1:   2:   3:   4:   5:   6:   7:   8:   9:  10:  11:  12:  13:  14:  15:  16:  17:  18:  19:  20:  21:  22:  23:  24:  25:  26:  27:  28:  29:  30:  31:  32:  33:  34:  35:  36:  37:  38:  39:  40:  41:  42:  43:  44:  45:  46:  47:  48:  49:  50:  51:  52:  53:  54:  55:  56:  57:  58:  59:  60:  61:  62:  63:  64:  65:  66:  67:  68:  69:  70:  71:  72:  73:  74:  75:  76:  77:  78:  79:  80:  81:  82:  83:  84:  85:  86:  87:  88:  89:  90:  91:  92:  93:  94:  95:  96:  97:  98:  99: 100: 101: 102: 103: 104: 105: 106: 107: 108: 109: 110: 111: 112: 113: 114: 115: 116: 117: 118: 119: 120: 121: 122: 123: 124: 125: 126: 127: 
<?php
namespace Omeka\Permissions;

use Zend\Authentication\AuthenticationServiceInterface;
use Zend\Permissions\Acl\Acl as ZendAcl;

class Acl extends ZendAcl
{
    const ROLE_GLOBAL_ADMIN = 'global_admin';
    const ROLE_SITE_ADMIN = 'site_admin';
    const ROLE_EDITOR = 'editor';
    const ROLE_REVIEWER = 'reviewer';
    const ROLE_AUTHOR = 'author';
    const ROLE_RESEARCHER = 'researcher';

    /**
     * @var array
     */
    protected $roleLabels = [
        self::ROLE_GLOBAL_ADMIN => 'Global Administrator', // @translate
        self::ROLE_SITE_ADMIN => 'Site Administrator', // @translate
        self::ROLE_EDITOR => 'Editor', // @translate
        self::ROLE_REVIEWER => 'Reviewer', // @translate
        self::ROLE_AUTHOR => 'Author', // @translate
        self::ROLE_RESEARCHER => 'Researcher', // @translate
    ];

    /**
     * Roles that are "admins" and restricted for editing.
     *
     * @var array
     */
    protected $adminRoles = [
        self::ROLE_GLOBAL_ADMIN,
        self::ROLE_SITE_ADMIN,
    ];

    /**
     * @var AuthenticationServiceInterface
     */
    protected $auth;

    /**
     * {@inheritDoc}
     */
    public function setAuthenticationService(AuthenticationServiceInterface $auth)
    {
        $this->auth = $auth;
    }

    /**
     * {@inheritDoc}
     */
    public function getAuthenticationService()
    {
        return $this->auth;
    }

    /**
     * Get role names and their labels.
     *
     * @param bool $excludeAdminRoles Whether to only return the non-admin
     *  roles. False by default, so all roles are returned.
     * @return array
     */
    public function getRoleLabels($excludeAdminRoles = false)
    {
        $labels = $this->roleLabels;

        if ($excludeAdminRoles) {
            foreach ($this->adminRoles as $role) {
                unset($labels[$role]);
            }
        }
        return $labels;
    }

    /**
     * Authorize the current user.
     *
     * @param Resource\ResourceInterface|string $resource
     * @param string $privilege
     * @return bool
     */
    public function userIsAllowed($resource = null, $privilege = null)
    {
        $auth = $this->auth;
        $role = null;
        if ($auth) {
            $role = $auth->getIdentity();
        }
        return $this->isAllowed($role, $resource, $privilege);
    }

    /**
     * Determine whether the admin role is an "admin" role that carries
     * restrictions beyond other roles.
     *
     * @return bool
     */
    public function isAdminRole($role)
    {
        return in_array($role, $this->adminRoles);
    }

    /**
     * Add a role label to the ACL
     *
     * @param $roleId
     * @param $roleLabel
     */
    public function addRoleLabel($roleId, $roleLabel)
    {
        $this->roleLabels[$roleId] = $roleLabel;
    }

    /**
     * Remove a role label from the ACL
     *
     * @param $roleId
     */
    public function removeRoleLabel($roleId)
    {
        unset($this->roleLabels[$roleId]);
    }
}