Новый модуль Rbac для продвинутого управления правами на основе ролей и разрешений. Модуль заменит собой старый модуль ACL.

2024-06-16 23:00:51 +03:00 · 2014-01-27 19:10:36 +07:00 · 2014-01-27 19:10:36 +07:00 · 6185d99c9b
parent 3203910ec8
commit 6185d99c9b
8 changed files with 428 additions and 2 deletions
--- a/application/classes/modules/rbac/Rbac.class.php
+++ b/application/classes/modules/rbac/Rbac.class.php
@ -0,0 +1,172 @@
+<?php
+/**
+ * LiveStreet CMS
+ * Copyright © 2013 OOO "ЛС-СОФТ"
+ *
+ * ------------------------------------------------------
+ *
+ * Official site: www.livestreetcms.com
+ * Contact e-mail: office@livestreetcms.com
+ *
+ * GNU General Public License, version 2:
+ * http://www.gnu.org/licenses/old-licenses/gpl-2.0.html
+ *
+ * ------------------------------------------------------
+ *
+ * @link http://www.livestreetcms.com
+ * @copyright 2013 OOO "ЛС-СОФТ"
+ * @author Maxim Mzhelskiy <rus.engine@gmail.com>
+ *
+ */
+
+/**
+ * Модуль управления правами на основе ролей и разрешений
+ */
+class ModuleRbac extends ModuleORM {
+
+	const ROLE_CODE_GUEST='guest';
+
+	const PERMISSION_STATE_ACTIVE=1;
+	const PERMISSION_STATE_INACTIVE=0;
+
+	const ROLE_STATE_ACTIVE=1;
+	const ROLE_STATE_INACTIVE=0;
+
+	protected $aUserRoleCache=array();
+	protected $aRoleCache=array();
+	protected $aRulePermissionCache=array();
+	protected $aPermissionCache=array();
+
+	protected $sMessageLast=null;
+
+	protected $oMapper=null;
+
+	public function Init() {
+		parent::Init();
+		$this->oMapper=Engine::GetMapper(__CLASS__);
+	}
+	/**
+	 * Проверяет разрешение для текущего авторизованного пользователя
+	 *
+	 * @param string $sPermissionCode
+	 * @param array $aParams
+	 *
+	 * @return bool
+	 */
+	public function IsAllow($sPermissionCode,$aParams=array()) {
+		return $this->IsAllowUser($this->User_GetUserCurrent(),$sPermissionCode,$aParams);
+	}
+
+	public function IsAllowUser($oUser,$sPermissionCode,$aParams=array()) {
+		if (!$sPermissionCode) {
+			return false;
+		}
+		/**
+		 * Загружаем все роли и пермишены
+		 */
+		$this->LoadRoleAndPermissions();
+		$sUserId=self::ROLE_CODE_GUEST;
+		if ($oUser) {
+			$sUserId=$oUser->getId();
+		}
+		/**
+		 * Смотрим роли в кеше
+		 */
+		if (!isset($this->aUserRoleCache[$sUserId])) {
+			if ($sUserId==self::ROLE_CODE_GUEST) {
+				$aRoles=$this->GetRoleByCodeAndState(self::ROLE_CODE_GUEST,self::ROLE_STATE_ACTIVE);
+				$aRoles=$aRoles ? array($aRoles) : array();
+			} else {
+				$aRoles=$oUser->getRolesActive();
+			}
+			$this->aUserRoleCache[$sUserId]=$aRoles;
+		} else {
+			$aRoles=$this->aUserRoleCache[$sUserId];
+		}
+		/**
+		 * Получаем пермишены для ролей
+		 */
+		$sPermissionCode=func_underscore($sPermissionCode);
+		foreach($aRoles as $oRole) {
+			if ($this->CheckPermissionByRole($oRole,$sPermissionCode)) {
+				/**
+				 * У роли есть необходимый пермишен, теперь проверим на возможную кастомную обработку с параметрами
+				 */
+				$sMethod='CheckCustom'.func_camelize($sPermissionCode);
+				if (method_exists($this,$sMethod)) {
+					if (call_user_func(array($this,$sMethod),$oUser,$aParams)) {
+						return true;
+					}
+				} else {
+					return true;
+				}
+			}
+		}
+		if (isset($this->aPermissionCache[$sPermissionCode])) {
+			$aPerm=$this->aPermissionCache[$sPermissionCode];
+			if ($aPerm['msg_error']) {
+				$sMsg=$aPerm['msg_error'];
+			} else {
+				$sMsg='У вас нет прав на "'.($aPerm['title'] ? $aPerm['title'] : $aPerm['code']).'"';
+			}
+		} else {
