private function addAllowAndDeny(Acl $acl)
{
foreach ($this->config as $roleName => $roleConfig) {
$allowList = isset($roleConfig['allow']) ? $roleConfig['allow'] : [];
foreach ($allowList as $resource => $privilegeList) {
if (empty($privilegeList)) {
$acl->allow($roleName, strtolower($resource));
} else {
foreach ((array) $privilegeList as $privilege) {
$acl->allow($roleName, strtolower($resource), strtolower($privilege));
}
}
}
$denyList = isset($roleConfig['deny']) ? $roleConfig['deny'] : [];
foreach ($denyList as $resource => $privilegeList) {
if (empty($privilegeList)) {
$acl->deny($roleName, strtolower($resource));
} else {
foreach ((array) $privilegeList as $privilege) {
$acl->deny($roleName, strtolower($resource), strtolower($privilege));
}
}
}
}
}
/**
* @return Acl
*/
protected function roleAcl()
{
if (!$this->roleAcl) {
$id = $this->objId();
$this->roleAcl = new Acl();
$this->roleAcl->addRole(new Role($id));
$this->roleAcl->addResource(new Resource('admin'));
$q = '
select
`denied`,
`allowed`,
`superuser`
from
`charcoal_admin_acl_roles`
where
ident = :id';
$db = \Charcoal\App\App::instance()->getContainer()->get('database');
$sth = $db->prepare($q);
$sth->bindParam(':id', $id);
$sth->execute();
$permissions = $sth->fetch(\PDO::FETCH_ASSOC);
$this->roleAllowed = explode(',', trim($permissions['allowed']));
$this->roleDenied = explode(',', trim($permissions['denied']));
foreach ($this->roleAllowed as $allowed) {
$this->roleAcl->allow($id, 'admin', $allowed);
}
foreach ($this->roleDenied as $denied) {
$this->roleAcl->deny($id, 'admin', $denied);
}
}
return $this->roleAcl;
}
public function doAuthorization($e)
{
//setting ACL...
$acl = new Acl();
//add role ..
$acl->addRole(new Role('anonymous'));
$acl->addRole(new Role('user'), 'anonymous');
$acl->addRole(new Role('admin'), 'user');
$acl->addResource(new Resource('Application'));
$acl->addResource(new Resource('Login'));
$acl->addResource(new Resource('ZfcAdmin'));
$acl->deny('anonymous', 'Application', 'view');
$acl->allow('anonymous', 'Login', 'view');
$acl->allow('user', array('Application'), array('view'));
//admin is child of user, can publish, edit, and view too !
$acl->allow('admin', array('Application'), array('publish', 'edit'));
$controller = $e->getTarget();
$controllerClass = get_class($controller);
//echo "<pre>";print_r($controllerClass);exit;
$namespace = substr($controllerClass, 0, strpos($controllerClass, '\\'));
// echo "<pre>";print_r($namespace);exit;
$role = !$this->getSessContainer()->role ? 'anonymous' : $this->getSessContainer()->role;
if (!isset($_SESSION['admin']['user_id']) && $namespace == 'ZfcAdmin') {
$router = $e->getRouter();
$url = $router->assemble(array(), array('name' => 'zfcadmin'));
$response = $e->getResponse();
$response->setStatusCode(302);
//redirect to login route...
/* change with header('location: '.$url); if code below not working */
$response->getHeaders()->addHeaderLine('Location', $url);
$e->stopPropagation();
}
}
/**
* getAcl - This cannot be called before resources are parsed
*
* @param string $resourceId resourceId
* @param string $providerId @deprecated No Longer Required - providerId
*
* @return Acl
*/
public function getAcl($resourceId, $providerId)
{
if (!isset($this->acl)) {
$this->buildAcl();
}
/* resources privileges
we load the every time so they maybe updated dynamically
*/
$resources = $this->getResources($resourceId, $providerId);
foreach ($resources as $resource) {
if (!$this->acl->hasResource($resource)) {
$this->acl->addResource($resource, $resource->getParentResource());
}
$privileges = $resource->getPrivileges();
if (!empty($privileges)) {
foreach ($privileges as $privilege) {
if (!$this->acl->hasResource($privilege)) {
$this->acl->addResource($privilege, $resource);
}
}
}
}
// get only for resources
$rules = $this->getRules($resources);
/** @var AclRule $aclRule */
foreach ($rules as $aclRule) {
if ($aclRule->getRule() == AclRule::RULE_ALLOW) {
$this->acl->allow($aclRule->getRoleId(), $aclRule->getResourceId(), $aclRule->getPrivileges(), $aclRule->getAssertion());
} elseif ($aclRule->getRule() == AclRule::RULE_DENY) {
$this->acl->deny($aclRule->getRoleId(), $aclRule->getResourceId(), $aclRule->getPrivileges(), $aclRule->getAssertion());
}
}
return $this->acl;
}
public function initAcl(MvcEvent $e)
{
//Creamos el objeto ACL
$acl = new Acl();
//Incluimos la lista de roles y permisos, nos devuelve un array
$roles = (require 'config/autoload/acl.roles.php');
foreach ($roles as $role => $resources) {
//Indicamos que el rol será genérico
$role = new \Zend\Permissions\Acl\Role\GenericRole($role);
//Añadimos el rol al ACL
$acl->addRole($role);
//Recorremos los recursos o rutas permitidas
foreach ($resources["allow"] as $resource) {
//Si el recurso no existe lo añadimos
if (!$acl->hasResource($resource)) {
$acl->addResource(new \Zend\Permissions\Acl\Resource\GenericResource($resource));
}
//Permitimos a ese rol ese recurso
$acl->allow($role, $resource);
}
foreach ($resources["deny"] as $resource) {
//Si el recurso no existe lo añadimos
if (!$acl->hasResource($resource)) {
$acl->addResource(new \Zend\Permissions\Acl\Resource\GenericResource($resource));
}
//Denegamos a ese rol ese recurso
$acl->deny($role, $resource);
}
}
//Establecemos la lista de control de acceso
$e->getViewModel()->acl = $acl;
}
public function doAuthorization($e)
{
return;
//setting ACL...
