note: aco = access-controlled object (e.g. a resource), aro = access request object (e.g. a role); here a role is itself an aco, so it extends 'role based'.
$accessControl = new PHPRBAC_AccessControl();
$store = new PHPRBAC_Storage_NonPersistentStorage();
$accessControl->setStorage($store);

/*
 * Example 1: a direct grant.
 * Both the role and the resource are registered as ACOs, the role is allowed
 * 'action' on the resource, and the check reports that it is allowed.
 */
$store->addAco('role');
$store->addAco('resource');
$store->allow('role', 'action', 'resource');
$decision = $accessControl->isAllowed('role', 'action', 'resource');
var_dump($decision->isAllowed()); // true

/*
 * Example 2: inheritance through parents.
 * 'role' gets 'parentRole' as a parent and 'resource' gets 'parentResource';
 * the grant is made on the parents, and the check for the child role on
 * 'parentResource' still reports allowed.
 * (Author's note: 'addParent' may be an awkward name.)
 */
$store->addAco('parentRole');
$store->addParent('role', 'parentRole');
$store->addAco('parentResource');
$store->addParent('resource', 'parentResource');
$store->allow('parentRole', 'action', 'parentResource');
$decision = $accessControl->isAllowed('role', 'action', 'parentResource');
var_dump($decision->isAllowed()); // true

/*
 * Example 3: a criteria-bound ACO.
 * 'published' is a child of 'post' restricted by the criterion status = published.
 * 'visitor' is denied 'view' on 'post' but allowed it on 'published', so the
 * check on 'post' is neither a plain allow nor a plain deny: it is criterial.
 */
$store->addAco('post');
$publishedCriteria = [$accessControl->criteria()->eq('status', 'published')];
$store->addAco('published', $publishedCriteria);
$store->addParent('published', 'post');
$store->addAco('visitor');
$store->deny('visitor', 'view', 'post');
$store->allow('visitor', 'view', 'published');
$decision = $accessControl->isAllowed('visitor', 'view', 'post');
var_dump($decision->isAllowed());   // false
var_dump($decision->isDenied());    // false
var_dump($decision->isCriterial()); // true

// A rewriter turns the criteria into a SQL expression. Setting it per result is
// shown here; $accessControl->setCriteriaRewriter() would set a default rewriter.
$decision->setRewriter(new PHPRBAC_Criteria_Rewriter_MysqlExpressionRewriter());
// Intended use: SELECT * FROM posts WHERE <expression>
// NOTE(review): the output below is shown with an unquoted value; confirm the
// rewriter quotes/escapes literals before the expression is embedded in a query.
echo $decision->getCriteria(); // status = published
-checking an actual aco (only the returning-criteria part for now, as in example 3).
-caching the results
-binding of variables (so you can have dynamic criteria, e.g. $acl->criteria()->eq('user_id', ':user_id:'), for things like allowing users to edit their own posts).