+			$sMsg='У вас нет прав на "'.$sPermissionCode.'"';
+		}
+		$this->sMessageLast=$sMsg;
+		return false;
+	}
+
+	protected function LoadRoleAndPermissions() {
+		/**
+		 * Роли
+		 */
+		$this->LoadRoles();
+		/**
+		 * Пермишены
+		 */
+		$this->LoadPermissions();
+	}
+
+	protected function LoadPermissions() {
+		if ($this->aRulePermissionCache) {
+			return;
+		}
+		$aResult=$this->oMapper->GetRoleWithPermissions();
+		foreach($aResult as $aRow) {
+			$this->aRulePermissionCache[$aRow['role_id']][]=$aRow['code'];
+			$this->aPermissionCache[$aRow['code']]=$aRow;
+		}
+	}
+
+	protected function LoadRoles() {
+		if ($this->aRoleCache) {
+			return;
+		}
+		$aRoles=$this->GetRoleItemsByState(self::ROLE_STATE_ACTIVE);
+		foreach($aRoles as $oRole) {
+			$this->aRoleCache[$oRole->getId()]=$oRole;
+		}
+	}
+
+	protected function CheckPermissionByRole($oRole,$sPermissionCode) {
+		/**
+		 * Проверяем наличие пермишена в текущей роли
+		 */
+		if (isset($this->aRulePermissionCache[$oRole->getId()])) {
+			if (in_array($sPermissionCode,$this->aRulePermissionCache[$oRole->getId()])) {
+				return true;
+			}
+		}
+		/**
+		 * Смотрим родительскую роль
+		 */
+		if ($oRole->getPid() and isset($this->aRoleCache[$oRole->getPid()])) {
+			return $this->CheckPermissionByRole($this->aRoleCache[$oRole->getPid()],$sPermissionCode);
+		}
+		return false;
+	}
+
+	public function GetMsgLast() {
+		return $this->sMessageLast;
+	}
+}
--- a/application/classes/modules/rbac/entity/Permission.entity.class.php
+++ b/application/classes/modules/rbac/entity/Permission.entity.class.php
@ -0,0 +1,26 @@
+<?php
+/**
+ * LiveStreet CMS
+ * Copyright © 2013 OOO "ЛС-СОФТ"
+ *
+ * ------------------------------------------------------
+ *
+ * Official site: www.livestreetcms.com
+ * Contact e-mail: office@livestreetcms.com
+ *
+ * GNU General Public License, version 2:
+ * http://www.gnu.org/licenses/old-licenses/gpl-2.0.html
+ *
+ * ------------------------------------------------------
+ *
+ * @link http://www.livestreetcms.com
+ * @copyright 2013 OOO "ЛС-СОФТ"
+ * @author Maxim Mzhelskiy <rus.engine@gmail.com>
+ *
+ */
+
+class ModuleRbac_EntityPermission extends EntityORM {
+
+
+
+}
--- a/application/classes/modules/rbac/entity/Role.entity.class.php
+++ b/application/classes/modules/rbac/entity/Role.entity.class.php
@ -0,0 +1,28 @@
+<?php
+/**
+ * LiveStreet CMS
+ * Copyright © 2013 OOO "ЛС-СОФТ"
+ *
+ * ------------------------------------------------------
+ *
+ * Official site: www.livestreetcms.com
+ * Contact e-mail: office@livestreetcms.com
+ *
+ * GNU General Public License, version 2:
+ * http://www.gnu.org/licenses/old-licenses/gpl-2.0.html
+ *
+ * ------------------------------------------------------
+ *
+ * @link http://www.livestreetcms.com
+ * @copyright 2013 OOO "ЛС-СОФТ"
+ * @author Maxim Mzhelskiy <rus.engine@gmail.com>
+ *
+ */
+
+class ModuleRbac_EntityRole extends EntityORM {
+
+	protected $aRelations=array(
+		'permissions' => array(self::RELATION_TYPE_MANY_TO_MANY,'ModuleRbac_EntityPermission', 'permission_id', 'db.table.rbac_role_permission', 'role_id'),
+	);
+
+}
--- a/application/classes/modules/rbac/entity/RolePermission.entity.class.php
+++ b/application/classes/modules/rbac/entity/RolePermission.entity.class.php
@ -0,0 +1,26 @@
+<?php
+/**
+ * LiveStreet CMS
+ * Copyright © 2013 OOO "ЛС-СОФТ"
+ *
+ * ------------------------------------------------------
+ *
+ * Official site: www.livestreetcms.com
+ * Contact e-mail: office@livestreetcms.com
