public function testNoConfigurations() { Access::reset(); $this->assertIdentical(array(), Access::config()); $this->expectException("Configuration `test_no_config` has not been defined."); Access::check('test_no_config', false, new Request()); }
public function testCheck() { $request = new Request(); $result = Access::check('test_access', array('username' => 'Tom'), $request); $this->assertEqual(array(), $result); $expected = array('message' => 'Access denied.', 'redirect' => '/login'); $result = Access::check('test_access', false, $request, array('redirect' => '/login', 'message' => 'Access denied.')); $this->assertEqual($expected, $result); }
public function testNoRolesConfigured() { $request = new Request(); $config = Access::config('test_no_roles_configured'); $request->params = array('controller' => 'Tests', 'action' => 'granted'); $this->assertTrue(empty($config['roles'])); $this->expectException('No roles defined for adapter configuration.'); Access::check('test_no_roles_configured', array('guest' => null), $request); }
/** * Check Aro's permissions to current Aco * * @return bool */ protected function _checkAccess() { $access = Access::get('acl', $this->_aro, $this->_aco); $action = $this->request->params['action']; if (is_array($access) && (array_key_exists('*', $access) && $access['*'] || array_key_exists($action, $access) && $access[$action])) { return true; } return false; }
public function testAdd() { $request = new Request(); // The add() method to add a rule Access::adapter('test_rulebased')->add('testDeny', function($requester, $request, $options) { return false; }); $rules = array( array('rule' => 'testDeny', 'message' => 'Access denied.') ); $expected = array('rule' => 'testDeny', 'message' => 'Access denied.', 'redirect' => '/'); $result = Access::check('test_rulebased', array('username' => 'Tom'), $request, array('rules' => $rules)); $this->assertEqual($expected, $result); // Make sure the rule got added to the $_rules property $this->assertTrue(is_callable(Access::adapter('test_rulebased')->getRules('testDeny'))); $this->assertTrue(is_array(Access::adapter('test_rulebased')->getRules())); }
<?php /** * li3_access configuration file */ use lithium\security\Auth; use li3_access\security\Access; /** * Auth configurations * Users authorized trough 'inactive' configuration gets message about inactive account! */ Auth::config(array('default' => array('adapter' => 'Form', 'scope' => array('active' => true), 'query' => 'firstWithGroup'), 'inactive' => array('adapter' => 'Form', 'scope' => array('active' => false)))); /** * Access adapters configurations * For details se `li3_access` documentation */ Access::config(array('acl' => array('adapter' => 'DbAcl'), 'rules' => array('adapter' => 'Rules')));
header('Location: ' . Router::match(array('library' => 'li3b_users', 'controller' => 'users', 'action' => 'login'))); } // None shall pass. exit; } } // Sets the current user in each request for convenience. $params['request']->user = $user; return $next; // return $chain->next($self, $params, $chain); }); Access::config(array('default' => array('adapter' => 'Rules', 'filters' => array()))); // Set some basic rules to be used from anywhere // Allow access for users with a role of "administrator" or "content_editor" Access::adapter('default')->add('allowManagers', function ($user, $request, $options) { if ($user && ($user['role'] == 'administrator' || $user['role'] == 'content_editor')) { return true; } return false; }); // Restrict access to documents that have a published field marked as true // (except for users with a role of "administrator" or "content_editor") Access::adapter('default')->add('allowIfPublished', function ($user, $request, $options) { if (isset($options['document']['published']) && $options['document']['published'] === true) { return true; } if ($user && ($user['role'] == 'administrator' || $user['role'] == 'content_editor')) { return true; } return false; });
) ) )); // Set some rules to be used from anywhere // Allow access for users with a role of "administrator" or "content_editor" Access::adapter('minerva_access')->add('allowManagers', function($user, $request, $options) { if(($user) && ($user['role'] == 'administrator' || $user['role'] == 'content_editor')) { return true; } return false; }); // Add a base document access rule to check against Access::adapter('minerva_access')->add('publishStatus', function($user, $request, $options) { if($options['document']['published'] === true) { return true; } if(($user) && ($user['role'] == 'administrator' || $user['role'] == 'content_editor')) { return true; } return false; }); /* Dispatcher::applyFilter('_call', function($self, $params, $chain) { if(isset($params['callable']::$access)) { // TODO: maybe move this to MinervaController and even add an "admin" key to the Controller::$access array for even greater control and flexibility // Check for protected "admin" routes. Only administrators and content editors can access these routes.
