Ana Sayfa Keşfet Yardım
Giriş Yap
boarspring
/
repo_zf1
şunun yansıması https://github.com/bluescreen/zf1-php7.2.git
2
0
Çatalla 1
Dosyalar Sorunlar 0 Wiki
Ağaç: 737fce37f9
Dallar Biçim İmleri
repo_zf1
/
library
/
Zend
/
Acl.php

Acl.php 41 KB
Geçmiş Ham

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734735736737738739740741742743744745746747748749750751752753754755756757758759760761762763764765766767768769770771772773774775776777778779780781782783784785786787788789790791792793794795796797798799800801802803804805806807808809810811812813814815816817818819820821822823824825826827828829830831832833834835836837838839840841842843844845846847848849850851852853854855856857858859860861862863864865866867868869870871872873874875876877878879880881882883884885886887888889890891892893894895896897898899900901902903904905906907908909910911912913914915916917918919920921922923924925926927928929930931932933934935936937938939940941942943944945946947948949950951952953954955956957958959960961962963964965966967968969970971972973974975976977978979980981982983984985986987988989990991992993994995996997998999100010011002100310041005100610071008100910101011101210131014101510161017101810191020102110221023102410251026102710281029103010311032103310341035103610371038103910401041104210431044104510461047104810491050105110521053105410551056105710581059106010611062106310641065106610671068106910701071107210731074107510761077107810791080108110821083108410851086108710881089109010911092109310941095109610971098109911001101110211031104110511061107110811091110111111121113111411151116111711181119 
  1. <?php
    2. 

  2. /**
    3. 

  3.  * Zend Framework
    4. 

  4.  *
    5. 

  5.  * LICENSE
    6. 

  6.  *
    7. 

  7.  * This source file is subject to the new BSD license that is bundled
    8. 

  8.  * with this package in the file LICENSE.txt.
    9. 

  9.  * It is also available through the world-wide-web at this URL:
    10. 

  10.  * http://framework.zend.com/license/new-bsd
    11. 

  11.  * If you did not receive a copy of the license and are unable to
    12. 

  12.  * obtain it through the world-wide-web, please send an email
    13. 

  13.  * to license@zend.com so we can send you a copy immediately.
    14. 

  14.  *
    15. 

  15.  * @category   Zend
    16. 

  16.  * @package    Zend_Acl
    17. 

  17.  * @copyright  Copyright (c) 2005-2009 Zend Technologies USA Inc. (http://www.zend.com)
    18. 

  18.  * @license    http://framework.zend.com/license/new-bsd     New BSD License
    19. 

  19.  * @version    $Id$
    20. 

  20.  */
    21. 

  21. 

  22. 

  23. /**
    24. 

  24.  * @see Zend_Acl_Resource_Interface
    25. 

  25.  */
    26. 

  26. require_once 'Zend/Acl/Resource/Interface.php';
    27. 

  27. 

  28. 

  29. /**
    30. 

  30.  * @see Zend_Acl_Role_Registry
    31. 

  31.  */
    32. 

  32. require_once 'Zend/Acl/Role/Registry.php';
    33. 

  33. 

  34. 

  35. /**
    36. 

  36.  * @see Zend_Acl_Assert_Interface
    37. 

  37.  */
    38. 

  38. require_once 'Zend/Acl/Assert/Interface.php';
    39. 

  39. 

  40. 

  41. /**
    42. 

  42.  * @category   Zend
    43. 

  43.  * @package    Zend_Acl
    44. 

  44.  * @copyright  Copyright (c) 2005-2009 Zend Technologies USA Inc. (http://www.zend.com)
    45. 

  45.  * @license    http://framework.zend.com/license/new-bsd     New BSD License
    46. 

  46.  */
    47. 

  47. class Zend_Acl
    48. 

  48. {
    49. 

  49.     /**
    50. 

  50.      * Rule type: allow
    51. 

  51.      */
    52. 

  52.     const TYPE_ALLOW = 'TYPE_ALLOW';
    53. 

  53. 

  54.     /**
    55. 

  55.      * Rule type: deny
    56. 

  56.      */
    57. 

  57.     const TYPE_DENY  = 'TYPE_DENY';
    58. 

  58. 

  59.     /**
    60. 

  60.      * Rule operation: add
    61. 

  61.      */
    62. 

  62.     const OP_ADD = 'OP_ADD';
    63. 

  63. 

  64.     /**
    65. 

  65.      * Rule operation: remove
    66. 

  66.      */
    67. 

  67.     const OP_REMOVE = 'OP_REMOVE';
    68. 

  68. 

  69.     /**
    70. 

  70.      * Role registry
    71. 

  71.      *
    72. 

  72.      * @var Zend_Acl_Role_Registry
    73. 

  73.      */
    74. 

  74.     protected $_roleRegistry = null;
    75. 

  75. 

  76.     /**
    77. 

  77.      * Resource tree
    78. 

  78.      *
    79. 

  79.      * @var array
    80. 

  80.      */
    81. 

  81.     protected $_resources = array();
    82. 

  82. 

  83.     /**
    84. 

  84.      * @var Zend_Acl_Role_Interface
    85. 

  85.      */
    86. 

  86.     protected $_isAllowedRole     = null;
    87. 

  87. 

  88.     /**
    89. 

  89.      * @var Zend_Acl_Resource_Interface
    90. 

  90.      */
    91. 

  91.     protected $_isAllowedResource = null;
    92. 

  92. 

  93.     /**
    94. 

  94.      * ACL rules; whitelist (deny everything to all) by default
    95. 

  95.      *
    96. 

  96.      * @var array
    97. 

  97.      */
    98. 

  98.     protected $_rules = array(
    99. 

  99.         'allResources' => array(
    100. 

  100.             'allRoles' => array(
    101. 

  101.                 'allPrivileges' => array(
    102. 

  102.                     'type'   => self::TYPE_DENY,
    103. 

  103.                     'assert' => null
    104. 

  104.                     ),
    105. 

  105.                 'byPrivilegeId' => array()
    106. 

  106.                 ),
    107. 

  107.             'byRoleId' => array()
    108. 

  108.             ),
    109. 

  109.         'byResourceId' => array()
    110. 

  110.         );
    111. 

  111. 

  112.     /**
    113. 

  113.      * Adds a Role having an identifier unique to the registry
    114. 

  114.      *
    115. 

  115.      * The $parents parameter may be a reference to, or the string identifier for,
    116. 

  116.      * a Role existing in the registry, or $parents may be passed as an array of
    117. 

  117.      * these - mixing string identifiers and objects is ok - to indicate the Roles
    118. 

  118.      * from which the newly added Role will directly inherit.
    119. 

  119.      *
    120. 

  120.      * In order to resolve potential ambiguities with conflicting rules inherited
    121. 

  121.      * from different parents, the most recently added parent takes precedence over
    122. 

  122.      * parents that were previously added. In other words, the first parent added
    123. 

  123.      * will have the least priority, and the last parent added will have the
    124. 

  124.      * highest priority.
    125. 

  125.      *
    126. 

  126.      * @param  Zend_Acl_Role_Interface              $role
    127. 

  127.      * @param  Zend_Acl_Role_Interface|string|array $parents
    128. 

  128.      * @uses   Zend_Acl_Role_Registry::add()
    129. 

  129.      * @return Zend_Acl Provides a fluent interface
    130. 

  130.      */
    131. 

  131.     public function addRole($role, $parents = null)
    132. 

  132.     {
    133. 

  133.         if (is_string($role)) {
    134. 

  134.             $role = new Zend_Acl_Role($role);
    135. 

  135.         }
    136. 

  136. 