+ *
+ * GNU General Public License, version 2:
+ * http://www.gnu.org/licenses/old-licenses/gpl-2.0.html
+ *
+ * ------------------------------------------------------
+ *
+ * @link http://www.livestreetcms.com
+ * @copyright 2013 OOO "ЛС-СОФТ"
+ * @author Maxim Mzhelskiy <rus.engine@gmail.com>
+ *
+ */
+
+class ModuleRbac_EntityRolePermission extends EntityORM {
+
+
+
+}
--- a/application/classes/modules/rbac/entity/UserRole.entity.class.php
+++ b/application/classes/modules/rbac/entity/UserRole.entity.class.php
@ -0,0 +1,26 @@
+<?php
+/**
+ * LiveStreet CMS
+ * Copyright © 2013 OOO "ЛС-СОФТ"
+ *
+ * ------------------------------------------------------
+ *
+ * Official site: www.livestreetcms.com
+ * Contact e-mail: office@livestreetcms.com
+ *
+ * GNU General Public License, version 2:
+ * http://www.gnu.org/licenses/old-licenses/gpl-2.0.html
+ *
+ * ------------------------------------------------------
+ *
+ * @link http://www.livestreetcms.com
+ * @copyright 2013 OOO "ЛС-СОФТ"
+ * @author Maxim Mzhelskiy <rus.engine@gmail.com>
+ *
+ */
+
+class ModuleRbac_EntityUserRole extends EntityORM {
+
+
+
+}
--- a/application/classes/modules/rbac/mapper/Rbac.mapper.class.php
+++ b/application/classes/modules/rbac/mapper/Rbac.mapper.class.php
@ -0,0 +1,47 @@
+<?php
+/**
+ * LiveStreet CMS
+ * Copyright © 2013 OOO "ЛС-СОФТ"
+ *
+ * ------------------------------------------------------
+ *
+ * Official site: www.livestreetcms.com
+ * Contact e-mail: office@livestreetcms.com
+ *
+ * GNU General Public License, version 2:
+ * http://www.gnu.org/licenses/old-licenses/gpl-2.0.html
+ *
+ * ------------------------------------------------------
+ *
+ * @link http://www.livestreetcms.com
+ * @copyright 2013 OOO "ЛС-СОФТ"
+ * @author Maxim Mzhelskiy <rus.engine@gmail.com>
+ *
+ */
+
+/**
+ * Маппер для работы с БД
+ *
+ * @package modules.rbac
+ * @since 1.0
+ */
+class ModuleRbac_MapperRbac extends Mapper {
+
+
+	public function GetRoleWithPermissions() {
+		$sql = "SELECT
+					r.role_id,
+					p.code,
+					p.title,
+					p.msg_error
+				FROM
+					".Config::Get('db.table.rbac_role_permission')." as r
+					LEFT JOIN ".Config::Get('db.table.rbac_permission')." as p ON r.permission_id=p.id
+				WHERE
+					p.state = ?d ; ";
+		if ($aRows=$this->oDb->select($sql,ModuleRbac::PERMISSION_STATE_ACTIVE)) {
+			return $aRows;
+		}
+		return null;
+	}
+}
--- a/application/config/config.php
+++ b/application/config/config.php
@ -295,8 +295,12 @@ $config['db']['table']['property_select'] 	  = '___db.table.prefix___property_se
 $config['db']['table']['property_value'] 	  = '___db.table.prefix___property_value';
 $config['db']['table']['property_value_tag']  = '___db.table.prefix___property_value_tag';
 $config['db']['table']['property_value_select']  = '___db.table.prefix___property_value_select';
-$config['db']['table']['media']  = '___db.table.prefix___media';
-$config['db']['table']['media_target']  = '___db.table.prefix___media_target';
+$config['db']['table']['media']  			  = '___db.table.prefix___media';
+$config['db']['table']['media_target']  	  = '___db.table.prefix___media_target';
+$config['db']['table']['rbac_role'] 		  = '___db.table.prefix___rbac_role';
+$config['db']['table']['rbac_permission'] 	  = '___db.table.prefix___rbac_permission';
+$config['db']['table']['rbac_role_permission']= '___db.table.prefix___rbac_role_permission';
+$config['db']['table']['rbac_user_role'] 	  = '___db.table.prefix___rbac_user_role';

