Magento 2 Documentation  2.3
Documentation for Magento 2 CMS v2.3 (December 2018)
Zend_Acl Class Reference
Inheritance diagram for Zend_Acl:
Acl

Public Member Functions

 addRole ($role, $parents=null)
 
 getRole ($role)
 
 hasRole ($role)
 
 inheritsRole ($role, $inherit, $onlyParents=false)
 
 removeRole ($role)
 
 removeRoleAll ()
 
 addResource ($resource, $parent=null)
 
 add (Zend_Acl_Resource_Interface $resource, $parent=null)
 
 get ($resource)
 
 has ($resource)
 
 inherits ($resource, $inherit, $onlyParent=false)
 
 remove ($resource)
 
 removeAll ()
 
 allow ($roles=null, $resources=null, $privileges=null, Zend_Acl_Assert_Interface $assert=null)
 
 deny ($roles=null, $resources=null, $privileges=null, Zend_Acl_Assert_Interface $assert=null)
 
 removeAllow ($roles=null, $resources=null, $privileges=null)
 
 removeDeny ($roles=null, $resources=null, $privileges=null)
 
 setRule ($operation, $type, $roles=null, $resources=null, $privileges=null, Zend_Acl_Assert_Interface $assert=null)
 
 isAllowed ($role=null, $resource=null, $privilege=null)
 
 getRegisteredRoles ()
 
 getRoles ()
 
 getResources ()
 

Data Fields

const TYPE_ALLOW = 'TYPE_ALLOW'
 
const TYPE_DENY = 'TYPE_DENY'
 
const OP_ADD = 'OP_ADD'
 
const OP_REMOVE = 'OP_REMOVE'
 

Protected Member Functions

 _getRoleRegistry ()
 
 _roleDFSAllPrivileges (Zend_Acl_Role_Interface $role, Zend_Acl_Resource_Interface $resource=null)
 
 _roleDFSVisitAllPrivileges (Zend_Acl_Role_Interface $role, Zend_Acl_Resource_Interface $resource=null, &$dfs=null)
 
 _roleDFSOnePrivilege (Zend_Acl_Role_Interface $role, Zend_Acl_Resource_Interface $resource=null, $privilege=null)
 
 _roleDFSVisitOnePrivilege (Zend_Acl_Role_Interface $role, Zend_Acl_Resource_Interface $resource=null, $privilege=null, &$dfs=null)
 
 _getRuleType (Zend_Acl_Resource_Interface $resource=null, Zend_Acl_Role_Interface $role=null, $privilege=null)
 
_getRules (Zend_Acl_Resource_Interface $resource=null, Zend_Acl_Role_Interface $role=null, $create=false)
 

Protected Attributes

 $_roleRegistry = null
 
 $_resources = array()
 
 $_isAllowedRole = null
 
 $_isAllowedResource = null
 
 $_isAllowedPrivilege = null
 
 $_rules
 

Detailed Description

Definition at line 59 of file Acl.php.

Member Function Documentation

◆ _getRoleRegistry()

_getRoleRegistry ( )
protected

Returns the Role registry for this ACL

If no Role registry has been created yet, a new default Role registry is created and returned.

Returns
Zend_Acl_Role_Registry

Definition at line 907 of file Acl.php.

{
    // Reuse the registry once it exists, so every role operation on this ACL
    // works against the same Zend_Acl_Role_Registry instance.
    if (null !== $this->_roleRegistry) {
        return $this->_roleRegistry;
    }

    // First use: create the default registry and remember it.
    $this->_roleRegistry = new Zend_Acl_Role_Registry();

    return $this->_roleRegistry;
}
$_roleRegistry
Definition: Acl.php:86

◆ _getRules()

& _getRules ( Zend_Acl_Resource_Interface  $resource = null,
Zend_Acl_Role_Interface  $role = null,
  $create = false 
)
protected

Returns the rules associated with a Resource and a Role, or null if no such rules exist

If either $resource or $role is null, this means that the rules returned are for all Resources or all Roles, respectively. Both can be null to return the default rule set for all Resources and all Roles.

If the $create parameter is true, then a rule set is first created and then returned to the caller.

Parameters
Zend_Acl_Resource_Interface$resource
Zend_Acl_Role_Interface$role
boolean$create
Returns
array|null

Definition at line 1161 of file Acl.php.

{
    // The method returns by reference (note the "&" in its signature), so the
    // "no rules" answer has to be a variable rather than the literal null.
    $noRules = null;

    // Step 1: select the branch of $this->_rules that belongs to $resource.
    // A null $resource selects the 'allResources' branch.
    if (null === $resource) {
        $branch =& $this->_rules['allResources'];
    } else {
        $resourceId = $resource->getResourceId();
        if (!isset($this->_rules['byResourceId'][$resourceId])) {
            if (!$create) {
                // Read-only lookup: report "no rules" without adding an entry.
                return $noRules;
            }
            $this->_rules['byResourceId'][$resourceId] = array();
        }
        $branch =& $this->_rules['byResourceId'][$resourceId];
    }

    // Step 2: within that branch, select the rule set for $role.
    // A null $role selects the 'allRoles' rule set.
    if (null === $role) {
        if (!isset($branch['allRoles'])) {
            if (!$create) {
                return $noRules;
            }
            // Only 'byPrivilegeId' is seeded here; no 'allPrivileges' entry
            // is created for the all-roles rule set.
            $branch['allRoles']['byPrivilegeId'] = array();
        }

        return $branch['allRoles'];
    }

    $roleId = $role->getRoleId();
    if (!isset($branch['byRoleId'][$roleId])) {
        if (!$create) {
            return $noRules;
        }
        // A new per-role rule set starts with no privilege rules and an
        // 'allPrivileges' rule whose type is null, i.e. neither allow nor deny.
        $branch['byRoleId'][$roleId]['byPrivilegeId'] = array();
        $branch['byRoleId'][$roleId]['allPrivileges'] = array('type' => null, 'assert' => null);
    }

    return $branch['byRoleId'][$roleId];
}
$resource
Definition: bulk.php:12
$roleId
Definition: webapi_user.php:22

◆ _getRuleType()

_getRuleType ( Zend_Acl_Resource_Interface  $resource = null,
Zend_Acl_Role_Interface  $role = null,
  $privilege = null 
)
protected

Returns the rule type associated with the specified Resource, Role, and privilege combination.

If a rule does not exist or its attached assertion fails, which means that the rule is not applicable, then this method returns null. Otherwise, the rule type applies and is returned as either TYPE_ALLOW or TYPE_DENY.

If $resource or $role is null, then this means that the rule must apply to all Resources or Roles, respectively.

If $privilege is null, then the rule must apply to all privileges.

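If all three parameters are null, then the default ACL rule type is returned, based on whether its assertion method passes. If the default rule carries an assertion and that assertion fails, the opposite rule type is returned (TYPE_DENY for a default allow rule, TYPE_ALLOW for a default deny rule).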

Parameters
Zend_Acl_Resource_Interface$resource
Zend_Acl_Role_Interface$role
string$privilege
Returns
string|null

Definition at line 1105 of file Acl.php.

{
    // Look up the rule set for this Resource/Role pair; none means no decision.
    $rules = $this->_getRules($resource, $role);
    if (null === $rules) {
        return null;
    }

    // Pick the single rule to evaluate: the all-privileges rule when
    // $privilege is null, otherwise the rule stored for that privilege.
    if (null === $privilege) {
        if (!isset($rules['allPrivileges'])) {
            return null;
        }
        $rule = $rules['allPrivileges'];
    } else {
        if (!isset($rules['byPrivilegeId'][$privilege])) {
            return null;
        }
        $rule = $rules['byPrivilegeId'][$privilege];
    }

    // Run the attached assertion, if any. The assertion receives the role and
    // resource recorded by isAllowed() when those are objects, otherwise the
    // ones passed to this method, and always the privilege recorded by
    // isAllowed() rather than the $privilege argument.
    if ($rule['assert']) {
        $assertion = $rule['assert'];
        $assertionRole = ($this->_isAllowedRole instanceof Zend_Acl_Role_Interface)
            ? $this->_isAllowedRole
            : $role;
        $assertionResource = ($this->_isAllowedResource instanceof Zend_Acl_Resource_Interface)
            ? $this->_isAllowedResource
            : $resource;
        $assertionValue = $assertion->assert(
            $this,
            $assertionRole,
            $assertionResource,
            $this->_isAllowedPrivilege
        );
    }

    // No assertion, or the assertion passed: the rule applies as written.
    if (null === $rule['assert'] || $assertionValue) {
        return $rule['type'];
    }

    // The assertion failed. For any specific rule this means "not applicable".
    $isDefaultRule = (null === $resource && null === $role && null === $privilege);
    if (!$isDefaultRule) {
        return null;
    }

    // Default rule with a failed assertion: the type is inverted. A default
    // deny rule whose assertion fails therefore answers TYPE_ALLOW, so an
    // assertion attached to the default rule needs the same review as the
    // rule itself.
    return (self::TYPE_ALLOW === $rule['type']) ? self::TYPE_DENY : self::TYPE_ALLOW;
}
const TYPE_ALLOW
Definition: Acl.php:64
& _getRules(Zend_Acl_Resource_Interface $resource=null, Zend_Acl_Role_Interface $role=null, $create=false)
Definition: Acl.php:1161
const TYPE_DENY
Definition: Acl.php:69
$resource
Definition: bulk.php:12

◆ _roleDFSAllPrivileges()

_roleDFSAllPrivileges ( Zend_Acl_Role_Interface  $role,
Zend_Acl_Resource_Interface  $resource = null 
)
protected

Performs a depth-first search of the Role DAG, starting at $role, in order to find a rule allowing/denying $role access to all privileges upon $resource

This method returns true if a rule is found and allows access. If a rule exists and denies access, then this method returns false. If no applicable rule is found, then this method returns null.

Parameters
Zend_Acl_Role_Interface$role
Zend_Acl_Resource_Interface$resource
Returns
boolean|null

Definition at line 926 of file Acl.php.

{
    // Search state shared with _roleDFSVisitAllPrivileges(), which takes it
    // by reference and records visited role ids and parents still to visit.
    $dfs = array(
        'visited' => array(),
        'stack'   => array(),
    );

    // Start with the role itself; a non-null answer ends the search.
    $result = $this->_roleDFSVisitAllPrivileges($role, $resource, $dfs);
    if (null !== $result) {
        return $result;
    }

    // Then work through the ancestors pushed by each visit. array_pop() takes
    // the most recently pushed parent first and returns null once the stack
    // is empty.
    while (null !== ($role = array_pop($dfs['stack']))) {
        if (isset($dfs['visited'][$role->getRoleId()])) {
            // Reached through another path already.
            continue;
        }
        $result = $this->_roleDFSVisitAllPrivileges($role, $resource, $dfs);
        if (null !== $result) {
            return $result;
        }
    }

    // Neither the role nor any ancestor has an applicable rule.
    return null;
}
$resource
Definition: bulk.php:12
_roleDFSVisitAllPrivileges(Zend_Acl_Role_Interface $role, Zend_Acl_Resource_Interface $resource=null, &$dfs=null)
Definition: Acl.php:962

◆ _roleDFSOnePrivilege()

_roleDFSOnePrivilege ( Zend_Acl_Role_Interface  $role,
Zend_Acl_Resource_Interface  $resource = null,
  $privilege = null 
)
protected

Performs a depth-first search of the Role DAG, starting at $role, in order to find a rule allowing/denying $role access to a $privilege upon $resource

This method returns true if a rule is found and allows access. If a rule exists and denies access, then this method returns false. If no applicable rule is found, then this method returns null.

Parameters
Zend_Acl_Role_Interface$role
Zend_Acl_Resource_Interface$resource
string$privilege
Returns
boolean|null
Exceptions
Zend_Acl_Exception
See also
Zend_Acl_Exception

Definition at line 1005 of file Acl.php.

{
    // This search is for one named privilege; a null privilege is a caller error.
    if (null === $privilege) {
        throw new Zend_Acl_Exception('$privilege parameter may not be null');
    }

    // Search state shared with _roleDFSVisitOnePrivilege(), which takes it
    // by reference and records visited role ids and parents still to visit.
    $dfs = array(
        'visited' => array(),
        'stack'   => array(),
    );

    // Start with the role itself; a non-null answer ends the search.
    $result = $this->_roleDFSVisitOnePrivilege($role, $resource, $privilege, $dfs);
    if (null !== $result) {
        return $result;
    }

    // Then work through the ancestors pushed by each visit, most recently
    // pushed first, until the stack is empty.
    while (null !== ($role = array_pop($dfs['stack']))) {
        if (isset($dfs['visited'][$role->getRoleId()])) {
            continue;
        }
        $result = $this->_roleDFSVisitOnePrivilege($role, $resource, $privilege, $dfs);
        if (null !== $result) {
            return $result;
        }
    }

    // Neither the role nor any ancestor has an applicable rule.
    return null;
}
$resource
Definition: bulk.php:12
_roleDFSVisitOnePrivilege(Zend_Acl_Role_Interface $role, Zend_Acl_Resource_Interface $resource=null, $privilege=null, &$dfs=null)
Definition: Acl.php:1051

◆ _roleDFSVisitAllPrivileges()

_roleDFSVisitAllPrivileges ( Zend_Acl_Role_Interface  $role,
Zend_Acl_Resource_Interface  $resource = null,
$dfs = null 
)
protected

Visits a $role in order to look for a rule allowing/denying $role access to all privileges upon $resource

This method returns true if a rule is found and allows access. If a rule exists and denies access, then this method returns false. If no applicable rule is found, then this method returns null.

This method is used by the internal depth-first search algorithm and may modify the DFS data structure.

Parameters
Zend_Acl_Role_Interface$role
Zend_Acl_Resource_Interface$resource
array$dfs
Returns
boolean|null
Exceptions
Zend_Acl_Exception
See also
Zend_Acl_Exception

Definition at line 962 of file Acl.php.

{
    // The search state is mandatory; the null default in the signature only
    // exists so that a missing argument is reported through this exception.
    if (null === $dfs) {
        throw new Zend_Acl_Exception('$dfs parameter may not be null');
    }

    $rules = $this->_getRules($resource, $role);
    if (null !== $rules) {
        // "All privileges" is refused as soon as any single privilege rule
        // for this role and resource evaluates to deny.
        foreach ($rules['byPrivilegeId'] as $privilege => $rule) {
            if (self::TYPE_DENY === $this->_getRuleType($resource, $role, $privilege)) {
                return false;
            }
        }

        // Otherwise the all-privileges rule decides, when one applies.
        $ruleTypeAllPrivileges = $this->_getRuleType($resource, $role, null);
        if (null !== $ruleTypeAllPrivileges) {
            return self::TYPE_ALLOW === $ruleTypeAllPrivileges;
        }
    }

    // Undecided here: mark the role as visited and queue its parents so the
    // calling search can continue with them.
    $dfs['visited'][$role->getRoleId()] = true;
    foreach ($this->_getRoleRegistry()->getParents($role) as $roleParent) {
        $dfs['stack'][] = $roleParent;
    }

    return null;
}
_getRoleRegistry()
Definition: Acl.php:907
& _getRules(Zend_Acl_Resource_Interface $resource=null, Zend_Acl_Role_Interface $role=null, $create=false)
Definition: Acl.php:1161
_getRuleType(Zend_Acl_Resource_Interface $resource=null, Zend_Acl_Role_Interface $role=null, $privilege=null)
Definition: Acl.php:1105

◆ _roleDFSVisitOnePrivilege()

_roleDFSVisitOnePrivilege ( Zend_Acl_Role_Interface  $role,
Zend_Acl_Resource_Interface  $resource = null,
  $privilege = null,
$dfs = null 
)
protected

Visits a $role in order to look for a rule allowing/denying $role access to a $privilege upon $resource

This method returns true if a rule is found and allows access. If a rule exists and denies access, then this method returns false. If no applicable rule is found, then this method returns null.

This method is used by the internal depth-first search algorithm and may modify the DFS data structure.

Parameters
Zend_Acl_Role_Interface$role
Zend_Acl_Resource_Interface$resource
string$privilege
array$dfs
Returns
boolean|null
Exceptions
Zend_Acl_Exception
See also
Zend_Acl_Exception
Zend_Acl_Exception

Definition at line 1051 of file Acl.php.

{
    // Both the privilege and the search state are mandatory.
    if (null === $privilege) {
        throw new Zend_Acl_Exception('$privilege parameter may not be null');
    }
    if (null === $dfs) {
        throw new Zend_Acl_Exception('$dfs parameter may not be null');
    }

    // A rule for the specific privilege takes precedence over the role's
    // all-privileges rule; the latter is only consulted when the former
    // gives no answer.
    $ruleTypeOnePrivilege = $this->_getRuleType($resource, $role, $privilege);
    if (null !== $ruleTypeOnePrivilege) {
        return self::TYPE_ALLOW === $ruleTypeOnePrivilege;
    }
    $ruleTypeAllPrivileges = $this->_getRuleType($resource, $role, null);
    if (null !== $ruleTypeAllPrivileges) {
        return self::TYPE_ALLOW === $ruleTypeAllPrivileges;
    }

    // Undecided here: mark the role as visited and queue its parents so the
    // calling search can continue with them.
    $dfs['visited'][$role->getRoleId()] = true;
    foreach ($this->_getRoleRegistry()->getParents($role) as $roleParent) {
        $dfs['stack'][] = $roleParent;
    }

    return null;
}
_getRoleRegistry()
Definition: Acl.php:907
_getRuleType(Zend_Acl_Resource_Interface $resource=null, Zend_Acl_Role_Interface $role=null, $privilege=null)
Definition: Acl.php:1105

◆ add()

add ( Zend_Acl_Resource_Interface  $resource,
  $parent = null 
)

Adds a Resource having an identifier unique to the ACL

The $parent parameter may be a reference to, or the string identifier for, the existing Resource from which the newly added Resource will inherit.

Deprecated:
Deprecated since version 1.9.1; it will remain available until 2.0. New code should use addResource() instead.
Parameters
Zend_Acl_Resource_Interface$resource
Zend_Acl_Resource_Interface | string$parent
Exceptions
Zend_Acl_Exception
Returns
Zend_Acl Provides a fluent interface

Definition at line 341 of file Acl.php.

{
    // Deprecated alias: both arguments go to addResource() unchanged and its
    // return value is passed straight back to the caller.
    $acl = $this->addResource($resource, $parent);

    return $acl;
}
addResource($resource, $parent=null)
Definition: Acl.php:283

◆ addResource()

addResource (   $resource,
  $parent = null 
)

Adds a Resource having an identifier unique to the ACL

The $parent parameter may be a reference to, or the string identifier for, the existing Resource from which the newly added Resource will inherit.

Parameters
Zend_Acl_Resource_Interface | string$resource
Zend_Acl_Resource_Interface | string$parent
Exceptions
Zend_Acl_Exception
Returns
Zend_Acl Provides a fluent interface

Definition at line 283 of file Acl.php.

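{
    // NOTE(review): the rendered listing jumps from line 285 to line 287, so
    // the body of this branch is missing on the page. The documented type
    // (Zend_Acl_Resource_Interface | string) and the matching code in
    // addRole() indicate that a string id is wrapped in a resource object
    // here; confirm against Acl.php. Without this line every string id
    // would fall through to the type check below and be rejected.
    if (is_string($resource)) {
        $resource = new Zend_Acl_Resource($resource);
    }

    if (!($resource instanceof Zend_Acl_Resource_Interface)) {
        throw new Zend_Acl_Exception('addResource() expects $resource to be of type Zend_Acl_Resource_Interface');
    }

    // Resource ids are unique per ACL; a duplicate is refused rather than
    // silently replacing the existing entry.
    $resourceId = $resource->getResourceId();
    if ($this->has($resourceId)) {
        throw new Zend_Acl_Exception("Resource id '$resourceId' already exists in the ACL");
    }

    $resourceParent = null;

    if (null !== $parent) {
        // The parent may be given as an object or as an id; either way it
        // must already be registered, otherwise get() throws and the error is
        // re-raised with the parent id in the message.
        $resourceParentId = ($parent instanceof Zend_Acl_Resource_Interface)
            ? $parent->getResourceId()
            : $parent;
        try {
            $resourceParent = $this->get($resourceParentId);
        } catch (Zend_Acl_Exception $e) {
            throw new Zend_Acl_Exception("Parent Resource id '$resourceParentId' does not exist", 0, $e);
        }

        // Register the new resource as a child of its parent so that
        // remove() on the parent can find it.
        $this->_resources[$resourceParentId]['children'][$resourceId] = $resource;
    }

    $this->_resources[$resourceId] = array(
        'instance' => $resource,
        'parent'   => $resourceParent,
        'children' => array(),
    );

    return $this;
}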
$resource
Definition: bulk.php:12
has($resource)
Definition: Acl.php:379

◆ addRole()

addRole (   $role,
  $parents = null 
)

Adds a Role having an identifier unique to the registry

The $parents parameter may be a reference to, or the string identifier for, a Role existing in the registry, or $parents may be passed as an array of these - mixing string identifiers and objects is ok - to indicate the Roles from which the newly added Role will directly inherit.

In order to resolve potential ambiguities with conflicting rules inherited from different parents, the most recently added parent takes precedence over parents that were previously added. In other words, the first parent added will have the least priority, and the last parent added will have the highest priority.

Parameters
Zend_Acl_Role_Interface | string$role
Zend_Acl_Role_Interface | string | array $parents
Uses Zend_Acl_Role_Registry::add()
Returns
Zend_Acl Provides a fluent interface

Definition at line 148 of file Acl.php.

{
    // A plain string is treated as a role id and wrapped in a role object.
    $roleObject = is_string($role) ? new Zend_Acl_Role($role) : $role;

    // Anything that is not a role object at this point is rejected before it
    // reaches the registry.
    if (!($roleObject instanceof Zend_Acl_Role_Interface)) {
        throw new Zend_Acl_Exception('addRole() expects $role to be of type Zend_Acl_Role_Interface');
    }

    // The registry stores the role and its parents; $parents is passed
    // through as given.
    $this->_getRoleRegistry()->add($roleObject, $parents);

    return $this;
}
_getRoleRegistry()
Definition: Acl.php:907

◆ allow()

allow (   $roles = null,
  $resources = null,
  $privileges = null,
Zend_Acl_Assert_Interface  $assert = null 
)

Adds an "allow" rule to the ACL

Parameters
Zend_Acl_Role_Interface | string | array$roles
Zend_Acl_Resource_Interface | string | array$resources
string | array$privileges
Zend_Acl_Assert_Interface $assert
Uses Zend_Acl::setRule()
Returns
Zend_Acl Provides a fluent interface

Definition at line 506 of file Acl.php.

{
    // Adds an allow rule through setRule(). All arguments default to null,
    // and a null role, resource or privilege means "all of them", so a bare
    // allow() call replaces the ACL's default rule with allow-everything.
    $operation = self::OP_ADD;
    $type      = self::TYPE_ALLOW;

    return $this->setRule($operation, $type, $roles, $resources, $privileges, $assert);
}
setRule($operation, $type, $roles=null, $resources=null, $privileges=null, Zend_Acl_Assert_Interface $assert=null)
Definition: Acl.php:606

◆ deny()

deny (   $roles = null,
  $resources = null,
  $privileges = null,
Zend_Acl_Assert_Interface  $assert = null 
)

Adds a "deny" rule to the ACL

Parameters
Zend_Acl_Role_Interface | string | array$roles
Zend_Acl_Resource_Interface | string | array$resources
string | array$privileges
Zend_Acl_Assert_Interface $assert
Uses Zend_Acl::setRule()
Returns
Zend_Acl Provides a fluent interface

Definition at line 521 of file Acl.php.

{
    // Adds a deny rule through setRule(); null arguments are passed on
    // unchanged and mean "all roles / resources / privileges".
    $operation = self::OP_ADD;
    $type      = self::TYPE_DENY;

    return $this->setRule($operation, $type, $roles, $resources, $privileges, $assert);
}
setRule($operation, $type, $roles=null, $resources=null, $privileges=null, Zend_Acl_Assert_Interface $assert=null)
Definition: Acl.php:606

◆ get()

get (   $resource)

Returns the identified Resource

The $resource parameter can either be a Resource or a Resource identifier.

Parameters
Zend_Acl_Resource_Interface | string$resource
Exceptions
Zend_Acl_Exception
Returns
Zend_Acl_Resource_Interface

Definition at line 355 of file Acl.php.

{
    // Accept either a resource object or anything that can be cast to a
    // string id.
    $resourceId = ($resource instanceof Zend_Acl_Resource_Interface)
        ? $resource->getResourceId()
        : (string) $resource;

    if ($this->has($resource)) {
        return $this->_resources[$resourceId]['instance'];
    }

    // The message contains the id supplied by the caller; code that shows
    // this exception to end users should escape it for the output context.
    throw new Zend_Acl_Exception("Resource '$resourceId' not found");
}
$resource
Definition: bulk.php:12
has($resource)
Definition: Acl.php:379

◆ getRegisteredRoles()

getRegisteredRoles ( )
Returns
array of registered roles (Deprecated)
Deprecated:
Deprecated since version 1.10 (December 2009)

Definition at line 1211 of file Acl.php.

{
    // trigger_error() is called without a level argument, so the notice is
    // raised at PHP's default level, E_USER_NOTICE.
    // NOTE(review): the message says "version 1.0" while the reference text
    // for this method says the deprecation dates from 1.10; confirm which is
    // intended before relying on either.
    $notice = 'The method getRegisteredRoles() was deprecated as of '
            . 'version 1.0, and may be removed. You\'re encouraged '
            . 'to use getRoles() instead.';
    trigger_error($notice);

    // Unlike getRoles(), this returns the registry's array as it is rather
    // than only its keys.
    return $this->_getRoleRegistry()->getRoles();
}
_getRoleRegistry()
Definition: Acl.php:907

◆ getResources()

getResources ( )
Returns
array of registered resources

Definition at line 1236 of file Acl.php.

{
    // Only the ids are returned: the keys of the internal resource map, not
    // the resource objects stored under them.
    $resourceIds = array_keys($this->_resources);

    return $resourceIds;
}

◆ getRole()

getRole (   $role)

Returns the identified Role

The $role parameter can either be a Role or Role identifier.

Parameters
Zend_Acl_Role_Interface | string $role
Uses Zend_Acl_Role_Registry::get()
Returns
Zend_Acl_Role_Interface

Definition at line 174 of file Acl.php.

{
    // Role lookup is delegated entirely to the role registry.
    $registry = $this->_getRoleRegistry();

    return $registry->get($role);
}
_getRoleRegistry()
Definition: Acl.php:907

◆ getRoles()

getRoles ( )

Returns an array of registered roles.

Note that this method does not return instances of registered roles, but only the role identifiers.

Returns
array of registered roles

Definition at line 1228 of file Acl.php.

{
    // The registry's getRoles() result is reduced to its keys, so callers
    // receive role identifiers rather than role objects.
    $registeredRoles = $this->_getRoleRegistry()->getRoles();

    return array_keys($registeredRoles);
}
_getRoleRegistry()
Definition: Acl.php:907
getRoles()
Definition: Acl.php:1228

◆ has()

has (   $resource)

Returns true if and only if the Resource exists in the ACL

The $resource parameter can either be a Resource or a Resource identifier.

Parameters
Zend_Acl_Resource_Interface | string$resource
Returns
boolean

Definition at line 379 of file Acl.php.

{
    // Normalise the argument to an id: ask a resource object for its id,
    // cast anything else to string.
    $resourceId = ($resource instanceof Zend_Acl_Resource_Interface)
        ? $resource->getResourceId()
        : (string) $resource;

    // Existence is decided by the id alone; the object passed in is not
    // compared with the stored instance.
    return isset($this->_resources[$resourceId]);
}
$resource
Definition: bulk.php:12

◆ hasRole()

hasRole (   $role)

Returns true if and only if the Role exists in the registry

The $role parameter can either be a Role or a Role identifier.

Parameters
Zend_Acl_Role_Interface | string $role
Uses Zend_Acl_Role_Registry::has()
Returns
boolean

Definition at line 188 of file Acl.php.

{
    // Role existence is answered by the role registry.
    $registry = $this->_getRoleRegistry();

    return $registry->has($role);
}
_getRoleRegistry()
Definition: Acl.php:907

◆ inherits()

inherits (   $resource,
  $inherit,
  $onlyParent = false 
)

Returns true if and only if $resource inherits from $inherit

Both parameters may be either a Resource or a Resource identifier. If $onlyParent is true, then $resource must inherit directly from $inherit in order to return true. By default, this method looks through the entire inheritance tree to determine whether $resource inherits from $inherit through its ancestor Resources.

Parameters
Zend_Acl_Resource_Interface | string$resource
Zend_Acl_Resource_Interface | string$inherit
boolean$onlyParent
Exceptions
Zend_Acl_Resource_Registry_Exception
Returns
boolean

Definition at line 405 of file Acl.php.

{
    // Resolve both arguments to ids. get() throws for an unknown resource;
    // the exception is re-raised as a new Zend_Acl_Exception that carries the
    // same message and code and chains the original.
    // NOTE(review): the reference text for this method lists
    // Zend_Acl_Resource_Registry_Exception, but this body only throws
    // Zend_Acl_Exception.
    try {
        $resourceId = $this->get($resource)->getResourceId();
        $inheritId  = $this->get($inherit)->getResourceId();
    } catch (Zend_Acl_Exception $e) {
        throw new Zend_Acl_Exception($e->getMessage(), $e->getCode(), $e);
    }

    // A resource without a parent inherits from nothing.
    $directParent = $this->_resources[$resourceId]['parent'];
    if (null === $directParent) {
        return false;
    }

    // Check the direct parent; with $onlyParent the check stops here.
    $currentId = $directParent->getResourceId();
    if ($inheritId === $currentId) {
        return true;
    }
    if ($onlyParent) {
        return false;
    }

    // Otherwise climb the parent chain until a match or the root is reached.
    while (null !== ($next = $this->_resources[$currentId]['parent'])) {
        $currentId = $next->getResourceId();
        if ($inheritId === $currentId) {
            return true;
        }
    }

    return false;
}
$resource
Definition: bulk.php:12

◆ inheritsRole()

inheritsRole (   $role,
  $inherit,
  $onlyParents = false 
)

Returns true if and only if $role inherits from $inherit

Both parameters may be either a Role or a Role identifier. If $onlyParents is true, then $role must inherit directly from $inherit in order to return true. By default, this method looks through the entire inheritance DAG to determine whether $role inherits from $inherit through its ancestor Roles.

Parameters
Zend_Acl_Role_Interface | string$role
Zend_Acl_Role_Interface | string$inherit
boolean $onlyParents
Uses Zend_Acl_Role_Registry::inherits()
Returns
boolean

Definition at line 208 of file Acl.php.

{
    // Role inheritance is tracked by the role registry; all three arguments
    // are passed through unchanged.
    $registry = $this->_getRoleRegistry();

    return $registry->inherits($role, $inherit, $onlyParents);
}
_getRoleRegistry()
Definition: Acl.php:907

◆ isAllowed()

isAllowed (   $role = null,
  $resource = null,
  $privilege = null 
)

Returns true if and only if the Role has access to the Resource

The $role and $resource parameters may be references to, or the string identifiers for, an existing Resource and Role combination.

If either $role or $resource is null, then the query applies to all Roles or all Resources, respectively. Both may be null to query whether the ACL has a "blacklist" rule (allow everything to all). By default, Zend_Acl creates a "whitelist" rule (deny everything to all), and this method would return false unless this default has been overridden (i.e., by executing $acl->allow()).

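If a $privilege is not provided, then this method returns false if and only if the Role is denied access to at least one privilege upon the Resource. In other words, this method returns true if and only if the Role is allowed all privileges on the Resource. Under the default deny rule, a Role with no applicable rule is also refused, so a call without $privilege is an "all privileges" check and does not tell whether the Role has some access to the Resource.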

This method checks Role inheritance using a depth-first traversal of the Role registry. The highest priority parent (i.e., the parent most recently added) is checked first, and its respective parents are checked similarly before the lower-priority parents of the Role are checked.

Parameters
Zend_Acl_Role_Interface | string$role
Zend_Acl_Resource_Interface | string$resource
string $privilege
Uses Zend_Acl::get() and Zend_Acl_Role_Registry::get()
Returns
boolean

Definition at line 827 of file Acl.php.

{
    // Clear the context left by a previous call. These three fields are read
    // by _getRuleType() when it invokes a rule's assertion.
    // NOTE(review): the context lives on the ACL object, so an assertion that
    // calls isAllowed() on the same ACL would overwrite it for the remainder
    // of the outer query; confirm whether any assertion in use does that.
    $this->_isAllowedRole      = null;
    $this->_isAllowedResource  = null;
    $this->_isAllowedPrivilege = null;

    if (null !== $role) {
        // Record the role exactly as the caller passed it, then resolve it
        // through the registry. If the caller passed an id rather than an
        // object, the resolved object is recorded instead.
        $this->_isAllowedRole = $role;
        $role = $this->_getRoleRegistry()->get($role);
        if (!($this->_isAllowedRole instanceof Zend_Acl_Role_Interface)) {
            $this->_isAllowedRole = $role;
        }
    }

    if (null !== $resource) {
        // Same treatment for the resource.
        $this->_isAllowedResource = $resource;
        $resource = $this->get($resource);
        if (!($this->_isAllowedResource instanceof Zend_Acl_Resource_Interface)) {
            $this->_isAllowedResource = $resource;
        }
    }

    if (null !== $privilege) {
        // Query on one privilege.
        $this->_isAllowedPrivilege = $privilege;

        // Each pass looks at one resource and then moves to its parent. The
        // loop has no exit condition of its own and ends only through a
        // return, which the original comment expects to happen at the
        // 'allResources' pseudo-parent.
        for (;;) {
            // Role-specific rules first, including inherited ones, unless the
            // query is for the 'allRoles' pseudo-parent.
            if (null !== $role) {
                $result = $this->_roleDFSOnePrivilege($role, $resource, $privilege);
                if (null !== $result) {
                    return $result;
                }
            }

            // Then the rules that apply to all roles: the specific privilege
            // first, the all-privileges rule second.
            $ruleType = $this->_getRuleType($resource, null, $privilege);
            if (null !== $ruleType) {
                return self::TYPE_ALLOW === $ruleType;
            }
            $ruleTypeAllPrivileges = $this->_getRuleType($resource, null, null);
            if (null !== $ruleTypeAllPrivileges) {
                return self::TYPE_ALLOW === $ruleTypeAllPrivileges;
            }

            // Nothing decided at this level: continue with the parent resource.
            $resource = $this->_resources[$resource->getResourceId()]['parent'];
        }
    }

    // Query on all privileges. Same walk up the resource chain as above.
    for (;;) {
        // _roleDFSAllPrivileges() is declared with two parameters; the third
        // argument is passed as in the original call.
        if (null !== $role) {
            $result = $this->_roleDFSAllPrivileges($role, $resource, $privilege);
            if (null !== $result) {
                return $result;
            }
        }

        // Rules that apply to all roles: a deny on any single privilege
        // refuses the whole query before the all-privileges rule is consulted.
        $rules = $this->_getRules($resource, null);
        if (null !== $rules) {
            foreach ($rules['byPrivilegeId'] as $privilege => $rule) {
                if (self::TYPE_DENY === $this->_getRuleType($resource, null, $privilege)) {
                    return false;
                }
            }
            $ruleTypeAllPrivileges = $this->_getRuleType($resource, null, null);
            if (null !== $ruleTypeAllPrivileges) {
                return self::TYPE_ALLOW === $ruleTypeAllPrivileges;
            }
        }

        // Nothing decided at this level: continue with the parent resource.
        $resource = $this->_resources[$resource->getResourceId()]['parent'];
    }
}
_getRoleRegistry()
Definition: Acl.php:907
& _getRules(Zend_Acl_Resource_Interface $resource=null, Zend_Acl_Role_Interface $role=null, $create=false)
Definition: Acl.php:1161
_roleDFSAllPrivileges(Zend_Acl_Role_Interface $role, Zend_Acl_Resource_Interface $resource=null)
Definition: Acl.php:926
$resource
Definition: bulk.php:12
_getRuleType(Zend_Acl_Resource_Interface $resource=null, Zend_Acl_Role_Interface $role=null, $privilege=null)
Definition: Acl.php:1105
_roleDFSOnePrivilege(Zend_Acl_Role_Interface $role, Zend_Acl_Resource_Interface $resource=null, $privilege=null)
Definition: Acl.php:1005

◆ remove()

remove (   $resource)

Removes a Resource and all of its children

The $resource parameter can either be a Resource or a Resource identifier.

Parameters
Zend_Acl_Resource_Interface | string$resource
Exceptions
Zend_Acl_Exception
Returns
Zend_Acl Provides a fluent interface

Definition at line 445 of file Acl.php.

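{
    // Resolve the argument to an id. get() throws for an unknown resource;
    // the exception is re-raised with the same message and code.
    try {
        $resourceId = $this->get($resource)->getResourceId();
    } catch (Zend_Acl_Exception $e) {
        throw new Zend_Acl_Exception($e->getMessage(), $e->getCode(), $e);
    }

    // Detach the resource from its parent's list of children.
    $resourceParent = $this->_resources[$resourceId]['parent'];
    if (null !== $resourceParent) {
        unset($this->_resources[$resourceParent->getResourceId()]['children'][$resourceId]);
    }

    // Remove the children recursively. Each recursive call deletes the
    // child's own rules and its entry in the resource map. The ids are
    // copied with array_keys() first because those calls modify the maps.
    foreach (array_keys($this->_resources[$resourceId]['children']) as $childId) {
        $this->remove($childId);
    }

    // Delete the rules by key instead of scanning for an identical key.
    // PHP stores a numeric-string key such as '42' as the integer 42, so the
    // earlier strict comparison ($resourceIdRemoved === $resourceIdCurrent)
    // did not match when getResourceId() returned such a string, and the
    // rules of the removed resource stayed in $this->_rules. A resource
    // registered later under the same id would then have picked them up.
    unset($this->_rules['byResourceId'][$resourceId]);

    unset($this->_resources[$resourceId]);

    return $this;
}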
$resource
Definition: bulk.php:12

◆ removeAll()

removeAll ( )

Removes all Resources

Returns
Zend_Acl Provides a fluent interface

Definition at line 481 of file Acl.php.

{
    // Drop the per-resource rules of every registered resource. Both maps are
    // keyed by resource id, so each rule set is addressed directly by the key
    // taken from the resource map.
    foreach (array_keys($this->_resources) as $resourceId) {
        unset($this->_rules['byResourceId'][$resourceId]);
    }

    // Then forget the resources themselves. Rules stored under
    // 'allResources' are not touched by this method.
    $this->_resources = array();

    return $this;
}
$resource
Definition: bulk.php:12

◆ removeAllow()

removeAllow (   $roles = null,
  $resources = null,
  $privileges = null 
)

Removes "allow" permissions from the ACL

Parameters
Zend_Acl_Role_Interface | string | array$roles
Zend_Acl_Resource_Interface | string | array$resources
string | array $privileges
Uses Zend_Acl::setRule()
Returns
Zend_Acl Provides a fluent interface

Definition at line 535 of file Acl.php.

{
    // Removes allow rules through setRule() with OP_REMOVE / TYPE_ALLOW.
    // No assertion is passed for a removal.
    $operation = self::OP_REMOVE;
    $type      = self::TYPE_ALLOW;

    return $this->setRule($operation, $type, $roles, $resources, $privileges);
}
setRule($operation, $type, $roles=null, $resources=null, $privileges=null, Zend_Acl_Assert_Interface $assert=null)
Definition: Acl.php:606

◆ removeDeny()

removeDeny (   $roles = null,
  $resources = null,
  $privileges = null 
)

Removes "deny" restrictions from the ACL

Parameters
Zend_Acl_Role_Interface | string | array$roles
Zend_Acl_Resource_Interface | string | array$resources
string | array $privileges
Uses Zend_Acl::setRule()
Returns
Zend_Acl Provides a fluent interface

Definition at line 549 of file Acl.php.

{
    // Removes deny rules through setRule() with OP_REMOVE / TYPE_DENY.
    // No assertion is passed for a removal.
    $operation = self::OP_REMOVE;
    $type      = self::TYPE_DENY;

    return $this->setRule($operation, $type, $roles, $resources, $privileges);
}
setRule($operation, $type, $roles=null, $resources=null, $privileges=null, Zend_Acl_Assert_Interface $assert=null)
Definition: Acl.php:606

◆ removeRole()

removeRole (   $role)

Removes the Role from the registry

The $role parameter can either be a Role or a Role identifier.

Parameters
Zend_Acl_Role_Interface | string $role
Uses Zend_Acl_Role_Registry::remove()
Returns
Zend_Acl Provides a fluent interface

Definition at line 222 of file Acl.php.

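{
    // Remove the role from the registry first; the rules are cleaned up only
    // after that call has returned.
    $this->_getRoleRegistry()->remove($role);

    // Normalise to the id used as the array key in the rule maps. The string
    // cast keeps the value usable as a key whatever form the caller passed.
    $roleId = ($role instanceof Zend_Acl_Role_Interface) ? $role->getRoleId() : $role;
    $roleKey = (string) $roleId;

    // Delete the role's rules by key instead of scanning for an identical
    // key. PHP stores a numeric-string key such as '7' as the integer 7, so
    // the earlier strict comparison ($roleId === $roleIdCurrent) did not
    // match for roles with numeric ids and their rules stayed in the ACL.
    // A role added later under the same id would then have inherited those
    // leftover allow or deny rules.
    unset($this->_rules['allResources']['byRoleId'][$roleKey]);

    // unset() is a no-op for resources that have no 'byRoleId' entry, which
    // is the case for resources that only carry all-roles rules.
    foreach (array_keys($this->_rules['byResourceId']) as $resourceIdCurrent) {
        unset($this->_rules['byResourceId'][$resourceIdCurrent]['byRoleId'][$roleKey]);
    }

    return $this;
}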
_getRoleRegistry()
Definition: Acl.php:907
$roleId
Definition: webapi_user.php:22

◆ removeRoleAll()

removeRoleAll ( )

Removes all Roles from the registry

@uses Zend_Acl_Role_Registry::removeAll()

Returns
Zend_Acl Provides a fluent interface

Definition at line 256 of file Acl.php.

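{
    // Empty the role registry, then discard every rule that was keyed by a Role.
    $this->_getRoleRegistry()->removeAll();

    // Global (all-resources) per-role rules: leave an empty container behind.
    $this->_rules['allResources']['byRoleId'] = array();

    foreach ($this->_rules['byResourceId'] as $resourceIdCurrent => $visitor) {
        // A resource entry is not guaranteed to carry a 'byRoleId' key (removeRole()
        // checks for it as well); iterating it unguarded raised an undefined-index
        // notice and a foreach warning on such entries.
        if (isset($visitor['byRoleId'])) {
            $this->_rules['byResourceId'][$resourceIdCurrent]['byRoleId'] = array();
        }
    }

    // Rules that are not keyed by a Role are left untouched by this method.
    return $this;
}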
_getRoleRegistry()
Definition: Acl.php:907

◆ setRule()

setRule (   $operation,
  $type,
  $roles = null,
  $resources = null,
  $privileges = null,
Zend_Acl_Assert_Interface  $assert = null 
)

Performs operations on ACL rules

The $operation parameter may be either OP_ADD or OP_REMOVE, depending on whether the user wants to add or remove a rule, respectively:

OP_ADD specifics:

 A rule is added that would allow one or more Roles access to [certain $privileges
 upon] the specified Resource(s).

OP_REMOVE specifics:

 The rule is removed only in the context of the given Roles, Resources, and privileges.
 Existing rules to which the remove operation does not apply would remain in the
 ACL.

The $type parameter may be either TYPE_ALLOW or TYPE_DENY, depending on whether the rule is intended to allow or deny permission, respectively.

The $roles and $resources parameters may be references to, or the string identifiers for, existing Resources/Roles, or they may be passed as arrays of these - mixing string identifiers and objects is ok - to indicate the Resources and Roles to which the rule applies. If either $roles or $resources is null, then the rule applies to all Roles or all Resources, respectively. Both may be null in order to work with the default rule of the ACL.

The $privileges parameter may be used to further specify that the rule applies only to certain privileges upon the Resource(s) in question. This may be specified to be a single privilege with a string, and multiple privileges may be specified as an array of strings.

If $assert is provided, then its assert() method must return true in order for the rule to apply. If $assert is provided with $roles, $resources, and $privileges all equal to null, then a rule having a type of:

 TYPE_ALLOW will imply a type of TYPE_DENY, and

 TYPE_DENY will imply a type of TYPE_ALLOW

when the rule's assertion fails. This is because the ACL needs to provide expected behavior when an assertion upon the default ACL rule fails.

Parameters
string $operation
string $type
Zend_Acl_Role_Interface | string | array $roles
Zend_Acl_Resource_Interface | string | array $resources
string | array $privileges
Zend_Acl_Assert_Interface $assert
Exceptions
Zend_Acl_Exception
@uses Zend_Acl_Role_Registry::get()
@uses Zend_Acl::get()
Returns
Zend_Acl Provides a fluent interface

In the OP_REMOVE branch with $resources = null: since null (all resources) was passed to this setRule() call, we need to clean up all the rules for the global allResources, as well as the individually set resources (per privilege as well).

Definition at line 606 of file Acl.php.

608  {
     // Body of setRule(): checks $type, normalizes $roles, $resources and $privileges
     // to arrays, then adds or removes the matching rule entries according to
     // $operation and returns $this.
609  // ensure that the rule type is valid; normalize input to uppercase
610  $type = strtoupper($type);
611  if (self::TYPE_ALLOW !== $type && self::TYPE_DENY !== $type) {
612  #require_once 'Zend/Acl/Exception.php';
613  throw new Zend_Acl_Exception("Unsupported rule type; must be either '" . self::TYPE_ALLOW . "' or '"
614  . self::TYPE_DENY . "'");
615  }
616 
617  // ensure that all specified Roles exist; normalize input to array of Role objects or null
     // a scalar/object/null becomes a one-element array; an empty array is treated like null (all Roles)
618  if (!is_array($roles)) {
619  $roles = array($roles);
620  } else if (0 === count($roles)) {
621  $roles = array(null);
622  }
623  $rolesTemp = $roles;
624  $roles = array();
625  foreach ($rolesTemp as $role) {
626  if (null !== $role) {
     // NOTE(review): presumably get() throws for an unregistered Role, which is what
     // turns this lookup into the existence check - confirm in Zend_Acl_Role_Registry
627  $roles[] = $this->_getRoleRegistry()->get($role);
628  } else {
629  $roles[] = null;
630  }
631  }
632  unset($rolesTemp);
633 
634  // ensure that all specified Resources exist; normalize input to array of Resource objects or null
     // unlike $roles, a null $resources stays null; the switch below tests it to pick the global branch
635  if ($resources !== null) {
636  if (!is_array($resources)) {
637  $resources = array($resources);
638  } else if (0 === count($resources)) {
639  $resources = array(null);
640  }
641  $resourcesTemp = $resources;
642  $resources = array();
643  foreach ($resourcesTemp as $resource) {
644  if (null !== $resource) {
645  $resources[] = $this->get($resource);
646  } else {
647  $resources[] = null;
648  }
649  }
650  unset($resourcesTemp, $resource);
651  } else {
     // $allResources is defined only on this path; the OP_REMOVE global branch reads it
652  $allResources = array(); // this might be used later if resource iteration is required
653  foreach ($this->_resources as $rTarget) {
654  $allResources[] = $rTarget['instance'];
655  }
656  unset($rTarget);
657  }
658 
659  // normalize privileges to array
     // an empty array means "all privileges" in the branches below
660  if (null === $privileges) {
661  $privileges = array();
662  } else if (!is_array($privileges)) {
663  $privileges = array($privileges);
664  }
665 
666  switch ($operation) {
667 
668  // add to the rules
669  case self::OP_ADD:
670  if ($resources !== null) {
671  // this block will iterate the provided resources
672  foreach ($resources as $resource) {
673  foreach ($roles as $role) {
     // bound by reference with $create = true, so the writes below land in the stored rule data
674  $rules =& $this->_getRules($resource, $role, true);
675  if (0 === count($privileges)) {
     // no privileges given: set the all-privileges rule for this role/resource pair,
     // overwriting any type and assertion stored there before
676  $rules['allPrivileges']['type'] = $type;
677  $rules['allPrivileges']['assert'] = $assert;
678  if (!isset($rules['byPrivilegeId'])) {
679  $rules['byPrivilegeId'] = array();
680  }
681  } else {
682  foreach ($privileges as $privilege) {
683  $rules['byPrivilegeId'][$privilege]['type'] = $type;
684  $rules['byPrivilegeId'][$privilege]['assert'] = $assert;
685  }
686  }
687  }
688  }
689  } else {
690  // this block will apply to all resources in a global rule
691  foreach ($roles as $role) {
692  $rules =& $this->_getRules(null, $role, true);
693  if (0 === count($privileges)) {
694  $rules['allPrivileges']['type'] = $type;
695  $rules['allPrivileges']['assert'] = $assert;
696  } else {
697  foreach ($privileges as $privilege) {
698  $rules['byPrivilegeId'][$privilege]['type'] = $type;
699  $rules['byPrivilegeId'][$privilege]['assert'] = $assert;
700  }
701  }
702  }
703  }
704  break;
705 
706  // remove from the rules
707  case self::OP_REMOVE:
708  if ($resources !== null) {
709  // this block will iterate the provided resources
710  foreach ($resources as $resource) {
711  foreach ($roles as $role) {
     // no $create flag here: a null result means there is nothing to remove for this pair
712  $rules =& $this->_getRules($resource, $role);
713  if (null === $rules) {
714  continue;
715  }
716  if (0 === count($privileges)) {
717  if (null === $resource && null === $role) {
     // default rule (all Resources, all Roles): it is not deleted but reset to
     // TYPE_DENY without assertion, and only when its current type equals $type
718  if ($type === $rules['allPrivileges']['type']) {
719  $rules = array(
720  'allPrivileges' => array(
721  'type' => self::TYPE_DENY,
722  'assert' => null
723  ),
724  'byPrivilegeId' => array()
725  );
726  }
727  continue;
728  }
729 
     // the all-privileges rule is dropped only when its stored type equals $type
     // NOTE(review): after a TYPE_DENY rule is removed, access is presumably decided by
     // whatever less specific rules remain - verify the outcome with isAllowed()
730  if (isset($rules['allPrivileges']['type']) &&
731  $type === $rules['allPrivileges']['type'])
732  {
733  unset($rules['allPrivileges']);
734  }
735  } else {
736  foreach ($privileges as $privilege) {
737  if (isset($rules['byPrivilegeId'][$privilege]) &&
738  $type === $rules['byPrivilegeId'][$privilege]['type'])
739  {
740  unset($rules['byPrivilegeId'][$privilege]);
741  }
742  }
743  }
744  }
745  }
746  } else {
747  // this block will apply to all resources in a global rule
748  foreach ($roles as $role) {
     // the listing skips source lines 749-753 (gutter gap); the loop below visits the
     // global entry (null) first and then every registered Resource from $allResources
754  foreach (array_merge(array(null), $allResources) as $resource) {
     // NOTE(review): $create = true on a removal path, unlike line 712; presumably this can
     // create empty rule entries and makes the null check below unreachable - confirm
755  $rules =& $this->_getRules($resource, $role, true);
756  if (null === $rules) {
757  continue;
758  }
759  if (0 === count($privileges)) {
760  if (null === $role) {
     // all-Roles rule of each visited Resource: reset to TYPE_DENY instead of deleting it
     // NOTE(review): 'allPrivileges' is read without isset() here, unlike line 773; a
     // freshly created entry may lack the key - confirm against _getRules()
761  if ($type === $rules['allPrivileges']['type']) {
762  $rules = array(
763  'allPrivileges' => array(
764  'type' => self::TYPE_DENY,
765  'assert' => null
766  ),
767  'byPrivilegeId' => array()
768  );
769  }
770  continue;
771  }
772 
773  if (isset($rules['allPrivileges']['type']) && $type === $rules['allPrivileges']['type']) {
774  unset($rules['allPrivileges']);
775  }
776  } else {
777  foreach ($privileges as $privilege) {
778  if (isset($rules['byPrivilegeId'][$privilege]) &&
779  $type === $rules['byPrivilegeId'][$privilege]['type'])
780  {
781  unset($rules['byPrivilegeId'][$privilege]);
782  }
783  }
784  }
785  }
786  }
787  }
788  break;
789 
     // any other $operation value is rejected; $type and the role/resource lookups were
     // already processed above, so their failures surface before this one
790  default:
791  #require_once 'Zend/Acl/Exception.php';
792  throw new Zend_Acl_Exception("Unsupported operation; must be either '" . self::OP_ADD . "' or '"
793  . self::OP_REMOVE . "'");
794  }
795 
796  return $this;
797  }
_getRoleRegistry()
Definition: Acl.php:907
& _getRules(Zend_Acl_Resource_Interface $resource=null, Zend_Acl_Role_Interface $role=null, $create=false)
Definition: Acl.php:1161
const OP_ADD
Definition: Acl.php:74
$resource
Definition: bulk.php:12
const OP_REMOVE
Definition: Acl.php:79
$type
Definition: item.phtml:13

Field Documentation

◆ $_isAllowedPrivilege

$_isAllowedPrivilege = null
protected

Definition at line 108 of file Acl.php.

◆ $_isAllowedResource

$_isAllowedResource = null
protected

Definition at line 103 of file Acl.php.

◆ $_isAllowedRole

$_isAllowedRole = null
protected

Definition at line 98 of file Acl.php.

◆ $_resources

$_resources = array()
protected

Definition at line 93 of file Acl.php.

◆ $_roleRegistry

$_roleRegistry = null
protected

Definition at line 86 of file Acl.php.

◆ $_rules

$_rules
protected
Initial value:
= array(
'allResources' => array( // rules that are not tied to one Resource
'allRoles' => array( // ... and not tied to one Role: the default rule of the ACL
'allPrivileges' => array(
'type' => self::TYPE_DENY, // initial default is deny, so access needs an explicit allow rule
'assert' => null // no assertion attached to the default rule
),
'byPrivilegeId' => array() // per-privilege entries, keyed by privilege
),
'byRoleId' => array() // all-resources rules per Role, keyed by Role identifier
),
'byResourceId' => array() // rules per Resource, keyed by Resource identifier
)

Definition at line 115 of file Acl.php.

◆ OP_ADD

const OP_ADD = 'OP_ADD'

Rule operation: add

Definition at line 74 of file Acl.php.

◆ OP_REMOVE

const OP_REMOVE = 'OP_REMOVE'

Rule operation: remove

Definition at line 79 of file Acl.php.

◆ TYPE_ALLOW

const TYPE_ALLOW = 'TYPE_ALLOW'

Rule type: allow

Definition at line 64 of file Acl.php.

◆ TYPE_DENY

const TYPE_DENY = 'TYPE_DENY'

Rule type: deny

Definition at line 69 of file Acl.php.


The documentation for this class was generated from the following file: