14 files changed, 3216 insertions, 0 deletions

diff --git a/framework/web/auth/CAccessControlFilter.php b/framework/web/auth/CAccessControlFilter.php
new file mode 100644
index 0000000..6ab4d2a
--- /dev/null
+++ b/framework/web/auth/CAccessControlFilter.php
@@ -0,0 +1,342 @@
+<?php
+/**
+ * CAccessControlFilter class file.
+ *
+ * @author Qiang Xue <qiang.xue@gmail.com>
+ * @link http://www.yiiframework.com/
+ * @copyright Copyright &copy; 2008-2011 Yii Software LLC
+ * @license http://www.yiiframework.com/license/
+ */
+
+/**
+ * CAccessControlFilter performs authorization checks for the specified actions.
+ *
+ * By enabling this filter, controller actions can be checked for access permissions.
+ * When the user is not denied by one of the security rules or allowed by a rule explicitly,
+ * he will be able to access the action.
+ *
+ * For maximum security consider adding
+ * <pre>array('deny')</pre>
+ * as a last rule in a list so all actions will be denied by default.
+ *
+ * To specify the access rules, set the {@link setRules rules} property, which should
+ * be an array of the rules. Each rule is specified as an array of the following structure:
+ * <pre>
+ * array(
+ *   'allow',  // or 'deny'
+ *   // optional, list of action IDs (case insensitive) that this rule applies to
+ *   // if not specified, rule applies to all actions
+ *   'actions'=>array('edit', 'delete'),
+ *   // optional, list of controller IDs (case insensitive) that this rule applies to
+ *   'controllers'=>array('post', 'admin/user'),
+ *   // optional, list of usernames (case insensitive) that this rule applies to
+ *   // Use * to represent all users, ? guest users, and @ authenticated users
+ *   'users'=>array('thomas', 'kevin'),
+ *   // optional, list of roles (case sensitive!) that this rule applies to.
+ *   'roles'=>array('admin', 'editor'),
+ *   // optional, list of IP address/patterns that this rule applies to
+ *   // e.g. 127.0.0.1, 127.0.0.*
+ *   'ips'=>array('127.0.0.1'),
+ *   // optional, list of request types (case insensitive) that this rule applies to
+ *   'verbs'=>array('GET', 'POST'),
+ *   // optional, a PHP expression whose value indicates whether this rule applies
+ *   'expression'=>'!$user->isGuest && $user->level==2',
+ *   // optional, the customized error message to be displayed
+ *   // This option is available since version 1.1.1.
+ *   'message'=>'Access Denied.',
+ * )
+ * </pre>
+ *
+ * @property array $rules List of access rules.
+ *
+ * @author Qiang Xue <qiang.xue@gmail.com>
+ * @version $Id: CAccessControlFilter.php 3515 2011-12-28 12:29:24Z mdomba $
+ * @package system.web.auth
+ * @since 1.0
+ */
+class CAccessControlFilter extends CFilter
+{
+	/**
+	 * @var string the error message to be displayed when authorization fails.
+	 * This property can be overridden by individual access rule via {@link CAccessRule::message}.
+	 * If this property is not set, a default error message will be displayed.
+	 * @since 1.1.1
+	 */
+	public $message;
+
+	private $_rules=array();
+
+	/**
+	 * @return array list of access rules.
+	 */
+	public function getRules()
+	{
+		return $this->_rules;
+	}
+
+	/**
+	 * @param array $rules list of access rules.
+	 */
+	public function setRules($rules)
+	{
+		foreach($rules as $rule)
+		{
+			if(is_array($rule) && isset($rule[0]))
+			{
+				$r=new CAccessRule;
+				$r->allow=$rule[0]==='allow';
+				foreach(array_slice($rule,1) as $name=>$value)
+				{
+					if($name==='expression' || $name==='roles' || $name==='message')
+						$r->$name=$value;
+					else
+						$r->$name=array_map('strtolower',$value);
+				}
+				$this->_rules[]=$r;
+			}
+		}
+	}
+
+	/**
+	 * Performs the pre-action filtering.
+	 * @param CFilterChain $filterChain the filter chain that the filter is on.
+	 * @return boolean whether the filtering process should continue and the action
+	 * should be executed.
+	 */
+	protected function preFilter($filterChain)
+	{
+		$app=Yii::app();
+		$request=$app->getRequest();
+		$user=$app->getUser();
+		$verb=$request->getRequestType();
+		$ip=$request->getUserHostAddress();
+
+		foreach($this->getRules() as $rule)
+		{
+			if(($allow=$rule->isUserAllowed($user,$filterChain->controller,$filterChain->action,$ip,$verb))>0) // allowed
+				break;
+			else if($allow<0) // denied
+			{
+				$this->accessDenied($user,$this->resolveErrorMessage($rule));
+				return false;
+			}
+		}
+
+		return true;
+	}
+
+	/**
+	 * Resolves the error message to be displayed.
+	 * This method will check {@link message} and {@link CAccessRule::message} to see
+	 * what error message should be displayed.
+	 * @param CAccessRule $rule the access rule
+	 * @return string the error message
+	 * @since 1.1.1
+	 */
+	protected function resolveErrorMessage($rule)
+	{
+		if($rule->message!==null)
+			return $rule->message;
+		else if($this->message!==null)
+			return $this->message;
+		else
+			return Yii::t('yii','You are not authorized to perform this action.');
+	}
+
+	/**
+	 * Denies the access of the user.
+	 * This method is invoked when access check fails.
+	 * @param IWebUser $user the current user
+	 * @param string $message the error message to be displayed
+	 */
+	protected function accessDenied($user,$message)
+	{
+		if($user->getIsGuest())
+			$user->loginRequired();
+		else
+			throw new CHttpException(403,$message);
+	}
+}
+
+
+/**
+ * CAccessRule represents an access rule that is managed by {@link CAccessControlFilter}.
+ *
+ * @author Qiang Xue <qiang.xue@gmail.com>
+ * @version $Id: CAccessControlFilter.php 3515 2011-12-28 12:29:24Z mdomba $
+ * @package system.web.auth
+ * @since 1.0
+ */
+class CAccessRule extends CComponent
+{
+	/**
+	 * @var boolean whether this is an 'allow' rule or 'deny' rule.
+	 */
+	public $allow;
+	/**
+	 * @var array list of action IDs that this rule applies to. The comparison is case-insensitive.
+	 * If no actions are specified, rule applies to all actions.
+	 */
+	public $actions;
+	/**
+	 * @var array list of controler IDs that this rule applies to. The comparison is case-insensitive.
+	 */
+	public $controllers;
+	/**
+	 * @var array list of user names that this rule applies to. The comparison is case-insensitive.
+	 * If no user names are specified, rule applies to all users.
+	 */
+	public $users;
+	/**
+	 * @var array list of roles this rule applies to. For each role, the current user's
+	 * {@link CWebUser::checkAccess} method will be invoked. If one of the invocations
+	 * returns true, the rule will be applied.
+	 * Note, you should mainly use roles in an "allow" rule because by definition,
+	 * a role represents a permission collection.
+	 * @see CAuthManager
+	 */
+	public $roles;
+	/**
+	 * @var array IP patterns.
+	 */
+	public $ips;
+	/**
+	 * @var array list of request types (e.g. GET, POST) that this rule applies to.
+	 */
+	public $verbs;
+	/**
+	 * @var string a PHP expression whose value indicates whether this rule should be applied.
+	 * In this expression, you can use <code>$user</code> which refers to <code>Yii::app()->user</code>.
+	 * The expression can also be a valid PHP callback,
+	 * including class method name (array(ClassName/Object, MethodName)),
+	 * or anonymous function (PHP 5.3.0+). The function/method signature should be as follows:
+	 * <pre>
+	 * function foo($user, $rule) { ... }
+	 * </pre>
+	 * where $user is the current application user object and $rule is this access rule.
+	 */
+	public $expression;
+	/**
+	 * @var string the error message to be displayed when authorization is denied by this rule.
+	 * If not set, a default error message will be displayed.
+	 * @since 1.1.1
+	 */
+	public $message;
+
+
+	/**
+	 * Checks whether the Web user is allowed to perform the specified action.
+	 * @param CWebUser $user the user object
+	 * @param CController $controller the controller currently being executed
+	 * @param CAction $action the action to be performed
+	 * @param string $ip the request IP address
+	 * @param string $verb the request verb (GET, POST, etc.)
+	 * @return integer 1 if the user is allowed, -1 if the user is denied, 0 if the rule does not apply to the user
+	 */
+	public function isUserAllowed($user,$controller,$action,$ip,$verb)
+	{
+		if($this->isActionMatched($action)
+			&& $this->isUserMatched($user)
+			&& $this->isRoleMatched($user)
+			&& $this->isIpMatched($ip)
+			&& $this->isVerbMatched($verb)
+			&& $this->isControllerMatched($controller)
+			&& $this->isExpressionMatched($user))
+			return $this->allow ? 1 : -1;
+		else
+			return 0;
+	}
+
+	/**
+	 * @param CAction $action the action
+	 * @return boolean whether the rule applies to the action
+	 */
+	protected function isActionMatched($action)
+	{
+		return empty($this->actions) || in_array(strtolower($action->getId()),$this->actions);
+	}
+
+	/**
+	 * @param CAction $controller the action
+	 * @return boolean whether the rule applies to the action
+	 */
+	protected function isControllerMatched($controller)
+	{
+		return empty($this->controllers) || in_array(strtolower($controller->getId()),$this->controllers);
+	}
+
+	/**
+	 * @param IWebUser $user the user
+	 * @return boolean whether the rule applies to the user
+	 */
+	protected function isUserMatched($user)
+	{
+		if(empty($this->users))
+			return true;
+		foreach($this->users as $u)
+		{
+			if($u==='*')
+				return true;
+			else if($u==='?' && $user->getIsGuest())
+				return true;
+			else if($u==='@' && !$user->getIsGuest())
+				return true;
+			else if(!strcasecmp($u,$user->getName()))
+				return true;
+		}
+		return false;
+	}
+
+	/**
+	 * @param IWebUser $user the user object
+	 * @return boolean whether the rule applies to the role
+	 */
+	protected function isRoleMatched($user)
+	{
+		if(empty($this->roles))
+			return true;
+		foreach($this->roles as $role)
+		{
+			if($user->checkAccess($role))
+				return true;
+		}
+		return false;
+	}
+
+	/**
+	 * @param string $ip the IP address
+	 * @return boolean whether the rule applies to the IP address
+	 */
+	protected function isIpMatched($ip)
+	{
+		if(empty($this->ips))
+			return true;
+		foreach($this->ips as $rule)
+		{
+			if($rule==='*' || $rule===$ip || (($pos=strpos($rule,'*'))!==false && !strncmp($ip,$rule,$pos)))
+				return true;
+		}
+		return false;
+	}
+
+	/**
+	 * @param string $verb the request method
+	 * @return boolean whether the rule applies to the request
+	 */
+	protected function isVerbMatched($verb)
+	{
+		return empty($this->verbs) || in_array(strtolower($verb),$this->verbs);
+	}
+
+	/**
+	 * @param IWebUser $user the user
+	 * @return boolean the expression value. True if the expression is not specified.
+	 */
+	protected function isExpressionMatched($user)
+	{
+		if($this->expression===null)
+			return true;
+		else
+			return $this->evaluateExpression($this->expression, array('user'=>$user));
+	}
+}
diff --git a/framework/web/auth/CAuthAssignment.php b/framework/web/auth/CAuthAssignment.php
new file mode 100644
index 0000000..b841437
--- /dev/null
+++ b/framework/web/auth/CAuthAssignment.php
@@ -0,0 +1,107 @@
+<?php
+/**
+ * CAuthAssignment class file.
+ *
+ * @author Qiang Xue <qiang.xue@gmail.com>
+ * @link http://www.yiiframework.com/
+ * @copyright Copyright &copy; 2008-2011 Yii Software LLC
+ * @license http://www.yiiframework.com/license/
+ */
+
+/**
+ * CAuthAssignment represents an assignment of a role to a user.
+ * It includes additional assignment information such as {@link bizRule} and {@link data}.
+ * Do not create a CAuthAssignment instance using the 'new' operator.
+ * Instead, call {@link IAuthManager::assign}.
+ *
+ * @property mixed $userId User ID (see {@link IWebUser::getId}).
+ * @property string $itemName The authorization item name.
+ * @property string $bizRule The business rule associated with this assignment.
+ * @property mixed $data Additional data for this assignment.
+ *
+ * @author Qiang Xue <qiang.xue@gmail.com>
+ * @version $Id: CAuthAssignment.php 3426 2011-10-25 00:01:09Z alexander.makarow $
+ * @package system.web.auth
+ * @since 1.0
+ */
+class CAuthAssignment extends CComponent
+{
+	private $_auth;
+	private $_itemName;
+	private $_userId;
+	private $_bizRule;
+	private $_data;
+
+	/**
+	 * Constructor.
