BenoitCier
/
Opendistrib
bifurqué depuis Laclic/Souke
Suivre 1
Ajouter aux favoris 0
Bifurcation 0
Code Tickets 0 Demandes d'ajout 0 Versions 0 Wiki Activité
Vous ne pouvez pas sélectionner plus de 25 sujets Les noms de sujets doivent commencer par une lettre ou un nombre, peuvent contenir des tirets ('-') et peuvent comporter jusqu'à 35 caractères.
46 Révisions
2 Branches
Aborescence: 57ad0b4f06
Branches Tags
${ item.name }
Créer la branche ${ searchTerm }
de '57ad0b4f06'
${ noResults }
Opendistrib/vendor/yiisoft/yii2/rbac/DbManager.php

984 lines
29KB
Brut Annotations Historique 

  1. <?php

  2. /**

  3.  * @link http://www.yiiframework.com/

  4.  * @copyright Copyright (c) 2008 Yii Software LLC

  5.  * @license http://www.yiiframework.com/license/

  6.  */

  7. 

  8. namespace yii\rbac;

  9. 

  10. use Yii;

  11. use yii\caching\Cache;

  12. use yii\db\Connection;

  13. use yii\db\Query;

  14. use yii\db\Expression;

  15. use yii\base\InvalidCallException;

  16. use yii\base\InvalidParamException;

  17. use yii\di\Instance;

  18. 

  19. /**

  20.  * DbManager represents an authorization manager that stores authorization information in database.

  21.  *

  22.  * The database connection is specified by [[db]]. The database schema could be initialized by applying migration:

  23.  *

  24.  * ```

  25.  * yii migrate --migrationPath=@yii/rbac/migrations/

  26.  * ```

  27.  *

  28.  * If you don't want to use migration and need SQL instead, files for all databases are in migrations directory.

  29.  *

  30.  * You may change the names of the tables used to store the authorization and rule data by setting [[itemTable]],

  31.  * [[itemChildTable]], [[assignmentTable]] and [[ruleTable]].

  32.  *

  33.  * @author Qiang Xue <qiang.xue@gmail.com>

  34.  * @author Alexander Kochetov <creocoder@gmail.com>

  35.  * @since 2.0

  36.  */

  37. class DbManager extends BaseManager

  38. {

  39.     /**

  40.      * @var Connection|array|string the DB connection object or the application component ID of the DB connection.

  41.      * After the DbManager object is created, if you want to change this property, you should only assign it

  42.      * with a DB connection object.

  43.      * Starting from version 2.0.2, this can also be a configuration array for creating the object.

  44.      */

  45.     public $db = 'db';

  46.     /**

  47.      * @var string the name of the table storing authorization items. Defaults to "auth_item".

  48.      */

  49.     public $itemTable = '{{%auth_item}}';

  50.     /**

  51.      * @var string the name of the table storing authorization item hierarchy. Defaults to "auth_item_child".

  52.      */

  53.     public $itemChildTable = '{{%auth_item_child}}';

  54.     /**

  55.      * @var string the name of the table storing authorization item assignments. Defaults to "auth_assignment".

  56.      */

  57.     public $assignmentTable = '{{%auth_assignment}}';

  58.     /**

  59.      * @var string the name of the table storing rules. Defaults to "auth_rule".

  60.      */

  61.     public $ruleTable = '{{%auth_rule}}';

  62.     /**

  63.      * @var Cache|array|string the cache used to improve RBAC performance. This can be one of the following:

  64.      *

  65.      * - an application component ID (e.g. `cache`)

  66.      * - a configuration array

  67.      * - a [[\yii\caching\Cache]] object

  68.      *

  69.      * When this is not set, it means caching is not enabled.

  70.      *

  71.      * Note that by enabling RBAC cache, all auth items, rules and auth item parent-child relationships will

  72.      * be cached and loaded into memory. This will improve the performance of RBAC permission check. However,

  73.      * it does require extra memory and as a result may not be appropriate if your RBAC system contains too many

  74.      * auth items. You should seek other RBAC implementations (e.g. RBAC based on Redis storage) in this case.

  75.      *

  76.      * Also note that if you modify RBAC items, rules or parent-child relationships from outside of this component,

  77.      * you have to manually call [[invalidateCache()]] to ensure data consistency.

  78.      *

  79.      * @since 2.0.3

  80.      */

  81.     public $cache;

  82.     /**

  83.      * @var string the key used to store RBAC data in cache

  84.      * @see cache

  85.      * @since 2.0.3

  86.      */

  87.     public $cacheKey = 'rbac';

  88. 

