 * API for role-based access control
 * Defined at Planetforge.org
 * Copyright 2010, Roland Mas
 * This file is part of FusionForge. FusionForge is free software;
 * you can redistribute it and/or modify it under the terms of the
 * GNU General Public License as published by the Free Software
 * Foundation; either version 2 of the Licence, or (at your option)
 * FusionForge is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 * GNU General Public License for more details.
 * You should have received a copy of the GNU General Public License along
 * with FusionForge; if not, write to the Free Software Foundation, Inc.,
 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
// See http://wiki.planetforge.org/index.php/RBAC_API#Interfaces
// Constants identifying the role classes. Each PFO_Role* sub-interface
// exposes its own value through its `roleclass` constant.
define('PFO_ROLE_EXPLICIT', 1);
define('PFO_ROLE_ANONYMOUS', 2);
define('PFO_ROLE_LOGGEDIN', 3);
define('PFO_ROLE_UNION', 4);
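/**
 * Interface for the RBAC engine.
 *
 * This interface is meant to be implemented with a singleton pattern
 * (see getInstance()). Its methods use the session management to decide
 * which roles are available within the current session (if any), and to
 * answer the question "Does the current client have the permission for
 * this action?". The other questions it answers are "does another account
 * have the permission for that action?" and, more generically, "who is
 * allowed that action?".
 *
 * NOTE(review): the interface does not specify what a NULL $action means,
 * nor what the answer is for a section, reference or action the engine
 * does not know about. Implementations should document that such queries
 * are answered "not allowed" — confirm against the concrete engine.
 */
interface PFO_RBACEngine
{
    /**
     * Returns the engine singleton.
     *
     * @return PFO_RBACEngine
     */
    public static function getInstance();

    /**
     * Returns the roles available to the user in the current session.
     * The roles come from the session, not from an explicit user argument.
     *
     * @return array presumably a list of PFO_Role — confirm with the implementation
     */
    public function getAvailableRoles();

    /**
     * Is the current client allowed to perform $action on $reference in $section?
     *
     * @param string $section
     * @param mixed $reference object the action applies to (group_id, ...)
     * @param string|null $action meaning of NULL is not specified here
     * @return bool
     */
    public function isActionAllowed($section, $reference, $action = NULL);

    /**
     * Is the current client allowed to perform $action in $section,
     * independently of any reference object?
     *
     * @param string $section
     * @param string|null $action
     * @return bool
     */
    public function isGlobalActionAllowed($section, $action = NULL);

    /**
     * Same as isActionAllowed(), but for an explicit account rather than
     * the current session.
     *
     * @param mixed $user the account to check — its type is not specified here
     * @param string $section
     * @param mixed $reference
     * @param string|null $action
     * @return bool
     */
    public function isActionAllowedForUser($user, $section, $reference, $action = NULL);

    /**
     * Same as isGlobalActionAllowed(), but for an explicit account.
     *
     * @param mixed $user
     * @param string $section
     * @param string|null $action
     * @return bool
     */
    public function isGlobalActionAllowedForUser($user, $section, $action = NULL);

    /**
     * Which roles are allowed $action on $reference in $section?
     *
     * @param string $section
     * @param mixed $reference
     * @param string|null $action
     * @return array presumably a list of PFO_Role — confirm with the implementation
     */
    public function getRolesByAllowedAction($section, $reference, $action = NULL);

    /**
     * Which users are allowed $action on $reference in $section?
     *
     * @param string $section
     * @param mixed $reference
     * @param string|null $action
     * @return array the user representation is not specified here
     */
    public function getUsersByAllowedAction($section, $reference, $action = NULL);
}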
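/*
 * Interfaces for the capabilities
 */

/**
 * Abstract interface for a role, not meant to be implemented directly:
 * concrete roles implement one of the PFO_Role* sub-interfaces, each of
 * which carries a `roleclass` constant.
 *
 * NOTE(review): the interface does not say whether a role's permissions
 * are additive across linked projects or scoped to each; confirm with the
 * implementation before relying on hasPermission() for a linked project.
 */
interface PFO_Role
{
    /** @return string the role's name */
    public function getName();

    /** @param string $name */
    public function setName($name);

    /** @return mixed the role's identifier — its type is not specified here */
    public function getID();

    /**
     * Whether the role is flagged public.
     * NOTE(review): what "public" grants is not specified in this interface.
     *
     * @return bool
     */
    public function isPublic();

    /** @param bool $flag */
    public function setPublic($flag);

    /**
     * Home project of the role, or NULL if the role is "floating".
     */
    public function getHomeProject();

    /** @return array the projects this role is linked to */
    public function getLinkedProjects();

    /** @param mixed $project project to link this role to */
    public function linkProject($project);

    /** @param mixed $project project to unlink this role from */
    public function unlinkProject($project);

    /** @return array the members of this role */
    public function getUsers();

    /**
     * Is $user a member of this role?
     *
     * @param mixed $user
     * @return bool
     */
    public function hasUser($user);

    /**
     * Does this role grant $action on $reference in $section?
     *
     * @param string $section
     * @param mixed $reference object the action applies to (group_id, ...)
     * @param string|null $action meaning of NULL is not specified here
     * @return bool
     */
    public function hasPermission($section, $reference, $action = NULL);

    /**
     * Does this role grant $action in $section, independently of a reference?
     *
     * @param string $section
     * @param string|null $action
     * @return bool
     */
    public function hasGlobalPermission($section, $action = NULL);

    /**
     * Settings persistence. The shape of the settings data is not
     * specified in this interface — see the implementation.
     */
    public function normalizeData();

    /** @return mixed the role's settings */
    public function getSettings();

    /**
     * @param mixed $project
     * @return mixed the role's settings restricted to $project
     */
    public function getSettingsForProject($project);

    /** @param mixed $data settings to store */
    public function setSettings($data);
}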
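/**
 * Standard, explicit membership role (members are a list of usernames).
 */
interface PFO_RoleExplicit extends PFO_Role
{
    const roleclass = PFO_ROLE_EXPLICIT;

    /** @param array $users usernames to add — confirm whether user objects are also accepted */
    public function addUsers($users);

    /** @param array $users usernames to remove */
    public function removeUsers($users);
}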
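/**
 * Role composed of other roles, managed through addRole()/removeRole().
 *
 * NOTE(review): the interface does not state that the membership is the
 * union of the member roles' users, as the name suggests — confirm with
 * the implementation.
 */
interface PFO_RoleUnion extends PFO_Role
{
    const roleclass = PFO_ROLE_UNION;

    /** @param PFO_Role $role role to add to the union */
    public function addRole($role);

    /** @param PFO_Role $role role to remove from the union */
    public function removeRole($role);
}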
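/**
 * Implicit membership role: always applying.
 *
 * Global scope (public, no home project), always available (even when
 * logged in). hasUser() always returns true, so any permission granted to
 * this role is effectively granted to every client, authenticated or not.
 */
interface PFO_RoleAnonymous extends PFO_Role
{
    const roleclass = PFO_ROLE_ANONYMOUS;
}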
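/**
 * Implicit membership role: the client has opened a session.
 *
 * Global scope (public, no home project), available whenever a valid
 * session is opened. hasUser() always returns true, so any permission
 * granted to this role applies to every authenticated client.
 */
interface PFO_RoleLoggedin extends PFO_Role
{
    const roleclass = PFO_ROLE_LOGGEDIN;
}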
// c-file-style: "bsd"