OpenPSA API Documentation
\
midcom
datamanager
extension
transformer
type
helper
indexer
storage
container
template
validation
dba
events
grid
provider
routing
workflow

\midcom_core_privilege

Privilege class, used to interact with the privilege system. It encapsulates the actual Database Level Object. As usual with MidCOM DBA, you <i>must never access the DB layer object.</i>

The main area of expertise of this class is privilege IO (loading and storing), their validation and privilege merging.

It is important to understand that you must never load privilege records directly, or access them by their IDs. Instead, use the DBA level interface functions to locate existing privilege sets. The only time where you use this class directly is when creating new privilege, using the default constructor of this class (although the create_new_privilege_object DBA member methods are the preferred way of doing this).

Caching:

This class uses the memcache cache module to speed up ACL accesses. It caches the ACL objects retrieved from the database, not any merged privilege set (at this time, that is). This should speed up regular operations quite a bit (along with the parent guid cache, which is a second important key).

Summary

Methods
Properties
Constants
__construct()
__get()
__set()
__isset()
get_object()
set_object()
get_assignee()
is_magic_assignee()
set_assignee()
validate()
get_content_privileges()
get_self_privileges()
get_all_privileges()
get_privilege()
does_privilege_apply()
store()
drop()
No public properties found
No constants found
_query_privileges()
No protected properties found
N/A
_get_scope()
_get_privileges()
_load()
_sync_to_db_object()
_sync_from_db_object()
_invalidate_cache()
$__privilege
$__privilege_object
$__guid
$__cached_object
N/A

Properties

$__privilege

$__privilege : array

Cached actual midcom_core_privilege_db data for this privilege.

Type

array

$__privilege_object

$__privilege_object : \midcom_core_privilege_db

The actual midcom_core_privilege_db object for this privilege.

Type

\midcom_core_privilege_db

$__guid

$__guid : string

GUID of the midcom_core_privilege_db object, used when values are retrieved via collector instead of QB

Type

string

$__cached_object

$__cached_object : object

Cached content object, based on $objectguid.

Type

object

Methods

__construct()

__construct(\midcom_core_privilege_db  $src = null)

The Default constructor creates an empty privilege, if you specify another privilege object in the constructor, a copy is constructed.

Parameters

\midcom_core_privilege_db $src

Object to copy from.

__get()

__get(  $property)

Parameters

$property

__set()

__set(  $property,   $value)

Parameters

$property
$value

__isset()

__isset(  $property)

Parameters

$property

get_object()

get_object() : \midcom_core_dbaobject

A copy of the object referenced by the guid value of this privilege.

Returns

\midcom_core_dbaobject

The DBA object to which this privileges is assigned or false on failure (f.x. missing access permissions).

set_object()

set_object(object  $object)

Set a privilege to a given content object.

Parameters

object $object

A MidCOM DBA level object to which this privilege should be assigned to.

get_assignee()

get_assignee() : \midcom_core_user|\midcom_core_group|false

If the assignee has an object representation (at this time, only users and groups have), this call will return the assignee object held by the authentication service.

Use is_magic_assignee to determine if you have an assignee object.

Returns

\midcom_core_user|\midcom_core_group|false —

object as returned by the auth service, false on failure.

is_magic_assignee()

is_magic_assignee(  $assignee = null) : boolean

Checks whether the current assignee is a magic assignee or an object identifier.

Parameters

$assignee

Returns

boolean —

True if it is a magic assignee, false otherwise.

set_assignee()

set_assignee(mixed  $assignee) : boolean

Set the assignee member string to the correct value to represent the object passed, in general, this resolves users and groups to their strings and leaves magic assignees intact.

Possible argument types:

  • Any one of the magic assignees SELF, EVERYONE, ANONYMOUS, USERS.
  • Any midcom_core_user or midcom_core_group object or subtype thereof.
  • Any string identifier which can be resolved using midcom_services_auth::get_assignee().

Parameters

mixed $assignee

An assignee representation as outlined above.

Returns

boolean —

indicating success.

validate()

validate()

Validate the privilege for correctness of all set options. This includes:

  • A check against the list of registered privileges to ensure the existence of the privilege itself.
  • A check for a valid and existing assignee, this includes a class existence check for classname restrictions for SELF privileges.
  • A check for an existing content object GUID (this implicitly checks for midgard:read as well).
  • Enough privileges of the current user to update the object's privileges (the user must have midgard:update and midgard:privileges for this to succeed).
  • A valid privilege value.

get_content_privileges()

get_content_privileges(string  $guid) : array<mixed,\midcom_core_privilege>

List all content privileges assigned to a given object.

Essentially, this will exclude all SELF style assignees.

This function is for use in the authentication framework only.

Parameters

string $guid

A GUID to query.

Returns

array<mixed,\midcom_core_privilege>

get_self_privileges()

get_self_privileges(string  $guid) : array<mixed,\midcom_core_privilege>

List all privileges assigned directly to a user or group.

These are all SELF privileges.

This function is for use in the authentication framework only.

Parameters

string $guid

A GUID to query.

Returns

array<mixed,\midcom_core_privilege>

get_all_privileges()

get_all_privileges(string  $guid) : array<mixed,\midcom_core_privilege>

List all privileges assigned an object unfiltered.

This function is for use in the authentication framework only

Parameters

string $guid

The GUID of the object for which we should look up privileges.

Returns

array<mixed,\midcom_core_privilege>

get_privilege()

get_privilege(object  $object, string  $name, string  $assignee, string  $classname = '') : \midcom_core_privilege

Retrieve a single given privilege at a content object, identified by the combination of assignee and privilege name.

This call will return an object even if the privilege is set to INHERITED at the given object (i.e. does not exist) for consistency reasons. Errors are thrown for example on database inconsistencies.

This function is for use in the authentication framework only.

Parameters

object $object

The object to query.
string $name

The name of the privilege to query
string $assignee

The identifier of the assignee to query.
string $classname

The optional classname required only for class-limited SELF privileges.

Returns

\midcom_core_privilege

The privilege matching the constraints.

does_privilege_apply()

does_privilege_apply(string  $user_id) : boolean

Determine whether a given privilege applies for the given user in content mode. This means, that all SELF privileges are skipped at this point, EVERYONE privileges apply always, and all other privileges are checked against the user.

Parameters

string $user_id

The user id in question.

Returns

boolean —

Indicating whether the privilege record applies for the user, or not.

store()

store() : boolean

Store the privilege. This will validate it first and then either update an existing privilege record, or create a new one, depending on the DB state.

Returns

boolean —

Indicating success.

drop()

drop() : boolean

Drop the privilege. If we are a known DB record, we delete us, otherwise we return silently.

Returns

boolean —

Indicating success.

_query_privileges()

_query_privileges(string  $guid, string  $type) : array<mixed,\midcom_core_privilege>

Query the database for privileges and construct all necessary objects out of it.

Parameters

string $guid

The GUID of the object for which to query ACL data.
string $type

SELF or CONTENT

Returns

array<mixed,\midcom_core_privilege>

_get_scope()

_get_scope()

_get_privileges()

_get_privileges(string  $guid,   $type) : array<mixed,\midcom_core_privilege>

List all privileges assigned an object unfiltered.

Parameters

string $guid

The GUID of the object for which we should look up privileges.
$type

Returns

array<mixed,\midcom_core_privilege>

_load()

_load(  $src)

Parameters

$src

_sync_to_db_object()

_sync_to_db_object()

_sync_from_db_object()

_sync_from_db_object()

_invalidate_cache()

_invalidate_cache()

Invalidate the memcache after I/O operations