment information.
* @throws InvalidParamException if the item does not exist or if the item has already been assigned to the user
*/
public function assign($userId, $itemName, $bizRule = null, $data = null)
{
if (!isset($this->_items[$itemName])) {
throw new InvalidParamException("Unknown authorization item '$itemName'.");
} elseif (isset($this->_assignments[$userId][$itemName])) {
throw new InvalidParamException("Authorization item '$itemName' has already been assigned to user '$userId'.");
} else {
return $this->_assignments[$userId][$itemName] = new Assignment($this, $userId, $itemName, $bizRule, $data);
}
}
/**
* Revokes an authorization assignment from a user.
* @param mixed $userId the user ID (see [[User::id]])
* @param string $itemName the item name
* @return boolean whether removal is successful
*/
public function revoke($userId, $itemName)
{
if (isset($this->_assignments[$userId][$itemName])) {
unset($this->_assignments[$userId][$itemName]);
return true;
} else {
return false;
}
}
/**
* Returns a value indicating whether the item has been assigned to the user.
* @param mixed $userId the user ID (see [[User::id]])
* @param string $itemName the item name
* @return boolean whether the item has been assigned to the user.
*/
public function isAssigned($userId, $itemName)
{
return isset($this->_assignments[$userId][$itemName]);
}
/**
* Returns the item assignment information.
* @param mixed $userId the user ID (see [[User::id]])
* @param string $itemName the item name
* @return Assignment the item assignment information. Null is returned if
* the item is not assigned to the user.
*/
public function getAssignment($userId, $itemName)
{
return isset($this->_assignments[$userId][$itemName]) ? $this->_assignments[$userId][$itemName] : null;
}
/**
* Returns the item assignments for the specified user.
* @param mixed $userId the user ID (see [[User::id]])
* @return Assignment[] the item assignment information for the user. An empty array will be
* returned if there is no item assigned to the user.
*/
public function getAssignments($userId)
{
return isset($this->_assignments[$userId]) ? $this->_assignments[$userId] : array();
}
/**
* Returns the authorization items of the specific type and user.
* @param mixed $userId the user ID. Defaults to null, meaning returning all items even if
* they are not assigned to a user.
* @param integer $type the item type (0: operation, 1: task, 2: role). Defaults to null,
* meaning returning all items regardless of their type.
* @return Item[] the authorization items of the specific type.
*/
public function getItems($userId = null, $type = null)
{
if ($userId === null && $type === null) {
return $this->_items;
}
$items = array();
if ($userId === null) {
foreach ($this->_items as $name => $item) {
/** @var $item Item */
if ($item->getType() == $type) {
$items[$name] = $item;
}
}
} elseif (isset($this->_assignments[$userId])) {
foreach ($this->_assignments[$userId] as $assignment) {
/** @var $assignment Assignment */
$name = $assignment->getItemName();
if (isset($this->_items[$name]) && ($type === null || $this->_items[$name]->getType() == $type)) {
$items[$name] = $this->_items[$name];
}
}
}
return $items;
}
/**
* Creates an authorization item.
* An authorization item represents an action permission (e.g. creating a post).
* It has three types: operation, task and role.
* Authorization items form a hierarchy. Higher level items inheirt permissions representing
* by lower level items.
* @param string $name the item name. This must be a unique identifier.
* @param integer $type the item type (0: operation, 1: task, 2: role).
* @param string $description description of the item
* @param string $bizRule business rule associated with the item. This is a piece of
* PHP code that will be executed when [[checkAccess()]] is called for the item.
* @param mixed $data additional data associated with the item.
* @return Item the authorization item
* @throws Exception if an item with the same name already exists
*/
public function createItem($name, $type, $description = '', $bizRule = null, $data = null)
{
if (isset($this->_items[$name])) {
throw new Exception('Unable to add an item whose name is the same as an existing item.');
}
return $this->_items[$name] = new Item($this, $name, $type, $description, $bizRule, $data);
}
/**
* Removes the specified authorization item.
* @param string $name the name of the item to be removed
* @return boolean whether the item exists in the storage and has been removed
*/
public function removeItem($name)
{
if (isset($this->_items[$name])) {
foreach ($this->_children as &$children) {
unset($children[$name]);
}
foreach ($this->_assignments as &$assignments) {
unset($assignments[$name]);
}
unset($this->_items[$name]);
return true;
} else {
return false;
