SugarCRM如何检查控制器权限？

转载

mob604756f33d49 2013-12-23 17:34:00

SugarController定义了一个实例变量$hasAccess，布尔值，默认为true。该实例变量指示使用者是否有执行摸个action的权限：

class SugarController{
    /**
     * This can be set from the application to tell us whether we have authorization to
     * process the action. If this is set we will default to the noaccess view.
     */
    public $hasAccess = true;
    
    public function process(){
        ......
    
        //check to ensure we have access to the module.
        if($this->hasAccess){
            ... ...
        }else{
            $this->no_access();
        }
    }
}

$hasAccess的值在SugarApplication中设置，当SugarApplication::execute()执行时调用handleAccessControl()检查是否有授权：

class SugarApplication
{
    var $controller = null;
    
    /**
     * Perform execution of the application. This method is called from index2.php
     */
    function execute(){
        ......
        $this->controller = ControllerFactory::getController($module);
        $this->preProcess();
        ......
    }
    
    function preProcess(){
        ......
        $this->handleAccessControl();
    }
  
    /**
     * Handles everything related to authorization.
     */
    function handleAccessControl(){
        if($GLOBALS['current_user']->isDeveloperForAnyModule())
            return;
            
        if(!empty($_REQUEST['action']) && $_REQUEST['action']=="RetrieveEmail")
            return;
            
        if (!is_admin($GLOBALS['current_user']) && !empty($GLOBALS['adminOnlyList'][$this->controller->module])
            && !empty($GLOBALS['adminOnlyList'][$this->controller->module]['all'])
            && (empty($GLOBALS['adminOnlyList'][$this->controller->module][$this->controller->action]) || $GLOBALS['adminOnlyList'][$this->controller->module][$this->controller->action] != 'allow')) {
            $this->controller->hasAccess = false;
            return;
        }
    
        // Bug 20916 - Special case for check ACL access rights for Subpanel QuickCreates
        if (isset($_POST['action']) && $_POST['action'] == 'SubpanelCreates') {
            $actual_module = $_POST['target_module'];
            if (!empty($GLOBALS['modListHeader']) && !in_array($actual_module,$GLOBALS['modListHeader'])) {
                $this->controller->hasAccess = false;
            }
            return;
        }
    
    
        if (!empty($GLOBALS['current_user']) && empty($GLOBALS['modListHeader']))
            $GLOBALS['modListHeader'] = query_module_access_list($GLOBALS['current_user']);
    
        if (in_array($this->controller->module, $GLOBALS['modInvisList']) &&
          ((in_array('Activities', $GLOBALS['moduleList'])              &&
          in_array('Calendar',$GLOBALS['moduleList']))                 &&
          in_array($this->controller->module, $GLOBALS['modInvisListActivities']))
          ){
            $this->controller->hasAccess = false;
            return;
        }
    }
}

重点看一下对$GLOBALS['adminOnlyList']的判断。$GLOBALS['adminOnlyList']在inclue/modules.php中设置，指示哪些模块只有是管理员才有权限执行：

// index.php
//    require_once('include/entryPoint.php')
//        require_once('include/modules.php');

$adminOnlyList = array(
    //module => list of actions  (all says all actions are admin only)
    //'Administration'=>array('all'=>1, 'SupportPortal'=>'allow'),
    'Dropdown'=>array('all'=>1),
    'Dynamic'=>array('all'=>1),
    'DynamicFields'=>array('all'=>1),
    'Currencies'=>array('all'=>1),
    'EditCustomFields'=>array('all'=>1),
    'FieldsMetaData'=>array('all'=>1),
    'LabelEditor'=>array('all'=>1),
    'ACL'=>array('all'=>1),
    'ACLActions'=>array('all'=>1),
    'ACLRoles'=>array('all'=>1),
    'UpgradeWizard' => array('all' => 1),
    'Studio' => array('all' => 1),
    'Schedulers' => array('all' => 1),
);