Inicio Explorar Ayuda
Iniciar sesión
boarspring
/
repo_zf1
espejo de https://github.com/bluescreen/zf1-php7.2.git
2
0
Fork 1
Archivos Incidencias 0 Wiki
Árbol: 564ae65a65
Ramas Etiquetas
repo_zf1
/
library
/
Zend
/
Acl.php

Acl.php 41 KB
Histórico Raw

1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374757677787980818283848586878889909192939495969798991001011021031041051061071081091101111121131141151161171181191201211221231241251261271281291301311321331341351361371381391401411421431441451461471481491501511521531541551561571581591601611621631641651661671681691701711721731741751761771781791801811821831841851861871881891901911921931941951961971981992002012022032042052062072082092102112122132142152162172182192202212222232242252262272282292302312322332342352362372382392402412422432442452462472482492502512522532542552562572582592602612622632642652662672682692702712722732742752762772782792802812822832842852862872882892902912922932942952962972982993003013023033043053063073083093103113123133143153163173183193203213223233243253263273283293303313323333343353363373383393403413423433443453463473483493503513523533543553563573583593603613623633643653663673683693703713723733743753763773783793803813823833843853863873883893903913923933943953963973983994004014024034044054064074084094104114124134144154164174184194204214224234244254264274284294304314324334344354364374384394404414424434444454464474484494504514524534544554564574584594604614624634644654664674684694704714724734744754764774784794804814824834844854864874884894904914924934944954964974984995005015025035045055065075085095105115125135145155165175185195205215225235245255265275285295305315325335345355365375385395405415425435445455465475485495505515525535545555565575585595605615625635645655665675685695705715725735745755765775785795805815825835845855865875885895905915925935945955965975985996006016026036046056066076086096106116126136146156166176186196206216226236246256266276286296306316326336346356366376386396406416426436446456466476486496506516526536546556566576586596606616626636646656666676686696706716726736746756766776786796806816826836846856866876886896906916926936946956966976986997007017027037047057067077087097107117127137147157167177187197207217227237247257267277287297307317327337347357367377387397407417427437447457467477487497507517527537547557567577587597607617627637647657667677687697707717727737747757767777787797807817827837847857867877887897907917927937947957967977987998008018028038048058068078088098108118128138148158168178188198208218228238248258268278288298308318328338348358368378388398408418428438448458468478488498508518528538548558568578588598608618628638648658668678688698708718728738748758768778788798808818828838848858868878888898908918928938948958968978988999009019029039049059069079089099109119129139149159169179189199209219229239249259269279289299309319329339349359369379389399409419429439449459469479489499509519529539549559569579589599609619629639649659669679689699709719729739749759769779789799809819829839849859869879889899909919929939949959969979989991000100110021003100410051006100710081009101010111012101310141015101610171018101910201021102210231024102510261027102810291030103110321033103410351036103710381039104010411042104310441045104610471048104910501051105210531054105510561057105810591060106110621063106410651066106710681069107010711072107310741075107610771078107910801081108210831084108510861087108810891090109110921093109410951096109710981099110011011102110311041105110611071108110911101111111211131114111511161117 
  1. <?php
    2. 

  2. /**
    3. 

  3.  * Zend Framework
    4. 

  4.  *
    5. 

  5.  * LICENSE
    6. 

  6.  *
    7. 

  7.  * This source file is subject to the new BSD license that is bundled
    8. 

  8.  * with this package in the file LICENSE.txt.
    9. 

  9.  * It is also available through the world-wide-web at this URL:
    10. 

  10.  * http://framework.zend.com/license/new-bsd
    11. 

  11.  * If you did not receive a copy of the license and are unable to
    12. 

  12.  * obtain it through the world-wide-web, please send an email
    13. 

  13.  * to license@zend.com so we can send you a copy immediately.
    14. 

  14.  *
    15. 

  15.  * @category   Zend
    16. 

  16.  * @package    Zend_Acl
    17. 

  17.  * @copyright  Copyright (c) 2005-2009 Zend Technologies USA Inc. (http://www.zend.com)
    18. 

  18.  * @license    http://framework.zend.com/license/new-bsd     New BSD License
    19. 

  19.  * @version    $Id$
    20. 

  20.  */
    21. 

  21. 

  22. 

  23. /**
    24. 

  24.  * @see Zend_Acl_Resource_Interface
    25. 

  25.  */
    26. 

  26. require_once 'Zend/Acl/Resource/Interface.php';
    27. 

  27. 

  28. 

  29. /**
    30. 

  30.  * @see Zend_Acl_Role_Registry
    31. 

  31.  */
    32. 

  32. require_once 'Zend/Acl/Role/Registry.php';
    33. 

  33. 

  34. 

  35. /**
    36. 

  36.  * @see Zend_Acl_Assert_Interface
    37. 

  37.  */
    38. 

  38. require_once 'Zend/Acl/Assert/Interface.php';
    39. 

  39. 

  40. 

  41. /**
    42. 

  42.  * @category   Zend
    43. 

  43.  * @package    Zend_Acl
    44. 

  44.  * @copyright  Copyright (c) 2005-2009 Zend Technologies USA Inc. (http://www.zend.com)
    45. 

  45.  * @license    http://framework.zend.com/license/new-bsd     New BSD License
    46. 

  46.  */
    47. 

  47. class Zend_Acl
    48. 

  48. {
    49. 

  49.     /**
    50. 

  50.      * Rule type: allow
    51. 

  51.      */
    52. 

  52.     const TYPE_ALLOW = 'TYPE_ALLOW';
    53. 

  53. 

  54.     /**
    55. 

  55.      * Rule type: deny
    56. 

  56.      */
    57. 

  57.     const TYPE_DENY  = 'TYPE_DENY';
    58. 

  58. 

  59.     /**
    60. 

  60.      * Rule operation: add
    61. 

  61.      */
    62. 

  62.     const OP_ADD = 'OP_ADD';
    63. 

  63. 

  64.     /**
    65. 

  65.      * Rule operation: remove
    66. 

  66.      */
    67. 

  67.     const OP_REMOVE = 'OP_REMOVE';
    68. 

  68. 

  69.     /**
    70. 

  70.      * Role registry
    71. 

  71.      *
    72. 

  72.      * @var Zend_Acl_Role_Registry
    73. 

  73.      */
    74. 

  74.     protected $_roleRegistry = null;
    75. 

  75. 

  76.     /**
    77. 

  77.      * Resource tree
    78. 

  78.      *
    79. 

  79.      * @var array
    80. 

  80.      */
    81. 

  81.     protected $_resources = array();
    82. 

  82. 

  83.     /**
    84. 

  84.      * @var Zend_Acl_Role_Interface
    85. 

  85.      */
    86. 

  86.     protected $_isAllowedRole     = null;
    87. 

  87. 

  88.     /**
    89. 

  89.      * @var Zend_Acl_Resource_Interface
    90. 

  90.      */
    91. 

  91.     protected $_isAllowedResource = null;
    92. 

  92. 

  93.     /**
    94. 

  94.      * ACL rules; whitelist (deny everything to all) by default
    95. 

  95.      *
    96. 

  96.      * @var array
    97. 

  97.      */
    98. 

  98.     protected $_rules = array(
    99. 

  99.         'allResources' => array(
    100. 

  100.             'allRoles' => array(
    101. 

  101.                 'allPrivileges' => array(
    102. 

  102.                     'type'   => self::TYPE_DENY,
    103. 

  103.                     'assert' => null
    104. 

  104.                     ),
    105. 

  105.                 'byPrivilegeId' => array()
    106. 

  106.                 ),
    107. 

  107.             'byRoleId' => array()
    108. 

  108.             ),
    109. 

  109.         'byResourceId' => array()
    110. 

  110.         );
    111. 

  111. 

  112.     /**
    113. 

  113.      * Adds a Role having an identifier unique to the registry
    114. 

  114.      *
    115. 

  115.      * The $parents parameter may be a reference to, or the string identifier for,
    116. 

  116.      * a Role existing in the registry, or $parents may be passed as an array of
    117. 

  117.      * these - mixing string identifiers and objects is ok - to indicate the Roles
    118. 

  118.      * from which the newly added Role will directly inherit.
    119. 

  119.      *
    120. 

  120.      * In order to resolve potential ambiguities with conflicting rules inherited
    121. 

  121.      * from different parents, the most recently added parent takes precedence over
    122. 

  122.      * parents that were previously added. In other words, the first parent added
    123. 

  123.      * will have the least priority, and the last parent added will have the
    124. 

  124.      * highest priority.
    125. 

  125.      *
    126. 

  126.      * @param  Zend_Acl_Role_Interface              $role
    127. 

  127.      * @param  Zend_Acl_Role_Interface|string|array $parents
    128. 

  128.      * @uses   Zend_Acl_Role_Registry::add()
    129. 

  129.      * @return Zend_Acl Provides a fluent interface
    130. 

  130.      */
    131. 

  131.     public function addRole($role, $parents = null)
    132. 

  132.     {
    133. 

  133.         if (is_string($role)) {
    134. 

  134.             $role = new Zend_Acl_Role($role);
    135. 

  135.         }
    136. 

  136. 

  137.         if (!$role instanceof Zend_Acl_Role_Interface) {
    138. 

  138.             require_once 'Zend/Acl/Exception.php';
    139. 

  139.             throw new Zend_Acl_Exception('addRole() expects $role to be of type Zend_Acl_Role_Interface');
    140. 

  140.         }
    141. 

  141. 

  142. 

  143.         $this->_getRoleRegistry()->add($role, $parents);
    144. 

  144. 

  145.         return $this;
    146. 

  146.     }
    147. 

  147. 

  148.     /**
    149. 

  149.      * Returns the identified Role
    150. 

  150.      *
    151. 

  151.      * The $role parameter can either be a Role or Role identifier.
    152. 

  152.      *
    153. 

  153.      * @param  Zend_Acl_Role_Interface|string $role
    154. 

  154.      * @uses   Zend_Acl_Role_Registry::get()
    155. 

  155.      * @return Zend_Acl_Role_Interface
    156. 

  156.      */
    157. 

  157.     public function getRole($role)
    158. 

  158.     {
    159. 

  159.         return $this->_getRoleRegistry()->get($role);
    160. 

  160.     }
    161. 

  161. 

  162.     /**
    163. 

  163.      * Returns true if and only if the Role exists in the registry
    164. 

  164.      *
    165. 

  165.      * The $role parameter can either be a Role or a Role identifier.
    166. 

  166.      *
    167. 

  167.      * @param  Zend_Acl_Role_Interface|string $role
    168. 

  168.      * @uses   Zend_Acl_Role_Registry::has()
    169. 

  169.      * @return boolean
    170. 

  170.      */
    171. 

  171.     public function hasRole($role)
    172. 

  172.     {
    173. 

  173.         return $this->_getRoleRegistry()->has($role);
    174. 

  174.     }
    175. 

  175. 

  176.     /**
    177. 

  177.      * Returns true if and only if $role inherits from $inherit
    178. 

  178.      *
    179. 

  179.      * Both parameters may be either a Role or a Role identifier. If
    180. 

  180.      * $onlyParents is true, then $role must inherit directly from
    181. 

  181.      * $inherit in order to return true. By default, this method looks
    182. 

  182.      * through the entire inheritance DAG to determine whether $role
    183. 

  183.      * inherits from $inherit through its ancestor Roles.
    184. 

  184.      *
    185. 

  185.      * @param  Zend_Acl_Role_Interface|string $role
    186. 

  186.      * @param  Zend_Acl_Role_Interface|string $inherit
    187. 

  187.      * @param  boolean                        $onlyParents
    188. 

  188.      * @uses   Zend_Acl_Role_Registry::inherits()
    189. 

  189.      * @return boolean
    190. 

  190.      */
    191. 

  191.     public function inheritsRole($role, $inherit, $onlyParents = false)
    192. 

  192.     {
    193. 

  193.         return $this->_getRoleRegistry()->inherits($role, $inherit, $onlyParents);
    194. 

  194.     }
    195. 

  195. 

  196.     /**
    197. 

  197.      * Removes the Role from the registry
    198. 

  198.      *
    199. 

  199.      * The $role parameter can either be a Role or a Role identifier.
    200. 

  200.      *
    201. 

  201.      * @param  Zend_Acl_Role_Interface|string $role
    202. 

  202.      * @uses   Zend_Acl_Role_Registry::remove()
    203. 

  203.      * @return Zend_Acl Provides a fluent interface
    204. 

  204.      */
    205. 

  205.     public function removeRole($role)
    206. 

  206.     {
    207. 

  207.         $this->_getRoleRegistry()->remove($role);
    208. 

  208. 

  209.         if ($role instanceof Zend_Acl_Role_Interface) {
    210. 

  210.             $roleId = $role->getRoleId();
    211. 

  211.         } else {
    212. 

  212.             $roleId = $role;
    213. 

  213.         }
    214. 

  214. 

  215.         foreach ($this->_rules['allResources']['byRoleId'] as $roleIdCurrent => $rules) {
    216. 

  216.             if ($roleId === $roleIdCurrent) {
    217. 

  217.                 unset($this->_rules['allResources']['byRoleId'][$roleIdCurrent]);
    218. 

  218.             }
    219. 

  219.         }
    220. 

  220.         foreach ($this->_rules['byResourceId'] as $resourceIdCurrent => $visitor) {
    221. 

  221.             foreach ($visitor['byRoleId'] as $roleIdCurrent => $rules) {
    222. 

  222.                 if ($roleId === $roleIdCurrent) {
    223. 

  223.                     unset($this->_rules['byResourceId'][$resourceIdCurrent]['byRoleId'][$roleIdCurrent]);
    224. 

  224.                 }
    225. 

  225.             }
    226. 

  226.         }
    227. 

  227. 

  228.         return $this;
    229. 

  229.     }
    230. 

  230. 

  231.     /**
    232. 

  232.      * Removes all Roles from the registry
    233. 

  233.      *
    234. 

  234.      * @uses   Zend_Acl_Role_Registry::removeAll()
    235. 

  235.      * @return Zend_Acl Provides a fluent interface
    236. 

  236.      */
    237. 

  237.     public function removeRoleAll()
    238. 

  238.     {
    239. 

  239.         $this->_getRoleRegistry()->removeAll();
    240. 

  240. 

  241.         foreach ($this->_rules['allResources']['byRoleId'] as $roleIdCurrent => $rules) {
    242. 

  242.             unset($this->_rules['allResources']['byRoleId'][$roleIdCurrent]);
    243. 

  243.         }
    244. 

  244.         foreach ($this->_rules['byResourceId'] as $resourceIdCurrent => $visitor) {
    245. 

  245.             foreach ($visitor['byRoleId'] as $roleIdCurrent => $rules) {
    246. 

  246.                 unset($this->_rules['byResourceId'][$resourceIdCurrent]['byRoleId'][$roleIdCurrent]);
    247. 

  247.             }
    248. 

  248.         }
    249. 

  249. 

  250.         return $this;
    251. 

  251.     }
    252. 

  252. 

  253.     /**
    254. 

  254.      * Adds a Resource having an identifier unique to the ACL
    255. 

  255.      *
    256. 

  256.      * The $parent parameter may be a reference to, or the string identifier for,
    257. 

  257.      * the existing Resource from which the newly added Resource will inherit.
    258. 

  258.      *
    259. 

  259.      * @param  Zend_Acl_Resource_Interface|string $resource
    260. 

  260.      * @param  Zend_Acl_Resource_Interface|string $parent
    261. 

  261.      * @throws Zend_Acl_Exception
    262. 

  262.      * @return Zend_Acl Provides a fluent interface
    263. 

  263.      */
    264. 

  264.     public function addResource($resource, $parent = null)
    265. 

  265.     {
    266. 

  266.         if (is_string($resource)) {
    267. 

  267.             $resource = new Zend_Acl_Resource($resource);
    268. 

  268.         }
    269. 

  269. 

  270.         if (!$resource instanceof Zend_Acl_Resource_Interface) {
    271. 

  271.             require_once 'Zend/Acl/Exception.php';
    272. 

  272.             throw new Zend_Acl_Exception('addResource() expects $resource to be of type Zend_Acl_Resource_Interface');
    273. 

  273.         }
    274. 

  274. 

  275.         $resourceId = $resource->getResourceId();
    276. 

  276. 

  277.         if ($this->has($resourceId)) {
    278. 

  278.             require_once 'Zend/Acl/Exception.php';
    279. 

  279.             throw new Zend_Acl_Exception("Resource id '$resourceId' already exists in the ACL");
    280. 

  280.         }
    281. 

  281. 

  282.         $resourceParent = null;
    283. 

  283. 

  284.         if (null !== $parent) {
    285. 

  285.             try {
    286. 

  286.                 if ($parent instanceof Zend_Acl_Resource_Interface) {
    287. 

  287.                     $resourceParentId = $parent->getResourceId();
    288. 

  288.                 } else {
    289. 

  289.                     $resourceParentId = $parent;
    290. 

  290.                 }
    291. 

  291.                 $resourceParent = $this->get($resourceParentId);
    292. 

  292.             } catch (Zend_Acl_Exception $e) {
    293. 

  293.                 throw new Zend_Acl_Exception("Parent Resource id '$resourceParentId' does not exist");
    294. 

  294.             }
    295. 

  295.             $this->_resources[$resourceParentId]['children'][$resourceId] = $resource;
    296. 

  296.         }
    297. 

  297. 

  298.         $this->_resources[$resourceId] = array(
    299. 

  299.             'instance' => $resource,
    300. 

  300.             'parent'   => $resourceParent,
    301. 

  301.             'children' => array()
    302. 

  302.             );
    303. 

  303. 

  304.         return $this;
    305. 

  305.     }
    306. 

  306. 

  307.     /**
    308. 

  308.      * Adds a Resource having an identifier unique to the ACL
    309. 

  309.      *
    310. 

  310.      * The $parent parameter may be a reference to, or the string identifier for,
    311. 

  311.      * the existing Resource from which the newly added Resource will inherit.
    312. 

  312.      *
    313. 

  313.      * @deprecated in version 1.9.1 and will be available till 2.0.  New code
    314. 

  314.      *             should use addResource() instead.
    315. 

  315.      *
    316. 

  316.      * @param  Zend_Acl_Resource_Interface        $resource
    317. 

  317.      * @param  Zend_Acl_Resource_Interface|string $parent
    318. 

  318.      * @throws Zend_Acl_Exception
    319. 

  319.      * @return Zend_Acl Provides a fluent interface
    320. 

  320.      */
    321. 

  321.     public function add(Zend_Acl_Resource_Interface $resource, $parent = null)
    322. 

  322.     {
    323. 

  323.         return $this->addResource($resource, $parent);
    324. 

  324.     }
    325. 

  325. 

  326.     /**
    327. 

  327.      * Returns the identified Resource
    328. 

  328.      *
    329. 

  329.      * The $resource parameter can either be a Resource or a Resource identifier.
    330. 

  330.      *
    331. 

  331.      * @param  Zend_Acl_Resource_Interface|string $resource
    332. 

  332.      * @throws Zend_Acl_Exception
    333. 

  333.      * @return Zend_Acl_Resource_Interface
    334. 

  334.      */
    335. 

  335.     public function get($resource)
    336. 

  336.     {
    337. 

  337.         if ($resource instanceof Zend_Acl_Resource_Interface) {
    338. 

  338.             $resourceId = $resource->getResourceId();
    339. 

  339.         } else {
    340. 

  340.             $resourceId = (string) $resource;
    341. 

  341.         }
    342. 

  342. 

  343.         if (!$this->has($resource)) {
    344. 

  344.             require_once 'Zend/Acl/Exception.php';
    345. 

  345.             throw new Zend_Acl_Exception("Resource '$resourceId' not found");
    346. 

  346.         }
    347. 

  347. 

  348.         return $this->_resources[$resourceId]['instance'];
    349. 

  349.     }
    350. 

  350. 

  351.     /**
    352. 

  352.      * Returns true if and only if the Resource exists in the ACL
    353. 

  353.      *
    354. 

  354.      * The $resource parameter can either be a Resource or a Resource identifier.
    355. 

  355.      *
    356. 

  356.      * @param  Zend_Acl_Resource_Interface|string $resource
    357. 

  357.      * @return boolean
    358. 

  358.      */
    359. 

  359.     public function has($resource)
    360. 

  360.     {
    361. 

  361.         if ($resource instanceof Zend_Acl_Resource_Interface) {
    362. 

  362.             $resourceId = $resource->getResourceId();
    363. 

  363.         } else {
    364. 

  364.             $resourceId = (string) $resource;
    365. 

  365.         }
    366. 

  366. 

  367.         return isset($this->_resources[$resourceId]);
    368. 

  368.     }
    369. 

  369. 

  370.     /**
    371. 

  371.      * Returns true if and only if $resource inherits from $inherit
    372. 

  372.      *
    373. 

  373.      * Both parameters may be either a Resource or a Resource identifier. If
    374. 

  374.      * $onlyParent is true, then $resource must inherit directly from
    375. 

  375.      * $inherit in order to return true. By default, this method looks
    376. 

  376.      * through the entire inheritance tree to determine whether $resource
    377. 

  377.      * inherits from $inherit through its ancestor Resources.
    378. 

  378.      *
    379. 

  379.      * @param  Zend_Acl_Resource_Interface|string $resource
    380. 

  380.      * @param  Zend_Acl_Resource_Interface|string $inherit
    381. 

  381.      * @param  boolean                            $onlyParent
    382. 

  382.      * @throws Zend_Acl_Resource_Registry_Exception
    383. 

  383.      * @return boolean
    384. 

  384.      */
    385. 

  385.     public function inherits($resource, $inherit, $onlyParent = false)
    386. 

  386.     {
    387. 

  387.         try {
    388. 

  388.             $resourceId     = $this->get($resource)->getResourceId();
    389. 

  389.             $inheritId = $this->get($inherit)->getResourceId();
    390. 

  390.         } catch (Zend_Acl_Exception $e) {
    391. 

  391.             throw $e;
    392. 

  392.         }
    393. 

  393. 

  394.         if (null !== $this->_resources[$resourceId]['parent']) {
    395. 

  395.             $parentId = $this->_resources[$resourceId]['parent']->getResourceId();
    396. 

  396.             if ($inheritId === $parentId) {
    397. 

  397.                 return true;
    398. 

  398.             } else if ($onlyParent) {
    399. 

  399.                 return false;
    400. 

  400.             }
    401. 

  401.         } else {
    402. 

  402.             return false;
    403. 

  403.         }
    404. 

  404. 

  405.         while (null !== $this->_resources[$parentId]['parent']) {
    406. 

  406.             $parentId = $this->_resources[$parentId]['parent']->getResourceId();
    407. 

  407.             if ($inheritId === $parentId) {
    408. 

  408.                 return true;
    409. 

  409.             }
    410. 

  410.         }
    411. 

  411. 

  412.         return false;
    413. 

  413.     }
    414. 

  414. 

  415.     /**
    416. 