  137.         if (!$role instanceof Zend_Acl_Role_Interface) {
    138. 

  138.             require_once 'Zend/Acl/Exception.php';
    139. 

  139.             throw new Zend_Acl_Exception('addRole() expects $role to be of type Zend_Acl_Role_Interface');
    140. 

  140.         }
    141. 

  141. 

  142. 

  143.         $this->_getRoleRegistry()->add($role, $parents);
    144. 

  144. 

  145.         return $this;
    146. 

  146.     }
    147. 

  147. 

  148.     /**
    149. 

  149.      * Returns the identified Role
    150. 

  150.      *
    151. 

  151.      * The $role parameter can either be a Role or Role identifier.
    152. 

  152.      *
    153. 

  153.      * @param  Zend_Acl_Role_Interface|string $role
    154. 

  154.      * @uses   Zend_Acl_Role_Registry::get()
    155. 

  155.      * @return Zend_Acl_Role_Interface
    156. 

  156.      */
    157. 

  157.     public function getRole($role)
    158. 

  158.     {
    159. 

  159.         return $this->_getRoleRegistry()->get($role);
    160. 

  160.     }
    161. 

  161. 

  162.     /**
    163. 

  163.      * Returns true if and only if the Role exists in the registry
    164. 

  164.      *
    165. 

  165.      * The $role parameter can either be a Role or a Role identifier.
    166. 

  166.      *
    167. 

  167.      * @param  Zend_Acl_Role_Interface|string $role
    168. 

  168.      * @uses   Zend_Acl_Role_Registry::has()
    169. 

  169.      * @return boolean
    170. 

  170.      */
    171. 

  171.     public function hasRole($role)
    172. 

  172.     {
    173. 

  173.         return $this->_getRoleRegistry()->has($role);
    174. 

  174.     }
    175. 

  175. 

  176.     /**
    177. 

  177.      * Returns true if and only if $role inherits from $inherit
    178. 

  178.      *
    179. 

  179.      * Both parameters may be either a Role or a Role identifier. If
    180. 

  180.      * $onlyParents is true, then $role must inherit directly from
    181. 

  181.      * $inherit in order to return true. By default, this method looks
    182. 

  182.      * through the entire inheritance DAG to determine whether $role
    183. 

  183.      * inherits from $inherit through its ancestor Roles.
    184. 

  184.      *
    185. 

  185.      * @param  Zend_Acl_Role_Interface|string $role
    186. 

  186.      * @param  Zend_Acl_Role_Interface|string $inherit
    187. 

  187.      * @param  boolean                        $onlyParents
    188. 

  188.      * @uses   Zend_Acl_Role_Registry::inherits()
    189. 

  189.      * @return boolean
    190. 

  190.      */
    191. 

  191.     public function inheritsRole($role, $inherit, $onlyParents = false)
    192. 

  192.     {
    193. 

  193.         return $this->_getRoleRegistry()->inherits($role, $inherit, $onlyParents);
    194. 

  194.     }
    195. 

  195. 

  196.     /**
    197. 

  197.      * Removes the Role from the registry
    198. 

  198.      *
    199. 

  199.      * The $role parameter can either be a Role or a Role identifier.
    200. 

  200.      *
    201. 

  201.      * @param  Zend_Acl_Role_Interface|string $role
    202. 

  202.      * @uses   Zend_Acl_Role_Registry::remove()
    203. 

  203.      * @return Zend_Acl Provides a fluent interface
    204. 

  204.      */
    205. 

  205.     public function removeRole($role)
    206. 

  206.     {
    207. 

  207.         $this->_getRoleRegistry()->remove($role);
    208. 

  208. 

  209.         if ($role instanceof Zend_Acl_Role_Interface) {
    210. 

  210.             $roleId = $role->getRoleId();
    211. 

  211.         } else {
    212. 

  212.             $roleId = $role;
    213. 

  213.         }
    214. 

  214. 

  215.         foreach ($this->_rules['allResources']['byRoleId'] as $roleIdCurrent => $rules) {
    216. 

  216.             if ($roleId === $roleIdCurrent) {
    217. 

  217.                 unset($this->_rules['allResources']['byRoleId'][$roleIdCurrent]);
    218. 

  218.             }
    219. 

  219.         }
    220. 

  220.         foreach ($this->_rules['byResourceId'] as $resourceIdCurrent => $visitor) {
    221. 

  221.             if (array_key_exists('byRoleId', $visitor)) {
    222. 

  222.                 foreach ($visitor['byRoleId'] as $roleIdCurrent => $rules) {
    223. 

  223.                     if ($roleId === $roleIdCurrent) {
    224. 

  224.                         unset($this->_rules['byResourceId'][$resourceIdCurrent]['byRoleId'][$roleIdCurrent]);
    225. 

  225.                     }
    226. 

  226.                 }
    227. 

  227.             }
    228. 

  228.         }
    229. 

  229. 

  230.         return $this;
    231. 

  231.     }
    232. 

  232. 

  233.     /**
    234. 

  234.      * Removes all Roles from the registry
    235. 

  235.      *
    236. 

  236.      * @uses   Zend_Acl_Role_Registry::removeAll()
    237. 

  237.      * @return Zend_Acl Provides a fluent interface
    238. 

  238.      */
    239. 

  239.     public function removeRoleAll()
    240. 

  240.     {
    241. 

  241.         $this->_getRoleRegistry()->removeAll();
    242. 

  242. 

  243.         foreach ($this->_rules['allResources']['byRoleId'] as $roleIdCurrent => $rules) {
    244. 

  244.             unset($this->_rules['allResources']['byRoleId'][$roleIdCurrent]);
    245. 

  245.         }
    246. 

  246.         foreach ($this->_rules['byResourceId'] as $resourceIdCurrent => $visitor) {
    247. 

  247.             foreach ($visitor['byRoleId'] as $roleIdCurrent => $rules) {
    248. 

  248.                 unset($this->_rules['byResourceId'][$resourceIdCurrent]['byRoleId'][$roleIdCurrent]);
    249. 

  249.             }
    250. 

  250.         }
    251. 

  251. 

  252.         return $this;
    253. 

  253.     }
    254. 

  254. 

  255.     /**
    256. 

  256.      * Adds a Resource having an identifier unique to the ACL
    257. 

  257.      *
    258. 

  258.      * The $parent parameter may be a reference to, or the string identifier for,
    259. 

  259.      * the existing Resource from which the newly added Resource will inherit.
    260. 

  260.      *
    261. 

  261.      * @param  Zend_Acl_Resource_Interface|string $resource
    262. 

  262.      * @param  Zend_Acl_Resource_Interface|string $parent
    263. 

  263.      * @throws Zend_Acl_Exception
    264. 

  264.      * @return Zend_Acl Provides a fluent interface
    265. 

  265.      */
    266. 

  266.     public function addResource($resource, $parent = null)
    267. 

  267.     {
    268. 

  268.         if (is_string($resource)) {
    269. 

  269.             $resource = new Zend_Acl_Resource($resource);
    270. 

  270.         }
    271. 

  271. 

  272.         if (!$resource instanceof Zend_Acl_Resource_Interface) {
    273. 

  273.             require_once 'Zend/Acl/Exception.php';
    274. 

  274.             throw new Zend_Acl_Exception('addResource() expects $resource to be of type Zend_Acl_Resource_Interface');
    275. 

  275.         }
    276. 

  276. 

  277.         $resourceId = $resource->getResourceId();
    278. 

  278. 

  279.         if ($this->has($resourceId)) {
    280. 

  280.             require_once 'Zend/Acl/Exception.php';
    281. 