+	 * @param IAuthManager $auth the authorization manager
+	 * @param string $itemName authorization item name
+	 * @param mixed $userId user ID (see {@link IWebUser::getId})
+	 * @param string $bizRule the business rule associated with this assignment
+	 * @param mixed $data additional data for this assignment
+	 */
+	public function __construct($auth,$itemName,$userId,$bizRule=null,$data=null)
+	{
+		$this->_auth=$auth;
+		$this->_itemName=$itemName;
+		$this->_userId=$userId;
+		$this->_bizRule=$bizRule;
+		$this->_data=$data;
+	}
+
+	/**
+	 * @return mixed user ID (see {@link IWebUser::getId})
+	 */
+	public function getUserId()
+	{
+		return $this->_userId;
+	}
+
+	/**
+	 * @return string the authorization item name
+	 */
+	public function getItemName()
+	{
+		return $this->_itemName;
+	}
+
+	/**
+	 * @return string the business rule associated with this assignment
+	 */
+	public function getBizRule()
+	{
+		return $this->_bizRule;
+	}
+
+	/**
+	 * @param string $value the business rule associated with this assignment
+	 */
+	public function setBizRule($value)
+	{
+		if($this->_bizRule!==$value)
+		{
+			$this->_bizRule=$value;
+			$this->_auth->saveAuthAssignment($this);
+		}
+	}
+
+	/**
+	 * @return mixed additional data for this assignment
+	 */
+	public function getData()
+	{
+		return $this->_data;
+	}
+
+	/**
+	 * @param mixed $value additional data for this assignment
+	 */
+	public function setData($value)
+	{
+		if($this->_data!==$value)
+		{
+			$this->_data=$value;
+			$this->_auth->saveAuthAssignment($this);
+		}
+	}
+}
\ No newline at end of file
diff --git a/framework/web/auth/CAuthItem.php b/framework/web/auth/CAuthItem.php
new file mode 100644
index 0000000..7634786
--- /dev/null
+++ b/framework/web/auth/CAuthItem.php
@@ -0,0 +1,277 @@
+<?php
+/**
+ * CAuthItem class file.
+ *
+ * @author Qiang Xue <qiang.xue@gmail.com>
+ * @link http://www.yiiframework.com/
+ * @copyright Copyright &copy; 2008-2011 Yii Software LLC
+ * @license http://www.yiiframework.com/license/
+ */
+
+/**
+ * CAuthItem represents an authorization item.
+ * An authorization item can be an operation, a task or a role.
+ * They form an authorization hierarchy. Items on higher levels of the hierarchy
+ * inherit the permissions represented by items on lower levels.
+ * A user may be assigned one or several authorization items (called {@link CAuthAssignment assignments}.
+ * He can perform an operation only when it is among his assigned items.
+ *
+ * @property IAuthManager $authManager The authorization manager.
+ * @property integer $type The authorization item type. This could be 0 (operation), 1 (task) or 2 (role).
+ * @property string $name The item name.
+ * @property string $description The item description.
+ * @property string $bizRule The business rule associated with this item.
+ * @property mixed $data The additional data associated with this item.
+ * @property array $children All child items of this item.
+ *
+ * @author Qiang Xue <qiang.xue@gmail.com>
+ * @version $Id: CAuthItem.php 3442 2011-11-09 02:48:50Z alexander.makarow $
+ * @package system.web.auth
+ * @since 1.0
+ */
+class CAuthItem extends CComponent
+{
+	const TYPE_OPERATION=0;
+	const TYPE_TASK=1;
+	const TYPE_ROLE=2;
+
+	private $_auth;
+	private $_type;
+	private $_name;
+	private $_description;
+	private $_bizRule;
+	private $_data;
+
+	/**
+	 * Constructor.
+	 * @param IAuthManager $auth authorization manager
+	 * @param string $name authorization item name
+	 * @param integer $type authorization item type. This can be 0 (operation), 1 (task) or 2 (role).
+	 * @param description $description the description
+	 * @param string $bizRule the business rule associated with this item
+	 * @param mixed $data additional data for this item
+	 */
+	public function __construct($auth,$name,$type,$description='',$bizRule=null,$data=null)
+	{
+		$this->_type=(int)$type;
+		$this->_auth=$auth;
+		$this->_name=$name;
+		$this->_description=$description;
+		$this->_bizRule=$bizRule;
+		$this->_data=$data;
+	}
+
+	/**
+	 * Checks to see if the specified item is within the hierarchy starting from this item.
+	 * This method is internally used by {@link IAuthManager::checkAccess}.
+	 * @param string $itemName the name of the item to be checked
+	 * @param array $params the parameters to be passed to business rule evaluation
+	 * @return boolean whether the specified item is within the hierarchy starting from this item.
+	 */
+	public function checkAccess($itemName,$params=array())
+	{
+		Yii::trace('Checking permission "'.$this->_name.'"','system.web.auth.CAuthItem');
+		if($this->_auth->executeBizRule($this->_bizRule,$params,$this->_data))
+		{
+			if($this->_name==$itemName)
+				return true;
+			foreach($this->_auth->getItemChildren($this->_name) as $item)
+			{
+				if($item->checkAccess($itemName,$params))
+					return true;
+			}
+		}
+		return false;
+	}
+
+	/**
+	 * @return IAuthManager the authorization manager
+	 */
+	public function getAuthManager()
+	{
+		return $this->_auth;
+	}
+
+	/**
+	 * @return integer the authorization item type. This could be 0 (operation), 1 (task) or 2 (role).
+	 */
+	public function getType()
+	{
+		return $this->_type;
+	}
+
+	/**
+	 * @return string the item name
+	 */
+	public function getName()
+	{
+		return $this->_name;
+	}
+
+	/**
+	 * @param string $value the item name
+	 */
+	public function setName($value)
+	{
+		if($this->_name!==$value)
+		{
+			$oldName=$this->_name;
+			$this->_name=$value;
+			$this->_auth->saveAuthItem($this,$oldName);
+		}
+	}
+
+	/**
+	 * @return string the item description
+	 */
+	public function getDescription()
+	{
+		return $this->_description;
+	}
+
+	/**
+	 * @param string $value the item description
+	 */
+	public function setDescription($value)
+	{
+		if($this->_description!==$value)
+		{
+			$this->_description=$value;
+			$this->_auth->saveAuthItem($this);
+		}
+	}
+
+	/**
+	 * @return string the business rule associated with this item
+	 */
+	public function getBizRule()
+	{
+		return $this->_bizRule;
+	}
+
+	/**
+	 * @param string $value the business rule associated with this item
+	 */
+	public function setBizRule($value)
+	{
+		if($this->_bizRule!==$value)
+		{
+			$this->_bizRule=$value;
+			$this->_auth->saveAuthItem($this);
+		}
+	}
+
+	/**
+	 * @return mixed the additional data associated with this item
+	 */
+	public function getData()
+	{
+		return $this->_data;
+	}
+
+	/**
+	 * @param mixed $value the additional data associated with this item
+	 */
+	public function setData($value)
+	{
+		if($this->_data!==$value)
+		{
+			$this->_data=$value;
+			$this->_auth->saveAuthItem($this);
+		}
+	}
+
+	/**
+	 * Adds a child item.
+	 * @param string $name the name of the child item
+	 * @return boolean whether the item is added successfully
+	 * @throws CException if either parent or child doesn't exist or if a loop has been detected.
+	 * @see IAuthManager::addItemChild
+	 */
+	public function addChild($name)
+	{
+		return $this->_auth->addItemChild($this->_name,$name);
+	}
+
+	/**
+	 * Removes a child item.
+	 * Note, the child item is not deleted. Only the parent-child relationship is removed.
+	 * @param string $name the child item name
+	 * @return boolean whether the removal is successful
+	 * @see IAuthManager::removeItemChild
+	 */
+	public function removeChild($name)
+	{
+		return $this->_auth->removeItemChild($this->_name,$name);
+	}
+
+	/**
+	 * Returns a value indicating whether a child exists
+	 * @param string $name the child item name
+	 * @return boolean whether the child exists
+	 * @see IAuthManager::hasItemChild
+	 */
+	public function hasChild($name)
+	{
+		return $this->_auth->hasItemChild($this->_name,$name);
+	}
+
+	/**
+	 * Returns the children of this item.
+	 * @return array all child items of this item.
+	 * @see IAuthManager::getItemChildren
+	 */
+	public function getChildren()
+	{
+		return $this->_auth->getItemChildren($this->_name);
+	}
+
+	/**
+	 * Assigns this item to a user.
+	 * @param mixed $userId the user ID (see {@link IWebUser::getId})
+	 * @param string $bizRule the business rule to be executed when {@link checkAccess} is called
+	 * for this particular authorization item.
+	 * @param mixed $data additional data associated with this assignment
+	 * @return CAuthAssignment the authorization assignment information.
+	 * @throws CException if the item has already been assigned to the user
+	 * @see IAuthManager::assign
+	 */
+	public function assign($userId,$bizRule=null,$data=null)
+	{
+		return $this->_auth->assign($this->_name,$userId,$bizRule,$data);
+	}
+
+	/**
+	 * Revokes an authorization assignment from a user.
+	 * @param mixed $userId the user ID (see {@link IWebUser::getId})
+	 * @return boolean whether removal is successful
+	 * @see IAuthManager::revoke
+	 */
+	public function revoke($userId)
+	{
+		$this->_auth->revoke($this->_name,$userId);
+	}
+
+	/**
+	 * Returns a value indicating whether this item has been assigned to the user.
+	 * @param mixed $userId the user ID (see {@link IWebUser::getId})
+	 * @return boolean whether the item has been assigned to the user.
+	 * @see IAuthManager::isAssigned
+	 */
+	public function isAssigned($userId)
+	{
+		return $this->_auth->isAssigned($this->_name,$userId);
+	}
+
+	/**
+	 * Returns the item assignment information.
+	 * @param mixed $userId the user ID (see {@link IWebUser::getId})
+	 * @return CAuthAssignment the item assignment information. Null is returned if
+	 * this item is not assigned to the user.
+	 * @see IAuthManager::getAuthAssignment
+	 */
+	public function getAssignment($userId)
+	{
+		return $this->_auth->getAuthAssignment($this->_name,$userId);
+	}
+}
diff --git a/framework/web/auth/CAuthManager.php b/framework/web/auth/CAuthManager.php
new file mode 100644
index 0000000..2756afb
--- /dev/null
+++ b/framework/web/auth/CAuthManager.php
@@ -0,0 +1,166 @@
+<?php
+/**
+ * CAuthManager class file.
+ *
+ * @author Qiang Xue <qiang.xue@gmail.com>
+ * @link http://www.yiiframework.com/
+ * @copyright Copyright &copy; 2008-2011 Yii Software LLC
+ * @license http://www.yiiframework.com/license/
+ */
+
+/**
+ * CAuthManager is the base class for authorization manager classes.
+ *
+ * CAuthManager extends {@link CApplicationComponent} and implements some methods
+ * that are common among authorization manager classes.
+ *
+ * CAuthManager together with its concrete child classes implement the Role-Based
+ * Access Control (RBAC).
+ *
+ * The main idea is that permissions are organized as a hierarchy of
+ * {@link CAuthItem authorization items}. Items on higer level inherit the permissions
+ * represented by items on lower level. And roles are simply top-level authorization items
+ * that may be assigned to individual users. A user is said to have a permission
+ * to do something if the corresponding authorization item is inherited by one of his roles.
+ *
+ * Using authorization manager consists of two aspects. First, the authorization hierarchy
+ * and assignments have to be established. CAuthManager and its child classes
+ * provides APIs to accomplish this task. Developers may need to develop some GUI
+ * so that it is more intuitive to end-users. Second, developers call {@link IAuthManager::checkAccess}
+ * at appropriate places in the application code to check if the current user
+ * has the needed permission for an operation.
+ *
+ * @property array $roles Roles (name=>CAuthItem).
+ * @property array $tasks Tasks (name=>CAuthItem).
+ * @property array $operations Operations (name=>CAuthItem).
+ *
+ * @author Qiang Xue <qiang.xue@gmail.com>
+ * @version $Id: CAuthManager.php 3515 2011-12-28 12:29:24Z mdomba $
+ * @package system.web.auth
+ * @since 1.0
+ */
+abstract class CAuthManager extends CApplicationComponent implements IAuthManager
+{
+	/**
+	 * @var boolean Enable error reporting for bizRules.	 
+	 * @since 1.1.3
+	 */
+	public $showErrors = false;
+
+	/**
+	 * @var array list of role names that are assigned to all users implicitly.
+	 * These roles do not need to be explicitly assigned to any user.
+	 * When calling {@link checkAccess}, these roles will be checked first.
+	 * For performance reason, you should minimize the number of such roles.
+	 * A typical usage of such roles is to define an 'authenticated' role and associate
+	 * it with a biz rule which checks if the current user is authenticated.
+	 * And then declare 'authenticated' in this property so that it can be applied to
+	 * every authenticated user.
+	 */
+	public $defaultRoles=array();
+
+	/**
+	 * Creates a role.
+	 * This is a shortcut method to {@link IAuthManager::createAuthItem}.
+	 * @param string $name the item name
+	 * @param string $description the item description.
+	 * @param string $bizRule the business rule associated with this item
+	 * @param mixed $data additional data to be passed when evaluating the business rule
+	 * @return CAuthItem the authorization item
+	 */
+	public function createRole($name,$description='',$bizRule=null,$data=null)
+	{
+		return $this->createAuthItem($name,CAuthItem::TYPE_ROLE,$description,$bizRule,$data);
+	}
+
+	/**
+	 * Creates a task.
+	 * This is a shortcut method to {@link IAuthManager::createAuthItem}.
+	 * @param string $name the item name
+	 * @param string $description the item description.
+	 * @param string $bizRule the business rule associated with this item
+	 * @param mixed $data additional data to be passed when evaluating the business rule
+	 * @return CAuthItem the authorization item
+	 */
+	public function createTask($name,$description='',$bizRule=null,$data=null)
+	{
+		return $this->createAuthItem($name,CAuthItem::TYPE_TASK,$description,$bizRule,$data);
+	}
+
+	/**
+	 * Creates an operation.
+	 * This is a shortcut method to {@link IAuthManager::createAuthItem}.
+	 * @param string $name the item name
+	 * @param string $description the item description.
+	 * @param string $bizRule the business rule associated with this item
+	 * @param mixed $data additional data to be passed when evaluating the business rule
+	 * @return CAuthItem the authorization item
+	 */
+	public function createOperation($name,$description='',$bizRule=null,$data=null)
+	{
+		return $this->createAuthItem($name,CAuthItem::TYPE_OPERATION,$description,$bizRule,$data);
+	}
+
+	/**
+	 * Returns roles.
+	 * This is a shortcut method to {@link IAuthManager::getAuthItems}.
+	 * @param mixed $userId the user ID. If not null, only the roles directly assigned to the user
+	 * will be returned. Otherwise, all roles will be returned.