  89.     /**

  90.      * @var Item[] all auth items (name => Item)

  91.      */

  92.     protected $items;

  93.     /**

  94.      * @var Rule[] all auth rules (name => Rule)

  95.      */

  96.     protected $rules;

  97.     /**

  98.      * @var array auth item parent-child relationships (childName => list of parents)

  99.      */

  100.     protected $parents;

  101. 

  102. 

  103.     /**

  104.      * Initializes the application component.

  105.      * This method overrides the parent implementation by establishing the database connection.

  106.      */

  107.     public function init()

  108.     {

  109.         parent::init();

  110.         $this->db = Instance::ensure($this->db, Connection::className());

  111.         if ($this->cache !== null) {

  112.             $this->cache = Instance::ensure($this->cache, Cache::className());

  113.         }

  114.     }

  115. 

  116.     /**

  117.      * @inheritdoc

  118.      */

  119.     public function checkAccess($userId, $permissionName, $params = [])

  120.     {

  121.         $assignments = $this->getAssignments($userId);

  122.         $this->loadFromCache();

  123.         if ($this->items !== null) {

  124.             return $this->checkAccessFromCache($userId, $permissionName, $params, $assignments);

  125.         } else {

  126.             return $this->checkAccessRecursive($userId, $permissionName, $params, $assignments);

  127.         }

  128.     }

  129. 

  130.     /**

  131.      * Performs access check for the specified user based on the data loaded from cache.

  132.      * This method is internally called by [[checkAccess()]] when [[cache]] is enabled.

  133.      * @param string|integer $user the user ID. This should can be either an integer or a string representing

  134.      * the unique identifier of a user. See [[\yii\web\User::id]].

  135.      * @param string $itemName the name of the operation that need access check

  136.      * @param array $params name-value pairs that would be passed to rules associated

  137.      * with the tasks and roles assigned to the user. A param with name 'user' is added to this array,

  138.      * which holds the value of `$userId`.

  139.      * @param Assignment[] $assignments the assignments to the specified user

  140.      * @return boolean whether the operations can be performed by the user.

  141.      * @since 2.0.3

  142.      */

  143.     protected function checkAccessFromCache($user, $itemName, $params, $assignments)

  144.     {

  145.         if (!isset($this->items[$itemName])) {

  146.             return false;

  147.         }

  148. 

  149.         $item = $this->items[$itemName];

  150. 

  151.         Yii::trace($item instanceof Role ? "Checking role: $itemName" : "Checking permission: $itemName", __METHOD__);

  152. 

  153.         if (!$this->executeRule($user, $item, $params)) {

  154.             return false;

  155.         }

  156. 

  157.         if (isset($assignments[$itemName]) || in_array($itemName, $this->defaultRoles)) {

  158.             return true;

  159.         }

  160. 

  161.         if (!empty($this->parents[$itemName])) {

  162.             foreach ($this->parents[$itemName] as $parent) {

  163.                 if ($this->checkAccessFromCache($user, $parent, $params, $assignments)) {

  164.                     return true;

  165.                 }

  166.             }

  167.         }

  168. 

  169.         return false;

  170.     }

  171. 

  172.     /**

  173.      * Performs access check for the specified user.

  174.      * This method is internally called by [[checkAccess()]].

  175.      * @param string|integer $user the user ID. This should can be either an integer or a string representing

  176.      * the unique identifier of a user. See [[\yii\web\User::id]].

  177.      * @param string $itemName the name of the operation that need access check

  178.      * @param array $params name-value pairs that would be passed to rules associated

  179.      * with the tasks and roles assigned to the user. A param with name 'user' is added to this array,

  180.      * which holds the value of `$userId`.

  181.      * @param Assignment[] $assignments the assignments to the specified user

  182.      * @return boolean whether the operations can be performed by the user.

  183.      */

  184.     protected function checkAccessRecursive($user, $itemName, $params, $assignments)

  185.     {

  186.         if (($item = $this->getItem($itemName)) === null) {

  187.             return false;

  188.         }

  189. 

  190.         Yii::trace($item instanceof Role ? "Checking role: $itemName" : "Checking permission: $itemName", __METHOD__);

  191. 

  192.         if (!$this->executeRule($user, $item, $params)) {

  193.             return false;

  194.         }

  195. 

  196.         if (isset($assignments[$itemName]) || in_array($itemName, $this->defaultRoles)) {

  197.             return true;

  198.         }

  199. 

  200.         $query = new Query;

  201.         $parents = $query->select(['parent'])

  202.             ->from($this->itemChildTable)

  203.             ->where(['child' => $itemName])

  204.             ->column($this->db);

  205.         foreach ($parents as $parent) {

  206.             if ($this->checkAccessRecursive($user, $parent, $params, $assignments)) {

  207.                 return true;

  208.             }

  209.         }

  210. 

  211.         return false;

  212.     }

  213. 

  214.     /**

  215.      * @inheritdoc

  216.      */

  217.     protected function getItem($name)

  218.     {

  219.         if (empty($name)) {

  220.             return null;

  221.         }

  222. 

  223.         if (!empty($this->items[$name])) {

  224.             return $this->items[$name];

  225.         }

  226. 

  227.         $row = (new Query)->from($this->itemTable)

  228.             ->where(['name' => $name])

  229.             ->one($this->db);

  230. 

  231.         if ($row === false) {

  232.             return null;

  233.         }

  234. 

  235.         if (!isset($row['data']) || ($data = @unserialize($row['data'])) === false) {

  236.             $row['data'] = null;

  237.         }

  238. 

  239.         return $this->populateItem($row);

  240.     }

  241. 

  242.     /**

  243.      * Returns a value indicating whether the database supports cascading update and delete.

  244.      * The default implementation will return false for SQLite database and true for all other databases.

  245.      * @return boolean whether the database supports cascading update and delete.

  246.      */

  247.     protected function supportsCascadeUpdate()

  248.     {

  249.         return strncmp($this->db->getDriverName(), 'sqlite', 6) !== 0;

  250.     }

  251. 

  252.     /**

  253.      * @inheritdoc

  254.      */

  255.     protected function addItem($item)

  256.     {

  257.         $time = time();

  258.         if ($item->createdAt === null) {

  259.             $item->createdAt = $time;

  260.         }

  261.         if ($item->updatedAt === null) {

  262.             $item->updatedAt = $time;

  263.         }

  264.         $this->db->createCommand()

  265.             ->insert($this->itemTable, [

  266.                 'name' => $item->name,

  267.                 'type' => $item->type,

  268.                 'description' => $item->description,

  269.                 'rule_name' => $item->ruleName,

  270.                 'data' => $item->data === null ? null : serialize($item->data),

  271.                 'created_at' => $item->createdAt,

  272.                 'updated_at' => $item->updatedAt,

  273.             ])->execute();

  274. 

  275.         $this->invalidateCache();

  276. 

  277.         return true;

  278.     }

  279. 

  280.     /**

  281.      * @inheritdoc

  282.      */

  283.     protected function removeItem($item)

  284.     {

  285.         if (!$this->supportsCascadeUpdate()) {

  286.             $this->db->createCommand()

  287.                 ->delete($this->itemChildTable, ['or', '[[parent]]=:name', '[[child]]=:name'], [':name' => $item->name])

  288.                 ->execute();

  289.             $this->db->createCommand()

  290.                 ->delete($this->assignmentTable, ['item_name' => $item->name])

  291.                 ->execute();

  292.         }

  293. 

  294.         $this->db->createCommand()

  295.             ->delete($this->itemTable, ['name' => $item->name])

  296.             ->execute();

  297. 

  298.         $this->invalidateCache();

  299. 

  300.         return true;

  301.     }

  302. 

  303.     /**

  304.      * @inheritdoc

  305.      */

  306.     protected function updateItem($name, $item)

  307.     {

  308.         if ($item->name !== $name && !$this->supportsCascadeUpdate()) {

  309.             $this->db->createCommand()

  310.                 ->update($this->itemChildTable, ['parent' => $item->name], ['parent' => $name])

  311.                 ->execute();

  312.             $this->db->createCommand()

  313.                 ->update($this->itemChildTable, ['child' => $item->name], ['child' => $name])

  314.                 ->execute();

  315.             $this->db->createCommand()

  316.                 ->update($this->assignmentTable, ['item_name' => $item->name], ['item_name' => $name])

  317.                 ->execute();

  318.         }

  319. 

  320.         $item->updatedAt = time();

  321. 

  322.         $this->db->createCommand()

  323.             ->update($this->itemTable, [

  324.                 'name' => $item->name,

  325.                 'description' => $item->description,

  326.                 'rule_name' => $item->ruleName,

  327.                 'data' => $item->data === null ? null : serialize($item->data),

  328.                 'updated_at' => $item->updatedAt,

  329.             ], [

  330.                 'name' => $name,

  331.             ])->execute();

  332. 

  333.         $this->invalidateCache();

  334. 

  335.         return true;

  336.     }

  337. 

  338.     /**

  339.      * @inheritdoc

  340.      */

  341.     protected function addRule($rule)

  342.     {

  343.         $time = time();

  344.         if ($rule->createdAt === null) {

  345.             $rule->createdAt = $time;

  346.         }

  347.         if ($rule->updatedAt === null) {

  348.             $rule->updatedAt = $time;

  349.         }

  350.         $this->db->createCommand()

  351.             ->insert($this->ruleTable, [

  352.                 'name' => $rule->name,

  353.                 'data' => serialize($rule),

  354.                 'created_at' => $rule->createdAt,

  355.                 'updated_at' => $rule->updatedAt,

  356.             ])->execute();

  357. 

  358.         $this->invalidateCache();

  359. 

  360.         return true;

  361.     }

  362. 

  363.     /**

  364.      * @inheritdoc

  365.      */

  366.     protected function updateRule($name, $rule)

  367.     {

  368.         if ($rule->name !== $name && !$this->supportsCascadeUpdate()) {

  369.             $this->db->createCommand()

  370.                 ->update($this->itemTable, ['rule_name' => $rule->name], ['rule_name' => $name])

  371.                 ->execute();

  372.         }

  373. 

  374.         $rule->updatedAt = time();

  375. 

  376.         $this->db->createCommand()

  377.             ->update($this->ruleTable, [

  378.                 'name' => $rule->name,

  379.                 'data' => serialize($rule),

  380.                 'updated_at' => $rule->updatedAt,

  381.             ], [

  382.                 'name' => $name,

  383.             ])->execute();

  384. 

  385.         $this->invalidateCache();

  386. 

  387.         return true;

  388.     }

  389. 

  390.     /**

  391.      * @inheritdoc

  392.      */

  393.     protected function removeRule($rule)

  394.     {

  395.         if (!$this->supportsCascadeUpdate()) {

  396.             $this->db->createCommand()

  397.                 ->update($this->itemTable, ['rule_name' => null], ['rule_name' => $rule->name])

  398.                 ->execute();

  399.         }

  400. 

  401.         $this->db->createCommand()

  402.             ->delete($this->ruleTable, ['name' => $rule->name])

  403.             ->execute();

  404. 

  405.         $this->invalidateCache();

  406. 

  407.         return true;

  408.     }

  409. 

  410.     /**

  411.      * @inheritdoc

  412.      */

  413.     protected function getItems($type)

  414.     {

  415.         $query = (new Query)

  416.             ->from($this->itemTable)

  417.             ->where(['type' => $type]);

  418. 

  419.         $items = [];

  420.         foreach ($query->all($this->db) as $row) {

  421.             $items[$row['name']] = $this->populateItem($row);

  422.         }

  423. 

  424.         return $items;

  425.     }

  426. 

  427.     /**

  428.      * Populates an auth item with the data fetched from database

  429.      * @param array $row the data from the auth item table

  430.      * @return Item the populated auth item instance (either Role or Permission)

  431.      */

  432.     protected function populateItem($row)

  433.     {

  434.         $class = $row['type'] == Item::TYPE_PERMISSION ? Permission::className() : Role::className();

  435. 

  436.         if (!isset($row['data']) || ($data = @unserialize($row['data'])) === false) {

  437.             $data = null;

  438.         }

  439. 

  440.         return new $class([

  441.             'name' => $row['name'],

  442.             'type' => $row['type'],

  443.             'description' => $row['description'],

  444.             'ruleName' => $row['rule_name'],

  445.             'data' => $data,

  446.             'createdAt' => $row['created_at'],

  447.             'updatedAt' => $row['updated_at'],

  448.         ]);

  449.     }

  450. 

  451.     /**

  452.      * @inheritdoc

  453.      */

  454.     public function getRolesByUser($userId)

  455.     {

  456.         if (!isset($userId) || $userId === '') {

  457.             return [];

  458.         }

  459. 

  460.         $query = (new Query)->select('b.*')

  461.             ->from(['a' => $this->assignmentTable, 'b' => $this->itemTable])

  462.             ->where('{{a}}.[[item_name]]={{b}}.[[name]]')

  463.             ->andWhere(['a.user_id' => (string) $userId])

  464.             ->andWhere(['b.type' => Item::TYPE_ROLE]);

  465. 

