Open Journal Systems  3.3.0
PluginAccessPolicy.inc.php
1 <?php
15 import('lib.pkp.classes.security.authorization.PolicySet');
16 import('lib.pkp.classes.security.authorization.internal.PluginLevelRequiredPolicy');
17 import('lib.pkp.classes.security.authorization.internal.PluginRequiredPolicy');
18 import('lib.pkp.classes.security.authorization.RoleBasedHandlerOperationPolicy');
19 
20 define('ACCESS_MODE_MANAGE', 0x01);
21 define('ACCESS_MODE_ADMIN', 0x02);
22 
23 class PluginAccessPolicy extends PolicySet {
31  function __construct($request, &$args, $roleAssignments, $accessMode = ACCESS_MODE_ADMIN) {
32  parent::__construct();
33 
34  // A valid plugin is required.
35  $this->addPolicy(new PluginRequiredPolicy($request));
36 
37  // Managers and site admin have access to plugins. We'll have to define
38  // differentiated policies for those roles in a policy set.
39  $pluginAccessPolicy = new PolicySet(COMBINING_PERMIT_OVERRIDES);
40  $pluginAccessPolicy->setEffectIfNoPolicyApplies(AUTHORIZATION_DENY);
41 
42  //
43  // Managerial role
44  //
45  if (isset($roleAssignments[ROLE_ID_MANAGER])) {
46  if ($accessMode & ACCESS_MODE_MANAGE) {
47  // Managers have edit settings access mode...
48  $managerPluginAccessPolicy = new PolicySet(COMBINING_DENY_OVERRIDES);
49  $managerPluginAccessPolicy->addPolicy(new RoleBasedHandlerOperationPolicy($request, ROLE_ID_MANAGER, $roleAssignments[ROLE_ID_MANAGER]));
50 
51  // ...only to context-level plugins.
52  $managerPluginAccessPolicy->addPolicy(new PluginLevelRequiredPolicy($request, true));
53 
54  $pluginAccessPolicy->addPolicy($managerPluginAccessPolicy);
55  }
56  }
57 
58  //
59  // Site administrator role
60  //
61  if (isset($roleAssignments[ROLE_ID_SITE_ADMIN])) {
62  // Site admin have access to all plugins...
63  $siteAdminPluginAccessPolicy = new PolicySet(COMBINING_DENY_OVERRIDES);
64  $siteAdminPluginAccessPolicy->addPolicy(new RoleBasedHandlerOperationPolicy($request, ROLE_ID_SITE_ADMIN, $roleAssignments[ROLE_ID_SITE_ADMIN]));
65 
66  if ($accessMode & ACCESS_MODE_MANAGE) {
67  // ...of site level only.
68  $siteAdminPluginAccessPolicy->addPolicy(new PluginLevelRequiredPolicy($request, false));
69  }
70 
71  $pluginAccessPolicy->addPolicy($siteAdminPluginAccessPolicy);
72  }
73 
74  $this->addPolicy($pluginAccessPolicy);
75  }
76 }
77 
78 
PluginAccessPolicy\__construct
__construct($request, &$args, $roleAssignments, $accessMode=ACCESS_MODE_ADMIN)
Definition: PluginAccessPolicy.inc.php:31
PluginAccessPolicy
Class to control access to plugins.
Definition: PluginAccessPolicy.inc.php:23
PluginLevelRequiredPolicy
Class to test the plugin level.
Definition: PluginLevelRequiredPolicy.inc.php:18
PluginRequiredPolicy
Class to make sure we have a valid plugin in request.
Definition: PluginRequiredPolicy.inc.php:18
PolicySet\addPolicy
addPolicy($policyOrPolicySet, $addToTop=false)
Definition: PolicySet.inc.php:63
RoleBasedHandlerOperationPolicy
Class to control access to handler operations via role based access control.
Definition: RoleBasedHandlerOperationPolicy.inc.php:18
PolicySet
An ordered list of policies. Policy sets can be added to decision managers like policies....
Definition: PolicySet.inc.php:26