  281.             throw new Zend_Acl_Exception("Resource id '$resourceId' already exists in the ACL");
    282. 

  282.         }
    283. 

  283. 

  284.         $resourceParent = null;
    285. 

  285. 

  286.         if (null !== $parent) {
    287. 

  287.             try {
    288. 

  288.                 if ($parent instanceof Zend_Acl_Resource_Interface) {
    289. 

  289.                     $resourceParentId = $parent->getResourceId();
    290. 

  290.                 } else {
    291. 

  291.                     $resourceParentId = $parent;
    292. 

  292.                 }
    293. 

  293.                 $resourceParent = $this->get($resourceParentId);
    294. 

  294.             } catch (Zend_Acl_Exception $e) {
    295. 

  295.                 throw new Zend_Acl_Exception("Parent Resource id '$resourceParentId' does not exist");
    296. 

  296.             }
    297. 

  297.             $this->_resources[$resourceParentId]['children'][$resourceId] = $resource;
    298. 

  298.         }
    299. 

  299. 

  300.         $this->_resources[$resourceId] = array(
    301. 

  301.             'instance' => $resource,
    302. 

  302.             'parent'   => $resourceParent,
    303. 

  303.             'children' => array()
    304. 

  304.             );
    305. 

  305. 

  306.         return $this;
    307. 

  307.     }
    308. 

  308. 

  309.     /**
    310. 

  310.      * Adds a Resource having an identifier unique to the ACL
    311. 

  311.      *
    312. 

  312.      * The $parent parameter may be a reference to, or the string identifier for,
    313. 

  313.      * the existing Resource from which the newly added Resource will inherit.
    314. 

  314.      *
    315. 

  315.      * @deprecated in version 1.9.1 and will be available till 2.0.  New code
    316. 

  316.      *             should use addResource() instead.
    317. 

  317.      *
    318. 

  318.      * @param  Zend_Acl_Resource_Interface        $resource
    319. 

  319.      * @param  Zend_Acl_Resource_Interface|string $parent
    320. 

  320.      * @throws Zend_Acl_Exception
    321. 

  321.      * @return Zend_Acl Provides a fluent interface
    322. 

  322.      */
    323. 

  323.     public function add(Zend_Acl_Resource_Interface $resource, $parent = null)
    324. 

  324.     {
    325. 

  325.         return $this->addResource($resource, $parent);
    326. 

  326.     }
    327. 

  327. 

  328.     /**
    329. 

  329.      * Returns the identified Resource
    330. 

  330.      *
    331. 

  331.      * The $resource parameter can either be a Resource or a Resource identifier.
    332. 

  332.      *
    333. 

  333.      * @param  Zend_Acl_Resource_Interface|string $resource
    334. 

  334.      * @throws Zend_Acl_Exception
    335. 

  335.      * @return Zend_Acl_Resource_Interface
    336. 

  336.      */
    337. 

  337.     public function get($resource)
    338. 

  338.     {
    339. 

  339.         if ($resource instanceof Zend_Acl_Resource_Interface) {
    340. 

  340.             $resourceId = $resource->getResourceId();
    341. 

  341.         } else {
    342. 

  342.             $resourceId = (string) $resource;
    343. 

  343.         }
    344. 

  344. 

  345.         if (!$this->has($resource)) {
    346. 

  346.             require_once 'Zend/Acl/Exception.php';
    347. 

  347.             throw new Zend_Acl_Exception("Resource '$resourceId' not found");
    348. 

  348.         }
    349. 

  349. 

  350.         return $this->_resources[$resourceId]['instance'];
    351. 

  351.     }
    352. 

  352. 

  353.     /**
    354. 

  354.      * Returns true if and only if the Resource exists in the ACL
    355. 

  355.      *
    356. 

  356.      * The $resource parameter can either be a Resource or a Resource identifier.
    357. 

  357.      *
    358. 

  358.      * @param  Zend_Acl_Resource_Interface|string $resource
    359. 

  359.      * @return boolean
    360. 

  360.      */
    361. 

  361.     public function has($resource)
    362. 

  362.     {
    363. 

  363.         if ($resource instanceof Zend_Acl_Resource_Interface) {
    364. 

  364.             $resourceId = $resource->getResourceId();
    365. 

  365.         } else {
    366. 

  366.             $resourceId = (string) $resource;
    367. 

  367.         }
    368. 

  368. 

  369.         return isset($this->_resources[$resourceId]);
    370. 

  370.     }
    371. 

  371. 

  372.     /**
    373. 

  373.      * Returns true if and only if $resource inherits from $inherit
    374. 

  374.      *
    375. 

  375.      * Both parameters may be either a Resource or a Resource identifier. If
    376. 

  376.      * $onlyParent is true, then $resource must inherit directly from
    377. 

  377.      * $inherit in order to return true. By default, this method looks
    378. 

  378.      * through the entire inheritance tree to determine whether $resource
    379. 

  379.      * inherits from $inherit through its ancestor Resources.
    380. 

  380.      *
    381. 

  381.      * @param  Zend_Acl_Resource_Interface|string $resource
    382. 

  382.      * @param  Zend_Acl_Resource_Interface|string $inherit
    383. 

  383.      * @param  boolean                            $onlyParent
    384. 

  384.      * @throws Zend_Acl_Resource_Registry_Exception
    385. 

  385.      * @return boolean
    386. 

  386.      */
    387. 

  387.     public function inherits($resource, $inherit, $onlyParent = false)
    388. 

  388.     {
    389. 

  389.         try {
    390. 

  390.             $resourceId     = $this->get($resource)->getResourceId();
    391. 

  391.             $inheritId = $this->get($inherit)->getResourceId();
    392. 

  392.         } catch (Zend_Acl_Exception $e) {
    393. 

  393.             throw $e;
    394. 

  394.         }
    395. 

  395. 

  396.         if (null !== $this->_resources[$resourceId]['parent']) {
    397. 

  397.             $parentId = $this->_resources[$resourceId]['parent']->getResourceId();
    398. 

  398.             if ($inheritId === $parentId) {
    399. 

  399.                 return true;
    400. 

  400.             } else if ($onlyParent) {
    401. 

  401.                 return false;
    402. 

  402.             }
    403. 

  403.         } else {
    404. 

  404.             return false;
    405. 

  405.         }
    406. 

  406. 

  407.         while (null !== $this->_resources[$parentId]['parent']) {
    408. 

  408.             $parentId = $this->_resources[$parentId]['parent']->getResourceId();
    409. 

  409.             if ($inheritId === $parentId) {
    410. 

  410.                 return true;
    411. 

  411.             }
    412. 

  412.         }
    413. 

  413. 

  414.         return false;
    415. 

  415.     }
    416. 

  416. 

  417.     /**
    418. 

  418.      * Removes a Resource and all of its children
    419. 

  419.      *
    420. 

  420.      * The $resource parameter can either be a Resource or a Resource identifier.
    421. 

  421.      *
    422. 

  422.      * @param  Zend_Acl_Resource_Interface|string $resource
    423. 

  423.      * @throws Zend_Acl_Exception
    424. 

  424.      * @return Zend_Acl Provides a fluent interface
    425. 

  425.      */
    426. 

  426.     public function remove($resource)
    427. 

  427.     {
    428. 

  428.         try {
    429. 

  429.             $resourceId = $this->get($resource)->getResourceId();
    430. 

  430.         } catch (Zend_Acl_Exception $e) {
    431. 

  431.             throw $e;
    432. 

  432.         }
    433. 

  433. 

  434.         $resourcesRemoved = array($resourceId);
    435. 

  435.         if (null !== ($resourceParent = $this->_resources[$resourceId]['parent'])) {
    436. 

  436.             unset($this->_resources[$resourceParent->getResourceId()]['children'][$resourceId]);
    437. 

  437.         }
    438. 

  438.         foreach ($this->_resources[$resourceId]['children'] as $childId => $child) {
    439. 

  439.             $this->remove($childId);
    440. 

  440.             $resourcesRemoved[] = $childId;
    441. 

  441.         }
    442. 

  442. 

  443.         foreach ($resourcesRemoved as $resourceIdRemoved) {
    444. 

  444.             foreach ($this->_rules['byResourceId'] as $resourceIdCurrent => $rules) {
    445. 

  445.                 if ($resourceIdRemoved === $resourceIdCurrent) {
    446. 

  446.                     unset($this->_rules['byResourceId'][$resourceIdCurrent]);
    447. 

  447.                 }
    448. 

  448.             }
    449. 

  449.         }
    450. 

  450. 

  451.         unset($this->_resources[$resourceId]);
    452. 

  452. 

  453.         return $this;
    454. 

  454.     }
    455. 

  455. 

  456.     /**
    457. 

  457.      * Removes all Resources
    458. 

  458.      *
    459. 

  459.      * @return Zend_Acl Provides a fluent interface
    460. 

  460.      */
    461. 

  461.     public function removeAll()
    462. 

  462.     {
    463. 

  463.         foreach ($this->_resources as $resourceId => $resource) {
    464. 

  464.             foreach ($this->_rules['byResourceId'] as $resourceIdCurrent => $rules) {
    465. 

  465.                 if ($resourceId === $resourceIdCurrent) {
    466. 

  466.                     unset($this->_rules['byResourceId'][$resourceIdCurrent]);
    467. 

  467.                 }
    468. 

  468.             }
    469. 

  469.         }
    470. 

  470. 

  471.         $this->_resources = array();
    472. 

  472. 

  473.         return $this;
    474. 

  474.     }
    475. 

  475. 

  476.     /**
    477. 

  477.      * Adds an "allow" rule to the ACL
    478. 

  478.      *
    479. 

  479.      * @param  Zend_Acl_Role_Interface|string|array     $roles
    480. 

  480.      * @param  Zend_Acl_Resource_Interface|string|array $resources
    481. 

  481.      * @param  string|array                             $privileges
    482. 

  482.      * @param  Zend_Acl_Assert_Interface                $assert
    483. 

  483.      * @uses   Zend_Acl::setRule()
    484. 

  484.      * @return Zend_Acl Provides a fluent interface
    485. 

  485.      */
    486. 

  486.     public function allow($roles = null, $resources = null, $privileges = null, Zend_Acl_Assert_Interface $assert = null)
    487. 

  487.     {
    488. 

  488.         return $this->setRule(self::OP_ADD, self::TYPE_ALLOW, $roles, $resources, $privileges, $assert);
    489. 

  489.     }
    490. 

  490. 

  491.     /**
    492. 

  492.      * Adds a "deny" rule to the ACL
    493. 

  493.      *
    494. 

  494.      * @param  Zend_Acl_Role_Interface|string|array     $roles
    495. 

  495.      * @param  Zend_Acl_Resource_Interface|string|array $resources
    496. 

  496.      * @param  string|array                             $privileges
    497. 

  497.      * @param  Zend_Acl_Assert_Interface                $assert
    498. 

  498.      * @uses   Zend_Acl::setRule()
    499. 

  499.      * @return Zend_Acl Provides a fluent interface
    500. 

  500.      */
    501. 

  501.     public function deny($roles = null, $resources = null, $privileges = null, Zend_Acl_Assert_Interface $assert = null)
    502. 

  502.     {
    503. 

  503.         return $this->setRule(self::OP_ADD, self::TYPE_DENY, $roles, $resources, $privileges, $assert);
    504. 

  504.     }
    505. 

  505. 

  506.     /**
    507. 

  507.      * Removes "allow" permissions from the ACL
    508. 

  508.      *
    509. 

  509.      * @param  Zend_Acl_Role_Interface|string|array     $roles
    510. 

  510.      * @param  Zend_Acl_Resource_Interface|string|array $resources
    511. 

  511.      * @param  string|array                             $privileges
    512. 

  512.      * @uses   Zend_Acl::setRule()
    513. 

  513.      * @return Zend_Acl Provides a fluent interface
    514. 

  514.      */
    515. 

  515.     public function removeAllow($roles = null, $resources = null, $privileges = null)
    516. 

  516.     {
    517. 

  517.         return $this->setRule(self::OP_REMOVE, self::TYPE_ALLOW, $roles, $resources, $privileges);
    518. 

  518.     }
    519. 

  519. 

  520.     /**
    521. 

  521.      * Removes "deny" restrictions from the ACL
    522. 

  522.      *
    523. 

  523.      * @param  Zend_Acl_Role_Interface|string|array     $roles
    524. 

  524.      * @param  Zend_Acl_Resource_Interface|string|array $resources
    525. 

  525.      * @param  string|array                             $privileges
    526. 

  526.      * @uses   Zend_Acl::setRule()
    527. 

  527.      * @return Zend_Acl Provides a fluent interface
    528. 

  528.      */
    529. 

  529.     public function removeDeny($roles = null, $resources = null, $privileges = null)
    530. 

  530.     {
    531. 

  531.         return $this->setRule(self::OP_REMOVE, self::TYPE_DENY, $roles, $resources, $privileges);
    532. 

  532.     }
    533. 

  533. 

  534.     /**
    535. 

  535.      * Performs operations on ACL rules
    536. 

  536.      *
    537. 

  537.      * The $operation parameter may be either OP_ADD or OP_REMOVE, depending on whether the
    538. 

  538.      * user wants to add or remove a rule, respectively:
    539. 

  539.      *
    540. 

  540.      * OP_ADD specifics:
    541. 

  541.      *
    542. 

  542.      *      A rule is added that would allow one or more Roles access to [certain $privileges
    543. 

  543.      *      upon] the specified Resource(s).
    544. 

  544.      *
    545. 

  545.      * OP_REMOVE specifics:
    546. 

  546.      *
    547. 

  547.      *      The rule is removed only in the context of the given Roles, Resources, and privileges.
    548. 

  548.      *      Existing rules to which the remove operation does not apply would remain in the
    549. 

  549.      *      ACL.
    550. 

  550.      *
    551. 

  551.      * The $type parameter may be either TYPE_ALLOW or TYPE_DENY, depending on whether the
    552. 

  552.      * rule is intended to allow or deny permission, respectively.
    553. 

  553.      *
    554. 

  554.      * The $roles and $resources parameters may be references to, or the string identifiers for,
    555. 

  555.      * existing Resources/Roles, or they may be passed as arrays of these - mixing string identifiers
    556. 

  556.      * and objects is ok - to indicate the Resources and Roles to which the rule applies. If either
    557. 

  557.      * $roles or $resources is null, then the rule applies to all Roles or all Resources, respectively.
    558. 

  558.      * Both may be null in order to work with the default rule of the ACL.
    559. 

  559.      *
    560. 

  560.      * The $privileges parameter may be used to further specify that the rule applies only
    561. 

  561.      * to certain privileges upon the Resource(s) in question. This may be specified to be a single
    562. 

  562.      * privilege with a string, and multiple privileges may be specified as an array of strings.
    563. 

  563.      *
    564. 

  564.      * If $assert is provided, then its assert() method must return true in order for
    565. 

  565.      * the rule to apply. If $assert is provided with $roles, $resources, and $privileges all
    566. 

  566.      * equal to null, then a rule having a type of:
    567. 

  567.      *
    568. 

  568.      *      TYPE_ALLOW will imply a type of TYPE_DENY, and
    569. 

  569.      *
    570. 

  570.      *      TYPE_DENY will imply a type of TYPE_ALLOW
    571. 

  571.      *
    572. 

  572.      * when the rule's assertion fails. This is because the ACL needs to provide expected
    573. 

  573.      * behavior when an assertion upon the default ACL rule fails.
    574. 

  574.      *
    575. 

  575.      * @param  string                                   $operation
    576. 

  576.      * @param  string                                   $type
    577. 

  577.      * @param  Zend_Acl_Role_Interface|string|array     $roles
    578. 

  578.      * @param  Zend_Acl_Resource_Interface|string|array $resources
    579. 

  579.      * @param  string|array                             $privileges
    580. 

  580.      * @param  Zend_Acl_Assert_Interface                $assert
    581. 

  581.      * @throws Zend_Acl_Exception
    582. 

  582.      * @uses   Zend_Acl_Role_Registry::get()
    583. 

  583.      * @uses   Zend_Acl::get()
    584. 

  584.      * @return Zend_Acl Provides a fluent interface
    585. 

  585.      */
    586. 

  586.     public function setRule($operation, $type, $roles = null, $resources = null, $privileges = null,
    587. 

  587.                             Zend_Acl_Assert_Interface $assert = null)
    588. 

  588.     {
    589. 

  589.         // ensure that the rule type is valid; normalize input to uppercase
    590. 

  590.         $type = strtoupper($type);
    591. 

  591.         if (self::TYPE_ALLOW !== $type && self::TYPE_DENY !== $type) {
    592. 

  592.             require_once 'Zend/Acl/Exception.php';
    593. 

  593.             throw new Zend_Acl_Exception("Unsupported rule type; must be either '" . self::TYPE_ALLOW . "' or '"
    594. 

  594.                                        . self::TYPE_DENY . "'");
    595. 

  595.         }
    596. 

  596. 

  597.         // ensure that all specified Roles exist; normalize input to array of Role objects or null
    598. 

  598.         if (!is_array($roles)) {
    599. 

  599.             $roles = array($roles);
    600. 

  600.         } else if (0 === count($roles)) {
    601. 

  601.             $roles = array(null);
    602. 

  602.         }
    603. 

  603.         $rolesTemp = $roles;
    604. 

  604.         $roles = array();
    605. 

  605.         foreach ($rolesTemp as $role) {
    606. 

  606.             if (null !== $role) {
    607. 

  607.                 $roles[] = $this->_getRoleRegistry()->get($role);
    608. 

  608.             } else {
    609. 

  609.                 $roles[] = null;
    610. 

  610.             }
    611. 

  611.         }
    612. 

  612.         unset($rolesTemp);
    613. 

  613. 

  614.         // ensure that all specified Resources exist; normalize input to array of Resource objects or null
    615. 

  615.         if (!is_array($resources)) {
    616. 

  616.             $resources = array($resources);
    617. 

  617.         } else if (0 === count($resources)) {
    618. 

  618.             $resources = array(null);
    619. 

  619.         }
    620. 

  620.         $resourcesTemp = $resources;
    621. 

  621.         $resources = array();
    622. 

  622.         foreach ($resourcesTemp as $resource) {
    623. 

  623.             if (null !== $resource) {
    624. 

  624.                 $resources[] = $this->get($resource);
    625. 

  625.             } else {
    626. 

  626.                 $resources[] = null;
    627. 

  627.             }
    628. 

  628.         }
    629. 

  629.         unset($resourcesTemp);
    630. 

  630. 

  631.         // normalize privileges to array
    632. 

  632.         if (null === $privileges) {
    633. 

  633.             $privileges = array();
    634. 

  634.         } else if (!is_array($privileges)) {
    635. 

  635.             $privileges = array($privileges);
    636. 

  636.         }
    637. 

  637. 

  638.         switch ($operation) {
    639. 

  639. 

  640.             // add to the rules
    641. 

  641.             case self::OP_ADD:
    642. 

  642.                 foreach ($resources as $resource) {
    643. 

  643.                     foreach ($roles as $role) {
    644. 

  644.                         $rules =& $this->_getRules($resource, $role, true);
    645. 

  645.                         if (0 === count($privileges)) {
    646. 

  646.                             $rules['allPrivileges']['type']   = $type;
    647. 

  647.                             $rules['allPrivileges']['assert'] = $assert;
    648. 

  648.                             if (!isset($rules['byPrivilegeId'])) {
    649. 

  649.                                 $rules['byPrivilegeId'] = array();
    650. 

  650.                             }
    651. 

  651.                         } else {
    652. 

  652.                             foreach ($privileges as $privilege) {
    653. 

  653.                                 $rules['byPrivilegeId'][$privilege]['type']   = $type;
    654. 

  654.                                 $rules['byPrivilegeId'][$privilege]['assert'] = $assert;
    655. 

  655.                             }
    656. 

  656.                         }
    657. 

  657.                     }
    658. 

  658.                 }
    659. 

  659.                 break;
    660. 

  660. 

  661.             // remove from the rules
    662. 

  662.             case self::OP_REMOVE:
    663. 

  663.                 foreach ($resources as $resource) {
    664. 

  664.                     foreach ($roles as $role) {
    665. 

  665.                         $rules =& $this->_getRules($resource, $role);
    666. 

  666.                         if (null === $rules) {
    667. 

  667.                             continue;
    668. 

  668.                         }
    669. 

  669.                         if (0 === count($privileges)) {
    670. 

  670.                             if (null === $resource && null === $role) {
    671. 

  671.                                 if ($type === $rules['allPrivileges']['type']) {
    672. 

  672.                                     $rules = array(
    673. 

  673.                                         'allPrivileges' => array(
    674. 

  674.                                             'type'   => self::TYPE_DENY,
    675. 

  675.                                             'assert' => null
    676. 

  676.                                             ),
    677. 

  677.                                         'byPrivilegeId' => array()
    678. 

  678.                                         );
    679. 

  679.                                 }
    680. 

  680.                                 continue;
    681. 

  681.                             }
    682. 

  682.                             if ($type === $rules['allPrivileges']['type']) {
    683. 

  683.                                 unset($rules['allPrivileges']);
    684. 

  684.                             }
    685. 

  685.                         } else {
    686. 

  686.                             foreach ($privileges as $privilege) {
    687. 

  687.                                 if (isset($rules['byPrivilegeId'][$privilege]) &&
    688. 

  688.                                     $type === $rules['byPrivilegeId'][$privilege]['type']) {
    689. 

  689.                                     unset($rules['byPrivilegeId'][$privilege]);
    690. 

  690.                                 }
    691. 

  691.                             }
    692. 

  692.                         }
    693. 

  693.                     }
    694. 

  694.                 }
    695. 

  695.                 break;
    696. 

  696. 

  697.             default:
    698. 

  698.                 require_once 'Zend/Acl/Exception.php';
    699. 

  699.                 throw new Zend_Acl_Exception("Unsupported operation; must be either '" . self::OP_ADD . "' or '"
    700. 

  700.                                            . self::OP_REMOVE . "'");
    701. 

  701.         }
    702. 

  702. 

  703.         return $this;
    704. 

  704.     }
    705. 

  705. 

  706.     /**
    707. 

  707.      * Returns true if and only if the Role has access to the Resource
    708. 

  708.      *
    709. 

  709.      * The $role and $resource parameters may be references to, or the string identifiers for,
    710. 

  710.      * an existing Resource and Role combination.
    711. 

  711.      *
    712. 

