SugarController定义了一个实例变量$hasAccess,布尔值,默认为true。该实例变量指示使用者是否有执行某个action的权限:
// Excerpt from SugarCRM's SugarController; "......" and "..." stand for lines
// omitted from the original listing.
class SugarController{
    /**
     * This can be set from the application to tell us whether we have authorization to
     * process the action. If this is set we will default to the noaccess view.
     *
     * Note: the property is public and defaults to true, so access is granted
     * unless something (SugarApplication::handleAccessControl() on this page)
     * explicitly sets it to false before process() runs — a fail-open default.
     */
    public $hasAccess = true;

    /**
     * Dispatches the current action. Only the access gate is shown here; the
     * original method does more before and inside the branch.
     */
    public function process(){
        ......
        //check to ensure we have access to the module.
        if($this->hasAccess){
            ...
            ...
        }else{
            // Access was cleared by the application: hand off to the no-access handler.
            $this->no_access();
        }
    }
}
$hasAccess的值在SugarApplication中设置:SugarApplication::execute()执行时,经由preProcess()调用handleAccessControl()检查是否有授权,无授权时将controller的$hasAccess置为false:
// Excerpt from SugarCRM's SugarApplication; "......" stands for lines omitted
// from the original listing.
class SugarApplication {
    // Controller for the requested module, created in execute().
    var $controller = null;

    /**
     * Perform execution of the application. This method is called from index2.php
     */
    function execute(){
        ......
        $this->controller = ControllerFactory::getController($module);
        // preProcess() is where handleAccessControl() runs, i.e. before the
        // controller processes the action.
        $this->preProcess();
        ......
    }

    function preProcess(){
        ......
        $this->handleAccessControl();
    }

    /**
     * Handles everything related to authorization.
     *
     * Decides only whether $this->controller->hasAccess is cleared; it never
     * sets it back to true (the controller's default is true). Each early
     * `return` below exits with every later check skipped, so the order of the
     * checks matters.
     */
    function handleAccessControl(){
        // Users who are developers for any module skip every check below.
        if($GLOBALS['current_user']->isDeveloperForAnyModule()) return;
        // The RetrieveEmail action is exempted from every check below, including
        // the adminOnlyList check; the action value comes from $_REQUEST and is
        // compared loosely (==). Any access enforcement for that action has to
        // live in its own handler.
        if(!empty($_REQUEST['action']) && $_REQUEST['action']=="RetrieveEmail") return;
        // Admin-only modules: a user for whom is_admin() is false is denied when
        // the module is listed in $GLOBALS['adminOnlyList'] with a non-empty
        // 'all' key, unless the specific action is mapped to the string 'allow'.
        // A module entry without a non-empty 'all' key is not enforced by this
        // branch. The 'allow' comparison is loose (!=).
        if (!is_admin($GLOBALS['current_user'])
            && !empty($GLOBALS['adminOnlyList'][$this->controller->module])
            && !empty($GLOBALS['adminOnlyList'][$this->controller->module]['all'])
            && (empty($GLOBALS['adminOnlyList'][$this->controller->module][$this->controller->action])
                || $GLOBALS['adminOnlyList'][$this->controller->module][$this->controller->action] != 'allow')) {
            $this->controller->hasAccess = false;
            return;
        }
        // Bug 20916 - Special case for check ACL access rights for Subpanel QuickCreates
        // The module to check is taken from the request ($_POST['target_module'])
        // rather than from the controller. It is only compared against
        // $GLOBALS['modListHeader'] when that list is already populated (it is
        // not populated on this path), and the return skips the modInvisList
        // check below.
        if (isset($_POST['action']) && $_POST['action'] == 'SubpanelCreates') {
            $actual_module = $_POST['target_module'];
            if (!empty($GLOBALS['modListHeader']) && !in_array($actual_module,$GLOBALS['modListHeader'])) {
                $this->controller->hasAccess = false;
            }
            return;
        }
        // Lazily build the list of modules the current user may access.
        if (!empty($GLOBALS['current_user']) && empty($GLOBALS['modListHeader']))
            $GLOBALS['modListHeader'] = query_module_access_list($GLOBALS['current_user']);
        // Hidden modules: deny when the module is in modInvisList and, with both
        // Activities and Calendar present in moduleList, also in
        // modInvisListActivities. The modListHeader built just above is not
        // consulted by this check; all in_array() calls are non-strict.
        if (in_array($this->controller->module, $GLOBALS['modInvisList'])
            && ((in_array('Activities', $GLOBALS['moduleList']) && in_array('Calendar',$GLOBALS['moduleList']))
                && in_array($this->controller->module, $GLOBALS['modInvisListActivities'])) ){
            $this->controller->hasAccess = false;
            return;
        }
    }
}
重点看一下对$GLOBALS['adminOnlyList']的判断。$GLOBALS['adminOnlyList']在include/modules.php中设置,指示哪些模块只有管理员才有权限执行:
// index.php
// require_once('include/entryPoint.php')
// require_once('include/modules.php');
//
// Modules whose actions are restricted to administrators; read through
// $GLOBALS['adminOnlyList'] by SugarApplication::handleAccessControl().
// Shape: module name => ['all' => 1, <action> => 'allow', ...]
//   'all' => 1          every action of the module is admin-only
//   <action> => 'allow' that single action is exempted from the restriction
$adminOnlyList = [
    //'Administration' => ['all' => 1, 'SupportPortal' => 'allow'],
    'Dropdown'         => ['all' => 1],
    'Dynamic'          => ['all' => 1],
    'DynamicFields'    => ['all' => 1],
    'Currencies'       => ['all' => 1],
    'EditCustomFields' => ['all' => 1],
    'FieldsMetaData'   => ['all' => 1],
    'LabelEditor'      => ['all' => 1],
    'ACL'              => ['all' => 1],
    'ACLActions'       => ['all' => 1],
    'ACLRoles'         => ['all' => 1],
    'UpgradeWizard'    => ['all' => 1],
    'Studio'           => ['all' => 1],
    'Schedulers'       => ['all' => 1],
];