$acl = new Acl();
//add role ..
$acl->addRole(new Role('anonymous'));
$acl->addRole(new Role('user'), 'anonymous');
$acl->addRole(new Role('admin'), 'user');
$acl->addResource(new Resource('Stick'));
$acl->addResource(new Resource('Auth'));
$acl->deny('anonymous', 'Stick', 'list');
$acl->allow('anonymous', 'Auth', 'login');
$acl->allow('anonymous', 'Auth', 'signup');
$acl->allow('user', 'Stick', 'add');
$acl->allow('user', 'Auth', 'logout');
//admin is child of user, can publish, edit, and view too !
$acl->allow('admin', 'Stick');
$controller = $e->getTarget();
$controllerClass = get_class($controller);
$namespace = substr($controllerClass, strrpos($controllerClass, '\\') + 1);
$role = !$this->getSessContainer()->role ? 'anonymous' : $this->getSessContainer()->role;
echo $role;
exit;
if (!$acl->isAllowed($role, $namespace, 'view')) {
$router = $e->getRouter();
$url = $router->assemble(array(), array('name' => 'Login/auth'));
$response = $e->getResponse();
$response->setStatusCode(302);
//redirect to login route...
$response->getHeaders()->addHeaderLine('Location', $url);
}
}
/**
* Constroi a ACL de acordo com as entities
* @see Core\Entity\System\Roles
* @todo Inclusao das ACLS no Cache
* @return Acl
*/
public function build()
{
$em = $this->getServiceManager()->get('Doctrine\\ORM\\EntityManager');
$roles = $em->getRepository('Core\\Entity\\System\\Roles')->findAll();
$resources = $em->getRepository('Core\\Entity\\System\\Resources')->findAll();
$acl = new Acl();
foreach ($roles as $role) {
$acl->addRole(new Role($role->getRoleName()), $role->getRoleParent());
}
foreach ($resources as $r) {
$acl->addResource(new Resource($r->getResourceName()));
}
foreach ($roles as $role) {
$rolename = $role->getRoleName();
$allowed = $em->getRepository('Core\\Entity\\System\\Permissions')->findBy(array('idRole' => $role->getId(), 'permission' => 'allow'));
foreach ($allowed as $allow) {
$resources = $em->getRepository('Core\\Entity\\System\\Resources')->find($allow->getIdResource());
$acl->allow($rolename, $resources->getResourceName());
}
$denyed = $em->getRepository('Core\\Entity\\System\\Permissions')->findBy(array('idRole' => $role->getId(), 'permission' => 'deny'));
foreach ($denyed as $deny) {
$resources = $em->getRepository('Core\\Entity\\System\\Resources')->find($deny->getIdResource());
$acl->deny($rolename, $resources->getResourceName());
}
}
return $acl;
}
public function createService(ServiceLocatorInterface $serviceLocator)
{
$config = $serviceLocator->get('config.helper')->get('acl');
$acl = new Acl();
foreach ($config['roles'] as $role => $parents) {
if (empty($parents)) {
$parents = null;
}
$role = new GenericRole($role);
$acl->addRole($role, $parents);
}
foreach ($config['resources'] as $permission => $controllers) {
foreach ($controllers as $controller => $actions) {
if (!$acl->hasResource($controller)) {
$acl->addResource(new GenericResource($controller));
}
foreach ($actions as $action => $role) {
if ($action == '*') {
$action = null;
}
if ($permission == 'allow') {
$acl->allow($role, $controller, $action);
} elseif ($permission == 'deny') {
$acl->deny($role, $controller, $action);
} else {
throw new Exception('No valid permission defined: ' . $permission);
}
}
}
}
if (class_exists('Zend\\View\\Helper\\Navigation')) {
Navigation::setDefaultAcl($acl);
}
return $acl;
}
public function build()
{
$authService = $this->getServiceLocator()->get('user-service-auth');
$role = $authService->getRole();
$repositoryPerfil = $this->getEm('Admin\\Entity\\Perfil');
$repositoryResource = $this->getEm('Admin\\Entity\\Resource');
$repositoryAcl = $this->getEm('Admin\\Entity\\Acl');
$config = $repositoryAcl->listaAcl();
$config['acl']['roles'] = $repositoryPerfil->getRoles();
$config['acl']['roles']['visitante'] = null;
$config['acl']['resources'] = $repositoryResource->getResources();
$acl = new ZendAcl();
foreach ($config['acl']['roles'] as $role => $parent) {
$acl->addRole(new GenericRole($role), $parent);
}
foreach ($config['acl']['resources'] as $resouce) {
$acl->addResource(new GenericResource($resouce));
}
if (isset($config['acl']['previlege'])) {
foreach ($config['acl']['previlege'] as $role => $privilege) {
if (isset($privilege['allow'])) {
foreach ($privilege['allow'] as $permissao) {
$acl->allow($role, $permissao);
}
}
if (isset($privilege['deny'])) {
foreach ($privilege['deny'] as $permissao) {
$acl->deny($role, $permissao);
}
}
}
}
return $acl;
}
public function initialAclRole($e, $serviceAdministratorConfigManager, $authenticationServiceStorage)
{
$oAcl = new Acl();
$oAcl->deny();
$oAcl->addRole(new Role('staff_1'));
$oAcl->addRole(new Role('staff_2'));
$oAcl->addRole(new Role('administrator'));
$oAcl->addResource('administrator');
$oAcl->addResource('api');
$oAcl->allow('staff_1', 'administrator', 'index:index');
$oAcl->allow('staff_1', 'administrator', 'user:profile');
$oAcl->allow('staff_1', 'administrator', 'user:list');
$oAcl->allow('staff_1', 'administrator', 'menu:list');
$controllerClass = get_class($e->getTarget());
$moduleName = strtolower(substr($controllerClass, 0, strpos($controllerClass, '\\')));
$routeMatch = $e->getRouteMatch();
$aName = strtolower($routeMatch->getParam('action', 'not-found'));
$cName = strtolower($routeMatch->getParam('__CONTROLLER__', 'not-found'));
/*
if (!$oAcl->isAllowed("staff_1",$moduleName, "{$cName}:{$aName}"))
{
$response = $e->getResponse();
$response->setStatusCode(302);
$response->getHeaders()->addHeaderLine('Location', $e->getRouter()->assemble($serviceAdministratorConfigManager['options']['constraints'],
array('name' => $_SERVER['HTTP_HOST']. '/'. 'default')));
$e->stopPropagation();
}
*/
}
/**
* Constroi a ACL
* @return Acl
*/
public function build()
{
// servico de config (array de configuracao)
$config = $this->getServiceManager()->get('Config');
$acl = new Acl();
foreach ($config['acl']['roles'] as $role => $parent) {
$acl->addRole(new Role($role), $parent);
}
foreach ($config['acl']['resources'] as $r) {
$acl->addResource(new Resource($r));
}
foreach ($config['acl']['privilege'] as $role => $privilege) {
if (isset($privilege['allow'])) {
foreach ($privilege['allow'] as $p) {
$acl->allow($role, $p);
}
}
if (isset($privilege['deny'])) {
foreach ($privilege['deny'] as $p) {
$acl->deny($role, $p);
}
}
}
return $acl;
}
private function _load()
{
if ($this->loaded == false) {
// Add roles
$config = $this->serviceLocator->get('config');
if (isset($config['acl']['role_providers'])) {
$roles = [];
foreach ($config['acl']['role_providers'] as $class => $options) {
/** @var \Acl\Provider\Role\ProviderInterface $roleProvider */
$roleProvider = $this->serviceLocator->get($class);
$roles = $roles + $roleProvider->getRoles();
}
foreach ($roles as $role) {
/** @var \Acl\Entity\Role $role */
$this->acl->addRole($role, $role->getParents());
}
}
// Add resources
if (isset($config['acl']['resource_providers'])) {
foreach ($config['acl']['resource_providers'] as $class => $options) {
/** @var \Acl\Provider\Resource\ProviderInterface $resourceProvider */
$resourceProvider = $this->serviceLocator->get($class);
$resources = $resourceProvider->getResources();
if ($resources) {
foreach ($resources as $r) {
if (!$this->acl->hasResource($r)) {
$this->acl->addResource($r);
}
}
}
}
}
// Add rules
if (isset($config['acl']['rule_providers'])) {
$rules = [];
foreach ($config['acl']['rule_providers'] as $class => $options) {
/** @var \Acl\Provider\Rule\ProviderInterface $ruleProvider */
$ruleProvider = $this->serviceLocator->get($class);
$rules = $rules + $ruleProvider->getRules();
}
foreach ($rules as $rule) {
/** @var \Acl\Entity\Rule $rule */
if ($rule->allow) {
$this->acl->allow($rule->obj_id, $rule->resource, $rule->privilege);
} else {
$this->acl->deny($rule->obj_id, $rule->resource, $rule->privilege);
}
}
}
$this->loaded = true;
}
}
public function getPermissionsACL(\Zend\Permissions\Acl\Acl $acl, \Doctrine\ORM\EntityManager $em)
{
$repoPermissao = $em->getRepository('Security\\Entity\\PermissaoAcl');
$permissions = $repoPermissao->getPermissions();
foreach ($permissions as $permission) {
if ($permission->getPermissao() == 'allow') {
$acl->allow($permission->getGrupo()->getNome(), $permission->getRecursoSistema()->getUrl());
} else {
$acl->deny($permission->getGrupo()->getNome(), $permission->getRecursoSistema()->getUrl());
}
}
return $acl;
}
public function setupAcl(MvcEvent $e)
{
$acl = new Acl();
$rolInvitado = new Role('invitado');
$admin = new Admin();
$rolAdmin = new Role($admin->getRol());
$acl->addRole($rolInvitado);
$acl->addRole($rolAdmin, $rolInvitado);
//el admin hereda los permisos de invitado
$acl->addResource('index_empleado');
$acl->addResource('login');
$acl->deny($rolInvitado, 'index_empleado');
$acl->allow($rolInvitado, 'login');
//$acl->allow($rolAdmin, 'login');
$acl->allow($rolAdmin, 'index_empleado');
$vista = $e->getApplication()->getMvcEvent()->getViewModel();
$vista->acl = $acl;
$this->acl = $acl;
}
/**
* @group ZF2-3454
*/
public function testAclResourcePermissionsAreInheritedWithMultilevelResourcesAndDenyPolicy()
{
$this->_acl->addRole('guest');
$this->_acl->addResource('blogposts');
$this->_acl->addResource('feature', 'blogposts');
$this->_acl->addResource('post_1', 'feature');
$this->_acl->addResource('post_2', 'feature');
// Allow a guest to read feature posts and
// comment on everything except feature posts.
