<?php
// +----------------------------------------------------------------------
// | SentCMS [ WE CAN DO IT JUST THINK IT ]
// +----------------------------------------------------------------------
// | Copyright (c) 2013 http://www.tensent.cn All rights reserved.
// +----------------------------------------------------------------------
// | Author: molong <molong@tensent.cn> <http://www.tensent.cn>
// +----------------------------------------------------------------------
namespace app\controller;

use app\BaseController;
use sent\auth\Auth;
use think\facade\Cache;
use think\facade\Config;

/**
 * @title 后端公共模块
 */
class Admin extends BaseController {

	protected $middleware = [
		'\app\http\middleware\Validate',
		'\app\http\middleware\Admin',
	];

	protected $data = ['data' => [], 'code' => 0, 'msg' => ''];

	protected function initialize() {
		$config = Cache::get('system_config');
		if (!$config) {
			$config = (new \app\model\Config())->lists();
			Cache::set('system_config', $config);
		}
		$this->data['config'] = $config;
	}

	protected function success($msg, $url = '') {
		$this->data['code'] = 0;
		$this->data['msg']  = $msg;
		$this->data['url']  = $url ? $url->__toString() : '';
		return $this->data;
	}

	protected function error($msg, $url = '') {
		$this->data['code'] = 1;
		$this->data['msg']  = $msg;
		$this->data['url']  = $url ? $url->__toString() : '';
		return $this->data;
	}

	/**
	 * 授权配置
	 * @param  [type] $request [description]
	 * @return [type]          [description]
	 */
	protected function auth($request) {
		// 是否是超级管理员
		define('IS_ROOT', is_administrator());
		if (!IS_ROOT && Config::get('admin_allow_ip')) {
			// 检查IP地址访问
			if (!in_array(get_client_ip(), explode(',', Config::get('admin_allow_ip')))) {
				$this->error('403:禁止访问');
			}
		}

		// 检测系统权限
		if (!IS_ROOT) {
			$access = $this->accessControl();
			if (false === $access) {
				$this->error('403:禁止访问');
			} elseif (null === $access) {
				$dynamic = $this->checkDynamic(); //检测分类栏目有关的各项动态权限
				if ($dynamic === null) {
					//检测访问权限
					if (!$this->checkRule($this->url_path, array('in', '1,2'))) {
						$this->error('未授权访问!');
					} else {
						// 检测分类及内容有关的各项动态权限
						$dynamic = $this->checkDynamic();
						if (false === $dynamic) {
							$this->error('未授权访问!');
						}
					}
				} elseif ($dynamic === false) {
					$this->error('未授权访问!');
				}
			}
		}
	}

	/**
	 * 权限检测
	 * @param string  $rule    检测的规则
	 * @param string  $mode    check模式
	 * @return boolean
	 * @author 朱亚杰  <xcoolcc@gmail.com>
	 */
	final protected function checkRule($rule, $type = AuthRule::rule_url, $mode = 'url') {
		static $Auth = null;
		if (!$Auth) {
			$Auth = new Auth();
		}
		if (!$Auth->check($rule, session('user_auth.uid'), $type, $mode)) {
			return false;
		}
		return true;
	}

	/**
	 * 检测是否是需要动态判断的权限
	 * @return boolean|null
	 *      返回true则表示当前访问有权限
	 *      返回false则表示当前访问无权限
	 *      返回null，则表示权限不明
	 *
	 * @author 朱亚杰  <xcoolcc@gmail.com>
	 */
	protected function checkDynamic() {
		if (IS_ROOT) {
			return true; //管理员允许访问任何页面
		}
		return null; //不明,需checkRule
	}

	/**
	 * action访问控制,在 **登陆成功** 后执行的第一项权限检测任务
	 *
	 * @return boolean|null  返回值必须使用 `===` 进行判断
	 *
	 *   返回 **false**, 不允许任何人访问(超管除外)
	 *   返回 **true**, 允许任何管理员访问,无需执行节点权限检测
	 *   返回 **null**, 需要继续执行节点权限检测决定是否允许访问
	 * @author 朱亚杰  <xcoolcc@gmail.com>
	 */
	final protected function accessControl() {
		$allow = Config::get('allow_visit');
		$deny  = Config::get('deny_visit');
		$check = strtolower($this->request->controller() . '/' . $this->request->action());
		if (!empty($deny) && in_array_case($check, $deny)) {
			return false; //非超管禁止访问deny中的方法
		}
		if (!empty($allow) && in_array_case($check, $allow)) {
			return true;
		}
		return null; //需要检测节点权限
	}
}