  712.      * If either $role or $resource is null, then the query applies to all Roles or all Resources,
    713. 

  713.      * respectively. Both may be null to query whether the ACL has a "blacklist" rule
    714. 

  714.      * (allow everything to all). By default, Zend_Acl creates a "whitelist" rule (deny
    715. 

  715.      * everything to all), and this method would return false unless this default has
    716. 

  716.      * been overridden (i.e., by executing $acl->allow()).
    717. 

  717.      *
    718. 

  718.      * If a $privilege is not provided, then this method returns false if and only if the
    719. 

  719.      * Role is denied access to at least one privilege upon the Resource. In other words, this
    720. 

  720.      * method returns true if and only if the Role is allowed all privileges on the Resource.
    721. 

  721.      *
    722. 

  722.      * This method checks Role inheritance using a depth-first traversal of the Role registry.
    723. 

  723.      * The highest priority parent (i.e., the parent most recently added) is checked first,
    724. 

  724.      * and its respective parents are checked similarly before the lower-priority parents of
    725. 

  725.      * the Role are checked.
    726. 

  726.      *
    727. 

  727.      * @param  Zend_Acl_Role_Interface|string     $role
    728. 

  728.      * @param  Zend_Acl_Resource_Interface|string $resource
    729. 

  729.      * @param  string                             $privilege
    730. 

  730.      * @uses   Zend_Acl::get()
    731. 

  731.      * @uses   Zend_Acl_Role_Registry::get()
    732. 

  732.      * @return boolean
    733. 

  733.      */
    734. 

  734.     public function isAllowed($role = null, $resource = null, $privilege = null)
    735. 

  735.     {
    736. 

  736.         // reset role & resource to null
    737. 

  737.         $this->_isAllowedRole = $this->_isAllowedResource = null;
    738. 

  738. 

  739.         if (null !== $role) {
    740. 

  740.             // keep track of originally called role
    741. 

  741.             $this->_isAllowedRole = $role;
    742. 

  742.             $role = $this->_getRoleRegistry()->get($role);
    743. 

  743.             if (!$this->_isAllowedRole instanceof Zend_Acl_Role_Interface) {
    744. 

  744.                 $this->_isAllowedRole = $role;
    745. 

  745.             }
    746. 

  746.         }
    747. 

  747. 

  748.         if (null !== $resource) {
    749. 

  749.             // keep track of originally called resource
    750. 

  750.             $this->_isAllowedResource = $resource;
    751. 

  751.             $resource = $this->get($resource);
    752. 

  752.             if (!$this->_isAllowedResource instanceof Zend_Acl_Resource_Interface) {
    753. 

  753.                 $this->_isAllowedResource = $resource;
    754. 

  754.             }
    755. 

  755.         }
    756. 

  756. 

  757.         if (null === $privilege) {
    758. 

  758.             // query on all privileges
    759. 

  759.             do {
    760. 

  760.                 // depth-first search on $role if it is not 'allRoles' pseudo-parent
    761. 

  761.                 if (null !== $role && null !== ($result = $this->_roleDFSAllPrivileges($role, $resource, $privilege))) {
    762. 

  762.                     return $result;
    763. 

  763.                 }
    764. 

  764. 

  765.                 // look for rule on 'allRoles' psuedo-parent
    766. 

  766.                 if (null !== ($rules = $this->_getRules($resource, null))) {
    767. 

  767.                     foreach ($rules['byPrivilegeId'] as $privilege => $rule) {
    768. 

  768.                         if (self::TYPE_DENY === ($ruleTypeOnePrivilege = $this->_getRuleType($resource, null, $privilege))) {
    769. 

  769.                             return false;
    770. 

  770.                         }
    771. 

  771.                     }
    772. 

  772.                     if (null !== ($ruleTypeAllPrivileges = $this->_getRuleType($resource, null, null))) {
    773. 

  773.                         return self::TYPE_ALLOW === $ruleTypeAllPrivileges;
    774. 

  774.                     }
    775. 

  775.                 }
    776. 

  776. 

  777.                 // try next Resource
    778. 

  778.                 $resource = $this->_resources[$resource->getResourceId()]['parent'];
    779. 

  779. 

  780.             } while (true); // loop terminates at 'allResources' pseudo-parent
    781. 

  781.         } else {
    782. 

  782.             // query on one privilege
    783. 

  783.             do {
    784. 

  784.                 // depth-first search on $role if it is not 'allRoles' pseudo-parent
    785. 

  785.                 if (null !== $role && null !== ($result = $this->_roleDFSOnePrivilege($role, $resource, $privilege))) {
    786. 

  786.                     return $result;
    787. 

  787.                 }
    788. 

  788. 

  789.                 // look for rule on 'allRoles' pseudo-parent
    790. 

  790.                 if (null !== ($ruleType = $this->_getRuleType($resource, null, $privilege))) {
    791. 

  791.                     return self::TYPE_ALLOW === $ruleType;
    792. 

  792.                 } else if (null !== ($ruleTypeAllPrivileges = $this->_getRuleType($resource, null, null))) {
    793. 

  793.                     return self::TYPE_ALLOW === $ruleTypeAllPrivileges;
    794. 

  794.                 }
    795. 

  795. 

  796.                 // try next Resource
    797. 

  797.                 $resource = $this->_resources[$resource->getResourceId()]['parent'];
    798. 

  798. 

  799.             } while (true); // loop terminates at 'allResources' pseudo-parent
    800. 

  800.         }
    801. 

  801.     }
    802. 

  802. 

  803.     /**
    804. 

  804.      * Returns the Role registry for this ACL
    805. 

  805.      *
    806. 

  806.      * If no Role registry has been created yet, a new default Role registry
    807. 

  807.      * is created and returned.
    808. 

  808.      *
    809. 

  809.      * @return Zend_Acl_Role_Registry
    810. 

  810.      */
    811. 

  811.     protected function _getRoleRegistry()
    812. 

  812.     {
    813. 

  813.         if (null === $this->_roleRegistry) {
    814. 

  814.             $this->_roleRegistry = new Zend_Acl_Role_Registry();
    815. 

  815.         }
    816. 

  816.         return $this->_roleRegistry;
    817. 

  817.     }
    818. 

  818. 

  819.     /**
    820. 

  820.      * Performs a depth-first search of the Role DAG, starting at $role, in order to find a rule
    821. 

  821.      * allowing/denying $role access to all privileges upon $resource
    822. 

  822.      *
    823. 

  823.      * This method returns true if a rule is found and allows access. If a rule exists and denies access,
    824. 

  824.      * then this method returns false. If no applicable rule is found, then this method returns null.
    825. 

  825.      *
    826. 

  826.      * @param  Zend_Acl_Role_Interface     $role
    827. 

  827.      * @param  Zend_Acl_Resource_Interface $resource
    828. 

  828.      * @return boolean|null
    829. 

  829.      */
    830. 

  830.     protected function _roleDFSAllPrivileges(Zend_Acl_Role_Interface $role, Zend_Acl_Resource_Interface $resource = null)
    831. 

  831.     {
    832. 

  832.         $dfs = array(
    833. 

  833.             'visited' => array(),
    834. 

  834.             'stack'   => array()
    835. 

  835.             );
    836. 

  836. 

  837.         if (null !== ($result = $this->_roleDFSVisitAllPrivileges($role, $resource, $dfs))) {
    838. 

  838.             return $result;
    839. 

  839.         }
    840. 

  840. 

  841.         while (null !== ($role = array_pop($dfs['stack']))) {
    842. 

  842.             if (!isset($dfs['visited'][$role->getRoleId()])) {
    843. 