+	 * @return array roles (name=>CAuthItem)
+	 */
+	public function getRoles($userId=null)
+	{
+		return $this->getAuthItems(CAuthItem::TYPE_ROLE,$userId);
+	}
+
+	/**
+	 * Returns tasks.
+	 * This is a shortcut method to {@link IAuthManager::getAuthItems}.
+	 * @param mixed $userId the user ID. If not null, only the tasks directly assigned to the user
+	 * will be returned. Otherwise, all tasks will be returned.
+	 * @return array tasks (name=>CAuthItem)
+	 */
+	public function getTasks($userId=null)
+	{
+		return $this->getAuthItems(CAuthItem::TYPE_TASK,$userId);
+	}
+
+	/**
+	 * Returns operations.
+	 * This is a shortcut method to {@link IAuthManager::getAuthItems}.
+	 * @param mixed $userId the user ID. If not null, only the operations directly assigned to the user
+	 * will be returned. Otherwise, all operations will be returned.
+	 * @return array operations (name=>CAuthItem)
+	 */
+	public function getOperations($userId=null)
+	{
+		return $this->getAuthItems(CAuthItem::TYPE_OPERATION,$userId);
+	}
+
+	/**
+	 * Executes the specified business rule.
+	 * @param string $bizRule the business rule to be executed.
+	 * @param array $params parameters passed to {@link IAuthManager::checkAccess}.
+	 * @param mixed $data additional data associated with the authorization item or assignment.
+	 * @return boolean whether the business rule returns true.
+	 * If the business rule is empty, it will still return true.
+	 */
+	public function executeBizRule($bizRule,$params,$data)
+	{
+		return $bizRule==='' || $bizRule===null || ($this->showErrors ? eval($bizRule)!=0 : @eval($bizRule)!=0);
+	}
+
+	/**
+	 * Checks the item types to make sure a child can be added to a parent.
+	 * @param integer $parentType parent item type
+	 * @param integer $childType child item type
+	 * @throws CException if the item cannot be added as a child due to its incompatible type.
+	 */
+	protected function checkItemChildType($parentType,$childType)
+	{
+		static $types=array('operation','task','role');
+		if($parentType < $childType)
+			throw new CException(Yii::t('yii','Cannot add an item of type "{child}" to an item of type "{parent}".',
+				array('{child}'=>$types[$childType], '{parent}'=>$types[$parentType])));
+	}
+}
diff --git a/framework/web/auth/CBaseUserIdentity.php b/framework/web/auth/CBaseUserIdentity.php
new file mode 100644
index 0000000..c2bf4e3
--- /dev/null
+++ b/framework/web/auth/CBaseUserIdentity.php
@@ -0,0 +1,132 @@
+<?php
+/**
+ * CBaseUserIdentity class file
+ *
+ * @author Qiang Xue <qiang.xue@gmail.com>
+ * @link http://www.yiiframework.com/
+ * @copyright Copyright &copy; 2008-2011 Yii Software LLC
+ * @license http://www.yiiframework.com/license/
+ */
+
+/**
+ * CBaseUserIdentity is a base class implementing {@link IUserIdentity}.
+ *
+ * CBaseUserIdentity implements the scheme for representing identity
+ * information that needs to be persisted. It also provides the way
+ * to represent the authentication errors.
+ *
+ * Derived classes should implement {@link IUserIdentity::authenticate}
+ * and {@link IUserIdentity::getId} that are required by the {@link IUserIdentity}
+ * interface.
+ *
+ * @property mixed $id A value that uniquely represents the identity (e.g. primary key value).
+ * The default implementation simply returns {@link name}.
+ * @property string $name The display name for the identity.
+ * The default implementation simply returns empty string.
+ * @property array $persistentStates The identity states that should be persisted.
+ * @property whether $isAuthenticated The authentication is successful.
+ *
+ * @author Qiang Xue <qiang.xue@gmail.com>
+ * @version $Id: CBaseUserIdentity.php 3515 2011-12-28 12:29:24Z mdomba $
+ * @package system.web.auth
+ * @since 1.0
+ */
+abstract class CBaseUserIdentity extends CComponent implements IUserIdentity
+{
+	const ERROR_NONE=0;
+	const ERROR_USERNAME_INVALID=1;
+	const ERROR_PASSWORD_INVALID=2;
+	const ERROR_UNKNOWN_IDENTITY=100;
+
+	/**
+	 * @var integer the authentication error code. If there is an error, the error code will be non-zero.
+	 * Defaults to 100, meaning unknown identity. Calling {@link authenticate} will change this value.
+	 */
+	public $errorCode=self::ERROR_UNKNOWN_IDENTITY;
+	/**
+	 * @var string the authentication error message. Defaults to empty.
+	 */
+	public $errorMessage='';
+
+	private $_state=array();
+
+	/**
+	 * Returns a value that uniquely represents the identity.
+	 * @return mixed a value that uniquely represents the identity (e.g. primary key value).
+	 * The default implementation simply returns {@link name}.
+	 */
+	public function getId()
+	{
+		return $this->getName();
+	}
+
+	/**
+	 * Returns the display name for the identity (e.g. username).
+	 * @return string the display name for the identity.
+	 * The default implementation simply returns empty string.
+	 */
+	public function getName()
+	{
+		return '';
+	}
+
+	/**
+	 * Returns the identity states that should be persisted.
+	 * This method is required by {@link IUserIdentity}.
+	 * @return array the identity states that should be persisted.
+	 */
+	public function getPersistentStates()
+	{
+		return $this->_state;
+	}
+
+	/**
+	 * Sets an array of presistent states.
+	 *
+	 * @param array $states the identity states that should be persisted.
+	 */
+	public function setPersistentStates($states)
+	{
+		$this->_state = $states;
+	}
+
+	/**
+	 * Returns a value indicating whether the identity is authenticated.
+	 * This method is required by {@link IUserIdentity}.
+	 * @return whether the authentication is successful.
+	 */
+	public function getIsAuthenticated()
+	{
+		return $this->errorCode==self::ERROR_NONE;
+	}
+
+	/**
+	 * Gets the persisted state by the specified name.
+	 * @param string $name the name of the state
+	 * @param mixed $defaultValue the default value to be returned if the named state does not exist
+	 * @return mixed the value of the named state
+	 */
+	public function getState($name,$defaultValue=null)
+	{
+		return isset($this->_state[$name])?$this->_state[$name]:$defaultValue;
+	}
+
+	/**
+	 * Sets the named state with a given value.
+	 * @param string $name the name of the state
+	 * @param mixed $value the value of the named state
+	 */
+	public function setState($name,$value)
+	{
+		$this->_state[$name]=$value;
+	}
+
+	/**
+	 * Removes the specified state.
+	 * @param string $name the name of the state
+	 */
+	public function clearState($name)
+	{
+		unset($this->_state[$name]);
+	}
+}
diff --git a/framework/web/auth/CDbAuthManager.php b/framework/web/auth/CDbAuthManager.php
new file mode 100644
index 0000000..5172fcf
--- /dev/null
+++ b/framework/web/auth/CDbAuthManager.php
@@ -0,0 +1,600 @@
+<?php
+/**
+ * CDbAuthManager class file.
+ *
+ * @author Qiang Xue <qiang.xue@gmail.com>
+ * @link http://www.yiiframework.com/
+ * @copyright Copyright &copy; 2008-2011 Yii Software LLC
+ * @license http://www.yiiframework.com/license/
+ */
+
+/**
+ * CDbAuthManager represents an authorization manager that stores authorization information in database.
+ *
+ * The database connection is specified by {@link connectionID}. And the database schema
+ * should be as described in "framework/web/auth/*.sql". You may change the names of
+ * the three tables used to store the authorization data by setting {@link itemTable},
+ * {@link itemChildTable} and {@link assignmentTable}.
+ *
+ * @property array $authItems The authorization items of the specific type.
+ *
+ * @author Qiang Xue <qiang.xue@gmail.com>
+ * @version $Id: CDbAuthManager.php 3515 2011-12-28 12:29:24Z mdomba $
+ * @package system.web.auth
+ * @since 1.0
+ */
+class CDbAuthManager extends CAuthManager
+{
+	/**
+	 * @var string the ID of the {@link CDbConnection} application component. Defaults to 'db'.
+	 * The database must have the tables as declared in "framework/web/auth/*.sql".
+	 */
+	public $connectionID='db';
+	/**
+	 * @var string the name of the table storing authorization items. Defaults to 'AuthItem'.
+	 */
+	public $itemTable='AuthItem';
+	/**
+	 * @var string the name of the table storing authorization item hierarchy. Defaults to 'AuthItemChild'.
+	 */
+	public $itemChildTable='AuthItemChild';
+	/**
+	 * @var string the name of the table storing authorization item assignments. Defaults to 'AuthAssignment'.
+	 */
+	public $assignmentTable='AuthAssignment';
+	/**
+	 * @var CDbConnection the database connection. By default, this is initialized
+	 * automatically as the application component whose ID is indicated as {@link connectionID}.
+	 */
+	public $db;
+
+	private $_usingSqlite;
+
+	/**
+	 * Initializes the application component.
+	 * This method overrides the parent implementation by establishing the database connection.
+	 */
+	public function init()
+	{
+		parent::init();
+		$this->_usingSqlite=!strncmp($this->getDbConnection()->getDriverName(),'sqlite',6);
+	}
+
+	/**
+	 * Performs access check for the specified user.
+	 * @param string $itemName the name of the operation that need access check
+	 * @param mixed $userId the user ID. This should can be either an integer and a string representing
+	 * the unique identifier of a user. See {@link IWebUser::getId}.
+	 * @param array $params name-value pairs that would be passed to biz rules associated
+	 * with the tasks and roles assigned to the user.
+	 * @return boolean whether the operations can be performed by the user.
+	 */
+	public function checkAccess($itemName,$userId,$params=array())
+	{
+		$assignments=$this->getAuthAssignments($userId);
+		return $this->checkAccessRecursive($itemName,$userId,$params,$assignments);
+	}
+
+	/**
+	 * Performs access check for the specified user.
+	 * This method is internally called by {@link checkAccess}.
+	 * @param string $itemName the name of the operation that need access check
+	 * @param mixed $userId the user ID. This should can be either an integer and a string representing
+	 * the unique identifier of a user. See {@link IWebUser::getId}.
+	 * @param array $params name-value pairs that would be passed to biz rules associated
+	 * with the tasks and roles assigned to the user.
+	 * @param array $assignments the assignments to the specified user
+	 * @return boolean whether the operations can be performed by the user.
+	 * @since 1.1.3
+	 */
+	protected function checkAccessRecursive($itemName,$userId,$params,$assignments)
+	{
+		if(($item=$this->getAuthItem($itemName))===null)
+			return false;
+		Yii::trace('Checking permission "'.$item->getName().'"','system.web.auth.CDbAuthManager');
+		if($this->executeBizRule($item->getBizRule(),$params,$item->getData()))
+		{
+			if(in_array($itemName,$this->defaultRoles))
+				return true;
+			if(isset($assignments[$itemName]))
+			{
+				$assignment=$assignments[$itemName];
+				if($this->executeBizRule($assignment->getBizRule(),$params,$assignment->getData()))
+					return true;
+			}
+			$parents=$this->db->createCommand()
+				->select('parent')
+				->from($this->itemChildTable)
+				->where('child=:name', array(':name'=>$itemName))
+				->queryColumn();
+			foreach($parents as $parent)
+			{
+				if($this->checkAccessRecursive($parent,$userId,$params,$assignments))
+					return true;
+			}
+		}
+		return false;
+	}
+
+	/**
+	 * Adds an item as a child of another item.
+	 * @param string $itemName the parent item name
+	 * @param string $childName the child item name
+	 * @return boolean whether the item is added successfully
+	 * @throws CException if either parent or child doesn't exist or if a loop has been detected.
+	 */
+	public function addItemChild($itemName,$childName)
+	{
+		if($itemName===$childName)
+			throw new CException(Yii::t('yii','Cannot add "{name}" as a child of itself.',
+					array('{name}'=>$itemName)));
+
+		$rows=$this->db->createCommand()
+			->select()
+			->from($this->itemTable)
+			->where('name=:name1 OR name=:name2', array(
+				':name1'=>$itemName,
+				':name2'=>$childName
+			))
+			->queryAll();
+
+		if(count($rows)==2)
+		{
+			if($rows[0]['name']===$itemName)
+			{
+				$parentType=$rows[0]['type'];
+				$childType=$rows[1]['type'];
+			}
+			else
+			{
+				$childType=$rows[0]['type'];
+				$parentType=$rows[1]['type'];
+			}
+			$this->checkItemChildType($parentType,$childType);
+			if($this->detectLoop($itemName,$childName))
+				throw new CException(Yii::t('yii','Cannot add "{child}" as a child of "{name}". A loop has been detected.',
+					array('{child}'=>$childName,'{name}'=>$itemName)));
+
+			$this->db->createCommand()
+				->insert($this->itemChildTable, array(
+					'parent'=>$itemName,
+					'child'=>$childName,
+				));
+
+			return true;
+		}
+		else
+			throw new CException(Yii::t('yii','Either "{parent}" or "{child}" does not exist.',array('{child}'=>$childName,'{parent}'=>$itemName)));
+	}
+
+	/**
+	 * Removes a child from its parent.
+	 * Note, the child item is not deleted. Only the parent-child relationship is removed.
+	 * @param string $itemName the parent item name
+	 * @param string $childName the child item name
+	 * @return boolean whether the removal is successful
+	 */
+	public function removeItemChild($itemName,$childName)
+	{
+		return $this->db->createCommand()
+			->delete($this->itemChildTable, 'parent=:parent AND child=:child', array(
+				':parent'=>$itemName,
+				':child'=>$childName
+			)) > 0;
+	}
+
+	/**
+	 * Returns a value indicating whether a child exists within a parent.
+	 * @param string $itemName the parent item name
+	 * @param string $childName the child item name
+	 * @return boolean whether the child exists
+	 */
+	public function hasItemChild($itemName,$childName)
+	{
+		return $this->db->createCommand()
+			->select('parent')
+			->from($this->itemChildTable)
+			->where('parent=:parent AND child=:child', array(
+				':parent'=>$itemName,
+				':child'=>$childName))
+			->queryScalar() !== false;
+	}
+
+	/**
+	 * Returns the children of the specified item.
+	 * @param mixed $names the parent item name. This can be either a string or an array.
+	 * The latter represents a list of item names.
+	 * @return array all child items of the parent
+	 */
+	public function getItemChildren($names)
+	{
+		if(is_string($names))
+			$condition='parent='.$this->db->quoteValue($names);
+		else if(is_array($names) && $names!==array())
+		{
+			foreach($names as &$name)
+				$name=$this->db->quoteValue($name);
+			$condition='parent IN ('.implode(', ',$names).')';
+		}
+
+		$rows=$this->db->createCommand()
+			->select('name, type, description, bizrule, data')
+			->from(array(
+				$this->itemTable,
+				$this->itemChildTable
+			))
+			->where($condition.' AND name=child')
+			->queryAll();
+
+		$children=array();
+		foreach($rows as $row)
+		{
+			if(($data=@unserialize($row['data']))===false)
+				$data=null;
+			$children[$row['name']]=new CAuthItem($this,$row['name'],$row['type'],$row['description'],$row['bizrule'],$data);
+		}
+		return $children;
+	}
+
+	/**
+	 * Assigns an authorization item to a user.
+	 * @param string $itemName the item name
+	 * @param mixed $userId the user ID (see {@link IWebUser::getId})
+	 * @param string $bizRule the business rule to be executed when {@link checkAccess} is called
+	 * for this particular authorization item.
+	 * @param mixed $data additional data associated with this assignment
+	 * @return CAuthAssignment the authorization assignment information.
+	 * @throws CException if the item does not exist or if the item has already been assigned to the user
+	 */
+	public function assign($itemName,$userId,$bizRule=null,$data=null)
+	{
+		if($this->usingSqlite() && $this->getAuthItem($itemName)===null)
+			throw new CException(Yii::t('yii','The item "{name}" does not exist.',array('{name}'=>$itemName)));
+
+		$this->db->createCommand()
+			->insert($this->assignmentTable, array(
+				'itemname'=>$itemName,
+				'userid'=>$userId,
+				'bizrule'=>$bizRule,
+				'data'=>serialize($data)
+			));
+		return new CAuthAssignment($this,$itemName,$userId,$bizRule,$data);
+	}
+
+	/**
+	 * Revokes an authorization assignment from a user.
+	 * @param string $itemName the item name
+	 * @param mixed $userId the user ID (see {@link IWebUser::getId})
+	 * @return boolean whether removal is successful
+	 */
+	public function revoke($itemName,$userId)
+	{
+		return $this->db->createCommand()
+			->delete($this->assignmentTable, 'itemname=:itemname AND userid=:userid', array(
+				':itemname'=>$itemName,
+				':userid'=>$userId
+			)) > 0;
+	}
+
+	/**
+	 * Returns a value indicating whether the item has been assigned to the user.
+	 * @param string $itemName the item name
+	 * @param mixed $userId the user ID (see {@link IWebUser::getId})
+	 * @return boolean whether the item has been assigned to the user.
+	 */
+	public function isAssigned($itemName,$userId)
+	{
+		return $this->db->createCommand()
+			->select('itemname')
+			->from($this->assignmentTable)
+			->where('itemname=:itemname AND userid=:userid', array(
+				':itemname'=>$itemName,
+				':userid'=>$userId))
+			->queryScalar() !== false;
+	}
+
+	/**
+	 * Returns the item assignment information.
+	 * @param string $itemName the item name
+	 * @param mixed $userId the user ID (see {@link IWebUser::getId})
+	 * @return CAuthAssignment the item assignment information. Null is returned if
+	 * the item is not assigned to the user.
+	 */
+	public function getAuthAssignment($itemName,$userId)
+	{
+		$row=$this->db->createCommand()
+			->select()
+			->from($this->assignmentTable)
+			->where('itemname=:itemname AND userid=:userid', array(
+				':itemname'=>$itemName,
+				':userid'=>$userId))
+			->queryRow();
+		if($row!==false)
+		{
+			if(($data=@unserialize($row['data']))===false)
+				$data=null;
+			return new CAuthAssignment($this,$row['itemname'],$row['userid'],$row['bizrule'],$data);
+		}
+		else
+			return null;
+	}
+
+	/**
+	 * Returns the item assignments for the specified user.
+	 * @param mixed $userId the user ID (see {@link IWebUser::getId})
+	 * @return array the item assignment information for the user. An empty array will be
+	 * returned if there is no item assigned to the user.
+	 */
+	public function getAuthAssignments($userId)
+	{
+		$rows=$this->db->createCommand()
+			->select()
+			->from($this->assignmentTable)
+			->where('userid=:userid', array(':userid'=>$userId))
+			->queryAll();
+		$assignments=array();
+		foreach($rows as $row)
+		{
+			if(($data=@unserialize($row['data']))===false)
+				$data=null;
+			$assignments[$row['itemname']]=new CAuthAssignment($this,$row['itemname'],$row['userid'],$row['bizrule'],$data);
+		}
+		return $assignments;
+	}
+
+	/**
+	 * Saves the changes to an authorization assignment.
+	 * @param CAuthAssignment $assignment the assignment that has been changed.
+	 */
+	public function saveAuthAssignment($assignment)
+	{
+		$this->db->createCommand()
+			->update($this->assignmentTable, array(
+				'bizrule'=>$assignment->getBizRule(),
+				'data'=>serialize($assignment->getData()),
+			), 'itemname=:itemname AND userid=:userid', array(
+				'itemname'=>$assignment->getItemName(),
+				'userid'=>$assignment->getUserId()
+			));
+	}
+
+	/**
+	 * Returns the authorization items of the specific type and user.
+	 * @param integer $type the item type (0: operation, 1: task, 2: role). Defaults to null,
+	 * meaning returning all items regardless of their type.
+	 * @param mixed $userId the user ID. Defaults to null, meaning returning all items even if
+	 * they are not assigned to a user.
+	 * @return array the authorization items of the specific type.
+	 */
+	public function getAuthItems($type=null,$userId=null)
+	{
+		if($type===null && $userId===null)
+		{
+			$command=$this->db->createCommand()
+				->select()
+				->from($this->itemTable);
+		}
+		else if($userId===null)
+		{
+			$command=$this->db->createCommand()
+				->select()
+				->from($this->itemTable)
+				->where('type=:type', array(':type'=>$type));
+		}
+		else if($type===null)
+		{
+			$command=$this->db->createCommand()
+				->select('name,type,description,t1.bizrule,t1.data')
+				->from(array(
+					$this->itemTable.' t1',
+					$this->assignmentTable.' t2'
+				))
+				->where('name=itemname AND userid=:userid', array(':userid'=>$userId));
+		}
+		else
+		{
+			$command=$this->db->createCommand()
+				->select('name,type,description,t1.bizrule,t1.data')
+				->from(array(
+					$this->itemTable.' t1',
+					$this->assignmentTable.' t2'
+				))
+				->where('name=itemname AND type=:type AND userid=:userid', array(
+					':type'=>$type,
+					':userid'=>$userId
+				));
+		}
+		$items=array();
+		foreach($command->queryAll() as $row)
+		{
+			if(($data=@unserialize($row['data']))===false)
+				$data=null;
+			$items[$row['name']]=new CAuthItem($this,$row['name'],$row['type'],$row['description'],$row['bizrule'],$data);
+		}
+		return $items;
+	}
+
+	/**
+	 * Creates an authorization item.
+	 * An authorization item represents an action permission (e.g. creating a post).
+	 * It has three types: operation, task and role.
+	 * Authorization items form a hierarchy. Higher level items inheirt permissions representing
+	 * by lower level items.
+	 * @param string $name the item name. This must be a unique identifier.
+	 * @param integer $type the item type (0: operation, 1: task, 2: role).
+	 * @param string $description description of the item
+	 * @param string $bizRule business rule associated with the item. This is a piece of
+	 * PHP code that will be executed when {@link checkAccess} is called for the item.
+	 * @param mixed $data additional data associated with the item.
+	 * @return CAuthItem the authorization item
+	 * @throws CException if an item with the same name already exists
+	 */
+	public function createAuthItem($name,$type,$description='',$bizRule=null,$data=null)
+	{
+		$this->db->createCommand()
+			->insert($this->itemTable, array(
+				'name'=>$name,
+				'type'=>$type,
+				'description'=>$description,
+				'bizrule'=>$bizRule,
+				'data'=>serialize($data)
+			));
+		return new CAuthItem($this,$name,$type,$description,$bizRule,$data);
+	}
+
+	/**
+	 * Removes the specified authorization item.
+	 * @param string $name the name of the item to be removed
+	 * @return boolean whether the item exists in the storage and has been removed
+	 */
+	public function removeAuthItem($name)
+	{
+		if($this->usingSqlite())
+		{
+			$this->db->createCommand()
+				->delete($this->itemChildTable, 'parent=:name1 OR child=:name2', array(
+					':name1'=>$name,
+					':name2'=>$name
+			));
+			$this->db->createCommand()
+				->delete($this->assignmentTable, 'itemname=:name', array(
+					':name'=>$name,
+			));
+		}
+
+		return $this->db->createCommand()
+			->delete($this->itemTable, 'name=:name', array(
+				':name'=>$name
+			)) > 0;
+	}
+
+	/**
+	 * Returns the authorization item with the specified name.
+	 * @param string $name the name of the item
+	 * @return CAuthItem the authorization item. Null if the item cannot be found.
+	 */
+	public function getAuthItem($name)
+	{
+		$row=$this->db->createCommand()
+			->select()
+			->from($this->itemTable)
+			->where('name=:name', array(':name'=>$name))
+			->queryRow();
+
+		if($row!==false)
+		{
+			if(($data=@unserialize($row['data']))===false)
+				$data=null;
+			return new CAuthItem($this,$row['name'],$row['type'],$row['description'],$row['bizrule'],$data);
+		}
+		else
+			return null;
+	}
+
+	/**
+	 * Saves an authorization item to persistent storage.
+	 * @param CAuthItem $item the item to be saved.
+	 * @param string $oldName the old item name. If null, it means the item name is not changed.
+	 */
+	public function saveAuthItem($item,$oldName=null)
+	{
+		if($this->usingSqlite() && $oldName!==null && $item->getName()!==$oldName)
+		{
+			$this->db->createCommand()
+				->update($this->itemChildTable, array(
+					'parent'=>$item->getName(),
+				), 'parent=:whereName', array(
+					':whereName'=>$oldName,
+				));
+			$this->db->createCommand()
+				->update($this->itemChildTable, array(
+					'child'=>$item->getName(),
+				), 'child=:whereName', array(
+					':whereName'=>$oldName,
+				));
+			$this->db->createCommand()
+				->update($this->assignmentTable, array(
+					'itemname'=>$item->getName(),
+				), 'itemname=:whereName', array(
+					':whereName'=>$oldName,
+				));
+		}
+
+		$this->db->createCommand()
+			->update($this->itemTable, array(
+				'name'=>$item->getName(),
+				'type'=>$item->getType(),
+				'description'=>$item->getDescription(),
+				'bizrule'=>$item->getBizRule(),
+				'data'=>serialize($item->getData()),
+			), 'name=:whereName', array(
+				':whereName'=>$oldName===null?$item->getName():$oldName,
+			));
+	}
+
+	/**
+	 * Saves the authorization data to persistent storage.
+	 */
+	public function save()
+	{
+	}
+
+	/**
+	 * Removes all authorization data.
+	 */
+	public function clearAll()
+	{
+		$this->clearAuthAssignments();
+		$this->db->createCommand()->delete($this->itemChildTable);
+		$this->db->createCommand()->delete($this->itemTable);
+	}
+
+	/**
+	 * Removes all authorization assignments.
+	 */
+	public function clearAuthAssignments()
+	{
+		$this->db->createCommand()->delete($this->assignmentTable);
+	}
+
+	/**
+	 * Checks whether there is a loop in the authorization item hierarchy.
+	 * @param string $itemName parent item name
+	 * @param string $childName the name of the child item that is to be added to the hierarchy
+	 * @return boolean whether a loop exists
+	 */
+	protected function detectLoop($itemName,$childName)
+	{
+		if($childName===$itemName)
+			return true;
+		foreach($this->getItemChildren($childName) as $child)
+		{
+			if($this->detectLoop($itemName,$child->getName()))
+				return true;
+		}
+		return false;
+	}
+
+	/**
+	 * @return CDbConnection the DB connection instance
+	 * @throws CException if {@link connectionID} does not point to a valid application component.
+	 */
+	protected function getDbConnection()
+	{
+		if($this->db!==null)
+			return $this->db;
+		else if(($this->db=Yii::app()->getComponent($this->connectionID)) instanceof CDbConnection)
+			return $this->db;
+		else
+			throw new CException(Yii::t('yii','CDbAuthManager.connectionID "{id}" is invalid. Please make sure it refers to the ID of a CDbConnection application component.',
+				array('{id}'=>$this->connectionID)));
+	}
+
+	/**
+	 * @return boolean whether the database is a SQLite database
+	 */
+	protected function usingSqlite()
+	{
+		return $this->_usingSqlite;
+	}
+}
diff --git a/framework/web/auth/CPhpAuthManager.php b/framework/web/auth/CPhpAuthManager.php
new file mode 100644
index 0000000..4a62c67
--- /dev/null
+++ b/framework/web/auth/CPhpAuthManager.php
@@ -0,0 +1,504 @@
+<?php
+/**
+ * CPhpAuthManager class file.
+ *
+ * @author Qiang Xue <qiang.xue@gmail.com>
+ * @link http://www.yiiframework.com/
+ * @copyright Copyright &copy; 2008-2011 Yii Software LLC
+ * @license http://www.yiiframework.com/license/
+ */
+
+/**
+ * CPhpAuthManager represents an authorization manager that stores authorization information in terms of a PHP script file.
+ *
+ * The authorization data will be saved to and loaded from a file
+ * specified by {@link authFile}, which defaults to 'protected/data/auth.php'.
+ *
+ * CPhpAuthManager is mainly suitable for authorization data that is not too big
+ * (for example, the authorization data for a personal blog system).
+ * Use {@link CDbAuthManager} for more complex authorization data.
+ *
+ * @property array $authItems The authorization items of the specific type.
+ *
+ * @author Qiang Xue <qiang.xue@gmail.com>
+ * @version $Id: CPhpAuthManager.php 3515 2011-12-28 12:29:24Z mdomba $
+ * @package system.web.auth
+ * @since 1.0
+ */
+class CPhpAuthManager extends CAuthManager
+{
+	/**
+	 * @var string the path of the PHP script that contains the authorization data.
+	 * If not set, it will be using 'protected/data/auth.php' as the data file.
+	 * Make sure this file is writable by the Web server process if the authorization
+	 * needs to be changed.
+	 * @see loadFromFile
+	 * @see saveToFile
+	 */
+	public $authFile;
+
+	private $_items=array();			// itemName => item
+	private $_children=array();			// itemName, childName => child
+	private $_assignments=array();		// userId, itemName => assignment
+
+	/**
+	 * Initializes the application component.
+	 * This method overrides parent implementation by loading the authorization data
+	 * from PHP script.
+	 */
+	public function init()
+	{
+		parent::init();
+		if($this->authFile===null)
+			$this->authFile=Yii::getPathOfAlias('application.data.auth').'.php';
+		$this->load();
+	}
+
+	/**
+	 * Performs access check for the specified user.
+	 * @param string $itemName the name of the operation that need access check
+	 * @param mixed $userId the user ID. This should can be either an integer and a string representing
+	 * the unique identifier of a user. See {@link IWebUser::getId}.
+	 * @param array $params name-value pairs that would be passed to biz rules associated
+	 * with the tasks and roles assigned to the user.
+	 * @return boolean whether the operations can be performed by the user.
+	 */
+	public function checkAccess($itemName,$userId,$params=array())
+	{
+		if(!isset($this->_items[$itemName]))
+			return false;
+		$item=$this->_items[$itemName];
+		Yii::trace('Checking permission "'.$item->getName().'"','system.web.auth.CPhpAuthManager');
+		if($this->executeBizRule($item->getBizRule(),$params,$item->getData()))
+		{
+			if(in_array($itemName,$this->defaultRoles))
+				return true;
+			if(isset($this->_assignments[$userId][$itemName]))
+			{
+				$assignment=$this->_assignments[$userId][$itemName];
+				if($this->executeBizRule($assignment->getBizRule(),$params,$assignment->getData()))
+					return true;
+			}
+			foreach($this->_children as $parentName=>$children)
+			{
+				if(isset($children[$itemName]) && $this->checkAccess($parentName,$userId,$params))
+					return true;
+			}
+		}
+		return false;
+	}
+
+	/**
+	 * Adds an item as a child of another item.
+	 * @param string $itemName the parent item name
+	 * @param string $childName the child item name
+	 * @return boolean whether the item is added successfully
+	 * @throws CException if either parent or child doesn't exist or if a loop has been detected.
+	 */
+	public function addItemChild($itemName,$childName)
+	{
+		if(!isset($this->_items[$childName],$this->_items[$itemName]))
+			throw new CException(Yii::t('yii','Either "{parent}" or "{child}" does not exist.',array('{child}'=>$childName,'{name}'=>$itemName)));
+		$child=$this->_items[$childName];
+		$item=$this->_items[$itemName];
+		$this->checkItemChildType($item->getType(),$child->getType());
+		if($this->detectLoop($itemName,$childName))
+			throw new CException(Yii::t('yii','Cannot add "{child}" as a child of "{parent}". A loop has been detected.',
+				array('{child}'=>$childName,'{parent}'=>$itemName)));
+		if(isset($this->_children[$itemName][$childName]))
+			throw new CException(Yii::t('yii','The item "{parent}" already has a child "{child}".',
+				array('{child}'=>$childName,'{parent}'=>$itemName)));
+		$this->_children[$itemName][$childName]=$this->_items[$childName];
+		return true;
+	}
+
+	/**
+	 * Removes a child from its parent.
+	 * Note, the child item is not deleted. Only the parent-child relationship is removed.
+	 * @param string $itemName the parent item name
+	 * @param string $childName the child item name
+	 * @return boolean whether the removal is successful
+	 */
+	public function removeItemChild($itemName,$childName)
+	{
+		if(isset($this->_children[$itemName][$childName]))
+		{
+			unset($this->_children[$itemName][$childName]);
+			return true;
+		}
+		else
+			return false;
+	}
+
+	/**
+	 * Returns a value indicating whether a child exists within a parent.
+	 * @param string $itemName the parent item name
+	 * @param string $childName the child item name
+	 * @return boolean whether the child exists
+	 */
+	public function hasItemChild($itemName,$childName)
+	{
+		return isset($this->_children[$itemName][$childName]);
+	}
+
+	/**
+	 * Returns the children of the specified item.
+	 * @param mixed $names the parent item name. This can be either a string or an array.
+	 * The latter represents a list of item names.
+	 * @return array all child items of the parent
+	 */
+	public function getItemChildren($names)
+	{
+		if(is_string($names))
+			return isset($this->_children[$names]) ? $this->_children[$names] : array();
+
+		$children=array();
+		foreach($names as $name)
+		{
+			if(isset($this->_children[$name]))
+				$children=array_merge($children,$this->_children[$name]);
+		}
+		return $children;
+	}
+
+	/**
+	 * Assigns an authorization item to a user.
+	 * @param string $itemName the item name
+	 * @param mixed $userId the user ID (see {@link IWebUser::getId})
+	 * @param string $bizRule the business rule to be executed when {@link checkAccess} is called
+	 * for this particular authorization item.
+	 * @param mixed $data additional data associated with this assignment
+	 * @return CAuthAssignment the authorization assignment information.
+	 * @throws CException if the item does not exist or if the item has already been assigned to the user
+	 */
+	public function assign($itemName,$userId,$bizRule=null,$data=null)
+	{
+		if(!isset($this->_items[$itemName]))
+			throw new CException(Yii::t('yii','Unknown authorization item "{name}".',array('{name}'=>$itemName)));
+		else if(isset($this->_assignments[$userId][$itemName]))
+			throw new CException(Yii::t('yii','Authorization item "{item}" has already been assigned to user "{user}".',
+				array('{item}'=>$itemName,'{user}'=>$userId)));
+		else
+			return $this->_assignments[$userId][$itemName]=new CAuthAssignment($this,$itemName,$userId,$bizRule,$data);
+	}
+
+	/**
+	 * Revokes an authorization assignment from a user.
+	 * @param string $itemName the item name
+	 * @param mixed $userId the user ID (see {@link IWebUser::getId})
+	 * @return boolean whether removal is successful
+	 */
+	public function revoke($itemName,$userId)
+	{
+		if(isset($this->_assignments[$userId][$itemName]))
+		{
+			unset($this->_assignments[$userId][$itemName]);
+			return true;
+		}
+		else
+			return false;
+	}
+
+	/**
+	 * Returns a value indicating whether the item has been assigned to the user.
+	 * @param string $itemName the item name
+	 * @param mixed $userId the user ID (see {@link IWebUser::getId})
+	 * @return boolean whether the item has been assigned to the user.
+	 */
+	public function isAssigned($itemName,$userId)
+	{
+		return isset($this->_assignments[$userId][$itemName]);
+	}
+
+	/**
+	 * Returns the item assignment information.
+	 * @param string $itemName the item name
+	 * @param mixed $userId the user ID (see {@link IWebUser::getId})
+	 * @return CAuthAssignment the item assignment information. Null is returned if
+	 * the item is not assigned to the user.
+	 */
+	public function getAuthAssignment($itemName,$userId)
+	{
+		return isset($this->_assignments[$userId][$itemName])?$this->_assignments[$userId][$itemName]:null;
+	}
+
+	/**
+	 * Returns the item assignments for the specified user.
+	 * @param mixed $userId the user ID (see {@link IWebUser::getId})
+	 * @return array the item assignment information for the user. An empty array will be
+	 * returned if there is no item assigned to the user.
+	 */
+	public function getAuthAssignments($userId)
+	{
+		return isset($this->_assignments[$userId])?$this->_assignments[$userId]:array();
+	}
+
+	/**
+	 * Returns the authorization items of the specific type and user.
+	 * @param integer $type the item type (0: operation, 1: task, 2: role). Defaults to null,
+	 * meaning returning all items regardless of their type.
+	 * @param mixed $userId the user ID. Defaults to null, meaning returning all items even if
+	 * they are not assigned to a user.
+	 * @return array the authorization items of the specific type.
+	 */
+	public function getAuthItems($type=null,$userId=null)
+	{
+		if($type===null && $userId===null)
+			return $this->_items;
+		$items=array();
+		if($userId===null)
+		{
+			foreach($this->_items as $name=>$item)
+			{
+				if($item->getType()==$type)
+					$items[$name]=$item;
+			}
+		}
+		else if(isset($this->_assignments[$userId]))
+		{
+			foreach($this->_assignments[$userId] as $assignment)
+			{
+				$name=$assignment->getItemName();
+				if(isset($this->_items[$name]) && ($type===null || $this->_items[$name]->getType()==$type))
+					$items[$name]=$this->_items[$name];
+			}
+		}
+		return $items;
+	}
+
+	/**
+	 * Creates an authorization item.
+	 * An authorization item represents an action permission (e.g. creating a post).
+	 * It has three types: operation, task and role.
+	 * Authorization items form a hierarchy. Higher level items inheirt permissions representing
+	 * by lower level items.
+	 * @param string $name the item name. This must be a unique identifier.
+	 * @param integer $type the item type (0: operation, 1: task, 2: role).
+	 * @param string $description description of the item
+	 * @param string $bizRule business rule associated with the item. This is a piece of
+	 * PHP code that will be executed when {@link checkAccess} is called for the item.
+	 * @param mixed $data additional data associated with the item.
+	 * @return CAuthItem the authorization item
+	 * @throws CException if an item with the same name already exists
+	 */
+	public function createAuthItem($name,$type,$description='',$bizRule=null,$data=null)
+	{
+		if(isset($this->_items[$name]))
+			throw new CException(Yii::t('yii','Unable to add an item whose name is the same as an existing item.'));
+		return $this->_items[$name]=new CAuthItem($this,$name,$type,$description,$bizRule,$data);
+	}
+
+	/**
+	 * Removes the specified authorization item.
+	 * @param string $name the name of the item to be removed
+	 * @return boolean whether the item exists in the storage and has been removed
+	 */
+	public function removeAuthItem($name)
+	{
+		if(isset($this->_items[$name]))
+		{
+			foreach($this->_children as &$children)
+				unset($children[$name]);
+			foreach($this->_assignments as &$assignments)
+				unset($assignments[$name]);
+			unset($this->_items[$name]);
+			return true;
+		}
+		else
+			return false;
+	}
+
+	/**
+	 * Returns the authorization item with the specified name.
+	 * @param string $name the name of the item
+	 * @return CAuthItem the authorization item. Null if the item cannot be found.
+	 */
+	public function getAuthItem($name)
+	{
+		return isset($this->_items[$name])?$this->_items[$name]:null;
+	}
+
+	/**
+	 * Saves an authorization item to persistent storage.
+	 * @param CAuthItem $item the item to be saved.
+	 * @param string $oldName the old item name. If null, it means the item name is not changed.
+	 */
+	public function saveAuthItem($item,$oldName=null)
+	{
+		if($oldName!==null && ($newName=$item->getName())!==$oldName) // name changed
+		{
+			if(isset($this->_items[$newName]))
+				throw new CException(Yii::t('yii','Unable to change the item name. The name "{name}" is already used by another item.',array('{name}'=>$newName)));
+			if(isset($this->_items[$oldName]) && $this->_items[$oldName]===$item)
+			{
+				unset($this->_items[$oldName]);
+				$this->_items[$newName]=$item;
+				if(isset($this->_children[$oldName]))
+				{
+					$this->_children[$newName]=$this->_children[$oldName];
+					unset($this->_children[$oldName]);
+				}
+				foreach($this->_children as &$children)
+				{
+					if(isset($children[$oldName]))
+					{
+						$children[$newName]=$children[$oldName];
+						unset($children[$oldName]);
+					}
+				}
+				foreach($this->_assignments as &$assignments)
+				{
+					if(isset($assignments[$oldName]))
+					{
+						$assignments[$newName]=$assignments[$oldName];
+						unset($assignments[$oldName]);
+					}
+				}
+			}
+		}
+	}
+
+	/**
+	 * Saves the changes to an authorization assignment.
+	 * @param CAuthAssignment $assignment the assignment that has been changed.
+	 */
+	public function saveAuthAssignment($assignment)
+	{
+	}
+
+	/**
+	 * Saves authorization data into persistent storage.
+	 * If any change is made to the authorization data, please make
+	 * sure you call this method to save the changed data into persistent storage.
+	 */
+	public function save()
+	{
+		$items=array();
+		foreach($this->_items as $name=>$item)
+		{
+			$items[$name]=array(
+				'type'=>$item->getType(),
+				'description'=>$item->getDescription(),
+				'bizRule'=>$item->getBizRule(),
+				'data'=>$item->getData(),
+			);
+			if(isset($this->_children[$name]))
+			{
+				foreach($this->_children[$name] as $child)
+					$items[$name]['children'][]=$child->getName();
+			}
+		}
+
+		foreach($this->_assignments as $userId=>$assignments)
+		{
+			foreach($assignments as $name=>$assignment)
+			{
+				if(isset($items[$name]))
+				{
+					$items[$name]['assignments'][$userId]=array(
+						'bizRule'=>$assignment->getBizRule(),
+						'data'=>$assignment->getData(),
+					);
+				}
+			}
+		}
+
+		$this->saveToFile($items,$this->authFile);
+	}
+
+	/**
+	 * Loads authorization data.
+	 */
+	public function load()
+	{
+		$this->clearAll();
+
+		$items=$this->loadFromFile($this->authFile);
+
+		foreach($items as $name=>$item)
+			$this->_items[$name]=new CAuthItem($this,$name,$item['type'],$item['description'],$item['bizRule'],$item['data']);
+
+		foreach($items as $name=>$item)
+		{
+			if(isset($item['children']))
+			{
+				foreach($item['children'] as $childName)
+				{
+					if(isset($this->_items[$childName]))
+						$this->_children[$name][$childName]=$this->_items[$childName];
+				}
+			}
+			if(isset($item['assignments']))
+			{
+				foreach($item['assignments'] as $userId=>$assignment)
+				{
+					$this->_assignments[$userId][$name]=new CAuthAssignment($this,$name,$userId,$assignment['bizRule'],$assignment['data']);
+				}
+			}
+		}
+	}
+
+	/**
+	 * Removes all authorization data.
+	 */
+	public function clearAll()
+	{
+		$this->clearAuthAssignments();
+		$this->_children=array();
+		$this->_items=array();
+	}
+
+	/**
+	 * Removes all authorization assignments.
+	 */
+	public function clearAuthAssignments()
+	{
+		$this->_assignments=array();
+	}
+
+	/**
+	 * Checks whether there is a loop in the authorization item hierarchy.
+	 * @param string $itemName parent item name
+	 * @param string $childName the name of the child item that is to be added to the hierarchy
+	 * @return boolean whether a loop exists
+	 */
+	protected function detectLoop($itemName,$childName)
+	{
+		if($childName===$itemName)
+			return true;
+		if(!isset($this->_children[$childName], $this->_items[$itemName]))
+			return false;
+
+		foreach($this->_children[$childName] as $child)
+		{
+			if($this->detectLoop($itemName,$child->getName()))
+				return true;
+		}
+		return false;
+	}
+
+	/**
+	 * Loads the authorization data from a PHP script file.
+	 * @param string $file the file path.
+	 * @return array the authorization data
+	 * @see saveToFile
+	 */
+	protected function loadFromFile($file)
+	{
+		if(is_file($file))
+			return require($file);
+		else
+			return array();
+	}
+
+	/**
+	 * Saves the authorization data to a PHP script file.
+	 * @param array $data the authorization data
+	 * @param string $file the file path.
+	 * @see loadFromFile
+	 */
+	protected function saveToFile($data,$file)
+	{
+		file_put_contents($file,"<?php\nreturn ".var_export($data,true).";\n");
+	}
+}
diff --git a/framework/web/auth/CUserIdentity.php b/framework/web/auth/CUserIdentity.php
new file mode 100644
index 0000000..560e75a
--- /dev/null
+++ b/framework/web/auth/CUserIdentity.php
@@ -0,0 +1,82 @@
+<?php
+/**
+ * CUserIdentity class file
+ *
+ * @author Qiang Xue <qiang.xue@gmail.com>
+ * @link http://www.yiiframework.com/
+ * @copyright Copyright &copy; 2008-2011 Yii Software LLC
+ * @license http://www.yiiframework.com/license/
+ */
+
+/**
+ * CUserIdentity is a base class for representing identities that are authenticated based on a username and a password.
+ *
+ * Derived classes should implement {@link authenticate} with the actual
+ * authentication scheme (e.g. checking username and password against a DB table).
+ *
+ * By default, CUserIdentity assumes the {@link username} is a unique identifier
+ * and thus use it as the {@link id ID} of the identity.
+ *
+ * @property string $id The unique identifier for the identity.
+ * @property string $name The display name for the identity.
+ *
+ * @author Qiang Xue <qiang.xue@gmail.com>
+ * @version $Id: CUserIdentity.php 3426 2011-10-25 00:01:09Z alexander.makarow $
+ * @package system.web.auth
+ * @since 1.0
+ */
+class CUserIdentity extends CBaseUserIdentity
+{
+	/**
+	 * @var string username
+	 */
+	public $username;
+	/**
+	 * @var string password
+	 */
+	public $password;
+
+	/**
+	 * Constructor.
+	 * @param string $username username
+	 * @param string $password password
+	 */
+	public function __construct($username,$password)
+	{
+		$this->username=$username;
+		$this->password=$password;
+	}
+
+	/**
+	 * Authenticates a user based on {@link username} and {@link password}.
+	 * Derived classes should override this method, or an exception will be thrown.
+	 * This method is required by {@link IUserIdentity}.
+	 * @return boolean whether authentication succeeds.
+	 */
+	public function authenticate()
+	{
+		throw new CException(Yii::t('yii','{class}::authenticate() must be implemented.',array('{class}'=>get_class($this))));
+	}
+
+	/**
+	 * Returns the unique identifier for the identity.
+	 * The default implementation simply returns {@link username}.
+	 * This method is required by {@link IUserIdentity}.
+	 * @return string the unique identifier for the identity.
+	 */
+	public function getId()
+	{
+		return $this->username;
+	}
+
+	/**
+	 * Returns the display name for the identity.
+	 * The default implementation simply returns {@link username}.
+	 * This method is required by {@link IUserIdentity}.
+	 * @return string the display name for the identity.
+	 */
+	public function getName()
+	{
+		return $this->username;
+	}
+}
diff --git a/framework/web/auth/CWebUser.php b/framework/web/auth/CWebUser.php
new file mode 100644
index 0000000..73e5a63
--- /dev/null
+++ b/framework/web/auth/CWebUser.php
@@ -0,0 +1,796 @@
+<?php
+/**
+ * CWebUser class file
+ *
+ * @author Qiang Xue <qiang.xue@gmail.com>
+ * @link http://www.yiiframework.com/
+ * @copyright Copyright &copy; 2008-2011 Yii Software LLC
+ * @license http://www.yiiframework.com/license/
+ */
+
+/**
+ * CWebUser represents the persistent state for a Web application user.
+ *
+ * CWebUser is used as an application component whose ID is 'user'.
+ * Therefore, at any place one can access the user state via
+ * <code>Yii::app()->user</code>.
+ *
+ * CWebUser should be used together with an {@link IUserIdentity identity}
+ * which implements the actual authentication algorithm.
+ *
+ * A typical authentication process using CWebUser is as follows:
+ * <ol>
+ * <li>The user provides information needed for authentication.</li>
+ * <li>An {@link IUserIdentity identity instance} is created with the user-provided information.</li>
+ * <li>Call {@link IUserIdentity::authenticate} to check if the identity is valid.</li>
+ * <li>If valid, call {@link CWebUser::login} to login the user, and
+ *     Redirect the user browser to {@link returnUrl}.</li>
+ * <li>If not valid, retrieve the error code or message from the identity
+ * instance and display it.</li>
+ * </ol>
+ *
+ * The property {@link id} and {@link name} are both identifiers
+ * for the user. The former is mainly used internally (e.g. primary key), while
+ * the latter is for display purpose (e.g. username). The {@link id} property
+ * is a unique identifier for a user that is persistent
+ * during the whole user session. It can be a username, or something else,
+ * depending on the implementation of the {@link IUserIdentity identity class}.
+ *
+ * Both {@link id} and {@link name} are persistent during the user session.
+ * Besides, an identity may have additional persistent data which can
+ * be accessed by calling {@link getState}.
+ * Note, when {@link allowAutoLogin cookie-based authentication} is enabled,
+ * all these persistent data will be stored in cookie. Therefore, do not
+ * store password or other sensitive data in the persistent storage. Instead,
+ * you should store them directly in session on the server side if needed.
+ *
+ * @property boolean $isGuest Whether the current application user is a guest.
+ * @property mixed $id The unique identifier for the user. If null, it means the user is a guest.
+ * @property string $name The user name. If the user is not logged in, this will be {@link guestName}.
+ * @property string $returnUrl The URL that the user should be redirected to after login.
+ * @property string $stateKeyPrefix A prefix for the name of the session variables storing user session data.
+ * @property array $flashes Flash messages (key => message).
+ *
+ * @author Qiang Xue <qiang.xue@gmail.com>
+ * @version $Id: CWebUser.php 3515 2011-12-28 12:29:24Z mdomba $
+ * @package system.web.auth
+ * @since 1.0
+ */
+class CWebUser extends CApplicationComponent implements IWebUser
+{
+	const FLASH_KEY_PREFIX='Yii.CWebUser.flash.';
+	const FLASH_COUNTERS='Yii.CWebUser.flashcounters';
+	const STATES_VAR='__states';
+	const AUTH_TIMEOUT_VAR='__timeout';
+
+	/**
+	 * @var boolean whether to enable cookie-based login. Defaults to false.
+	 */
+	public $allowAutoLogin=false;
+	/**
+	 * @var string the name for a guest user. Defaults to 'Guest'.
+	 * This is used by {@link getName} when the current user is a guest (not authenticated).
+	 */
+	public $guestName='Guest';
+	/**
+	 * @var string|array the URL for login. If using array, the first element should be
+	 * the route to the login action, and the rest name-value pairs are GET parameters
+	 * to construct the login URL (e.g. array('/site/login')). If this property is null,
+	 * a 403 HTTP exception will be raised instead.
+	 * @see CController::createUrl
+	 */
+	public $loginUrl=array('/site/login');
+	/**
+	 * @var array the property values (in name-value pairs) used to initialize the identity cookie.
+	 * Any property of {@link CHttpCookie} may be initialized.
+	 * This property is effective only when {@link allowAutoLogin} is true.
+	 */
+	public $identityCookie;
+	/**
+	 * @var integer timeout in seconds after which user is logged out if inactive.
+	 * If this property is not set, the user will be logged out after the current session expires
+	 * (c.f. {@link CHttpSession::timeout}).
+	 * @since 1.1.7
+	 */
+	public $authTimeout;
+	/**
+	 * @var boolean whether to automatically renew the identity cookie each time a page is requested.
+	 * Defaults to false. This property is effective only when {@link allowAutoLogin} is true.
+	 * When this is false, the identity cookie will expire after the specified duration since the user
+	 * is initially logged in. When this is true, the identity cookie will expire after the specified duration
+	 * since the user visits the site the last time.
+	 * @see allowAutoLogin
+	 * @since 1.1.0
+	 */
+	public $autoRenewCookie=false;
+	/**
+	 * @var boolean whether to automatically update the validity of flash messages.
+	 * Defaults to true, meaning flash messages will be valid only in the current and the next requests.
+	 * If this is set false, you will be responsible for ensuring a flash message is deleted after usage.
+	 * (This can be achieved by calling {@link getFlash} with the 3rd parameter being true).
+	 * @since 1.1.7
+	 */
+	public $autoUpdateFlash=true;
+	/**
+	 * @var string value that will be echoed in case that user session has expired during an ajax call.
+	 * When a request is made and user session has expired, {@link loginRequired} redirects to {@link loginUrl} for login.
+	 * If that happens during an ajax call, the complete HTML login page is returned as the result of that ajax call. That could be
+	 * a problem if the ajax call expects the result to be a json array or a predefined string, as the login page is ignored in that case.
+	 * To solve this, set this property to the desired return value.
+	 * 
+	 * If this property is set, this value will be returned as the result of the ajax call in case that the user session has expired.
+	 * @since 1.1.9
+	 * @see loginRequired
+	 */
+	public $loginRequiredAjaxResponse;
+
+	private $_keyPrefix;
+	private $_access=array();
+
+	/**
+	 * PHP magic method.
+	 * This method is overriden so that persistent states can be accessed like properties.
+	 * @param string $name property name
+	 * @return mixed property value
+	 */
+	public function __get($name)
+	{
+		if($this->hasState($name))
+			return $this->getState($name);
+		else
+			return parent::__get($name);
+	}
+
+	/**
+	 * PHP magic method.
+	 * This method is overriden so that persistent states can be set like properties.
+	 * @param string $name property name
+	 * @param mixed $value property value
+	 */
+	public function __set($name,$value)
+	{
+		if($this->hasState($name))
+			$this->setState($name,$value);
+		else
+			parent::__set($name,$value);
+	}
+
+	/**
+	 * PHP magic method.
+	 * This method is overriden so that persistent states can also be checked for null value.
+	 * @param string $name property name
+	 * @return boolean
+	 */
+	public function __isset($name)
+	{
+		if($this->hasState($name))
+			return $this->getState($name)!==null;
+		else
+			return parent::__isset($name);
+	}
+
+	/**
+	 * PHP magic method.
+	 * This method is overriden so that persistent states can also be unset.
+	 * @param string $name property name
+	 * @throws CException if the property is read only.
+	 */
+	public function __unset($name)
+	{
+		if($this->hasState($name))
+			$this->setState($name,null);
+		else
+			parent::__unset($name);
+	}
+
+	/**
+	 * Initializes the application component.
+	 * This method overrides the parent implementation by starting session,
+	 * performing cookie-based authentication if enabled, and updating the flash variables.
+	 */
+	public function init()
+	{
+		parent::init();
+		Yii::app()->getSession()->open();
+		if($this->getIsGuest() && $this->allowAutoLogin)
+			$this->restoreFromCookie();
+		else if($this->autoRenewCookie && $this->allowAutoLogin)
+			$this->renewCookie();
+		if($this->autoUpdateFlash)
+			$this->updateFlash();
+
+		$this->updateAuthStatus();
+	}
+
+	/**
+	 * Logs in a user.
+	 *
+	 * The user identity information will be saved in storage that is
+	 * persistent during the user session. By default, the storage is simply
+	 * the session storage. If the duration parameter is greater than 0,
+	 * a cookie will be sent to prepare for cookie-based login in future.