$this->_acl->deny();
$this->_acl->allow('guest', 'feature', 'read');
$this->_acl->allow('guest', null, 'comment');
$this->_acl->deny('guest', 'feature', 'comment');
$this->assertFalse($this->_acl->isAllowed('guest', 'feature', 'write'));
$this->assertTrue($this->_acl->isAllowed('guest', 'post_1', 'read'));
$this->assertTrue($this->_acl->isAllowed('guest', 'post_2', 'read'));
$this->assertFalse($this->_acl->isAllowed('guest', 'post_1', 'comment'));
$this->assertFalse($this->_acl->isAllowed('guest', 'post_2', 'comment'));
}
/**
* Returns BlogController instance.
*
* @param ServiceLocatorInterface $serviceLocator
* @return BlogController
* @override
**/
public function createService(ServiceLocatorInterface $serviceLocator)
{
/* @var $serviceLocator Zend\Mvc\Controller\ControllerManager */
$sm = $serviceLocator->getServiceLocator();
$em = $sm->get('em');
$service = new PostService($em);
$controller = new BlogController();
$controller->setEntityManager($em);
$controller->setPostService($service);
$acl = new Acl();
$acl->addRole(new Role(UserService::ROLE_GUEST));
$acl->addRole(new Role(UserService::ROLE_ADMIN));
$acl->addResource($controller);
$acl->allow(UserService::ROLE_ADMIN, $controller);
$acl->allow(UserService::ROLE_GUEST, $controller);
$acl->deny(UserService::ROLE_GUEST, $controller, array('create', 'edit', 'view-all'));
$controller->setAcl($acl);
return $controller;
}
/**
* set Roles and Resource for ACL
*
* @return Acl
*/
protected function setAcl()
{
$guestRole = new Role(self::DEFAULT_ROLE);
$userRole = new Role(self::USER_ROLE);
$adminRole = new Role(self::ADMIN_ROLE);
$this->acl->addRole($guestRole);
$this->acl->addRole($userRole, $guestRole);
$this->acl->addRole($adminRole, $userRole);
$roleResource = new RoleResourcePermissionFromArray();
$roles = $roleResource->getListRoleResourcePermission();
foreach ($roles as $role => $roleResource) {
//adding resources
foreach ($roleResource as $permission => $resources) {
foreach ($resources as $resource) {
if (!$this->acl->hasResource($resource['resource'])) {
$this->acl->addResource(new Resource($resource['resource']));
}
if (count($resource['permission']) > 0 && $permission != 'deny') {
$this->acl->allow($role, $resource['resource'], $resource['permission']);
} else {
$this->acl->deny($role, $resource['resource'], $resource['permission']);
}
}
}
}
/*
foreach ($roles['deny'] as $role => $resources) {
//adding resources
foreach ($resources as $resource) {
if (!$this->acl->hasResource($resource['resource']))
$this->acl->addResource(new Resource($resource['resource']));
if (count($resource['permission']) > 0)
$this->acl->deny($role, $resource['resource'], $resource['permission']);
}
}
*/
return $this->acl;
}
/**
* @deprecated this method will be removed in BjyAuthorize 2.0.x
*
* @param mixed $rule
* @param mixed $type
*
* @throws \InvalidArgumentException
*/
protected function loadRule(array $rule, $type)
{
$privileges = $assertion = null;
$ruleSize = count($rule);
if (4 === $ruleSize) {
list($roles, $resources, $privileges, $assertion) = $rule;
$assertion = $this->serviceLocator->get($assertion);
} elseif (3 === $ruleSize) {
list($roles, $resources, $privileges) = $rule;
} elseif (2 === $ruleSize) {
list($roles, $resources) = $rule;
} else {
throw new \InvalidArgumentException('Invalid rule definition: ' . print_r($rule, true));
}
if (is_string($assertion)) {
$assertion = $this->serviceLocator->get($assertion);
}
if (static::TYPE_ALLOW === $type) {
$this->acl->allow($roles, $resources, $privileges, $assertion);
} else {
$this->acl->deny($roles, $resources, $privileges, $assertion);
}
}
public function index04Action()
{
$aclObj = new Acl();
$aclObj->addRole("member")->addRole("manager", "member")->addRole("admin", "manager");
$aclObj->allow("member", null, array("info", "index"));
$aclObj->allow("manager", null, array("add", "edit"));
$aclObj->allow("admin", null, array("delete"));
$aclObj->deny("admin", null, array("info"));
$aclObj->removeAllow("manager", null, array("add", "edit"));
$aclObj->removeDeny("admin", null, array("info"));
$role = "admin";
$privileges = array("info", "index", "add", "edit", "delete");
if ($aclObj->hasRole($role)) {
foreach ($privileges as $privilege) {
if ($aclObj->isAllowed($role, null, $privilege)) {
echo sprintf("<h3 style='color:red;font-weight:bold'>%s : Được quyền truy cập %s</h3>", $role, $privilege);
} else {
echo sprintf("<h3 style='color:red;font-weight:bold'>%s : Không được quyền truy cập %s</h3>", $role, $privilege);
}
}
}
return false;
}
public function doAuthorization()
{
//setting ACL...
$acl = new Acl();
//add role ..
$acl->addRole(new Role('anonymous'));
$acl->addRole(new Role('user'), 'anonymous');
$acl->addRole(new Role('admin'), 'user');
$acl->addResource(new Resource('Backend'));
$acl->addResource(new Resource('Login'));
$acl->deny('anonymous', 'Backend', 'view');
$acl->allow('anonymous', 'Login', 'view');
$acl->allow('user', array('Backend'), array('view'));
//admin is child of user, can publish, edit, and view too !
$acl->allow('admin', array('Backend'), array('publish', 'edit'));
$controller = $this->getController();
$controllerClass = get_class($controller);
$namespace = substr($controllerClass, 0, strpos($controllerClass, '\\'));
$role = !$this->getSessContainer()->role ? 'anonymous' : $this->getSessContainer()->role;
if (!$acl->isAllowed($role, $namespace, 'view') && $controllerClass !== $namespace . "\\Controller\\LoginController") {
// $redirector = $controller->getPluginManager()->get('Redirect');
// return $redirector->toRoute('backend_logout');
}
}
public function testOverrideIsAllowed()
{
$acl = new Acl();
$acl->addRole('role1');
$acl->addResource('resource1');
$acl->addResource('resource2');
$acl->allow(null, 'resource1', null);
$acl->allow(null, 'resource2', 'view');
$acl->deny('role1', 'resource1', null);
$service = $this->serviceManager->get('AclService4');
$service->loadResource(null, null);
$this->assertSame($acl->isAllowed('role1', 'resource1', 'add'), $service->isAllowed('role1', 'resource1', 'add'));
$this->assertSame($acl->isAllowed('role1', 'resource2', 'add'), $service->isAllowed('role1', 'resource2', 'add'));
$this->assertSame($acl->isAllowed('role1', 'resource2', 'view'), $service->isAllowed('role1', 'resource2', 'view'));
}
/**
* @param string $role_id
* @param string $resource_id
*/
public function addDeny($role_id = '', $resource_id = '')
{
$this->acl->deny($role_id, $resource_id);
}
private function getConfiguredAcl()
{
$acl = new Acl();
$acl->addRole(new Role('guest'));
$acl->addRole(new Role('member'), 'guest');
$acl->addRole(new Role('admin'));
$acl->addResource('/');
$acl->addResource('/login');
$acl->addResource('/member');
$acl->addResource('/member/photo/:id');
$acl->addResource('/admin');
$acl->allow('guest', '/');
$acl->allow('guest', '/login', array('GET', 'POST'));
$acl->deny('guest', '/admin');
$acl->allow('member', '/member');
$acl->allow('member', '/member/photo/:id', 'DELETE');
// admin gets everything
$acl->allow('admin');
return $acl;
}
protected function applyRolePermissions(Acl $role_acl, GenericRole $role, PermissionListMap $role_permissions_map)
{
$permitted_scopes = [];
foreach ($role_permissions_map as $scope => $role_permissions) {
foreach ($role_permissions as $permission) {
$expression = $permission->getExpression();
$expression_assert = null;
if (!empty($expression)) {
$expression_assert = new ExpressionAssert(['expression' => $expression, 'expression_service' => $this->expression_service]);
}
if ($permission->getAccessType() === Permission::ALLOW) {
$role_acl->allow($role, $permission->getAccessScope(), $permission->getName());
// implicitly register a global right for each scope (to serve for example: action.getCredentials)
if (!in_array($permission->getAccessScope(), $permitted_scopes)) {
$permitted_scopes[] = $permission->getAccessScope();
$role_acl->allow($role, null, $permission->getAccessScope(), $expression_assert);
}
} else {
$role_acl->deny($role, $permission->getAccessScope(), $permission->getName(), $expression_assert);
}
}
}
}
/**
* Init acl
*
* @param array $currentUserIdentity
* @return void
*/
protected static function initAcl(array $currentUserIdentity)
{
// create a new ACL role
$acl = new AclZend();
$acl->addRole(new Role($currentUserIdentity['role']));
$aclModel = ServiceLocatorService::getServiceLocator()->get('Application\\Model\\ModelManager')->getInstance('Acl\\Model\\AclBase');
// get assigned acl resources
if (null != ($resources = $aclModel->getAclResources($currentUserIdentity['role'], $currentUserIdentity['user_id']))) {
// process acl resources
$resourcesInfo = [];
foreach ($resources as $resource) {
// add a new resource
$acl->addResource(new Resource($resource['resource']));
// add the resource's permission
$resource['permission'] == AclBaseModel::ACTION_ALLOWED ? $acl->allow($currentUserIdentity['role'], $resource['resource']) : $acl->deny($currentUserIdentity['role'], $resource['resource']);
$resourcesInfo[$resource['resource']] = $resource;
}
self::$currentAclResources = $resourcesInfo;
}
self::$currentAcl = $acl;
}
public function setPermissions(Acl $acl)
{
foreach ($this->getConfig()->permissions as $role => $type) {
if ($type->allow) {
foreach ($type->allow as $allow) {
$acl->allow($role, $allow->get('resource'), $allow->get('params'));
}
}
if ($type->deny) {
foreach ($type->deny as $deny) {
$acl->deny($role, $deny->get('resource'), $deny->get('params'));
}
}
}
}
/**
* @param Container $container Pimple DI Container.
