PHP Acl::allow方法代码示例

 /**
  * @return Acl
  */
 protected function roleAcl()
 {
     if (!$this->roleAcl) {
         $id = $this->objId();
         $this->roleAcl = new Acl();
         $this->roleAcl->addRole(new Role($id));
         $this->roleAcl->addResource(new Resource('admin'));
         $q = '
         select
             `denied`,
             `allowed`,
             `superuser`
         from
             `charcoal_admin_acl_roles`
         where
             ident = :id';
         $db = \Charcoal\App\App::instance()->getContainer()->get('database');
         $sth = $db->prepare($q);
         $sth->bindParam(':id', $id);
         $sth->execute();
         $permissions = $sth->fetch(\PDO::FETCH_ASSOC);
         $this->roleAllowed = explode(',', trim($permissions['allowed']));
         $this->roleDenied = explode(',', trim($permissions['denied']));
         foreach ($this->roleAllowed as $allowed) {
             $this->roleAcl->allow($id, 'admin', $allowed);
         }
         foreach ($this->roleDenied as $denied) {
             $this->roleAcl->deny($id, 'admin', $denied);
         }
     }
     return $this->roleAcl;
 }

 /**
  * AccessControl constructor.
  * @param $config
  * @param $entityManager
  * @param $userMapper
  * @param $roleMapper
  * @param $resourceMapper
  */
 public function __construct($config, $entityManager, $userMapper, $roleMapper, $resourceMapper)
 {
     $this->setConfig($config);
     $this->setEntityManager($entityManager);
     $this->setUserMapper($userMapper);
     $this->setRoleMapper($roleMapper);
     $this->setResourceMapper($resourceMapper);
     $this->modules = $this->getConfig()['mfcc_admin']['modules'];
     $this->acl = new Acl();
     foreach ($this->getRoleMapper()->getAll() as $index => $role) {
         /* @var $role RoleEntity */
         $this->acl->addRole(new Role($role->getName()));
     }
     foreach ($this->modules as $index => $module) {
         $this->acl->addResource(new GenericResource($module['module_name']));
     }
     $this->acl->addResource(new GenericResource('Users'));
     $this->acl->addResource(new GenericResource('Roles'));
     foreach ($this->getResourceMapper()->getAll() as $index => $resource) {
         /* @var $resource ResourceEntity */
         $this->acl->allow($resource->getRole()->getName(), $resource->getResource(), $resource->getPermission());
         if ($resource->getPermission() == self::WRITE) {
             $this->acl->allow($resource->getRole()->getName(), $resource->getResource(), self::READ);
         }
     }
 }

 private function addAllowAndDeny(Acl $acl)
 {
     foreach ($this->config as $roleName => $roleConfig) {
         $allowList = isset($roleConfig['allow']) ? $roleConfig['allow'] : [];
         foreach ($allowList as $resource => $privilegeList) {
             if (empty($privilegeList)) {
                 $acl->allow($roleName, strtolower($resource));
             } else {
                 foreach ((array) $privilegeList as $privilege) {
                     $acl->allow($roleName, strtolower($resource), strtolower($privilege));
                 }
             }
         }
         $denyList = isset($roleConfig['deny']) ? $roleConfig['deny'] : [];
         foreach ($denyList as $resource => $privilegeList) {
             if (empty($privilegeList)) {
                 $acl->deny($roleName, strtolower($resource));
             } else {
                 foreach ((array) $privilegeList as $privilege) {
                     $acl->deny($roleName, strtolower($resource), strtolower($privilege));
                 }
             }
         }
     }
 }

 /**
  * Constructor
  * 
  * @param array $roles
  * @param array $resources
  */
 public function __construct($roles, $resources)
 {
     //Create brand new Acl object
     $this->acl = new Acl();
     //Add each resources
     foreach ($resources as $resource) {
         //Add the resource
         $this->acl->addResource(new Resource($resource));
     }
     //Add each roles
     foreach ($roles as $role => $resources) {
         //Add the role
         $this->acl->addRole(new Role($role));
         //If we want to grant all privileges on all resources
         if ($resources === true) {
             //Allow all privileges
             $this->acl->allow($role);
             //Else if we have specific privileges for the role
         } elseif (is_array($resources)) {
             //Create each resource permissions
             foreach ($resources as $resource => $permissions) {
                 //Add resource permissions of the role
                 $this->acl->allow($role, $resource, $permissions);
             }
         }
     }
 }

 public function initialAclRole($e, $serviceAdministratorConfigManager, $authenticationServiceStorage)
 {
     $oAcl = new Acl();
     $oAcl->deny();
     $oAcl->addRole(new Role('staff_1'));
     $oAcl->addRole(new Role('staff_2'));
     $oAcl->addRole(new Role('administrator'));
     $oAcl->addResource('administrator');
     $oAcl->addResource('api');
     $oAcl->allow('staff_1', 'administrator', 'index:index');
     $oAcl->allow('staff_1', 'administrator', 'user:profile');
     $oAcl->allow('staff_1', 'administrator', 'user:list');
     $oAcl->allow('staff_1', 'administrator', 'menu:list');
     $controllerClass = get_class($e->getTarget());
     $moduleName = strtolower(substr($controllerClass, 0, strpos($controllerClass, '\\')));
     $routeMatch = $e->getRouteMatch();
     $aName = strtolower($routeMatch->getParam('action', 'not-found'));
     $cName = strtolower($routeMatch->getParam('__CONTROLLER__', 'not-found'));
     /*
     if (!$oAcl->isAllowed("staff_1",$moduleName, "{$cName}:{$aName}"))
     {
     	$response = $e->getResponse();
     	$response->setStatusCode(302);
     	$response->getHeaders()->addHeaderLine('Location', $e->getRouter()->assemble($serviceAdministratorConfigManager['options']['constraints'], 
     			array('name' => $_SERVER['HTTP_HOST']. '/'. 'default')));
     	$e->stopPropagation();
     }
     */
 }

 public function doAuthorization($e)
 {
     //setting ACL...
     $acl = new Acl();
     //add role ..
     $acl->addRole(new Role('anonymous'));
     $acl->addRole(new Role('user'), 'anonymous');
     $acl->addRole(new Role('admin'), 'user');
     $acl->addResource(new Resource('Application'));
     $acl->addResource(new Resource('Login'));
     $acl->addResource(new Resource('ZfcAdmin'));
     $acl->deny('anonymous', 'Application', 'view');
     $acl->allow('anonymous', 'Login', 'view');
     $acl->allow('user', array('Application'), array('view'));
     //admin is child of user, can publish, edit, and view too !
     $acl->allow('admin', array('Application'), array('publish', 'edit'));
     $controller = $e->getTarget();
     $controllerClass = get_class($controller);
     //echo "<pre>";print_r($controllerClass);exit;
     $namespace = substr($controllerClass, 0, strpos($controllerClass, '\\'));
     // echo "<pre>";print_r($namespace);exit;
     $role = !$this->getSessContainer()->role ? 'anonymous' : $this->getSessContainer()->role;
     if (!isset($_SESSION['admin']['user_id']) && $namespace == 'ZfcAdmin') {
         $router = $e->getRouter();
         $url = $router->assemble(array(), array('name' => 'zfcadmin'));
         $response = $e->getResponse();
         $response->setStatusCode(302);
         //redirect to login route...
         /* change with header('location: '.$url); if code below not working */
         $response->getHeaders()->addHeaderLine('Location', $url);
         $e->stopPropagation();
     }
 }

 public function doAuthorization($e)
 {
     return;
     //setting ACL...
     $acl = new Acl();
     //add role ..
     $acl->addRole(new Role('anonymous'));
     $acl->addRole(new Role('user'), 'anonymous');
     $acl->addRole(new Role('admin'), 'user');
     $acl->addResource(new Resource('Stick'));
     $acl->addResource(new Resource('Auth'));
     $acl->deny('anonymous', 'Stick', 'list');
     $acl->allow('anonymous', 'Auth', 'login');
     $acl->allow('anonymous', 'Auth', 'signup');
     $acl->allow('user', 'Stick', 'add');
     $acl->allow('user', 'Auth', 'logout');
     //admin is child of user, can publish, edit, and view too !
     $acl->allow('admin', 'Stick');
     $controller = $e->getTarget();
     $controllerClass = get_class($controller);
     $namespace = substr($controllerClass, strrpos($controllerClass, '\\') + 1);
     $role = !$this->getSessContainer()->role ? 'anonymous' : $this->getSessContainer()->role;
     echo $role;
     exit;
     if (!$acl->isAllowed($role, $namespace, 'view')) {
         $router = $e->getRouter();
         $url = $router->assemble(array(), array('name' => 'Login/auth'));
         $response = $e->getResponse();
         $response->setStatusCode(302);
         //redirect to login route...
         $response->getHeaders()->addHeaderLine('Location', $url);
     }
 }

 public function getAcl()
 {
     if (!$this->acl) {
         $acl = new Acl();
         $roleGuest = new Role('guest');
         $acl->addRole($roleGuest);
         $acl->addRole(new Role('admin'), $roleGuest);
         $acl->allow($roleGuest, null, 'view');
         $acl->allow('admin', null, array('add', 'edit', 'delete'));
         $this->acl = $acl;
     }
     return $this->acl;
 }

 public function fillResources(array $resourcesConfig)
 {
     foreach ($resourcesConfig as $resource => $options) {
         $inherit = $this->getOption($options, self::INHERIT);
         if (null !== $inherit && !is_string($inherit) && !$inherit instanceof ResourceInterface) {
             throw new Exceptions\RuntimeException('Inherit option must be a string or implement ResourceInterface for resources');
         }
         $this->acl->addResource($resource, $inherit);
         $privileges = $this->getOption($options, self::PRIVILEGES, []);
         foreach ($privileges as $role => $actions) {
             $this->acl->allow([$role], [$resource], $actions);
         }
     }
 }

 public function build()
 {
     $authService = $this->getServiceLocator()->get('user-service-auth');
     $role = $authService->getRole();
     $repositoryPerfil = $this->getEm('Admin\\Entity\\Perfil');
     $repositoryResource = $this->getEm('Admin\\Entity\\Resource');
     $repositoryAcl = $this->getEm('Admin\\Entity\\Acl');
     $config = $repositoryAcl->listaAcl();
     $config['acl']['roles'] = $repositoryPerfil->getRoles();
     $config['acl']['roles']['visitante'] = null;
     $config['acl']['resources'] = $repositoryResource->getResources();
     $acl = new ZendAcl();
     foreach ($config['acl']['roles'] as $role => $parent) {
         $acl->addRole(new GenericRole($role), $parent);
     }
     foreach ($config['acl']['resources'] as $resouce) {
         $acl->addResource(new GenericResource($resouce));
     }
     if (isset($config['acl']['previlege'])) {
         foreach ($config['acl']['previlege'] as $role => $privilege) {
             if (isset($privilege['allow'])) {
                 foreach ($privilege['allow'] as $permissao) {
                     $acl->allow($role, $permissao);
                 }
             }
             if (isset($privilege['deny'])) {
                 foreach ($privilege['deny'] as $permissao) {
                     $acl->deny($role, $permissao);
                 }
             }
         }
     }
     return $acl;
 }

 public function initAcl(MvcEvent $e)
 {
     //Creamos el objeto ACL
     $acl = new Acl();
     //Incluimos la lista de roles y permisos, nos devuelve un array
     $roles = (require 'config/autoload/acl.roles.php');
     foreach ($roles as $role => $resources) {
         //Indicamos que el rol será genérico
         $role = new \Zend\Permissions\Acl\Role\GenericRole($role);
         //Añadimos el rol al ACL
         $acl->addRole($role);
         //Recorremos los recursos o rutas permitidas
         foreach ($resources["allow"] as $resource) {
             //Si el recurso no existe lo añadimos
             if (!$acl->hasResource($resource)) {
                 $acl->addResource(new \Zend\Permissions\Acl\Resource\GenericResource($resource));
             }
             //Permitimos a ese rol ese recurso
             $acl->allow($role, $resource);
         }
         foreach ($resources["deny"] as $resource) {
             //Si el recurso no existe lo añadimos
             if (!$acl->hasResource($resource)) {
                 $acl->addResource(new \Zend\Permissions\Acl\Resource\GenericResource($resource));
             }
             //Denegamos a ese rol ese recurso
             $acl->deny($role, $resource);
         }
     }
     //Establecemos la lista de control de acceso
     $e->getViewModel()->acl = $acl;
 }

 /**
  * Constroi a ACL de acordo com as entities
  * @see Core\Entity\System\Roles
  * @todo Inclusao das ACLS no Cache
  * @return Acl
  */
 public function build()
 {
     $em = $this->getServiceManager()->get('Doctrine\\ORM\\EntityManager');
     $roles = $em->getRepository('Core\\Entity\\System\\Roles')->findAll();
     $resources = $em->getRepository('Core\\Entity\\System\\Resources')->findAll();
     $acl = new Acl();
     foreach ($roles as $role) {
         $acl->addRole(new Role($role->getRoleName()), $role->getRoleParent());
     }
     foreach ($resources as $r) {
         $acl->addResource(new Resource($r->getResourceName()));
     }
     foreach ($roles as $role) {
         $rolename = $role->getRoleName();
         $allowed = $em->getRepository('Core\\Entity\\System\\Permissions')->findBy(array('idRole' => $role->getId(), 'permission' => 'allow'));
         foreach ($allowed as $allow) {
             $resources = $em->getRepository('Core\\Entity\\System\\Resources')->find($allow->getIdResource());
             $acl->allow($rolename, $resources->getResourceName());
         }
         $denyed = $em->getRepository('Core\\Entity\\System\\Permissions')->findBy(array('idRole' => $role->getId(), 'permission' => 'deny'));
         foreach ($denyed as $deny) {
             $resources = $em->getRepository('Core\\Entity\\System\\Resources')->find($deny->getIdResource());
             $acl->deny($rolename, $resources->getResourceName());
         }
     }
     return $acl;
 }

 /**
  * @group 4226
  */
 public function testAllowNullPermissionAfterResourcesExistShouldAllowAllPermissionsForRole()
 {
     $this->_acl->addRole('admin');
     $this->_acl->addResource('newsletter');
     $this->_acl->allow('admin');
     $this->assertTrue($this->_acl->isAllowed('admin'));
 }

 /**
  * getAcl - This cannot be called before resources are parsed
  *
  * @param string $resourceId resourceId
  * @param string $providerId  @deprecated No Longer Required - providerId
  *
  * @return Acl
  */
 public function getAcl($resourceId, $providerId)
 {
     if (!isset($this->acl)) {
         $this->buildAcl();
     }
     /* resources privileges
            we load the every time so they maybe updated dynamically
        */
     $resources = $this->getResources($resourceId, $providerId);
     foreach ($resources as $resource) {
         if (!$this->acl->hasResource($resource)) {
             $this->acl->addResource($resource, $resource->getParentResource());
         }
         $privileges = $resource->getPrivileges();
         if (!empty($privileges)) {
             foreach ($privileges as $privilege) {
                 if (!$this->acl->hasResource($privilege)) {
                     $this->acl->addResource($privilege, $resource);
                 }
             }
         }
     }
     // get only for resources
     $rules = $this->getRules($resources);
     /** @var AclRule $aclRule */
     foreach ($rules as $aclRule) {
         if ($aclRule->getRule() == AclRule::RULE_ALLOW) {
             $this->acl->allow($aclRule->getRoleId(), $aclRule->getResourceId(), $aclRule->getPrivileges(), $aclRule->getAssertion());
         } elseif ($aclRule->getRule() == AclRule::RULE_DENY) {
             $this->acl->deny($aclRule->getRoleId(), $aclRule->getResourceId(), $aclRule->getPrivileges(), $aclRule->getAssertion());
         }
     }
     return $this->acl;
 }

 /**
  * autentica o usuário
  */
 public function autenticaAction()
 {
     if ($this->getRequest()->isPost()) {
         $this->adapter->setOptions(array('object_manager' => Conn::getConn(), 'identity_class' => 'MyClasses\\Entities\\AclUsuario', 'identity_property' => 'login', 'credential_property' => 'senha'));
         $this->adapter->setIdentityValue($this->getRequest()->getPost('login'));
         $this->adapter->setCredentialValue(sha1($this->getRequest()->getPost('senha')));
         $result = $this->auth->authenticate($this->adapter);
         if ($result->isValid()) {
             $equipes = $result->getIdentity()->getEquipes();
             $acl = new Acl();
             $acl->addRole(new Role($equipes[0]->getPerfil()));
             $recursos = $equipes[0]->getRecursos();
             foreach ($recursos as $recurso) {
                 if (!$acl->hasResource($recurso->getRecurso())) {
                     /* echo "add recurso: ".
                        $perfil->getPerfil().", ".
                        $recurso->getRecurso()->getRecurso().", ".
                        $recurso->getPermissao(); */
                     $acl->addResource(new Resource($recurso->getRecurso()));
                     $acl->allow($equipes[0]->getPerfil(), $recurso->getRecurso());
                 }
             }
             $this->auth->getStorage()->write(array($result->getIdentity(), $equipes[0]->getPerfil(), $acl));
             $this->layout()->id = $result->getIdentity()->getId();
             $this->layout()->nome = $result->getIdentity()->getNome();
             return new ViewModel(array('nome' => $result->getIdentity()->getNome()));
         } else {
             return new ViewModel(array('erro' => array_pop($result->getMessages())));
         }
     }
 }