}
}
/**
* Returns the authorization item with the specified name.
* @param string $name the name of the item
* @return Item the authorization item. Null if the item cannot be found.
*/
public function getItem($name)
{
return isset($this->_items[$name]) ? $this->_items[$name] : null;
}
/**
* Saves an authorization item to persistent storage.
* @param Item $item the item to be saved.
* @param string $oldName the old item name. If null, it means the item name is not changed.
* @throws InvalidParamException if an item with the same name already taken
*/
public function saveItem($item, $oldName = null)
{
if ($oldName !== null && ($newName = $item->getName()) !== $oldName) // name changed
{
if (isset($this->_items[$newName])) {
throw new InvalidParamException("Unable to change the item name. The name '$newName' is already used by another item.");
}
if (isset($this->_items[$oldName]) && $this->_items[$oldName] === $item) {
unset($this->_items[$oldName]);
$this->_items[$newName] = $item;
if (isset($this->_children[$oldName])) {
$this->_children[$newName] = $this->_children[$oldName];
unset($this->_children[$oldName]);
}
foreach ($this->_children as &$children) {
if (isset($children[$oldName])) {
$children[$newName] = $children[$oldName];
unset($children[$oldName]);
}
}
foreach ($this->_assignments as &$assignments) {
if (isset($assignments[$oldName])) {
$assignments[$newName] = $assignments[$oldName];
unset($assignments[$oldName]);
}
}
}
}
}
/**
* Saves the changes to an authorization assignment.
* @param Assignment $assignment the assignment that has been changed.
*/
public function saveAssignment($assignment)
{
}
/**
* Saves authorization data into persistent storage.
* If any change is made to the authorization data, please make
* sure you call this method to save the changed data into persistent storage.
*/
public function save()
{
$items = array();
foreach ($this->_items as $name => $item) {
/** @var $item Item */
$items[$name] = array(
'type' => $item->getType(),
'description' => $item->getDescription(),
'bizRule' => $item->getBizRule(),
'data' => $item->getData(),
);
if (isset($this->_children[$name])) {
foreach ($this->_children[$name] as $child) {
/** @var $child Item */
$items[$name]['children'][] = $child->getName();
}
}
}
foreach ($this->_assignments as $userId => $assignments) {
foreach ($assignments as $name => $assignment) {
/** @var $assignment Assignment */
if (isset($items[$name])) {
$items[$name]['assignments'][$userId] = array(
'bizRule' => $assignment->getBizRule(),
'data' => $assignment->getData(),
);
}
}
}
$this->saveToFile($items, $this->authFile);
}
/**
* Loads authorization data.
*/
public function load()
{
$this->clearAll();
$items = $this->loadFromFile($this->authFile);
foreach ($items as $name => $item) {
$this->_items[$name] = new Item($this, $name, $item['type'], $item['description'], $item['bizRule'], $item['data']);
}
foreach ($items as $name => $item) {
if (isset($item['children'])) {
foreach ($item['children'] as $childName) {
if (isset($this->_items[$childName])) {
$this->_children[$name][$childName] = $this->_items[$childName];
}
}
}
if (isset($item['assignments'])) {
foreach ($item['assignments'] as $userId => $assignment) {
$this->_assignments[$userId][$name] = new Assignment($this, $name, $userId, $assignment['bizRule'], $assignment['data']);
}
}
}
}
/**
* Removes all authorization data.
*/
public function clearAll()
{
$this->clearAssignments();
$this->_children = array();
$this->_items = array();
}
/**
* Removes all authorization assignments.
*/
public function clearAssignments()
{
$this->_assignments = array();
}
/**
* Checks whether there is a loop in the authorization item hierarchy.
* @param string $itemName parent item name
* @param string $childName the name of the child item that is to be added to the hierarchy
* @return boolean whether a loop exists
*/
protected function detectLoop($itemName, $childName)
{
if ($childName === $itemName) {
return true;
}
if (!isset($this->_children[$childName], $this->_items[$itemName])) {
return false;
}
foreach ($this->_children[$childName] as $child) {
/** @var $child Item */
if ($this->detectLoop($itemName, $child->getName())) {
return true;
}
}
return false;
}
/**
* Loads the authorization data from a PHP script file.
* @param string $file the file path.
* @return array the authorization data
* @see saveToFile
*/
protected function loadFromFile($file)
{
if (is_file($file)) {
return require($file);
} else {
return array();
}
}
/**
* Saves the authorization data to a PHP script file.
* @param array $data the authorization data
* @param string $file the file path.
* @see loadFromFile
*/
protected function saveToFile($data, $file)
{
file_put_contents($file, "<?php\nreturn " . var_export($data, true) . ";\n", LOCK_EX);
}
}

