Open Journal Systems  3.3.0
RoleBasedHandlerOperationPolicy.inc.php
1 <?php
16 import('lib.pkp.classes.security.authorization.HandlerOperationPolicy');
17 
18 class RoleBasedHandlerOperationPolicy extends HandlerOperationPolicy {
20  var $_roles = array();
21 
23  var $_allRoles;
24 
35  function __construct($request, $roles, $operations,
36  $message = 'user.authorization.roleBasedAccessDenied',
37  $allRoles = false) {
38  parent::__construct($request, $operations, $message);
39 
40  // Make sure a single role doesn't have to be
41  // passed in as an array.
42  assert(is_integer($roles) || is_array($roles));
43  if (!is_array($roles)) {
44  $roles = array($roles);
45  }
46  $this->_roles = $roles;
47  $this->_allRoles = $allRoles;
48  }
49 
50 
51  //
52  // Implement template methods from AuthorizationPolicy
53  //
57  function effect() {
58  // Check whether the user has one of the allowed roles
59  // assigned. If that's the case we'll permit access.
60  // Get user roles grouped by context.
61  $userRoles = $this->getAuthorizedContextObject(ASSOC_TYPE_USER_ROLES);
62  if (empty($userRoles)) return AUTHORIZATION_DENY;
63 
64  if (!$this->_checkUserRoleAssignment($userRoles)) return AUTHORIZATION_DENY;
65  if (!$this->_checkOperationWhitelist()) return AUTHORIZATION_DENY;
66 
67  $handler = $this->getRequest()->getRouter()->getHandler();
68  $handler->markRoleAssignmentsChecked();
69 
70  return AUTHORIZATION_PERMIT;
71  }
72 
73 
74  //
75  // Private helper methods
76  //
84  function _checkUserRoleAssignment($userRoles) {
85  // Find matching roles.
86  $foundMatchingRole = false;
87  foreach($this->_roles as $roleId) {
88  $foundMatchingRole = in_array($roleId, $userRoles);
89 
90  if ($this->_allRoles) {
91  if (!$foundMatchingRole) {
92  // When the "all roles" flag is switched on then
93  // one missing role is enough to fail.
94  return false;
95  }
96  } else {
97  if ($foundMatchingRole) {
98  // When the "all roles" flag is not set then
99  // one matching role is enough to succeed.
100  return true;
101  }
102  }
103  }
104 
105  if ($this->_allRoles) {
106  // All roles matched, otherwise we'd have failed before.
107  return true;
108  } else {
109  // None of the roles matched, otherwise we'd have succeeded already.
110  return false;
111  }
112  }
113 }
114 
115 
RoleBasedHandlerOperationPolicy\_checkUserRoleAssignment
_checkUserRoleAssignment($userRoles)
Definition: RoleBasedHandlerOperationPolicy.inc.php:90
RoleBasedHandlerOperationPolicy\$_allRoles
$_allRoles
Definition: RoleBasedHandlerOperationPolicy.inc.php:29
AuthorizationPolicy\getAuthorizedContextObject
& getAuthorizedContextObject($assocType)
Definition: AuthorizationPolicy.inc.php:117
HandlerOperationPolicy
Abstract base class that provides infrastructure to control access to handler operations.
Definition: HandlerOperationPolicy.inc.php:18
HandlerOperationPolicy\getRequest
& getRequest()
Definition: HandlerOperationPolicy.inc.php:59
RoleBasedHandlerOperationPolicy\__construct
__construct($request, $roles, $operations, $message='user.authorization.roleBasedAccessDenied', $allRoles=false)
Definition: RoleBasedHandlerOperationPolicy.inc.php:41
RoleBasedHandlerOperationPolicy\effect
effect()
Definition: RoleBasedHandlerOperationPolicy.inc.php:63
HandlerOperationPolicy\_checkOperationWhitelist
_checkOperationWhitelist()
Definition: HandlerOperationPolicy.inc.php:80
RoleBasedHandlerOperationPolicy\$_roles
$_roles
Definition: RoleBasedHandlerOperationPolicy.inc.php:23
RoleBasedHandlerOperationPolicy
Class to control access to handler operations via role based access control.
Definition: RoleBasedHandlerOperationPolicy.inc.php:18