The data return when access is not permitted will vary by adapter, but it is
ideal to have a "message" and a "redirect" so that a user can be notified
about why they were denied access and so they can be redirected somewhere to,
perhaps, login.
| public static check ( string $name, mixed $user, mixed $params, array $options = [] ) : Array | ||
| $name | string | The name of the `Access` configuration/adapter to check against. |
| $user | mixed | The user data array that holds all necessary information about the user requesting access. Or `false` (because `Auth::check()` can return `false`). |
| $params | mixed | The Lithium `Request` object, or an array with at least 'request', and 'params' |
| $options | array | An array of additional options. |
| return | Array | An empty array if access is allowed and an array with reasons for denial if denied. |
public function testNoConfigurations()
{
Access::reset();
$this->assertIdentical(array(), Access::config());
$this->expectException("Configuration `test_no_config` has not been defined.");
Access::check('test_no_config', false, new Request());
}
public function testCheck()
{
$request = new Request();
$result = Access::check('test_access', array('username' => 'Tom'), $request);
$this->assertEqual(array(), $result);
$expected = array('message' => 'Access denied.', 'redirect' => '/login');
$result = Access::check('test_access', false, $request, array('redirect' => '/login', 'message' => 'Access denied.'));
$this->assertEqual($expected, $result);
}
public function testAdd() {
$request = new Request();
// The add() method to add a rule
Access::adapter('test_rulebased')->add('testDeny', function($requester, $request, $options) {
return false;
});
$rules = array(
array('rule' => 'testDeny', 'message' => 'Access denied.')
);
$expected = array('rule' => 'testDeny', 'message' => 'Access denied.', 'redirect' => '/');
$result = Access::check('test_rulebased', array('username' => 'Tom'), $request, array('rules' => $rules));
$this->assertEqual($expected, $result);
// Make sure the rule got added to the $_rules property
$this->assertTrue(is_callable(Access::adapter('test_rulebased')->getRules('testDeny')));
$this->assertTrue(is_array(Access::adapter('test_rulebased')->getRules()));
}
public function testNoRolesConfigured() {
$request = new Request();
$config = Access::config('test_no_roles_configured');
$request->params = array('controller' => 'Tests', 'action' => 'granted');
$this->assertTrue(empty($config['roles']));
$this->expectException('No roles defined for adapter configuration.');
Access::check('test_no_roles_configured', array('guest' => null), $request);
}
use li3_access\security\Access;
use li3_flash_message\extensions\storage\FlashMessage;
// Adding the library here if it hasn't already been added.
if (!class_exists('li3_access\\security\\Access')) {
Libraries::add('li3_access');
}
Dispatcher::applyFilter('_callable', function ($self, $params, $chain) {
// Run other filters first. This allows this one to not exactly be overwritten or excluded...But it does allow for a different login action to be used...
// TODO: Perhaps allow this to be skipped...
$next = $chain->next($self, $params, $chain);
$request = $params['request'];
$action = $request->action;
$user = Auth::check('li3b_user');
// Protect all admin methods except for login and logout.
if ($request->admin === true && $action != 'login' && $action != 'logout') {
$action_access = Access::check('default', $user, $request, array('rules' => array('allowManagers')));
if (!empty($action_access)) {
FlashMessage::write($action_access['message'], 'default');
if ($user) {
header('Location: ' . Router::match($action_access['redirect']));
} else {
header('Location: ' . Router::match(array('library' => 'li3b_users', 'controller' => 'users', 'action' => 'login')));
}
// None shall pass.
exit;
}
}
// Sets the current user in each request for convenience.
