1
0
Fork 0
mirror of https://github.com/Oreolek/ifhub.club.git synced 2024-06-16 23:00:51 +03:00

Новый модуль Rbac для продвинутого управления правами на основе ролей и разрешений. Модуль заменит собой старый модуль ACL.

This commit is contained in:
Mzhelskiy Maxim 2014-01-27 19:10:36 +07:00
parent 3203910ec8
commit 6185d99c9b
8 changed files with 428 additions and 2 deletions

View file

@ -0,0 +1,172 @@
<?php
/**
* LiveStreet CMS
* Copyright © 2013 OOO "ЛС-СОФТ"
*
* ------------------------------------------------------
*
* Official site: www.livestreetcms.com
* Contact e-mail: office@livestreetcms.com
*
* GNU General Public License, version 2:
* http://www.gnu.org/licenses/old-licenses/gpl-2.0.html
*
* ------------------------------------------------------
*
* @link http://www.livestreetcms.com
* @copyright 2013 OOO "ЛС-СОФТ"
* @author Maxim Mzhelskiy <rus.engine@gmail.com>
*
*/
/**
* Модуль управления правами на основе ролей и разрешений
*/
class ModuleRbac extends ModuleORM {
const ROLE_CODE_GUEST='guest';
const PERMISSION_STATE_ACTIVE=1;
const PERMISSION_STATE_INACTIVE=0;
const ROLE_STATE_ACTIVE=1;
const ROLE_STATE_INACTIVE=0;
protected $aUserRoleCache=array();
protected $aRoleCache=array();
protected $aRulePermissionCache=array();
protected $aPermissionCache=array();
protected $sMessageLast=null;
protected $oMapper=null;
public function Init() {
parent::Init();
$this->oMapper=Engine::GetMapper(__CLASS__);
}
/**
* Проверяет разрешение для текущего авторизованного пользователя
*
* @param string $sPermissionCode
* @param array $aParams
*
* @return bool
*/
public function IsAllow($sPermissionCode,$aParams=array()) {
return $this->IsAllowUser($this->User_GetUserCurrent(),$sPermissionCode,$aParams);
}
public function IsAllowUser($oUser,$sPermissionCode,$aParams=array()) {
if (!$sPermissionCode) {
return false;
}
/**
* Загружаем все роли и пермишены
*/
$this->LoadRoleAndPermissions();
$sUserId=self::ROLE_CODE_GUEST;
if ($oUser) {
$sUserId=$oUser->getId();
}
/**
* Смотрим роли в кеше
*/
if (!isset($this->aUserRoleCache[$sUserId])) {
if ($sUserId==self::ROLE_CODE_GUEST) {
$aRoles=$this->GetRoleByCodeAndState(self::ROLE_CODE_GUEST,self::ROLE_STATE_ACTIVE);
$aRoles=$aRoles ? array($aRoles) : array();
} else {
$aRoles=$oUser->getRolesActive();
}
$this->aUserRoleCache[$sUserId]=$aRoles;
} else {
$aRoles=$this->aUserRoleCache[$sUserId];
}
/**
* Получаем пермишены для ролей
*/
$sPermissionCode=func_underscore($sPermissionCode);
foreach($aRoles as $oRole) {
if ($this->CheckPermissionByRole($oRole,$sPermissionCode)) {
/**
* У роли есть необходимый пермишен, теперь проверим на возможную кастомную обработку с параметрами
*/
$sMethod='CheckCustom'.func_camelize($sPermissionCode);
if (method_exists($this,$sMethod)) {
if (call_user_func(array($this,$sMethod),$oUser,$aParams)) {
return true;
}
} else {
return true;
}
}
}
if (isset($this->aPermissionCache[$sPermissionCode])) {
$aPerm=$this->aPermissionCache[$sPermissionCode];
if ($aPerm['msg_error']) {
$sMsg=$aPerm['msg_error'];
} else {
$sMsg='У вас нет прав на "'.($aPerm['title'] ? $aPerm['title'] : $aPerm['code']).'"';
}
} else {
$sMsg='У вас нет прав на "'.$sPermissionCode.'"';
}
$this->sMessageLast=$sMsg;
return false;
}
protected function LoadRoleAndPermissions() {
/**
* Роли
*/
$this->LoadRoles();
/**
* Пермишены
*/
$this->LoadPermissions();
}
protected function LoadPermissions() {
if ($this->aRulePermissionCache) {
return;
}
$aResult=$this->oMapper->GetRoleWithPermissions();
foreach($aResult as $aRow) {
$this->aRulePermissionCache[$aRow['role_id']][]=$aRow['code'];
$this->aPermissionCache[$aRow['code']]=$aRow;
}
}
protected function LoadRoles() {
if ($this->aRoleCache) {
return;
}
$aRoles=$this->GetRoleItemsByState(self::ROLE_STATE_ACTIVE);
foreach($aRoles as $oRole) {
$this->aRoleCache[$oRole->getId()]=$oRole;
}
}
protected function CheckPermissionByRole($oRole,$sPermissionCode) {
/**
* Проверяем наличие пермишена в текущей роли
*/
if (isset($this->aRulePermissionCache[$oRole->getId()])) {
if (in_array($sPermissionCode,$this->aRulePermissionCache[$oRole->getId()])) {
return true;
}
}
/**
* Смотрим родительскую роль
*/
if ($oRole->getPid() and isset($this->aRoleCache[$oRole->getPid()])) {
return $this->CheckPermissionByRole($this->aRoleCache[$oRole->getPid()],$sPermissionCode);
}
return false;
}
public function GetMsgLast() {
return $this->sMessageLast;
}
}