+	 *
+	 * Note, you have to set {@link allowAutoLogin} to true
+	 * if you want to allow user to be authenticated based on the cookie information.
+	 *
+	 * @param IUserIdentity $identity the user identity (which should already be authenticated)
+	 * @param integer $duration number of seconds that the user can remain in logged-in status. Defaults to 0, meaning login till the user closes the browser.
+	 * If greater than 0, cookie-based login will be used. In this case, {@link allowAutoLogin}
+	 * must be set true, otherwise an exception will be thrown.
+	 * @return boolean whether the user is logged in
+	 */
+	public function login($identity,$duration=0)
+	{
+		$id=$identity->getId();
+		$states=$identity->getPersistentStates();
+		if($this->beforeLogin($id,$states,false))
+		{
+			$this->changeIdentity($id,$identity->getName(),$states);
+
+			if($duration>0)
+			{
+				if($this->allowAutoLogin)
+					$this->saveToCookie($duration);
+				else
+					throw new CException(Yii::t('yii','{class}.allowAutoLogin must be set true in order to use cookie-based authentication.',
+						array('{class}'=>get_class($this))));
+			}
+
+			$this->afterLogin(false);
+		}
+		return !$this->getIsGuest();
+	}
+
+	/**
+	 * Logs out the current user.
+	 * This will remove authentication-related session data.
+	 * If the parameter is true, the whole session will be destroyed as well.
+	 * @param boolean $destroySession whether to destroy the whole session. Defaults to true. If false,
+	 * then {@link clearStates} will be called, which removes only the data stored via {@link setState}.
+	 */
+	public function logout($destroySession=true)
+	{
+		if($this->beforeLogout())
+		{
+			if($this->allowAutoLogin)
+			{
+				Yii::app()->getRequest()->getCookies()->remove($this->getStateKeyPrefix());
+				if($this->identityCookie!==null)
+				{
+					$cookie=$this->createIdentityCookie($this->getStateKeyPrefix());
+					$cookie->value=null;
+					$cookie->expire=0;
+					Yii::app()->getRequest()->getCookies()->add($cookie->name,$cookie);
+				}
+			}
+			if($destroySession)
+				Yii::app()->getSession()->destroy();
+			else
+				$this->clearStates();
+			$this->afterLogout();
+		}
+	}
+
+	/**
+	 * @return boolean whether the current application user is a guest.
+	 */
+	public function getIsGuest()
+	{
+		return $this->getState('__id')===null;
+	}
+
+	/**
+	 * @return mixed the unique identifier for the user. If null, it means the user is a guest.
+	 */
+	public function getId()
+	{
+		return $this->getState('__id');
+	}
+
+	/**
+	 * @param mixed $value the unique identifier for the user. If null, it means the user is a guest.
+	 */
+	public function setId($value)
+	{
+		$this->setState('__id',$value);
+	}
+
+	/**
+	 * Returns the unique identifier for the user (e.g. username).
+	 * This is the unique identifier that is mainly used for display purpose.
+	 * @return string the user name. If the user is not logged in, this will be {@link guestName}.
+	 */
+	public function getName()
+	{
+		if(($name=$this->getState('__name'))!==null)
+			return $name;
+		else
+			return $this->guestName;
+	}
+
+	/**
+	 * Sets the unique identifier for the user (e.g. username).
+	 * @param string $value the user name.
+	 * @see getName
+	 */
+	public function setName($value)
+	{
+		$this->setState('__name',$value);
+	}
+
+	/**
+	 * Returns the URL that the user should be redirected to after successful login.
+	 * This property is usually used by the login action. If the login is successful,
+	 * the action should read this property and use it to redirect the user browser.
+	 * @param string $defaultUrl the default return URL in case it was not set previously. If this is null,
+	 * the application entry URL will be considered as the default return URL.
+	 * @return string the URL that the user should be redirected to after login.
+	 * @see loginRequired
+	 */
+	public function getReturnUrl($defaultUrl=null)
+	{
+		return $this->getState('__returnUrl', $defaultUrl===null ? Yii::app()->getRequest()->getScriptUrl() : CHtml::normalizeUrl($defaultUrl));
+	}
+
+	/**
+	 * @param string $value the URL that the user should be redirected to after login.
+	 */
+	public function setReturnUrl($value)
+	{
+		$this->setState('__returnUrl',$value);
+	}
+
+	/**
+	 * Redirects the user browser to the login page.
+	 * Before the redirection, the current URL (if it's not an AJAX url) will be
+	 * kept in {@link returnUrl} so that the user browser may be redirected back
+	 * to the current page after successful login. Make sure you set {@link loginUrl}
+	 * so that the user browser can be redirected to the specified login URL after
+	 * calling this method.
+	 * After calling this method, the current request processing will be terminated.
+	 */
+	public function loginRequired()
+	{
+		$app=Yii::app();
+		$request=$app->getRequest();
+
+		if(!$request->getIsAjaxRequest())
+			$this->setReturnUrl($request->getUrl());
+		elseif(isset($this->loginRequiredAjaxResponse))
+		{
+			echo $this->loginRequiredAjaxResponse;
+			Yii::app()->end();
+		}
+
+		if(($url=$this->loginUrl)!==null)
+		{
+			if(is_array($url))
+			{
+				$route=isset($url[0]) ? $url[0] : $app->defaultController;
+				$url=$app->createUrl($route,array_splice($url,1));
+			}
+			$request->redirect($url);
+		}
+		else
+			throw new CHttpException(403,Yii::t('yii','Login Required'));
+	}
+
+	/**
+	 * This method is called before logging in a user.
+	 * You may override this method to provide additional security check.
+	 * For example, when the login is cookie-based, you may want to verify
+	 * that the user ID together with a random token in the states can be found
+	 * in the database. This will prevent hackers from faking arbitrary
+	 * identity cookies even if they crack down the server private key.
+	 * @param mixed $id the user ID. This is the same as returned by {@link getId()}.
+	 * @param array $states a set of name-value pairs that are provided by the user identity.
+	 * @param boolean $fromCookie whether the login is based on cookie
+	 * @return boolean whether the user should be logged in
+	 * @since 1.1.3
+	 */
+	protected function beforeLogin($id,$states,$fromCookie)
+	{
+		return true;
+	}
+
+	/**
+	 * This method is called after the user is successfully logged in.
+	 * You may override this method to do some postprocessing (e.g. log the user
+	 * login IP and time; load the user permission information).
+	 * @param boolean $fromCookie whether the login is based on cookie.
+	 * @since 1.1.3
+	 */
+	protected function afterLogin($fromCookie)
+	{
+	}
+
+	/**
+	 * This method is invoked when calling {@link logout} to log out a user.
+	 * If this method return false, the logout action will be cancelled.
+	 * You may override this method to provide additional check before
+	 * logging out a user.
+	 * @return boolean whether to log out the user
+	 * @since 1.1.3
+	 */
+	protected function beforeLogout()
+	{
+		return true;
+	}
+
+	/**
+	 * This method is invoked right after a user is logged out.
+	 * You may override this method to do some extra cleanup work for the user.
+	 * @since 1.1.3
+	 */
+	protected function afterLogout()
+	{
+	}
+
+	/**
+	 * Populates the current user object with the information obtained from cookie.
+	 * This method is used when automatic login ({@link allowAutoLogin}) is enabled.
+	 * The user identity information is recovered from cookie.
+	 * Sufficient security measures are used to prevent cookie data from being tampered.
+	 * @see saveToCookie
+	 */
+	protected function restoreFromCookie()
+	{
+		$app=Yii::app();
+		$request=$app->getRequest();
+		$cookie=$request->getCookies()->itemAt($this->getStateKeyPrefix());
+		if($cookie && !empty($cookie->value) && ($data=$app->getSecurityManager()->validateData($cookie->value))!==false)
+		{
+			$data=@unserialize($data);
+			if(is_array($data) && isset($data[0],$data[1],$data[2],$data[3]))
+			{
+				list($id,$name,$duration,$states)=$data;
+				if($this->beforeLogin($id,$states,true))
+				{
+					$this->changeIdentity($id,$name,$states);
+					if($this->autoRenewCookie)
+					{
+						$cookie->expire=time()+$duration;
+						$request->getCookies()->add($cookie->name,$cookie);
+					}
+					$this->afterLogin(true);
+				}
+			}
+		}
+	}
+
+	/**
+	 * Renews the identity cookie.
+	 * This method will set the expiration time of the identity cookie to be the current time
+	 * plus the originally specified cookie duration.
+	 * @since 1.1.3
+	 */
+	protected function renewCookie()
+	{
+		$request=Yii::app()->getRequest();
+		$cookies=$request->getCookies();
+		$cookie=$cookies->itemAt($this->getStateKeyPrefix());
+		if($cookie && !empty($cookie->value) && ($data=Yii::app()->getSecurityManager()->validateData($cookie->value))!==false)
+		{
+			$data=@unserialize($data);
+			if(is_array($data) && isset($data[0],$data[1],$data[2],$data[3]))
+			{
+				$cookie->expire=time()+$data[2];
+				$cookies->add($cookie->name,$cookie);
+			}
+		}
+	}
+
+	/**
+	 * Saves necessary user data into a cookie.
+	 * This method is used when automatic login ({@link allowAutoLogin}) is enabled.
+	 * This method saves user ID, username, other identity states and a validation key to cookie.
+	 * These information are used to do authentication next time when user visits the application.
+	 * @param integer $duration number of seconds that the user can remain in logged-in status. Defaults to 0, meaning login till the user closes the browser.
+	 * @see restoreFromCookie
+	 */
+	protected function saveToCookie($duration)
+	{
+		$app=Yii::app();
+		$cookie=$this->createIdentityCookie($this->getStateKeyPrefix());
+		$cookie->expire=time()+$duration;
+		$data=array(
+			$this->getId(),
+			$this->getName(),
+			$duration,
+			$this->saveIdentityStates(),
+		);
+		$cookie->value=$app->getSecurityManager()->hashData(serialize($data));
+		$app->getRequest()->getCookies()->add($cookie->name,$cookie);
+	}
+
+	/**
+	 * Creates a cookie to store identity information.
+	 * @param string $name the cookie name
+	 * @return CHttpCookie the cookie used to store identity information
+	 */
+	protected function createIdentityCookie($name)
+	{
+		$cookie=new CHttpCookie($name,'');
+		if(is_array($this->identityCookie))
+		{
+			foreach($this->identityCookie as $name=>$value)
+				$cookie->$name=$value;
+		}
+		return $cookie;
+	}
+
+	/**
+	 * @return string a prefix for the name of the session variables storing user session data.
+	 */
+	public function getStateKeyPrefix()
+	{
+		if($this->_keyPrefix!==null)
+			return $this->_keyPrefix;
+		else
+			return $this->_keyPrefix=md5('Yii.'.get_class($this).'.'.Yii::app()->getId());
+	}
+
+	/**
+	 * @param string $value a prefix for the name of the session variables storing user session data.
+	 */
+	public function setStateKeyPrefix($value)
+	{
+		$this->_keyPrefix=$value;
+	}
+
+	/**
+	 * Returns the value of a variable that is stored in user session.
+	 *
+	 * This function is designed to be used by CWebUser descendant classes
+	 * who want to store additional user information in user session.
+	 * A variable, if stored in user session using {@link setState} can be
+	 * retrieved back using this function.
+	 *
+	 * @param string $key variable name
+	 * @param mixed $defaultValue default value
+	 * @return mixed the value of the variable. If it doesn't exist in the session,
+	 * the provided default value will be returned
+	 * @see setState
+	 */
+	public function getState($key,$defaultValue=null)
+	{
+		$key=$this->getStateKeyPrefix().$key;
+		return isset($_SESSION[$key]) ? $_SESSION[$key] : $defaultValue;
+	}
+
+	/**
+	 * Stores a variable in user session.
+	 *
+	 * This function is designed to be used by CWebUser descendant classes
+	 * who want to store additional user information in user session.
+	 * By storing a variable using this function, the variable may be retrieved
+	 * back later using {@link getState}. The variable will be persistent
+	 * across page requests during a user session.
+	 *
+	 * @param string $key variable name
+	 * @param mixed $value variable value
+	 * @param mixed $defaultValue default value. If $value===$defaultValue, the variable will be
+	 * removed from the session
+	 * @see getState
+	 */
+	public function setState($key,$value,$defaultValue=null)
+	{
+		$key=$this->getStateKeyPrefix().$key;
+		if($value===$defaultValue)
+			unset($_SESSION[$key]);
+		else
+			$_SESSION[$key]=$value;
+	}
+
+	/**
+	 * Returns a value indicating whether there is a state of the specified name.
+	 * @param string $key state name
+	 * @return boolean whether there is a state of the specified name.
+	 */
+	public function hasState($key)
+	{
+		$key=$this->getStateKeyPrefix().$key;
+		return isset($_SESSION[$key]);
+	}
+
+	/**
+	 * Clears all user identity information from persistent storage.
+	 * This will remove the data stored via {@link setState}.
+	 */
+	public function clearStates()
+	{
+		$keys=array_keys($_SESSION);
+		$prefix=$this->getStateKeyPrefix();
+		$n=strlen($prefix);
+		foreach($keys as $key)
+		{
+			if(!strncmp($key,$prefix,$n))
+				unset($_SESSION[$key]);
+		}
+	}
+
+	/**
+	 * Returns all flash messages.
+	 * This method is similar to {@link getFlash} except that it returns all
+	 * currently available flash messages.
+	 * @param boolean $delete whether to delete the flash messages after calling this method.
+	 * @return array flash messages (key => message).
