diff --git a/library/Icinga/Authentication/AdmissionLoader.php b/library/Icinga/Authentication/AdmissionLoader.php
index 391622fb1..0a80be127 100644
--- a/library/Icinga/Authentication/AdmissionLoader.php
+++ b/library/Icinga/Authentication/AdmissionLoader.php
@@ -5,6 +5,7 @@ namespace Icinga\Authentication;
 use Icinga\Application\Config;
 use Icinga\Application\Logger;
+use Icinga\Authentication\Role;
 use Icinga\Exception\NotReadableError;
 use Icinga\Data\ConfigObject;
 use Icinga\User;
@@ -43,16 +44,12 @@ class AdmissionLoader
 }
 /**
- * Get user permissions and restrictions
+ * Apply permissions, restrictions and roles to the given user
- *
- * @param User $user
- *
- * @return array
+ * @param User $user
 */
- public function getPermissionsAndRestrictions(User $user)
+ public function applyRoles(User $user)
 {
- $permissions = array();
- $restrictions = array();
 $username = $user->getUsername();
 try {
 $roles = Config::app('roles');
@@ -62,14 +59,18 @@ class AdmissionLoader
 $username,
 $e
 );
- return array($permissions, $restrictions);
+ return;
 }
 $userGroups = $user->getGroups();
- foreach ($roles as $role) {
+ $permissions = array();
+ $restrictions = array();
+ $roleObjs = array();
+ foreach ($roles as $roleName => $role) {
 if ($this->match($username, $userGroups, $role)) {
+ $permissionsFromRole = StringHelper::trimSplit($role->permissions);
 $permissions = array_merge(
 $permissions,
- array_diff(StringHelper::trimSplit($role->permissions), $permissions)
+ array_diff($permissionsFromRole, $permissions)
 );
 $restrictionsFromRole = $role->toArray();
 unset($restrictionsFromRole['users']);
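Review bot: The `return;` added in the catch block of the -62 hunk exits before any of the three setters at the end of applyRoles run, so when Config::app('roles') throws the user keeps whatever permissions, restrictions and roles it already carried; the old code handed Auth empty arrays that were then set explicitly. For the freshly built user in Auth this presumably yields the same empty state, but applyRoles itself no longer guarantees a fail-closed result if it is ever called on a user that already has admissions applied. Consider resetting before returning — `$user->setPermissions(array()); $user->setRestrictions(array()); $user->setRoles(array());` — or state in the applyRoles docblock (hunk -43) that the user is left untouched when the roles config is unreadable. applyRoles continues past the end of this hunk.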
@@ -81,8 +82,16 @@ class AdmissionLoader
 }
 $restrictions[$name][] = $restriction;
 }
+
+ $roleObj = new Role();
+ $roleObjs[] = $roleObj
+ ->setName($roleName)
+ ->setPermissions($permissionsFromRole)
+ ->setRestrictions($restrictionsFromRole);
 }
 }
- return array($permissions, $restrictions);
+ $user->setPermissions($permissions);
+ $user->setRestrictions($restrictions);
+ $user->setRoles($roleObjs);
 }
 }
diff --git a/library/Icinga/Authentication/Auth.php b/library/Icinga/Authentication/Auth.php
index 9fb43922c..392a59d71 100644
--- a/library/Icinga/Authentication/Auth.php
+++ b/library/Icinga/Authentication/Auth.php
@@ -160,9 +160,7 @@ class Auth
 }
 $user->setGroups($groups);
 $admissionLoader = new AdmissionLoader();
- list($permissions, $restrictions) = $admissionLoader->getPermissionsAndRestrictions($user);
- $user->setPermissions($permissions);
- $user->setRestrictions($restrictions);
+ $admissionLoader->applyRoles($user);
 $this->user = $user;
 if ($persist) {
 $this->persistCurrentUser();
diff --git a/library/Icinga/Authentication/Role.php b/library/Icinga/Authentication/Role.php
new file mode 100644
index 000000000..f00d063e2
--- /dev/null
+++ b/library/Icinga/Authentication/Role.php
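Review bot: `->setRestrictions($restrictionsFromRole)` stores the per-role restriction values as they come out of the config section, while `$restrictions[$name][] = $restriction;` a few lines above folds those same values into a list per name for the user, so Role::getRestrictions($name) and User::getRestrictions presumably return different shapes for the same restriction name. Neither Role.php's `@return string[]|null` on getRestrictions nor User.php's `@param string[] $restrictions` on setRestrictions (hunk -229) conveys this; `@param array $restrictions Restriction name => list of restriction strings` on the User setter and a matching sentence on Role::getRestrictions would spare the next reader a trip through AdmissionLoader. applyRoles starts outside this hunk, so the lines that strip `groups` and `permissions` from `$restrictionsFromRole` were not visible for this check.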
@@ -0,0 +1,109 @@
+name;
+ }
+
+ /**
+ * Set the name of the role
+ *
+ * @param string $name
+ *
+ * @return $this
+ */
+ public function setName($name)
+ {
+ $this->name = $name;
+ return $this;
+ }
+
+ /**
+ * Get the permissions of the role
+ *
+ * @return string[]
+ */
+ public function getPermissions()
+ {
+ return $this->permissions;
+ }
+
+ /**
+ * Set the permissions of the role
+ *
+ * @param string[] $permissions
+ *
+ * @return $this
+ */
+ public function setPermissions(array $permissions)
+ {
+ $this->permissions = $permissions;
+ return $this;
+ }
+
+ /**
+ * Get the restrictions of the role
+ *
+ * @param string $name Optional name of the restriction
+ *
+ * @return string[]|null
+ */
+ public function getRestrictions($name = null)
+ {
+ $restrictions = $this->restrictions;
+
+ if ($name === null) {
+ return $restrictions;
+ }
+
+ if (isset($restrictions[$name])) {
+ return $restrictions[$name];
+ }
+
+ return null;
+ }
+
+ /**
+ * Set the restrictions of the role
+ *
+ * @param string[] $restrictions
+ *
+ * @return $this
+ */
+ public function setRestrictions(array $restrictions)
+ {
+ $this->restrictions = $restrictions;
+ return $this;
+ }
+}
diff --git a/library/Icinga/User.php b/library/Icinga/User.php
index cbd8c4743..738df109e 100644
--- a/library/Icinga/User.php
+++ b/library/Icinga/User.php
@@ -6,6 +6,7 @@ namespace Icinga;
 use DateTimeZone;
 use InvalidArgumentException;
 use Icinga\Application\Config;
+use Icinga\Authentication\Role;
 use Icinga\User\Preferences;
 use Icinga\Web\Navigation\Navigation;
@@ -91,6 +92,13 @@ class User
 */
 protected $groups = array();
+ /**
+ * Roles of this user
+ *
+ * @var Role[]
+ */
+ protected $roles = array();
+ /**
+ * Preferences object
+ *
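Review bot: getRestrictions() copies the property into `$restrictions` before every lookup; the copy adds nothing, and the method reads more directly as `if ($name === null) { return $this->restrictions; }` followed by `return isset($this->restrictions[$name]) ? $this->restrictions[$name] : null;`. Because the named lookup goes through isset(), a restriction whose stored value is null is reported as absent, which is presumably fine for values read from the roles config but deserves a sentence in the docblock if null values are ever possible. The beginning of this hunk — the file header, the class declaration, its properties and getName() — is not visible in this view, so those lines were not reviewed.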
@@ -229,13 +237,39 @@ class User
 }
 /**
- * Settter for restrictions
+ * Set the user's restrictions
- *
- * @param array $restrictions
+ * @param string[] $restrictions
+ *
+ * @return $this
 */
 public function setRestrictions(array $restrictions)
 {
 $this->restrictions = $restrictions;
+ return $this;
+ }
+
+ /**
+ * Get the roles of the user
+ *
+ * @return Role[]
+ */
+ public function getRoles()
+ {
+ return $this->roles;
+ }
+
+ /**
+ * Set the roles of the user
+ *
+ * @param Role[] $roles
+ *
+ * @return $this
+ */
+ public function setRoles(array $roles)
+ {
+ $this->roles = $roles;
+ return $this;
 }
 /**