View file

@ -0,0 +1,26 @@
<?php
/**
* LiveStreet CMS
* Copyright © 2013 OOO "ЛС-СОФТ"
*
* ------------------------------------------------------
*
* Official site: www.livestreetcms.com
* Contact e-mail: office@livestreetcms.com
*
* GNU General Public License, version 2:
* http://www.gnu.org/licenses/old-licenses/gpl-2.0.html
*
* ------------------------------------------------------
*
* @link http://www.livestreetcms.com
* @copyright 2013 OOO "ЛС-СОФТ"
* @author Maxim Mzhelskiy <rus.engine@gmail.com>
*
*/
class ModuleRbac_EntityPermission extends EntityORM {
}

View file

@ -0,0 +1,28 @@
<?php
/**
* LiveStreet CMS
* Copyright © 2013 OOO "ЛС-СОФТ"
*
* ------------------------------------------------------
*
* Official site: www.livestreetcms.com
* Contact e-mail: office@livestreetcms.com
*
* GNU General Public License, version 2:
* http://www.gnu.org/licenses/old-licenses/gpl-2.0.html
*
* ------------------------------------------------------
*
* @link http://www.livestreetcms.com
* @copyright 2013 OOO "ЛС-СОФТ"
* @author Maxim Mzhelskiy <rus.engine@gmail.com>
*
*/
class ModuleRbac_EntityRole extends EntityORM {
protected $aRelations=array(
'permissions' => array(self::RELATION_TYPE_MANY_TO_MANY,'ModuleRbac_EntityPermission', 'permission_id', 'db.table.rbac_role_permission', 'role_id'),
);
}

View file

@ -0,0 +1,26 @@
<?php
/**
* LiveStreet CMS
* Copyright © 2013 OOO "ЛС-СОФТ"
*
* ------------------------------------------------------
*
* Official site: www.livestreetcms.com
* Contact e-mail: office@livestreetcms.com
*
* GNU General Public License, version 2:
* http://www.gnu.org/licenses/old-licenses/gpl-2.0.html
*
* ------------------------------------------------------
*
* @link http://www.livestreetcms.com
* @copyright 2013 OOO "ЛС-СОФТ"
* @author Maxim Mzhelskiy <rus.engine@gmail.com>
*
*/
class ModuleRbac_EntityRolePermission extends EntityORM {
}

