BenoitCier
/
Opendistrib
forked from Laclic/Souke
Watch 1
Star 0
Fork 0
Code Issues 0 Pull Requests 0 Releases 0 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
913 Commits
2 Branches
Tree: 92157fe2cd
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '92157fe2cd'
${ noResults }
Opendistrib/vendor/yiisoft/yii2/rbac/DbManager.php

1007 lines
30KB
Raw Blame History 

  1. <?php

  2. /**

  3.  * @link http://www.yiiframework.com/

  4.  * @copyright Copyright (c) 2008 Yii Software LLC

  5.  * @license http://www.yiiframework.com/license/

  6.  */

  7. 

  8. namespace yii\rbac;

  9. 

  10. use Yii;

  11. use yii\caching\Cache;

  12. use yii\db\Connection;

  13. use yii\db\Query;

  14. use yii\db\Expression;

  15. use yii\base\InvalidCallException;

  16. use yii\base\InvalidParamException;

  17. use yii\di\Instance;

  18. 

  19. /**

  20.  * DbManager represents an authorization manager that stores authorization information in database.

  21.  *

  22.  * The database connection is specified by [[db]]. The database schema could be initialized by applying migration:

  23.  *

  24.  * ```

  25.  * yii migrate --migrationPath=@yii/rbac/migrations/

  26.  * ```

  27.  *

  28.  * If you don't want to use migration and need SQL instead, files for all databases are in migrations directory.

  29.  *

  30.  * You may change the names of the tables used to store the authorization and rule data by setting [[itemTable]],

  31.  * [[itemChildTable]], [[assignmentTable]] and [[ruleTable]].

  32.  *

  33.  * @author Qiang Xue <qiang.xue@gmail.com>

  34.  * @author Alexander Kochetov <creocoder@gmail.com>

  35.  * @since 2.0

  36.  */

  37. class DbManager extends BaseManager

  38. {

  39.     /**

  40.      * @var Connection|array|string the DB connection object or the application component ID of the DB connection.

  41.      * After the DbManager object is created, if you want to change this property, you should only assign it

  42.      * with a DB connection object.

  43.      * Starting from version 2.0.2, this can also be a configuration array for creating the object.

  44.      */

  45.     public $db = 'db';

  46.     /**

  47.      * @var string the name of the table storing authorization items. Defaults to "auth_item".

  48.      */

  49.     public $itemTable = '{{%auth_item}}';

  50.     /**

  51.      * @var string the name of the table storing authorization item hierarchy. Defaults to "auth_item_child".

  52.      */

  53.     public $itemChildTable = '{{%auth_item_child}}';

  54.     /**

  55.      * @var string the name of the table storing authorization item assignments. Defaults to "auth_assignment".

  56.      */

  57.     public $assignmentTable = '{{%auth_assignment}}';

  58.     /**

  59.      * @var string the name of the table storing rules. Defaults to "auth_rule".

  60.      */

  61.     public $ruleTable = '{{%auth_rule}}';

  62.     /**

  63.      * @var Cache|array|string the cache used to improve RBAC performance. This can be one of the following:

  64.      *

  65.      * - an application component ID (e.g. `cache`)

  66.      * - a configuration array

  67.      * - a [[\yii\caching\Cache]] object

  68.      *

  69.      * When this is not set, it means caching is not enabled.

  70.      *

  71.      * Note that by enabling RBAC cache, all auth items, rules and auth item parent-child relationships will

  72.      * be cached and loaded into memory. This will improve the performance of RBAC permission check. However,

  73.      * it does require extra memory and as a result may not be appropriate if your RBAC system contains too many

  74.      * auth items. You should seek other RBAC implementations (e.g. RBAC based on Redis storage) in this case.

  75.      *

  76.      * Also note that if you modify RBAC items, rules or parent-child relationships from outside of this component,

  77.      * you have to manually call [[invalidateCache()]] to ensure data consistency.

  78.      *

  79.      * @since 2.0.3

  80.      */

  81.     public $cache;

  82.     /**

  83.      * @var string the key used to store RBAC data in cache

  84.      * @see cache

  85.      * @since 2.0.3

  86.      */

  87.     public $cacheKey = 'rbac';

  88. 

  89.     /**

  90.      * @var Item[] all auth items (name => Item)

  91.      */

  92.     protected $items;

  93.     /**

  94.      * @var Rule[] all auth rules (name => Rule)

  95.      */

  96.     protected $rules;

  97.     /**

  98.      * @var array auth item parent-child relationships (childName => list of parents)

  99.      */

  100.     protected $parents;

  101. 

