private function addAllowAndDeny(Acl $acl) { foreach ($this->config as $roleName => $roleConfig) { $allowList = isset($roleConfig['allow']) ? $roleConfig['allow'] : []; foreach ($allowList as $resource => $privilegeList) { if (empty($privilegeList)) { $acl->allow($roleName, strtolower($resource)); } else { foreach ((array) $privilegeList as $privilege) { $acl->allow($roleName, strtolower($resource), strtolower($privilege)); } } } $denyList = isset($roleConfig['deny']) ? $roleConfig['deny'] : []; foreach ($denyList as $resource => $privilegeList) { if (empty($privilegeList)) { $acl->deny($roleName, strtolower($resource)); } else { foreach ((array) $privilegeList as $privilege) { $acl->deny($roleName, strtolower($resource), strtolower($privilege)); } } } } }
/** * @return Acl */ protected function roleAcl() { if (!$this->roleAcl) { $id = $this->objId(); $this->roleAcl = new Acl(); $this->roleAcl->addRole(new Role($id)); $this->roleAcl->addResource(new Resource('admin')); $q = ' select `denied`, `allowed`, `superuser` from `charcoal_admin_acl_roles` where ident = :id'; $db = \Charcoal\App\App::instance()->getContainer()->get('database'); $sth = $db->prepare($q); $sth->bindParam(':id', $id); $sth->execute(); $permissions = $sth->fetch(\PDO::FETCH_ASSOC); $this->roleAllowed = explode(',', trim($permissions['allowed'])); $this->roleDenied = explode(',', trim($permissions['denied'])); foreach ($this->roleAllowed as $allowed) { $this->roleAcl->allow($id, 'admin', $allowed); } foreach ($this->roleDenied as $denied) { $this->roleAcl->deny($id, 'admin', $denied); } } return $this->roleAcl; }
public function doAuthorization($e) { //setting ACL... $acl = new Acl(); //add role .. $acl->addRole(new Role('anonymous')); $acl->addRole(new Role('user'), 'anonymous'); $acl->addRole(new Role('admin'), 'user'); $acl->addResource(new Resource('Application')); $acl->addResource(new Resource('Login')); $acl->addResource(new Resource('ZfcAdmin')); $acl->deny('anonymous', 'Application', 'view'); $acl->allow('anonymous', 'Login', 'view'); $acl->allow('user', array('Application'), array('view')); //admin is child of user, can publish, edit, and view too ! $acl->allow('admin', array('Application'), array('publish', 'edit')); $controller = $e->getTarget(); $controllerClass = get_class($controller); //echo "<pre>";print_r($controllerClass);exit; $namespace = substr($controllerClass, 0, strpos($controllerClass, '\\')); // echo "<pre>";print_r($namespace);exit; $role = !$this->getSessContainer()->role ? 'anonymous' : $this->getSessContainer()->role; if (!isset($_SESSION['admin']['user_id']) && $namespace == 'ZfcAdmin') { $router = $e->getRouter(); $url = $router->assemble(array(), array('name' => 'zfcadmin')); $response = $e->getResponse(); $response->setStatusCode(302); //redirect to login route... /* change with header('location: '.$url); if code below not working */ $response->getHeaders()->addHeaderLine('Location', $url); $e->stopPropagation(); } }
/** * getAcl - This cannot be called before resources are parsed * * @param string $resourceId resourceId * @param string $providerId @deprecated No Longer Required - providerId * * @return Acl */ public function getAcl($resourceId, $providerId) { if (!isset($this->acl)) { $this->buildAcl(); } /* resources privileges we load the every time so they maybe updated dynamically */ $resources = $this->getResources($resourceId, $providerId); foreach ($resources as $resource) { if (!$this->acl->hasResource($resource)) { $this->acl->addResource($resource, $resource->getParentResource()); } $privileges = $resource->getPrivileges(); if (!empty($privileges)) { foreach ($privileges as $privilege) { if (!$this->acl->hasResource($privilege)) { $this->acl->addResource($privilege, $resource); } } } } // get only for resources $rules = $this->getRules($resources); /** @var AclRule $aclRule */ foreach ($rules as $aclRule) { if ($aclRule->getRule() == AclRule::RULE_ALLOW) { $this->acl->allow($aclRule->getRoleId(), $aclRule->getResourceId(), $aclRule->getPrivileges(), $aclRule->getAssertion()); } elseif ($aclRule->getRule() == AclRule::RULE_DENY) { $this->acl->deny($aclRule->getRoleId(), $aclRule->getResourceId(), $aclRule->getPrivileges(), $aclRule->getAssertion()); } } return $this->acl; }
public function initAcl(MvcEvent $e) { //Creamos el objeto ACL $acl = new Acl(); //Incluimos la lista de roles y permisos, nos devuelve un array $roles = (require 'config/autoload/acl.roles.php'); foreach ($roles as $role => $resources) { //Indicamos que el rol será genérico $role = new \Zend\Permissions\Acl\Role\GenericRole($role); //Añadimos el rol al ACL $acl->addRole($role); //Recorremos los recursos o rutas permitidas foreach ($resources["allow"] as $resource) { //Si el recurso no existe lo añadimos if (!$acl->hasResource($resource)) { $acl->addResource(new \Zend\Permissions\Acl\Resource\GenericResource($resource)); } //Permitimos a ese rol ese recurso $acl->allow($role, $resource); } foreach ($resources["deny"] as $resource) { //Si el recurso no existe lo añadimos if (!$acl->hasResource($resource)) { $acl->addResource(new \Zend\Permissions\Acl\Resource\GenericResource($resource)); } //Denegamos a ese rol ese recurso $acl->deny($role, $resource); } } //Establecemos la lista de control de acceso $e->getViewModel()->acl = $acl; }
public function doAuthorization($e) { return; //setting ACL... $acl = new Acl(); //add role .. $acl->addRole(new Role('anonymous')); $acl->addRole(new Role('user'), 'anonymous'); $acl->addRole(new Role('admin'), 'user'); $acl->addResource(new Resource('Stick')); $acl->addResource(new Resource('Auth')); $acl->deny('anonymous', 'Stick', 'list'); $acl->allow('anonymous', 'Auth', 'login'); $acl->allow('anonymous', 'Auth', 'signup'); $acl->allow('user', 'Stick', 'add'); $acl->allow('user', 'Auth', 'logout'); //admin is child of user, can publish, edit, and view too ! $acl->allow('admin', 'Stick'); $controller = $e->getTarget(); $controllerClass = get_class($controller); $namespace = substr($controllerClass, strrpos($controllerClass, '\\') + 1); $role = !$this->getSessContainer()->role ? 'anonymous' : $this->getSessContainer()->role; echo $role; exit; if (!$acl->isAllowed($role, $namespace, 'view')) { $router = $e->getRouter(); $url = $router->assemble(array(), array('name' => 'Login/auth')); $response = $e->getResponse(); $response->setStatusCode(302); //redirect to login route... $response->getHeaders()->addHeaderLine('Location', $url); } }
/** * Constroi a ACL de acordo com as entities * @see Core\Entity\System\Roles * @todo Inclusao das ACLS no Cache * @return Acl */ public function build() { $em = $this->getServiceManager()->get('Doctrine\\ORM\\EntityManager'); $roles = $em->getRepository('Core\\Entity\\System\\Roles')->findAll(); $resources = $em->getRepository('Core\\Entity\\System\\Resources')->findAll(); $acl = new Acl(); foreach ($roles as $role) { $acl->addRole(new Role($role->getRoleName()), $role->getRoleParent()); } foreach ($resources as $r) { $acl->addResource(new Resource($r->getResourceName())); } foreach ($roles as $role) { $rolename = $role->getRoleName(); $allowed = $em->getRepository('Core\\Entity\\System\\Permissions')->findBy(array('idRole' => $role->getId(), 'permission' => 'allow')); foreach ($allowed as $allow) { $resources = $em->getRepository('Core\\Entity\\System\\Resources')->find($allow->getIdResource()); $acl->allow($rolename, $resources->getResourceName()); } $denyed = $em->getRepository('Core\\Entity\\System\\Permissions')->findBy(array('idRole' => $role->getId(), 'permission' => 'deny')); foreach ($denyed as $deny) { $resources = $em->getRepository('Core\\Entity\\System\\Resources')->find($deny->getIdResource()); $acl->deny($rolename, $resources->getResourceName()); } } return $acl; }
public function createService(ServiceLocatorInterface $serviceLocator) { $config = $serviceLocator->get('config.helper')->get('acl'); $acl = new Acl(); foreach ($config['roles'] as $role => $parents) { if (empty($parents)) { $parents = null; } $role = new GenericRole($role); $acl->addRole($role, $parents); } foreach ($config['resources'] as $permission => $controllers) { foreach ($controllers as $controller => $actions) { if (!$acl->hasResource($controller)) { $acl->addResource(new GenericResource($controller)); } foreach ($actions as $action => $role) { if ($action == '*') { $action = null; } if ($permission == 'allow') { $acl->allow($role, $controller, $action); } elseif ($permission == 'deny') { $acl->deny($role, $controller, $action); } else { throw new Exception('No valid permission defined: ' . $permission); } } } } if (class_exists('Zend\\View\\Helper\\Navigation')) { Navigation::setDefaultAcl($acl); } return $acl; }
public function build() { $authService = $this->getServiceLocator()->get('user-service-auth'); $role = $authService->getRole(); $repositoryPerfil = $this->getEm('Admin\\Entity\\Perfil'); $repositoryResource = $this->getEm('Admin\\Entity\\Resource'); $repositoryAcl = $this->getEm('Admin\\Entity\\Acl'); $config = $repositoryAcl->listaAcl(); $config['acl']['roles'] = $repositoryPerfil->getRoles(); $config['acl']['roles']['visitante'] = null; $config['acl']['resources'] = $repositoryResource->getResources(); $acl = new ZendAcl(); foreach ($config['acl']['roles'] as $role => $parent) { $acl->addRole(new GenericRole($role), $parent); } foreach ($config['acl']['resources'] as $resouce) { $acl->addResource(new GenericResource($resouce)); } if (isset($config['acl']['previlege'])) { foreach ($config['acl']['previlege'] as $role => $privilege) { if (isset($privilege['allow'])) { foreach ($privilege['allow'] as $permissao) { $acl->allow($role, $permissao); } } if (isset($privilege['deny'])) { foreach ($privilege['deny'] as $permissao) { $acl->deny($role, $permissao); } } } } return $acl; }
public function initialAclRole($e, $serviceAdministratorConfigManager, $authenticationServiceStorage) { $oAcl = new Acl(); $oAcl->deny(); $oAcl->addRole(new Role('staff_1')); $oAcl->addRole(new Role('staff_2')); $oAcl->addRole(new Role('administrator')); $oAcl->addResource('administrator'); $oAcl->addResource('api'); $oAcl->allow('staff_1', 'administrator', 'index:index'); $oAcl->allow('staff_1', 'administrator', 'user:profile'); $oAcl->allow('staff_1', 'administrator', 'user:list'); $oAcl->allow('staff_1', 'administrator', 'menu:list'); $controllerClass = get_class($e->getTarget()); $moduleName = strtolower(substr($controllerClass, 0, strpos($controllerClass, '\\'))); $routeMatch = $e->getRouteMatch(); $aName = strtolower($routeMatch->getParam('action', 'not-found')); $cName = strtolower($routeMatch->getParam('__CONTROLLER__', 'not-found')); /* if (!$oAcl->isAllowed("staff_1",$moduleName, "{$cName}:{$aName}")) { $response = $e->getResponse(); $response->setStatusCode(302); $response->getHeaders()->addHeaderLine('Location', $e->getRouter()->assemble($serviceAdministratorConfigManager['options']['constraints'], array('name' => $_SERVER['HTTP_HOST']. '/'. 'default'))); $e->stopPropagation(); } */ }
/** * Constroi a ACL * @return Acl */ public function build() { // servico de config (array de configuracao) $config = $this->getServiceManager()->get('Config'); $acl = new Acl(); foreach ($config['acl']['roles'] as $role => $parent) { $acl->addRole(new Role($role), $parent); } foreach ($config['acl']['resources'] as $r) { $acl->addResource(new Resource($r)); } foreach ($config['acl']['privilege'] as $role => $privilege) { if (isset($privilege['allow'])) { foreach ($privilege['allow'] as $p) { $acl->allow($role, $p); } } if (isset($privilege['deny'])) { foreach ($privilege['deny'] as $p) { $acl->deny($role, $p); } } } return $acl; }
private function _load() { if ($this->loaded == false) { // Add roles $config = $this->serviceLocator->get('config'); if (isset($config['acl']['role_providers'])) { $roles = []; foreach ($config['acl']['role_providers'] as $class => $options) { /** @var \Acl\Provider\Role\ProviderInterface $roleProvider */ $roleProvider = $this->serviceLocator->get($class); $roles = $roles + $roleProvider->getRoles(); } foreach ($roles as $role) { /** @var \Acl\Entity\Role $role */ $this->acl->addRole($role, $role->getParents()); } } // Add resources if (isset($config['acl']['resource_providers'])) { foreach ($config['acl']['resource_providers'] as $class => $options) { /** @var \Acl\Provider\Resource\ProviderInterface $resourceProvider */ $resourceProvider = $this->serviceLocator->get($class); $resources = $resourceProvider->getResources(); if ($resources) { foreach ($resources as $r) { if (!$this->acl->hasResource($r)) { $this->acl->addResource($r); } } } } } // Add rules if (isset($config['acl']['rule_providers'])) { $rules = []; foreach ($config['acl']['rule_providers'] as $class => $options) { /** @var \Acl\Provider\Rule\ProviderInterface $ruleProvider */ $ruleProvider = $this->serviceLocator->get($class); $rules = $rules + $ruleProvider->getRules(); } foreach ($rules as $rule) { /** @var \Acl\Entity\Rule $rule */ if ($rule->allow) { $this->acl->allow($rule->obj_id, $rule->resource, $rule->privilege); } else { $this->acl->deny($rule->obj_id, $rule->resource, $rule->privilege); } } } $this->loaded = true; } }
public function getPermissionsACL(\Zend\Permissions\Acl\Acl $acl, \Doctrine\ORM\EntityManager $em) { $repoPermissao = $em->getRepository('Security\\Entity\\PermissaoAcl'); $permissions = $repoPermissao->getPermissions(); foreach ($permissions as $permission) { if ($permission->getPermissao() == 'allow') { $acl->allow($permission->getGrupo()->getNome(), $permission->getRecursoSistema()->getUrl()); } else { $acl->deny($permission->getGrupo()->getNome(), $permission->getRecursoSistema()->getUrl()); } } return $acl; }