+	 * @since 1.1.3
+	 */
+	public function getFlashes($delete=true)
+	{
+		$flashes=array();
+		$prefix=$this->getStateKeyPrefix().self::FLASH_KEY_PREFIX;
+		$keys=array_keys($_SESSION);
+		$n=strlen($prefix);
+		foreach($keys as $key)
+		{
+			if(!strncmp($key,$prefix,$n))
+			{
+				$flashes[substr($key,$n)]=$_SESSION[$key];
+				if($delete)
+					unset($_SESSION[$key]);
+			}
+		}
+		if($delete)
+			$this->setState(self::FLASH_COUNTERS,array());
+		return $flashes;
+	}
+
+	/**
+	 * Returns a flash message.
+	 * A flash message is available only in the current and the next requests.
+	 * @param string $key key identifying the flash message
+	 * @param mixed $defaultValue value to be returned if the flash message is not available.
+	 * @param boolean $delete whether to delete this flash message after accessing it.
+	 * Defaults to true.
+	 * @return mixed the message message
+	 */
+	public function getFlash($key,$defaultValue=null,$delete=true)
+	{
+		$value=$this->getState(self::FLASH_KEY_PREFIX.$key,$defaultValue);
+		if($delete)
+			$this->setFlash($key,null);
+		return $value;
+	}
+
+	/**
+	 * Stores a flash message.
+	 * A flash message is available only in the current and the next requests.
+	 * @param string $key key identifying the flash message
+	 * @param mixed $value flash message
+	 * @param mixed $defaultValue if this value is the same as the flash message, the flash message
+	 * will be removed. (Therefore, you can use setFlash('key',null) to remove a flash message.)
+	 */
+	public function setFlash($key,$value,$defaultValue=null)
+	{
+		$this->setState(self::FLASH_KEY_PREFIX.$key,$value,$defaultValue);
+		$counters=$this->getState(self::FLASH_COUNTERS,array());
+		if($value===$defaultValue)
+			unset($counters[$key]);
+		else
+			$counters[$key]=0;
+		$this->setState(self::FLASH_COUNTERS,$counters,array());
+	}
+
+	/**
+	 * @param string $key key identifying the flash message
+	 * @return boolean whether the specified flash message exists
+	 */
+	public function hasFlash($key)
+	{
+		return $this->getFlash($key, null, false)!==null;
+	}
+
+	/**
+	 * Changes the current user with the specified identity information.
+	 * This method is called by {@link login} and {@link restoreFromCookie}
+	 * when the current user needs to be populated with the corresponding
+	 * identity information. Derived classes may override this method
+	 * by retrieving additional user-related information. Make sure the
+	 * parent implementation is called first.
+	 * @param mixed $id a unique identifier for the user
+	 * @param string $name the display name for the user
+	 * @param array $states identity states
+	 */
+	protected function changeIdentity($id,$name,$states)
+	{
+		Yii::app()->getSession()->regenerateID();
+		$this->setId($id);
+		$this->setName($name);
+		$this->loadIdentityStates($states);
+	}
+
+	/**
+	 * Retrieves identity states from persistent storage and saves them as an array.
+	 * @return array the identity states
+	 */
+	protected function saveIdentityStates()
+	{
+		$states=array();
+		foreach($this->getState(self::STATES_VAR,array()) as $name=>$dummy)
+			$states[$name]=$this->getState($name);
+		return $states;
+	}
+
+	/**
+	 * Loads identity states from an array and saves them to persistent storage.
+	 * @param array $states the identity states
+	 */
+	protected function loadIdentityStates($states)
+	{
+		$names=array();
+		if(is_array($states))
+		{
+			foreach($states as $name=>$value)
+			{
+				$this->setState($name,$value);
+				$names[$name]=true;
+			}
+		}
+		$this->setState(self::STATES_VAR,$names);
+	}
+
+	/**
+	 * Updates the internal counters for flash messages.
+	 * This method is internally used by {@link CWebApplication}
+	 * to maintain the availability of flash messages.
+	 */
+	protected function updateFlash()
+	{
+		$counters=$this->getState(self::FLASH_COUNTERS);
+		if(!is_array($counters))
+			return;
+		foreach($counters as $key=>$count)
+		{
+			if($count)
+			{
+				unset($counters[$key]);
+				$this->setState(self::FLASH_KEY_PREFIX.$key,null);
+			}
+			else
+				$counters[$key]++;
+		}
+		$this->setState(self::FLASH_COUNTERS,$counters,array());
+	}
+
+	/**
+	 * Updates the authentication status according to {@link authTimeout}.
+	 * If the user has been inactive for {@link authTimeout} seconds,
+	 * he will be automatically logged out.
+	 * @since 1.1.7
+	 */
+	protected function updateAuthStatus()
+	{
+		if($this->authTimeout!==null && !$this->getIsGuest())
+		{
+			$expires=$this->getState(self::AUTH_TIMEOUT_VAR);
+			if ($expires!==null && $expires < time())
+				$this->logout(false);
+			else
+				$this->setState(self::AUTH_TIMEOUT_VAR,time()+$this->authTimeout);
+		}
+	}
+
+	/**
+	 * Performs access check for this user.
+	 * @param string $operation the name of the operation that need access check.
+	 * @param array $params name-value pairs that would be passed to business rules associated
+	 * with the tasks and roles assigned to the user.
+	 * @param boolean $allowCaching whether to allow caching the result of access check.
+	 * When this parameter
+	 * is true (default), if the access check of an operation was performed before,
+	 * its result will be directly returned when calling this method to check the same operation.
+	 * If this parameter is false, this method will always call {@link CAuthManager::checkAccess}
+	 * to obtain the up-to-date access result. Note that this caching is effective
+	 * only within the same request.
+	 * @return boolean whether the operations can be performed by this user.
+	 */
+	public function checkAccess($operation,$params=array(),$allowCaching=true)
+	{
+		if($allowCaching && $params===array() && isset($this->_access[$operation]))
+			return $this->_access[$operation];
+		else
+			return $this->_access[$operation]=Yii::app()->getAuthManager()->checkAccess($operation,$this->getId(),$params);
+	}
+}
diff --git a/framework/web/auth/schema-mssql.sql b/framework/web/auth/schema-mssql.sql
new file mode 100644
index 0000000..7c1208b
--- /dev/null
+++ b/framework/web/auth/schema-mssql.sql
@@ -0,0 +1,42 @@
+/**
+ * Database schema required by CDbAuthManager.
+ *
+ * @author Qiang Xue <qiang.xue@gmail.com>
+ * @link http://www.yiiframework.com/
+ * @copyright Copyright &copy; 2008 Yii Software LLC
+ * @license http://www.yiiframework.com/license/
+ * @since 1.0
+ */
+
+drop table if exists [AuthAssignment];
+drop table if exists [AuthItemChild];
+drop table if exists [AuthItem];
+
+create table [AuthItem]
+(
+   [name]                 varchar(64) not null,
+   [type]                 integer not null,
+   [description]          text,
+   [bizrule]              text,
+   [data]                 text,
+   primary key ([name])
+);
+
+create table [AuthItemChild]
+(
+   [parent]               varchar(64) not null,
+   [child]                varchar(64) not null,
+   primary key ([parent],[child]),
+   foreign key ([parent]) references [AuthItem] ([name]) on delete cascade on update cascade,
+   foreign key ([child]) references [AuthItem] ([name]) on delete cascade on update cascade
+);
+
+create table [AuthAssignment]
+(
+   [itemname]             varchar(64) not null,
+   [userid]               varchar(64) not null,
+   [bizrule]              text,
+   [data]                 text,
+   primary key ([itemname],[userid]),
+   foreign key ([itemname]) references [AuthItem] ([name]) on delete cascade on update cascade
+);
diff --git a/framework/web/auth/schema-mysql.sql b/framework/web/auth/schema-mysql.sql
new file mode 100644
index 0000000..8ed5556
--- /dev/null
+++ b/framework/web/auth/schema-mysql.sql
@@ -0,0 +1,42 @@
+/**
+ * Database schema required by CDbAuthManager.
+ *
+ * @author Qiang Xue <qiang.xue@gmail.com>
+ * @link http://www.yiiframework.com/
+ * @copyright Copyright &copy; 2008 Yii Software LLC
+ * @license http://www.yiiframework.com/license/
+ * @since 1.0
+ */
+
+drop table if exists `AuthAssignment`;
+drop table if exists `AuthItemChild`;
+drop table if exists `AuthItem`;
+
+create table `AuthItem`
+(
+   `name`                 varchar(64) not null,
+   `type`                 integer not null,
+   `description`          text,
+   `bizrule`              text,
+   `data`                 text,
+   primary key (`name`)
+) engine InnoDB;
+
+create table `AuthItemChild`
+(
+   `parent`               varchar(64) not null,
+   `child`                varchar(64) not null,
+   primary key (`parent`,`child`),
+   foreign key (`parent`) references `AuthItem` (`name`) on delete cascade on update cascade,
+   foreign key (`child`) references `AuthItem` (`name`) on delete cascade on update cascade
+) engine InnoDB;
+
+create table `AuthAssignment`
+(
+   `itemname`             varchar(64) not null,
+   `userid`               varchar(64) not null,
+   `bizrule`              text,
+   `data`                 text,
+   primary key (`itemname`,`userid`),
+   foreign key (`itemname`) references `AuthItem` (`name`) on delete cascade on update cascade
+) engine InnoDB;
diff --git a/framework/web/auth/schema-oci.sql b/framework/web/auth/schema-oci.sql
new file mode 100644
index 0000000..2d597b4
--- /dev/null
+++ b/framework/web/auth/schema-oci.sql
@@ -0,0 +1,42 @@
+/**
+ * Database schema required by CDbAuthManager.
+ *
+ * @author Qiang Xue <qiang.xue@gmail.com>
+ * @link http://www.yiiframework.com/
+ * @copyright Copyright &copy; 2008 Yii Software LLC
+ * @license http://www.yiiframework.com/license/
+ * @since 1.0
+ */
+
+drop table if exists "AuthAssignment";
+drop table if exists "AuthItemChild";
+drop table if exists "AuthItem";
+
+create table "AuthItem"
+(
+   "name"                 varchar(64) not null,
+   "type"                 integer not null,
+   "description"          text,
+   "bizrule"              text,
+   "data"                 text,
+   primary key ("name")
+);
+
+create table "AuthItemChild"
+(
+   "parent"               varchar(64) not null,
+   "child"                varchar(64) not null,
+   primary key ("parent","child"),
+   foreign key ("parent") references "AuthItem" ("name") on delete cascade on update cascade,
+   foreign key ("child") references "AuthItem" ("name") on delete cascade on update cascade
+);
+
+create table "AuthAssignment"
+(
+   "itemname"             varchar(64) not null,
+   "userid"               varchar(64) not null,
+   "bizrule"              text,
+   "data"                 text,
+   primary key ("itemname","userid"),
+   foreign key ("itemname") references "AuthItem" ("name") on delete cascade on update cascade
+);
diff --git a/framework/web/auth/schema-pgsql.sql b/framework/web/auth/schema-pgsql.sql
new file mode 100644
index 0000000..2d597b4
--- /dev/null
+++ b/framework/web/auth/schema-pgsql.sql
@@ -0,0 +1,42 @@
+/**
+ * Database schema required by CDbAuthManager.
+ *
+ * @author Qiang Xue <qiang.xue@gmail.com>
+ * @link http://www.yiiframework.com/
+ * @copyright Copyright &copy; 2008 Yii Software LLC
+ * @license http://www.yiiframework.com/license/
+ * @since 1.0
+ */
+
+drop table if exists "AuthAssignment";
+drop table if exists "AuthItemChild";
+drop table if exists "AuthItem";
+
+create table "AuthItem"
+(
+   "name"                 varchar(64) not null,
+   "type"                 integer not null,
+   "description"          text,
+   "bizrule"              text,
+   "data"                 text,
+   primary key ("name")
+);
+
+create table "AuthItemChild"
+(
+   "parent"               varchar(64) not null,
+   "child"                varchar(64) not null,
+   primary key ("parent","child"),
+   foreign key ("parent") references "AuthItem" ("name") on delete cascade on update cascade,
+   foreign key ("child") references "AuthItem" ("name") on delete cascade on update cascade
+);
+
+create table "AuthAssignment"
+(
+   "itemname"             varchar(64) not null,
+   "userid"               varchar(64) not null,
+   "bizrule"              text,
+   "data"                 text,
+   primary key ("itemname","userid"),
+   foreign key ("itemname") references "AuthItem" ("name") on delete cascade on update cascade
+);
diff --git a/framework/web/auth/schema-sqlite.sql b/framework/web/auth/schema-sqlite.sql
new file mode 100644
index 0000000..8d93272
--- /dev/null
+++ b/framework/web/auth/schema-sqlite.sql
@@ -0,0 +1,42 @@
+/**
+ * Database schema required by CDbAuthManager.
+ *
+ * @author Qiang Xue <qiang.xue@gmail.com>
+ * @link http://www.yiiframework.com/
+ * @copyright Copyright &copy; 2008 Yii Software LLC
+ * @license http://www.yiiframework.com/license/
+ * @since 1.0
+ */
+
+drop table if exists 'AuthAssignment';
+drop table if exists 'AuthItemChild';
+drop table if exists 'AuthItem';
+
+create table 'AuthItem'
+(
+   "name"                 varchar(64) not null,
+   "type"                 integer not null,
+   "description"          text,
+   "bizrule"              text,
+   "data"                 text,
+   primary key ("name")
+);
+
+create table 'AuthItemChild'
+(
+   "parent"               varchar(64) not null,
+   "child"                varchar(64) not null,
+   primary key ("parent","child"),
+   foreign key ("parent") references 'AuthItem' ("name") on delete cascade on update cascade,
+   foreign key ("child") references 'AuthItem' ("name") on delete cascade on update cascade
+);
+
+create table 'AuthAssignment'
+(
+   "itemname"             varchar(64) not null,
+   "userid"               varchar(64) not null,
+   "bizrule"              text,
+   "data"                 text,
+   primary key ("itemname","userid"),
+   foreign key ("itemname") references 'AuthItem' ("name") on delete cascade on update cascade
+);