public function preDispatch(Zend_Controller_Request_Abstract $request)
{
$this->_initAcl();
if ($this->_auth->hasIdentity()) {
$ident = $this->_auth->getIdentity();
$date = new Zend_Date();
$ident->last_login = $date->get(DATABASE_DATE_FORMAT);
$ident->save();
}
if ($request->getControllerName() != 'admin' && $request->getModuleName() != 'admin') {
return;
}
// if this is not admin skip the rest
if (!$this->_auth->hasIdentity() && !($request->getControllerName() == 'auth' && $request->getActionName() == 'login' && $request->getModuleName() == 'admin')) {
$redirect = new Zend_Controller_Action_Helper_Redirector();
$redirect->gotoSimple('login', 'auth', 'admin');
}
if ($request->getModuleName() == 'user' && $request->getControllerName() == 'admin' && $request->getActionName() == 'profile') {
return;
}
// the profile is a free resource
$resource = $request->getModuleName() . '_' . $request->getControllerName();
$hasResource = $this->_acl->has($resource);
if ($hasResource && !$this->_acl->isAllowed('fansubcms_user_custom_role_logged_in_user', $resource, $request->getActionName())) {
throw new FansubCMS_Exception_Denied('The user is not allowd to do this');
}
}
public function checkAccess(Zend_Controller_Request_Abstract $request)
{
$resource = new User_Model_Acl_Resource();
$resource->getPrivileges($request);
if (!$resource->privileges || !$resource->resource_id) {
//error in getting resource privileges or nobody is allowed access, deny access and redirect to forbidden
return false;
}
$acl = new Zend_Acl();
$acl->add(new Zend_Acl_Resource($resource->resource_id));
foreach ($resource->privileges as $key => $privilege) {
if (!$acl->hasRole($privilege["role_id"])) {
$acl->addRole(new Zend_Acl_Role($privilege["role_id"]));
$acl->allow($privilege["role_id"], $resource->resource_id);
}
}
$authorization = Zend_Auth::getInstance();
if ($authorization->hasIdentity()) {
$user = $authorization->getIdentity();
if ($acl->hasRole($user['role_id']) && $acl->isAllowed($user['role_id'], $resource->resource_id)) {
//role has access
return true;
}
//user role does not have access to this resource
return false;
} else {
$aclrole = new User_Model_Acl_Role();
$aclrole->getDefaultRole();
if (!$aclrole->default_role || !$acl->hasRole($aclrole->default_role) || !$acl->isAllowed($aclrole->default_role, $resource->resource_id)) {
//redirect to login
return false;
}
}
return true;
}
/**
* Check the acl
*
* @param string $resource
* @param string $privilege
* @return boolean
*/
public function isAllowed($resource = null, $privilege = null)
{
if (null === $this->_acl) {
return null;
}
return $this->_acl->isAllowed($this->getIdentity(), $resource, $privilege);
}
/**
* Hook into action controller preDispatch() workflow
*
* @return void
*/
public function preDispatch()
{
$role = Zend_Registry::get('config')->acl->defaultRole;
if ($this->_auth->hasIdentity()) {
$user = $this->_auth->getIdentity();
if (is_object($user) && !empty($user->role)) {
$role = $user->role;
}
}
$request = $this->_action->getRequest();
$controller = $request->getControllerName();
$action = $request->getActionName();
$module = $request->getModuleName();
$this->_controllerName = $controller;
$resource = $controller;
$privilege = $action;
if (!$this->_acl->has($resource)) {
$resource = null;
}
if ($resource == 'error' && $privilege == 'error') {
return;
}
if (!$this->_acl->isAllowed($role, $resource, $privilege)) {
$request->setModuleName('default')->setControllerName('auth')->setActionName('noaccess');
$request->setDispatched(false);
return;
}
}
/**
* @param Zend_Controller_Request_Abstract $oHttpRequest
*/
public function preDispatch(Zend_Controller_Request_Abstract $oHttpRequest)
{
$sControllerName = $oHttpRequest->getControllerName();
$sActionName = $oHttpRequest->getActionName();
$aRequestedParams = $oHttpRequest->getUserParams();
$sQuery = '';
unset($aRequestedParams['controller']);
unset($aRequestedParams['action']);
// Define user role
if (Zend_Auth::getInstance()->hasIdentity()) {
$aData = Zend_Auth::getInstance()->getStorage()->read();
$sRole = $aData['role'];
} else {
// Default role
$sRole = 'guest';
}
// Check access
if (!$this->_oAcl->isAllowed($sRole, $sControllerName, $sActionName)) {
$oHttpRequest->setParam('referer_controller', $sControllerName);
$oHttpRequest->setParam('referer_action', $sActionName);
$aParams = array();
if (count($aRequestedParams)) {
foreach ($aRequestedParams as $sKey => $sValue) {
$aParams[] = $sKey;
$aParams[] = $sValue;
}
$sQuery = implode('/', $aParams) . '/';
}
$oHttpRequest->setParam('query', $sQuery);
$oHttpRequest->setControllerName('auth')->setActionName('login');
$this->_response->setHttpResponseCode(401);
}
}
public function testDeniesProfileEditToNonAdmin()
{
$mapper = new Default_Model_Mapper_Mongo_UserMapper();
$user = $mapper->findByUserName('foo');
$profile = $mapper->findByUserName('admin');
$b = $this->_acl->isAllowed($user, $profile, 'update');
$this->assertFalse($b);
}
public function isAllowed($resource = null, $privilege = null, $role = null)
{
// Default business rule to return null instead of throwing exceptions for non-known resources
if (!$this->_acl->has($resource)) {
$resource = null;
}
return $this->_acl->isAllowed($resource, $privilege, $role);
}
protected function _isAuthorized($resource, $action)
{
$user = $this->_auth->hasIdentity() ? $this->_auth->getIdentity() : 'guest';
if (!$this->_acl->has($resource) || !$this->_acl->isAllowed($user, $resource, $action)) {
return false;
}
return true;
}
protected function _isAuthorized($controller, $action)
{
$this->_acl = Zend_Registry::get('acl');
$user = $this->_auth->getIdentity();
if (!$this->_acl->has($controller) || !$this->_acl->isAllowed($user, $controller, $action)) {
return false;
}
return true;
}
/**
* 是否有权限
*
* @param string $action
* @param string $controller
* @param string $module
* @param array $params
* @return boolean
*/
public function isAllowed($action, $controller, $module, $params = array())
{
$resource = ZtChart_Model_Acl_Resource::parsePageMvc($action, $controller, $module);
if (!$this->_acl->has($resource)) {
return true;
} else {
return $this->_acl->isAllowed($this->_role(), $resource, $this->_privileges());
}
}
/**
* Checks if user has the right to do privilege on resource
*
* @param Zend_Acl_Resource $resource
* @param string $privilege
* @return boolean
*/
public function isAllowed($resource, $privilege)
{
if (empty(self::$_acl)) {
self::$_acl = Zend_Registry::get('Zend_Acl');
}
if (!self::$_acl->has($resource)) {
return true;
}
return self::$_acl->isAllowed('fansubcms_user_custom_role_logged_in_user', $resource, $privilege);
}
/**
* Grant access if the user owns the record or the parent exhibit.
*/
public function assert(Zend_Acl $acl, Zend_Acl_Role_Interface $role = null, Zend_Acl_Resource_Interface $resource = null, $privilege = null)
{
$allPriv = $privilege . 'All';
$selfPriv = $privilege . 'Self';
if (!$role instanceof User) {
return false;
} else {
$allowedAll = $acl->isAllowed($role, $resource, $allPriv);
$allowedSelf = $acl->isAllowed($role, $resource, $selfPriv);
$ownsRecord = $this->_userOwnsRecord($role, $resource);
return $allowedAll || $allowedSelf && $ownsRecord;
}
}
/**
*(non-PHPdoc)
*
* @see Zend_Controller_Plugin_Abstract::preDispatch()
*/
public function preDispatch(Zend_Controller_Request_Abstract $request)
{
/**
* Recupera a identidade do usuario logado
*
* @var Array
*/
$role = $this->auth->getIdentity();
/**
* Recursos que se deseja acesso
*
* @var String
*/
$resource = $this->getRequest()->getModuleName();
/**
* Ação permitida dentro de um resource
*
* @var String
*/
$action = $this->getRequest()->getModuleName() != 'admin' && $this->getRequest()->getModuleName() != 'sac' ? null : $this->getRequest()->getControllerName();
// Verificação condicional para os controllers e actions de upload
if (!($request->getActionName() == 'upload' || $request->getControllerName() == 'upload')) {
// Verifica se ha lixo na autenticacao
if (!is_array($role)) {
// Parametros
$params = array();
// Destroi qualquer instancia de autenticacao
$this->auth->clearIdentity();
// Altera a rota de destino
$request->setModuleName('admin')->setControllerName('login')->setActionName('index');
return;
}
// Verifica se o recurso existe e se o usuario logado tem acesso
if (!$this->acl->has($resource) || !$this->acl->isAllowed($role['usuario'], $resource, $action)) {
// Parametros
$params = array();
// Redireciona para o controller de login
if ($role['usuario'] != 'visitante') {
$params['erro'] = 'Você não possui permissão de acesso a este recurso.';
$request->setModuleName('admin')->setControllerName('index')->setActionName('index')->setParams($params);
} else {
if ($this->getRequest()->getModuleName() == "sac") {
$request->setModuleName('sac')->setControllerName('login')->setActionName('index')->setParams($params);
} else {
$request->setModuleName('admin')->setControllerName('login')->setActionName('index')->setParams($params);
}
}
return;
}
}
}
/**
* Called before an action is dispatched by Zend_Controller_Dispatcher.
*
* This callback allows for proxy or filter behavior. By altering the
* request and resetting its dispatched flag (via
* {@link Zend_Controller_Request_Abstract::setDispatched() setDispatched(false)}),
* the current action may be skipped.
*
* @param Zend_Controller_Request_Abstract $request
* @return void
*/
public function preDispatch(Zend_Controller_Request_Abstract $request)
{
// reset role & resource
Zend_Registry::set('Role', 'guest');
Zend_Registry::set('Resource', '');
// check if ErrorHandler wasn't fired
if ($request->getParam('error_handler')) {
return;
}
$module = $request->getModuleName();
$controller = $request->getControllerName();
$action = $request->getActionName();
$pathInfo = $request->getPathInfo();
$allow = false;
if ($this->_auth->hasIdentity()) {
$userId = $this->_auth->getIdentity();
$roleId = $this->_auth->getRoleId();
$rolesList = $this->_em->find('Roles', $roleId);
$roleName = $rolesList->getRoleName();
$role = new Zend_Acl_Role($roleName);
} else {
$roleName = 'guest';
$role = new Zend_Acl_Role($roleName);
}
$resource = $action == '' ? trim($controller) . '/index' : trim($controller) . '/' . trim($action);
$resource = $module == 'default' ? $resource : $module . "/" . $resource;
// on main page resource might be empty
if ($resource == '') {
$resource = 'index/index';
}
// if resource not exist in db then check permission for controller
if (!$this->_acl->has($resource) && $action != '') {
$resource = trim($controller);
}
// check if user is allowed to see the page
$allow = $this->_acl->isAllowed($role, $resource);
if ($allow == false && $this->_auth->hasIdentity()) {
// user logged in but denied permission
$request->setModuleName('default');
$request->setControllerName('error');
$request->setActionName('forbidden');
/* $this->_response->setHeader('Content-type', 'text/html');
$this->_response->setHttpResponseCode(403);
$this->_response->setBody('<h1>403 - Forbidden</h1>');
$this->_response->sendResponse(); */
}
Zend_Registry::set('Role', $role);
Zend_Registry::set('Resource', $resource);
}
public function assert(Zend_Acl $acl, Zend_Acl_Role_Interface $role = null, Zend_Acl_Resource_Interface $resource = null, $privilege = null)
{
if ($acl->isAllowed($role, $resource, $privilege . ':all')) {
return true;
} elseif ($acl->isAllowed($role, $resource, $privilege . ':mine')) {
if ($resource->createdBy == $role->id) {
return true;
} else {
return false;
}
} else {
return false;
}
}
/**
* @param \Zend_Acl_Role $role
*/
private function checkRole(\Zend_Acl_Role $role)
{
$resource = $this->getResource();
if (!$this->acl->has($resource)) {
$errModule = 'gallery';
$errController = 'error';
$errAction = 'error404';
$this->_request->setModuleName($errModule)->setControllerName($errController)->setActionName($errAction);
return;
}
if (!$this->acl->isAllowed($role, $resource)) {
$this->_request->setModuleName('admin')->setControllerName('auth')->setActionName('login');
return;
}
}
/**
* Hook into action controller preDispatch() workflow
*
* @return void
*/
public function preDispatch()
{
$role = 'guest';
// die($role);
if ($this->_auth->hasIdentity()) {
$user = $this->_auth->getIdentity();
if (is_object($user)) {
$role = $this->_auth->getIdentity()->role;
}
}
$request = $this->_action->getRequest();
$controller = $request->getControllerName();
$action = $request->getActionName();
$module = $request->getModuleName();
// $this->view->getLayout()->setLayout($module);
$this->_controllerName = $controller;
$resource = $controller;
$privilege = $action;
if (!$this->_acl->has($resource)) {
$resource = null;
}
if (!$this->_acl->isAllowed($role, $resource, $privilege)) {
if (!$this->_auth->hasIdentity()) {
$noPermsAction = $this->_acl->getNoAuthAction();
} else {
$noPermsAction = $this->_acl->getNoAclAction();
}
$request->setModuleName($noPermsAction['module']);
$request->setControllerName($noPermsAction['controller']);
$request->setActionName($noPermsAction['action']);
$request->setDispatched(false);
}
}
/**
* Notifies whether the logged-in user has permission for a given resource/
* privilege combination.
*
* If an ACL resource being checked has not been defined, access to that
* resource should not be controlled. This allows plugin writers to
* implement controllers without also requiring them to be aware of the ACL.
*
* Conversely, in the event that an ACL resource has been defined, all access
* permissions for that controller must be properly defined.
*
* The names of resources should correspond to the name of the controller
* class minus 'Controller', e.g.
* Geolocation_IndexController -> 'Geolocation_Index'
* CollectionsController -> 'Collections'
*
* @param string $privilege
* @param Zend_Acl_Resource|string|null (Optional) Resource to check.
* @see getResourceName()
* @return boolean
*/
public function isAllowed($privilege, $resource = null)
{
$allowed = $this->_allowed;
if (isset($allowed[$privilege])) {
return $allowed[$privilege];
}
if ($resource instanceof Zend_Acl_Resource_Interface) {
$resourceObj = $resource;
$resourceName = $resourceObj->getResourceId();
} else {
if (is_string($resource)) {
$resourceName = $resource;
} else {
if (!$resource) {
$resourceName = $this->getResourceName();
}
}
}
// Plugin writers do not need to define an ACL in order for their
// controllers to work.
if (!$this->_acl->has($resourceName)) {
return true;
}
if (!isset($resourceObj)) {
$resourceObj = $this->_acl->get($resourceName);
}
return $this->_acl->isAllowed($this->_currentUser, $resourceObj, $privilege);
}
/**
* Checl whether the user can execute the action on the named resource
*
* @param String $resourceName The name of the resource
* @param String $action The action to be executred
*/
function checkPermission($resourceName, $action)
{
// make the resourcenmae lower case to match the ones which were loaded
$resourceName = strtolower($resourceName);
if (!$this->availableGroups) {
// there are no groups loaded
return false;
}
foreach ($this->availableGroups as $group) {
try {
// check if the action can be executed on the resource for the specific role
// use the parent method since we are dealing with one role at a time here
if (parent::isAllowed($group, $resourceName, $action)) {
// action is allowed on the resource
return true;
}
} catch (Zend_Exception $ze) {
// either a resource or a group is not defined in the ACL. Deny access to it
error_log($ze->__toString());
return false;
}
}
// by default the action is denied on the resource
return false;
}
/**
* @group 4226
*/
public function testAllowNullPermissionAfterResourcesExistShouldAllowAllPermissionsForRole()
{
$this->_acl->addRole('admin');
$this->_acl->addResource('newsletter');
$this->_acl->allow('admin');
$this->assertTrue($this->_acl->isAllowed('admin'));
}
/**
* Checks if user has the right to do privilege on resource
*
* @param Zend_Acl_Resource $resource
* @param string $privilege
* @return boolean
*/
public function isAllowed($resource, $privilege)
{
if (!$this->acl->has($resource)) {
return true;
}
return $this->acl->isAllowed('fansubcms_user_custom_role_logged_in_user', $resource, $privilege);
}
/**
* Hook into action controller preDispatch() workflow
*
* @return void
*/
public function preDispatch()
{
$role = 'public';
if ($this->getAuth()->hasIdentity()) {
$user = $this->getAuth()->getIdentity();
if (is_object($user)) {
$role = $this->getAuth()->getIdentity()->role;
}
}
$request = $this->getAction()->getRequest();
$controller = $request->getControllerName();
$action = $request->getActionName();
$module = $request->getModuleName();
$this->_controllerName = $controller;
$resource = $controller;
$privilege = $action;
if (!$this->_acl->has($resource)) {
$resource = null;
}
if (!$this->_acl->isAllowed($role, $resource, $privilege)) {
$request->setModuleName('default');
$request->setControllerName('error');
$request->setActionName('notauthorised');
$request->setDispatched(false);
}
}
public function preDispatch(Zend_Controller_Request_Abstract $request)
{
$acl = new Zend_Acl();
$acl->addRole(new Zend_Acl_Role(Model_Role::GUEST));
$acl->addRole(new Zend_Acl_Role(Model_Role::ADMIN), Model_Role::GUEST);
$acl->addResource(new Zend_Acl_Resource('admin'));
$acl->addResource(new Zend_Acl_Resource('blog'));
$acl->addResource(new Zend_Acl_Resource('error'));
$acl->addResource(new Zend_Acl_Resource('index'));
$acl->allow(Model_Role::GUEST, 'blog');
$acl->allow(Model_Role::GUEST, 'error');
$acl->allow(Model_Role::GUEST, 'index');
$acl->allow(Model_Role::GUEST, 'admin', array('login'));
$acl->allow(Model_Role::ADMIN, 'admin');
$auth = Zend_Auth::getInstance();
if ($auth->hasIdentity()) {
$user = new Model_User($auth->getIdentity());
$role = $user->role_id;
} else {
$role = Model_Role::GUEST;
}
$resource = $request->getControllerName();
$privilege = $request->getActionName();
if (!$acl->isAllowed($role, $resource, $privilege)) {
$this->_request->setControllerName('admin')->setActionName('login');
$this->_response->setRedirect('/admin/login/');
}
}
/**
* Checks the Acl to see if this $user (role) can preform this $action on this $resource. If no specific rules have been defined for this $resource or the specific resource doesn't exist,
* this function will return false.
*
* @param string|Zend_Acl_Role_Interface $user The user to check
* @param string|Zend_Acl_Resource_Interface $resource The resource to check
* @param string $action The privilege to check
* @return boolean
*/
function isSpecificallyAllowed($user, $resource, $action)
{
if ($this->acl->has($resource)) {
return $this->acl->isAllowed($user, $resource, $action);
}
return false;
}
/**
* @group ZF-9643
*/
public function testRemoveDenyWithNullResourceAppliesToAllResources()
{
$this->_acl->addRole('guest');
$this->_acl->addResource('blogpost');
$this->_acl->addResource('newsletter');
$this->_acl->allow();
$this->_acl->deny('guest', 'blogpost', 'read');
$this->_acl->deny('guest', 'newsletter', 'read');
$this->assertFalse($this->_acl->isAllowed('guest', 'blogpost', 'read'));
$this->assertFalse($this->_acl->isAllowed('guest', 'newsletter', 'read'));
$this->_acl->removeDeny('guest', 'newsletter', 'read');
$this->assertFalse($this->_acl->isAllowed('guest', 'blogpost', 'read'));
$this->assertTrue($this->_acl->isAllowed('guest', 'newsletter', 'read'));
$this->_acl->removeDeny('guest', null, 'read');
$this->assertTrue($this->_acl->isAllowed('guest', 'blogpost', 'read'));
$this->assertTrue($this->_acl->isAllowed('guest', 'newsletter', 'read'));
// ensure deny null/all resources works
$this->_acl->deny('guest', null, 'read');
$this->assertFalse($this->_acl->isAllowed('guest', 'blogpost', 'read'));
$this->assertFalse($this->_acl->isAllowed('guest', 'newsletter', 'read'));
}
/**
* Return whether or not this role has access to a certain resource
*
* @param string the permission being asked about
* @param QFrame_Permissible (optional) the permissible object in question
* @return boolean
*/
public function hasAccess($permission, QFrame_Permissible $permissible = null)
{
$resource = $permissible === null ? "GLOBAL" : $permissible->getPermissionID();
if (!$this->acl->hasRole($permission) || !$this->acl->has($resource)) {
return false;
}
return $this->acl->isAllowed($permission, $resource);
}
/**
* Assert whether or not the ACL should allow access.
*/
public function assert(Zend_Acl $acl, Zend_Acl_Role_Interface $role = null, Zend_Acl_Resource_Interface $resource = null, $privilege = null)
{
$allPriv = $privilege . 'All';
$selfPriv = $privilege . 'Self';
if (!$role instanceof User) {
$allowed = false;
} else {
if ($resource instanceof Omeka_Record_AbstractRecord) {
$allowed = $acl->isAllowed($role, $resource, $allPriv) || $acl->isAllowed($role, $resource, $selfPriv) && $this->_userOwnsRecord($role, $resource);
} else {
// The "generic" privilege is allowed if the user can
// edit any of the given record type whatsoever.
$allowed = $acl->isAllowed($role, $resource, $allPriv) || $acl->isAllowed($role, $resource, $selfPriv);
}
}
return $allowed;
}
/**
* Assert whether or not the ACL should allow access.
*/
public function assert(Zend_Acl $acl, Zend_Acl_Role_Interface $role = null, Zend_Acl_Resource_Interface $resource = null, $privilege = null)
{
$allPriv = $privilege . 'All';
$selfPriv = $privilege . 'Self';
if (!$role instanceof User) {
$allowed = false;
} else {
if ($resource instanceof NeatlineTimeTimeline) {
$allowed = $acl->isAllowed($role, $resource, $allPriv) || $acl->isAllowed($role, $resource, $selfPriv) && $this->_userOwnsTimeline($role, $resource);
} else {
// The "generic" privilege is allowed if the user can
// edit any items whatsoever.
$allowed = $acl->isAllowed($role, $resource, $allPriv) || $acl->isAllowed($role, $resource, $selfPriv);
}
}
return $allowed;
}
public function preDispatch(Zend_Controller_Request_Abstract $request)
{
$resource = null;
$module = $request->getModuleName();
$controller = $request->getControllerName();
$action = $request->getActionName();
$front = Zend_Controller_Front::getInstance();
$defaultModule = $front->getDefaultModule();
if ($module != '' && $module != $defaultModule) {
$resource .= $module . ':';
}
$resource .= $controller;
if ($this->_acl->has(new Zend_Acl_Resource($resource))) {
if (!$this->_acl->isAllowed(new Zend_Acl_Role($this->_role), new Zend_Acl_Resource($resource), $action)) {
$request->setModuleName($defaultModule)->setControllerName('error')->setActionName($this->_denyAction)->setParam('error_handler', true);
}
}
}
/**
* Pre dispatch hock
* Checks if the current user identified by role has rights to the requested url (module/controller/action)
* If not, it will call denyAccess to be redirected to errorPage
*
* @return void
**/
public function preDispatch(Zend_Controller_Request_Abstract $request)
{
$this->setRequest($request);
/** Check if the controller/action can be accessed by the current user */
if (!$this->_acl->isAllowed($this->getRole(), $this->getResource($request), $this->_getPrivilege($request))) {
/** Redirect to access denied page */
$this->denyAccess();
}
}