  102. 

  103.     /**

  104.      * Initializes the application component.

  105.      * This method overrides the parent implementation by establishing the database connection.

  106.      */

  107.     public function init()

  108.     {

  109.         parent::init();

  110.         $this->db = Instance::ensure($this->db, Connection::className());

  111.         if ($this->cache !== null) {

  112.             $this->cache = Instance::ensure($this->cache, Cache::className());

  113.         }

  114.     }

  115. 

  116.     /**

  117.      * @inheritdoc

  118.      */

  119.     public function checkAccess($userId, $permissionName, $params = [])

  120.     {

  121.         $assignments = $this->getAssignments($userId);

  122.         $this->loadFromCache();

  123.         if ($this->items !== null) {

  124.             return $this->checkAccessFromCache($userId, $permissionName, $params, $assignments);

  125.         } else {

  126.             return $this->checkAccessRecursive($userId, $permissionName, $params, $assignments);

  127.         }

  128.     }

  129. 

  130.     /**

  131.      * Performs access check for the specified user based on the data loaded from cache.

  132.      * This method is internally called by [[checkAccess()]] when [[cache]] is enabled.

  133.      * @param string|integer $user the user ID. This should can be either an integer or a string representing

  134.      * the unique identifier of a user. See [[\yii\web\User::id]].

  135.      * @param string $itemName the name of the operation that need access check

  136.      * @param array $params name-value pairs that would be passed to rules associated

  137.      * with the tasks and roles assigned to the user. A param with name 'user' is added to this array,

  138.      * which holds the value of `$userId`.

  139.      * @param Assignment[] $assignments the assignments to the specified user

  140.      * @return boolean whether the operations can be performed by the user.

  141.      * @since 2.0.3

  142.      */

  143.     protected function checkAccessFromCache($user, $itemName, $params, $assignments)

  144.     {

  145.         if (!isset($this->items[$itemName])) {

  146.             return false;

  147.         }

  148. 

  149.         $item = $this->items[$itemName];

  150. 

  151.         Yii::trace($item instanceof Role ? "Checking role: $itemName" : "Checking permission: $itemName", __METHOD__);

  152. 

  153.         if (!$this->executeRule($user, $item, $params)) {

  154.             return false;

  155.         }

  156. 

  157.         if (isset($assignments[$itemName]) || in_array($itemName, $this->defaultRoles)) {

  158.             return true;

  159.         }

  160. 

  161.         if (!empty($this->parents[$itemName])) {

  162.             foreach ($this->parents[$itemName] as $parent) {

  163.                 if ($this->checkAccessFromCache($user, $parent, $params, $assignments)) {

  164.                     return true;

  165.                 }

  166.             }

  167.         }

  168. 

  169.         return false;

  170.     }

  171. 

  172.     /**

  173.      * Performs access check for the specified user.

  174.      * This method is internally called by [[checkAccess()]].

  175.      * @param string|integer $user the user ID. This should can be either an integer or a string representing

  176.      * the unique identifier of a user. See [[\yii\web\User::id]].

  177.      * @param string $itemName the name of the operation that need access check

  178.      * @param array $params name-value pairs that would be passed to rules associated

  179.      * with the tasks and roles assigned to the user. A param with name 'user' is added to this array,

  180.      * which holds the value of `$userId`.

  181.      * @param Assignment[] $assignments the assignments to the specified user

  182.      * @return boolean whether the operations can be performed by the user.

  183.      */

  184.     protected function checkAccessRecursive($user, $itemName, $params, $assignments)

  185.     {

  186.         if (($item = $this->getItem($itemName)) === null) {

  187.             return false;

  188.         }

  189. 

  190.         Yii::trace($item instanceof Role ? "Checking role: $itemName" : "Checking permission: $itemName", __METHOD__);

  191. 

  192.         if (!$this->executeRule($user, $item, $params)) {

  193.             return false;

  194.         }

  195. 

  196.         if (isset($assignments[$itemName]) || in_array($itemName, $this->defaultRoles)) {

  197.             return true;

  198.         }

  199. 

  200.         $query = new Query;

  201.         $parents = $query->select(['parent'])

  202.             ->from($this->itemChildTable)

  203.             ->where(['child' => $itemName])

  204.             ->column($this->db);

  205.         foreach ($parents as $parent) {

  206.             if ($this->checkAccessRecursive($user, $parent, $params, $assignments)) {

  207.                 return true;

  208.             }

  209.         }

  210. 