43
yii/rbac/schema-mssql.sql
Unescape View File

@ -0,0 +1,43 @@
/**
* Database schema required by \yii\rbac\DbManager.
*
* @author Qiang Xue <qiang.xue@gmail.com>
* @author Alexander Kochetov <creocoder@gmail.com>
* @link http://www.yiiframework.com/
* @copyright 2008 Yii Software LLC
* @license http://www.yiiframework.com/license/
* @since 2.0
*/
drop table if exists [tbl_auth_assignment];
drop table if exists [tbl_auth_item_child];
drop table if exists [tbl_auth_item];
create table [tbl_auth_item]
(
[name] varchar(64) not null,
[type] integer not null,
[description] text,
[bizrule] text,
[data] text,
primary key ([name])
);
create table [tbl_auth_item_child]
(
[parent] varchar(64) not null,
[child] varchar(64) not null,
primary key ([parent],[child]),
foreign key ([parent]) references [tbl_auth_item] ([name]) on delete cascade on update cascade,
foreign key ([child]) references [tbl_auth_item] ([name]) on delete cascade on update cascade
);
create table [tbl_auth_assignment]
(
[item_name] varchar(64) not null,
[user_id] varchar(64) not null,
[bizrule] text,
[data] text,
primary key ([item_name],[user_id]),
foreign key ([item_name]) references [tbl_auth_item] ([name]) on delete cascade on update cascade
);

43
yii/rbac/schema-mysql.sql
Unescape View File

@ -0,0 +1,43 @@
/**
* Database schema required by \yii\rbac\DbManager.
*
* @author Qiang Xue <qiang.xue@gmail.com>
* @author Alexander Kochetov <creocoder@gmail.com>
* @link http://www.yiiframework.com/
* @copyright 2008 Yii Software LLC
* @license http://www.yiiframework.com/license/
* @since 2.0
*/
drop table if exists `tbl_auth_assignment`;
drop table if exists `tbl_auth_item_child`;
drop table if exists `tbl_auth_item`;
create table `tbl_auth_item`
(
`name` varchar(64) not null,
`type` integer not null,
`description` text,
`bizrule` text,
`data` text,
primary key (`name`)
) engine InnoDB;
create table `tbl_auth_item_child`
(
`parent` varchar(64) not null,
`child` varchar(64) not null,
primary key (`parent`,`child`),
foreign key (`parent`) references `tbl_auth_item` (`name`) on delete cascade on update cascade,
foreign key (`child`) references `tbl_auth_item` (`name`) on delete cascade on update cascade
) engine InnoDB;
create table `tbl_auth_assignment`
(
`item_name` varchar(64) not null,
`user_id` varchar(64) not null,
`bizrule` text,
`data` text,
primary key (`item_name`,`user_id`),
foreign key (`item_name`) references `tbl_auth_item` (`name`) on delete cascade on update cascade
) engine InnoDB;

