
Finished AccessControl.

tags/2.0.0-beta
Qiang Xue 12 years ago
parent
commit
5f0f721c4a
  1. 46
      framework/web/AccessRule.php

46
framework/web/AccessRule.php

@ -35,22 +35,16 @@ class AccessRule extends Component
*/ */
public $controllers; public $controllers;
/** /**
* @var array list of user names that this rule applies to. The comparison is case-insensitive. * @var array list of roles that this rule applies to. Two special roles are recognized, and
* If not set or empty, it means this rule applies to all users. Two special tokens are recognized: * they are checked via [[User::isGuest]]:
* *
* - `?`: matches a guest user (not authenticated yet) * - `?`: matches a guest user (not authenticated yet)
* - `@`: matches an authenticated user * - `@`: matches an authenticated user
* *
* @see \yii\web\Application::user * Using additional role names requires RBAC (Role-Based Access Control), and
*/ * [[User::hasAccess()]] will be called.
public $users; *
/** * If this property is not set or empty, it means this rule applies to all roles.
* @var array list of roles that this rule applies to. For each role, the current user's
* {@link CWebUser::checkAccess} method will be invoked. If one of the invocations
* returns true, the rule will be applied.
* Note, you should mainly use roles in an "allow" rule because by definition,
* a role represents a permission collection.
* If not set or empty, it means this rule applies to all roles.
*/ */
public $roles; public $roles;
/** /**
@ -106,7 +100,6 @@ class AccessRule extends Component
public function allows($action, $user, $request) public function allows($action, $user, $request)
{ {
if ($this->matchAction($action) if ($this->matchAction($action)
&& $this->matchUser($user)
&& $this->matchRole($user) && $this->matchRole($user)
&& $this->matchIP($request->getUserIP()) && $this->matchIP($request->getUserIP())
&& $this->matchVerb($request->getRequestMethod()) && $this->matchVerb($request->getRequestMethod())
@ -138,27 +131,6 @@ class AccessRule extends Component
} }
/** /**
* @param User $user the user
* @return boolean whether the rule applies to the user
*/
protected function matchUser($user)
{
if (empty($this->users)) {
return true;
}
foreach ($this->users as $u) {
if ($u === '?' && $user->getIsGuest()) {
return true;
} elseif ($u === '@' && !$user->getIsGuest()) {
return true;
} elseif (!strcasecmp($u, $user->getName())) {
return true;
}
}
return false;
}
/**
* @param User $user the user object * @param User $user the user object
* @return boolean whether the rule applies to the role * @return boolean whether the rule applies to the role
*/ */
@ -168,7 +140,11 @@ class AccessRule extends Component
return true; return true;
} }
foreach ($this->roles as $role) { foreach ($this->roles as $role) {
if ($user->checkAccess($role)) { if ($role === '?' && $user->getIsGuest()) {
return true;
} elseif ($role === '@' && !$user->getIsGuest()) {
return true;
} elseif ($user->hasAccess($role)) {
return true; return true;
} }
} }
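Review bot: In the rewritten loop of matchRole, a `?` entry evaluated for an authenticated user (or an `@` entry evaluated for a guest) fails its first condition and falls through to `$user->hasAccess($role)`, so the special tokens reach the RBAC check as if they were role names. The new docblock says the two tokens are checked via isGuest and that only additional role names go to hasAccess(), so the code and the documentation disagree. hasAccess() is not shown on this page, so the effect is inferred: an RBAC item named `?` or `@` would make the rule match the opposite audience, and an application without RBAC configured may hit an error path just for using `?` or `@`. Branching on the token first and testing getIsGuest() inside that branch keeps the tokens away from hasAccess() entirely. The signature and the empty-roles guard of matchRole lie outside the hunk.

```php
foreach ($this->roles as $role) {
    if ($role === '?') {
        // guest token: decided by isGuest alone, never passed to RBAC
        if ($user->getIsGuest()) {
            return true;
        }
    } elseif ($role === '@') {
        // authenticated token: decided by isGuest alone, never passed to RBAC
        if (!$user->getIsGuest()) {
            return true;
        }
    } elseif ($user->hasAccess($role)) {
        return true;
    }
}
```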
