[evolvis-commits] r15099: More implementation of the PFO RBAC spec
mirabilos at evolvis.org
Mon Feb 28 23:40:08 CET 2011
Author: mirabilos
Date: 2011-02-28 23:40:08 +0100 (Mon, 28 Feb 2011)
New Revision: 15099
Modified:
trunk/gforge_base/evolvisforge-5.1/gforge/common/include/PFO-RBAC.interface.php
trunk/gforge_base/evolvisforge-5.1/gforge/common/include/RBAC.php
trunk/gforge_base/evolvisforge-5.1/gforge/common/include/Role.class.php
Log:
More implementation of the PFO RBAC spec
Modified: trunk/gforge_base/evolvisforge-5.1/gforge/common/include/PFO-RBAC.interface.php
===================================================================
--- trunk/gforge_base/evolvisforge-5.1/gforge/common/include/PFO-RBAC.interface.php 2011-02-28 22:39:58 UTC (rev 15098)
+++ trunk/gforge_base/evolvisforge-5.1/gforge/common/include/PFO-RBAC.interface.php 2011-02-28 22:40:08 UTC (rev 15099)
@@ -52,8 +52,8 @@
public function getUsers() ;
public function hasUser($user) ;
- public function hasPermission($section, $reference, $permission) ;
- public function hasGlobalPermission($section, $permission) ;
+ public function hasPermission($section, $reference, $action) ;
+ public function hasGlobalPermission($section, $action) ;
public function normalizeData() ;
public function getSettings() ;
public function setSettings($data) ;
Modified: trunk/gforge_base/evolvisforge-5.1/gforge/common/include/RBAC.php
===================================================================
--- trunk/gforge_base/evolvisforge-5.1/gforge/common/include/RBAC.php 2011-02-28 22:39:58 UTC (rev 15098)
+++ trunk/gforge_base/evolvisforge-5.1/gforge/common/include/RBAC.php 2011-02-28 22:40:08 UTC (rev 15099)
@@ -34,11 +34,11 @@
public function hasUser($user) {
throw new Exception ("Not implemented") ;
}
- public function hasPermission($section, $reference, $permission) {
+ public function hasPermission($section, $reference, $action) {
throw new Exception ("Not implemented") ;
}
- public function hasGlobalPermission($section, $permission) {
- throw new Exception ("Not implemented") ;
+ function hasGlobalPermission($section, $action = NULL) {
+ return $this->hasPermission ($section, -1, $action) ;
}
public function getSettings() {
throw new Exception ("Not implemented") ;
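Review bot: The new `hasGlobalPermission` drops the `public` modifier that the interface declaration (the `+` line in the PFO-RBAC.interface.php hunk) and the sibling `hasPermission` directly above it keep; PHP treats an unqualified method as public, so this is a consistency point rather than a behaviour change, but it should read `public function hasGlobalPermission($section, $action = NULL) {`. The `-1` passed as the reference is the only place the "global scope" sentinel is spelled out; a named constant, or at least a comment such as `// -1 = no specific reference: ask for the section-wide (global) permission`, would make the contract clear to every implementer of `hasPermission`. Note also that the `$action = NULL` default does not appear in the interface signature, which PHP allows, but it means every `hasPermission` implementation has to cope with a null action.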
@@ -75,6 +75,17 @@
}
class RoleAnonymous extends BaseRole implements PFO_RoleAnonymous {
+ // This role is implemented as a singleton
+ private static $_instance ;
+ public static function getInstance() {
+ if (!isset(self::$_instance)) {
+ $c = __CLASS__;
+ self::$_instance = new $c;
+ }
+
+ return self::$_instance;
+ }
+
public function getID () {
return -PFO_ROLE_ANONYMOUS ;
}
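Review bot: The singleton boilerplate added to `RoleAnonymous` is repeated verbatim in `RoleLoggedIn` (the next hunk of this file); both could share one implementation in `BaseRole` using late static binding (`new static`), leaving only `getID` to differ in the subclasses. Within this hunk, `$c = __CLASS__; self::$_instance = new $c;` can simply be `self::$_instance = new self;`. Nothing in the hunk makes the constructor private, so unless `BaseRole` (outside this view) does, `new RoleAnonymous` still creates further instances and the `// This role is implemented as a singleton` comment overstates the guarantee; either add `private function __construct() {}` alongside `getInstance()` or soften the comment to say that `getInstance()` merely caches a shared instance.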
@@ -96,6 +107,17 @@
}
class RoleLoggedIn extends BaseRole implements PFO_RoleLoggedIn {
+ // This role is implemented as a singleton
+ private static $_instance ;
+ public static function getInstance() {
+ if (!isset(self::$_instance)) {
+ $c = __CLASS__;
+ self::$_instance = new $c;
+ }
+
+ return self::$_instance;
+ }
+
public function getID () {
return -PFO_ROLE_LOGGEDIN ;
}
Modified: trunk/gforge_base/evolvisforge-5.1/gforge/common/include/Role.class.php
===================================================================
--- trunk/gforge_base/evolvisforge-5.1/gforge/common/include/Role.class.php 2011-02-28 22:39:58 UTC (rev 15098)
+++ trunk/gforge_base/evolvisforge-5.1/gforge/common/include/Role.class.php 2011-02-28 22:40:08 UTC (rev 15099)
@@ -26,10 +26,13 @@
require_once $gfcommon.'include/rbac_texts.php' ;
require_once $gfcommon.'include/RBAC.php' ;
+define ('USE_PFO_RBAC', false) ;
+
class Role extends RoleExplicit implements PFO_RoleExplicit {
var $data_array;
var $setting_array;
+ var $perms_array ;
var $role_vals;
var $Group;
var $role_values = array(
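Review bot: `define ('USE_PFO_RBAC', false) ;` introduces a feature flag with no explanation of what it gates; the reader has to find the `if (USE_PFO_RBAC)` branch in `fetchData()` later in this commit to learn that while it is false `perms_array` is never populated and the new `hasPermission()` consequently denies every query. A comment above the define such as `// Feature flag for the role_perms-based PFO RBAC checks; while false, Role::fetchData() leaves perms_array unset and Role::hasPermission() denies everything` would make that fail-closed behaviour explicit. Because this is a class include, the bare `define` with no `defined()` guard will also raise a notice if the file is ever loaded a second time, so `if (!defined('USE_PFO_RBAC'))` is worth considering if the flag is meant to be overridable from configuration.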
@@ -425,6 +428,8 @@
function fetchData($role_id) {
unset($this->data_array);
unset($this->setting_array);
+ unset($this->perms_array);
+
$res = db_query_params ('SELECT * FROM role WHERE role_id=$1',
array ($role_id)) ;
if (!$res || db_numrows($res) < 1) {
@@ -432,6 +437,7 @@
return false;
}
$this->data_array =& db_fetch_array($res);
+
$res = db_query_params ('SELECT * FROM role_setting WHERE role_id=$1',
array ($role_id)) ;
if (!$res) {
@@ -442,9 +448,157 @@
while ($arr =& db_fetch_array($res)) {
$this->setting_array[$arr['section_name']][$arr['ref_id']] = $arr['value'];
}
+
+ if (USE_PFO_RBAC) {
+ $res = db_query_params ('SELECT section, reference, value FROM role_perms WHERE role_id=$1',
+ array ($role_id)) ;
+ if (!$res) {
+ $this->setError('Role::fetchData()::'.db_error());
+ return false;
+ }
+ $this->perms_array=array();
+ while ($arr =& db_fetch_array($res)) {
+ $this->perms_array[$arr['section']][$arr['reference']] = $arr['value'];
+ }
+ }
+
return true;
}
+ function hasPermission($section, $reference, $action = NULL) {
+ $result = false ;
+ if (isset ($this->perms_array[$section][$reference])) {
+ $value = $this->perms_array[$section][$reference] ;
+ } else {
+ $value = 0 ;
+ }
+ $min = PHP_INT_MAX ;
+ $mask = 0 ;
+
+ switch ($section) {
+ case 'forge_admin':
+ if ($value == 1) {
+ return true ;
+ }
+ break ;
+
+ case 'approve_projects':
+ case 'approve_news':
+ if (($value == 1)
+ || $this->hasGlobalPermission('forge_admin')) {
+ return true ;
+ }
+ break ;
+
+ case 'project_admin':
+ if (($value == 1)
+ || $this->hasGlobalPermission('forge_admin')) {
+ return true ;
+ }
+ break ;
+
+ case 'project_read':
+ case 'tracker_admin':
+ case 'pm_admin':
+ case 'forum_admin':
+ if (($value == 1)
+ || $this->hasPermission ('project_admin', $reference)) {
+ return true ;
+ }
+ break ;
+
+ case 'scm':
+ switch ($action) {
+ case 'read':
+ $min = 1 ;
+ break ;
+ case 'write':
+ $min = 2 ;
+ break ;
+ }
+ if (($value >= $min)
+ || $this->hasPermission ('project_admin', $reference)) {
+ return true ;
+ }
+ break ;
+
+ case 'docman':
+ switch ($action) {
+ case 'read':
+ $min = 1 ;
+ break ;
+ case 'submit':
+ $min = 2 ;
+ break ;
+ case 'approve':
+ $min = 3 ;
+ break ;
+ case 'admin':
+ $min = 4 ;
+ break ;
+ }
+ if (($value >= $min)
+ || $this->hasPermission ('project_admin', $reference)) {
+ return true ;
+ }
+ break ;
+
+ case 'frs':
+ switch ($action) {
+ case 'read':
+ $min = 1 ;
+ break ;
+ case 'write':
+ $min = 2 ;
+ break ;
+ }
+ if (($value >= $min)
+ || $this->hasPermission ('project_admin', $reference)) {
+ return true ;
+ }
+ break ;
+
+ case 'forum':
+ switch ($action) {
+ case 'read':
+ $min = 1 ;
+ break ;
+ case 'post':
+ $min = 2 ;
+ break ;
+ case 'moderate':
+ $min = 3 ;
+ break ;
+ }
+ if (($value >= $min)
+ || $this->hasPermission ('project_admin', $reference)) {
+ return true ;
+ }
+ break ;
+
+ case 'tracker':
+ switch ($action) {
+ case 'read':
+ $mask = 1 ;
+ break ;
+ case 'tech':
+ $mask = 2 ;
+ break ;
+ case 'manager':
+ $mask = 4 ;
+ break ;
+ }
+ $o = artifactType_get_object ($reference) ;
+
+ if (($value & $mask == true)
+ || $this->hasPermission ('project_admin', $reference)
+ || $this->hasPermission ('project_admin', $reference)) {
+ return true ;
+ }
+ break ;
+ }
+ }
+
function normalizeDataForSection (&$new_sa, $section) {
if (array_key_exists ($section, $this->setting_array)) {
$new_sa[$section][0] = $this->setting_array[$section][0] ;
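Review bot: The tracker branch's test `($value & $mask == true)` is mis-parenthesised: in PHP `==` binds tighter than `&`, so it is evaluated as `$value & ($mask == true)`, i.e. `$value & 1` for any recognised action, which means the `read` bit satisfies a `tech` or `manager` check while a role holding only the `manager` bit (4) is refused, an authorisation result that is wrong in both directions; it should read `if ((($value & $mask) != 0)`. In the same condition the `hasPermission ('project_admin', $reference)` line is duplicated, and the `$o = artifactType_get_object ($reference)` fetched just before it is never used; presumably one of the duplicates was meant to consult the tracker's project (something like `$o->getGroup()->getID()`), since `$reference` here is an artifact type id rather than a project id, and the same reference-space mismatch seems to apply to the `forum`/`tracker_admin`-style branches that pass their own reference straight to the `project_admin` check, so this is worth confirming against the spec. The function also has no `return` after the switch (and the `$result = false` local is never used), so every denied query yields `null` rather than `false`; add `return false ;` before the closing brace so callers comparing with `=== false` behave. `normalizeDataForSection` at the end of the hunk continues outside it.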