* @return void
*/
public function register(Container $container)
{
/**
* @param Container $container Pimple DI container
* @return array
*/
$container['admin/acl/roles'] = function (Container $container) {
$db = $container['database'];
$q = '
SELECT
`ident`,
`parent`
FROM
`charcoal_admin_acl_roles`
ORDER BY
`position` ASC';
$container['logger']->debug($q);
// Put inside a try-catch block because ACL is optional; table might not exist.
try {
$sth = $db->query($q);
$roles = $sth->fetchAll(PDO::FETCH_KEY_PAIR);
} catch (PDOException $e) {
$container['logger']->warning('Can not fetch ACL roles: ' . $e->getMessage());
$roles = [];
}
return $roles;
};
/**
* @param Container $container Pimple DI container
* @return array
*/
$container['admin/acl/permissions'] = function (Container $container) {
$db = $container['database'];
$q = '
SELECT
`ident`,
`denied`,
`allowed`,
`superuser`
FROM
`charcoal_admin_acl_roles`
ORDER BY
`position` ASC';
$container['logger']->debug($q);
$permissions = [];
// Put inside a try-catch block because ACL is optional; table might not exist.
try {
$sth = $db->query($q);
while ($row = $sth->fetch(PDO::FETCH_ASSOC)) {
$ident = $row['ident'];
if ($row['superuser']) {
$permissions[$ident] = 'superuser';
} else {
$allowed = explode(',', trim($row['allowed']));
$denied = explode(',', trim($row['denied']));
$permissions[$ident] = ['allow' => $allowed, 'deny' => $denied];
}
}
} catch (PDOException $e) {
$container['logger']->warning('Can not fetch ACL roles: ' . $e->getMessage());
$permissions = [];
}
return $permissions;
};
/**
* @param Container $container Pimple DI container
* @return Acl
*/
$container['admin/acl'] = function (Container $container) {
$acl = new Acl();
// Default role, which will contain default permissions
$acl->addRole(new Role('default'));
// Add roles
$roles = $container['admin/acl/roles'];
foreach ($roles as $role => $parentRole) {
if ($parentRole) {
$acl->addRole(new Role($role), $parentRole);
} else {
$acl->addRole(new Role($role), 'default');
}
}
// Add resources
$acl->addResource(new Resource('admin'));
// Setup default permissions (from admin config)
$adminConfig = $container['admin/config'];
$defaultPermissions = $adminConfig['acl.default_permissions'];
foreach ($defaultPermissions['allowed'] as $allowed) {
$acl->allow('default', 'admin', $allowed);
}
foreach ($defaultPermissions['denied'] as $denied) {
$acl->deny('default', 'admin', $denied);
}
// Add permissions
$permissions = $container['admin/acl/permissions'];
foreach ($permissions as $role => $permissions) {
if ($permissions === 'superuser') {
// Allow all
$acl->allow($role);
} else {
foreach ($permissions['allow'] as $allowed) {
$acl->allow($role, 'admin', $allowed);
}
foreach ($permissions['deny'] as $denied) {
$acl->deny($role, 'admin', $denied);
}
}
}
return $acl;
};
}
/**
* Registriert die Module aus der DB mit Zend/Auth
* Setzt die Rechte der Gruppen
*
* @param $sm
*/
public function __construct($sm)
{
$authSessionStorage = new Session('AUTH_IDENTITY');
parent::__construct($authSessionStorage);
$em = $sm->get('Doctrine\\ORM\\EntityManager');
$acl = new ZendAcl();
// add roles
foreach ($em->getRepository('Auth\\Entity\\Role')->findBy(array(), array('parentId' => 'ASC')) as $role) {
if ($role->parent) {
$parentName = $role->parent->name;
} else {
$parentName = null;
}
$acl->addRole(new GenericRole($role->name), $parentName);
}
// add resources + action
foreach ($em->getRepository('Auth\\Entity\\Resource')->findBy(array(), array('modul' => 'DESC')) as $resource) {
$ressouceName = $resource->modul;
if ($resource->action) {
$ressouceName .= '/' . $resource->action;
}
if ($resource->subAction) {
$ressouceName .= '/' . $resource->subAction;
}
$acl->addResource(new GenericResource($ressouceName));
}
unset($ressouceName);
// deny all
$acl->deny(null);
// add permissions
foreach ($em->getRepository('Auth\\Entity\\Permission')->findAll() as $permission) {
// allow
$permissionName = $permission->resource->modul;
if ($permission->resource->action) {
$permissionName .= '/' . $permission->resource->action;
