/**
* Allow access by users with roles
*/
Const HAS_ROLE = 2;
/**
* Allow access by a user without a role
*/
Const NO_ROLE = 3;
/**
* A resource-role associated with a defined role can be accessed.
*/
Const ALLOCATE_ROLES = 4;
// Define the relevant table name
Public $ tbResources = 'aclresources ';
Public $ tbRoles = 'aclroles ';
Public $ tbRefResourcesRoles = 'ref _ aclresources_aclroles ';
Public $ tbRefUsersRoles = 'ref _ users_aclroles ';
/**
* Format the resource access permission and return
*
* @ Return int
*/
Static function formatAccessValue ($ access ){
Static $ arr = array (self: NOBODY, self: EVERYONE, self: HAS_ROLE, self: NO_ROLE, self: ALLOCATE_ROLES );
Return in_array ($ access, $ arr )? $ Access: self: NOBODY;
}
/**
* Create a resource and return the primary key of the resource record.
*
* @ Param string $ rsid
* @ Param int $ access
* @ Param string $ desc
*
* @ Return int
*/
Function createResource ($ rsid, $ access, $ desc ){
If (empty ($ rsid) return false;
/**
* Create a role and return the primary key of the role record.
*
* @ Param string $ rolename
* @ Param string $ desc
*
* @ Return int
*/
Function createRole ($ rolename, $ desc ){
If (empty ($ rolename) return false;
Return SingleTableCRUD: insert ($ this-> tbRoles, $ role );
}
/**
* Modify the role and return the successful status.
*
* @ Param array $ role
* @ Return int
*/
Function updateRole (array $ role ){
If (! Isset ($ role ['id']) return false;
If (isset ($ role ['rolename']) unset ($ role ['rolename']);
$ Role ['updated _ at'] = CURRENT_TIMESTAMP;
/**
* Delete a role
*
* @ Param int $ role_id
* @ Return int
*/
Function deleteRole ($ role_id ){
If (empty ($ role_id) return false;
Return SingleTableCRUD: delete ($ this-> tbRoles, array ('role _ id' => (int) $ role_id ));
}
/**
* Specify a role for the resource. each time, all relevant records in the table are removed before being inserted.
*
* @ Param int $ rsid
* @ Param mixed $ roleIds
* @ Param boolean $ setNull whether to clear resources from the associated table if the role id does not exist
*/
Function allocateRolesForResource ($ rsid, $ roleIds, $ setNull = false, $ defaultAccess =-1 ){
If (empty ($ rsid) return false;
/**
* Allocate resources to the role. each time, all relevant records in the table are removed before being inserted.
*
* @ Param int $ role_id
* @ Param mixed $ rsids
*
* @ Return boolean
*/
Function allocateResourcesForRole ($ role_id, $ rsids ){
If (empty ($ role_id) return false;
/**
* Assign a role to the user. each time, all relevant records in the table are removed before being inserted.
*
* In this case, many users may have performance problems... how to optimize it later?
*
* @ Param int $ user_id
* @ Param mixed $ roleIds
*
* @ Return boolean
*/
Function allocateRolesForUser ($ user_id, $ roleIds ){
If (empty ($ user_id) return false;
/**
* Clear user role information
*
* @ Param int $ user_id
*
* @ Return boolean
*/
Function cleanRolesForUser ($ user_id ){
If (empty ($ user_id) return false;
Return SingleTableCRUD: delete ($ this-> tbRefUsersRoles, array ('User _ id' => (int) $ user_id ));
}
/**
* Clear the user association of a role.
*
* @ Param int $ role_id
*
* @ Return boolean
*/
Function cleanUsersForRole ($ role_id ){
If (empty ($ role_id) return false;
Return SingleTableCRUD: delete ($ this-> tbRefUsersRoles, array ('role _ id' => (int) $ role_id ));
}
}
The specific detection code is as follows:
The code is as follows:
/**
* Perform acl verification on resources
*
* @ Param string $ rsid resource ID
* @ Param array $ user specific user. If this parameter is not specified, the current user is verified.
*
* @ Return boolean
*/
Function aclVerity ($ rsid, array $ user = null ){
If (empty ($ rsid) return false;
If (! CoreApp: $ defaacl ACL ){
CoreApp: $ defaacl ACL = new AclFlat ();
}
$ RsRow = aclGetResource ($ rsid );
// No default resource access policy defined
If (! $ RsRow) return false;
// Allow anyone to access
If (AclBase: EVERYONE ==$ rsRow ['access']) return true;
// No one is allowed to access
If (AclBase: NOBODY = $ rsRow ['access']) return false;
// Obtain user information
If (empty ($ user) $ user = isset ($ _ SESSION ['si-sysuser'])? $ _ SESSION ['si-sysuser']: null;
// If the user is not logged on, the user is deemed to have no access permission.
If (empty ($ user) return false;
$ User ['roles '] = empty ($ user ['roles'])? Null: normalize ($ user ['roles '],'; ');
$ UserHasRoles =! Empty ($ user ['roles ']);
/**
* Allow access by a user without a role
*/
If (AclBase: NO_ROLE = $ rsRow ['access']) return $ userHasRoles? False: true;
/**
* Allow access by users with roles
*/
If (AclBase: HAS_ROLE = $ rsRow ['access']) return $ userHasRoles? True: false;
// --- Perform resource verification for the user <-> role
If ($ userHasRoles ){
Foreach ($ user ['roles '] as $ role_id ){
If (aclGetRefResourcesRoles ($ rsid, $ role_id ))
Return true;
}
Dump ($ user );
}
Return false;
}
The code is as follows:
/**
* Perform acl verification on resources
*
* @ Param string $ rsid resource ID
* @ Param array $ user specific user. If this parameter is not specified, the current user is verified.
*
* @ Return boolean
*/
Function aclVerity ($ rsid, array $ user = null ){
If (empty ($ rsid) return false;
If (! CoreApp: $ defaacl ACL ){
CoreApp: $ defaacl ACL = new AclFlat ();
}
$ RsRow = aclGetResource ($ rsid );
// No default resource access policy defined
If (! $ RsRow) return false;
CoreApp: writeLog ($ rsRow, 'test ');
/*
* The verification procedure is as follows:
*
* 1. verify the access attribute of the resource.
* EVERYONE => true, NOBODY => false * verify other attributes below
* 2. obtain the role id set from the session (or user session table ).
* 3. if a user has a role, HAS_ROLE => true, NO_ROLE => false; and vice versa.
* 4. if resource access = ALLOCATE_ROLES
* 1. obtain the role id set corresponding to the resource from the cache (or $ tbRefResourcesRoles)
* 2. intersection the user's role id set with the role id set corresponding to the resource
* 3. intersection exists => true; otherwise => false
*/
The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion;
products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the
content of the page makes you feel confusing, please write us an email, we will handle the problem
within 5 days after receiving your email.
If you find any instances of plagiarism from the community, please send an email to:
info-contact@alibabacloud.com
and provide relevant evidence. A staff member will contact you within 5 working days.