  211.         return false;

  212.     }

  213. 

  214.     /**

  215.      * @inheritdoc

  216.      */

  217.     protected function getItem($name)

  218.     {

  219.         if (empty($name)) {

  220.             return null;

  221.         }

  222. 

  223.         if (!empty($this->items[$name])) {

  224.             return $this->items[$name];

  225.         }

  226. 

  227.         $row = (new Query)->from($this->itemTable)

  228.             ->where(['name' => $name])

  229.             ->one($this->db);

  230. 

  231.         if ($row === false) {

  232.             return null;

  233.         }

  234. 

  235.         if (!isset($row['data']) || ($data = @unserialize($row['data'])) === false) {

  236.             $row['data'] = null;

  237.         }

  238. 

  239.         return $this->populateItem($row);

  240.     }

  241. 

  242.     /**

  243.      * Returns a value indicating whether the database supports cascading update and delete.

  244.      * The default implementation will return false for SQLite database and true for all other databases.

  245.      * @return boolean whether the database supports cascading update and delete.

  246.      */

  247.     protected function supportsCascadeUpdate()

  248.     {

  249.         return strncmp($this->db->getDriverName(), 'sqlite', 6) !== 0;

  250.     }

  251. 

  252.     /**

  253.      * @inheritdoc

  254.      */

  255.     protected function addItem($item)

  256.     {

  257.         $time = time();

  258.         if ($item->createdAt === null) {

  259.             $item->createdAt = $time;

  260.         }

  261.         if ($item->updatedAt === null) {

  262.             $item->updatedAt = $time;

  263.         }

  264.         $this->db->createCommand()

  265.             ->insert($this->itemTable, [

  266.                 'name' => $item->name,

  267.                 'type' => $item->type,

  268.                 'description' => $item->description,

  269.                 'rule_name' => $item->ruleName,

  270.                 'data' => $item->data === null ? null : serialize($item->data),

  271.                 'created_at' => $item->createdAt,

  272.                 'updated_at' => $item->updatedAt,

  273.             ])->execute();

  274. 

  275.         $this->invalidateCache();

  276. 

  277.         return true;

  278.     }

  279. 

  280.     /**

  281.      * @inheritdoc

  282.      */

  283.     protected function removeItem($item)

  284.     {

  285.         if (!$this->supportsCascadeUpdate()) {

  286.             $this->db->createCommand()

  287.                 ->delete($this->itemChildTable, ['or', '[[parent]]=:name', '[[child]]=:name'], [':name' => $item->name])

  288.                 ->execute();

  289.             $this->db->createCommand()

  290.                 ->delete($this->assignmentTable, ['item_name' => $item->name])

  291.                 ->execute();

  292.         }

  293. 

  294.         $this->db->createCommand()

  295.             ->delete($this->itemTable, ['name' => $item->name])

  296.             ->execute();

  297. 

  298.         $this->invalidateCache();

  299. 

  300.         return true;

  301.     }

  302. 

  303.     /**

  304.      * @inheritdoc

  305.      */

  306.     protected function updateItem($name, $item)

  307.     {

  308.         if ($item->name !== $name && !$this->supportsCascadeUpdate()) {

  309.             $this->db->createCommand()

  310.                 ->update($this->itemChildTable, ['parent' => $item->name], ['parent' => $name])

  311.                 ->execute();

  312.             $this->db->createCommand()

  313.                 ->update($this->itemChildTable, ['child' => $item->name], ['child' => $name])

  314.                 ->execute();

  315.             $this->db->createCommand()

  316.                 ->update($this->assignmentTable, ['item_name' => $item->name], ['item_name' => $name])

  317.                 ->execute();

  318.         }

  319. 

  320.         $item->updatedAt = time();

  321. 

  322.         $this->db->createCommand()

  323.             ->update($this->itemTable, [

  324.                 'name' => $item->name,

  325.                 'description' => $item->description,

  326.                 'rule_name' => $item->ruleName,

  327.                 'data' => $item->data === null ? null : serialize($item->data),

  328.                 'updated_at' => $item->updatedAt,

  329.             ], [

  330.                 'name' => $name,

  331.             ])->execute();

  332. 

  333.         $this->invalidateCache();

  334. 

  335.         return true;

  336.     }

  337. 

  338.     /**

  339.      * @inheritdoc

  340.      */

  341.     protected function addRule($rule)

  342.     {

  343.         $time = time();

  344.         if ($rule->createdAt === null) {

  345.             $rule->createdAt = $time;

  346.         }

  347.         if ($rule->updatedAt === null) {

  348.             $rule->updatedAt = $time;

  349.         }

  350.         $this->db->createCommand()

  351.             ->insert($this->ruleTable, [

  352.                 'name' => $rule->name,

  353.                 'data' => serialize($rule),

  354.                 'created_at' => $rule->createdAt,

  355.                 'updated_at' => $rule->updatedAt,

  356.             ])->execute();

  357. 

  358.         $this->invalidateCache();

  359. 

  360.         return true;

  361.     }

  362. 

  363.     /**

  364.      * @inheritdoc

  365.      */

  366.     protected function updateRule($name, $rule)

  367.     {

  368.         if ($rule->name !== $name && !$this->supportsCascadeUpdate()) {

  369.             $this->db->createCommand()

  370.                 ->update($this->itemTable, ['rule_name' => $rule->name], ['rule_name' => $name])

  371.                 ->execute();

  372.         }

  373. 

  374.         $rule->updatedAt = time();

  375. 

  376.         $this->db->createCommand()

  377.             ->update($this->ruleTable, [

  378.                 'name' => $rule->name,

  379.                 'data' => serialize($rule),

  380.                 'updated_at' => $rule->updatedAt,

  381.             ], [

  382.                 'name' => $name,

  383.             ])->execute();

  384. 

  385.         $this->invalidateCache();

  386. 

  387.         return true;

  388.     }

  389. 

  390.     /**

  391.      * @inheritdoc

  392.      */

  393.     protected function removeRule($rule)

  394.     {

  395.         if (!$this->supportsCascadeUpdate()) {

  396.             $this->db->createCommand()

  397.                 ->update($this->itemTable, ['rule_name' => null], ['rule_name' => $rule->name])

  398.                 ->execute();

  399.         }

  400. 

  401.         $this->db->createCommand()

  402.             ->delete($this->ruleTable, ['name' => $rule->name])

  403.             ->execute();

  404. 

  405.         $this->invalidateCache();

  406. 

  407.         return true;

  408.     }

  409. 

  410.     /**

  411.      * @inheritdoc

  412.      */

  413.     protected function getItems($type)

  414.     {

  415.         $query = (new Query)

  416.             ->from($this->itemTable)

  417.             ->where(['type' => $type]);

  418. 

  419.         $items = [];

  420.         foreach ($query->all($this->db) as $row) {

  421.             $items[$row['name']] = $this->populateItem($row);

  422.         }

  423. 

  424.         return $items;

  425.     }

  426. 

  427.     /**

  428.      * Populates an auth item with the data fetched from database

  429.      * @param array $row the data from the auth item table

  430.      * @return Item the populated auth item instance (either Role or Permission)

  431.      */

  432.     protected function populateItem($row)

  433.     {

  434.         $class = $row['type'] == Item::TYPE_PERMISSION ? Permission::className() : Role::className();

  435. 

  436.         if (!isset($row['data']) || ($data = @unserialize($row['data'])) === false) {

  437.             $data = null;

  438.         }

  439. 

  440.         return new $class([

  441.             'name' => $row['name'],

  442.             'type' => $row['type'],

  443.             'description' => $row['description'],

  444.             'ruleName' => $row['rule_name'],

  445.             'data' => $data,

  446.             'createdAt' => $row['created_at'],

  447.             'updatedAt' => $row['updated_at'],

  448.         ]);

  449.     }

  450. 

  451.     /**

  452.      * @inheritdoc

  453.      */

  454.     public function getRolesByUser($userId)

  455.     {

  456.         if (!isset($userId) || $userId === '') {

  457.             return [];

  458.         }

  459. 

  460.         $query = (new Query)->select('b.*')

  461.             ->from(['a' => $this->assignmentTable, 'b' => $this->itemTable])

  462.             ->where('{{a}}.[[item_name]]={{b}}.[[name]]')

  463.             ->andWhere(['a.user_id' => (string) $userId])

  464.             ->andWhere(['b.type' => Item::TYPE_ROLE]);

  465. 

  466.         $roles = [];

  467.         foreach ($query->all($this->db) as $row) {

  468.             $roles[$row['name']] = $this->populateItem($row);

  469.         }

  470.         return $roles;

  471.     }

  472. 

  473.     /**

  474.      * @inheritdoc

  475.      */

  476.     public function getChildRoles($roleName)

  477.     {

  478.         $role = $this->getRole($roleName);

  479. 

  480.         if (is_null($role)) {

  481.             throw new InvalidParamException("Role \"$roleName\" not found.");

  482.         }

  483. 

  484.         /** @var $result Item[] */

  485.         $this->getChildrenRecursive($roleName, $this->getChildrenList(), $result);

  486. 

  487.         $roles = [$roleName => $role];

  488. 

  489.         $roles += array_filter($this->getRoles(), function (Role $roleItem) use ($result) {

  490.             return array_key_exists($roleItem->name, $result);

  491.         });

  492. 

  493.         return $roles;

  494.     }

  495. 

  496.     /**

  497.      * @inheritdoc

  498.      */

  499.     public function getPermissionsByRole($roleName)

  500.     {

  501.         $childrenList = $this->getChildrenList();

  502.         $result = [];

  503.         $this->getChildrenRecursive($roleName, $childrenList, $result);

  504.         if (empty($result)) {

  505.             return [];

  506.         }

  507.         $query = (new Query)->from($this->itemTable)->where([

  508.             'type' => Item::TYPE_PERMISSION,

  509.             'name' => array_keys($result),

  510.         ]);

  511.         $permissions = [];

  512.         foreach ($query->all($this->db) as $row) {

  513.             $permissions[$row['name']] = $this->populateItem($row);

  514.         }

  515.         return $permissions;

  516.     }

  517. 

  518.     /**

  519.      * @inheritdoc

  520.      */

  521.     public function getPermissionsByUser($userId)

  522.     {

  523.         if (empty($userId)) {

  524.             return [];

  525.         }

  526. 

  527.         $directPermission = $this->getDirectPermissionsByUser($userId);

  528.         $inheritedPermission = $this->getInheritedPermissionsByUser($userId);

  529. 

  530.         return array_merge($directPermission, $inheritedPermission);

  531.     }

  532. 

  533.     /**

  534.      * Returns all permissions that are directly assigned to user.

  535.      * @param string|integer $userId the user ID (see [[\yii\web\User::id]])

  536.      * @return Permission[] all direct permissions that the user has. The array is indexed by the permission names.

  537.      * @since 2.0.7

  538.      */

  539.     protected function getDirectPermissionsByUser($userId)

  540.     {

  541.         $query = (new Query)->select('b.*')

  542.             ->from(['a' => $this->assignmentTable, 'b' => $this->itemTable])

  543.             ->where('{{a}}.[[item_name]]={{b}}.[[name]]')

  544.             ->andWhere(['a.user_id' => (string) $userId])

  545.             ->andWhere(['b.type' => Item::TYPE_PERMISSION]);

  546. 

  547.         $permissions = [];

  548.         foreach ($query->all($this->db) as $row) {

  549.             $permissions[$row['name']] = $this->populateItem($row);

  550.         }

  551.         return $permissions;

  552.     }

  553. 

  554.     /**

  555.      * Returns all permissions that the user inherits from the roles assigned to him.

  556.      * @param string|integer $userId the user ID (see [[\yii\web\User::id]])

  557.      * @return Permission[] all inherited permissions that the user has. The array is indexed by the permission names.

  558.      * @since 2.0.7

  559.      */

  560.     protected function getInheritedPermissionsByUser($userId)

  561.     {

  562.         $query = (new Query)->select('item_name')

  563.             ->from($this->assignmentTable)

  564.             ->where(['user_id' => (string) $userId]);

  565. 

  566.         $childrenList = $this->getChildrenList();

  567.         $result = [];

  568.         foreach ($query->column($this->db) as $roleName) {

  569.             $this->getChildrenRecursive($roleName, $childrenList, $result);

  570.         }

  571. 

  572.         if (empty($result)) {

  573.             return [];

  574.         }

  575. 

  576.         $query = (new Query)->from($this->itemTable)->where([

  577.             'type' => Item::TYPE_PERMISSION,

  578.             'name' => array_keys($result),

  579.         ]);

  580.         $permissions = [];

  581.         foreach ($query->all($this->db) as $row) {

  582.             $permissions[$row['name']] = $this->populateItem($row);

  583.         }

  584.         return $permissions;

  585.     }

  586. 

  587.     /**

  588.      * Returns the children for every parent.

  589.      * @return array the children list. Each array key is a parent item name,

  590.      * and the corresponding array value is a list of child item names.

  591.      */

  592.     protected function getChildrenList()

  593.     {

  594.         $query = (new Query)->from($this->itemChildTable);

  595.         $parents = [];

  596.         foreach ($query->all($this->db) as $row) {

  597.             $parents[$row['parent']][] = $row['child'];

  598.         }

  599.         return $parents;

  600.     }

  601. 

  602.     /**

  603.      * Recursively finds all children and grand children of the specified item.

  604.      * @param string $name the name of the item whose children are to be looked for.

  605.      * @param array $childrenList the child list built via [[getChildrenList()]]

  606.      * @param array $result the children and grand children (in array keys)

  607.      */

  608.     protected function getChildrenRecursive($name, $childrenList, &$result)

  609.     {

  610.         if (isset($childrenList[$name])) {

  611.             foreach ($childrenList[$name] as $child) {

  612.                 $result[$child] = true;

  613.                 $this->getChildrenRecursive($child, $childrenList, $result);

  614.             }

  615.         }

  616.     }

  617. 

  618.     /**

  619.      * @inheritdoc

  620.      */

  621.     public function getRule($name)

  622.     {

  623.         if ($this->rules !== null) {

  624.             return isset($this->rules[$name]) ? $this->rules[$name] : null;

  625.         }

  626. 

  627.         $row = (new Query)->select(['data'])

  628.             ->from($this->ruleTable)

  629.             ->where(['name' => $name])

  630.             ->one($this->db);

  631.         return $row === false ? null : unserialize($row['data']);

  632.     }

  633. 

  634.     /**

  635.      * @inheritdoc

  636.      */

  637.     public function getRules()

  638.     {

  639.         if ($this->rules !== null) {

  640.             return $this->rules;

  641.         }

  642. 

  643.         $query = (new Query)->from($this->ruleTable);

  644. 

  645.         $rules = [];

  646.         foreach ($query->all($this->db) as $row) {

  647.             $rules[$row['name']] = unserialize($row['data']);

  648.         }

  649. 

  650.         return $rules;

  651.     }

  652. 

  653.     /**

  654.      * @inheritdoc

  655.      */

  656.     public function getAssignment($roleName, $userId)

  657.     {

  658.         if (empty($userId)) {

  659.             return null;

  660.         }

  661. 

  662.         $row = (new Query)->from($this->assignmentTable)

  663.             ->where(['user_id' => (string) $userId, 'item_name' => $roleName])

  664.             ->one($this->db);

  665. 

  666.         if ($row === false) {

  667.             return null;

  668.         }

  669. 

  670.         return new Assignment([

  671.             'userId' => $row['user_id'],

  672.             'roleName' => $row['item_name'],

  673.             'createdAt' => $row['created_at'],

  674.         ]);

  675.     }

  676. 

  677.     /**

  678.      * @inheritdoc

  679.      */

  680.     public function getAssignments($userId)

  681.     {

  682.         if (empty($userId)) {

  683.             return [];

  684.         }

  685. 

  686.         $query = (new Query)

  687.             ->from($this->assignmentTable)

  688.             ->where(['user_id' => (string) $userId]);

  689. 

  690.         $assignments = [];

  691.         foreach ($query->all($this->db) as $row) {

  692.             $assignments[$row['item_name']] = new Assignment([

  693.                 'userId' => $row['user_id'],

  694.                 'roleName' => $row['item_name'],

  695.                 'createdAt' => $row['created_at'],

  696.             ]);

  697.         }

  698. 

  699.         return $assignments;

  700.     }

  701. 

  702.     /**

  703.      * @inheritdoc

  704.      * @since 2.0.8

  705.      */

  706.     public function canAddChild($parent, $child)

  707.     {

  708.         return !$this->detectLoop($parent, $child);

  709.     }

  710. 

  711.     /**

  712.      * @inheritdoc

  713.      */

  714.     public function addChild($parent, $child)

  715.     {

  716.         if ($parent->name === $child->name) {

  717.             throw new InvalidParamException("Cannot add '{$parent->name}' as a child of itself.");

  718.         }

  719. 

  720.         if ($parent instanceof Permission && $child instanceof Role) {

  721.             throw new InvalidParamException('Cannot add a role as a child of a permission.');

  722.         }

  723. 

  724.         if ($this->detectLoop($parent, $child)) {

  725.             throw new InvalidCallException("Cannot add '{$child->name}' as a child of '{$parent->name}'. A loop has been detected.");

  726.         }

  727. 

  728.         $this->db->createCommand()

  729.             ->insert($this->itemChildTable, ['parent' => $parent->name, 'child' => $child->name])

  730.             ->execute();

  731. 

  732.         $this->invalidateCache();

  733. 

  734.         return true;

  735.     }

  736. 

  737.     /**

  738.      * @inheritdoc

  739.      */

  740.     public function removeChild($parent, $child)

  741.     {

  742.         $result = $this->db->createCommand()

  743.             ->delete($this->itemChildTable, ['parent' => $parent->name, 'child' => $child->name])

  744.             ->execute() > 0;

  745. 

  746.         $this->invalidateCache();

  747. 

  748.         return $result;

  749.     }

  750. 

  751.     /**

  752.      * @inheritdoc

  753.      */

  754.     public function removeChildren($parent)

  755.     {

  756.         $result = $this->db->createCommand()

  757.             ->delete($this->itemChildTable, ['parent' => $parent->name])

  758.             ->execute() > 0;

  759. 

  760.         $this->invalidateCache();

  761. 

  762.         return $result;

  763.     }

  764. 

  765.     /**

  766.      * @inheritdoc

  767.      */

  768.     public function hasChild($parent, $child)

  769.     {

  770.         return (new Query)

  771.             ->from($this->itemChildTable)

  772.             ->where(['parent' => $parent->name, 'child' => $child->name])

  773.             ->one($this->db) !== false;

  774.     }

  775. 

  776.     /**

  777.      * @inheritdoc

  778.      */

  779.     public function getChildren($name)

  780.     {

  781.         $query = (new Query)

  782.             ->select(['name', 'type', 'description', 'rule_name', 'data', 'created_at', 'updated_at'])

  783.             ->from([$this->itemTable, $this->itemChildTable])

  784.             ->where(['parent' => $name, 'name' => new Expression('[[child]]')]);

  785. 

  786.         $children = [];

  787.         foreach ($query->all($this->db) as $row) {

  788.             $children[$row['name']] = $this->populateItem($row);

  789.         }

  790. 

  791.         return $children;

  792.     }

  793. 

  794.     /**

  795.      * Checks whether there is a loop in the authorization item hierarchy.

  796.      * @param Item $parent the parent item

  797.      * @param Item $child the child item to be added to the hierarchy

  798.      * @return boolean whether a loop exists

  799.      */

  800.     protected function detectLoop($parent, $child)

  801.     {

  802.         if ($child->name === $parent->name) {

  803.             return true;

  804.         }

  805.         foreach ($this->getChildren($child->name) as $grandchild) {

  806.             if ($this->detectLoop($parent, $grandchild)) {

  807.                 return true;

  808.             }

  809.         }

  810.         return false;

  811.     }

  812. 

  813.     /**

  814.      * @inheritdoc

  815.      */

  816.     public function assign($role, $userId)

  817.     {

  818.         $assignment = new Assignment([

  819.             'userId' => $userId,

  820.             'roleName' => $role->name,

  821.             'createdAt' => time(),

  822.         ]);

  823. 

  824.         $this->db->createCommand()

  825.             ->insert($this->assignmentTable, [

  826.                 'user_id' => $assignment->userId,

  827.                 'item_name' => $assignment->roleName,

  828.                 'created_at' => $assignment->createdAt,

  829.             ])->execute();

  830. 

  831.         return $assignment;

  832.     }

  833. 

  834.     /**

  835.      * @inheritdoc

  836.      */

  837.     public function revoke($role, $userId)

  838.     {

  839.         if (empty($userId)) {

  840.             return false;

  841.         }

  842. 

  843.         return $this->db->createCommand()

  844.             ->delete($this->assignmentTable, ['user_id' => (string) $userId, 'item_name' => $role->name])

  845.             ->execute() > 0;

  846.     }

  847. 

  848.     /**

  849.      * @inheritdoc

  850.      */

  851.     public function revokeAll($userId)

  852.     {

  853.         if (empty($userId)) {

  854.             return false;

  855.         }

  856. 

  857.         return $this->db->createCommand()

  858.             ->delete($this->assignmentTable, ['user_id' => (string) $userId])

  859.             ->execute() > 0;

  860.     }

  861. 

  862.     /**

  863.      * @inheritdoc

  864.      */

  865.     public function removeAll()

  866.     {

  867.         $this->removeAllAssignments();

  868.         $this->db->createCommand()->delete($this->itemChildTable)->execute();

  869.         $this->db->createCommand()->delete($this->itemTable)->execute();

  870.         $this->db->createCommand()->delete($this->ruleTable)->execute();

  871.         $this->invalidateCache();

  872.     }

  873. 

  874.     /**

  875.      * @inheritdoc

  876.      */

  877.     public function removeAllPermissions()

  878.     {

  879.         $this->removeAllItems(Item::TYPE_PERMISSION);

  880.     }

  881. 