  843.                 if (null !== ($result = $this->_roleDFSVisitAllPrivileges($role, $resource, $dfs))) {
    844. 

  844.                     return $result;
    845. 

  845.                 }
    846. 

  846.             }
    847. 

  847.         }
    848. 

  848. 

  849.         return null;
    850. 

  850.     }
    851. 

  851. 

  852.     /**
    853. 

  853.      * Visits an $role in order to look for a rule allowing/denying $role access to all privileges upon $resource
    854. 

  854.      *
    855. 

  855.      * This method returns true if a rule is found and allows access. If a rule exists and denies access,
    856. 

  856.      * then this method returns false. If no applicable rule is found, then this method returns null.
    857. 

  857.      *
    858. 

  858.      * This method is used by the internal depth-first search algorithm and may modify the DFS data structure.
    859. 

  859.      *
    860. 

  860.      * @param  Zend_Acl_Role_Interface     $role
    861. 

  861.      * @param  Zend_Acl_Resource_Interface $resource
    862. 

  862.      * @param  array                  $dfs
    863. 

  863.      * @return boolean|null
    864. 

  864.      * @throws Zend_Acl_Exception
    865. 

  865.      */
    866. 

  866.     protected function _roleDFSVisitAllPrivileges(Zend_Acl_Role_Interface $role, Zend_Acl_Resource_Interface $resource = null,
    867. 

  867.                                                  &$dfs = null)
    868. 

  868.     {
    869. 

  869.         if (null === $dfs) {
    870. 

  870.             /**
    871. 

  871.              * @see Zend_Acl_Exception
    872. 

  872.              */
    873. 

  873.             require_once 'Zend/Acl/Exception.php';
    874. 

  874.             throw new Zend_Acl_Exception('$dfs parameter may not be null');
    875. 

  875.         }
    876. 

  876. 

  877.         if (null !== ($rules = $this->_getRules($resource, $role))) {
    878. 

  878.             foreach ($rules['byPrivilegeId'] as $privilege => $rule) {
    879. 

  879.                 if (self::TYPE_DENY === ($ruleTypeOnePrivilege = $this->_getRuleType($resource, $role, $privilege))) {
    880. 

  880.                     return false;
    881. 

  881.                 }
    882. 

  882.             }
    883. 

  883.             if (null !== ($ruleTypeAllPrivileges = $this->_getRuleType($resource, $role, null))) {
    884. 

  884.                 return self::TYPE_ALLOW === $ruleTypeAllPrivileges;
    885. 

  885.             }
    886. 

  886.         }
    887. 

  887. 

  888.         $dfs['visited'][$role->getRoleId()] = true;
    889. 

  889.         foreach ($this->_getRoleRegistry()->getParents($role) as $roleParentId => $roleParent) {
    890. 

  890.             $dfs['stack'][] = $roleParent;
    891. 

  891.         }
    892. 

  892. 

  893.         return null;
    894. 

  894.     }
    895. 

  895. 

  896.     /**
    897. 

  897.      * Performs a depth-first search of the Role DAG, starting at $role, in order to find a rule
    898. 

  898.      * allowing/denying $role access to a $privilege upon $resource
    899. 

  899.      *
    900. 

  900.      * This method returns true if a rule is found and allows access. If a rule exists and denies access,
    901. 

  901.      * then this method returns false. If no applicable rule is found, then this method returns null.
    902. 

  902.      *
    903. 

  903.      * @param  Zend_Acl_Role_Interface     $role
    904. 

  904.      * @param  Zend_Acl_Resource_Interface $resource
    905. 

  905.      * @param  string                      $privilege
    906. 

  906.      * @return boolean|null
    907. 

  907.      * @throws Zend_Acl_Exception
    908. 

  908.      */
    909. 

  909.     protected function _roleDFSOnePrivilege(Zend_Acl_Role_Interface $role, Zend_Acl_Resource_Interface $resource = null,
    910. 

  910.                                             $privilege = null)
    911. 

  911.     {
    912. 

  912.         if (null === $privilege) {
    913. 

  913.             /**
    914. 

  914.              * @see Zend_Acl_Exception
    915. 

  915.              */
    916. 

  916.             require_once 'Zend/Acl/Exception.php';
    917. 

  917.             throw new Zend_Acl_Exception('$privilege parameter may not be null');
    918. 

  918.         }
    919. 

  919. 

  920.         $dfs = array(
    921. 

  921.             'visited' => array(),
    922. 

  922.             'stack'   => array()
    923. 

  923.             );
    924. 

  924. 

  925.         if (null !== ($result = $this->_roleDFSVisitOnePrivilege($role, $resource, $privilege, $dfs))) {
    926. 

  926.             return $result;
    927. 

  927.         }
    928. 

  928. 

  929.         while (null !== ($role = array_pop($dfs['stack']))) {
    930. 

  930.             if (!isset($dfs['visited'][$role->getRoleId()])) {
    931. 

  931.                 if (null !== ($result = $this->_roleDFSVisitOnePrivilege($role, $resource, $privilege, $dfs))) {
    932. 

  932.                     return $result;
    933. 

  933.                 }
    934. 

  934.             }
    935. 

  935.         }
    936. 

  936. 

  937.         return null;
    938. 

  938.     }
    939. 

  939. 

  940.     /**
    941. 

  941.      * Visits an $role in order to look for a rule allowing/denying $role access to a $privilege upon $resource
    942. 

  942.      *
    943. 

  943.      * This method returns true if a rule is found and allows access. If a rule exists and denies access,
    944. 

  944.      * then this method returns false. If no applicable rule is found, then this method returns null.
    945. 

  945.      *
    946. 

  946.      * This method is used by the internal depth-first search algorithm and may modify the DFS data structure.
    947. 

  947.      *
    948. 

  948.      * @param  Zend_Acl_Role_Interface     $role
    949. 

  949.      * @param  Zend_Acl_Resource_Interface $resource
    950. 

  950.      * @param  string                      $privilege
    951. 

  951.      * @param  array                       $dfs
    952. 

  952.      * @return boolean|null
    953. 

  953.      * @throws Zend_Acl_Exception
    954. 

  954.      */
    955. 

  955.     protected function _roleDFSVisitOnePrivilege(Zend_Acl_Role_Interface $role, Zend_Acl_Resource_Interface $resource = null,
    956. 

  956.                                                 $privilege = null, &$dfs = null)
    957. 

  957.     {
    958. 

  958.         if (null === $privilege) {
    959. 

  959.             /**
    960. 

  960.              * @see Zend_Acl_Exception
    961. 

  961.              */
    962. 

  962.             require_once 'Zend/Acl/Exception.php';
    963. 

  963.             throw new Zend_Acl_Exception('$privilege parameter may not be null');
    964. 

  964.         }
    965. 

  965. 

  966.         if (null === $dfs) {
    967. 

  967.             /**
    968. 

  968.              * @see Zend_Acl_Exception
    969. 

  969.              */
    970. 

  970.             require_once 'Zend/Acl/Exception.php';
    971. 

  971.             throw new Zend_Acl_Exception('$dfs parameter may not be null');
    972. 

  972.         }
    973. 

  973. 

  974.         if (null !== ($ruleTypeOnePrivilege = $this->_getRuleType($resource, $role, $privilege))) {
    975. 

  975.             return self::TYPE_ALLOW === $ruleTypeOnePrivilege;
    976. 

  976.         } else if (null !== ($ruleTypeAllPrivileges = $this->_getRuleType($resource, $role, null))) {
    977. 

  977.             return self::TYPE_ALLOW === $ruleTypeAllPrivileges;
    978. 

  978.         }
    979. 

  979. 

  980.         $dfs['visited'][$role->getRoleId()] = true;
    981. 

