
CakePHP 2.8 API

  1: <?php
  2: /**
  3:  * CakePHP(tm) : Rapid Development Framework (http://cakephp.org)
  4:  * Copyright (c) Cake Software Foundation, Inc. (http://cakefoundation.org)
  5:  *
  6:  * Licensed under The MIT License
  7:  * For full copyright and license information, please see the LICENSE.txt
  8:  * Redistributions of files must retain the above copyright notice.
  9:  *
 10:  * @copyright     Copyright (c) Cake Software Foundation, Inc. (http://cakefoundation.org)
 11:  * @link          http://cakephp.org CakePHP(tm) Project
 12:  * @package       Cake.Model
 13:  * @since         CakePHP(tm) v 0.2.9
 14:  * @license       http://www.opensource.org/licenses/mit-license.php MIT License
 15:  */
 16: 
 17: App::uses('AppModel', 'Model');
 18: 
 19: /**
 20:  * Permissions linking AROs with ACOs
 21:  *
 22:  * @package       Cake.Model
 23:  */
 24: class Permission extends AppModel {
 25: 
 26: /**
 27:  * Explicitly disable in-memory query caching
 28:  *
 29:  * @var bool
 30:  */
 31:     public $cacheQueries = false;
 32: 
 33: /**
 34:  * Override default table name
 35:  *
 36:  * @var string
 37:  */
 38:     public $useTable = 'aros_acos';
 39: 
 40: /**
 41:  * Permissions link AROs with ACOs
 42:  *
 43:  * @var array
 44:  */
 45:     public $belongsTo = array('Aro', 'Aco');
 46: 
 47: /**
 48:  * No behaviors for this model
 49:  *
 50:  * @var array
 51:  */
 52:     public $actsAs = null;
 53: 
 54: /**
 55:  * Constructor, used to tell this model to use the
 56:  * database configured for ACL
 57:  */
 58:     public function __construct() {
 59:         $config = Configure::read('Acl.database');
 60:         if (!empty($config)) {
 61:             $this->useDbConfig = $config;
 62:         }
 63:         parent::__construct();
 64:     }
 65: 
 66: /**
 67:  * Checks if the given $aro has access to action $action in $aco
 68:  *
 69:  * @param string $aro ARO The requesting object identifier.
 70:  * @param string $aco ACO The controlled object identifier.
 71:  * @param string $action Action (defaults to *)
 72:  * @return bool Success (true if ARO has access to action in ACO, false otherwise)
 73:  */
 74:     public function check($aro, $aco, $action = '*') {
 75:         if (!$aro || !$aco) {
 76:             return false;
 77:         }
 78: 
 79:         $permKeys = $this->getAcoKeys($this->schema());
 80:         $aroPath = $this->Aro->node($aro);
 81:         $acoPath = $this->Aco->node($aco);
 82: 
 83:         if (!$aroPath) {
 84:             $this->log(__d('cake_dev',
 85:                     "%s - Failed ARO node lookup in permissions check. Node references:\nAro: %s\nAco: %s",
 86:                     'DbAcl::check()',
 87:                     print_r($aro, true),
 88:                     print_r($aco, true)),
 89:                 E_USER_WARNING
 90:             );
 91:             return false;
 92:         }
 93: 
 94:         if (!$acoPath) {
 95:             $this->log(__d('cake_dev',
 96:                     "%s - Failed ACO node lookup in permissions check. Node references:\nAro: %s\nAco: %s",
 97:                     'DbAcl::check()',
 98:                     print_r($aro, true),
 99:                     print_r($aco, true)),
100:                 E_USER_WARNING
101:             );
102:             return false;
103:         }
104: 
105:         if ($action !== '*' && !in_array('_' . $action, $permKeys)) {
106:             $this->log(__d('cake_dev', "ACO permissions key %s does not exist in %s", $action, 'DbAcl::check()'), E_USER_NOTICE);
107:             return false;
108:         }
109: 
110:         $acoIDs = Hash::extract($acoPath, '{n}.' . $this->Aco->alias . '.id');
111: 
112:         $count = count($aroPath);
113:         $inherited = array();
114:         for ($i = 0; $i < $count; $i++) {
115:             $permAlias = $this->alias;
116: 
117:             $perms = $this->find('all', array(
118:                 'conditions' => array(
119:                     "{$permAlias}.aro_id" => $aroPath[$i][$this->Aro->alias]['id'],
120:                     "{$permAlias}.aco_id" => $acoIDs
121:                 ),
122:                 'order' => array($this->Aco->alias . '.lft' => 'desc'),
123:                 'recursive' => 0
124:             ));
125: 
126:             if (empty($perms)) {
127:                 continue;
128:             }
129:             $perms = Hash::extract($perms, '{n}.' . $this->alias);
130:             foreach ($perms as $perm) {
131:                 if ($action === '*') {
132:                     if (empty($perm)) {
133:                         continue;
134:                     }
135:                     foreach ($permKeys as $key) {
136:                         if ($perm[$key] == -1 && !(isset($inherited[$key]) && $inherited[$key] == 1)) {
137:                             // Deny, but only if a child node didnt't explicitly allow
138:                             return false;
139:                         } elseif ($perm[$key] == 1) {
140:                             // Allow & inherit from parent nodes
141:                             $inherited[$key] = $perm[$key];
142:                         }
143:                     }
144:                 } else {
145:                     switch ($perm['_' . $action]) {
146:                         case -1:
147:                             return false;
148:                         case 0:
149:                             continue;
150:                         case 1:
151:                             return true;
152:                     }
153:                 }
154:             }
155: 
156:             if ($action === '*' && count($inherited) === count($permKeys)) {
157:                 return true;
158:             }
159:         }
160:         return false;
161:     }
162: 
163: /**
164:  * Allow $aro to have access to action $actions in $aco
165:  *
166:  * @param string $aro ARO The requesting object identifier.
167:  * @param string $aco ACO The controlled object identifier.
168:  * @param string $actions Action (defaults to *) Invalid permissions will result in an exception
169:  * @param int $value Value to indicate access type (1 to give access, -1 to deny, 0 to inherit)
170:  * @return bool Success
171:  * @throws AclException on Invalid permission key.
172:  */
173:     public function allow($aro, $aco, $actions = '*', $value = 1) {
174:         $perms = $this->getAclLink($aro, $aco);
175:         $permKeys = $this->getAcoKeys($this->schema());
176:         $save = array();
177: 
178:         if (!$perms) {
179:             $this->log(__d('cake_dev', '%s - Invalid node', 'DbAcl::allow()'), E_USER_WARNING);
180:             return false;
181:         }
182:         if (isset($perms[0])) {
183:             $save = $perms[0][$this->alias];
184:         }
185: 
186:         if ($actions === '*') {
187:             $save = array_combine($permKeys, array_pad(array(), count($permKeys), $value));
188:         } else {
189:             if (!is_array($actions)) {
190:                 $actions = array('_' . $actions);
191:             }
192:             foreach ($actions as $action) {
193:                 if ($action{0} !== '_') {
194:                     $action = '_' . $action;
195:                 }
196:                 if (!in_array($action, $permKeys, true)) {
197:                     throw new AclException(__d('cake_dev', 'Invalid permission key "%s"', $action));
198:                 }
199:                 $save[$action] = $value;
200:             }
201:         }
202:         list($save['aro_id'], $save['aco_id']) = array($perms['aro'], $perms['aco']);
203: 
204:         if ($perms['link'] && !empty($perms['link'])) {
205:             $save['id'] = $perms['link'][0][$this->alias]['id'];
206:         } else {
207:             unset($save['id']);
208:             $this->id = null;
209:         }
210:         return ($this->save($save) !== false);
211:     }
212: 
213: /**
214:  * Get an array of access-control links between the given Aro and Aco
215:  *
216:  * @param string $aro ARO The requesting object identifier.
217:  * @param string $aco ACO The controlled object identifier.
218:  * @return array Indexed array with: 'aro', 'aco' and 'link'
219:  */
220:     public function getAclLink($aro, $aco) {
221:         $obj = array();
222:         $obj['Aro'] = $this->Aro->node($aro);
223:         $obj['Aco'] = $this->Aco->node($aco);
224: 
225:         if (empty($obj['Aro']) || empty($obj['Aco'])) {
226:             return false;
227:         }
228:         $aro = Hash::extract($obj, 'Aro.0.' . $this->Aro->alias . '.id');
229:         $aco = Hash::extract($obj, 'Aco.0.' . $this->Aco->alias . '.id');
230:         $aro = current($aro);
231:         $aco = current($aco);
232: 
233:         return array(
234:             'aro' => $aro,
235:             'aco' => $aco,
236:             'link' => $this->find('all', array('conditions' => array(
237:                 $this->alias . '.aro_id' => $aro,
238:                 $this->alias . '.aco_id' => $aco
239:             )))
240:         );
241:     }
242: 
243: /**
244:  * Get the crud type keys
245:  *
246:  * @param array $keys Permission schema
247:  * @return array permission keys
248:  */
249:     public function getAcoKeys($keys) {
250:         $newKeys = array();
251:         $keys = array_keys($keys);
252:         foreach ($keys as $key) {
253:             if (!in_array($key, array('id', 'aro_id', 'aco_id'))) {
254:                 $newKeys[] = $key;
255:             }
256:         }
257:         return $newKeys;
258:     }
259: }
260: 