  416.      * Removes a Resource and all of its children
    417. 

  417.      *
    418. 

  418.      * The $resource parameter can either be a Resource or a Resource identifier.
    419. 

  419.      *
    420. 

  420.      * @param  Zend_Acl_Resource_Interface|string $resource
    421. 

  421.      * @throws Zend_Acl_Exception
    422. 

  422.      * @return Zend_Acl Provides a fluent interface
    423. 

  423.      */
    424. 

  424.     public function remove($resource)
    425. 

  425.     {
    426. 

  426.         try {
    427. 

  427.             $resourceId = $this->get($resource)->getResourceId();
    428. 

  428.         } catch (Zend_Acl_Exception $e) {
    429. 

  429.             throw $e;
    430. 

  430.         }
    431. 

  431. 

  432.         $resourcesRemoved = array($resourceId);
    433. 

  433.         if (null !== ($resourceParent = $this->_resources[$resourceId]['parent'])) {
    434. 

  434.             unset($this->_resources[$resourceParent->getResourceId()]['children'][$resourceId]);
    435. 

  435.         }
    436. 

  436.         foreach ($this->_resources[$resourceId]['children'] as $childId => $child) {
    437. 

  437.             $this->remove($childId);
    438. 

  438.             $resourcesRemoved[] = $childId;
    439. 

  439.         }
    440. 

  440. 

  441.         foreach ($resourcesRemoved as $resourceIdRemoved) {
    442. 

  442.             foreach ($this->_rules['byResourceId'] as $resourceIdCurrent => $rules) {
    443. 

  443.                 if ($resourceIdRemoved === $resourceIdCurrent) {
    444. 

  444.                     unset($this->_rules['byResourceId'][$resourceIdCurrent]);
    445. 

  445.                 }
    446. 

  446.             }
    447. 

  447.         }
    448. 

  448. 

  449.         unset($this->_resources[$resourceId]);
    450. 

  450. 

  451.         return $this;
    452. 

  452.     }
    453. 

  453. 

  454.     /**
    455. 

  455.      * Removes all Resources
    456. 

  456.      *
    457. 

  457.      * @return Zend_Acl Provides a fluent interface
    458. 

  458.      */
    459. 

  459.     public function removeAll()
    460. 

  460.     {
    461. 

  461.         foreach ($this->_resources as $resourceId => $resource) {
    462. 

  462.             foreach ($this->_rules['byResourceId'] as $resourceIdCurrent => $rules) {
    463. 

  463.                 if ($resourceId === $resourceIdCurrent) {
    464. 

  464.                     unset($this->_rules['byResourceId'][$resourceIdCurrent]);
    465. 

  465.                 }
    466. 

  466.             }
    467. 

  467.         }
    468. 

  468. 

  469.         $this->_resources = array();
    470. 

  470. 

  471.         return $this;
    472. 

  472.     }
    473. 

  473. 

  474.     /**
    475. 

  475.      * Adds an "allow" rule to the ACL
    476. 

  476.      *
    477. 

  477.      * @param  Zend_Acl_Role_Interface|string|array     $roles
    478. 

  478.      * @param  Zend_Acl_Resource_Interface|string|array $resources
    479. 

  479.      * @param  string|array                             $privileges
    480. 

  480.      * @param  Zend_Acl_Assert_Interface                $assert
    481. 

  481.      * @uses   Zend_Acl::setRule()
    482. 

  482.      * @return Zend_Acl Provides a fluent interface
    483. 

  483.      */
    484. 

  484.     public function allow($roles = null, $resources = null, $privileges = null, Zend_Acl_Assert_Interface $assert = null)
    485. 

  485.     {
    486. 

  486.         return $this->setRule(self::OP_ADD, self::TYPE_ALLOW, $roles, $resources, $privileges, $assert);
    487. 

  487.     }
    488. 

  488. 

  489.     /**
    490. 

  490.      * Adds a "deny" rule to the ACL
    491. 

  491.      *
    492. 

  492.      * @param  Zend_Acl_Role_Interface|string|array     $roles
    493. 

  493.      * @param  Zend_Acl_Resource_Interface|string|array $resources
    494. 

  494.      * @param  string|array                             $privileges
    495. 

  495.      * @param  Zend_Acl_Assert_Interface                $assert
    496. 

  496.      * @uses   Zend_Acl::setRule()
    497. 

  497.      * @return Zend_Acl Provides a fluent interface
    498. 

  498.      */
    499. 

  499.     public function deny($roles = null, $resources = null, $privileges = null, Zend_Acl_Assert_Interface $assert = null)
    500. 

  500.     {
    501. 

  501.         return $this->setRule(self::OP_ADD, self::TYPE_DENY, $roles, $resources, $privileges, $assert);
    502. 

  502.     }
    503. 

  503. 

  504.     /**
    505. 

  505.      * Removes "allow" permissions from the ACL
    506. 

  506.      *
    507. 

  507.      * @param  Zend_Acl_Role_Interface|string|array     $roles
    508. 

  508.      * @param  Zend_Acl_Resource_Interface|string|array $resources
    509. 

  509.      * @param  string|array                             $privileges
    510. 

  510.      * @uses   Zend_Acl::setRule()
    511. 

  511.      * @return Zend_Acl Provides a fluent interface
    512. 

  512.      */
    513. 

  513.     public function removeAllow($roles = null, $resources = null, $privileges = null)
    514. 

  514.     {
    515. 

  515.         return $this->setRule(self::OP_REMOVE, self::TYPE_ALLOW, $roles, $resources, $privileges);
    516. 

  516.     }
    517. 

  517. 

  518.     /**
    519. 

  519.      * Removes "deny" restrictions from the ACL
    520. 

  520.      *
    521. 

  521.      * @param  Zend_Acl_Role_Interface|string|array     $roles
    522. 

  522.      * @param  Zend_Acl_Resource_Interface|string|array $resources
    523. 

  523.      * @param  string|array                             $privileges
    524. 

  524.      * @uses   Zend_Acl::setRule()
    525. 

  525.      * @return Zend_Acl Provides a fluent interface
    526. 

  526.      */
    527. 

  527.     public function removeDeny($roles = null, $resources = null, $privileges = null)
    528. 

  528.     {
    529. 

  529.         return $this->setRule(self::OP_REMOVE, self::TYPE_DENY, $roles, $resources, $privileges);
    530. 

  530.     }
    531. 

  531. 

  532.     /**
    533. 

  533.      * Performs operations on ACL rules
    534. 

  534.      *
    535. 

  535.      * The $operation parameter may be either OP_ADD or OP_REMOVE, depending on whether the
    536. 

  536.      * user wants to add or remove a rule, respectively:
    537. 

  537.      *
    538. 

  538.      * OP_ADD specifics:
    539. 

  539.      *
    540. 

  540.      *      A rule is added that would allow one or more Roles access to [certain $privileges
    541. 

  541.      *      upon] the specified Resource(s).
    542. 

  542.      *
    543. 

  543.      * OP_REMOVE specifics:
    544. 

  544.      *
    545. 

  545.      *      The rule is removed only in the context of the given Roles, Resources, and privileges.
    546. 

  546.      *      Existing rules to which the remove operation does not apply would remain in the
    547. 

  547.      *      ACL.
    548. 

  548.      *
    549. 

  549.      * The $type parameter may be either TYPE_ALLOW or TYPE_DENY, depending on whether the
    550. 

  550.      * rule is intended to allow or deny permission, respectively.
    551. 

  551.      *
    552. 

  552.      * The $roles and $resources parameters may be references to, or the string identifiers for,
    553. 

  553.      * existing Resources/Roles, or they may be passed as arrays of these - mixing string identifiers
    554. 

  554.      * and objects is ok - to indicate the Resources and Roles to which the rule applies. If either
    555. 