  466.         $roles = [];

  467.         foreach ($query->all($this->db) as $row) {

  468.             $roles[$row['name']] = $this->populateItem($row);

  469.         }

  470.         return $roles;

  471.     }

  472. 

  473.     /**

  474.      * @inheritdoc

  475.      */

  476.     public function getPermissionsByRole($roleName)

  477.     {

  478.         $childrenList = $this->getChildrenList();

  479.         $result = [];

  480.         $this->getChildrenRecursive($roleName, $childrenList, $result);

  481.         if (empty($result)) {

  482.             return [];

  483.         }

  484.         $query = (new Query)->from($this->itemTable)->where([

  485.             'type' => Item::TYPE_PERMISSION,

  486.             'name' => array_keys($result),

  487.         ]);

  488.         $permissions = [];

  489.         foreach ($query->all($this->db) as $row) {

  490.             $permissions[$row['name']] = $this->populateItem($row);

  491.         }

  492.         return $permissions;

  493.     }

  494. 

  495.     /**

  496.      * @inheritdoc

  497.      */

  498.     public function getPermissionsByUser($userId)

  499.     {

  500.         if (empty($userId)) {

  501.             return [];

  502.         }

  503. 

  504.         $directPermission = $this->getDirectPermissionsByUser($userId);

  505.         $inheritedPermission = $this->getInheritedPermissionsByUser($userId);

  506. 

  507.         return array_merge($directPermission, $inheritedPermission);

  508.     }

  509. 

  510.     /**

  511.      * Returns all permissions that are directly assigned to user.

  512.      * @param string|integer $userId the user ID (see [[\yii\web\User::id]])

  513.      * @return Permission[] all direct permissions that the user has. The array is indexed by the permission names.

  514.      * @since 2.0.7

  515.      */

  516.     protected function getDirectPermissionsByUser($userId)

  517.     {

  518.         $query = (new Query)->select('b.*')

  519.             ->from(['a' => $this->assignmentTable, 'b' => $this->itemTable])

  520.             ->where('{{a}}.[[item_name]]={{b}}.[[name]]')

  521.             ->andWhere(['a.user_id' => (string) $userId])

  522.             ->andWhere(['b.type' => Item::TYPE_PERMISSION]);

  523. 

  524.         $permissions = [];

  525.         foreach ($query->all($this->db) as $row) {

  526.             $permissions[$row['name']] = $this->populateItem($row);

  527.         }

  528.         return $permissions;

  529.     }

  530. 

  531.     /**

  532.      * Returns all permissions that the user inherits from the roles assigned to him.

  533.      * @param string|integer $userId the user ID (see [[\yii\web\User::id]])

  534.      * @return Permission[] all inherited permissions that the user has. The array is indexed by the permission names.

  535.      * @since 2.0.7

  536.      */

  537.     protected function getInheritedPermissionsByUser($userId)

  538.     {

  539.         $query = (new Query)->select('item_name')

  540.             ->from($this->assignmentTable)

  541.             ->where(['user_id' => (string) $userId]);

  542. 

  543.         $childrenList = $this->getChildrenList();

  544.         $result = [];

  545.         foreach ($query->column($this->db) as $roleName) {

  546.             $this->getChildrenRecursive($roleName, $childrenList, $result);

  547.         }

  548. 

  549.         if (empty($result)) {

  550.             return [];

  551.         }

  552. 

  553.         $query = (new Query)->from($this->itemTable)->where([

  554.             'type' => Item::TYPE_PERMISSION,

  555.             'name' => array_keys($result),

  556.         ]);

  557.         $permissions = [];

  558.         foreach ($query->all($this->db) as $row) {

  559.             $permissions[$row['name']] = $this->populateItem($row);

  560.         }

  561.         return $permissions;

  562.     }

  563. 

  564.     /**

  565.      * Returns the children for every parent.

  566.      * @return array the children list. Each array key is a parent item name,

  567.      * and the corresponding array value is a list of child item names.

  568.      */

  569.     protected function getChildrenList()

  570.     {

  571.         $query = (new Query)->from($this->itemChildTable);

  572.         $parents = [];

  573.         foreach ($query->all($this->db) as $row) {

  574.             $parents[$row['parent']][] = $row['child'];

  575.         }

  576.         return $parents;

  577.     }

  578. 

