Class Permission (namespace Nette\Security)


Access control list (ACL) functionality and privileges management.

This solution is mostly based on Zend_Acl (c) Zend Technologies USA Inc. (http://www.zend.com), new BSD license

Object
   |
   --Permission

Implements interfaces:

IAuthorizator
Author: David Grudl
Copyright: Copyright (c) 2005, 2007 Zend Technologies USA Inc.
Copyright: Copyright (c) 2004, 2009 David Grudl
Located: in /Security/Permission.php (line 41)
Method Summary
Permission
addResource (string $resource, [string $parent = NULL])
Adds a Resource having an identifier unique to the list.
Permission
addRole (string $role, [string|array $parents = NULL])
Adds a Role to the list.
Permission
allow ([string|array|self::ALL $roles = self::ALL], [string|array|self::ALL $resources = self::ALL], [string|array|self::ALL $privileges = self::ALL], [IPermissionAssertion $assert = NULL])
Adds an "allow" rule to the list.
Permission
deny ([string|array|self::ALL $roles = self::ALL], [string|array|self::ALL $resources = self::ALL], [string|array|self::ALL $privileges = self::ALL], [IPermissionAssertion $assert = NULL])
Adds a "deny" rule to the list.
array
getRoleParents (string $role)
Returns an array of an existing Role's parents.
protected & array|NULL
getRules (string|self::ALL $resource, string|self::ALL $role, [boolean $create = FALSE])
Returns the rules associated with a Resource and a Role, or NULL if no such rules exist.
protected bool|NULL
getRuleType (string|self::ALL $resource, string|self::ALL $role, string|self::ALL $privilege)
Returns the rule type associated with the specified Resource, Role, and privilege.
bool
hasResource (string $resource)
Returns TRUE if the Resource exists in the list.
bool
hasRole (string $role)
Returns TRUE if the Role exists in the list.
bool
isAllowed ([string|self::ALL $role = self::ALL], [string|self::ALL $resource = self::ALL], [string|self::ALL $privilege = self::ALL])
Returns TRUE if and only if the Role has access to the Resource.
protected bool
needResource (string $resource)
Throws an exception if the Resource doesn't exist in the list.
protected bool
needRole (string $role)
Throws an exception if the Role doesn't exist in the list.
Permission
removeAllow ([string|array|self::ALL $roles = self::ALL], [string|array|self::ALL $resources = self::ALL], [string|array|self::ALL $privileges = self::ALL])
Removes "allow" permissions from the list.
Permission
removeAllResources ()
Removes all Resources.
Permission
removeAllRoles ()
Removes all Roles from the list.
Permission
removeDeny ([string|array|self::ALL $roles = self::ALL], [string|array|self::ALL $resources = self::ALL], [string|array|self::ALL $privileges = self::ALL])
Removes "deny" restrictions from the list.
Permission
removeResource (string $resource)
Removes a Resource and all of its children.
Permission
removeRole (string $role)
Removes the Role from the list.
bool
resourceInheritsFrom (string $resource, string $inherit, [boolean $onlyParent = FALSE])
Returns TRUE if $resource inherits from $inherit.
protected bool|NULL
roleDFSAllPrivileges (string $role, string $resource)
Performs a depth-first search of the Role DAG, starting at $role, in order to find a rule.
protected bool|NULL
roleDFSOnePrivilege (string $role, string $resource, string $privilege)
Performs a depth-first search of the Role DAG, starting at $role, in order to find a rule.
protected bool|NULL
roleDFSVisitAllPrivileges (string $role, string $resource, array &$dfs)
Visits a $role in order to look for a rule allowing/denying $role access to all privileges upon $resource.
protected bool|NULL
roleDFSVisitOnePrivilege (string $role, string $resource, string $privilege, array &$dfs)
Visits a $role in order to look for a rule allowing/denying $role access to a $privilege upon $resource.
bool
roleInheritsFrom (string $role, string $inherit, [boolean $onlyParents = FALSE])
Returns TRUE if $role inherits from $inherit.
Permission
setRule (bool $operation, bool $type, [string|array|self::ALL $roles = self::ALL], [string|array|self::ALL $resources = self::ALL], [string|array|self::ALL $privileges = self::ALL], [IPermissionAssertion $assert = NULL])
Performs operations on Access Control List rules.
Methods Inherited From Object
Object::extensionMethod(), Object::getClass(), Object::getReflection(), Object::__call(), Object::__callStatic(), Object::__get(), Object::__isset(), Object::__set(), Object::__unset()
Constant Summary
bool ADD TRUE

line 44

Rule operation: add
bool REMOVE FALSE

line 47

Rule operation: remove
Variable Summary
protected array $resources array()

line 53

Resource storage
protected array $roles array()

line 50

Role storage
protected array $rules array( 'allResources' => array( 'allRoles' => array( 'allPrivileges' =>...

line 56

Access Control List rules; whitelist (deny everything to all) by default

Method Details

line 284

addResource

public Permission addResource (string $resource, [string $parent = NULL])

Adds a Resource having an identifier unique to the list.

Input
string $resource
string $parent
Output
Permission provides a fluent interface
Throws
throws Exception

line 92

addRole

public Permission addRole (string $role, [string|array $parents = NULL])

Adds a Role to the list.

The $parents parameter may be a Role identifier (or array of identifiers) to indicate the Roles from which the newly added Role will directly inherit.

In order to resolve potential ambiguities with conflicting rules inherited from different parents, the most recently added parent takes precedence over parents that were previously added. In other words, the first parent added will have the least priority, and the last parent added will have the highest priority.

Input
string $role
string|array $parents
Output
Permission provides a fluent interface
Throws
throws Exception
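
The parent-precedence rule above decides which of two conflicting inherited rules wins, so parent order is security-relevant. The following is an added example for this page, not code from the Nette Framework or its documentation; it uses only the methods documented here. Two roles inherit from the same pair of parents in opposite order, and the verdict flips accordingly.

```php
<?php
// Added example for this page; it is not code from the Nette Framework or its
// documentation. Only the methods documented on this page are used.
use Nette\Security\Permission;

$acl = new Permission;
$acl->addResource('report');

$acl->addRole('analyst');
$acl->addRole('contractor');
$acl->allow('analyst', 'report', 'export');    // analysts may export reports
$acl->deny('contractor', 'report', 'export');  // contractors may not

// Two roles inherit from both parents, in opposite order. The depth-first
// search in isAllowed() consults the most recently added parent first, so
// that parent's rule settles the conflict.
$acl->addRole('externalAnalyst', array('analyst', 'contractor')); // contractor has priority
$acl->addRole('internalAnalyst', array('contractor', 'analyst')); // analyst has priority

/**
 * Returns a one-line summary: the parents in ascending priority, as reported
 * by getRoleParents() (last = highest), and the verdict for report/export.
 */
function describeExport(Permission $acl, $role)
{
	$parents = implode(' < ', $acl->getRoleParents($role));
	$verdict = $acl->isAllowed($role, 'report', 'export') ? 'allowed' : 'denied';
	return "$role [$parents]: export $verdict";
}

echo describeExport($acl, 'externalAnalyst'), "\n"; // contractor's deny is reached first
echo describeExport($acl, 'internalAnalyst'), "\n"; // analyst's allow is reached first
```

Appending a permissive parent to an existing role therefore silently overrides a restrictive parent added earlier. When a role genuinely needs both parents, put an explicit rule on the role itself: the search starts at $role before visiting any parent, so such a rule does not depend on parent order.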

line 451

allow

public Permission allow ([string|array|self::ALL $roles = self::ALL], [string|array|self::ALL $resources = self::ALL], [string|array|self::ALL $privileges = self::ALL], [IPermissionAssertion $assert = NULL])

Adds an "allow" rule to the list.

Input
string|array|self::ALL $roles roles
string|array|self::ALL $resources resources
string|array|self::ALL $privileges privileges
IPermissionAssertion $assert
Output
Permission provides a fluent interface

line 467

deny

public Permission deny ([string|array|self::ALL $roles = self::ALL], [string|array|self::ALL $resources = self::ALL], [string|array|self::ALL $privileges = self::ALL], [IPermissionAssertion $assert = NULL])

Adds a "deny" rule to the list.

Input
string|array|self::ALL $roles roles
string|array|self::ALL $resources resources
string|array|self::ALL $privileges privileges
IPermissionAssertion $assert
Output
Permission provides a fluent interface

line 167

getRoleParents

public array getRoleParents (string $role)

Returns an array of an existing Role's parents.

The parent Roles are ordered in this array by ascending priority. The highest priority parent Role, last in the array, corresponds with the parent Role most recently added.

If the Role does not have any parents, then an empty array is returned.

Input
string $role
Output
array  

line 934

getRules

protected array|NULL & getRules (string|self::ALL $resource, string|self::ALL $role, [boolean $create = FALSE])

Returns the rules associated with a Resource and a Role, or NULL if no such rules exist.

If either $resource or $role is self::ALL, this means that the rules returned are for all Resources or all Roles, respectively. Both can be self::ALL to return the default rule set for all Resources and all Roles.

If the $create parameter is TRUE, then a rule set is first created and then returned to the caller.

Input
string|self::ALL $resource resource
string|self::ALL $role role
boolean $create create
Output
& array|NULL  

line 887

getRuleType

protected bool|NULL getRuleType (string|self::ALL $resource, string|self::ALL $role, string|self::ALL $privilege)

Returns the rule type associated with the specified Resource, Role, and privilege combination.

If a rule does not exist or its attached assertion fails, which means that the rule is not applicable, then this method returns NULL. Otherwise, the rule type applies and is returned as either ALLOW or DENY.

If $resource or $role is self::ALL, then this means that the rule must apply to all Resources or Roles, respectively.

If $privilege is self::ALL, then the rule must apply to all privileges.

If all three parameters are self::ALL, then the default ACL rule type is returned, based on whether its assertion method passes.

Input
string|self::ALL $resource resource
string|self::ALL $role role
string|self::ALL $privilege privilege
Output
bool|NULL  

line 316

hasResource

public bool hasResource (string $resource)

Returns TRUE if the Resource exists in the list.

Input
string $resource
Output
bool  

line 131

hasRole

public bool hasRole (string $role)

Returns TRUE if the Role exists in the list.

Input
string $role
Output
bool  

line 667

isAllowed

public bool isAllowed ([string|self::ALL $role = self::ALL], [string|self::ALL $resource = self::ALL], [string|self::ALL $privilege = self::ALL])

Returns TRUE if and only if the Role has access to the Resource.

If either $role or $resource is self::ALL, then the query applies to all Roles or all Resources, respectively. Both may be self::ALL to query whether the ACL has a "blacklist" rule (allow everything to all). By default, Permission creates a "whitelist" rule (deny everything to all), and this method would return FALSE unless this default has been overridden (i.e., by executing $acl->allow()).

If a $privilege is not provided, then this method returns FALSE if and only if the Role is denied access to at least one privilege upon the Resource. In other words, this method returns TRUE if and only if the Role is allowed all privileges on the Resource.

This method checks Role inheritance using a depth-first traversal of the Role list. The highest priority parent (i.e., the parent most recently added) is checked first, and its respective parents are checked similarly before the lower-priority parents of the Role are checked.

Implementation of: IAuthorizator::isAllowed()

Input
string|self::ALL $role role
string|self::ALL $resource resource
string|self::ALL $privilege privilege
Output
bool  
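
The three behaviours described above (the whitelist default, inheritance through both the Role DAG and the Resource tree, and the "all privileges" meaning of a query without $privilege) are easiest to see side by side. The following is an added example for this page, not code from the Nette Framework or its documentation; it assumes Permission::ALL is the constant the signatures on this page write as self::ALL.

```php
<?php
// Added example for this page; it is not code from the Nette Framework or its
// documentation. Assumes Permission::ALL is the constant written as self::ALL
// in the method signatures above.
use Nette\Security\Permission;

$acl = new Permission;

// Resources form a tree; a rule on 'content' covers 'article' and 'comment'
// unless a rule on the child resource is found first.
$acl->addResource('content');
$acl->addResource('article', 'content');
$acl->addResource('comment', 'content');

$acl->addRole('guest');
$acl->addRole('member', 'guest');  // members inherit everything guests may do
$acl->addRole('admin');

$acl->allow('guest', 'content', 'view');                 // read access to the whole tree
$acl->allow('member', 'comment', array('add', 'edit'));  // members may post and edit comments
$acl->deny('member', 'comment', 'delete');               // explicit deny, not merely an absent allow
$acl->allow('admin');                                    // all privileges on all resources

/**
 * Evaluates a list of (role, resource, privilege) queries and returns the
 * verdicts keyed by "role:resource:privilege". Permission::ALL as privilege
 * asks whether the role holds every privilege on the resource.
 */
function evaluate(Permission $acl, array $queries)
{
	$out = array();
	foreach ($queries as $q) {
		list($role, $resource, $privilege) = $q;
		$key = "$role:$resource:" . ($privilege === Permission::ALL ? '*' : $privilege);
		$out[$key] = $acl->isAllowed($role, $resource, $privilege);
	}
	return $out;
}

$verdicts = evaluate($acl, array(
	array('guest',  'article', 'view'),           // rule lives on the parent resource 'content'
	array('guest',  'comment', 'add'),            // no rule anywhere on the path: whitelist default
	array('member', 'article', 'view'),           // rule lives on the parent role 'guest'
	array('member', 'comment', 'add'),            // member's own rule
	array('member', 'comment', 'delete'),         // explicit deny
	array('member', 'comment', Permission::ALL),  // every privilege? one of them is denied
	array('admin',  'comment', Permission::ALL),  // admin's allow on all resources covers it
));

foreach ($verdicts as $query => $allowed) {
	printf("%-22s %s\n", $query, $allowed ? 'allow' : 'deny');
}

// Both ALL: has the default "deny everything to all" been replaced by a blacklist?
printf("%-22s %s\n", 'default rule', $acl->isAllowed() ? 'allow (blacklist)' : 'deny (whitelist)');
```

Two points worth checking in your own ACLs: the query with Permission::ALL as privilege is a strict "all privileges" test, so it is the wrong call for "may this role do anything at all on the resource"; and calling $acl->allow() with no arguments turns the whole ACL into a blacklist, which the last line makes visible.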

line 329

needResource

protected bool needResource (string $resource)

Throws an exception if the Resource doesn't exist in the list.

Input
string $resource
Output
bool  
Throws
throws Exception

line 144

needRole

protected bool needRole (string $role)

Throws an exception if the Role doesn't exist in the list.

Input
string $role
Output
bool  
Throws
throws Exception

line 482

removeAllow

public Permission removeAllow ([string|array|self::ALL $roles = self::ALL], [string|array|self::ALL $resources = self::ALL], [string|array|self::ALL $privileges = self::ALL])

Removes "allow" permissions from the list.

Input
string|array|self::ALL $roles roles
string|array|self::ALL $resources resources
string|array|self::ALL $privileges privileges
Output
Permission provides a fluent interface

line 422

removeAllResources

public Permission removeAllResources ()

Removes all Resources.

Output
Permission provides a fluent interface

line 254

removeAllRoles

public Permission removeAllRoles ()

Removes all Roles from the list.

Output
Permission provides a fluent interface

line 497

removeDeny

public Permission removeDeny ([string|array|self::ALL $roles = self::ALL], [string|array|self::ALL $resources = self::ALL], [string|array|self::ALL $privileges = self::ALL])

Removes "deny" restrictions from the list.

Input
string|array|self::ALL $roles roles
string|array|self::ALL $resources resources
string|array|self::ALL $privileges privileges
Output
Permission provides a fluent interface

line 387

removeResource

public Permission removeResource (string $resource)

Removes a Resource and all of its children.

Input
string $resource
Output
Permission provides a fluent interface
Throws
throws Exception

line 218

removeRole

public Permission removeRole (string $role)

Removes the Role from the list.

Input
string $role
Output
Permission provides a fluent interface
Throws
throws Exception

line 352

resourceInheritsFrom

public bool resourceInheritsFrom (string $resource, string $inherit, [boolean $onlyParent = FALSE])

Returns TRUE if $resource inherits from $inherit.

If $onlyParent is TRUE, then $resource must inherit directly from $inherit in order to return TRUE. By default, this method looks through the entire inheritance tree to determine whether $resource inherits from $inherit through its ancestor Resources.

Input
string $resource
string $inherit
boolean $onlyParent
Output
bool  
Throws
throws Exception

line 737

roleDFSAllPrivileges

protected bool|NULL roleDFSAllPrivileges (string $role, string $resource)

Performs a depth-first search of the Role DAG, starting at $role, in order to find a rule allowing/denying $role access to all privileges upon $resource.

This method returns TRUE if a rule is found and allows access. If a rule exists and denies access, then this method returns FALSE. If no applicable rule is found, then this method returns NULL.

Input
string $role role
string $resource resource
Output
bool|NULL  

line 809

roleDFSOnePrivilege

protected bool|NULL roleDFSOnePrivilege (string $role, string $resource, string $privilege)

Performs a depth-first search of the Role DAG, starting at $role, in order to find a rule allowing/denying $role access to a $privilege upon $resource.

This method returns TRUE if a rule is found and allows access. If a rule exists and denies access, then this method returns FALSE. If no applicable rule is found, then this method returns NULL.

Input
string $role role
string $resource resource
string $privilege privilege
Output
bool|NULL  

line 774

roleDFSVisitAllPrivileges

protected bool|NULL roleDFSVisitAllPrivileges (string $role, string $resource, array &$dfs)

Visits a $role in order to look for a rule allowing/denying $role access to all privileges upon $resource.

This method returns TRUE if a rule is found and allows access. If a rule exists and denies access, then this method returns FALSE. If no applicable rule is found, then this method returns NULL.

This method is used by the internal depth-first search algorithm and may modify the DFS data structure.

Input
string $role role
string $resource resource
array &$dfs dfs
Output
bool|NULL  

line 847

roleDFSVisitOnePrivilege

protected bool|NULL roleDFSVisitOnePrivilege (string $role, string $resource, string $privilege, array &$dfs)

Visits a $role in order to look for a rule allowing/denying $role access to a $privilege upon $resource.

This method returns TRUE if a rule is found and allows access. If a rule exists and denies access, then this method returns FALSE. If no applicable rule is found, then this method returns NULL.

This method is used by the internal depth-first search algorithm and may modify the DFS data structure.

Input
string $role role
string $resource resource
string $privilege privilege
array &$dfs dfs
Output
bool|NULL  

line 189

roleInheritsFrom

public bool roleInheritsFrom (string $role, string $inherit, [boolean $onlyParents = FALSE])

Returns TRUE if $role inherits from $inherit.

If $onlyParents is TRUE, then $role must inherit directly from $inherit in order to return TRUE. By default, this method looks through the entire inheritance DAG to determine whether $role inherits from $inherit through its ancestor Roles.

Input
string $role
string $inherit
boolean $onlyParents
Output
bool  
Throws
throws Exception

line 551

setRule

public Permission setRule (bool $operation, bool $type, [string|array|self::ALL $roles = self::ALL], [string|array|self::ALL $resources = self::ALL], [string|array|self::ALL $privileges = self::ALL], [IPermissionAssertion $assert = NULL])

Performs operations on Access Control List rules.

The $operation parameter may be either Permission::ADD or Permission::REMOVE, depending on whether the user wants to add or remove a rule, respectively:

ADD specifics:

A rule is added that allows or denies (according to $type) one or more Roles access to [certain $privileges upon] the specified Resource(s).

REMOVE specifics:

The rule is removed only in the context of the given Roles, Resources, and privileges. Existing rules to which the remove operation does not apply would remain in the Access Control List.

The $type parameter may be either Permission::ALLOW or Permission::DENY, depending on whether the rule is intended to allow or deny permission, respectively.

If either $roles or $resources is self::ALL, then the rule applies to all Roles or all Resources, respectively. Both may be self::ALL in order to work with the default rule of the ACL.

The $privileges parameter may be used to further specify that the rule applies only to certain privileges upon the Resource(s) in question. This may be specified to be a single privilege with a string, and multiple privileges may be specified as an array of strings.

If $assert is provided, then its assert() method must return TRUE in order for the rule to apply; a rule whose assertion fails is treated as not applicable, not as a rule of the opposite type. The one exception is the default rule: if $assert is provided with $roles, $resources, and $privileges all equal to self::ALL, then when the assertion fails a rule having a type of:

ALLOW will imply a type of DENY, and

DENY will imply a type of ALLOW.

This is because the ACL needs to provide expected behavior when an assertion upon the default ACL rule fails.

Input
bool $operation operation
bool $type type
string|array|self::ALL $roles roles
string|array|self::ALL $resources resources
string|array|self::ALL $privileges privileges
IPermissionAssertion $assert assert
Output
Permission provides a fluent interface
Throws
throws Exception
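
The $assert parameter above, together with the note under getRuleType() that a rule whose assertion fails is "not applicable" (returns NULL) rather than a deny, has a consequence practitioners regularly get wrong: a failed assertion does not stop the search, so a broader allow reachable through inheritance still grants access. The following is an added example for this page, not code from the Nette Framework or its documentation. It assumes IPermissionAssertion declares a single method with the signature assert(Permission $acl, $role, $resource, $privilege), and the OwnerAssertion, NotAssertion and canEdit names, as well as the article-owner table, are constructed for the example.

```php
<?php
// Added example for this page; it is not code from the Nette Framework or its
// documentation. Assumes IPermissionAssertion declares a single method with
// the signature assert(Permission $acl, $role, $resource, $privilege); check
// the interface in your Nette version before copying this.
use Nette\Security\Permission;
use Nette\Security\IPermissionAssertion;

/**
 * Passes only when the article targeted by the current request belongs to the
 * requesting user. The ACL hands assert() nothing but identifier strings, so
 * the request context is set on the assertion object before isAllowed().
 */
class OwnerAssertion implements IPermissionAssertion
{
	private $owners;   // constructed sample data: article id => owner login
	private $user;     // login of the requesting user
	private $article;  // id of the article the request targets

	public function __construct(array $owners)
	{
		$this->owners = $owners;
	}

	public function setContext($user, $article)
	{
		$this->user = $user;
		$this->article = $article;
		return $this;
	}

	public function assert(Permission $acl, $role, $resource, $privilege)
	{
		return isset($this->owners[$this->article])
			&& $this->owners[$this->article] === $this->user;
	}
}

/** Inverts another assertion; attach it to a deny rule to make a restriction binding. */
class NotAssertion implements IPermissionAssertion
{
	private $inner;

	public function __construct(IPermissionAssertion $inner)
	{
		$this->inner = $inner;
	}

	public function assert(Permission $acl, $role, $resource, $privilege)
	{
		return !$this->inner->assert($acl, $role, $resource, $privilege);
	}
}

/** Sets the request context, then asks the ACL about article/edit for $role. */
function canEdit(Permission $acl, OwnerAssertion $owner, $role, $user, $article)
{
	$owner->setContext($user, $article);
	return $acl->isAllowed($role, 'article', 'edit');
}

$owner = new OwnerAssertion(array(7 => 'alice', 8 => 'bob'));

$acl = new Permission;
$acl->addResource('article');
$acl->addRole('author');
$acl->allow('author', 'article', 'view');
$acl->allow('author', 'article', 'edit', $owner);  // intended: edit only your own articles

// For alice on #7 the assertion passes and the allow applies. For alice on #8
// it fails, the rule is skipped, and with nothing else on the path the
// whitelist default decides.
echo 'author, alice, #7: ', canEdit($acl, $owner, 'author', 'alice', 7) ? 'allow' : 'deny', "\n";
echo 'author, alice, #8: ', canEdit($acl, $owner, 'author', 'alice', 8) ? 'allow' : 'deny', "\n";

// Caveat: the same guarded allow on a role that inherits a broad allow does
// nothing, because the search continues past the inapplicable rule into the
// parent role and finds staff's unconditional allow.
$acl->addRole('staff');
$acl->allow('staff', 'article', 'edit');
$acl->addRole('contributor', 'staff');
$acl->allow('contributor', 'article', 'edit', $owner);
echo 'contributor, alice, #8: ', canEdit($acl, $owner, 'contributor', 'alice', 8) ? 'allow' : 'deny', "\n";

// Binding form: a deny whose assertion passes when the user is NOT the owner.
// Owners fall through to staff's allow; everyone else is denied on this role
// before any parent is consulted.
$acl->addRole('guardedContributor', 'staff');
$acl->deny('guardedContributor', 'article', 'edit', new NotAssertion($owner));
echo 'guardedContributor, alice, #7: ', canEdit($acl, $owner, 'guardedContributor', 'alice', 7) ? 'allow' : 'deny', "\n";
echo 'guardedContributor, alice, #8: ', canEdit($acl, $owner, 'guardedContributor', 'alice', 8) ? 'allow' : 'deny', "\n";
```

The rule of thumb that follows from the semantics documented above: use an assertion on an allow rule to widen access conditionally, and an (inverted) assertion on a deny rule to narrow it; an allow whose assertion fails never takes anything away that another rule grants.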