public function initAcl(MvcEvent $e)
{
//Creamos el objeto ACL
$acl = new Acl();
//Incluimos la lista de roles y permisos, nos devuelve un array
$roles = (require 'config/autoload/acl.roles.php');
foreach ($roles as $role => $resources) {
//Indicamos que el rol será genérico
$role = new \Zend\Permissions\Acl\Role\GenericRole($role);
//Añadimos el rol al ACL
$acl->addRole($role);
//Recorremos los recursos o rutas permitidas
foreach ($resources["allow"] as $resource) {
//Si el recurso no existe lo añadimos
if (!$acl->hasResource($resource)) {
$acl->addResource(new \Zend\Permissions\Acl\Resource\GenericResource($resource));
}
//Permitimos a ese rol ese recurso
$acl->allow($role, $resource);
}
foreach ($resources["deny"] as $resource) {
//Si el recurso no existe lo añadimos
if (!$acl->hasResource($resource)) {
$acl->addResource(new \Zend\Permissions\Acl\Resource\GenericResource($resource));
}
//Denegamos a ese rol ese recurso
$acl->deny($role, $resource);
}
}
//Establecemos la lista de control de acceso
$e->getViewModel()->acl = $acl;
}
public function testBuildCanAcceptXMLAsString()
{
$content = file_get_contents(__DIR__ . '/fixtures/test.xml');
$this->object = new AclBuilder(new StringType($content), $this->acl);
$this->assertTrue($this->object->build());
$this->assertTrue($this->acl->hasRole('guest'));
$this->assertTrue($this->acl->hasResource('logout'));
$this->assertTrue($this->acl->isAllowed('guest', 'login'));
$this->assertTrue($this->acl->isAllowed('user', null, 'GET'));
}
private function _load()
{
if ($this->loaded == false) {
// Add roles
$config = $this->serviceLocator->get('config');
if (isset($config['acl']['role_providers'])) {
$roles = [];
foreach ($config['acl']['role_providers'] as $class => $options) {
/** @var \Acl\Provider\Role\ProviderInterface $roleProvider */
$roleProvider = $this->serviceLocator->get($class);
$roles = $roles + $roleProvider->getRoles();
}
foreach ($roles as $role) {
/** @var \Acl\Entity\Role $role */
$this->acl->addRole($role, $role->getParents());
}
}
// Add resources
if (isset($config['acl']['resource_providers'])) {
foreach ($config['acl']['resource_providers'] as $class => $options) {
/** @var \Acl\Provider\Resource\ProviderInterface $resourceProvider */
$resourceProvider = $this->serviceLocator->get($class);
$resources = $resourceProvider->getResources();
if ($resources) {
foreach ($resources as $r) {
if (!$this->acl->hasResource($r)) {
$this->acl->addResource($r);
}
}
}
}
}
// Add rules
if (isset($config['acl']['rule_providers'])) {
$rules = [];
foreach ($config['acl']['rule_providers'] as $class => $options) {
/** @var \Acl\Provider\Rule\ProviderInterface $ruleProvider */
$ruleProvider = $this->serviceLocator->get($class);
$rules = $rules + $ruleProvider->getRules();
}
foreach ($rules as $rule) {
/** @var \Acl\Entity\Rule $rule */
if ($rule->allow) {
$this->acl->allow($rule->obj_id, $rule->resource, $rule->privilege);
} else {
$this->acl->deny($rule->obj_id, $rule->resource, $rule->privilege);
}
}
}
$this->loaded = true;
}
}
public function loadPrivilege()
{
if (!$this->acl || !$this->acl instanceof \Zend\Permissions\Acl\Acl) {
return null;
}
$userService = $this->getServiceLocator()->get('User\\Service\\User');
/*@var $userService \User\Service\User */
if (!$userService->hasIdentity()) {
return null;
}
$user = $userService->getUser();
if (in_array($user->getRole(), [\User\Model\User::ROLE_ADMIN, \User\Model\User::ROLE_SUPERADMIN, \User\Model\User::ROLE_GUEST])) {
return null;
}
$dependence = $this->acl->getDependencies();
$resources = null;
if ($resources) {
foreach ($resources as $resource) {
if ($this->acl->hasResource($resource['resource'])) {
$this->acl->allow($user->getRole(), $resource['resource'], $resource['privilege']);
if (isset($dependence['/' . str_replace(':', '/', $resource['resource']) . '/' . $resource['privilege']])) {
foreach ($dependence['/' . str_replace(':', '/', $resource['resource']) . '/' . $resource['privilege']] as $depen) {
$arr = explode('/', $depen);
if (count($arr) == 4) {
if ($this->acl->hasResource($arr[1] . ':' . $arr[2])) {
$this->acl->allow($user->getRole(), $arr[1] . ':' . $arr[2], $arr[3]);
}
}
}
}
}
}
}
return $this->acl;
}
/**
* @param string|\Zend\Permissions\Acl\Resource\ResourceInterface $resource
* @return bool|void
*/
public function hasResource($resource)
{
if (is_null($this->acl)) {
$this->init();
}
return $this->acl->hasResource($resource);
}
/**
* autentica o usuário
*/
public function autenticaAction()
{
if ($this->getRequest()->isPost()) {
$this->adapter->setOptions(array('object_manager' => Conn::getConn(), 'identity_class' => 'MyClasses\\Entities\\AclUsuario', 'identity_property' => 'login', 'credential_property' => 'senha'));
$this->adapter->setIdentityValue($this->getRequest()->getPost('login'));
$this->adapter->setCredentialValue(sha1($this->getRequest()->getPost('senha')));
$result = $this->auth->authenticate($this->adapter);
if ($result->isValid()) {
$equipes = $result->getIdentity()->getEquipes();
$acl = new Acl();
$acl->addRole(new Role($equipes[0]->getPerfil()));
$recursos = $equipes[0]->getRecursos();
foreach ($recursos as $recurso) {
if (!$acl->hasResource($recurso->getRecurso())) {
/* echo "add recurso: ".
$perfil->getPerfil().", ".
$recurso->getRecurso()->getRecurso().", ".
$recurso->getPermissao(); */
$acl->addResource(new Resource($recurso->getRecurso()));
$acl->allow($equipes[0]->getPerfil(), $recurso->getRecurso());
}
}
$this->auth->getStorage()->write(array($result->getIdentity(), $equipes[0]->getPerfil(), $acl));
$this->layout()->id = $result->getIdentity()->getId();
$this->layout()->nome = $result->getIdentity()->getNome();
return new ViewModel(array('nome' => $result->getIdentity()->getNome()));
} else {
return new ViewModel(array('erro' => array_pop($result->getMessages())));
}
}
}
/**
* @param Acl $acl
* @param $resource
*/
protected function addAclResource(ZendAcl $acl, AclResource $resource)
{
if (!$acl->hasResource($resource->getResource())) {
$acl->addResource(new \Zend\Permissions\Acl\Resource\GenericResource($resource->getResource()));
}
return $this;
}
/**
* getAcl - This cannot be called before resources are parsed
*
* @param string $resourceId resourceId
* @param string $providerId @deprecated No Longer Required - providerId
*
* @return Acl
*/
public function getAcl($resourceId, $providerId)
{
if (!isset($this->acl)) {
$this->buildAcl();
}
/* resources privileges
we load the every time so they maybe updated dynamically
*/
$resources = $this->getResources($resourceId, $providerId);
foreach ($resources as $resource) {
if (!$this->acl->hasResource($resource)) {
$this->acl->addResource($resource, $resource->getParentResource());
}
$privileges = $resource->getPrivileges();
if (!empty($privileges)) {
foreach ($privileges as $privilege) {
if (!$this->acl->hasResource($privilege)) {
$this->acl->addResource($privilege, $resource);
}
}
}
}
// get only for resources
$rules = $this->getRules($resources);
/** @var AclRule $aclRule */
foreach ($rules as $aclRule) {
if ($aclRule->getRule() == AclRule::RULE_ALLOW) {
$this->acl->allow($aclRule->getRoleId(), $aclRule->getResourceId(), $aclRule->getPrivileges(), $aclRule->getAssertion());
} elseif ($aclRule->getRule() == AclRule::RULE_DENY) {
$this->acl->deny($aclRule->getRoleId(), $aclRule->getResourceId(), $aclRule->getPrivileges(), $aclRule->getAssertion());
}
}
return $this->acl;
}
public function createService(ServiceLocatorInterface $serviceLocator)
{
$config = $serviceLocator->get('config.helper')->get('acl');
$acl = new Acl();
foreach ($config['roles'] as $role => $parents) {
if (empty($parents)) {
$parents = null;
}
$role = new GenericRole($role);
$acl->addRole($role, $parents);
}
foreach ($config['resources'] as $permission => $controllers) {
foreach ($controllers as $controller => $actions) {
if (!$acl->hasResource($controller)) {
$acl->addResource(new GenericResource($controller));
}
foreach ($actions as $action => $role) {
if ($action == '*') {
$action = null;
}
if ($permission == 'allow') {
$acl->allow($role, $controller, $action);
} elseif ($permission == 'deny') {
$acl->deny($role, $controller, $action);
} else {
throw new Exception('No valid permission defined: ' . $permission);
}
}
}
}
if (class_exists('Zend\\View\\Helper\\Navigation')) {
Navigation::setDefaultAcl($acl);
}
return $acl;
}
/**
* Create the service using the configuration from the modules config-file
*
* @param ServiceLocator $services The ServiceLocator
*
* @see \Zend\ServiceManager\FactoryInterface::createService()
* @return Hybrid_Auth
*/
public function createService(ServiceLocatorInterface $serviceLocator)
{
$config = $serviceLocator->get('config');
$config = $config['acl'];
if (!isset($config['roles']) || !isset($config['resources'])) {
throw new \Exception('Invalid ACL Config found');
}
$roles = $config['roles'];
if (!isset($roles[self::DEFAULT_ROLE])) {
$roles[self::DEFAULT_ROLE] = '';
}
$this->admins = $config['admins'];
if (!isset($this->admins)) {
throw new \UnexpectedValueException('No admin-user set');
}
$acl = new Acl();
foreach ($roles as $name => $parent) {
if (!$acl->hasRole($name)) {
if (empty($parent)) {
$parent = array();
} else {
$parent = explode(',', $parent);
}
$acl->addRole(new Role($name), $parent);
}
}
foreach ($config['resources'] as $permission => $controllers) {
foreach ($controllers as $controller => $actions) {
if ($controller == 'all') {
$controller = null;
} else {
if (!$acl->hasResource($controller)) {
$acl->addResource(new Resource($controller));
}
}
foreach ($actions as $action => $role) {
if ($action == 'all') {
$action = null;
}
$assert = null;
if (is_array($role)) {
$assert = $serviceLocator->get($role['assert']);
$role = $role['role'];
}
$role = explode(',', $role);
foreach ($role as $roleItem) {
if ($permission == 'allow') {
$acl->allow($roleItem, $controller, $action, $assert);
} elseif ($permission == 'deny') {
$acl->deny($roleItem, $controller, $action, $assert);
} else {
continue;
}
}
}
}
}
return $acl;
}
private function addResources(Acl $acl)
{
foreach ($this->modules as $module) {
if (!$acl->hasResource($module)) {
$acl->addResource(strtolower($module));
}
}
}
public function getResourcesACL(\Zend\Permissions\Acl\Acl $acl, \Doctrine\ORM\EntityManager $em)
{
$repo = $em->getRepository('Security\\Entity\\RecursoSistema');
foreach ($repo->fetchPairs() as $recurso) {
$acl->addResource($recurso);
}
// carrega os recurso desprotegidos
foreach ($this->getRecursosDesprotegidos() as $recurso) {
if (!$acl->hasResource($recurso)) {
$acl->addResource($recurso);
}
}
return $acl;
}
/**
*/
private function initAcl()
{
if (!is_null($this->acl)) {
return;
}
$this->acl = new Acl();
$config = $this->getServiceLocator()->get('Config');
$roles = $config['acl']['roles'];
$allResources = array();
foreach ($roles as $role => $resources) {
$role = new GenericRole($role);
$this->acl->addRole($role);
$allResources = array_merge($resources, $allResources);
foreach ($resources as $resource) {
if (!$this->acl->hasResource($resource)) {
$this->acl->addResource(new GenericResource($resource));
}
}
foreach ($allResources as $resource) {
$this->acl->allow($role, $resource);
}
}
}
/**
* Tests basic Resource inheritance
*
* @return void
*/
public function testResourceInherits()
{
$resourceCity = new Resource\GenericResource('city');
$resourceBuilding = new Resource\GenericResource('building');
$resourceRoom = new Resource\GenericResource('room');
$this->_acl->addResource($resourceCity)->addResource($resourceBuilding, $resourceCity->getResourceId())->addResource($resourceRoom, $resourceBuilding);
$this->assertTrue($this->_acl->inheritsResource($resourceBuilding, $resourceCity, true));
$this->assertTrue($this->_acl->inheritsResource($resourceRoom, $resourceBuilding, true));
$this->assertTrue($this->_acl->inheritsResource($resourceRoom, $resourceCity));
$this->assertFalse($this->_acl->inheritsResource($resourceCity, $resourceBuilding));
$this->assertFalse($this->_acl->inheritsResource($resourceBuilding, $resourceRoom));
$this->assertFalse($this->_acl->inheritsResource($resourceCity, $resourceRoom));
$this->_acl->removeResource($resourceBuilding);
$this->assertFalse($this->_acl->hasResource($resourceRoom));
}
/**
* @deprecated this method will be removed in BjyAuthorize 2.0.x
*
* @param string[]|\Zend\Permissions\Acl\Resource\ResourceInterface[] $resources
* @param mixed|null $parent
*/
protected function loadResource(array $resources, $parent = null)
{
foreach ($resources as $key => $value) {
if (is_string($key)) {
$key = new GenericResource($key);
} elseif (is_int($key)) {
$key = new GenericResource($value);
}
if (is_array($value)) {
$this->acl->addResource($key, $parent);
$this->loadResource($value, $key);
} elseif (!$this->acl->hasResource($key)) {
$this->acl->addResource($key, $parent);
}
}
}
/**
* @deprecated this method will be removed in BjyAuthorize 2.0.x
*
* @param string[]|\Zend\Permissions\Acl\Resource\ResourceInterface[] $resources
* @param mixed|null $parent
*/
protected function loadResource($resources, $parent = null)
{
if (!is_array($resources) && !$resources instanceof \Traversable) {
throw new \InvalidArgumentException('Resources argument must be traversable: ' . print_r($resources, true));
}
foreach ($resources as $key => $value) {
if ($value instanceof ResourceInterface) {
$key = $value;
} elseif (is_string($key)) {
$key = new GenericResource($key);
} elseif (is_int($key)) {
$key = new GenericResource($value);
}
if (is_array($value) || $value instanceof \Traversable) {
$this->acl->addResource($key, $parent);
$this->loadResource($value, $key);
} elseif (!$this->acl->hasResource($key)) {
$this->acl->addResource($key, $parent);
}
}
}
/**
* set Roles and Resource for ACL
*
* @return Acl
*/
protected function setAcl()
{
$guestRole = new Role(self::DEFAULT_ROLE);
$userRole = new Role(self::USER_ROLE);
$adminRole = new Role(self::ADMIN_ROLE);
$this->acl->addRole($guestRole);
$this->acl->addRole($userRole, $guestRole);
$this->acl->addRole($adminRole, $userRole);
$roleResource = new RoleResourcePermissionFromArray();
$roles = $roleResource->getListRoleResourcePermission();
foreach ($roles as $role => $roleResource) {
//adding resources
foreach ($roleResource as $permission => $resources) {
foreach ($resources as $resource) {
if (!$this->acl->hasResource($resource['resource'])) {
$this->acl->addResource(new Resource($resource['resource']));
}
if (count($resource['permission']) > 0 && $permission != 'deny') {
$this->acl->allow($role, $resource['resource'], $resource['permission']);
} else {
$this->acl->deny($role, $resource['resource'], $resource['permission']);
}
}
}
}
/*
foreach ($roles['deny'] as $role => $resources) {
//adding resources
foreach ($resources as $resource) {
if (!$this->acl->hasResource($resource['resource']))
$this->acl->addResource(new Resource($resource['resource']));
if (count($resource['permission']) > 0)
$this->acl->deny($role, $resource['resource'], $resource['permission']);
}
}
*/
return $this->acl;
}
/**
* Builds ACL from base ACL + database table acl_allow
* @return Zend\Permissions\Acl $acl
*/
public function buildAcl()
{
// 2015-03-19 DB: ACL is now built completely from the ground up
$acl = new Acl();
// NOTE: roles are defined in config/autoload/roles.global.php
foreach ($this->rolesInheritance as $key => $value) {
if ($value) {
$acl->addRole($key, $value);
} else {
$acl->addRole($key);
}
}
// get list of resources
$allowList = $this->aclAllowTable->fetchAll();
