cakephp2-php8/app/Config/acl.php

<?php
/**
* This is the PHP base ACL configuration file.
*
* Use it to configure access control of your CakePHP application.
*
* CakePHP(tm) : Rapid Development Framework (https://cakephp.org)
* Copyright (c) Cake Software Foundation, Inc. (https://cakefoundation.org)
*
* Licensed under The MIT License
* For full copyright and license information, please see the LICENSE.txt
* Redistributions of files must retain the above copyright notice.
*
* @copyright Copyright (c) Cake Software Foundation, Inc. (https://cakefoundation.org)
* @link https://cakephp.org CakePHP(tm) Project
* @package app.Config
* @since CakePHP(tm) v 2.1
* @license https://opensource.org/licenses/mit-license.php MIT License
*/
/**
* Example
* -------
*
* Assumptions:
*
* 1. In your application you created a User model with the following properties:
* username, group_id, password, email, firstname, lastname and so on.
* 2. You configured AuthComponent to authorize actions via
* $this->Auth->authorize = array('Actions' => array('actionPath' => 'controllers/'),...)
*
* Now, when a user (e.g. jeff) authenticates successfully and requests a controller action (e.g. /invoices/delete)
* that is not allowed by default (e.g. via $this->Auth->allow('edit') in the Invoices controller), then AuthComponent
* will ask the configured ACL interface if access is granted. Under the assumptions 1. and 2. this will be
* done via a call to Acl->check() with
*
* ```
* array('User' => array('username' => 'jeff', 'group_id' => 4, ...))
* ```
*
* as ARO and
*
* ```
* '/controllers/invoices/delete'
* ```
*
* as ACO.
*
* If the configured map looks like
*
* ```
* $config['map'] = array(
*     'User' => 'User/username',
*     'Role' => 'User/group_id',
* );
* ```
*
* then PhpAcl will look up whether a role like User/jeff is defined. If that role is not found, PhpAcl will try to
* find a definition for Role/4. If that definition isn't found either, a default role (Role/default) will be used to
* check rules for the given ACO. The search can be expanded by defining aliases in the alias configuration.
* E.g. if you want to use a more readable name than Role/4 in your definitions, you can define an alias like
*
* ```
* $config['alias'] = array(
*     'Role/4' => 'Role/editor',
* );
* ```
*
* In the roles configuration you define roles on the left-hand side and the roles they inherit from on the right-hand side:
*
* ```
* $config['roles'] = array(
*     'Role/admin' => null,
*     'Role/accountant' => null,
*     'Role/editor' => null,
*     'Role/manager' => 'Role/editor, Role/accountant',
*     'User/jeff' => 'Role/manager',
* );
* ```
*
* In this example manager inherits all rules from editor and accountant. Role/admin doesn't inherit from any role.
* Let's define some rules:
*
* ```
* $config['rules'] = array(
*     'allow' => array(
*         '*' => 'Role/admin',
*         'controllers/users/(dashboard|profile)' => 'Role/default',
*         'controllers/invoices/*' => 'Role/accountant',
*         'controllers/articles/*' => 'Role/editor',
*         'controllers/users/*' => 'Role/manager',
*         'controllers/invoices/delete' => 'Role/manager',
*     ),
*     'deny' => array(
*         'controllers/invoices/delete' => 'Role/accountant, User/jeff',
*         'controllers/articles/(delete|publish)' => 'Role/editor',
*     ),
* );
* ```
*
* Ok, so as jeff inherits from Role/manager he matches every rule that references User/jeff, Role/manager,
* Role/editor, and Role/accountant. However, for jeff, rules for User/jeff are more specific than
* rules for Role/manager, rules for Role/manager are more specific than rules for Role/editor, and so on.
* This is important when allow and deny rules both match for a role. E.g. Role/accountant is allowed
* controllers/invoices/* but at the same time controllers/invoices/delete is denied. But there is a more
* specific rule defined for Role/manager which allows controllers/invoices/delete. However, the most specific
* rule denies access to the delete action explicitly for User/jeff, so he'll be denied access to the resource.
*
* If we removed the role definition for User/jeff, then jeff would be granted access, as he would be resolved
* to Role/manager and Role/manager has an allow rule.
*/
/**
* The role map defines how to resolve the user record from your application
* to the roles you defined in the roles configuration.
*/
$config['map'] = array(
    'User' => 'User/username',
    'Role' => 'User/group_id',
);
/**
* define aliases to map your model information to
* the roles defined in your role configuration.
*/
$config['alias'] = array(
    'Role/4' => 'Role/editor',
);
/**
* role configuration
*/
$config['roles'] = array(
    'Role/admin' => null,
);
/**
* rule configuration
*/
$config['rules'] = array(
    'allow' => array(
        '*' => 'Role/admin',
    ),
    'deny' => array(),
);
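The resolution and precedence logic that the comment block above describes, as an added Python simulation; this is not CakePHP's own PhpAcl code and is not part of acl.php. It resolves a user record to an ARO through the map and alias tables, walks the role inheritance chain, matches the ACO against the rule keys segment by segment, and evaluates "more specific overrides more general, deny beats allow at equal specificity" exactly as the text states. The function names, the `DOC_CONFIG` dictionary (a transcription of the example configuration) and the sample user records are constructed for this example. For the last described scenario (no `User/jeff` definition) the example remaps group 4 to `Role/manager`, because with the alias as given jeff would otherwise resolve to `Role/editor`.

```python
import re

DEFAULT_ROLE = 'Role/default'

# The example configuration from the comment block, transcribed for this simulation.
DOC_CONFIG = {
    'map': {'User': 'User/username', 'Role': 'User/group_id'},
    'alias': {'Role/4': 'Role/editor'},
    'roles': {
        'Role/admin': None,
        'Role/accountant': None,
        'Role/editor': None,
        'Role/manager': 'Role/editor, Role/accountant',
        'User/jeff': 'Role/manager',
    },
    'rules': {
        'allow': {
            '*': 'Role/admin',
            'controllers/users/(dashboard|profile)': 'Role/default',
            'controllers/invoices/*': 'Role/accountant',
            'controllers/articles/*': 'Role/editor',
            'controllers/users/*': 'Role/manager',
            'controllers/invoices/delete': 'Role/manager',
        },
        'deny': {
            'controllers/invoices/delete': 'Role/accountant, User/jeff',
            'controllers/articles/(delete|publish)': 'Role/editor',
        },
    },
}


def _names(value):
    """Split a 'Role/a, Role/b' string (or None) into a list of role names."""
    return [v.strip() for v in (value or '').split(',') if v.strip()]


def resolve_aro(config, record):
    """Documented lookup order: each map entry in turn, aliases applied, the first
    candidate that is a defined role wins, otherwise the default role."""
    for prefix, path in config['map'].items():
        model, field = path.split('/', 1)
        value = record.get(model, {}).get(field)
        if value is None:
            continue
        candidate = config['alias'].get(f'{prefix}/{value}', f'{prefix}/{value}')
        if candidate in config['roles']:
            return candidate
    return DEFAULT_ROLE


def prioritized_aros(config, aro):
    """Inheritance chain as groups from the most general ancestors down to the
    ARO itself; the last (most specific) group overrides the earlier ones."""
    by_depth, stack = {}, [(aro, 0)]
    while stack:
        role, depth = stack.pop()
        by_depth.setdefault(depth, []).append(role)
        stack.extend((parent, depth + 1) for parent in _names(config['roles'].get(role)))
    return [by_depth[d] for d in sorted(by_depth, reverse=True)]


def _rules_by_level(config, aco):
    """Match rule keys segment by segment against the ACO ('*' means '.*', the
    rest of a segment is a regular expression such as '(dashboard|profile)').
    Rules are grouped by depth: deeper keys are more specific and come later."""
    segments = aco.strip('/').split('/')
    levels = {}
    for policy in ('allow', 'deny'):
        for key, subjects in config['rules'].get(policy, {}).items():
            parts = key.split('/')
            if len(parts) <= len(segments) and all(
                    re.fullmatch(p.replace('*', '.*'), s) for p, s in zip(parts, segments)):
                level = levels.setdefault(len(parts) - 1, {'allow': set(), 'deny': set()})
                level[policy].update(_names(subjects))
    return [levels[k] for k in sorted(levels)]


def check(config, record, aco, default_policy=False):
    """More specific ACO levels and ARO groups override earlier decisions; within
    one group a deny beats an allow. The default policy is deny."""
    aros = prioritized_aros(config, resolve_aro(config, record))
    allow = default_policy
    for level in _rules_by_level(config, aco):
        for group in aros:
            if level['allow'] & set(group):
                allow = True
            if level['deny'] & set(group):
                allow = False
    return allow


def documented_scenarios():
    """Replay both outcomes described for jeff on /controllers/invoices/delete."""
    jeff = {'User': {'username': 'jeff', 'group_id': 4}}  # constructed sample record
    with_own_role = check(DOC_CONFIG, jeff, '/controllers/invoices/delete')
    # Without a User/jeff definition jeff must resolve to Role/manager for the
    # described outcome, so group 4 is aliased there (assumption; the example aliases it to Role/editor).
    cfg = dict(DOC_CONFIG, alias={'Role/4': 'Role/manager'},
               roles={k: v for k, v in DOC_CONFIG['roles'].items() if k != 'User/jeff'})
    return with_own_role, check(cfg, jeff, '/controllers/invoices/delete')
```

`documented_scenarios()` returns `(False, True)`: denied while `User/jeff` carries its own deny rule, granted once jeff resolves to `Role/manager`. The same `check()` call is useful for regression-testing a real acl.php before deploying it, since a single misplaced alias silently changes which branch of the inheritance chain a user lands on.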