public function setupAcl(MvcEvent $e) { $acl = new Acl(); $rolInvitado = new Role('invitado'); $admin = new Admin(); $rolAdmin = new Role($admin->getRol()); $acl->addRole($rolInvitado); $acl->addRole($rolAdmin, $rolInvitado); //el admin hereda los permisos de invitado $acl->addResource('index_empleado'); $acl->addResource('login'); $acl->deny($rolInvitado, 'index_empleado'); $acl->allow($rolInvitado, 'login'); //$acl->allow($rolAdmin, 'login'); $acl->allow($rolAdmin, 'index_empleado'); $vista = $e->getApplication()->getMvcEvent()->getViewModel(); $vista->acl = $acl; $this->acl = $acl; }
/** * @group ZF2-3454 */ public function testAclResourcePermissionsAreInheritedWithMultilevelResourcesAndDenyPolicy() { $this->_acl->addRole('guest'); $this->_acl->addResource('blogposts'); $this->_acl->addResource('feature', 'blogposts'); $this->_acl->addResource('post_1', 'feature'); $this->_acl->addResource('post_2', 'feature'); // Allow a guest to read feature posts and // comment on everything except feature posts. $this->_acl->deny(); $this->_acl->allow('guest', 'feature', 'read'); $this->_acl->allow('guest', null, 'comment'); $this->_acl->deny('guest', 'feature', 'comment'); $this->assertFalse($this->_acl->isAllowed('guest', 'feature', 'write')); $this->assertTrue($this->_acl->isAllowed('guest', 'post_1', 'read')); $this->assertTrue($this->_acl->isAllowed('guest', 'post_2', 'read')); $this->assertFalse($this->_acl->isAllowed('guest', 'post_1', 'comment')); $this->assertFalse($this->_acl->isAllowed('guest', 'post_2', 'comment')); }
/** * Returns BlogController instance. * * @param ServiceLocatorInterface $serviceLocator * @return BlogController * @override **/ public function createService(ServiceLocatorInterface $serviceLocator) { /* @var $serviceLocator Zend\Mvc\Controller\ControllerManager */ $sm = $serviceLocator->getServiceLocator(); $em = $sm->get('em'); $service = new PostService($em); $controller = new BlogController(); $controller->setEntityManager($em); $controller->setPostService($service); $acl = new Acl(); $acl->addRole(new Role(UserService::ROLE_GUEST)); $acl->addRole(new Role(UserService::ROLE_ADMIN)); $acl->addResource($controller); $acl->allow(UserService::ROLE_ADMIN, $controller); $acl->allow(UserService::ROLE_GUEST, $controller); $acl->deny(UserService::ROLE_GUEST, $controller, array('create', 'edit', 'view-all')); $controller->setAcl($acl); return $controller; }
/** * set Roles and Resource for ACL * * @return Acl */ protected function setAcl() { $guestRole = new Role(self::DEFAULT_ROLE); $userRole = new Role(self::USER_ROLE); $adminRole = new Role(self::ADMIN_ROLE); $this->acl->addRole($guestRole); $this->acl->addRole($userRole, $guestRole); $this->acl->addRole($adminRole, $userRole); $roleResource = new RoleResourcePermissionFromArray(); $roles = $roleResource->getListRoleResourcePermission(); foreach ($roles as $role => $roleResource) { //adding resources foreach ($roleResource as $permission => $resources) { foreach ($resources as $resource) { if (!$this->acl->hasResource($resource['resource'])) { $this->acl->addResource(new Resource($resource['resource'])); } if (count($resource['permission']) > 0 && $permission != 'deny') { $this->acl->allow($role, $resource['resource'], $resource['permission']); } else { $this->acl->deny($role, $resource['resource'], $resource['permission']); } } } } /* foreach ($roles['deny'] as $role => $resources) { //adding resources foreach ($resources as $resource) { if (!$this->acl->hasResource($resource['resource'])) $this->acl->addResource(new Resource($resource['resource'])); if (count($resource['permission']) > 0) $this->acl->deny($role, $resource['resource'], $resource['permission']); } } */ return $this->acl; }
/** * @deprecated this method will be removed in BjyAuthorize 2.0.x * * @param mixed $rule * @param mixed $type * * @throws \InvalidArgumentException */ protected function loadRule(array $rule, $type) { $privileges = $assertion = null; $ruleSize = count($rule); if (4 === $ruleSize) { list($roles, $resources, $privileges, $assertion) = $rule; $assertion = $this->serviceLocator->get($assertion); } elseif (3 === $ruleSize) { list($roles, $resources, $privileges) = $rule; } elseif (2 === $ruleSize) { list($roles, $resources) = $rule; } else { throw new \InvalidArgumentException('Invalid rule definition: ' . print_r($rule, true)); } if (is_string($assertion)) { $assertion = $this->serviceLocator->get($assertion); } if (static::TYPE_ALLOW === $type) { $this->acl->allow($roles, $resources, $privileges, $assertion); } else { $this->acl->deny($roles, $resources, $privileges, $assertion); } }
