/**
 * Register a resource with the ACL, loading its parent(s) first.
 *
 * Does nothing when the ACL already knows the resource. For a hierarchical
 * resource the parent (or each parent, when getParent() returns an array) is
 * loaded before the resource itself is added, so the parent is registered by
 * the time the child is attached to it.
 *
 * NOTE(review): nothing here tracks resources that are still being loaded. A
 * resource only becomes visible to hasResource() after its parents are done,
 * so a parent chain that loops back on itself would recurse without end.
 * Confirm that resource definitions are validated as acyclic before they
 * reach this method.
 *
 * @param string|ResourceInterface $resource
 */
private function loadResource($resource)
{
    // Already registered: nothing to do.
    if ($this->acl->hasResource($resource)) {
        return;
    }

    $parent = null;

    if ($resource instanceof HierarchicalResourceInterface) {
        // Whatever getParent() returns (including a falsy value) is what gets
        // handed to addResource() below.
        $parent = $resource->getParent();

        if ($parent) {
            if (is_array($parent)) {
                $this->loadResources($parent);
            } else {
                $this->loadResource($parent);
            }
        }
    }

    $this->acl->addResource($resource, $parent);
}
/**
 * Authorise the current request against the ACL before passing it on.
 *
 * Two resources are consulted, and access is granted when EITHER allows it:
 *  - 'route' . <route pattern>, with the lower-cased HTTP method as privilege;
 *  - 'callable/' . <route callable>, when the callable is a string, with no
 *    privilege passed.
 * A resource that is not registered in the ACL contributes nothing, so a route
 * with neither resource registered is refused (deny by default).
 *
 * Outcomes:
 *  - no 'route' attribute on the request: 404;
 *  - refused and the current role is the default role: redirect to the login URL;
 *  - refused otherwise: 403 with body 'Forbidden';
 *  - granted: the next middleware is called.
 *
 * NOTE(review): because the two checks are OR-ed, an allow on the callable
 * resource grants access even when the route resource refuses the role.
 * Confirm this precedence is intended when writing deny rules for routes.
 *
 * NOTE(review): the 403 reason phrase contains the current role name and is
 * sent to the client on the status line. Confirm that exposing role names is
 * acceptable, and that role names can never contain characters that are
 * invalid in a reason phrase.
 *
 * @param Request  $req  PSR7 request object
 * @param Response $res  PSR7 response object
 * @param callable $next Next middleware callable
 *
 * @return ResponseInterface PSR7 response object
 */
public function __invoke(Request $req, Response $res, callable $next)
{
    $route = $req->getAttribute('route');
    if (!$route) {
        return $res->withStatus(404);
    }

    $role = $this->currentUserRole;

    // Route-level check: privilege is the HTTP method in lower case.
    $routeResource = 'route' . $route->getPattern();
    $granted = $this->acl->hasResource($routeResource)
        && $this->acl->isAllowed($role, $routeResource, strtolower($req->getMethod()));

    // Callable-level check: only string callables can be named as a resource.
    $handler = $route->getCallable();
    if (is_string($handler)) {
        $handlerResource = 'callable/' . $handler;
        if ($this->acl->hasResource($handlerResource)) {
            $granted = $granted || $this->acl->isAllowed($role, $handlerResource);
        }
    }

    if ($granted) {
        return $next($req, $res);
    }

    // The default role is sent to the login page instead of being refused outright.
    if ($role === $this->defaultRole) {
        return $res->withRedirect($this->loginUrl);
    }

    $denied = $res->withStatus(403, $role . ' is not allowed access to this location.');
    $denied->getBody()->write('Forbidden');

    return $denied;
}
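/**
 * Populate an ACL with the roles from getRoles() and the rules from getRules().
 *
 * For every role, the role is added together with its parents, then its
 * 'allow' rules are applied, then its 'deny' rules. A named resource that a
 * rule refers to is registered first when the ACL does not know it yet.
 *
 * A rule whose resource is null is passed to allow()/deny() unchanged and is
 * never registered as a resource of its own. Previously only the 'deny' loop
 * had this guard, so an 'allow' rule with a null resource also registered a
 * GenericResource built from null.
 *
 * NOTE(review): a null resource presumably means "every resource"; confirm
 * against the AclInterface implementation in use, since such an allow rule is
 * the broadest grant this method can make.
 *
 * NOTE(review): roles are added in the order getRoles() yields them; this
 * assumes parents are listed before the roles that inherit from them.
 *
 * @param AclInterface $acl ACL to configure
 *
 * @return AclInterface The ACL that was passed in, after configuration
 */
public function configureAcl(AclInterface $acl)
{
    foreach ($this->getRoles() as $roleId => $parents) {
        $acl->addRole(new GenericRole($roleId), $parents);

        foreach ($this->getRules($roleId, 'allow') as $spec) {
            // Same guard as the deny loop: a null resource is not a named
            // resource and must not be registered as one.
            if (null !== $spec['resource'] && !$acl->hasResource($spec['resource'])) {
                $acl->addResource(new GenericResource($spec['resource']));
            }
            $acl->allow($roleId, $spec['resource'], $spec['privilege'], $spec['assertion']);
        }

        // Deny rules are applied after the allow rules of the same role.
        // NOTE(review): whether a later deny overrides an earlier allow depends
        // on the AclInterface implementation; confirm.
        foreach ($this->getRules($roleId, 'deny') as $spec) {
            if (null !== $spec['resource'] && !$acl->hasResource($spec['resource'])) {
                $acl->addResource(new GenericResource($spec['resource']));
            }
            $acl->deny($roleId, $spec['resource'], $spec['privilege'], $spec['assertion']);
        }
    }

    return $acl;
}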