Created
July 4, 2011 14:14
-
-
Save rich97/1063377 to your computer and use it in GitHub Desktop.
Access control configuration.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <?php | |
| use lithium\security\Auth; | |
| use lithium\security\Password; | |
| use li3_access\security\Access; | |
| use li3_admin\models\Staffs; | |
| Auth::config(array( | |
| 'root' => array( | |
| 'adapter' => 'Form', 'model' => 'Staffs', 'with' => 'Accounts', | |
| 'fields' => array('Accounts.username', 'Accounts.password'), | |
| 'scope' => array('Staffs.access' => 'root', 'Accounts.active' => true), | |
| 'validators' => array( | |
| 'password' => false, | |
| 'Accounts.password' => function($form, $data) { | |
| return Password::check($form, $data); | |
| } | |
| ) | |
| ), | |
| 'superuser' => array( | |
| 'adapter' => 'Form', 'model' => 'Staffs', 'with' => 'Accounts', | |
| 'fields' => array('Accounts.username', 'Accounts.password'), | |
| 'scope' => array('Staffs.access' => 'root', 'Accounts.active' => true), | |
| 'validators' => array( | |
| 'password' => false, | |
| 'Accounts.password' => function($form, $data) { | |
| return Password::check($form, $data); | |
| } | |
| ) | |
| ), | |
| 'admin' => array( | |
| 'adapter' => 'Form', 'model' => 'Staffs', 'with' => 'Accounts', | |
| 'fields' => array('Accounts.username', 'Accounts.password'), | |
| 'scope' => array('Staffs.access' => 'root', 'Accounts.active' => true), | |
| 'validators' => array( | |
| 'password' => false, | |
| 'Accounts.password' => function($form, $data) { | |
| return Password::check($form, $data); | |
| } | |
| ) | |
| ) | |
| )); | |
| $authed = Auth::check('admin'); | |
| $accountsEmpty = !(boolean) Staffs::count(); | |
| $isCurrentAccount = function($request) use ($authed) { | |
| if ((integer) $authed->id !== (integer) $request->id) { | |
| return true; | |
| } | |
| return false; | |
| }; | |
| $hasPermissions = function($request_id) use ($authed) { | |
| $with = array('Accounts'); | |
| $conditions = array('Staffs.id' => $request_id); | |
| $fields = array('Staffs.id', 'Staffs.access', 'Accounts.id'); | |
| $staffs = Staffs::first(compact('with', 'fields', 'conditions')); | |
| $level = Staffs::accessToNumeric($access); | |
| if (!empty($staffs) && !empty($authed) && ($staffs->level > $authed->level)) { | |
| return true; | |
| } | |
| return false; | |
| }; | |
| Access::config( | |
| array('rbac' => array( | |
| 'adapter' => 'AuthRbac', | |
| 'roles' => array( | |
| // Deny by default | |
| array( | |
| 'match' => array('library' => 'li3_admin', '*::*'), | |
| 'redirect' => 'Access::login', | |
| 'allow' => false | |
| ), | |
| // Allow authenticated users to access the system | |
| array( | |
| 'match' => array('library' => 'li3_admin', '*::*'), | |
| 'requesters' => array('admin', 'superuser', 'root'), | |
| 'message' => 'Log in to access this area.', | |
| 'options' => array('class' => 'notice') | |
| ), | |
| // Any user can access the login action as long as they are not logged in already and an admin already exists in the system. | |
| array( | |
| 'match' => array('library' => 'li3_admin', 'Access::login'), | |
| 'message' => "You're already logged in!", | |
| 'options' => array('class' => 'notice'), | |
| 'redirect' => 'Dashboard::index', | |
| 'allow' => array( | |
| function() use ($authed) { | |
| return !(boolean) $authed; | |
| }, | |
| function($request, &$options) use ($accountsEmpty) { | |
| if ($accountsEmpty) { | |
| $options['message'] = 'No account available, setup the main (root) staff account.'; | |
