ACL_LINK_PROP
Provides ACL management.
A WebAcl object stores access control rules for a given FedoraResource object and provides methods to manipulate them.
Static methods provide a way to adjust class-oriented access control rules.
Keeping ACL rules in order is very troublesome in general.
The first problem is that every ACL resource can contain rules for any combination of users, groups, classes, resources and access modes. While the repo-php-util can follow some guidelines on write (e.g. "only one resource/class described in a single acl resource"), it must be able to cope with any mess on read.
Another big problem is tracking the current set of all rules connected with a given resource. It requires either inspecting the whole ACL collection (which is terribly slow but reliable) or querying a triplestore (which is fast but unreliable, as the triplestore is synchronized only at the transaction commit). This problem is not fully addressed by this class. During a transaction it provides proper tracking for the rules describing user/group access rights to particular resources. Tracking is not provided for rules describing access rights to classes or for rules specifying access rights to more than one resource and/or class. This means you must commit a transaction and call the reload() method on all WebAcl objects after every change made to class ACL rules to keep your WebAcl objects up to date.
When a compound rule (one describing more than one class and/or resource) is encountered, it is automatically split into "simple" rules (each describing exactly one resource/class). As with class rules, a transaction commit and reload() calls on WebAcl objects are required to make the WebAcl objects aware of this transformation.
$res : \acdhOeaw\fedora\FedoraResource
FedoraResource for which ACL rules are stored.
setAutosave(boolean $autosave)
When autosave is turned on, all changes to `WebAclRule` objects are immediately synced with the Fedora.
It is convenient but may be slower if you apply many rules to a single resource (e.g. when you grant the same access rights to many users).
When autosave is off, you must call the save() method for the changes to be propagated to Fedora (of course you must also commit a transaction separately to make them persistent).
boolean | $autosave |
__construct(\acdhOeaw\fedora\FedoraResource $res)
Creates a WebAcl object
\acdhOeaw\fedora\FedoraResource | $res | corresponding Fedora resource |
revokeAll(integer $mode = \acdhOeaw\fedora\acl\WebAclRule::READ) : \acdhOeaw\fedora\acl\WebAcl
Revokes privileges from all users, groups and classes for a given Fedora resource.
Only rules directly targeting the given resource are removed. Rules inherited from Fedora parents sharing the same ACL are not affected.
If $mode equals WebAclRule::WRITE, all privileges are limited to WebAclRule::READ.
If $mode equals WebAclRule::READ, all privileges are revoked.
integer | $mode | WebAclRule::READ or WebAclRule::WRITE |
getMode(string $type, string $name = null, boolean $inherited = true) : integer
Returns effective access rights for a given user/group.
string | $type | WebAclRule::USER or WebAclRule::Group |
string | $name | user/group name |
boolean | $inherited | should rules inherited from parent resources (in Fedora terms) be taken into account? |
(WebAclRule::READ or WebAclRule::WRITE)
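A read-only lockdown built from the methods documented above, as an added example that is not part of the repo-php-util code base. It assumes an already configured `Fedora` connection whose `begin()` and `commit()` methods handle transactions (they are not documented on this page); the function name `lockDownToReadOnly` and the `$users` list are illustrative.

```php
<?php
// Added example, not the project's own code.
use acdhOeaw\fedora\Fedora;
use acdhOeaw\fedora\FedoraResource;
use acdhOeaw\fedora\acl\WebAcl;
use acdhOeaw\fedora\acl\WebAclRule;

/**
 * Downgrades every direct grant on $res to read-only and reports which of
 * the given users can still write afterwards.
 *
 * @param Fedora         $fedora open repository connection (set up by the caller)
 * @param FedoraResource $res    resource to lock down
 * @param string[]       $users  user names to audit (caller-supplied)
 * @return string[] users who still hold WRITE through inherited rules
 */
function lockDownToReadOnly(Fedora $fedora, FedoraResource $res, array $users): array {
    $fedora->begin();                   // assumption: transaction API of the Fedora class

    $acl = new WebAcl($res);
    $acl->setAutosave(false);           // batch the changes instead of syncing each rule
    $acl->revokeAll(WebAclRule::WRITE); // WRITE => all privileges are limited to READ
    $acl->save();                       // required because autosave is off

    $fedora->commit();                  // assumption: makes the changes persistent
    $acl->reload();                     // refresh the object after the commit

    $stillWritable = [];
    foreach ($users as $user) {
        $direct    = $acl->getMode(WebAclRule::USER, $user, false);
        $effective = $acl->getMode(WebAclRule::USER, $user, true);
        // revokeAll() removes only rules targeting $res directly, so a WRITE
        // that survives here comes from a rule inherited from a Fedora parent.
        if ($direct !== WebAclRule::WRITE && $effective === WebAclRule::WRITE) {
            $stillWritable[] = $user;
        }
    }
    return $stillWritable;
}
```

A non-empty result means the restriction has to be applied on the parent resource that carries the inherited rule.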
createAcl()
Creates an ACL attached directly to a given resource.
All rules describing the resource in the ACL currently in effect are automatically moved to the newly created ACL.
The resource has to exist permanently in the repository for the operation to succeed (you cannot create a resource's ACL within the same transaction in which the resource was created). If this is not the case, a NotFound exception is raised.
If an ACL attached directly to the resource already exists, nothing happens.
deleteAcl() : \acdhOeaw\fedora\acl\WebAcl
Removes the ACL directly attached to this resource.
If there is no such ACL, an error is thrown.
initRules(\EasyRdf\Sparql\Result $results, \acdhOeaw\fedora\Fedora $fedora, string $aclUrl) : array
Preprocesses rules fetched from the SPARQL query:
- skips rules which no longer exist in Fedora
- splits compound rules into simple ones
\EasyRdf\Sparql\Result | $results | SPARQL result set containing a |
\acdhOeaw\fedora\Fedora | $fedora | Fedora connection object |
string | $aclUrl | URL of the ACL where split rules (if there are any) should be saved |
collection of WebAclRule objects