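#!/usr/bin/php
<?php
/**
 * Copyright © 2014 Strangecode, LLC
 *
 * This program is free software: you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation, either version 3 of the License, or
 * (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program. If not, see <http://www.gnu.org/licenses/>.
 */

/*
 * acl-init.cli.php
 *
 * Command-line script that initialises the ACL database and seeds it with:
 *   - request objects (groups of users),
 *   - control objects (areas/functions of the site),
 *   - xtra objects (record-scope qualifiers),
 *   - the initial users and the initial grant/revoke rules.
 *
 * Run once when setting up an installation; it is not safe to treat as
 * idempotent without first checking what ACL::initDB() does to existing rows.
 *
 * @author Quinn Comendant
 * @version 1.0
 * @since 18 Jan 2014 19:47:16
 */

/********************************************************************
 * CONFIG
 ********************************************************************/

define('_CLI', true);

// Fail with a readable message instead of "require(): Failed opening ''" when realpath() returns false.
$config_file = realpath(dirname(__FILE__) . '/../app/_config.inc.php');
if (false === $config_file) {
    fwrite(STDERR, 'Configuration file not found: ' . dirname(__FILE__) . "/../app/_config.inc.php\n");
    exit(1);
}
require $config_file;

$app->setParam(array('log_screen_priority' => LOG_DEBUG));
error_reporting(E_ALL);

/********************************************************************
 * MAIN
 ********************************************************************/

// Access Control Lists
require_once 'codebase/lib/ACL.inc.php';
$acl =& ACL::getInstance();
// Caching is disabled for this one-shot initialisation run.
$acl->setParam(array('enable_cache' => false));
// NOTE(review): the boolean argument presumably forces (re)creation of the ACL tables — confirm in ACL.inc.php
// before running this against a database that already holds ACL data.
$acl->initDB(true);

// Request objects - GROUPS OF USERS.
// 'internal:engineering' is registered as a child of 'internal'.
$acl->addRequestObject('internal');
$acl->addRequestObject('internal:engineering', 'internal');
$acl->addRequestObject('general');
$acl->addRequestObject('disabled');

// Control objects - all AREAS/FUNCTIONS of site.
// Every object in $crud_objects gets the four standard child objects
// <object>:read, <object>:create, <object>:update and <object>:delete.
$crud_actions = array('read', 'create', 'update', 'delete');
$crud_objects = array('account', 'user', 'survey', 'question', 'participant', 'trigger', 'payment');

$acl->addControlObject('dashboard');
foreach ($crud_objects as $object) {
    $acl->addControlObject($object);
    foreach ($crud_actions as $action) {
        $acl->addControlObject($object . ':' . $action, $object);
    }
}
// Candidate control objects that are deliberately NOT registered (yet):
// participant:import, participant:clone, trigger:log, payment:log.
$acl->addControlObject('report');
$acl->addControlObject('report:response', 'report');
$acl->addControlObject('system');
$acl->addControlObject('settings');

// Xtra objects - use an 'any' object to indicate if the requestor can access any record,
// or is limited to those in their account.
$acl->addXtraObject('any');
// Candidate per-record xtra objects that are NOT registered (yet):
// account, user, payment, trigger, survey, question, participant,
// and instance qualifiers such as account_id:1 (under account) or user_id:1 (under user).

//
// Initial users
//
$acl->addRequestObject('user_id:1', 'internal:engineering');
$acl->addRequestObject('user_id:2', 'general');

//
// Initial permissions.
//

// ENGINEERING: access to everything.
$acl->grant('internal:engineering');

// INTERNAL: access to any accounts and any users.
// The control objects are registered above as 'account' and 'user' (singular);
// the earlier 'accounts'/'users' spelling referred to objects that were never registered,
// so this grant would not have applied to the real objects.
$acl->grant('internal', 'account', 'any');
$acl->grant('internal', 'user', 'any');

// GENERAL: only their own objects.
// Grant access to objects (we limit to objects under their account_id—the logic for this is in the model),
// then deny the 'any' xtra object on each of them so the scope stays restricted to their own account.
$general_objects = array('account', 'user', 'payment', 'trigger', 'survey', 'question', 'participant', 'report:response');
foreach ($general_objects as $object) {
    $acl->grant('general', $object);
}
foreach ($general_objects as $object) {
    $acl->revoke('general', $object, 'any');
}
// Example per-record grants, NOT applied here:
//   $acl->grant('general', 'account:update', 'account_id:1');
//   $acl->grant('general', 'user:update', 'user_id:1');

// DISABLED: no permissions.
$acl->revoke('disabled');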