  882.     /**

  883.      * @inheritdoc

  884.      */

  885.     public function removeAllRoles()

  886.     {

  887.         $this->removeAllItems(Item::TYPE_ROLE);

  888.     }

  889. 

  890.     /**

  891.      * Removes all auth items of the specified type.

  892.      * @param integer $type the auth item type (either Item::TYPE_PERMISSION or Item::TYPE_ROLE)

  893.      */

  894.     protected function removeAllItems($type)

  895.     {

  896.         if (!$this->supportsCascadeUpdate()) {

  897.             $names = (new Query)

  898.                 ->select(['name'])

  899.                 ->from($this->itemTable)

  900.                 ->where(['type' => $type])

  901.                 ->column($this->db);

  902.             if (empty($names)) {

  903.                 return;

  904.             }

  905.             $key = $type == Item::TYPE_PERMISSION ? 'child' : 'parent';

  906.             $this->db->createCommand()

  907.                 ->delete($this->itemChildTable, [$key => $names])

  908.                 ->execute();

  909.             $this->db->createCommand()

  910.                 ->delete($this->assignmentTable, ['item_name' => $names])

  911.                 ->execute();

  912.         }

  913.         $this->db->createCommand()

  914.             ->delete($this->itemTable, ['type' => $type])

  915.             ->execute();

  916. 

  917.         $this->invalidateCache();

  918.     }

  919. 

  920.     /**

  921.      * @inheritdoc

  922.      */

  923.     public function removeAllRules()

  924.     {

  925.         if (!$this->supportsCascadeUpdate()) {

  926.             $this->db->createCommand()

  927.                 ->update($this->itemTable, ['rule_name' => null])

  928.                 ->execute();

  929.         }

  930. 

  931.         $this->db->createCommand()->delete($this->ruleTable)->execute();

  932. 

  933.         $this->invalidateCache();

  934.     }

  935. 

  936.     /**

  937.      * @inheritdoc

  938.      */

  939.     public function removeAllAssignments()

  940.     {

  941.         $this->db->createCommand()->delete($this->assignmentTable)->execute();

  942.     }

  943. 

  944.     public function invalidateCache()

  945.     {

  946.         if ($this->cache !== null) {

  947.             $this->cache->delete($this->cacheKey);

  948.             $this->items = null;

  949.             $this->rules = null;

  950.             $this->parents = null;

  951.         }

  952.     }

  953. 

  954.     public function loadFromCache()

  955.     {

  956.         if ($this->items !== null || !$this->cache instanceof Cache) {

  957.             return;

  958.         }

  959. 

  960.         $data = $this->cache->get($this->cacheKey);

  961.         if (is_array($data) && isset($data[0], $data[1], $data[2])) {

  962.             list ($this->items, $this->rules, $this->parents) = $data;

  963.             return;

  964.         }

  965. 

  966.         $query = (new Query)->from($this->itemTable);

  967.         $this->items = [];

  968.         foreach ($query->all($this->db) as $row) {

  969.             $this->items[$row['name']] = $this->populateItem($row);

  970.         }

  971. 

  972.         $query = (new Query)->from($this->ruleTable);

  973.         $this->rules = [];

  974.         foreach ($query->all($this->db) as $row) {

  975.             $this->rules[$row['name']] = unserialize($row['data']);

  976.         }

  977. 

  978.         $query = (new Query)->from($this->itemChildTable);

  979.         $this->parents = [];

  980.         foreach ($query->all($this->db) as $row) {

  981.             if (isset($this->items[$row['child']])) {

  982.                 $this->parents[$row['child']][] = $row['parent'];

  983.             }

  984.         }

  985. 

  986.         $this->cache->set($this->cacheKey, [$this->items, $this->rules, $this->parents]);

  987.     }

  988. 

  989.     /**

  990.      * Returns all role assignment information for the specified role.

  991.      * @param string $roleName

  992.      * @return Assignment[] the assignments. An empty array will be

  993.      * returned if role is not assigned to any user.

  994.      * @since 2.0.7

  995.      */

  996.     public function getUserIdsByRole($roleName)

  997.     {

  998.         if (empty($roleName)) {

  999.             return [];

  1000.         }

  1001. 

  1002.         return (new Query)->select('[[user_id]]')

  1003.             ->from($this->assignmentTable)

  1004.             ->where(['item_name' => $roleName])->column($this->db);

  1005.     }

  1006. }