  555.      * $roles or $resources is null, then the rule applies to all Roles or all Resources, respectively.
    556. 

  556.      * Both may be null in order to work with the default rule of the ACL.
    557. 

  557.      *
    558. 

  558.      * The $privileges parameter may be used to further specify that the rule applies only
    559. 

  559.      * to certain privileges upon the Resource(s) in question. This may be specified to be a single
    560. 

  560.      * privilege with a string, and multiple privileges may be specified as an array of strings.
    561. 

  561.      *
    562. 

  562.      * If $assert is provided, then its assert() method must return true in order for
    563. 

  563.      * the rule to apply. If $assert is provided with $roles, $resources, and $privileges all
    564. 

  564.      * equal to null, then a rule having a type of:
    565. 

  565.      *
    566. 

  566.      *      TYPE_ALLOW will imply a type of TYPE_DENY, and
    567. 

  567.      *
    568. 

  568.      *      TYPE_DENY will imply a type of TYPE_ALLOW
    569. 

  569.      *
    570. 

  570.      * when the rule's assertion fails. This is because the ACL needs to provide expected
    571. 

  571.      * behavior when an assertion upon the default ACL rule fails.
    572. 

  572.      *
    573. 

  573.      * @param  string                                   $operation
    574. 

  574.      * @param  string                                   $type
    575. 

  575.      * @param  Zend_Acl_Role_Interface|string|array     $roles
    576. 

  576.      * @param  Zend_Acl_Resource_Interface|string|array $resources
    577. 

  577.      * @param  string|array                             $privileges
    578. 

  578.      * @param  Zend_Acl_Assert_Interface                $assert
    579. 

  579.      * @throws Zend_Acl_Exception
    580. 

  580.      * @uses   Zend_Acl_Role_Registry::get()
    581. 

  581.      * @uses   Zend_Acl::get()
    582. 

  582.      * @return Zend_Acl Provides a fluent interface
    583. 

  583.      */
    584. 

  584.     public function setRule($operation, $type, $roles = null, $resources = null, $privileges = null,
    585. 

  585.                             Zend_Acl_Assert_Interface $assert = null)
    586. 

  586.     {
    587. 

  587.         // ensure that the rule type is valid; normalize input to uppercase
    588. 

  588.         $type = strtoupper($type);
    589. 

  589.         if (self::TYPE_ALLOW !== $type && self::TYPE_DENY !== $type) {
    590. 

  590.             require_once 'Zend/Acl/Exception.php';
    591. 

  591.             throw new Zend_Acl_Exception("Unsupported rule type; must be either '" . self::TYPE_ALLOW . "' or '"
    592. 

  592.                                        . self::TYPE_DENY . "'");
    593. 

  593.         }
    594. 

  594. 

  595.         // ensure that all specified Roles exist; normalize input to array of Role objects or null
    596. 

  596.         if (!is_array($roles)) {
    597. 

  597.             $roles = array($roles);
    598. 

  598.         } else if (0 === count($roles)) {
    599. 

  599.             $roles = array(null);
    600. 

  600.         }
    601. 

  601.         $rolesTemp = $roles;
    602. 

  602.         $roles = array();
    603. 

  603.         foreach ($rolesTemp as $role) {
    604. 

  604.             if (null !== $role) {
    605. 

  605.                 $roles[] = $this->_getRoleRegistry()->get($role);
    606. 

  606.             } else {
    607. 

  607.                 $roles[] = null;
    608. 

  608.             }
    609. 

  609.         }
    610. 

  610.         unset($rolesTemp);
    611. 

  611. 

  612.         // ensure that all specified Resources exist; normalize input to array of Resource objects or null
    613. 

  613.         if (!is_array($resources)) {
    614. 

  614.             $resources = array($resources);
    615. 

  615.         } else if (0 === count($resources)) {
    616. 

  616.             $resources = array(null);
    617. 

  617.         }
    618. 

  618.         $resourcesTemp = $resources;
    619. 

  619.         $resources = array();
    620. 

  620.         foreach ($resourcesTemp as $resource) {
    621. 

  621.             if (null !== $resource) {
    622. 

  622.                 $resources[] = $this->get($resource);
    623. 

  623.             } else {
    624. 

  624.                 $resources[] = null;
    625. 

  625.             }
    626. 

  626.         }
    627. 

  627.         unset($resourcesTemp);
    628. 

  628. 

  629.         // normalize privileges to array
    630. 

  630.         if (null === $privileges) {
    631. 

  631.             $privileges = array();
    632. 

  632.         } else if (!is_array($privileges)) {
    633. 

  633.             $privileges = array($privileges);
    634. 

  634.         }
    635. 

  635. 

  636.         switch ($operation) {
    637. 

  637. 

  638.             // add to the rules
    639. 

  639.             case self::OP_ADD:
    640. 

  640.                 foreach ($resources as $resource) {
    641. 

  641.                     foreach ($roles as $role) {
    642. 

  642.                         $rules =& $this->_getRules($resource, $role, true);
    643. 

  643.                         if (0 === count($privileges)) {
    644. 

  644.                             $rules['allPrivileges']['type']   = $type;
    645. 

  645.                             $rules['allPrivileges']['assert'] = $assert;
    646. 

  646.                             if (!isset($rules['byPrivilegeId'])) {
    647. 

  647.                                 $rules['byPrivilegeId'] = array();
    648. 

  648.                             }
    649. 

  649.                         } else {
    650. 

  650.                             foreach ($privileges as $privilege) {
    651. 

  651.                                 $rules['byPrivilegeId'][$privilege]['type']   = $type;
    652. 

  652.                                 $rules['byPrivilegeId'][$privilege]['assert'] = $assert;
    653. 

  653.                             }
    654. 

  654.                         }
    655. 

  655.                     }
    656. 

  656.                 }
    657. 

  657.                 break;
    658. 

  658. 

  659.             // remove from the rules
    660. 

  660.             case self::OP_REMOVE:
    661. 

  661.                 foreach ($resources as $resource) {
    662. 

  662.                     foreach ($roles as $role) {
    663. 

  663.                         $rules =& $this->_getRules($resource, $role);
    664. 

  664.                         if (null === $rules) {
    665. 

  665.                             continue;
    666. 

  666.                         }
    667. 

  667.                         if (0 === count($privileges)) {
    668. 

  668.                             if (null === $resource && null === $role) {
    669. 

  669.                                 if ($type === $rules['allPrivileges']['type']) {
    670. 

  670.                                     $rules = array(
    671. 

  671.                                         'allPrivileges' => array(
    672. 

  672.                                             'type'   => self::TYPE_DENY,
    673. 

  673.                                             'assert' => null
    674. 

  674.                                             ),
    675. 

  675.                                         'byPrivilegeId' => array()
    676. 

  676.                                         );
    677. 

  677.                                 }
    678. 

  678.                                 continue;
    679. 

  679.                             }
    680. 

  680.                             if ($type === $rules['allPrivileges']['type']) {
    681. 

  681.                                 unset($rules['allPrivileges']);
    682. 

  682.                             }
    683. 

  683.                         } else {
    684. 

  684.                             foreach ($privileges as $privilege) {
    685. 

  685.                                 if (isset($rules['byPrivilegeId'][$privilege]) &&
    686. 

  686.                                     $type === $rules['byPrivilegeId'][$privilege]['type']) {
    687. 

  687.                                     unset($rules['byPrivilegeId'][$privilege]);
    688. 

  688.                                 }
    689. 

  689.                             }
    690. 

  690.                         }
    691. 

  691.                     }
    692. 

  692.                 }
    693. 

  693.                 break;
    694. 

  694. 

  695.             default:
    696. 

  696.                 require_once 'Zend/Acl/Exception.php';
    697. 

  697.                 throw new Zend_Acl_Exception("Unsupported operation; must be either '" . self::OP_ADD . "' or '"
    698. 