}
if ($permission->resource->subAction) {
$permissionName .= '/' . $permission->resource->subAction;
}
$acl->allow($permission->gruppe->name, $permissionName);
}
// register identity
if (!$this->hasIdentity()) {
// register as gast
$benutzer = new Benutzer();
$benutzer->setUsername('Unbekannter User');
$benutzer->setId(0);
$benutzer->setLoggedIn(false);
$gruppe = new Role();
$gruppe->id = 2;
$gruppe->name = 'Gast';
$gruppe->supervisor = 0;
$benutzer->setGruppe($gruppe);
if (!$benutzer) {
throw new \Exception('Gastbenutzer mit der ID -1 nicht vorhanden - bitte direkt in der Datenbank anlegen');
}
$this->getStorage()->write($benutzer);
}
// register acl in navigation
\Zend\View\Helper\Navigation\AbstractHelper::setDefaultAcl($acl);
\Zend\View\Helper\Navigation\AbstractHelper::setDefaultRole($this->getIdentity()->getGruppe()->name);
$this->acl = $acl;
$this->sm = $sm;
$this->em = $em;
return $this;
}
/**
* Authorizes a request. If the authorization fails a 403 response code
* will be set and the propagation will be stopped
*
* @param MvcEvent $e
* @return void
*/
public function authorize(MvcEvent $e)
{
$routeParams = $e->getRouteMatch()->getParams();
$controller = isset($routeParams['controller']) ? $routeParams['controller'] : null;
$action = isset($routeParams['action']) ? $routeParams['action'] : null;
if (empty($controller) or empty($action)) {
throw new \Exception('Couldn\'t resolve controller or action');
}
$application = $e->getApplication();
$sm = $application->getServiceManager();
// Load the configuration
$config = $sm->get('config');
if (!isset($config['acl']) or !is_array($config['acl']) or !isset($config['acl']['roles']) or !is_array($config['acl']['roles']) or !isset($config['acl']['resources']) or !is_array($config['acl']['resources']) or !isset($config['acl']['rules']) or !is_array($config['acl']['rules'])) {
throw new \Exception('ACL\'s are not configured correctly');
}
$aclConfig =& $config['acl'];
$acl = new Acl();
// Deny as default policy
$acl->deny();
// Add the roles
foreach ($aclConfig['roles'] as $role) {
$inherit = null;
if (is_array($role)) {
$inherit = $role[1];
$role = $role[0];
}
$acl->addRole(new Role($role), $inherit);
}
// Add the resources
foreach ($aclConfig['resources'] as $resource) {
if (strpos($resource, $this->resourcePrefix . ':') === 0) {
$acl->addResource(new Resource($resource));
}
}
// Set up the rules
foreach ($aclConfig['rules'] as $rule) {
$type = isset($rule[0]) ? $rule[0] : null;
$role = isset($rule[1]) ? $rule[1] : null;
$resource = isset($rule[2]) ? $rule[2] : null;
if (!$type) {
throw new \Exception('No type defined');
}
if (!$role) {
throw new \Exception('No role defined');
}
switch ($type) {
case 'allow':
$acl->allow($role, $resource);
break;
case 'deny':
$acl->deny($role, $resource);
break;
default:
throw new \Exception('Invalid rule type');
break;
}
}
// Set the resource based on the request params
$resource = 'controller:' . $controller . ':' . $action;
// Set the users role
$role = 'guest';
$identity = $sm->get('ControllerPluginManager')->get('identity');
if ($user = $identity()) {
$role = $user->role;
}
// Authorize
try {
return $acl->isAllowed($role, $resource);
} catch (\Zend\Permissions\Acl\Exception\InvalidArgumentException $exception) {
// If the route cannot be matched the router will show a 404 page;
// everyone can access the 404 page
$routeMatch = $e->getRouteMatch();
if (!$routeMatch or !$routeMatch->getMatchedRouteName()) {
return true;
}
// Check if the controller/action exists. If they don't we return
// true to make sure the 404 page is rendered
$controllerLoader = $sm->get('ControllerLoader');
if (!$controllerLoader->has($controller)) {
return true;
}
$controller = $controllerLoader->get($controller);
$method = $controller::getMethodFromAction($action);
if (!method_exists($controller, $method)) {
return true;
}
$logger = $sm->get('Logger');
$logger->debug('Invalid ACL ressource requested: ' . $resource . ' (' . $exception->getMessage() . ')');
return false;
}
}
/**
* Get service configuration.
*
* @return array Service configuration
*/
public function getServiceConfig()
{
return ['aliases' => ['Zend\\Authentication\\AuthenticationService' => 'user_auth_service'], 'invokables' => ['user_auth_storage' => 'Zend\\Authentication\\Storage\\Session', 'user_service_user' => 'User\\Service\\User', 'user_service_apiuser' => 'User\\Service\\ApiUser', 'user_service_email' => 'User\\Service\\Email'], 'factories' => ['user_bcrypt' => function ($sm) {
$bcrypt = new \Zend\Crypt\Password\Bcrypt();
$config = $sm->get('config');
$bcrypt->setCost($config['bcrypt_cost']);
return $bcrypt;
}, 'user_hydrator' => function ($sm) {
return new \DoctrineModule\Stdlib\Hydrator\DoctrineObject($sm->get('user_doctrine_em'));
}, 'user_form_activate' => function ($sm) {
return new \User\Form\Activate($sm->get('translator'));
}, 'user_form_register' => function ($sm) {
return new \User\Form\Register($sm->get('translator'));
}, 'user_form_login' => function ($sm) {
return new \User\Form\Login($sm->get('translator'));
}, 'user_form_password' => function ($sm) {
return new \User\Form\Password($sm->get('translator'));
}, 'user_form_passwordreset' => function ($sm) {
return new \User\Form\Register($sm->get('translator'));
}, 'user_form_passwordactivate' => function ($sm) {
return new \User\Form\Activate($sm->get('translator'));
}, 'user_form_apitoken' => function ($sm) {
$form = new \User\Form\ApiToken($sm->get('translator'));
$form->setHydrator($sm->get('user_hydrator'));
return $form;
}, 'user_mapper_user' => function ($sm) {
return new \User\Mapper\User($sm->get('user_doctrine_em'));
}, 'user_mapper_newuser' => function ($sm) {
return new \User\Mapper\NewUser($sm->get('user_doctrine_em'));
}, 'user_mapper_apiuser' => function ($sm) {
return new \User\Mapper\ApiUser($sm->get('user_doctrine_em'));
}, 'user_mail_transport' => function ($sm) {
$config = $sm->get('config');
$config = $config['email'];
$class = '\\Zend\\Mail\\Transport\\' . $config['transport'];
$optionsClass = '\\Zend\\Mail\\Transport\\' . $config['transport'] . 'Options';
$transport = new $class();
$transport->setOptions(new $optionsClass($config['options']));
return $transport;
}, 'user_auth_adapter' => function ($sm) {
$adapter = new \User\Authentication\Adapter\Mapper($sm->get('user_bcrypt'), $sm->get('application_service_legacy'));
$adapter->setMapper($sm->get('user_mapper_user'));
return $adapter;
}, 'user_pin_auth_adapter' => function ($sm) {
$adapter = new \User\Authentication\Adapter\PinMapper($sm->get('application_service_legacy'));
$adapter->setMapper($sm->get('user_mapper_user'));
return $adapter;
}, 'user_auth_service' => function ($sm) {
return new \Zend\Authentication\AuthenticationService($sm->get('user_auth_storage'), $sm->get('user_auth_adapter'));
}, 'user_pin_auth_service' => function ($sm) {
return new \Zend\Authentication\AuthenticationService($sm->get('user_auth_storage'), $sm->get('user_pin_auth_adapter'));
}, 'user_remoteaddress' => function ($sm) {
$remote = new \Zend\Http\PhpEnvironment\RemoteAddress();
return $remote->getIpAddress();
}, 'user_role' => function ($sm) {
$authService = $sm->get('user_auth_service');
if ($authService->hasIdentity()) {
return $authService->getIdentity();
}
$apiService = $sm->get('user_service_apiuser');
if ($apiService->hasIdentity()) {
return 'apiuser';
}
$range = $sm->get('config')['tue_range'];
if (strpos($sm->get('user_remoteaddress'), $range) === 0) {
return 'tueguest';
}
return 'guest';
}, 'acl' => function ($sm) {
// initialize the ACL
$acl = new Acl();
/**
* Define all basic roles.
*
* - guest: everyone gets at least this access level
* - tueguest: guest from the TU/e
* - user: GEWIS-member
* - apiuser: Automated tool given access by an admin
* - admin: Defined administrators
*/
$acl->addRole(new Role('guest'));
$acl->addRole(new Role('tueguest'), 'guest');
$acl->addRole(new Role('user'), 'tueguest');
$acl->addrole(new Role('apiuser'), 'guest');
$acl->addrole(new Role('sosuser'), 'apiuser');
$acl->addrole(new Role('active_member'), 'user');
$acl->addRole(new Role('admin'));
$user = $sm->get('user_role');
// add user to registry
if ($user instanceof User) {
$roles = $user->getRoleNames();
// if the user has no roles, add the 'user' role by default
if (empty($roles)) {
$roles = ['user'];
}
// TODO: change this to getActiveOrganInstalltions() once 529 is fixed
if (count($user->getMember()->getOrganInstallations()) > 0) {
$roles[] = 'active_member';
}
$acl->addRole($user, $roles);
}
// admins are allowed to do everything
$acl->allow('admin');
// board members also are admins
$acl->allow('user', null, null, new \User\Permissions\Assertion\IsBoardMember());
// configure the user ACL
$acl->addResource(new Resource('apiuser'));
$acl->addResource(new Resource('user'));
$acl->allow('user', 'user', ['password_change']);
// sosusers can't do anything
$acl->deny('sosuser');
return $acl;
}, 'user_doctrine_em' => function ($sm) {
return $sm->get('doctrine.entitymanager.orm_default');
}], 'shared' => ['user_role' => false]];
}