  579.     /**

  580.      * Recursively finds all children and grand children of the specified item.

  581.      * @param string $name the name of the item whose children are to be looked for.

  582.      * @param array $childrenList the child list built via [[getChildrenList()]]

  583.      * @param array $result the children and grand children (in array keys)

  584.      */

  585.     protected function getChildrenRecursive($name, $childrenList, &$result)

  586.     {

  587.         if (isset($childrenList[$name])) {

  588.             foreach ($childrenList[$name] as $child) {

  589.                 $result[$child] = true;

  590.                 $this->getChildrenRecursive($child, $childrenList, $result);

  591.             }

  592.         }

  593.     }

  594. 

  595.     /**

  596.      * @inheritdoc

  597.      */

  598.     public function getRule($name)

  599.     {

  600.         if ($this->rules !== null) {

  601.             return isset($this->rules[$name]) ? $this->rules[$name] : null;

  602.         }

  603. 

  604.         $row = (new Query)->select(['data'])

  605.             ->from($this->ruleTable)

  606.             ->where(['name' => $name])

  607.             ->one($this->db);

  608.         return $row === false ? null : unserialize($row['data']);

  609.     }

  610. 

  611.     /**

  612.      * @inheritdoc

  613.      */

  614.     public function getRules()

  615.     {

  616.         if ($this->rules !== null) {

  617.             return $this->rules;

  618.         }

  619. 

  620.         $query = (new Query)->from($this->ruleTable);

  621. 

  622.         $rules = [];

  623.         foreach ($query->all($this->db) as $row) {

  624.             $rules[$row['name']] = unserialize($row['data']);

  625.         }

  626. 

  627.         return $rules;

  628.     }

  629. 

  630.     /**

  631.      * @inheritdoc

  632.      */

  633.     public function getAssignment($roleName, $userId)

  634.     {

  635.         if (empty($userId)) {

  636.             return null;

  637.         }

  638. 

  639.         $row = (new Query)->from($this->assignmentTable)

  640.             ->where(['user_id' => (string) $userId, 'item_name' => $roleName])

  641.             ->one($this->db);

  642. 

  643.         if ($row === false) {

  644.             return null;

  645.         }

  646. 

  647.         return new Assignment([

  648.             'userId' => $row['user_id'],

  649.             'roleName' => $row['item_name'],

  650.             'createdAt' => $row['created_at'],

  651.         ]);

  652.     }

  653. 

  654.     /**

  655.      * @inheritdoc

  656.      */

  657.     public function getAssignments($userId)

  658.     {

  659.         if (empty($userId)) {

  660.             return [];

  661.         }

  662. 

  663.         $query = (new Query)

  664.             ->from($this->assignmentTable)

  665.             ->where(['user_id' => (string) $userId]);

  666. 

  667.         $assignments = [];

  668.         foreach ($query->all($this->db) as $row) {

  669.             $assignments[$row['item_name']] = new Assignment([

  670.                 'userId' => $row['user_id'],

  671.                 'roleName' => $row['item_name'],

  672.                 'createdAt' => $row['created_at'],

  673.             ]);

  674.         }

  675. 

  676.         return $assignments;

  677.     }

  678. 

  679.     /**

  680.      * @inheritdoc

  681.      * @since 2.0.8

  682.      */

  683.     public function canAddChild($parent, $child)

  684.     {

  685.         return !$this->detectLoop($parent, $child);

  686.     }

  687. 

  688.     /**

  689.      * @inheritdoc

  690.      */

  691.     public function addChild($parent, $child)

  692.     {

  693.         if ($parent->name === $child->name) {

  694.             throw new InvalidParamException("Cannot add '{$parent->name}' as a child of itself.");

  695.         }

  696. 

  697.         if ($parent instanceof Permission && $child instanceof Role) {

  698.             throw new InvalidParamException('Cannot add a role as a child of a permission.');

  699.         }

  700. 

  701.         if ($this->detectLoop($parent, $child)) {

  702.             throw new InvalidCallException("Cannot add '{$child->name}' as a child of '{$parent->name}'. A loop has been detected.");

  703.         }

  704. 

  705.         $this->db->createCommand()

  706.             ->insert($this->itemChildTable, ['parent' => $parent->name, 'child' => $child->name])

  707.             ->execute();

  708. 

  709.         $this->invalidateCache();

  710. 

  711.         return true;

  712.     }

  713. 

  714.     /**

  715.      * @inheritdoc

  716.      */

  717.     public function removeChild($parent, $child)

  718.     {

  719.         $result = $this->db->createCommand()

  720.             ->delete($this->itemChildTable, ['parent' => $parent->name, 'child' => $child->name])

  721.             ->execute() > 0;

  722. 

  723.         $this->invalidateCache();

  724. 

  725.         return $result;

  726.     }

  727. 

  728.     /**

  729.      * @inheritdoc

  730.      */

  731.     public function removeChildren($parent)

  732.     {

  733.         $result = $this->db->createCommand()

  734.             ->delete($this->itemChildTable, ['parent' => $parent->name])

  735.             ->execute() > 0;

  736. 

  737.         $this->invalidateCache();

  738. 

  739.         return $result;

  740.     }

  741. 

  742.     /**

  743.      * @inheritdoc

  744.      */

  745.     public function hasChild($parent, $child)

  746.     {

  747.         return (new Query)

  748.             ->from($this->itemChildTable)

  749.             ->where(['parent' => $parent->name, 'child' => $child->name])

  750.             ->one($this->db) !== false;

  751.     }

  752. 

  753.     /**

  754.      * @inheritdoc

  755.      */

  756.     public function getChildren($name)

  757.     {

  758.         $query = (new Query)

  759.             ->select(['name', 'type', 'description', 'rule_name', 'data', 'created_at', 'updated_at'])

  760.             ->from([$this->itemTable, $this->itemChildTable])

  761.             ->where(['parent' => $name, 'name' => new Expression('[[child]]')]);

  762. 

  763.         $children = [];

  764.         foreach ($query->all($this->db) as $row) {

  765.             $children[$row['name']] = $this->populateItem($row);

  766.         }

  767. 

  768.         return $children;

  769.     }

  770. 

  771.     /**

  772.      * Checks whether there is a loop in the authorization item hierarchy.

  773.      * @param Item $parent the parent item

  774.      * @param Item $child the child item to be added to the hierarchy

  775.      * @return boolean whether a loop exists

  776.      */

  777.     protected function detectLoop($parent, $child)

  778.     {

  779.         if ($child->name === $parent->name) {

  780.             return true;

  781.         }

  782.         foreach ($this->getChildren($child->name) as $grandchild) {

  783.             if ($this->detectLoop($parent, $grandchild)) {

  784.                 return true;

  785.             }

  786.         }

  787.         return false;

  788.     }

  789. 

  790.     /**

  791.      * @inheritdoc

  792.      */

  793.     public function assign($role, $userId)

  794.     {

  795.         $assignment = new Assignment([

  796.             'userId' => $userId,

  797.             'roleName' => $role->name,

  798.             'createdAt' => time(),

  799.         ]);

  800. 

  801.         $this->db->createCommand()

  802.             ->insert($this->assignmentTable, [

  803.                 'user_id' => $assignment->userId,

  804.                 'item_name' => $assignment->roleName,

  805.                 'created_at' => $assignment->createdAt,

  806.             ])->execute();

  807. 

  808.         return $assignment;

  809.     }

  810. 

  811.     /**

  812.      * @inheritdoc

  813.      */

  814.     public function revoke($role, $userId)

  815.     {

  816.         if (empty($userId)) {

  817.             return false;

  818.         }

  819. 

  820.         return $this->db->createCommand()

  821.             ->delete($this->assignmentTable, ['user_id' => (string) $userId, 'item_name' => $role->name])

  822.             ->execute() > 0;

  823.     }

  824. 

  825.     /**

  826.      * @inheritdoc

  827.      */

  828.     public function revokeAll($userId)

  829.     {

  830.         if (empty($userId)) {

  831.             return false;

  832.         }

  833. 

  834.         return $this->db->createCommand()

  835.             ->delete($this->assignmentTable, ['user_id' => (string) $userId])

  836.             ->execute() > 0;

  837.     }

  838. 

  839.     /**

  840.      * @inheritdoc

  841.      */

  842.     public function removeAll()

  843.     {

  844.         $this->removeAllAssignments();

  845.         $this->db->createCommand()->delete($this->itemChildTable)->execute();

  846.         $this->db->createCommand()->delete($this->itemTable)->execute();

  847.         $this->db->createCommand()->delete($this->ruleTable)->execute();

  848.         $this->invalidateCache();

  849.     }

  850. 

  851.     /**

  852.      * @inheritdoc

  853.      */

  854.     public function removeAllPermissions()

  855.     {

  856.         $this->removeAllItems(Item::TYPE_PERMISSION);

  857.     }

  858. 

