Created
September 13, 2013 03:44
-
-
Save hugofabricio/6546596 to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
<?php | |
/** | |
* This is the PHP base ACL configuration file. | |
* | |
* Use it to configure access control of your Cake application. | |
* | |
* PHP 5 | |
* | |
* CakePHP(tm) : Rapid Development Framework (http://cakephp.org) | |
* Copyright (c) Cake Software Foundation, Inc. (http://cakefoundation.org) | |
* | |
* Licensed under The MIT License | |
* For full copyright and license information, please see the LICENSE.txt | |
* Redistributions of files must retain the above copyright notice. | |
* | |
* @copyright Copyright (c) Cake Software Foundation, Inc. (http://cakefoundation.org) | |
* @link http://cakephp.org CakePHP(tm) Project | |
* @package app.Config | |
* @since CakePHP(tm) v 2.1 | |
* @license http://www.opensource.org/licenses/mit-license.php MIT License | |
*/ | |
/** | |
* Example | |
* ------- | |
* | |
* Assumptions: | |
* | |
* 1. In your application you created a User model with the following properties: | |
* username, group_id, password, email, firstname, lastname and so on. | |
* 2. You configured AuthComponent to authorize actions via | |
* $this->Auth->authorize = array('Actions' => array('actionPath' => 'controllers/'),...) | |
* | |
* Now, when a user (i.e. jeff) authenticates successfully and requests a controller action (i.e. /invoices/delete) | |
* that is not allowed by default (e.g. via $this->Auth->allow('edit') in the Invoices controller) then AuthComponent | |
* will ask the configured ACL interface if access is granted. Under the assumptions 1. and 2. this will be | |
* done via a call to Acl->check() with | |
* | |
* array('User' => array('username' => 'jeff', 'group_id' => 4, ...)) | |
* | |
* as ARO and | |
* | |
* '/controllers/invoices/delete' | |
* | |
* as ACO. | |
* | |
* If the configured map looks like | |
* | |
* $config['map'] = array( | |
* 'User' => 'User/username', | |
* 'Role' => 'User/group_id', | |
* ); | |
* | |
* then PhpAcl will lookup if we defined a role like User/jeff. If that role is not found, PhpAcl will try to | |
* find a definition for Role/4. If the definition isn't found then a default role (Role/default) will be used to | |
* check rules for the given ACO. The search can be expanded by defining aliases in the alias configuration. | |
* E.g. if you want to use a more readable name than Role/4 in your definitions you can define an alias like | |
* | |
* $config['alias'] = array( | |
* 'Role/4' => 'Role/editor', | |
* ); | |
* | |
* In the roles configuration you can define roles on the lhs and inherited roles on the rhs: | |
* | |
* $config['roles'] = array( | |
* 'Role/admin' => null, | |
* 'Role/accountant' => null, | |
* 'Role/editor' => null, | |
* 'Role/manager' => 'Role/editor, Role/accountant', | |
* 'User/jeff' => 'Role/manager', | |
* ); | |
* | |
* In this example manager inherits all rules from editor and accountant. Role/admin doesn't inherit from any role. | |
* Lets define some rules: | |
* | |
* $config['rules'] = array( | |
* 'allow' => array( | |
* '*' => 'Role/admin', | |
* 'controllers/users/(dashboard|profile)' => 'Role/default', | |
* 'controllers/invoices/*' => 'Role/accountant', | |
* 'controllers/articles/*' => 'Role/editor', | |
* 'controllers/users/*' => 'Role/manager', | |
* 'controllers/invoices/delete' => 'Role/manager', | |
* ), | |
* 'deny' => array( | |
* 'controllers/invoices/delete' => 'Role/accountant, User/jeff', | |
* 'controllers/articles/(delete|publish)' => 'Role/editor', | |
* ), | |
* ); | |
* | |
* Ok, so as jeff inherits from Role/manager he's matched every rule that references User/jeff, Role/manager, | |
* Role/editor, Role/accountant and Role/default. However, for jeff, rules for User/jeff are more specific than | |
* rules for Role/manager, rules for Role/manager are more specific than rules for Role/editor and so on. | |
* This is important when allow and deny rules match for a role. E.g. Role/accountant is allowed | |
* controllers/invoices/* but at the same time controllers/invoices/delete is denied. But there is a more | |
* specific rule defined for Role/manager which is allowed controllers/invoices/delete. However, the most specific | |
* rule denies access to the delete action explicitly for User/jeff, so he'll be denied access to the resource. | |
* | |
* If we would remove the role definition for User/jeff, then jeff would be granted access as he would be resolved | |
* to Role/manager and Role/manager has an allow rule. | |
*/ | |
/** | |
* The role map defines how to resolve the user record from your application | |
* to the roles you defined in the roles configuration. | |
*/ | |
$config['map'] = array( | |
'User' => 'User/username', | |
'Role' => 'User/group_id', | |
); | |
/** | |
* define aliases to map your model information to | |
* the roles defined in your role configuration. | |
*/ | |
$config['alias'] = array( | |
'Role/1' => 'Role/master', | |
'Role/2' => 'Role/admin', | |
'Role/3' => 'Role/moderador', | |
'Role/4' => 'Role/editor', | |
); | |
/** | |
* role configuration | |
*/ | |
$config['roles'] = array( | |
'Role/master' => null, | |
'Role/admin' => null, | |
'Role/moderador' => null, | |
'Role/editor' => null, | |
); | |
$config['roles'] = array( | |
'Role/master' => null, | |
); | |
/** | |
* rule configuration | |
*/ | |
$config['rules'] = array( | |
'allow' => array( | |
'*' => 'Role/master' | |
) | |
); |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment