Authorization
From harmoni
AuthZ provides an implementation of a hierarchical authorization system. Polyphony's authorization module provides tools for managing authorizations.
Contents |
Usage
Configuration
// :: Set up the DatabaseManager ::
$configuration =& new ConfigurationProperties;
Services::startManagerAsService("DatabaseManager", $context, $configuration);
//Set up the database connection
$databaseManager =& Services::getService("DatabaseManager");
$dbName = "adam_concerto";
$dbID = $databaseManager->addDatabase( new MySQLDatabase("localhost", $dbName,"test","*****") );
$databaseManager->pConnect($dbID);
unset($databaseManager); // done with that for now
// :: Set up the Authorization System ::
$configuration =& new ConfigurationProperties;
$configuration->addProperty('database_index', $dbID);
$configuration->addProperty('database_name', $dbName);
Services::startManagerAsService("AuthorizationManager", $context, $configuration);
Function Creation
When you application is first installed/configured you will most likely need to define some functions which you will later check to see if users are authorized to do.
...
$authZManager =& Services::getService("AuthorizationManager");
$idManager =& Services::getService("IdManager");
$qualifierHierarchyId =& $hierarchyId; // Id from above
$type =& new Type ("Authorization", "Concerto", "Editing", "Functions for editing.");
$id =& $idManager->createId();
$function =& $authZManager->createFunction($id, "Add Children", "Add children to this qualifier.", $type, $qualifierHierarchyId);
...
Authorization Checking
Inside your actions, isUserAuthorized() is the only method needed to check for appropriate authorization for the currently authenticated Agent(s). You must however, know the id of the Function that you wish to check authorizations for, as well as the Id of the node in the qualifier hierarchy at which you wish to check authorization.
...
// Check for our authorization function definitions
if (!defined("AZ_ADD_CHILDREN"))
throwError(new Error("You must define an id for AZ_ADD_CHILDREN", "concerto.collection", true));
// Check that the user can create a collection here.
$authZ =& Services::getService("AuthZ");
$idManager =& Services::getService("Id");
if (!$authZ->isUserAuthorized($idManager->getId(AZ_ADD_CHILDREN), $node->getId())) {
print _("You are not authorized to create a <em>Collection</em>.");
return;
}
// Continue with the action if the user is authorized.
Implementation Notes
Dependencies
The Authorization OSID implementation makes use of the Id, Authentication, and Hierarchy OSIDs and expects implementations of them to be available through the Services API.
While the AuthorizationManager makes only OSID calls to the Hierarchy, a caching system called the IsAuthorizedCache queries the Hierarchy implementation's tables directly in order to get around some performance limitations. As such the current implementation has a dependency on the Hierarchy implementation, though the dependency could be easily removed as needed by updating the IsAuthorizedCache.
