Privilege class, used to interact with the privilege system.

It encapsulates the actual Database Level Object. As usual with MidCOM DBA, you must never access the DB layer object.

The main area of expertise of this class is privilege IO (loading and storing), their validation and privilege merging.

It is important to understand that you must never load privilege records directly, or access them by their IDs. Instead, use the DBA level interface functions to locate existing privilege sets. The only time where you use this class directly is when creating new privilege, using the default constructor of this class (although the create_new_privilege_object DBA member methods are the preferred way of doing this).

Caching:

This class uses the memcache cache module to speed up ACL accesses. It caches the ACL objects retrieved from the database, not any merged privilege set (at this time, that is). This should speed up regular operations quite a bit (along with the parent guid cache, which is a second important key).

package midcom

 Methods

__construct (\midcom_core_privilege_db $src)

The Default constructor creates an empty privilege, if you specify another privilege object in the constructor, a copy is constructed.

Parameters

$src

\midcom_core_privilege_dbObject to copy from.

__get ($property)

Parameters

$property

__isset ($property)

Parameters

$property

__set ($property, $value)

Parameters

$property

$value

does_privilege_apply (string $user_id)

Internal helper function, determines whether a given privilege applies for the given user in content mode.

This means, that all SELF privileges are skipped at this point, EVERYONE privileges apply always, and all other privileges are checked against the user.

Parameters

$user_id

stringThe user id in question.

Returns

booleanIndicating whether the privilege record applies for the user, or not.

drop ()

Drop the privilege.

If we are a known DB record, we delete us, otherwise we return silently.

Returns

booleanIndicating success.

get_all_privileges (string $guid)

This is a static helper function which lists all privileges assigned an object unfiltered.
Static

This function is for use in the authentication framework only

Parameters

$guid

stringThe GUID of the object for which we should look up privileges.

Returns

ArrayA list of midcom_core_privilege instances.

get_assignee ()

If the assignee has an object representation (at this time, only users and groups have), this call will return a reference to the assignee object held by the authentication service.

Use is_magic_assignee to determine if you have an assignee object.

see \midcom_services_auth::get_assignee()

Returns

mixedA midcom_core_user or midcom_core_group object reference as returned by the auth service, returns false on failure.

get_content_privileges (string $guid)

This is a helper function which lists all content privileges assigned to a given object.
Static

Essentially, this will exclude all SELF style assignees.

This function is for use in the authentication framework only.

Parameters

$guid

stringA GUID to query.

Returns

ArrayA list of midcom_core_privilege instances.

get_object ()

A copy of the object referenced by the guid value of this privilege.

Returns

objectThe DBA object to which this privileges is assigned or false on failure (f.x. missing access permissions).

get_privilege (object $object, string $name, string $assignee, string $classname)

This is a helper function which retrieves a single given privilege at a content object, identified by the combination of assignee and privilege name.
Static

This call will return an object even if the privilege is set to INHERITED at the given object (i.e. does not exist) for consistency reasons. Errors are thrown for example on database inconsistencies.

This function is for use in the authentication framework only.

Parameters

$object

objectThe object to query.

$name

stringThe name of the privilege to query

$assignee

stringThe identifier of the assignee to query.

$classname

stringThe optional classname required only for class-limited SELF privileges.

Returns

\midcom_core_privilegeThe privilege matching the constraints.

get_self_privileges (string $guid)

This is a helper function which lists all privileges assigned directly to a user or group.
Static

These are all SELF privileges.

This function is for use in the authentication framework only.

Parameters

$guid

stringA GUID to query.

Returns

ArrayA list of midcom_core_privilege instances.

is_magic_assignee ($assignee)

Checks whether the current assignee is a magic assignee or an object identifier.

Parameters

$assignee

Returns

booleanTrue, if it is a magic assignee, false otherwise.

set_assignee (mixed $assignee)

This call sets the assignee member string to the correct value to represent the object passed, in general, this resolves users and groups to their strings and leaves magic assignees intact.

Possible argument types:

  • Any one of the magic assignees SELF, EVERYONE, ANONYMOUS, USERS.
  • Any midcom_core_user or midcom_core_group object or subtype thereof.
  • Any string identifier which can be resolved using midcom_services_auth::get_assignee().

Parameters

$assignee

mixed&$assignee An assignee representation as outlined above.

Returns

booleanindicating success.

set_object (object $object)

Set a privilege to a given content object.

Parameters

$object

objectA MidCOM DBA level object to which this privilege should be assigned to.

store ()

Store the privilege.

This will validate it first and then either update an existing privilege record, or create a new one, depending on the DB state.

Returns

booleanIndicating success.

validate ()

This call validates the privilege for correctness of all set options.

This includes:

  • A check against the list of registered privileges to ensure the existence of the privilege itself.
  • A check for a valid and existing assignee, this includes a class existence check for classname restrictions for SELF privileges.
  • A check for an existing content object GUID (this implicitly checks for midgard:read as well).
  • Enough privileges of the current user to update the object's privileges (the user must have midgard:update and midgard:privileges for this to succeed).
  • A valid privilege value.

_query_privileges (string $guid, string $type)

This is an internal helper function used by get_all_privileges in case that there is no cache hit.
Static

It will query the database and construct all necessary objects out of it.

Parameters

$guid

stringThe GUID of the object for which to query ACL data.

$type

stringSELF or CONTENT

Returns

ArrayA list of midcom_core_privilege instances.

_get_privileges (string $guid, $type)

This is a static helper function which lists all privileges assigned an object unfiltered.
Static

Parameters

$guid

stringThe GUID of the object for which we should look up privileges.

$type

Returns

ArrayA list of midcom_core_privilege instances.

_get_scope ()

_invalidate_cache ()

This is an internal helper called after all I/O operation which invalidates the memcache accordingly.

_load ($src)

Parameters

$src

_sync_from_db_object ()

_sync_to_db_object ()

 Properties

 

object $__cached_object

Cached content object, based on $objectguid.
 

string $__guid

GUID of the midcom_core_privilege_db object, used when values are retrieved via collector instead of QB
 

array $__privilege

Cached actual midcom_core_privilege_db data for this privilege.
 

\midcom_core_privilege_db $__privilege_object

The actual midcom_core_privilege_db object for this privilege.