public function index04Action() { $aclObj = new Acl(); $aclObj->addRole("member")->addRole("manager", "member")->addRole("admin", "manager"); $aclObj->allow("member", null, array("info", "index")); $aclObj->allow("manager", null, array("add", "edit")); $aclObj->allow("admin", null, array("delete")); $aclObj->deny("admin", null, array("info")); $aclObj->removeAllow("manager", null, array("add", "edit")); $aclObj->removeDeny("admin", null, array("info")); $role = "admin"; $privileges = array("info", "index", "add", "edit", "delete"); if ($aclObj->hasRole($role)) { foreach ($privileges as $privilege) { if ($aclObj->isAllowed($role, null, $privilege)) { echo sprintf("<h3 style='color:red;font-weight:bold'>%s : Được quyền truy cập %s</h3>", $role, $privilege); } else { echo sprintf("<h3 style='color:red;font-weight:bold'>%s : Không được quyền truy cập %s</h3>", $role, $privilege); } } } return false; }
public function doAuthorization() { //setting ACL... $acl = new Acl(); //add role .. $acl->addRole(new Role('anonymous')); $acl->addRole(new Role('user'), 'anonymous'); $acl->addRole(new Role('admin'), 'user'); $acl->addResource(new Resource('Backend')); $acl->addResource(new Resource('Login')); $acl->deny('anonymous', 'Backend', 'view'); $acl->allow('anonymous', 'Login', 'view'); $acl->allow('user', array('Backend'), array('view')); //admin is child of user, can publish, edit, and view too ! $acl->allow('admin', array('Backend'), array('publish', 'edit')); $controller = $this->getController(); $controllerClass = get_class($controller); $namespace = substr($controllerClass, 0, strpos($controllerClass, '\\')); $role = !$this->getSessContainer()->role ? 'anonymous' : $this->getSessContainer()->role; if (!$acl->isAllowed($role, $namespace, 'view') && $controllerClass !== $namespace . "\\Controller\\LoginController") { // $redirector = $controller->getPluginManager()->get('Redirect'); // return $redirector->toRoute('backend_logout'); } }
public function testOverrideIsAllowed() { $acl = new Acl(); $acl->addRole('role1'); $acl->addResource('resource1'); $acl->addResource('resource2'); $acl->allow(null, 'resource1', null); $acl->allow(null, 'resource2', 'view'); $acl->deny('role1', 'resource1', null); $service = $this->serviceManager->get('AclService4'); $service->loadResource(null, null); $this->assertSame($acl->isAllowed('role1', 'resource1', 'add'), $service->isAllowed('role1', 'resource1', 'add')); $this->assertSame($acl->isAllowed('role1', 'resource2', 'add'), $service->isAllowed('role1', 'resource2', 'add')); $this->assertSame($acl->isAllowed('role1', 'resource2', 'view'), $service->isAllowed('role1', 'resource2', 'view')); }
/** * @param string $role_id * @param string $resource_id */ public function addDeny($role_id = '', $resource_id = '') { $this->acl->deny($role_id, $resource_id); }
private function getConfiguredAcl() { $acl = new Acl(); $acl->addRole(new Role('guest')); $acl->addRole(new Role('member'), 'guest'); $acl->addRole(new Role('admin')); $acl->addResource('/'); $acl->addResource('/login'); $acl->addResource('/member'); $acl->addResource('/member/photo/:id'); $acl->addResource('/admin'); $acl->allow('guest', '/'); $acl->allow('guest', '/login', array('GET', 'POST')); $acl->deny('guest', '/admin'); $acl->allow('member', '/member'); $acl->allow('member', '/member/photo/:id', 'DELETE'); // admin gets everything $acl->allow('admin'); return $acl; }
protected function applyRolePermissions(Acl $role_acl, GenericRole $role, PermissionListMap $role_permissions_map) { $permitted_scopes = []; foreach ($role_permissions_map as $scope => $role_permissions) { foreach ($role_permissions as $permission) { $expression = $permission->getExpression(); $expression_assert = null; if (!empty($expression)) { $expression_assert = new ExpressionAssert(['expression' => $expression, 'expression_service' => $this->expression_service]); } if ($permission->getAccessType() === Permission::ALLOW) { $role_acl->allow($role, $permission->getAccessScope(), $permission->getName()); // implicitly register a global right for each scope (to serve for example: action.getCredentials) if (!in_array($permission->getAccessScope(), $permitted_scopes)) { $permitted_scopes[] = $permission->getAccessScope(); $role_acl->allow($role, null, $permission->getAccessScope(), $expression_assert); } } else { $role_acl->deny($role, $permission->getAccessScope(), $permission->getName(), $expression_assert); } } } }
/** * Init acl * * @param array $currentUserIdentity * @return void */ protected static function initAcl(array $currentUserIdentity) { // create a new ACL role $acl = new AclZend(); $acl->addRole(new Role($currentUserIdentity['role'])); $aclModel = ServiceLocatorService::getServiceLocator()->get('Application\\Model\\ModelManager')->getInstance('Acl\\Model\\AclBase'); // get assigned acl resources if (null != ($resources = $aclModel->getAclResources($currentUserIdentity['role'], $currentUserIdentity['user_id']))) { // process acl resources $resourcesInfo = []; foreach ($resources as $resource) { // add a new resource $acl->addResource(new Resource($resource['resource'])); // add the resource's permission $resource['permission'] == AclBaseModel::ACTION_ALLOWED ? $acl->allow($currentUserIdentity['role'], $resource['resource']) : $acl->deny($currentUserIdentity['role'], $resource['resource']); $resourcesInfo[$resource['resource']] = $resource; } self::$currentAclResources = $resourcesInfo; } self::$currentAcl = $acl; }
public function setPermissions(Acl $acl) { foreach ($this->getConfig()->permissions as $role => $type) { if ($type->allow) { foreach ($type->allow as $allow) { $acl->allow($role, $allow->get('resource'), $allow->get('params')); } } if ($type->deny) { foreach ($type->deny as $deny) { $acl->deny($role, $deny->get('resource'), $deny->get('params')); } } } }
/** * @param Container $container Pimple DI Container. * @return void */ public function register(Container $container) { /** * @param Container $container Pimple DI container * @return array */ $container['admin/acl/roles'] = function (Container $container) { $db = $container['database']; $q = ' SELECT `ident`, `parent` FROM `charcoal_admin_acl_roles` ORDER BY `position` ASC'; $container['logger']->debug($q); // Put inside a try-catch block because ACL is optional; table might not exist. try { $sth = $db->query($q); $roles = $sth->fetchAll(PDO::FETCH_KEY_PAIR); } catch (PDOException $e) { $container['logger']->warning('Can not fetch ACL roles: ' . $e->getMessage()); $roles = []; } return $roles; }; /** * @param Container $container Pimple DI container * @return array */ $container['admin/acl/permissions'] = function (Container $container) { $db = $container['database']; $q = ' SELECT `ident`, `denied`, `allowed`, `superuser` FROM `charcoal_admin_acl_roles` ORDER BY `position` ASC'; $container['logger']->debug($q); $permissions = []; // Put inside a try-catch block because ACL is optional; table might not exist. try { $sth = $db->query($q); while ($row = $sth->fetch(PDO::FETCH_ASSOC)) { $ident = $row['ident']; if ($row['superuser']) { $permissions[$ident] = 'superuser'; } else { $allowed = explode(',', trim($row['allowed'])); $denied = explode(',', trim($row['denied'])); $permissions[$ident] = ['allow' => $allowed, 'deny' => $denied]; } } } catch (PDOException $e) { $container['logger']->warning('Can not fetch ACL roles: ' . $e->getMessage()); $permissions = []; } return $permissions; }; /** * @param Container $container Pimple DI container * @return Acl */ $container['admin/acl'] = function (Container $container) { $acl = new Acl(); // Default role, which will contain default permissions $acl->addRole(new Role('default')); // Add roles $roles = $container['admin/acl/roles']; foreach ($roles as $role => $parentRole) { if ($parentRole) { $acl->addRole(new Role($role), $parentRole); } else { $acl->addRole(new Role($role), 'default'); } } // Add resources $acl->addResource(new Resource('admin')); // Setup default permissions (from admin config) $adminConfig = $container['admin/config']; $defaultPermissions = $adminConfig['acl.default_permissions']; foreach ($defaultPermissions['allowed'] as $allowed) { $acl->allow('default', 'admin', $allowed); } foreach ($defaultPermissions['denied'] as $denied) { $acl->deny('default', 'admin', $denied); } // Add permissions $permissions = $container['admin/acl/permissions']; foreach ($permissions as $role => $permissions) { if ($permissions === 'superuser') { // Allow all $acl->allow($role); } else { foreach ($permissions['allow'] as $allowed) { $acl->allow($role, 'admin', $allowed); } foreach ($permissions['deny'] as $denied) { $acl->deny($role, 'admin', $denied); } } } return $acl; }; }
/** * Registriert die Module aus der DB mit Zend/Auth * Setzt die Rechte der Gruppen * * @param $sm */ public function __construct($sm) { $authSessionStorage = new Session('AUTH_IDENTITY'); parent::__construct($authSessionStorage); $em = $sm->get('Doctrine\\ORM\\EntityManager'); $acl = new ZendAcl(); // add roles foreach ($em->getRepository('Auth\\Entity\\Role')->findBy(array(), array('parentId' => 'ASC')) as $role) { if ($role->parent) { $parentName = $role->parent->name; } else { $parentName = null; } $acl->addRole(new GenericRole($role->name), $parentName); } // add resources + action foreach ($em->getRepository('Auth\\Entity\\Resource')->findBy(array(), array('modul' => 'DESC')) as $resource) { $ressouceName = $resource->modul; if ($resource->action) { $ressouceName .= '/' . $resource->action; } if ($resource->subAction) { $ressouceName .= '/' . $resource->subAction; } $acl->addResource(new GenericResource($ressouceName)); } unset($ressouceName); // deny all $acl->deny(null); // add permissions foreach ($em->getRepository('Auth\\Entity\\Permission')->findAll() as $permission) { // allow $permissionName = $permission->resource->modul; if ($permission->resource->action) { $permissionName .= '/' . $permission->resource->action; } if ($permission->resource->subAction) { $permissionName .= '/' . $permission->resource->subAction; } $acl->allow($permission->gruppe->name, $permissionName); } // register identity if (!$this->hasIdentity()) { // register as gast $benutzer = new Benutzer(); $benutzer->setUsername('Unbekannter User'); $benutzer->setId(0); $benutzer->setLoggedIn(false); $gruppe = new Role(); $gruppe->id = 2; $gruppe->name = 'Gast'; $gruppe->supervisor = 0; $benutzer->setGruppe($gruppe); if (!$benutzer) { throw new \Exception('Gastbenutzer mit der ID -1 nicht vorhanden - bitte direkt in der Datenbank anlegen'); } $this->getStorage()->write($benutzer); } // register acl in navigation \Zend\View\Helper\Navigation\AbstractHelper::setDefaultAcl($acl); \Zend\View\Helper\Navigation\AbstractHelper::setDefaultRole($this->getIdentity()->getGruppe()->name); $this->acl = $acl; $this->sm = $sm; $this->em = $em; return $this; }
/** * Authorizes a request. If the authorization fails a 403 response code * will be set and the propagation will be stopped * * @param MvcEvent $e * @return void */ public function authorize(MvcEvent $e) { $routeParams = $e->getRouteMatch()->getParams(); $controller = isset($routeParams['controller']) ? $routeParams['controller'] : null; $action = isset($routeParams['action']) ? $routeParams['action'] : null; if (empty($controller) or empty($action)) { throw new \Exception('Couldn\'t resolve controller or action'); } $application = $e->getApplication(); $sm = $application->getServiceManager(); // Load the configuration $config = $sm->get('config'); if (!isset($config['acl']) or !is_array($config['acl']) or !isset($config['acl']['roles']) or !is_array($config['acl']['roles']) or !isset($config['acl']['resources']) or !is_array($config['acl']['resources']) or !isset($config['acl']['rules']) or !is_array($config['acl']['rules'])) { throw new \Exception('ACL\'s are not configured correctly'); } $aclConfig =& $config['acl']; $acl = new Acl(); // Deny as default policy $acl->deny(); // Add the roles foreach ($aclConfig['roles'] as $role) { $inherit = null; if (is_array($role)) { $inherit = $role[1]; $role = $role[0]; } $acl->addRole(new Role($role), $inherit); } // Add the resources foreach ($aclConfig['resources'] as $resource) { if (strpos($resource, $this->resourcePrefix . ':') === 0) { $acl->addResource(new Resource($resource)); } } // Set up the rules foreach ($aclConfig['rules'] as $rule) { $type = isset($rule[0]) ? $rule[0] : null; $role = isset($rule[1]) ? $rule[1] : null; $resource = isset($rule[2]) ? $rule[2] : null; if (!$type) { throw new \Exception('No type defined'); } if (!$role) { throw new \Exception('No role defined'); } switch ($type) { case 'allow': $acl->allow($role, $resource); break; case 'deny': $acl->deny($role, $resource); break; default: throw new \Exception('Invalid rule type'); break; } } // Set the resource based on the request params $resource = 'controller:' . $controller . ':' . $action; // Set the users role $role = 'guest'; $identity = $sm->get('ControllerPluginManager')->get('identity'); if ($user = $identity()) { $role = $user->role; } // Authorize try { return $acl->isAllowed($role, $resource); } catch (\Zend\Permissions\Acl\Exception\InvalidArgumentException $exception) { // If the route cannot be matched the router will show a 404 page; // everyone can access the 404 page $routeMatch = $e->getRouteMatch(); if (!$routeMatch or !$routeMatch->getMatchedRouteName()) { return true; } // Check if the controller/action exists. If they don't we return // true to make sure the 404 page is rendered $controllerLoader = $sm->get('ControllerLoader'); if (!$controllerLoader->has($controller)) { return true; } $controller = $controllerLoader->get($controller); $method = $controller::getMethodFromAction($action); if (!method_exists($controller, $method)) { return true; } $logger = $sm->get('Logger'); $logger->debug('Invalid ACL ressource requested: ' . $resource . ' (' . $exception->getMessage() . ')'); return false; } }