View file

@ -0,0 +1,26 @@
<?php
/**
* LiveStreet CMS
* Copyright © 2013 OOO "ЛС-СОФТ"
*
* ------------------------------------------------------
*
* Official site: www.livestreetcms.com
* Contact e-mail: office@livestreetcms.com
*
* GNU General Public License, version 2:
* http://www.gnu.org/licenses/old-licenses/gpl-2.0.html
*
* ------------------------------------------------------
*
* @link http://www.livestreetcms.com
* @copyright 2013 OOO "ЛС-СОФТ"
* @author Maxim Mzhelskiy <rus.engine@gmail.com>
*
*/
class ModuleRbac_EntityUserRole extends EntityORM {
}

View file

@ -0,0 +1,47 @@
<?php
/**
* LiveStreet CMS
* Copyright © 2013 OOO "ЛС-СОФТ"
*
* ------------------------------------------------------
*
* Official site: www.livestreetcms.com
* Contact e-mail: office@livestreetcms.com
*
* GNU General Public License, version 2:
* http://www.gnu.org/licenses/old-licenses/gpl-2.0.html
*
* ------------------------------------------------------
*
* @link http://www.livestreetcms.com
* @copyright 2013 OOO "ЛС-СОФТ"
* @author Maxim Mzhelskiy <rus.engine@gmail.com>
*
*/
/**
* Маппер для работы с БД
*
* @package modules.rbac
* @since 1.0
*/
class ModuleRbac_MapperRbac extends Mapper {
public function GetRoleWithPermissions() {
$sql = "SELECT
r.role_id,
p.code,
p.title,
p.msg_error
FROM
".Config::Get('db.table.rbac_role_permission')." as r
LEFT JOIN ".Config::Get('db.table.rbac_permission')." as p ON r.permission_id=p.id
WHERE
p.state = ?d ; ";
if ($aRows=$this->oDb->select($sql,ModuleRbac::PERMISSION_STATE_ACTIVE)) {
return $aRows;
}
return null;
}
}

View file

@ -295,8 +295,12 @@ $config['db']['table']['property_select'] = '___db.table.prefix___property_se
$config['db']['table']['property_value'] = '___db.table.prefix___property_value';
$config['db']['table']['property_value_tag'] = '___db.table.prefix___property_value_tag';
$config['db']['table']['property_value_select'] = '___db.table.prefix___property_value_select';
$config['db']['table']['media'] = '___db.table.prefix___media';
$config['db']['table']['media_target'] = '___db.table.prefix___media_target';
$config['db']['table']['media'] = '___db.table.prefix___media';
$config['db']['table']['media_target'] = '___db.table.prefix___media_target';
$config['db']['table']['rbac_role'] = '___db.table.prefix___rbac_role';
$config['db']['table']['rbac_permission'] = '___db.table.prefix___rbac_permission';
$config['db']['table']['rbac_role_permission']= '___db.table.prefix___rbac_role_permission';
$config['db']['table']['rbac_user_role'] = '___db.table.prefix___rbac_user_role';
$config['db']['tables']['engine'] = 'InnoDB'; // InnoDB или MyISAM