43
yii/rbac/schema-oci.sql
Unescape View File

@ -0,0 +1,43 @@
/**
* Database schema required by \yii\rbac\DbManager.
*
* @author Qiang Xue <qiang.xue@gmail.com>
* @author Alexander Kochetov <creocoder@gmail.com>
* @link http://www.yiiframework.com/
* @copyright 2008 Yii Software LLC
* @license http://www.yiiframework.com/license/
* @since 2.0
*/
drop table if exists "tbl_auth_assignment";
drop table if exists "tbl_auth_item_child";
drop table if exists "tbl_auth_item";
create table "tbl_auth_item"
(
"name" varchar(64) not null,
"type" integer not null,
"description" text,
"bizrule" text,
"data" text,
primary key ("name")
);
create table "tbl_auth_item_child"
(
"parent" varchar(64) not null,
"child" varchar(64) not null,
primary key ("parent","child"),
foreign key ("parent") references "tbl_auth_item" ("name") on delete cascade on update cascade,
foreign key ("child") references "tbl_auth_item" ("name") on delete cascade on update cascade
);
create table "tbl_auth_assignment"
(
"item_name" varchar(64) not null,
"user_id" varchar(64) not null,
"bizrule" text,
"data" text,
primary key ("item_name","user_id"),
foreign key ("item_name") references "tbl_auth_item" ("name") on delete cascade on update cascade
);

43
yii/rbac/schema-pgsql.sql
Unescape View File

@ -0,0 +1,43 @@
/**
* Database schema required by \yii\rbac\DbManager.
*
* @author Qiang Xue <qiang.xue@gmail.com>
* @author Alexander Kochetov <creocoder@gmail.com>
* @link http://www.yiiframework.com/
* @copyright 2008 Yii Software LLC
* @license http://www.yiiframework.com/license/
* @since 2.0
*/
drop table if exists "tbl_auth_assignment";
drop table if exists "tbl_auth_item_child";
drop table if exists "tbl_auth_item";
create table "tbl_auth_item"
(
"name" varchar(64) not null,
"type" integer not null,
"description" text,
"bizrule" text,
"data" text,
primary key ("name")
);
create table "tbl_auth_item_child"
(
"parent" varchar(64) not null,
"child" varchar(64) not null,
primary key ("parent","child"),
foreign key ("parent") references "tbl_auth_item" ("name") on delete cascade on update cascade,
foreign key ("child") references "tbl_auth_item" ("name") on delete cascade on update cascade
);
create table "tbl_auth_assignment"
(
"item_name" varchar(64) not null,
"user_id" varchar(64) not null,
"bizrule" text,
"data" text,
primary key ("item_name","user_id"),
foreign key ("item_name") references "tbl_auth_item" ("name") on delete cascade on update cascade
);

43
yii/rbac/schema-sqlite.sql
Unescape View File

@ -0,0 +1,43 @@
/**
* Database schema required by \yii\rbac\DbManager.
*
* @author Qiang Xue <qiang.xue@gmail.com>
* @author Alexander Kochetov <creocoder@gmail.com>
* @link http://www.yiiframework.com/
* @copyright 2008 Yii Software LLC
* @license http://www.yiiframework.com/license/
* @since 2.0
*/
drop table if exists 'tbl_auth_assignment';
drop table if exists 'tbl_auth_item_child';
drop table if exists 'tbl_auth_item';
create table 'tbl_auth_item'
(
"name" varchar(64) not null,
"type" integer not null,
"description" text,
"bizrule" text,
"data" text,
primary key ("name")
);
create table 'tbl_auth_item_child'
(
"parent" varchar(64) not null,
"child" varchar(64) not null,
primary key ("parent","child"),
foreign key ("parent") references 'tbl_auth_item' ("name") on delete cascade on update cascade,
foreign key ("child") references 'tbl_auth_item' ("name") on delete cascade on update cascade
);
create table 'tbl_auth_assignment'
(
"item_name" varchar(64) not null,
"user_id" varchar(64) not null,
"bizrule" text,
"data" text,
primary key ("item_name","user_id"),
foreign key ("item_name") references 'tbl_auth_item' ("name") on delete cascade on update cascade
);

