<?php
namespace Users;

use Zend_Acl;
use Zend_Acl_Role;
use Zend_Acl_Resource;


class AclManager extends \Zend_Controller_Plugin_Abstract
{
	// default user role if not logged or (or invalid role found)
	private $_defaultRole = 'guest';
	// the action to dispatch if a user doesn't have sufficient privileges
	private $_authController = array(
		'module'=>'',
		'controller' => 'account',
		'action'    => 'login'
	);
	
	private $_adminRole;
	
	private $roles = array(
			'系统管理员' => 'administrator',
			'青海省气象科学研究所' => 'meteorologic',
			'青海省环境监测中心站' => 'qhemc',
			'青海省水土保持局' => 'watersoil',
			'青海省林业调查规划院' => 'forestry',
			'青海省水文水资源局' => 'hydrology',
			'青海省草原总站' => 'grassland',
			'青海省生态环境遥感监测中心' => 'qherc'
	);
	
	public function __construct(\Zend_Auth $auth)
	{
		$config = \Zend_Registry::get('config');
		$this->_adminRole = $config->auth->identifier;
		
		$this->db=\Zend_Registry::get('db');
		$this->auth = $auth;
		$this->acl = new Zend_Acl();
		// add the different user roles
		$this->acl->addRole(new Zend_Acl_Role($this->_defaultRole));
		$this->acl->addRole(new Zend_Acl_Role('member'));
		
		foreach($this->roles as $k=>$v)
		{
			$this->acl->addRole(new Zend_Acl_Role($v), 'member');
		}
		
		//$this->acl->addRole(new Zend_Acl_Role($this->_adminRole), 'member');
		
		// add the resources we want to have control over
		$this->acl->add(new Zend_Acl_Resource('account'));
		$this->acl->add(new Zend_Acl_Resource('data'));
		$this->acl->add(new Zend_Acl_Resource('water'));
		$this->acl->add(new Zend_Acl_Resource('admin'));
		$this->acl->add(new Zend_Acl_Resource('upload'));
		$this->acl->add(new Zend_Acl_Resource('author'));
		$this->acl->add(new Zend_Acl_Resource('heihe'));
		// allow access to everything for all users by default
		// except for the account management and administration areas
		$this->acl->allow();
		$this->acl->deny(null, 'account');
		$this->acl->deny(null, 'admin');
		$this->acl->deny(null, 'author');
		// add an exception so guests can log in or register
		// in order to gain privilege
		  $this->acl->allow('guest', 'account', array('login',
									'logout',
									'captcha',
								  'fetchpwd',
								  'register',
								  'registercomplete',
								  'wcdlogin'));
		  $this->acl->deny('guest','data',array('download','order'));
		  $this->acl->deny('guest','water',array('download','order'));  
		  $this->acl->deny('guest','heihe',array('submit'));                     
		  // allow members access to the account management area
		  $this->acl->allow('guest','author',array('index'));  
		  $this->acl->allow('member', 'account');
		  $this->acl->allow('member', 'author');
		  
		  // allows administrators access to the admin area
		  $this->acl->allow($this->_adminRole, 'admin');
		}
	/**
	  * preDispatch
	  *
	  * Before an action is dispatched, check if the current user
	  * has sufficient privileges. If not, dispatch the default
	  * action instead
	  *
	  * @param Zend_Controller_Request_Abstract     $request
	  */
	public function preDispatch(\Zend_Controller_Request_Abstract $request)
	{
		
		$phpSessId = $request->getParam('PHPSESSID');
		
		if (!empty($phpSessId) && session_id() != $phpSessId) {
			session_destroy();
			session_id($phpSessId);
			session_start();
		}
		 // check if a user is logged in and has a valid role,
		 // otherwise, assign them the default role (guest)
		 
		if(!$this->auth->hasIdentity())
		{
			$mb = new \member();
			$mb->db=$this->db;
			if($mb->checkcookie())
			{
				$auth = Zend_Auth::getInstance();
				$authAdapter = new Zend_Auth_Adapter_DbTable($this->db);
				$authAdapter->setTableName('users')
									->setIdentityColumn('username')
									->setCredentialColumn('password');
				$authAdapter->setIdentity($mb->user)->setCredential($mb->srpwd);
				$result = $auth->authenticate($authAdapter);
				if ($result->isValid()) {  	
					 $data = $authAdapter->getResultRowObject(null,'password');
					 //头像
					 include_once("Avatar.php");
					 $avatar = new Avatar();
					 $data->avatar = $avatar->Get($data->email,40);
					 
					 //组ID
					 include_once("Users.php");
					 $usr = new Users($this->db);
					 $data->gid = $usr->getGroup($data->id);
					 
					 $auth->getStorage()->write($data);
					 $this->db->query("update users set ts_last_login=now() where username=?",array($mb->user));
				}
			}
		}
		
		 if ($this->auth->hasIdentity())
			  $role = $this->auth->getIdentity()->usertype;
		 else
			  $role = $this->_defaultRole;
		 if (!$this->acl->hasRole($role))
			  $role = $this->_defaultRole;
		 // the ACL resource is the requested controller name
		 $resource = $request->controller;
		 if ($request->module<>"default") $resource=$request->module;
		 // the ACL privilege is the requested action name
		 $privilege = $request->action;
		 if ($request->module<>"default") $privilege = $request->controller;
		 // if we haven't explicitly added the resource, check
		 // the default global permissions
		 if (!$this->acl->has($resource))
			  $resource = null;
		 // access denied - reroute the request to the default action handler
		 if (!$this->acl->isAllowed($role, $resource, $privilege)) {
			$request->setModuleName($this->_authController['module']);
		  $request->setControllerName($this->_authController['controller']);
		  $request->setActionName($this->_authController['action']);
		}
	  }
	}