View file

@ -274,3 +274,100 @@ CREATE TABLE IF NOT EXISTS `prefix_user_complaint` (
ALTER TABLE `prefix_user_complaint`
ADD CONSTRAINT `prefix_user_complaint_ibfk_2` FOREIGN KEY (`user_id`) REFERENCES `prefix_user` (`user_id`) ON DELETE CASCADE ON UPDATE CASCADE,
ADD CONSTRAINT `prefix_user_complaint_ibfk_1` FOREIGN KEY (`target_user_id`) REFERENCES `prefix_user` (`user_id`) ON DELETE CASCADE ON UPDATE CASCADE;
-- 27.01.2014
--
-- Структура таблицы `prefix_rbac_permission`
--
CREATE TABLE IF NOT EXISTS `prefix_rbac_permission` (
`id` int(11) NOT NULL AUTO_INCREMENT,
`code` varchar(50) NOT NULL,
`title` varchar(250) NOT NULL,
`msg_error` varchar(250) NOT NULL,
`date_create` datetime NOT NULL,
`state` tinyint(1) NOT NULL DEFAULT '1',
PRIMARY KEY (`id`),
KEY `code` (`code`),
KEY `date_create` (`date_create`),
KEY `state` (`state`)
) ENGINE=InnoDB DEFAULT CHARSET=utf8;
-- --------------------------------------------------------
--
-- Структура таблицы `prefix_rbac_role`
--
CREATE TABLE IF NOT EXISTS `prefix_rbac_role` (
`id` int(11) NOT NULL AUTO_INCREMENT,
`pid` int(11) DEFAULT NULL,
`code` varchar(50) NOT NULL,
`title` varchar(250) NOT NULL,
`date_create` datetime NOT NULL,
`state` tinyint(1) NOT NULL DEFAULT '1',
PRIMARY KEY (`id`),
KEY `pid` (`pid`),
KEY `state` (`state`),
KEY `date_create` (`date_create`),
KEY `code` (`code`)
) ENGINE=InnoDB DEFAULT CHARSET=utf8;
--
-- Дамп данных таблицы `prefix_rbac_role`
--
INSERT INTO `prefix_rbac_role` (`id`, `pid`, `code`, `title`, `date_create`, `state`) VALUES
(1, NULL, 'guest', 'Гость', '2014-01-27 00:00:00', 1);
-- --------------------------------------------------------
--
-- Структура таблицы `prefix_rbac_role_permission`
--
CREATE TABLE IF NOT EXISTS `prefix_rbac_role_permission` (
`id` int(11) NOT NULL AUTO_INCREMENT,
`role_id` int(11) NOT NULL,
`permission_id` int(11) NOT NULL,
`date_create` datetime NOT NULL,
PRIMARY KEY (`id`),
KEY `role_id` (`role_id`),
KEY `permission_id` (`permission_id`),
KEY `date_create` (`date_create`)
) ENGINE=InnoDB DEFAULT CHARSET=utf8;
-- --------------------------------------------------------
--
-- Структура таблицы `prefix_rbac_user_role`
--
CREATE TABLE IF NOT EXISTS `prefix_rbac_user_role` (
`id` int(11) NOT NULL AUTO_INCREMENT,
`user_id` int(11) unsigned NOT NULL,
`role_id` int(11) NOT NULL,
`date_create` datetime NOT NULL,
PRIMARY KEY (`id`),
KEY `user_id` (`user_id`),
KEY `role_id` (`role_id`),
KEY `date_create` (`date_create`)
) ENGINE=InnoDB DEFAULT CHARSET=utf8;
--
-- Ограничения внешнего ключа сохраненных таблиц
--
--
-- Ограничения внешнего ключа таблицы `prefix_rbac_role_permission`
--
ALTER TABLE `prefix_rbac_role_permission`
ADD CONSTRAINT `prefix_rbac_role_permission_ibfk_1` FOREIGN KEY (`role_id`) REFERENCES `prefix_rbac_role` (`id`) ON DELETE CASCADE ON UPDATE CASCADE;
--
-- Ограничения внешнего ключа таблицы `prefix_rbac_user_role`
--
ALTER TABLE `prefix_rbac_user_role`
ADD CONSTRAINT `prefix_rbac_user_role_ibfk_2` FOREIGN KEY (`user_id`) REFERENCES `prefix_user` (`user_id`) ON DELETE CASCADE ON UPDATE CASCADE,
ADD CONSTRAINT `prefix_rbac_user_role_ibfk_1` FOREIGN KEY (`role_id`) REFERENCES `prefix_rbac_role` (`id`) ON DELETE CASCADE ON UPDATE CASCADE;