public function testOptionOverride() { $expected = array( 'message' => 'Rule access denied message.', 'redirect' => '/', 'options' => array( 'class' => 'notice' ) ); $result = Access::check('test_option_override', null, $this->_request, array('whatt')); $this->assertIdentical($expected, $result); }
public function getDocument($options=array()) { $defaults = array('action' => null, 'request' => null, 'find_type' => 'first', 'conditions' => array(), 'limit' => null, 'offset' => 0, 'order' => 'created.desc'); $options += $defaults; extract($options); // $action=null, $request=null, $find_type='first', $conditions=array(), $limit=null, $offset=0, $order=null // 1. Determine the proper model to be using $controller = $request->params['controller']; $controller_pieces = explode('.', $controller); if(count($controller_pieces) > 1) { $controller = end($controller_pieces); } $model = Inflector::classify(Inflector::singularize($controller)); $modelClass = 'minerva\models\\'.$model; $library = null; $library_name_haystack = array(); // if the action is read, update, or delete then the document will be able to tell us the library name if(($request->params['action'] == 'read') || ($request->params['action'] == 'update') || ($request->params['action'] == 'delete')) { // could be using the MongoId or the pretty URL in the route. Both work, but prefer the URL if set and there's no need to use both. $conditions = array(); if(isset($request->params['id'])) { $conditions = array('_id' => $request->params['id']); } if(isset($request->params['url'])) { $conditions = array('url' => $request->params['url']); } $record = $modelClass::first(array('request_params' => $request->params, 'conditions' => $conditions, 'fields' => $this->library_fields)); $library_name_haystack = ($record) ? $record->data():array(); } else { // otherwise for index and create methods the library name is passed in the routes. as page_type or user_type or block_type $library_name_haystack = $request->params; } // get the library name foreach($this->library_fields as $field) { if(in_array($field, array_keys($library_name_haystack))) { $library = $library_name_haystack[$field]; } } $class = '\minerva\libraries\\'.$library.'\models\\'.$model; // Don't load the model if it doesn't exist if(class_exists($class)) { // instantiate it so it can apply its properties to the base model along with any filters, etc. $modelClass = new $class(); } // 2. Authentication & Access Check for Core Minerva Controllers // (properties set in model for core controllers) ... transfer those settings to the controller $controller_pieces = explode('::', $action); if(count($controller_pieces) > 1) { $action = $controller_pieces[1]; } $controllerClass = '\minerva\controllers\\'.$controller.'Controller'; // If the $controllerClass doesn't exist, it means it's a controller that Minerva doesn't have. That means it's not core and the access can be set there on that controller. if((isset($modelClass::$access)) && (class_exists($controllerClass))) { // Don't completely replace core Minerva controller with new access rules, but append all the rules (giving the library model's access property priority) $controllerClass::$access = $modelClass::$access += $controllerClass::$access; } // Get the rules for this action $rules = (isset($controllerClass::$access[$request->params['action']])) ? $controllerClass::$access[$request->params['action']]:array(); // Check access for the action in general $action_access = Access::check('minerva_access', Auth::check('minerva_user'), $request, array('rules' => $rules['action'])); if(!empty($action_access)) { FlashMessage::set($action_access['message'], array('options' => array('type' => 'error', 'pnotify_title' => 'Error', 'pnotify_opacity' => '.8'))); $this->redirect($action_access['redirect']); } // Before getting documents, make sure the calling method actually wanted to get documents. if($find_type === false) { return true; } /** * 3. Get Document(s) * If we're here, we now need to get the document(s) to determine any document based access * and we'll return the document(s) back to the controller too. */ $document = $modelClass::find($find_type, array( 'conditions' => $conditions, 'limit' => $limit, 'order' => Util::format_dot_order($order), 'request_params' => $request->params // this is not used for Lithium's find() but gives some useful data if find() is filtered )); // 4. Document Access Control if($document) { // add the document to the document access rules so it can be checked against $i=0; foreach($rules as $rule) { $rules['document'][$i] = $document->data(); $i++; } $document_access = Access::check('minerva_access', Auth::check('minerva_user'), $request, array('rules' => $rules['document'])); if(!empty($document_access)) { FlashMessage::set($document_access['message'], array('options' => array('type' => 'error', 'pnotify_title' => 'Error', 'pnotify_opacity' => '.8'))); $this->redirect($document_access['redirect']); } } //read() // $document = $modelClass::find('first', array('conditions' => array('url' => $url), 'request_params' => $this->request->params)); // modelClass will either be a core Minerva model class or the extended matching library model class return $document; }