  698.                                            . self::OP_REMOVE . "'");
    699. 

  699.         }
    700. 

  700. 

  701.         return $this;
    702. 

  702.     }
    703. 

  703. 

  704.     /**
    705. 

  705.      * Returns true if and only if the Role has access to the Resource
    706. 

  706.      *
    707. 

  707.      * The $role and $resource parameters may be references to, or the string identifiers for,
    708. 

  708.      * an existing Resource and Role combination.
    709. 

  709.      *
    710. 

  710.      * If either $role or $resource is null, then the query applies to all Roles or all Resources,
    711. 

  711.      * respectively. Both may be null to query whether the ACL has a "blacklist" rule
    712. 

  712.      * (allow everything to all). By default, Zend_Acl creates a "whitelist" rule (deny
    713. 

  713.      * everything to all), and this method would return false unless this default has
    714. 

  714.      * been overridden (i.e., by executing $acl->allow()).
    715. 

  715.      *
    716. 

  716.      * If a $privilege is not provided, then this method returns false if and only if the
    717. 

  717.      * Role is denied access to at least one privilege upon the Resource. In other words, this
    718. 

  718.      * method returns true if and only if the Role is allowed all privileges on the Resource.
    719. 

  719.      *
    720. 

  720.      * This method checks Role inheritance using a depth-first traversal of the Role registry.
    721. 

  721.      * The highest priority parent (i.e., the parent most recently added) is checked first,
    722. 

  722.      * and its respective parents are checked similarly before the lower-priority parents of
    723. 

  723.      * the Role are checked.
    724. 

  724.      *
    725. 

  725.      * @param  Zend_Acl_Role_Interface|string     $role
    726. 

  726.      * @param  Zend_Acl_Resource_Interface|string $resource
    727. 

  727.      * @param  string                             $privilege
    728. 

  728.      * @uses   Zend_Acl::get()
    729. 

  729.      * @uses   Zend_Acl_Role_Registry::get()
    730. 

  730.      * @return boolean
    731. 

  731.      */
    732. 

  732.     public function isAllowed($role = null, $resource = null, $privilege = null)
    733. 

  733.     {
    734. 

  734.         // reset role & resource to null
    735. 

  735.         $this->_isAllowedRole = $this->_isAllowedResource = null;
    736. 

  736. 

  737.         if (null !== $role) {
    738. 

  738.             // keep track of originally called role
    739. 

  739.             $this->_isAllowedRole = $role;
    740. 

  740.             $role = $this->_getRoleRegistry()->get($role);
    741. 

  741.             if (!$this->_isAllowedRole instanceof Zend_Acl_Role_Interface) {
    742. 

  742.                 $this->_isAllowedRole = $role;
    743. 

  743.             }
    744. 

  744.         }
    745. 

  745. 

  746.         if (null !== $resource) {
    747. 

  747.             // keep track of originally called resource
    748. 

  748.             $this->_isAllowedResource = $resource;
    749. 

  749.             $resource = $this->get($resource);
    750. 

  750.             if (!$this->_isAllowedResource instanceof Zend_Acl_Resource_Interface) {
    751. 

  751.                 $this->_isAllowedResource = $resource;
    752. 

  752.             }
    753. 

  753.         }
    754. 

  754. 

  755.         if (null === $privilege) {
    756. 

  756.             // query on all privileges
    757. 

  757.             do {
    758. 

  758.                 // depth-first search on $role if it is not 'allRoles' pseudo-parent
    759. 

  759.                 if (null !== $role && null !== ($result = $this->_roleDFSAllPrivileges($role, $resource, $privilege))) {
    760. 

  760.                     return $result;
    761. 

  761.                 }
    762. 

  762. 

  763.                 // look for rule on 'allRoles' psuedo-parent
    764. 

  764.                 if (null !== ($rules = $this->_getRules($resource, null))) {
    765. 

  765.                     foreach ($rules['byPrivilegeId'] as $privilege => $rule) {
    766. 

  766.                         if (self::TYPE_DENY === ($ruleTypeOnePrivilege = $this->_getRuleType($resource, null, $privilege))) {
    767. 

  767.                             return false;
    768. 

  768.                         }
    769. 

  769.                     }
    770. 

  770.                     if (null !== ($ruleTypeAllPrivileges = $this->_getRuleType($resource, null, null))) {
    771. 

  771.                         return self::TYPE_ALLOW === $ruleTypeAllPrivileges;
    772. 

  772.                     }
    773. 

  773.                 }
    774. 

  774. 

  775.                 // try next Resource
    776. 

  776.                 $resource = $this->_resources[$resource->getResourceId()]['parent'];
    777. 

  777. 

  778.             } while (true); // loop terminates at 'allResources' pseudo-parent
    779. 

  779.         } else {
    780. 

  780.             // query on one privilege
    781. 

  781.             do {
    782. 

  782.                 // depth-first search on $role if it is not 'allRoles' pseudo-parent
    783. 

  783.                 if (null !== $role && null !== ($result = $this->_roleDFSOnePrivilege($role, $resource, $privilege))) {
    784. 

  784.                     return $result;
    785. 

  785.                 }
    786. 

  786. 

  787.                 // look for rule on 'allRoles' pseudo-parent
    788. 

  788.                 if (null !== ($ruleType = $this->_getRuleType($resource, null, $privilege))) {
    789. 

  789.                     return self::TYPE_ALLOW === $ruleType;
    790. 

  790.                 } else if (null !== ($ruleTypeAllPrivileges = $this->_getRuleType($resource, null, null))) {
    791. 

  791.                     return self::TYPE_ALLOW === $ruleTypeAllPrivileges;
    792. 

  792.                 }
    793. 

  793. 

  794.                 // try next Resource
    795. 

  795.                 $resource = $this->_resources[$resource->getResourceId()]['parent'];
    796. 

  796. 

  797.             } while (true); // loop terminates at 'allResources' pseudo-parent
    798. 

  798.         }
    799. 

  799.     }
    800. 

  800. 

  801.     /**
    802. 

  802.      * Returns the Role registry for this ACL
    803. 

  803.      *
    804. 

  804.      * If no Role registry has been created yet, a new default Role registry
    805. 

  805.      * is created and returned.
    806. 

  806.      *
    807. 

  807.      * @return Zend_Acl_Role_Registry
    808. 

  808.      */
    809. 

  809.     protected function _getRoleRegistry()
    810. 

  810.     {
    811. 

  811.         if (null === $this->_roleRegistry) {
    812. 

  812.             $this->_roleRegistry = new Zend_Acl_Role_Registry();
    813. 

  813.         }
    814. 

  814.         return $this->_roleRegistry;
    815. 

  815.     }
    816. 

  816. 

  817.     /**
    818. 

  818.      * Performs a depth-first search of the Role DAG, starting at $role, in order to find a rule
    819. 

  819.      * allowing/denying $role access to all privileges upon $resource
    820. 

  820.      *
    821. 

  821.      * This method returns true if a rule is found and allows access. If a rule exists and denies access,
    822. 

  822.      * then this method returns false. If no applicable rule is found, then this method returns null.
    823. 

  823.      *
    824. 

  824.      * @param  Zend_Acl_Role_Interface     $role
    825. 

  825.      * @param  Zend_Acl_Resource_Interface $resource
    826. 

  826.      * @return boolean|null
    827. 

  827.      */
    828. 

  828.     protected function _roleDFSAllPrivileges(Zend_Acl_Role_Interface $role, Zend_Acl_Resource_Interface $resource = null)
    829. 

  829.     {
    830. 

  830.         $dfs = array(
    831. 

  831.             'visited' => array(),
    832. 

  832.             'stack'   => array()
    833. 

  833.             );
    834. 

  834. 

