/** * authenticate complete menu * checks whether current user/admin fulfills requirements defined in site.ini.xml * * if a menu needs authentication and admin meets the required authentication level the menu entries are checked * if single entries require a higher authentication level, they are hidden by setting their display-property to "none" * * authenticateMenuByTableRowAccess(Menu $m) * authenticateMenuByMiscRules(Menu $m) * should be implemented on a per-application level * * @param Menu $m * @return boolean */ protected function authenticateMenu(Menu $m) { if (is_null($m->getAuth())) { return TRUE; } $admin = User::getSessionUser(); if (!$admin || !$admin->isAuthenticated()) { return FALSE; } // unhide all menu entries, in case privileges have changed foreach ($m->getEntries() as $e) { $e->setAttribute('display', NULL); } // superadmin sees everything if ($admin->hasSuperAdminPrivileges()) { return TRUE; } // handle different authentication levels if ($m->getAuth() === User::AUTH_OBSERVE_TABLE && $admin->getPrivilegeLevel() >= User::AUTH_OBSERVE_TABLE) { if ($this->authenticateMenuByTableRowAccess($m)) { foreach ($m->getEntries() as $e) { if (!$this->authenticateMenuEntry($e)) { $e->setAttribute('display', 'none'); } } return TRUE; } else { return FALSE; } } if ($m->getAuth() === User::AUTH_OBSERVE_ROW && $admin->getPrivilegeLevel() >= User::AUTH_OBSERVE_ROW) { if ($this->authenticateMenuByTableRowAccess($m)) { foreach ($m->getEntries() as $e) { if (!$this->authenticateMenuEntry($e)) { $e->setAttribute('display', 'none'); } } return TRUE; } else { return FALSE; } } if ($m->getAuth() >= $admin->getPrivilegeLevel()) { foreach ($m->getEntries() as $e) { if (!$e->isAuthenticatedBy($admin->getPrivilegeLevel())) { $e->setAttribute('display', 'none'); } } return TRUE; } // optional custom fallback return $this->authenticateMenuByMiscRules($m); }
/** * Parse XML menu entries and creates menu instance * * @param simpleXmlElement $menu * @return Menu */ private function parseMenu(\SimpleXMLElement $menu) { $a = $menu->attributes(); $root = isset($a->script) ? (string) $a->script : $this->site->root_document; $type = isset($a->type) && (string) $a->type === 'dynamic' ? 'dynamic' : 'static'; $service = !empty($a->service) ? (string) $a->service : NULL; $id = !empty($a->id) ? (string) $a->id : NULL; if ($type === 'dynamic' && !$service) { throw new ConfigException("A dynamic menu requires a configured service."); } $m = new Menu($root, $id, $type, $service); if (isset($a->auth)) { // set optional authentication level; if level is not defined, menu is locked for everyone // if auth level is defined, additional authentication parameters can be set $menuAuth = strtoupper(trim((string) $a->auth)); if (defined("vxPHP\\User\\User::AUTH_{$menuAuth}")) { $m->setAuth(constant("vxPHP\\User\\User::AUTH_{$menuAuth}")); if (isset($a->auth_parameters)) { $m->setAuthParameters((string) $a->auth_parameters); } } else { $m->setAuth(-1); } } else { $menuAuth = NULL; } foreach ($menu->children() as $entry) { if ($entry->getName() == 'menuentry') { $a = $entry->attributes(); if (isset($a->page) && isset($a->path)) { throw new ConfigException(sprintf("Menu entry with both page ('%s') and path ('%s') attribute found.", (string) $a->page, (string) $a->path)); } // menu entry comes with a path attribute (which can also link an external resource) if (isset($a->path)) { $path = (string) $a->path; $local = strpos($path, '/') !== 0 && !preg_match('~^[a-z]+://~', $path); $e = new MenuEntry($path, $a, $local); } else { if (isset($a->page)) { $page = (string) $a->page; if (!isset($this->routes[$m->getScript()][$page])) { throw new ConfigException(sprintf("No route for menu entry ('%s') found. Available routes for script '%s' are '%s'.", $page, $m->getScript(), empty($this->routes[$m->getScript()]) ? 'none' : implode("', '", array_keys($this->routes[$m->getScript()])))); } $e = new MenuEntry((string) $this->routes[$m->getScript()][$page]->getPath(NULL, TRUE), $a, TRUE); } } // handle authentication settings of menu entry if ($menuAuth || isset($a->auth)) { // fallback to menu settings, when auth attribute is not set if (!isset($a->auth)) { $e->setAuth($m->getAuth()); $e->setAuthParameters($m->getAuthParameters()); } else { // set optional authentication level; if level is not defined, entry is locked for everyone // if auth level is defined, additional authentication parameters can be set $auth = strtoupper(trim((string) $a->auth)); if (defined("UserAbstract::AUTH_{$auth}")) { $e->setAuth(constant("UserAbstract::AUTH_{$auth}")); if (isset($a->auth_parameters)) { $e->setAuthParameters((string) $a->auth_parameters); } } else { $e->setAuth(-1); } } } $m->appendEntry($e); if (isset($entry->menu)) { $e->appendMenu($this->parseMenu($entry->menu)); } } else { if ($entry->getName() == 'menuentry_placeholder') { $a = $entry->attributes(); $e = new DynamicMenuEntry(NULL, $a); $m->appendEntry($e); } } } return $m; }