/** * Get service configuration. * * @return array Service configuration */ public function getServiceConfig() { return ['aliases' => ['Zend\\Authentication\\AuthenticationService' => 'user_auth_service'], 'invokables' => ['user_auth_storage' => 'Zend\\Authentication\\Storage\\Session', 'user_service_user' => 'User\\Service\\User', 'user_service_apiuser' => 'User\\Service\\ApiUser', 'user_service_email' => 'User\\Service\\Email'], 'factories' => ['user_bcrypt' => function ($sm) { $bcrypt = new \Zend\Crypt\Password\Bcrypt(); $config = $sm->get('config'); $bcrypt->setCost($config['bcrypt_cost']); return $bcrypt; }, 'user_hydrator' => function ($sm) { return new \DoctrineModule\Stdlib\Hydrator\DoctrineObject($sm->get('user_doctrine_em')); }, 'user_form_activate' => function ($sm) { return new \User\Form\Activate($sm->get('translator')); }, 'user_form_register' => function ($sm) { return new \User\Form\Register($sm->get('translator')); }, 'user_form_login' => function ($sm) { return new \User\Form\Login($sm->get('translator')); }, 'user_form_password' => function ($sm) { return new \User\Form\Password($sm->get('translator')); }, 'user_form_passwordreset' => function ($sm) { return new \User\Form\Register($sm->get('translator')); }, 'user_form_passwordactivate' => function ($sm) { return new \User\Form\Activate($sm->get('translator')); }, 'user_form_apitoken' => function ($sm) { $form = new \User\Form\ApiToken($sm->get('translator')); $form->setHydrator($sm->get('user_hydrator')); return $form; }, 'user_mapper_user' => function ($sm) { return new \User\Mapper\User($sm->get('user_doctrine_em')); }, 'user_mapper_newuser' => function ($sm) { return new \User\Mapper\NewUser($sm->get('user_doctrine_em')); }, 'user_mapper_apiuser' => function ($sm) { return new \User\Mapper\ApiUser($sm->get('user_doctrine_em')); }, 'user_mail_transport' => function ($sm) { $config = $sm->get('config'); $config = $config['email']; $class = '\\Zend\\Mail\\Transport\\' . $config['transport']; $optionsClass = '\\Zend\\Mail\\Transport\\' . $config['transport'] . 'Options'; $transport = new $class(); $transport->setOptions(new $optionsClass($config['options'])); return $transport; }, 'user_auth_adapter' => function ($sm) { $adapter = new \User\Authentication\Adapter\Mapper($sm->get('user_bcrypt'), $sm->get('application_service_legacy')); $adapter->setMapper($sm->get('user_mapper_user')); return $adapter; }, 'user_pin_auth_adapter' => function ($sm) { $adapter = new \User\Authentication\Adapter\PinMapper($sm->get('application_service_legacy')); $adapter->setMapper($sm->get('user_mapper_user')); return $adapter; }, 'user_auth_service' => function ($sm) { return new \Zend\Authentication\AuthenticationService($sm->get('user_auth_storage'), $sm->get('user_auth_adapter')); }, 'user_pin_auth_service' => function ($sm) { return new \Zend\Authentication\AuthenticationService($sm->get('user_auth_storage'), $sm->get('user_pin_auth_adapter')); }, 'user_remoteaddress' => function ($sm) { $remote = new \Zend\Http\PhpEnvironment\RemoteAddress(); return $remote->getIpAddress(); }, 'user_role' => function ($sm) { $authService = $sm->get('user_auth_service'); if ($authService->hasIdentity()) { return $authService->getIdentity(); } $apiService = $sm->get('user_service_apiuser'); if ($apiService->hasIdentity()) { return 'apiuser'; } $range = $sm->get('config')['tue_range']; if (strpos($sm->get('user_remoteaddress'), $range) === 0) { return 'tueguest'; } return 'guest'; }, 'acl' => function ($sm) { // initialize the ACL $acl = new Acl(); /** * Define all basic roles. * * - guest: everyone gets at least this access level * - tueguest: guest from the TU/e * - user: GEWIS-member * - apiuser: Automated tool given access by an admin * - admin: Defined administrators */ $acl->addRole(new Role('guest')); $acl->addRole(new Role('tueguest'), 'guest'); $acl->addRole(new Role('user'), 'tueguest'); $acl->addrole(new Role('apiuser'), 'guest'); $acl->addrole(new Role('sosuser'), 'apiuser'); $acl->addrole(new Role('active_member'), 'user'); $acl->addRole(new Role('admin')); $user = $sm->get('user_role'); // add user to registry if ($user instanceof User) { $roles = $user->getRoleNames(); // if the user has no roles, add the 'user' role by default if (empty($roles)) { $roles = ['user']; } // TODO: change this to getActiveOrganInstalltions() once 529 is fixed if (count($user->getMember()->getOrganInstallations()) > 0) { $roles[] = 'active_member'; } $acl->addRole($user, $roles); } // admins are allowed to do everything $acl->allow('admin'); // board members also are admins $acl->allow('user', null, null, new \User\Permissions\Assertion\IsBoardMember()); // configure the user ACL $acl->addResource(new Resource('apiuser')); $acl->addResource(new Resource('user')); $acl->allow('user', 'user', ['password_change']); // sosusers can't do anything $acl->deny('sosuser'); return $acl; }, 'user_doctrine_em' => function ($sm) { return $sm->get('doctrine.entitymanager.orm_default'); }], 'shared' => ['user_role' => false]]; }