|
1
|
|
|
<?php |
|
2
|
|
|
/** |
|
3
|
|
|
* RBAC implementation for HiPanel |
|
4
|
|
|
* |
|
5
|
|
|
* @link https://github.com/hiqdev/hipanel-rbac |
|
6
|
|
|
* @package hipanel-rbac |
|
7
|
|
|
* @license BSD-3-Clause |
|
8
|
|
|
* @copyright Copyright (c) 2016-2020, HiQDev (http://hiqdev.com/) |
|
9
|
|
|
*/ |
|
10
|
|
|
|
|
11
|
|
|
namespace hipanel\rbac; |
|
12
|
|
|
|
|
13
|
|
|
use hiqdev\yii\compat\yii; |
|
14
|
|
|
use yii\base\Configurable; |
|
15
|
|
|
use yii\rbac\RuleFactory; |
|
16
|
|
|
|
|
17
|
|
|
/** |
|
18
|
|
|
* HiPanel AuthManager. |
|
19
|
|
|
* |
|
20
|
|
|
* @author Andrii Vasyliev <[email protected]> |
|
21
|
|
|
*/ |
|
22
|
|
|
class AuthManager extends \yii\rbac\PhpManager implements Configurable |
|
23
|
|
|
{ |
|
24
|
|
|
use SetterTrait; |
|
25
|
|
|
|
|
26
|
|
|
public $itemFile = __DIR__ . '/files/items.php'; |
|
27
|
|
|
public $ruleFile = __DIR__ . '/files/rules.php'; |
|
28
|
|
|
public $assignmentFile = __DIR__ . '/files/assignments.php'; |
|
29
|
|
|
|
|
30
|
31 |
|
public function __construct(array $config = []) |
|
31
|
|
|
{ |
|
32
|
31 |
|
if (yii::is2()) { |
|
33
|
31 |
|
parent::__construct($config); |
|
34
|
31 |
|
parent::init(); |
|
35
|
|
|
} else { |
|
36
|
|
|
$dir = __DIR__ . '/files'; |
|
37
|
|
|
parent::__construct($dir, new RuleFactory()); |
|
|
|
|
|
|
38
|
|
|
} |
|
39
|
31 |
|
} |
|
40
|
|
|
|
|
41
|
|
|
/** |
|
42
|
|
|
* We don't keep all the assignments, only persistent. |
|
43
|
|
|
* @see persistAssignments |
|
44
|
|
|
*/ |
|
45
|
31 |
|
protected function saveAssignments() |
|
46
|
|
|
{ |
|
47
|
31 |
|
} |
|
48
|
|
|
|
|
49
|
|
|
/** |
|
50
|
|
|
* Does real assignments saving. |
|
51
|
|
|
* The idea is to split persistent assignments from session only. |
|
52
|
|
|
*/ |
|
53
|
|
|
public function persistAssignments() |
|
54
|
|
|
{ |
|
55
|
|
|
parent::saveAssignments(); |
|
56
|
|
|
} |
|
57
|
|
|
|
|
58
|
30 |
|
public function checkAccess($userId, $permission, $params = []) |
|
59
|
|
|
{ |
|
60
|
30 |
|
if (empty($this->getAssignments($userId))) { |
|
61
|
2 |
|
$this->applyUserAssignments($userId); |
|
62
|
|
|
} |
|
63
|
|
|
|
|
64
|
30 |
|
return parent::checkAccess($userId, $permission, $params) |
|
65
|
30 |
|
&& !parent::checkAccess($userId, "deny:$permission", $params); |
|
66
|
|
|
} |
|
67
|
|
|
|
|
68
|
2 |
|
public function applyUserAssignments($userId) |
|
69
|
|
|
{ |
|
70
|
2 |
|
$roles = ''; |
|
71
|
|
|
|
|
72
|
2 |
|
if (isset(yii::getApp()->user)) { |
|
73
|
|
|
$user = yii::getApp()->user->identity; |
|
74
|
|
|
if ((!$user || $user->id !== $userId) && $userId) { |
|
75
|
|
|
$user = call_user_func([yii::getApp()->user->identityClass, 'findIdentity'], $userId); |
|
76
|
|
|
} |
|
77
|
|
|
if (isset($user->roles)) { |
|
78
|
|
|
$roles = $user->roles; |
|
79
|
|
|
} |
|
80
|
|
|
} |
|
81
|
|
|
|
|
82
|
2 |
|
if (empty($userId)) { |
|
83
|
2 |
|
$userId = ''; |
|
84
|
2 |
|
$roles = 'role:unauthorized'; |
|
85
|
|
|
} |
|
86
|
|
|
|
|
87
|
2 |
|
if ($roles) { |
|
88
|
2 |
|
$this->setAssignments($roles, $userId); |
|
89
|
|
|
} |
|
90
|
2 |
|
} |
|
91
|
|
|
|
|
92
|
|
|
public function getAllChildren(): array |
|
93
|
|
|
{ |
|
94
|
|
|
return $this->children; |
|
95
|
|
|
} |
|
96
|
|
|
} |
|
97
|
|
|
|
hiqdev /
hipanel-rbac
Andrii Vasyliev
Loading history...
This check compares calls to functions or methods with their respective definitions. If the call has more arguments than are defined, it raises an issue.
If a function is defined several times with a different number of parameters, the check may pick up the wrong definition and report false positives. One codebase where this has been known to happen is Wordpress. Please note the @ignore annotation hint above.