// add resources to ACL
foreach ($allowList as $item) {
$resource = $item->controller;
if (!$acl->hasResource($resource)) {
$acl->addResource($resource);
}
$acl->allow($item->role, $resource, explode(',', $item->actions));
}
return $acl;
}
/**
* Create acl instance
*
* @return Acl
*/
public function buildAcl()
{
// create acl
$acl = new Acl();
$acl->addRole('guest');
$acl->addRole('customer', 'guest');
$acl->addRole('staff', 'customer');
$acl->addRole('admin', 'staff');
// loop through role data
foreach ($this->config as $role => $resources) {
// loop through resource data
foreach ($resources as $resource => $rules) {
// check for resource
if (!$acl->hasResource($resource)) {
$acl->addResource($resource);
}
// loop trough rules
foreach ($rules as $rule => $privileges) {
// add rule with privileges
$acl->{$rule}($role, $resource, $privileges);
}
}
}
// pass acl
return $acl;
}
public function testBuildItemWillAddResourcesToAcl()
{
$this->assertFalse($this->acl->hasResource('logout'));
$this->assertTrue($this->object->buildItem());
$this->assertTrue($this->acl->hasResource('logout'));
}
public function initAcl(MvcEvent $e)
{
$application = $e->getApplication();
$sm = $application->getServiceManager();
$acl = new Acl();
$roles = $sm->get("Application\\Model\\RolesBO");
$recursos = $sm->get("Application\\Model\\RecursosBO");
$rolesRecursos = $sm->get("Application\\Model\\RolesRecursosBO");
$usuarios = $sm->get("Application\\Model\\UsuariosBO");
// Se listan todos los recursos y se los agrega a la ACL
foreach ($recursos->obtenerTodos() as $recurso) {
if (!$acl->hasResource($recurso->getRecursosID())) {
$genericResource = new GenericResource($recurso->getRecursosID());
$acl->addResource($genericResource);
}
}
// Se registra el rol en la ACL
$sesion = new Container("CoreAppSesion");
if (!$acl->hasRole($sesion->user_rol_id)) {
$genericRole = new GenericRole($sesion->user_rol_id);
$acl->addRole($genericRole);
}
$services = $application->getServiceManager();
// obtenemos todos los recuersosque tiene la ACL
foreach ($acl->getResources() as $resource) {
// Obtenemos los recursos disponibles para el rol
foreach ($rolesRecursos->obtenerRecursosPorRol($sesion->user_rol_id) as $recursoAsignado) {
// Si el recurso asignado es el mismo recurso de la ACL lo permitimos
if ($resource == $recursoAsignado->getAppRecursosID()) {
$acl->allow($genericRole, $acl->getResource($resource));
}
}
}
// Si el recurso no esta permitido lo denegamos
foreach ($acl->getResources() as $resource) {
if (!$acl->isAllowed($genericRole, $acl->getResource($resource))) {
$acl->deny($genericRole, $acl->getResource($resource));
}
}
$this->acl = $acl;
}
/**
* Check if the ACL allows accessing the function or method
*
* @param string|object $object Object or class being accessed
* @param string $function Function or method being accessed
* @return unknown_type
* @throws Exception\RuntimeException
*/
protected function _checkAcl($object, $function)
{
if (!$this->_acl) {
return true;
}
if ($object) {
$isObject = is_object($object);
$class = $isObject ? get_class($object) : $object;
if (!$this->_acl->hasResource($class)) {
$this->_acl->addResource(new Acl\Resource\GenericResource($class));
}
if (method_exists($object, 'initAcl')) {
// if initAcl returns false, no ACL check
if ($isObject) {
if (!$object->initAcl($this->_acl)) {
return true;
}
} elseif (!$class::initAcl($this->_acl)) {
return true;
}
}
} else {
$class = null;
}
$auth = $this->getAuthService();
if ($auth->hasIdentity()) {
$role = $auth->getIdentity()->role;
} else {
if ($this->_acl->hasRole(Constants::GUEST_ROLE)) {
$role = Constants::GUEST_ROLE;
} else {
throw new Exception\RuntimeException("Unauthenticated access not allowed");
}
}
if ($this->_acl->isAllowed($role, $class, $function)) {
return true;
} else {
throw new Exception\RuntimeException("Access not allowed");
}
}