  835.         if (null !== ($result = $this->_roleDFSVisitAllPrivileges($role, $resource, $dfs))) {
    836. 

  836.             return $result;
    837. 

  837.         }
    838. 

  838. 

  839.         while (null !== ($role = array_pop($dfs['stack']))) {
    840. 

  840.             if (!isset($dfs['visited'][$role->getRoleId()])) {
    841. 

  841.                 if (null !== ($result = $this->_roleDFSVisitAllPrivileges($role, $resource, $dfs))) {
    842. 

  842.                     return $result;
    843. 

  843.                 }
    844. 

  844.             }
    845. 

  845.         }
    846. 

  846. 

  847.         return null;
    848. 

  848.     }
    849. 

  849. 

  850.     /**
    851. 

  851.      * Visits an $role in order to look for a rule allowing/denying $role access to all privileges upon $resource
    852. 

  852.      *
    853. 

  853.      * This method returns true if a rule is found and allows access. If a rule exists and denies access,
    854. 

  854.      * then this method returns false. If no applicable rule is found, then this method returns null.
    855. 

  855.      *
    856. 

  856.      * This method is used by the internal depth-first search algorithm and may modify the DFS data structure.
    857. 

  857.      *
    858. 

  858.      * @param  Zend_Acl_Role_Interface     $role
    859. 

  859.      * @param  Zend_Acl_Resource_Interface $resource
    860. 

  860.      * @param  array                  $dfs
    861. 

  861.      * @return boolean|null
    862. 

  862.      * @throws Zend_Acl_Exception
    863. 

  863.      */
    864. 

  864.     protected function _roleDFSVisitAllPrivileges(Zend_Acl_Role_Interface $role, Zend_Acl_Resource_Interface $resource = null,
    865. 

  865.                                                  &$dfs = null)
    866. 

  866.     {
    867. 

  867.         if (null === $dfs) {
    868. 

  868.             /**
    869. 

  869.              * @see Zend_Acl_Exception
    870. 

  870.              */
    871. 

  871.             require_once 'Zend/Acl/Exception.php';
    872. 

  872.             throw new Zend_Acl_Exception('$dfs parameter may not be null');
    873. 

  873.         }
    874. 

  874. 

  875.         if (null !== ($rules = $this->_getRules($resource, $role))) {
    876. 

  876.             foreach ($rules['byPrivilegeId'] as $privilege => $rule) {
    877. 

  877.                 if (self::TYPE_DENY === ($ruleTypeOnePrivilege = $this->_getRuleType($resource, $role, $privilege))) {
    878. 

  878.                     return false;
    879. 

  879.                 }
    880. 

  880.             }
    881. 

  881.             if (null !== ($ruleTypeAllPrivileges = $this->_getRuleType($resource, $role, null))) {
    882. 

  882.                 return self::TYPE_ALLOW === $ruleTypeAllPrivileges;
    883. 

  883.             }
    884. 

  884.         }
    885. 

  885. 

  886.         $dfs['visited'][$role->getRoleId()] = true;
    887. 

  887.         foreach ($this->_getRoleRegistry()->getParents($role) as $roleParentId => $roleParent) {
    888. 

  888.             $dfs['stack'][] = $roleParent;
    889. 

  889.         }
    890. 

  890. 

  891.         return null;
    892. 

  892.     }
    893. 

  893. 

  894.     /**
    895. 

  895.      * Performs a depth-first search of the Role DAG, starting at $role, in order to find a rule
    896. 

  896.      * allowing/denying $role access to a $privilege upon $resource
    897. 

  897.      *
    898. 

  898.      * This method returns true if a rule is found and allows access. If a rule exists and denies access,
    899. 

  899.      * then this method returns false. If no applicable rule is found, then this method returns null.
    900. 

  900.      *
    901. 

  901.      * @param  Zend_Acl_Role_Interface     $role
    902. 

  902.      * @param  Zend_Acl_Resource_Interface $resource
    903. 

  903.      * @param  string                      $privilege
    904. 

  904.      * @return boolean|null
    905. 

  905.      * @throws Zend_Acl_Exception
    906. 

  906.      */
    907. 

  907.     protected function _roleDFSOnePrivilege(Zend_Acl_Role_Interface $role, Zend_Acl_Resource_Interface $resource = null,
    908. 

  908.                                             $privilege = null)
    909. 

  909.     {
    910. 

  910.         if (null === $privilege) {
    911. 

  911.             /**
    912. 

  912.              * @see Zend_Acl_Exception
    913. 

  913.              */
    914. 

  914.             require_once 'Zend/Acl/Exception.php';
    915. 

  915.             throw new Zend_Acl_Exception('$privilege parameter may not be null');
    916. 

  916.         }
    917. 

  917. 

  918.         $dfs = array(
    919. 

  919.             'visited' => array(),
    920. 

  920.             'stack'   => array()
    921. 

  921.             );
    922. 

  922. 

  923.         if (null !== ($result = $this->_roleDFSVisitOnePrivilege($role, $resource, $privilege, $dfs))) {
    924. 

  924.             return $result;
    925. 

  925.         }
    926. 

  926. 

  927.         while (null !== ($role = array_pop($dfs['stack']))) {
    928. 

  928.             if (!isset($dfs['visited'][$role->getRoleId()])) {
    929. 

  929.                 if (null !== ($result = $this->_roleDFSVisitOnePrivilege($role, $resource, $privilege, $dfs))) {
    930. 

  930.                     return $result;
    931. 

  931.                 }
    932. 

  932.             }
    933. 

  933.         }
    934. 

  934. 

  935.         return null;
    936. 

  936.     }
    937. 

  937. 

  938.     /**
    939. 

  939.      * Visits an $role in order to look for a rule allowing/denying $role access to a $privilege upon $resource
    940. 

  940.      *
    941. 

  941.      * This method returns true if a rule is found and allows access. If a rule exists and denies access,
    942. 

  942.      * then this method returns false. If no applicable rule is found, then this method returns null.
    943. 

  943.      *
    944. 

  944.      * This method is used by the internal depth-first search algorithm and may modify the DFS data structure.
    945. 

  945.      *
    946. 

  946.      * @param  Zend_Acl_Role_Interface     $role
    947. 

  947.      * @param  Zend_Acl_Resource_Interface $resource
    948. 

  948.      * @param  string                      $privilege
    949. 

  949.      * @param  array                       $dfs
    950. 

  950.      * @return boolean|null
    951. 

  951.      * @throws Zend_Acl_Exception
    952. 

  952.      */
    953. 

  953.     protected function _roleDFSVisitOnePrivilege(Zend_Acl_Role_Interface $role, Zend_Acl_Resource_Interface $resource = null,
    954. 

  954.                                                 $privilege = null, &$dfs = null)
    955. 

  955.     {
    956. 

  956.         if (null === $privilege) {
    957. 

  957.             /**
    958. 

  958.              * @see Zend_Acl_Exception
    959. 

  959.              */
    960. 

  960.             require_once 'Zend/Acl/Exception.php';
    961. 

  961.             throw new Zend_Acl_Exception('$privilege parameter may not be null');
    962. 

  962.         }
    963. 

  963. 

  964.         if (null === $dfs) {
    965. 

  965.             /**
    966. 

  966.              * @see Zend_Acl_Exception
    967. 

  967.              */
    968. 

  968.             require_once 'Zend/Acl/Exception.php';
    969. 

  969.             throw new Zend_Acl_Exception('$dfs parameter may not be null');
    970. 

  970.         }
    971. 

  971. 

  972.         if (null !== ($ruleTypeOnePrivilege = $this->_getRuleType($resource, $role, $privilege))) {
    973. 

  973.             return self::TYPE_ALLOW === $ruleTypeOnePrivilege;
    974. 

  974.         } else if (null !== ($ruleTypeAllPrivileges = $this->_getRuleType($resource, $role, null))) {
    975. 