$params['request']->user = $user;
return $next;
// return $chain->next($self, $params, $chain);
public function testOptionOverride() {
$expected = array(
'message' => 'Rule access denied message.',
'redirect' => '/',
'options' => array(
'class' => 'notice'
)
);
$result = Access::check('test_option_override', null, $this->_request, array('whatt'));
$this->assertIdentical($expected, $result);
}
public function getDocument($options=array()) {
$defaults = array('action' => null, 'request' => null, 'find_type' => 'first', 'conditions' => array(), 'limit' => null, 'offset' => 0, 'order' => 'created.desc');
$options += $defaults;
extract($options);
// $action=null, $request=null, $find_type='first', $conditions=array(), $limit=null, $offset=0, $order=null
// 1. Determine the proper model to be using
$controller = $request->params['controller'];
$controller_pieces = explode('.', $controller);
if(count($controller_pieces) > 1) {
$controller = end($controller_pieces);
}
$model = Inflector::classify(Inflector::singularize($controller));
$modelClass = 'minerva\models\\'.$model;
$library = null;
$library_name_haystack = array();
// if the action is read, update, or delete then the document will be able to tell us the library name
if(($request->params['action'] == 'read') || ($request->params['action'] == 'update') || ($request->params['action'] == 'delete')) {
// could be using the MongoId or the pretty URL in the route. Both work, but prefer the URL if set and there's no need to use both.
$conditions = array();
if(isset($request->params['id'])) {
$conditions = array('_id' => $request->params['id']);
}
if(isset($request->params['url'])) {
$conditions = array('url' => $request->params['url']);
}
$record = $modelClass::first(array('request_params' => $request->params, 'conditions' => $conditions, 'fields' => $this->library_fields));
$library_name_haystack = ($record) ? $record->data():array();
} else {
// otherwise for index and create methods the library name is passed in the routes. as page_type or user_type or block_type
$library_name_haystack = $request->params;
}
// get the library name
foreach($this->library_fields as $field) {
if(in_array($field, array_keys($library_name_haystack))) {
$library = $library_name_haystack[$field];
}
}
$class = '\minerva\libraries\\'.$library.'\models\\'.$model;
// Don't load the model if it doesn't exist
if(class_exists($class)) {
// instantiate it so it can apply its properties to the base model along with any filters, etc.
$modelClass = new $class();
}
// 2. Authentication & Access Check for Core Minerva Controllers
// (properties set in model for core controllers) ... transfer those settings to the controller
$controller_pieces = explode('::', $action);
if(count($controller_pieces) > 1) {
$action = $controller_pieces[1];
}
$controllerClass = '\minerva\controllers\\'.$controller.'Controller';
// If the $controllerClass doesn't exist, it means it's a controller that Minerva doesn't have. That means it's not core and the access can be set there on that controller.
if((isset($modelClass::$access)) && (class_exists($controllerClass))) {
// Don't completely replace core Minerva controller with new access rules, but append all the rules (giving the library model's access property priority)
$controllerClass::$access = $modelClass::$access += $controllerClass::$access;
}
// Get the rules for this action
$rules = (isset($controllerClass::$access[$request->params['action']])) ? $controllerClass::$access[$request->params['action']]:array();
// Check access for the action in general
$action_access = Access::check('minerva_access', Auth::check('minerva_user'), $request, array('rules' => $rules['action']));
if(!empty($action_access)) {
FlashMessage::set($action_access['message'], array('options' => array('type' => 'error', 'pnotify_title' => 'Error', 'pnotify_opacity' => '.8')));
$this->redirect($action_access['redirect']);
}
// Before getting documents, make sure the calling method actually wanted to get documents.
if($find_type === false) {
return true;
}
/**
* 3. Get Document(s)
* If we're here, we now need to get the document(s) to determine any document based access
* and we'll return the document(s) back to the controller too.
*/
$document = $modelClass::find($find_type, array(
'conditions' => $conditions,
'limit' => $limit,
'order' => Util::format_dot_order($order),
'request_params' => $request->params // this is not used for Lithium's find() but gives some useful data if find() is filtered
));
// 4. Document Access Control
if($document) {
// add the document to the document access rules so it can be checked against
$i=0;
foreach($rules as $rule) {
$rules['document'][$i] = $document->data();
$i++;
}
$document_access = Access::check('minerva_access', Auth::check('minerva_user'), $request, array('rules' => $rules['document']));
if(!empty($document_access)) {
FlashMessage::set($document_access['message'], array('options' => array('type' => 'error', 'pnotify_title' => 'Error', 'pnotify_opacity' => '.8')));
$this->redirect($document_access['redirect']);
}
}
//read()
// $document = $modelClass::find('first', array('conditions' => array('url' => $url), 'request_params' => $this->request->params));
// modelClass will either be a core Minerva model class or the extended matching library model class
return $document;
}