  859.     /**

  860.      * @inheritdoc

  861.      */

  862.     public function removeAllRoles()

  863.     {

  864.         $this->removeAllItems(Item::TYPE_ROLE);

  865.     }

  866. 

  867.     /**

  868.      * Removes all auth items of the specified type.

  869.      * @param integer $type the auth item type (either Item::TYPE_PERMISSION or Item::TYPE_ROLE)

  870.      */

  871.     protected function removeAllItems($type)

  872.     {

  873.         if (!$this->supportsCascadeUpdate()) {

  874.             $names = (new Query)

  875.                 ->select(['name'])

  876.                 ->from($this->itemTable)

  877.                 ->where(['type' => $type])

  878.                 ->column($this->db);

  879.             if (empty($names)) {

  880.                 return;

  881.             }

  882.             $key = $type == Item::TYPE_PERMISSION ? 'child' : 'parent';

  883.             $this->db->createCommand()

  884.                 ->delete($this->itemChildTable, [$key => $names])

  885.                 ->execute();

  886.             $this->db->createCommand()

  887.                 ->delete($this->assignmentTable, ['item_name' => $names])

  888.                 ->execute();

  889.         }

  890.         $this->db->createCommand()

  891.             ->delete($this->itemTable, ['type' => $type])

  892.             ->execute();

  893. 

  894.         $this->invalidateCache();

  895.     }

  896. 

  897.     /**

  898.      * @inheritdoc

  899.      */

  900.     public function removeAllRules()

  901.     {

  902.         if (!$this->supportsCascadeUpdate()) {

  903.             $this->db->createCommand()

  904.                 ->update($this->itemTable, ['rule_name' => null])

  905.                 ->execute();

  906.         }

  907. 

  908.         $this->db->createCommand()->delete($this->ruleTable)->execute();

  909. 

  910.         $this->invalidateCache();

  911.     }

  912. 

  913.     /**

  914.      * @inheritdoc

  915.      */

  916.     public function removeAllAssignments()

  917.     {

  918.         $this->db->createCommand()->delete($this->assignmentTable)->execute();

  919.     }

  920. 

  921.     public function invalidateCache()

  922.     {

  923.         if ($this->cache !== null) {

  924.             $this->cache->delete($this->cacheKey);

  925.             $this->items = null;

  926.             $this->rules = null;

  927.             $this->parents = null;

  928.         }

  929.     }

  930. 

  931.     public function loadFromCache()

  932.     {

  933.         if ($this->items !== null || !$this->cache instanceof Cache) {

  934.             return;

  935.         }

  936. 

  937.         $data = $this->cache->get($this->cacheKey);

  938.         if (is_array($data) && isset($data[0], $data[1], $data[2])) {

  939.             list ($this->items, $this->rules, $this->parents) = $data;

  940.             return;

  941.         }

  942. 

  943.         $query = (new Query)->from($this->itemTable);

  944.         $this->items = [];

  945.         foreach ($query->all($this->db) as $row) {

  946.             $this->items[$row['name']] = $this->populateItem($row);

  947.         }

  948. 

  949.         $query = (new Query)->from($this->ruleTable);

  950.         $this->rules = [];

  951.         foreach ($query->all($this->db) as $row) {

  952.             $this->rules[$row['name']] = unserialize($row['data']);

  953.         }

  954. 

  955.         $query = (new Query)->from($this->itemChildTable);

  956.         $this->parents = [];

  957.         foreach ($query->all($this->db) as $row) {

  958.             if (isset($this->items[$row['child']])) {

  959.                 $this->parents[$row['child']][] = $row['parent'];

  960.             }

  961.         }

  962. 

  963.         $this->cache->set($this->cacheKey, [$this->items, $this->rules, $this->parents]);

  964.     }

  965. 

  966.     /**

  967.      * Returns all role assignment information for the specified role.

  968.      * @param string $roleName

  969.      * @return Assignment[] the assignments. An empty array will be

  970.      * returned if role is not assigned to any user.

  971.      * @since 2.0.7

  972.      */

  973.     public function getUserIdsByRole($roleName)

  974.     {

  975.         if (empty($roleName)) {

  976.             return [];

  977.         }

  978. 

  979.         return (new Query)->select('[[user_id]]')

  980.             ->from($this->assignmentTable)

  981.             ->where(['item_name' => $roleName])->column($this->db);

  982.     }

  983. }