  975.             return self::TYPE_ALLOW === $ruleTypeAllPrivileges;
    976. 

  976.         }
    977. 

  977. 

  978.         $dfs['visited'][$role->getRoleId()] = true;
    979. 

  979.         foreach ($this->_getRoleRegistry()->getParents($role) as $roleParentId => $roleParent) {
    980. 

  980.             $dfs['stack'][] = $roleParent;
    981. 

  981.         }
    982. 

  982. 

  983.         return null;
    984. 

  984.     }
    985. 

  985. 

  986.     /**
    987. 

  987.      * Returns the rule type associated with the specified Resource, Role, and privilege
    988. 

  988.      * combination.
    989. 

  989.      *
    990. 

  990.      * If a rule does not exist or its attached assertion fails, which means that
    991. 

  991.      * the rule is not applicable, then this method returns null. Otherwise, the
    992. 

  992.      * rule type applies and is returned as either TYPE_ALLOW or TYPE_DENY.
    993. 

  993.      *
    994. 

  994.      * If $resource or $role is null, then this means that the rule must apply to
    995. 

  995.      * all Resources or Roles, respectively.
    996. 

  996.      *
    997. 

  997.      * If $privilege is null, then the rule must apply to all privileges.
    998. 

  998.      *
    999. 

  999.      * If all three parameters are null, then the default ACL rule type is returned,
    1000. 

  1000.      * based on whether its assertion method passes.
    1001. 

  1001.      *
    1002. 

  1002.      * @param  Zend_Acl_Resource_Interface $resource
    1003. 

  1003.      * @param  Zend_Acl_Role_Interface     $role
    1004. 

  1004.      * @param  string                      $privilege
    1005. 

  1005.      * @return string|null
    1006. 

  1006.      */
    1007. 

  1007.     protected function _getRuleType(Zend_Acl_Resource_Interface $resource = null, Zend_Acl_Role_Interface $role = null,
    1008. 

  1008.                                     $privilege = null)
    1009. 

  1009.     {
    1010. 

  1010.         // get the rules for the $resource and $role
    1011. 

  1011.         if (null === ($rules = $this->_getRules($resource, $role))) {
    1012. 

  1012.             return null;
    1013. 

  1013.         }
    1014. 

  1014. 

  1015.         // follow $privilege
    1016. 

  1016.         if (null === $privilege) {
    1017. 

  1017.             if (isset($rules['allPrivileges'])) {
    1018. 

  1018.                 $rule = $rules['allPrivileges'];
    1019. 

  1019.             } else {
    1020. 

  1020.                 return null;
    1021. 

  1021.             }
    1022. 

  1022.         } else if (!isset($rules['byPrivilegeId'][$privilege])) {
    1023. 

  1023.             return null;
    1024. 

  1024.         } else {
    1025. 

  1025.             $rule = $rules['byPrivilegeId'][$privilege];
    1026. 

  1026.         }
    1027. 

  1027. 

  1028.         // check assertion first
    1029. 

  1029.         if ($rule['assert']) {
    1030. 

  1030.             $assertion = $rule['assert'];
    1031. 

  1031.             $assertionValue = $assertion->assert(
    1032. 

  1032.                 $this,
    1033. 

  1033.                 ($this->_isAllowedRole instanceof Zend_Acl_Role_Interface) ? $this->_isAllowedRole : $role,
    1034. 

  1034.                 ($this->_isAllowedResource instanceof Zend_Acl_Resource_Interface) ? $this->_isAllowedResource : $resource,
    1035. 

  1035.                 $privilege
    1036. 

  1036.                 );
    1037. 

  1037.         }
    1038. 

  1038. 

  1039.         if (null === $rule['assert'] || $assertionValue) {
    1040. 

  1040.             return $rule['type'];
    1041. 

  1041.         } else if (null !== $resource || null !== $role || null !== $privilege) {
    1042. 

  1042.             return null;
    1043. 

  1043.         } else if (self::TYPE_ALLOW === $rule['type']) {
    1044. 

  1044.             return self::TYPE_DENY;
    1045. 

  1045.         } else {
    1046. 

  1046.             return self::TYPE_ALLOW;
    1047. 

  1047.         }
    1048. 

  1048.     }
    1049. 

  1049. 

  1050.     /**
    1051. 

  1051.      * Returns the rules associated with a Resource and a Role, or null if no such rules exist
    1052. 

  1052.      *
    1053. 

  1053.      * If either $resource or $role is null, this means that the rules returned are for all Resources or all Roles,
    1054. 

  1054.      * respectively. Both can be null to return the default rule set for all Resources and all Roles.
    1055. 

  1055.      *
    1056. 

  1056.      * If the $create parameter is true, then a rule set is first created and then returned to the caller.
    1057. 

  1057.      *
    1058. 

  1058.      * @param  Zend_Acl_Resource_Interface $resource
    1059. 

  1059.      * @param  Zend_Acl_Role_Interface     $role
    1060. 

  1060.      * @param  boolean                     $create
    1061. 

  1061.      * @return array|null
    1062. 

  1062.      */
    1063. 

  1063.     protected function &_getRules(Zend_Acl_Resource_Interface $resource = null, Zend_Acl_Role_Interface $role = null,
    1064. 

  1064.                                   $create = false)
    1065. 

  1065.     {
    1066. 

  1066.         // create a reference to null
    1067. 

  1067.         $null = null;
    1068. 

  1068.         $nullRef =& $null;
    1069. 

  1069. 

  1070.         // follow $resource
    1071. 

  1071.         do {
    1072. 

  1072.             if (null === $resource) {
    1073. 

  1073.                 $visitor =& $this->_rules['allResources'];
    1074. 

  1074.                 break;
    1075. 

  1075.             }
    1076. 

  1076.             $resourceId = $resource->getResourceId();
    1077. 

  1077.             if (!isset($this->_rules['byResourceId'][$resourceId])) {
    1078. 

  1078.                 if (!$create) {
    1079. 

  1079.                     return $nullRef;
    1080. 

  1080.                 }
    1081. 

  1081.                 $this->_rules['byResourceId'][$resourceId] = array();
    1082. 

  1082.             }
    1083. 

  1083.             $visitor =& $this->_rules['byResourceId'][$resourceId];
    1084. 

  1084.         } while (false);
    1085. 

  1085. 

  1086. 

  1087.         // follow $role
    1088. 

  1088.         if (null === $role) {
    1089. 

  1089.             if (!isset($visitor['allRoles'])) {
    1090. 

  1090.                 if (!$create) {
    1091. 

  1091.                     return $nullRef;
    1092. 

  1092.                 }
    1093. 

  1093.                 $visitor['allRoles']['byPrivilegeId'] = array();
    1094. 

  1094.             }
    1095. 

  1095.             return $visitor['allRoles'];
    1096. 

  1096.         }
    1097. 

  1097.         $roleId = $role->getRoleId();
    1098. 

  1098.         if (!isset($visitor['byRoleId'][$roleId])) {
    1099. 

  1099.             if (!$create) {
    1100. 

  1100.                 return $nullRef;
    1101. 

  1101.             }
    1102. 

  1102.             $visitor['byRoleId'][$roleId]['byPrivilegeId'] = array();
    1103. 

  1103.         }
    1104. 

  1104.         return $visitor['byRoleId'][$roleId];
    1105. 

  1105.     }
    1106. 

  1106. 

  1107.     
    1108. 

  1108.     /**
    1109. 

  1109.      * @return array of registered roles
    1110. 

  1110.      *
    1111. 

  1111.      */
    1112. 

  1112.     public function getRegisteredRoles()
    1113. 

  1113.     { 
    1114. 

  1114.         return $this->_getRoleRegistry()->getRoles(); 
    1115. 

  1115.     } 
    1116. 

  1116. 

  1117. }
    1118.