40
yii/web/User.php
Unescape View File

@ -40,11 +40,11 @@ class User extends Component
*/ */
public $enableAutoLogin = false; public $enableAutoLogin = false;
/** /**
* @var string|array the URL for login when [[loginRequired()]] is called. * @var string|array the URL for login when [[loginRequired()]] is called.
* If an array is given, [[UrlManager::createUrl()]] will be called to create the corresponding URL. * If an array is given, [[UrlManager::createUrl()]] will be called to create the corresponding URL.
* The first element of the array should be the route to the login action, and the rest of * The first element of the array should be the route to the login action, and the rest of
* the name-value pairs are GET parameters used to construct the login URL. For example, * the name-value pairs are GET parameters used to construct the login URL. For example,
* *
* ~~~ * ~~~
* array('site/login', 'ref' => 1) * array('site/login', 'ref' => 1)
* ~~~ * ~~~
@ -86,6 +86,8 @@ class User extends Component
*/ */
public $returnUrlVar = '__returnUrl'; public $returnUrlVar = '__returnUrl';
private $_access = array();
/** /**
* Initializes the application component. * Initializes the application component.
@ -449,19 +451,33 @@ class User extends Component
} }
/** /**
* Checks whether the user has access to the specified operation. * Performs access check for this user.
* @param $operator * @param string $operation the name of the operation that need access check.
* @param array $params * @param array $params name-value pairs that would be passed to business rules associated
* @return bool * with the tasks and roles assigned to the user. A param with name 'userId' is added to
* @todo * this array, which holds the value of [[id]] when [[DbAuthManager]] or
* [[PhpAuthManager]] is used.
* @param boolean $allowCaching whether to allow caching the result of access check.
* When this parameter is true (default), if the access check of an operation was performed
* before, its result will be directly returned when calling this method to check the same
* operation. If this parameter is false, this method will always call
* [[AuthManager::checkAccess()]] to obtain the up-to-date access result. Note that this
* caching is effective only within the same request and only works when `$params = array()`.
* @return boolean whether the operations can be performed by this user.
*/ */
public function checkAccess($operation, $params = array()) public function checkAccess($operation, $params = array(), $allowCaching = true)
{ {
$auth = Yii::$app->getAuthManager(); $auth = Yii::$app->getAuthManager();
if ($auth !== null) { if ($auth === null) {
return $auth->checkAccess($this->getId(), $operation, $params);
} else {
return false; return false;
} }
if ($allowCaching && empty($params) && isset($this->_access[$operation])) {
return $this->_access[$operation];
}
$access = $auth->checkAccess($this->getId(), $operation, $params);
if ($allowCaching && empty($params)) {
$this->_access[$operation] = $access;
}
return $access;
} }
} }

4
yii/yiic.php
Unescape View File

@ -7,6 +7,10 @@
* @license http://www.yiiframework.com/license/ * @license http://www.yiiframework.com/license/
*/ */
if(!ini_get('date.timezone')) {
date_default_timezone_set('UTC');
}
defined('YII_DEBUG') or define('YII_DEBUG', true); defined('YII_DEBUG') or define('YII_DEBUG', true);
// fcgi doesn't have STDIN defined by default // fcgi doesn't have STDIN defined by default

Write Preview
Loading…
Cancel
Save