 $config['db']['tables']['engine'] = 'InnoDB';  // InnoDB или MyISAM

--- a/install/patch.sql
+++ b/install/patch.sql
@ -274,3 +274,100 @@ CREATE TABLE IF NOT EXISTS `prefix_user_complaint` (
 ALTER TABLE `prefix_user_complaint`
 ADD CONSTRAINT `prefix_user_complaint_ibfk_2` FOREIGN KEY (`user_id`) REFERENCES `prefix_user` (`user_id`) ON DELETE CASCADE ON UPDATE CASCADE,
 ADD CONSTRAINT `prefix_user_complaint_ibfk_1` FOREIGN KEY (`target_user_id`) REFERENCES `prefix_user` (`user_id`) ON DELETE CASCADE ON UPDATE CASCADE;
+
+
+-- 27.01.2014
+--
+-- Структура таблицы `prefix_rbac_permission`
+--
+
+CREATE TABLE IF NOT EXISTS `prefix_rbac_permission` (
+  `id` int(11) NOT NULL AUTO_INCREMENT,
+  `code` varchar(50) NOT NULL,
+  `title` varchar(250) NOT NULL,
+  `msg_error` varchar(250) NOT NULL,
+  `date_create` datetime NOT NULL,
+  `state` tinyint(1) NOT NULL DEFAULT '1',
+  PRIMARY KEY (`id`),
+  KEY `code` (`code`),
+  KEY `date_create` (`date_create`),
+  KEY `state` (`state`)
+) ENGINE=InnoDB DEFAULT CHARSET=utf8;
+
+-- --------------------------------------------------------
+
+--
+-- Структура таблицы `prefix_rbac_role`
+--
+
+CREATE TABLE IF NOT EXISTS `prefix_rbac_role` (
+  `id` int(11) NOT NULL AUTO_INCREMENT,
+  `pid` int(11) DEFAULT NULL,
+  `code` varchar(50) NOT NULL,
+  `title` varchar(250) NOT NULL,
+  `date_create` datetime NOT NULL,
+  `state` tinyint(1) NOT NULL DEFAULT '1',
+  PRIMARY KEY (`id`),
+  KEY `pid` (`pid`),
+  KEY `state` (`state`),
+  KEY `date_create` (`date_create`),
+  KEY `code` (`code`)
+) ENGINE=InnoDB  DEFAULT CHARSET=utf8;
+
+--
+-- Дамп данных таблицы `prefix_rbac_role`
+--
+
+INSERT INTO `prefix_rbac_role` (`id`, `pid`, `code`, `title`, `date_create`, `state`) VALUES
+(1, NULL, 'guest', 'Гость', '2014-01-27 00:00:00', 1);
+
+-- --------------------------------------------------------
+
+--
+-- Структура таблицы `prefix_rbac_role_permission`
+--
+
+CREATE TABLE IF NOT EXISTS `prefix_rbac_role_permission` (
+  `id` int(11) NOT NULL AUTO_INCREMENT,
+  `role_id` int(11) NOT NULL,
+  `permission_id` int(11) NOT NULL,
+  `date_create` datetime NOT NULL,
+  PRIMARY KEY (`id`),
+  KEY `role_id` (`role_id`),
+  KEY `permission_id` (`permission_id`),
+  KEY `date_create` (`date_create`)
+) ENGINE=InnoDB DEFAULT CHARSET=utf8;
+
+-- --------------------------------------------------------
+
+--
+-- Структура таблицы `prefix_rbac_user_role`
+--
+
+CREATE TABLE IF NOT EXISTS `prefix_rbac_user_role` (
+  `id` int(11) NOT NULL AUTO_INCREMENT,
+  `user_id` int(11) unsigned NOT NULL,
+  `role_id` int(11) NOT NULL,
+  `date_create` datetime NOT NULL,
+  PRIMARY KEY (`id`),
+  KEY `user_id` (`user_id`),
+  KEY `role_id` (`role_id`),
+  KEY `date_create` (`date_create`)
+) ENGINE=InnoDB DEFAULT CHARSET=utf8;
+
+--
+-- Ограничения внешнего ключа сохраненных таблиц
+--
+
+--
+-- Ограничения внешнего ключа таблицы `prefix_rbac_role_permission`
+--
+ALTER TABLE `prefix_rbac_role_permission`
+  ADD CONSTRAINT `prefix_rbac_role_permission_ibfk_1` FOREIGN KEY (`role_id`) REFERENCES `prefix_rbac_role` (`id`) ON DELETE CASCADE ON UPDATE CASCADE;
+
+--
+-- Ограничения внешнего ключа таблицы `prefix_rbac_user_role`
+--
+ALTER TABLE `prefix_rbac_user_role`
+  ADD CONSTRAINT `prefix_rbac_user_role_ibfk_2` FOREIGN KEY (`user_id`) REFERENCES `prefix_user` (`user_id`) ON DELETE CASCADE ON UPDATE CASCADE,
+  ADD CONSTRAINT `prefix_rbac_user_role_ibfk_1` FOREIGN KEY (`role_id`) REFERENCES `prefix_rbac_role` (`id`) ON DELETE CASCADE ON UPDATE CASCADE;