| $options['redirect'] = array('controller' => 'settings', 'action' => 'setup'); | |
| $options['options'] = array('class' => 'error'); | |
| return false; | |
| } | |
| return true; | |
| } | |
| ) | |
| ), | |
| // Any user can logout | |
| array('match' => array('library' => 'li3_admin', 'Access::logout')), | |
| // Setup action can only be accessed if it's not already been done. | |
| array( | |
| 'match' => array('library' => 'li3_admin', 'Settings::setup'), | |
| 'redirect' => 'Access::login', | |
| 'message' => 'The system has already been set up.', | |
| 'options' => array('class' => 'notice'), | |
| 'allow' => array(function() use ($accountsEmpty) { | |
| return $accountsEmpty; | |
| }) | |
| ), | |
| // Only superuser and root accounts can edit or delete staff | |
| array('match' => array('library' => 'li3_admin', 'Staffs::*', 'allow' => false)), | |
| // Restrict edit action if the admin is not allowed to edit the other account or if the account ids match | |
| array( | |
| 'match' => array('library' => 'li3_admin', 'Staffs::edit'), | |
| 'requesters' => array('root', 'superuser'), | |
| 'message' => 'To edit your account use select profile in the top right of the screen.', | |
| 'redirect' => 'Staffs::index', | |
| 'allow' => array( | |
| function($request) use ($isCurrentAccount) { | |
| return !$isCurrentAccount($request); | |
| }, | |
| function($request, $options) use ($hasPermissions) { | |
| $result = $hasPermissions($request->id); | |
| if (!$result) { | |
| $options['message'] = 'You need higher permissions in order to modify that account.'; | |
| $options['redirect'] = array('controller' => 'staffs', 'action' => 'index'); | |
| $options['options'] = array('class' => 'error'); | |
| } | |
| return $result; | |
| } | |
| ) | |
| ), | |
| // Same here. Admins can't delete thier own accounts or other users that have higher access than them. | |
| array( | |
| 'match' => array('library' => 'li3_admin', 'Staffs::delete'), | |
| 'requesters' => array('root', 'superuser'), | |
| 'message' => "You can't delete your own account!", | |
| 'redirect' => 'Staffs::index', | |
| 'options' => array('class' => 'error'), | |
| 'allow' => array( | |
| function($request) use ($isCurrentAccount) { | |
| return !$isCurrentAccount($request); | |
| }, | |
| function(&$request, &$options) use ($hasPermissions) { | |
| $ids = array(); | |
| if (!empty($request->id)) { | |
| $ids[] = (integer) $request->id; | |
| } | |
| if (!empty($request->data['delete'])) { | |
| $ids = array_merge($ids, array_keys($request->data['delete'])); | |
| } | |
| $valid = true; | |
| foreach ($ids as $key => $id) { | |
| $staffs = Accounts::first(array( | |
| 'with' => 'Accounts', | |
| 'fields' => array('Staffs.id', 'Accounts.id', 'Accounts.access'), | |
| 'conditions' => array('Accounts.id' => $id) | |
| )); | |
| if (!$hasPermissions($staffs->access)) { | |
| unset($ids[$key]); | |
| $valid = false; | |
| } | |
| } | |
| if (!$valid) { | |
| $options['message'] = 'Not all selected records were deleted as you do not have sufficiant permissions.'; | |
| $options['redirect'] = 'Staffs::index'; | |
| } | |
| return $valid; | |
| } | |
| ) | |
| ), | |
| array('match' => array('library' => 'li3_admin', 'Staffs::add'), 'requesters' => array('root', 'superuser')), | |
| array('match' => array('library' => 'li3_admin', 'Staffs::index'), 'requesters' => array('admin')), | |
| array('match' => array('library' => 'li3_admin', 'Staffs::view'), 'requesters' => array('admin')) | |
| ) | |
| )) | |
| ); | |
| ?> |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment