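/**
 * Front-controller hook: refresh the identity's last-login stamp and gate
 * the admin area through the ACL.
 *
 * Requests that touch neither the admin module nor an "admin" controller
 * pass through after the last-login update. Admin requests by anonymous
 * users are redirected to the admin login page; the user profile action is
 * open to every logged-in user; everything else is checked against the ACL
 * under the fixed "logged in user" role.
 *
 * @param Zend_Controller_Request_Abstract $request
 * @return void
 * @throws FansubCMS_Exception_Denied when the ACL knows the resource and denies the action
 */
public function preDispatch(Zend_Controller_Request_Abstract $request)
{
    $this->_initAcl();

    // Touch last_login on every request made by an authenticated identity.
    if ($this->_auth->hasIdentity()) {
        $ident = $this->_auth->getIdentity();
        $date = new Zend_Date();
        $ident->last_login = $date->get(DATABASE_DATE_FORMAT);
        $ident->save();
    }

    $module     = $request->getModuleName();
    $controller = $request->getControllerName();
    $action     = $request->getActionName();

    // Only the admin module or an "admin" controller is gated; everything else is free.
    if ($controller !== 'admin' && $module !== 'admin') {
        return;
    }

    $isAdminLogin = ($module === 'admin' && $controller === 'auth' && $action === 'login');
    if (!$this->_auth->hasIdentity() && !$isAdminLogin) {
        $redirect = new Zend_Controller_Action_Helper_Redirector();
        $redirect->gotoSimple('login', 'auth', 'admin');
        // gotoSimple() normally exits; return explicitly so the ACL check below can
        // never run for an anonymous request if the helper's exit flag is off.
        return;
    }

    // The profile page is a free resource for any logged-in user.
    if ($module === 'user' && $controller === 'admin' && $action === 'profile') {
        return;
    }

    $resource = $module . '_' . $controller;
    // NOTE(review): resources the ACL does not know pass through (fail-open);
    // a controller must be registered in the ACL to be protected at all.
    if ($this->_acl->has($resource)
        && !$this->_acl->isAllowed('fansubcms_user_custom_role_logged_in_user', $resource, $action)
    ) {
        throw new FansubCMS_Exception_Denied('The user is not allowd to do this');
    }
}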
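/**
 * Front-controller hook: resolve the current role and rewrite the request to
 * the login action when the ACL denies the requested controller/action.
 *
 * On denial the original controller/action and the remaining user params
 * (flattened to a "key/value/key/value/" fragment) are stored on the request
 * so the login page can send the user back, and the response code is 401.
 *
 * @param Zend_Controller_Request_Abstract $oHttpRequest
 * @return void
 */
public function preDispatch(Zend_Controller_Request_Abstract $oHttpRequest)
{
    $sControllerName = $oHttpRequest->getControllerName();
    $sActionName     = $oHttpRequest->getActionName();

    $aRequestedParams = $oHttpRequest->getUserParams();
    unset($aRequestedParams['controller'], $aRequestedParams['action']);

    // Resolve the role: the stored identity's role, or 'guest' when nobody is
    // logged in. An identity without a 'role' entry also falls back to 'guest'
    // (least privilege) instead of handing a null role to the ACL.
    $sRole = 'guest';
    if (Zend_Auth::getInstance()->hasIdentity()) {
        $aData = Zend_Auth::getInstance()->getStorage()->read();
        if (isset($aData['role'])) {
            $sRole = $aData['role'];
        }
    }

    if ($this->_oAcl->isAllowed($sRole, $sControllerName, $sActionName)) {
        return;
    }

    // Denied: remember where the user wanted to go, then route to the login action.
    $oHttpRequest->setParam('referer_controller', $sControllerName);
    $oHttpRequest->setParam('referer_action', $sActionName);

    // Flatten the leftover params into a "k/v/k/v/" fragment. These are raw,
    // user-supplied values; whatever consumes 'query' must treat them as untrusted.
    $sQuery = '';
    if (count($aRequestedParams)) {
        $aParams = array();
        foreach ($aRequestedParams as $sKey => $sValue) {
            $aParams[] = $sKey;
            $aParams[] = $sValue;
        }
        $sQuery = implode('/', $aParams) . '/';
    }
    $oHttpRequest->setParam('query', $sQuery);

    $oHttpRequest->setControllerName('auth')->setActionName('login');
    $this->_response->setHttpResponseCode(401);
}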
/**
 * Attach the ACL and make sure this object is registered as a resource.
 *
 * When the resource is not yet known to the ACL it is added, and the guest
 * role is denied 'view' and 'delete' on it.
 *
 * @param Zend_Acl $acl
 * @return void
 */
public function setAcl(Zend_Acl $acl)
{
    $resourceKnown = $acl->has($this->getResourceId());
    if (false === $resourceKnown) {
        $acl->add($this);
        $acl->deny(Model_Role::GUEST, $this, array('view', 'delete'));
    }
    $this->_acl = $acl;
}
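/**
 * Load the per-role page permissions from the database into the ACL.
 *
 * Every row returned by listaPermissaoPapel() grants the role `nome` the
 * action `NM_PAGINA` on the 'index' resource, plus the actions every role
 * needs to reach the entry, logout and error pages.
 *
 * @return void
 */
protected function _setupPrivileges()
{
    $menu = new Application_Model_DbTable_MenuPermissaoPerfil();
    $listaPermissao = $menu->listaPermissaoPapel();

    // NOTE(review): roles are assumed to be registered in the ACL before this
    // runs (Zend_Acl::allow() throws for an unknown role) — confirm in the caller.
    foreach ($listaPermissao as $permissao) {
        $this->_acl->allow(
            $permissao["nome"],
            'index',
            array($permissao["NM_PAGINA"], 'index', 'logout', 'error', 'forbidden')
        );
    }
}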
/**
 * Check the acl
 *
 * Returns null (not false) when no ACL has been attached yet, so a caller
 * can tell "not configured" apart from "denied".
 *
 * @param string $resource
 * @param string $privilege
 * @return boolean|null
 */
public function isAllowed($resource = null, $privilege = null)
{
    if ($this->_acl === null) {
        return null;
    }
    $role = $this->getIdentity();
    return $this->_acl->isAllowed($role, $resource, $privilege);
}
/**
 * Get acl for role
 *
 * Builds, and memoises per role id, a Zend_Acl that knows every resource id
 * from getResources(), the role's parents (when the role exposes
 * self::PARENTS_METHOD) and the rules from addRules() for parents and role.
 *
 * @param Zend_Acl_Role_Interface $role
 * @return Zend_Acl
 */
public function getAcl(Zend_Acl_Role_Interface $role)
{
    $roleId = $role->getRoleId();
    if (isset($this->cache[$roleId])) {
        return $this->cache[$roleId];
    }

    $acl = new Zend_Acl();

    // Register every known resource id.
    foreach (array_keys($this->getResources()) as $resourceId) {
        $acl->addResource($resourceId);
    }

    // Register parent roles first (when the role can enumerate them) so the
    // role itself can inherit from them below. Stays null when there are none.
    $parents = null;
    $parentsMethod = self::PARENTS_METHOD;
    if (method_exists($role, $parentsMethod)) {
        foreach ($role->{$parentsMethod}() as $parent) {
            $parents[] = $parent;
            $acl->addRole($parent);
            $this->addRules($acl, $parent);
        }
    }

    $acl->addRole($role, $parents);
    $this->addRules($acl, $role);

    $this->cache[$roleId] = $acl;
    return $acl;
}
/**
 * Whether the current identity (or 'guest') may perform $action on $resource.
 *
 * Resources the ACL does not know are denied.
 *
 * @param string $resource
 * @param string $action
 * @return boolean
 */
protected function _isAuthorized($resource, $action)
{
    $role = 'guest';
    if ($this->_auth->hasIdentity()) {
        $role = $this->_auth->getIdentity();
    }
    return $this->_acl->has($resource)
        && $this->_acl->isAllowed($role, $resource, $action);
}
/**
 * ACL check that tolerates unknown resources.
 *
 * A resource the ACL does not know is replaced by null, i.e. the check is
 * made against the "all resources" rules instead of throwing.
 *
 * NOTE(review): the arguments are forwarded as (resource, privilege, role).
 * Zend_Acl::isAllowed() itself takes (role, resource, privilege); this only
 * works if $this->_acl is a wrapper with the same parameter order as this
 * method — confirm.
 *
 * @param string|Zend_Acl_Resource_Interface|null $resource
 * @param string|null $privilege
 * @param string|Zend_Acl_Role_Interface|null $role
 * @return boolean
 */
public function isAllowed($resource = null, $privilege = null, $role = null)
{
    $known = $this->_acl->has($resource);
    return $this->_acl->isAllowed($known ? $resource : null, $privilege, $role);
}
/**
 * Build the base ACL: an 'everyone' role with 'blocked' and 'self' inheriting from it.
 *
 * @return Zend_Acl
 */
public static function getAcl()
{
    $acl = new Zend_Acl();
    $acl->addRole(new Zend_Acl_Role('everyone'));
    foreach (array('blocked', 'self') as $childId) {
        $acl->addRole(new Zend_Acl_Role($childId), 'everyone');
    }
    return $acl;
}
/**
 * A regular user ('foo') must not be allowed to update the admin's profile.
 */
public function testDeniesProfileEditToNonAdmin()
{
    $mapper  = new Default_Model_Mapper_Mongo_UserMapper();
    $actor   = $mapper->findByUserName('foo');
    $target  = $mapper->findByUserName('admin');
    $allowed = $this->_acl->isAllowed($actor, $target, 'update');
    $this->assertFalse($allowed);
}
/**
 * Whether the current role may reach the given action/controller/module page.
 *
 * The page is mapped to an ACL resource by
 * ZtChart_Model_Acl_Resource::parsePageMvc(). Pages the ACL does not know
 * are allowed (fail-open): only registered resources are protected.
 * $params is accepted for signature compatibility but not consulted.
 *
 * @param string $action
 * @param string $controller
 * @param string $module
 * @param array $params
 * @return boolean
 */
public function isAllowed($action, $controller, $module, $params = array())
{
    $resource = ZtChart_Model_Acl_Resource::parsePageMvc($action, $controller, $module);
    if (!$this->_acl->has($resource)) {
        return true;
    }
    $role = $this->_role();
    $privileges = $this->_privileges();
    return $this->_acl->isAllowed($role, $resource, $privileges);
}
/**
 * Get ACL lists
 *
 * Lazily builds the ACL: resources admin/kap/members, roles guest < kap <
 * admin, deny-by-default, admin on everything, kap on its own area plus
 * members, guest on a fixed set of members pages.
 *
 * @return Zend_Acl
 */
public function getAcl()
{
    if ($this->_acl === null) {
        $acl = new Zend_Acl();

        foreach (array('admin', 'kap', 'members') as $resourceId) {
            $acl->add(new Zend_Acl_Resource($resourceId));
        }

        $acl->addRole(new Zend_Acl_Role('guest'));
        $acl->addRole(new Zend_Acl_Role('kap'), 'guest');
        $acl->addRole(new Zend_Acl_Role('admin'), 'kap');

        // Explicit global deny, then whitelist per role.
        $acl->deny();
        $acl->allow('admin', 'admin');
        $acl->allow('admin', 'members');
        $acl->allow('admin', 'kap');
        $acl->allow('kap', 'kap');
        $acl->allow('kap', 'members');
        $acl->allow('guest', 'members', array('index', 'team', 'player', 'turnir', 'old', 'regno'));

        $this->_acl = $acl;
    }
    return $this->_acl;
}
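/**
 * applyPermissions() must register the 'guest' role and grant it 'documents'.
 *
 * The first isAllowed() call is expected to throw because the role is not
 * registered yet. It is wrapped in try/catch rather than
 * setExpectedException() so the test continues to the real assertion
 * instead of ending as soon as the exception is thrown.
 */
public function testApplyPermissions()
{
    $acl = new Zend_Acl();

    try {
        $acl->isAllowed($this->guestRole, 'documents');
        $this->fail("Expected Zend_Acl_Role_Registry_Exception for unregistered role 'guest'");
    } catch (Zend_Acl_Role_Registry_Exception $e) {
        // expected: the role is unknown until applyPermissions() runs
    }

    $roleConfig = new Application_Security_RoleConfig('guest');
    $roleConfig->applyPermissions($acl);

    $this->assertTrue(
        $acl->isAllowed($this->guestRole, 'documents'),
        "Expected role 'guest' can access resource 'documents'"
    );
}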
/**
 * Whether the authenticated identity may perform $action on $controller.
 *
 * The ACL is (re)loaded from Zend_Registry on every call; resources the
 * ACL does not know are denied.
 *
 * NOTE(review): with nobody logged in, getIdentity() returns null and a null
 * role is handed to the ACL — confirm this is intended rather than a 'guest'
 * role.
 *
 * @param string $controller
 * @param string $action
 * @return boolean
 */
protected function _isAuthorized($controller, $action)
{
    $this->_acl = Zend_Registry::get('acl');
    $role = $this->_auth->getIdentity();
    $knownResource = $this->_acl->has($controller);
    return $knownResource && $this->_acl->isAllowed($role, $controller, $action);
}
/**
 * Checks if user has the right to do privilege on resource
 *
 * The ACL is pulled from Zend_Registry on first use and kept in a static.
 * Resources the ACL does not know are allowed (fail-open); every check is
 * made for the fixed logged-in-user role.
 *
 * @param Zend_Acl_Resource $resource
 * @param string $privilege
 * @return boolean
 */
public function isAllowed($resource, $privilege)
{
    if (empty(self::$_acl)) {
        self::$_acl = Zend_Registry::get('Zend_Acl');
    }
    $acl = self::$_acl;
    if (!$acl->has($resource)) {
        return true;
    }
    $role = 'fansubcms_user_custom_role_logged_in_user';
    return $acl->isAllowed($role, $resource, $privilege);
}
/**
 * Get ACL lists
 *
 * Lazily builds the ACL for the 'page' resource: guest may view, member
 * (extends guest) may comment, administrator (extends member) may add, edit,
 * delete and buildindex. Everything else is denied.
 *
 * @return Zend_Acl
 */
public function getAcl()
{
    if ($this->_acl !== null) {
        return $this->_acl;
    }

    $acl = new Zend_Acl();
    $this->_loadAclClasses();

    $acl->add(new Zend_Acl_Resource('page'));
    $acl->addRole(new Brightfame_Acl_Role_Guest());
    $acl->addRole(new Brightfame_Acl_Role_Member(), 'guest');
    $acl->addRole(new Brightfame_Acl_Role_Administrator(), 'member');

    $acl->deny();
    $grants = array(
        'guest'         => array('view'),
        'member'        => array('comment'),
        'administrator' => array('add', 'edit', 'delete', 'buildindex'),
    );
    foreach ($grants as $roleId => $privileges) {
        $acl->allow($roleId, 'page', $privileges);
    }

    $this->_acl = $acl;
    return $this->_acl;
}
/**
 * Get an ACL object for this post.
 *
 * For now this is generic for all posts, but in the future may be post
 * specific
 *
 * Roles: guest, user (extends guest), admin. Guests (and therefore users)
 * may 'view' and 'comment' on any resource; admin is allowed everything.
 *
 * @return Zend_Acl
 */
public function getAcl()
{
    $acl = new Zend_Acl();

    $acl->addRole('guest');
    $acl->addRole('user', 'guest');
    $acl->addRole('admin');

    $guestPrivileges = array('view', 'comment');
    $acl->allow('guest', null, $guestPrivileges);
    $acl->allow('admin');

    return $acl;
}
/**
 * Decide whether the current request may proceed.
 *
 * The resource and its role privileges are loaded via User_Model_Acl_Resource,
 * a throw-away Zend_Acl is built from them, and the authenticated user's
 * role_id (or the configured default role when nobody is logged in) is
 * checked against that resource. Any lookup failure yields false.
 *
 * @param Zend_Controller_Request_Abstract $request
 * @return boolean
 */
public function checkAccess(Zend_Controller_Request_Abstract $request)
{
    $resource = new User_Model_Acl_Resource();
    $resource->getPrivileges($request);

    // No privileges or no resource id: nobody may pass (caller redirects to forbidden).
    if (!$resource->privileges || !$resource->resource_id) {
        return false;
    }

    $acl = new Zend_Acl();
    $acl->add(new Zend_Acl_Resource($resource->resource_id));
    foreach ($resource->privileges as $privilege) {
        $roleId = $privilege["role_id"];
        if ($acl->hasRole($roleId)) {
            continue;
        }
        $acl->addRole(new Zend_Acl_Role($roleId));
        $acl->allow($roleId, $resource->resource_id);
    }

    $authorization = Zend_Auth::getInstance();
    if ($authorization->hasIdentity()) {
        $user = $authorization->getIdentity();
        $userRole = $user['role_id'];
        // Only roles listed for this resource exist in the throw-away ACL.
        return $acl->hasRole($userRole) && $acl->isAllowed($userRole, $resource->resource_id);
    }

    // Anonymous: fall back to the configured default role.
    $aclrole = new User_Model_Acl_Role();
    $aclrole->getDefaultRole();
    $defaultRole = $aclrole->default_role;
    if (!$defaultRole) {
        return false;
    }
    return $acl->hasRole($defaultRole) && $acl->isAllowed($defaultRole, $resource->resource_id);
}
/**
 * Build a single-role ACL from $aclInfo, when given.
 *
 * $aclInfo['role'] becomes the role and $aclInfo['privileges'] is allowed for
 * that role on every resource. With an empty $aclInfo nothing is set up.
 * $options is accepted but not used.
 *
 * @param array|null $aclInfo
 * @param array|null $options
 */
public function __construct($aclInfo = null, $options = null)
{
    if (empty($aclInfo)) {
        return;
    }

    $acl = new Zend_Acl();
    $this->_role = $aclInfo['role'];
    $privileges = $aclInfo['privileges'];

    $acl->addRole(new Zend_Acl_Role($this->_role));
    $acl->allow($this->_role, null, $privileges);
    $this->_acl = $acl;
}
/**
 * Initialises the ACL together with its permissions.
 *
 * Every controller from resources() is added as a resource and its actions
 * are allowed for all roles (null role).
 *
 * @author Alex Oliveira <*****@*****.**>
 * @version 1.0
 *
 * @return Zend_Acl
 */
protected static function init()
{
    $acl = new Zend_Acl();

    # TODO (carried over): replace the null role with the permission type
    # {public, protected, private}; null currently grants every role.
    foreach (self::resources() as $controller => $actions) {
        $acl->addResource(new Zend_Acl_Resource($controller));
        $acl->allow(null, $controller, $actions);
    }

    return $acl;
}
/**
 * ItemTable::getSelect() must only add the "public" filter once an ACL that
 * denies 'showNotPublic' on Items is registered on the bootstrap container.
 */
public function testGetSelectAclIntegration()
{
    // Without an ACL the select is unrestricted.
    $unrestricted = (string) $this->table->getSelect();
    $this->assertEquals("SELECT items.* FROM omeka_items AS items", $unrestricted);

    // With an ACL denying showNotPublic for every role, non-public items are filtered out.
    $acl = new Zend_Acl();
    $acl->add(new Zend_Acl_Resource('Items'));
    $acl->deny(null, 'Items', 'showNotPublic');
    $bootstrap = Zend_Registry::get('bootstrap');
    $bootstrap->getContainer()->acl = $acl;

    $restricted = (string) $this->table->getSelect();
    $this->assertContains("WHERE (items.public = 1)", $restricted);
}
/**
 * A role that is allowed on the requested resource keeps the original
 * module/controller/action after preDispatch().
 */
public function testShouldAllowAccessForCorrectRole()
{
    $this->request
        ->setModuleName('admin')
        ->setControllerName('index')
        ->setActionName('index');

    $this->acl->addResource('admin_index');
    $this->acl->allow(Acl::ROLE_GUEST, 'admin_index');

    $plugin = new Acl($this->acl);
    $plugin->setRequest($this->request);
    $plugin->preDispatch();

    // The request must be untouched.
    $this->assertEquals('admin', $this->request->getModuleName());
    $this->assertEquals('index', $this->request->getControllerName());
    $this->assertEquals('index', $this->request->getActionName());
}
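/**
 * Grant the current role every controller/action pair returned for it.
 *
 * The previous version echoed each role/controller/action while building
 * the ACL; that debug output leaked permission data into the response and
 * could break header sending, so it has been removed.
 *
 * @return void
 */
protected function _setupPrivileges()
{
    $userAllowedResources = $this->ca->getupPrivileges($this->id_role);
    foreach ($userAllowedResources as $controller => $actions) {
        $allowedActions = array();
        foreach ($actions as $action) {
            $allowedActions[] = $action;
        }
        $this->_acl->allow($this->role, $controller, $allowedActions);
    }
}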
/**
 * With only a 'guest' role registered, a request for module '1',
 * controller '2', action '3' is rewritten to default/error/denied.
 */
public function testPreDispatch()
{
    $this->acl->addRole('guest');

    $request = new Zend_Controller_Request_Http();
    $request->setModuleName('1')
        ->setControllerName('2')
        ->setActionName('3');

    $this->object->preDispatch($request);

    self::assertEquals('default', $request->getModuleName());
    self::assertEquals('error', $request->getControllerName());
    self::assertEquals('denied', $request->getActionName());
}
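/**
 * Append the profile-page rules to $acl.
 *
 * 'everyone' may view and 'self' may edit the resource; 'blocked' is denied
 * everything. When the public-flag setting (site-wide first, otherwise the
 * resource's own 'profile_page_public_flag') equals 4, anonymous users may
 * view as well.
 *
 * @param Zend_Acl $acl
 * @param mixed $resource resource, or null for all; must expose getConfig() when used
 * @return Zend_Acl
 */
public function appendRules(Zend_Acl $acl, $resource = null)
{
    $acl->allow('everyone', $resource, 'view');
    $acl->allow('self', $resource, 'edit');
    $acl->deny('blocked');

    // Initialise so the comparison below never reads an undefined variable
    // when neither source yields a setting.
    $config = null;
    $siteConfig = Doctrine::getTable('SnsConfig')->get('is_allow_config_public_flag_profile_page');
    if ($siteConfig) {
        $config = $siteConfig;
    } elseif ($resource) {
        $config = $resource->getConfig('profile_page_public_flag');
    }

    // Loose comparison on purpose: the setting may come back as the string "4".
    if ($config && 4 == $config) {
        $acl->allow('anonymous', $resource, 'view');
    }

    return $acl;
}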
/**
 * Build the application ACL and publish it in Zend_Registry under 'acl'.
 *
 * Roles: guest, admin. Resources: admin, index. Everything is denied by
 * default; admin gets every resource, guest gets the 'login' privilege on
 * admin and all of index.
 */
public function __construct()
{
    $acl = new Zend_Acl();

    foreach (array('guest', 'admin') as $roleId) {
        $acl->addRole(new Zend_Acl_Role($roleId));
    }
    foreach (array('admin', 'index') as $resourceId) {
        $acl->add(new Zend_Acl_Resource($resourceId));
    }

    $acl->deny();
    $acl->allow('admin', null);
    $acl->allow('guest', 'admin', array('login'));
    $acl->allow('guest', 'index');

    Zend_Registry::set('acl', $acl);
}
/**
 * Wire up the auth service and build the role hierarchy from $this->_roles.
 *
 * @param Zend_Auth|null $auth defaults to Zend_Auth::getInstance()
 */
public function __construct($auth = null)
{
    $this->_auth = ($auth === null) ? Zend_Auth::getInstance() : $auth;

    $acl = new Zend_Acl();
    // $this->_roles is iterated as role id => parent; presumably null for a root role.
    foreach ($this->_roles as $roleId => $parentId) {
        $acl->addRole(new Zend_Acl_Role($roleId), $parentId);
    }
    // No global deny here: Zend_Acl is a whitelist by default.
    $this->_acl = $acl;
}
/**
 * Grant access if the user owns the record or the parent exhibit.
 *
 * The privilege is split into two ACL privileges: "<privilege>All" (may act
 * on any record) and "<privilege>Self" (may act only on own records, as
 * decided by _userOwnsRecord()). Roles that are not a User are always denied.
 *
 * @param Zend_Acl $acl
 * @param Zend_Acl_Role_Interface|null $role
 * @param Zend_Acl_Resource_Interface|null $resource
 * @param string|null $privilege
 * @return boolean
 */
public function assert(Zend_Acl $acl, Zend_Acl_Role_Interface $role = null, Zend_Acl_Resource_Interface $resource = null, $privilege = null)
{
    if (!($role instanceof User)) {
        return false;
    }

    $allPriv  = $privilege . 'All';
    $selfPriv = $privilege . 'Self';

    $allowedAll  = $acl->isAllowed($role, $resource, $allPriv);
    $allowedSelf = $acl->isAllowed($role, $resource, $selfPriv);
    $ownsRecord  = $this->_userOwnsRecord($role, $resource);

    // && binds tighter than ||: "all" wins outright, "self" only together with ownership.
    return $allowedAll || ($allowedSelf && $ownsRecord);
}
/**
 * (non-PHPdoc)
 *
 * Gates requests through the ACL: a request without a usable identity is
 * sent to the admin login; a request the ACL denies is sent to the admin
 * index (logged-in users, with an error param) or to the login page of its
 * module (visitors). Upload controllers/actions are exempt.
 *
 * @see Zend_Controller_Plugin_Abstract::preDispatch()
 */
public function preDispatch(Zend_Controller_Request_Abstract $request)
{
    /**
     * Identity of the logged-in user (used below as an array with a 'usuario' key)
     *
     * @var Array
     */
    $role = $this->auth->getIdentity();

    /**
     * Resource being accessed: the module name
     *
     * @var String
     */
    $resource = $this->getRequest()->getModuleName();

    /**
     * Privilege within the resource: the controller name for the admin and
     * sac modules, null (any) for every other module
     *
     * @var String
     */
    $action = $this->getRequest()->getModuleName() != 'admin' && $this->getRequest()->getModuleName() != 'sac' ? null : $this->getRequest()->getControllerName();

    // Upload controllers/actions are exempt from every check below.
    // NOTE(review): the exemption applies in any module — confirm that is intended.
    if (!($request->getActionName() == 'upload' || $request->getControllerName() == 'upload')) {
        // Anything that is not an array is treated as a stale/garbage identity
        if (!is_array($role)) {
            // Parameters
            $params = array();
            // Destroy any authentication state
            $this->auth->clearIdentity();
            // Rewrite the route to the admin login
            $request->setModuleName('admin')->setControllerName('login')->setActionName('index');
            return;
        }
        // Deny when the resource is unknown to the ACL or the user's role is not allowed
        if (!$this->acl->has($resource) || !$this->acl->isAllowed($role['usuario'], $resource, $action)) {
            // Parameters
            $params = array();
            // Logged-in users go to the admin index with an error message;
            // visitors go to the login page of their module
            if ($role['usuario'] != 'visitante') {
                $params['erro'] = 'Você não possui permissão de acesso a este recurso.';
                $request->setModuleName('admin')->setControllerName('index')->setActionName('index')->setParams($params);
            } else {
                if ($this->getRequest()->getModuleName() == "sac") {
                    $request->setModuleName('sac')->setControllerName('login')->setActionName('index')->setParams($params);
                } else {
                    $request->setModuleName('admin')->setControllerName('login')->setActionName('index')->setParams($params);
                }
            }
            return;
        }
    }
}
/**
 * check if specific roles are allowed to perform specific action on resource
 *
 * A temporary Zend_Acl is assembled per call: one role per entry of $roles,
 * the object as the single resource, the role/permission rows for that
 * object from the ACL table (cached under a key derived from UNIQUE_HASH and
 * the SQL text), a blanket allow for role id 2 (the admin group), and
 * finally a synthetic 'testedRole' inheriting from all given roles, which
 * is the role actually queried.
 *
 * @param $roles (array)roles array
 * @param $permissionName (integer)permission identifier
 * @param $object (integer)object identifier; falsy means object 1, the site "section"
 * @param $defaultDeniedMessage (boolean)should add a default access denied message to flash messanger
 * @return boolean
 */
static function isAllowed($roles, $permissionName, $object = null, $defaultDeniedMessage = true)
{
    $cache = Zend_Registry::get('cache_files');
    $acl = new Zend_Acl();

    # register every role the user has
    $roleIds = array();
    foreach ($roles as $role) {
        $acl->addRole(new Zend_Acl_Role($role->id));
        $roleIds[] = $role->id;
    }

    # no object given: test against object 1, faking the site "section" permission
    if (!$object) {
        $object = 1;
    }

    $select = self::getAclTable()->select()
        ->where('role IN (?)', $roleIds)
        ->where('object = ?', (int) $object);

    # the resource under test
    $acl->add(new Zend_Acl_Resource($object));

    # permission rows for these roles/object, cached by the SQL text
    $cacheKey = md5(UNIQUE_HASH . $select->__toString());
    $permsAvailable = $cache->load($cacheKey);
    if ($permsAvailable === false) {
        $permsAvailable = array();
        #TODO is there a more efficient way to do it instead of casting to array and then casting to object ?
        $rows = self::getAclTable()->fetchAll($select)->toArray();
        foreach ($rows as $row) {
            $permsAvailable[] = (object) $row;
        }
        $cache->save($permsAvailable, $cacheKey, array('acl', 'user_data'));
    }

    # grant what the table says
    if ($permsAvailable) {
        foreach ($permsAvailable as $perm) {
            $acl->allow($perm->role, $perm->object, $perm->permission);
        }
    }

    # admin has access to everything; the admin group has id 2 in the db
    # (loose in_array kept: role ids may arrive as strings — presumably)
    if (in_array(2, $roleIds)) {
        $acl->allow(2);
    }

    # the queried role inherits every privilege of the user's roles
    $acl->addRole(new Zend_Acl_Role('testedRole'), $roleIds);

    $result = $acl->isAllowed('testedRole', $object, $permissionName);
    if (!$result && $defaultDeniedMessage) {
        $messages = Zend_Controller_Action_HelperBroker::getStaticHelper('Messages');
        $messages->errors = 'e_permission_too_low';
    }
    return $result;
}