  981.         foreach ($this->_getRoleRegistry()->getParents($role) as $roleParentId => $roleParent) {
    982. 

  982.             $dfs['stack'][] = $roleParent;
    983. 

  983.         }
    984. 

  984. 

  985.         return null;
    986. 

  986.     }
    987. 

  987. 

  988.     /**
    989. 

  989.      * Returns the rule type associated with the specified Resource, Role, and privilege
    990. 

  990.      * combination.
    991. 

  991.      *
    992. 

  992.      * If a rule does not exist or its attached assertion fails, which means that
    993. 

  993.      * the rule is not applicable, then this method returns null. Otherwise, the
    994. 

  994.      * rule type applies and is returned as either TYPE_ALLOW or TYPE_DENY.
    995. 

  995.      *
    996. 

  996.      * If $resource or $role is null, then this means that the rule must apply to
    997. 

  997.      * all Resources or Roles, respectively.
    998. 

  998.      *
    999. 

  999.      * If $privilege is null, then the rule must apply to all privileges.
    1000. 

  1000.      *
    1001. 

  1001.      * If all three parameters are null, then the default ACL rule type is returned,
    1002. 

  1002.      * based on whether its assertion method passes.
    1003. 

  1003.      *
    1004. 

  1004.      * @param  Zend_Acl_Resource_Interface $resource
    1005. 

  1005.      * @param  Zend_Acl_Role_Interface     $role
    1006. 

  1006.      * @param  string                      $privilege
    1007. 

  1007.      * @return string|null
    1008. 

  1008.      */
    1009. 

  1009.     protected function _getRuleType(Zend_Acl_Resource_Interface $resource = null, Zend_Acl_Role_Interface $role = null,
    1010. 

  1010.                                     $privilege = null)
    1011. 

  1011.     {
    1012. 

  1012.         // get the rules for the $resource and $role
    1013. 

  1013.         if (null === ($rules = $this->_getRules($resource, $role))) {
    1014. 

  1014.             return null;
    1015. 

  1015.         }
    1016. 

  1016. 

  1017.         // follow $privilege
    1018. 

  1018.         if (null === $privilege) {
    1019. 

  1019.             if (isset($rules['allPrivileges'])) {
    1020. 

  1020.                 $rule = $rules['allPrivileges'];
    1021. 

  1021.             } else {
    1022. 

  1022.                 return null;
    1023. 

  1023.             }
    1024. 

  1024.         } else if (!isset($rules['byPrivilegeId'][$privilege])) {
    1025. 

  1025.             return null;
    1026. 

  1026.         } else {
    1027. 

  1027.             $rule = $rules['byPrivilegeId'][$privilege];
    1028. 

  1028.         }
    1029. 

  1029. 

  1030.         // check assertion first
    1031. 

  1031.         if ($rule['assert']) {
    1032. 

  1032.             $assertion = $rule['assert'];
    1033. 

  1033.             $assertionValue = $assertion->assert(
    1034. 

  1034.                 $this,
    1035. 

  1035.                 ($this->_isAllowedRole instanceof Zend_Acl_Role_Interface) ? $this->_isAllowedRole : $role,
    1036. 

  1036.                 ($this->_isAllowedResource instanceof Zend_Acl_Resource_Interface) ? $this->_isAllowedResource : $resource,
    1037. 

  1037.                 $privilege
    1038. 

  1038.                 );
    1039. 

  1039.         }
    1040. 

  1040. 

  1041.         if (null === $rule['assert'] || $assertionValue) {
    1042. 

  1042.             return $rule['type'];
    1043. 

  1043.         } else if (null !== $resource || null !== $role || null !== $privilege) {
    1044. 

  1044.             return null;
    1045. 

  1045.         } else if (self::TYPE_ALLOW === $rule['type']) {
    1046. 

  1046.             return self::TYPE_DENY;
    1047. 

  1047.         } else {
    1048. 

  1048.             return self::TYPE_ALLOW;
    1049. 

  1049.         }
    1050. 

  1050.     }
    1051. 

  1051. 

  1052.     /**
    1053. 

  1053.      * Returns the rules associated with a Resource and a Role, or null if no such rules exist
    1054. 

  1054.      *
    1055. 

  1055.      * If either $resource or $role is null, this means that the rules returned are for all Resources or all Roles,
    1056. 

  1056.      * respectively. Both can be null to return the default rule set for all Resources and all Roles.
    1057. 

  1057.      *
    1058. 

  1058.      * If the $create parameter is true, then a rule set is first created and then returned to the caller.
    1059. 

  1059.      *
    1060. 

  1060.      * @param  Zend_Acl_Resource_Interface $resource
    1061. 

  1061.      * @param  Zend_Acl_Role_Interface     $role
    1062. 

  1062.      * @param  boolean                     $create
    1063. 

  1063.      * @return array|null
    1064. 

  1064.      */
    1065. 

  1065.     protected function &_getRules(Zend_Acl_Resource_Interface $resource = null, Zend_Acl_Role_Interface $role = null,
    1066. 

  1066.                                   $create = false)
    1067. 

  1067.     {
    1068. 

  1068.         // create a reference to null
    1069. 

  1069.         $null = null;
    1070. 

  1070.         $nullRef =& $null;
    1071. 

  1071. 

  1072.         // follow $resource
    1073. 

  1073.         do {
    1074. 

  1074.             if (null === $resource) {
    1075. 

  1075.                 $visitor =& $this->_rules['allResources'];
    1076. 

  1076.                 break;
    1077. 

  1077.             }
    1078. 

  1078.             $resourceId = $resource->getResourceId();
    1079. 

  1079.             if (!isset($this->_rules['byResourceId'][$resourceId])) {
    1080. 

  1080.                 if (!$create) {
    1081. 

  1081.                     return $nullRef;
    1082. 

  1082.                 }
    1083. 

  1083.                 $this->_rules['byResourceId'][$resourceId] = array();
    1084. 

  1084.             }
    1085. 

  1085.             $visitor =& $this->_rules['byResourceId'][$resourceId];
    1086. 

  1086.         } while (false);
    1087. 

  1087. 

  1088. 

  1089.         // follow $role
    1090. 

  1090.         if (null === $role) {
    1091. 

  1091.             if (!isset($visitor['allRoles'])) {
    1092. 

  1092.                 if (!$create) {
    1093. 

  1093.                     return $nullRef;
    1094. 

  1094.                 }
    1095. 

  1095.                 $visitor['allRoles']['byPrivilegeId'] = array();
    1096. 

  1096.             }
    1097. 

  1097.             return $visitor['allRoles'];
    1098. 

  1098.         }
    1099. 

  1099.         $roleId = $role->getRoleId();
    1100. 

  1100.         if (!isset($visitor['byRoleId'][$roleId])) {
    1101. 

  1101.             if (!$create) {
    1102. 

  1102.                 return $nullRef;
    1103. 

  1103.             }
    1104. 

  1104.             $visitor['byRoleId'][$roleId]['byPrivilegeId'] = array();
    1105. 

  1105.         }
    1106. 

  1106.         return $visitor['byRoleId'][$roleId];
    1107. 

  1107.     }
    1108. 

  1108. 

  1109.     
    1110. 

  1110.     /**
    1111. 

  1111.      * @return array of registered roles
    1112. 

  1112.      *
    1113. 

  1113.      */
    1114. 

  1114.     public function getRegisteredRoles()
    1115. 

  1115.     { 
    1116. 

  1116.         return $this->_getRoleRegistry()->getRoles(); 
    1117. 

  1117.     } 
    1118. 

  1118. 

  1119. }
    1120.