public function __invoke(MvcAuthEvent $mvcAuthEvent)
{
/** @var AclAuthorization $authorization */
$authorization = $mvcAuthEvent->getAuthorizationService();
$authenticaton = $mvcAuthEvent->getAuthenticationService();
/**
* Regardless of how our configuration is currently through via the Apigility UI,
* we want to ensure that the default rule for the service we want to give access
* to a particular identity has a DENY BY DEFAULT rule.
*
* Naturally, if you have many versions, or many methods, you would want to build
* some kind of logic to build all the possible strings, and push these into the
* ACL. If this gets too cumbersome, writing an assertion would be the next best
* approach.
*/
$authorization->deny(null, 'DbApi\\V1\\Rest\\User\\Controller::collection', 'GET');
$authorization->deny(null, 'DbApi\\V1\\Rest\\User\\Controller::entity', 'GET');
if ($authenticaton->hasIdentity() && $authenticaton->getIdentity()->getAuthenticationIdentity()) {
/** @var \ZF\MvcAuth\Identity\IdentityInterface $currentUser */
$currentUser = $authenticaton->getIdentity()->getAuthenticationIdentity();
/**
* Now, add the name of the identity in question as a role to the ACL
*/
$authorization->addRole($currentUser['user_id']);
/**
* Next, assign the particular privilege that this identity needs.
*/
$authorization->allow($currentUser['user_id'], 'DbApi\\V1\\Rest\\User\\Controller::entity', 'GET');
}
}
public function authorization(MvcAuthEvent $event)
{
/** @var \ZF\MvcAuth\Identity\AuthenticatedIdentity $identity */
$identity = $event->getIdentity();
if (!$identity instanceof IdentityInterface || $identity instanceof GuestIdentity) {
return;
}
$method = $event->getMvcEvent()->getRequest()->getMethod();
/** @var \ZF\MvcAuth\Authorization\AclAuthorization $authorization */
$authorization = $event->getAuthorizationService();
$sl = $event->getMvcEvent()->getApplication()->getServiceManager();
/** @var \Zend\Permissions\Acl\Assertion\AssertionInterface $resourceAssertion */
$resourceAssertion = $sl->get('Zfegg\\Admin\\MvcAuth\\Authorization\\ResourceAssertion');
if (!$authorization->hasRole($identity)) {
$authorization->addRole($identity);
}
if (!$authorization->hasResource($event->getResource())) {
$authorization->addResource($event->getResource());
}
$authorization->deny($identity, $event->getResource(), $method, $resourceAssertion);
}
/**
* Attempt to authorize the discovered identity based on the ACLs present
*
* @param MvcAuthEvent $mvcAuthEvent
* @void
*/
public function __invoke(MvcAuthEvent $mvcAuthEvent)
{
$imageService = $this->getServiceLocator()->get('AqilixAPI\\Image\\Service\\Image');
$authService = $mvcAuthEvent->getAuthorizationService();
$config = $this->getServiceLocator()->get('Config')['authorization'];
$imageService->setUser($this->getServiceLocator()->get('image.authenticated.user'));
$identity = $mvcAuthEvent->getIdentity();
if ($identity instanceof \ZF\MvcAuth\Identity\GuestIdentity) {
return;
}
// resource:method
$requestedResource = $mvcAuthEvent->getResource() . ':' . $mvcAuthEvent->getMvcEvent()->getRequest()->getMethod();
foreach ($config['scopes'] as $scope => $scopeConfig) {
$resource = $scopeConfig['resource'] . ':' . $scopeConfig['method'];
// if authorization resource equals to requested resource
if ($resource == $requestedResource) {
// check scope in identity
if (!in_array($scope, explode(' ', $identity->getAuthenticationIdentity()['scope']))) {
return $mvcAuthEvent->getMvcEvent()->getResponse()->setStatusCode(401);
}
}
}
}
public function testGetAuthorizationService()
{
$this->assertInstanceOf('Zend\\Permissions\\Acl\\Acl', $this->mvcAuthEvent->getAuthorizationService());
}