
phpGACL Chinese Manual (Part 5)

2006-08-11 15:37
How does phpGACL determine permissions?

When the ship's computer (running phpGACL of course) checks access, the only question it can ask itself is "Does person X have access to room Y?" In phpGACL terms, this is rephrased as "Does ARO 'X' have access to ACO 'Y'?"

phpGACL determines whether a specific person has access to a specific room by working from the top of the ARO tree towards the specified person, noting explicit access controls for that place along the way. When it reaches that person, it uses the last explicit access control it encountered as the result to return. In this way, you can define access controls for groups of people, but over-ride them further down the tree if you need to.

Example 1: We ask: "Does Luke have access to the Lounge?".

Set the default result, "DENY".

Work out a path to Luke: Millennium Falcon Passengers → Passengers → Jedi → Luke

Start at the top of the tree and move towards Luke: The "Millennium Falcon Passengers" node doesn't say anything about any room, so do nothing here.

Move on to "Passengers", which explicitly says that "Passengers" have Lounge access, so change the internal result to "ALLOW".

Move to the "Jedi" node, which doesn't mention the Lounge at all.

Finally move to Luke's node, and again there's nothing there about the Lounge.

There's nowhere left to go, so the result returned is the current value of the internal result: "ALLOW"

Example 2: We ask: "Does Chewie have access to the Engines?"

Set the default result, "DENY".

Work out a path to Chewie: Millennium Falcon Passengers → Crew → Chewie

Start at the top of the tree and move towards Chewie. The "Millennium Falcon Passengers" node doesn't say anything about anywhere, so do nothing here.

Move on to "Crew", which explicitly says that "Crew" have Engine access, so change the internal result to "ALLOW".

Move to Chewie's node, and there's an explicit rule saying that he doesn't have access to the Engines, so change the internal result to "DENY".

There's nowhere left to go, so the result returned is the current value of the internal result: "DENY"

As you can see from the examples, if a Group doesn't explicitly specify a permission for a room, then that Group inherits the access restrictions of its parent for that room. If the root node ("Millennium Falcon Passengers") doesn't specify a permission, it inherits it from the default setting ("DENY ALL" in the above examples).

This implies a couple of interesting points about the ARO tree:

The ARO tree always shows the full list of the AROs. It would not make sense to ask "Does Jabba have access to the Cockpit?" because Jabba has not been defined in this system. However, phpGACL does not check to see if AROs or ACOs exist before performing the check, so if this question was actually asked then the result would be the default "DENY".

The ARO tree may not display some defined ACOs, and relies on the default setting to define access policy. For example, say Han defined a "Bathroom" ACO. Any question like "Does Luke have access to the Bathroom?" would have the answer "DENY", because the default is "DENY" and nowhere in the ARO tree does it ever explicitly mention the Bathroom. Keep in mind when examining the ARO tree that some ACOs may not be visible.

Note: When asking phpGACL questions about access to an ACO, it is not possible to use Groups as AROs (even though it might 'seem' right). For example, it is impossible to answer the question "Do Passengers have access to Guns?" The complete answer is not a Boolean "ALLOW" or "DENY", but the more complex "Luke and Obi-wan can but R2D2 and C3PO cannot." phpGACL is not designed to return that kind of answer.
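The resolution walk from the two worked examples and the two "interesting points" (undefined ARO, ACO no node mentions) and the note on groups, as an added model written for this page; it is not phpGACL's own code or API. The ARO tree, the rule table and the `Droids` group are constructed here to match the manual's Millennium Falcon scenario.

```python
from typing import Dict, List, Optional, Tuple

# Constructed ARO tree mirroring the manual's Millennium Falcon example:
# each group maps to its children; leaves are individual AROs.
ARO_TREE: Dict[str, List[str]] = {
    "Millennium Falcon Passengers": ["Passengers", "Crew"],
    "Passengers": ["Jedi", "Droids"],
    "Jedi": ["Luke", "Obi-wan"],
    "Droids": ["R2D2", "C3PO"],
    "Crew": ["Han", "Chewie"],
}
ROOT = "Millennium Falcon Passengers"

# Explicit access controls: (ARO node, ACO) -> True for ALLOW, False for DENY.
RULES: Dict[Tuple[str, str], bool] = {
    ("Passengers", "Lounge"): True,
    ("Crew", "Engines"): True,
    ("Chewie", "Engines"): False,  # over-rides the Crew rule further down the tree
    ("Jedi", "Guns"): True,
}

def is_group(aro: str) -> bool:
    """A group is any node that has children in the ARO tree."""
    return aro in ARO_TREE

def path_to(aro: str, node: str = ROOT) -> Optional[List[str]]:
    """Depth-first search for the root-to-ARO path; None if the ARO is undefined."""
    if node == aro:
        return [node]
    for child in ARO_TREE.get(node, []):
        sub = path_to(aro, child)
        if sub is not None:
            return [node] + sub
    return None

def acl_check(aro: str, aco: str, default: bool = False) -> bool:
    """Walk from the root towards `aro`; the last explicit rule for `aco` wins.
    An undefined ARO, or an ACO no node mentions, leaves the default (DENY)."""
    if is_group(aro):
        # The manual's note: a group has no single ALLOW/DENY answer.
        raise ValueError(f"{aro!r} is a group, not an individual ARO")
    result = default
    for node in path_to(aro) or []:
        if (node, aco) in RULES:
            result = RULES[(node, aco)]
    return result
```

`acl_check("Luke", "Lounge")` follows Example 1 to ALLOW, `acl_check("Chewie", "Engines")` follows Example 2 to DENY, and both "Jabba"/"Cockpit" and "Luke"/"Bathroom" fall through to the default DENY.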
