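/**
 * Front-controller plugin hook: refreshes the identity's last_login stamp
 * and enforces the ACL for the admin area.
 *
 * Only requests whose module or controller is 'admin' are checked; everything
 * else returns early. Anonymous callers are redirected to the admin login
 * page (which itself is exempt), and the user profile action is always
 * reachable for a logged-in identity.
 *
 * Fix: an explicit return follows the redirect. The redirector normally
 * exits, but if its exit flag is disabled the ACL check below used to run
 * for an anonymous request.
 *
 * NOTE(review): a module_controller pair that is not registered in the ACL
 * is allowed through (fail-open), and every authenticated user is evaluated
 * as the single hard-coded role below.
 *
 * @param Zend_Controller_Request_Abstract $request
 * @return void
 * @throws FansubCMS_Exception_Denied when the ACL denies the action
 */
public function preDispatch(Zend_Controller_Request_Abstract $request)
{
    $this->_initAcl();

    // last_login is touched on every request the identity makes, not only at login.
    if ($this->_auth->hasIdentity()) {
        $ident = $this->_auth->getIdentity();
        $date = new Zend_Date();
        $ident->last_login = $date->get(DATABASE_DATE_FORMAT);
        $ident->save();
    }

    $module     = $request->getModuleName();
    $controller = $request->getControllerName();
    $action     = $request->getActionName();

    // Only the admin area is protected by this plugin.
    if ($controller != 'admin' && $module != 'admin') {
        return;
    }

    $isLoginPage = ($module == 'admin' && $controller == 'auth' && $action == 'login');
    if (!$this->_auth->hasIdentity() && !$isLoginPage) {
        $redirect = new Zend_Controller_Action_Helper_Redirector();
        $redirect->gotoSimple('login', 'auth', 'admin');
        // Never fall through to the ACL check for an anonymous request.
        return;
    }

    // The profile page is a free resource for any logged-in user.
    if ($module == 'user' && $controller == 'admin' && $action == 'profile') {
        return;
    }

    $resource = $module . '_' . $controller;
    if ($this->_acl->has($resource)
        && !$this->_acl->isAllowed('fansubcms_user_custom_role_logged_in_user', $resource, $action)
    ) {
        throw new FansubCMS_Exception_Denied('The user is not allowd to do this');
    }
}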
/**
 * Resolve the privileges stored for the requested resource and decide whether
 * the current identity (or the default/anonymous role) may reach it.
 *
 * The ACL is built per request from User_Model_Acl_Resource: every role_id
 * listed in the resource's privileges is granted the whole resource.
 * A resource with no privileges or no id is denied outright (fail-closed).
 *
 * @param Zend_Controller_Request_Abstract $request
 * @return bool true when access is granted, false when it must be refused
 */
public function checkAccess(Zend_Controller_Request_Abstract $request)
{
    $aclResource = new User_Model_Acl_Resource();
    $aclResource->getPrivileges($request);

    // Nothing stored for this resource -> nobody is allowed.
    if (!$aclResource->privileges || !$aclResource->resource_id) {
        return false;
    }

    $resourceId = $aclResource->resource_id;
    $acl = new Zend_Acl();
    $acl->add(new Zend_Acl_Resource($resourceId));

    // Each listed role receives all privileges on the resource.
    foreach ($aclResource->privileges as $privilege) {
        $roleId = $privilege["role_id"];
        if ($acl->hasRole($roleId)) {
            continue;
        }
        $acl->addRole(new Zend_Acl_Role($roleId));
        $acl->allow($roleId, $resourceId);
    }

    $authorization = Zend_Auth::getInstance();
    if ($authorization->hasIdentity()) {
        // The identity is expected to be an array carrying role_id.
        $user = $authorization->getIdentity();
        return $acl->hasRole($user['role_id'])
            && $acl->isAllowed($user['role_id'], $resourceId);
    }

    // Anonymous caller: fall back to the configured default role.
    $defaultRole = new User_Model_Acl_Role();
    $defaultRole->getDefaultRole();
    $roleName = $defaultRole->default_role;

    return (bool) $roleName
        && $acl->hasRole($roleName)
        && $acl->isAllowed($roleName, $resourceId);
}
/**
 * Query the wrapped ACL for the current identity.
 *
 * @param string|null $resource  resource id to check, null for all resources
 * @param string|null $privilege privilege to check, null for all privileges
 * @return bool|null null when no ACL has been configured (a plain truthiness
 *                   test in the caller treats that as denied)
 */
public function isAllowed($resource = null, $privilege = null)
{
    $acl = $this->_acl;
    if ($acl === null) {
        return null;
    }

    $role = $this->getIdentity();

    return $acl->isAllowed($role, $resource, $privilege);
}
/**
 * Action-helper preDispatch hook: checks the current role against the
 * controller (resource) / action (privilege) pair and reroutes denied
 * requests to default/auth/noaccess with the dispatched flag reset.
 *
 * The role is the identity's non-empty `role` property when the identity is
 * an object, otherwise config `acl.defaultRole`. A controller that is not
 * registered as a resource is checked as a null resource, i.e. against the
 * role's global rules. The error/error pair is never blocked.
 *
 * @return void
 */
public function preDispatch()
{
    $config = Zend_Registry::get('config');
    $role = $config->acl->defaultRole;

    if ($this->_auth->hasIdentity()) {
        $identity = $this->_auth->getIdentity();
        // Only a populated role on an object identity overrides the default.
        if (is_object($identity) && !empty($identity->role)) {
            $role = $identity->role;
        }
    }

    $request   = $this->_action->getRequest();
    $resource  = $request->getControllerName();
    $privilege = $request->getActionName();

    $this->_controllerName = $resource;

    // Unknown controller: evaluate the role's global rules instead.
    if (!$this->_acl->has($resource)) {
        $resource = null;
    }

    // Never block the error handler itself.
    if ($resource == 'error' && $privilege == 'error') {
        return;
    }

    if ($this->_acl->isAllowed($role, $resource, $privilege)) {
        return;
    }

    $request->setModuleName('default')
            ->setControllerName('auth')
            ->setActionName('noaccess');
    $request->setDispatched(false);
}
/**
 * Front-controller plugin hook: the identity's stored role (or 'guest') must
 * be allowed the controller/action pair, otherwise the request is rerouted to
 * auth/login with a 401 and the original target kept in request params.
 *
 * The `query` param is rebuilt from the remaining user params as
 * "key/value/key/value/" so the login flow can return to the original URL.
 * Those values are caller-controlled: anything that echoes `query` or the
 * referer_* params must escape them for its output context.
 *
 * NOTE(review): the module name is not part of the resource, so same-named
 * controllers in different modules share one ACL entry.
 *
 * @param Zend_Controller_Request_Abstract $oHttpRequest
 * @return void
 */
public function preDispatch(Zend_Controller_Request_Abstract $oHttpRequest)
{
    $controller = $oHttpRequest->getControllerName();
    $action     = $oHttpRequest->getActionName();

    // Snapshot the user params before any referer_* params are added.
    $userParams = $oHttpRequest->getUserParams();
    unset($userParams['controller'], $userParams['action']);

    // Role from the stored identity, defaulting to guest.
    $auth = Zend_Auth::getInstance();
    $role = 'guest';
    if ($auth->hasIdentity()) {
        $identity = $auth->getStorage()->read();
        $role = $identity['role'];
    }

    if ($this->_oAcl->isAllowed($role, $controller, $action)) {
        return;
    }

    // Remember where the caller wanted to go.
    $oHttpRequest->setParam('referer_controller', $controller);
    $oHttpRequest->setParam('referer_action', $action);

    // Serialise the leftover params as a path-style string.
    $query = '';
    if (count($userParams)) {
        $pairs = array();
        foreach ($userParams as $name => $value) {
            $pairs[] = $name;
            $pairs[] = $value;
        }
        $query = implode('/', $pairs) . '/';
    }
    $oHttpRequest->setParam('query', $query);

    $oHttpRequest->setControllerName('auth')->setActionName('login');
    $this->_response->setHttpResponseCode(401);
}
/**
 * A regular user must not be allowed to update another user's (the admin's) profile.
 */
public function testDeniesProfileEditToNonAdmin()
{
    $mapper = new Default_Model_Mapper_Mongo_UserMapper();
    $actor  = $mapper->findByUserName('foo');
    $target = $mapper->findByUserName('admin');

    $this->assertFalse($this->_acl->isAllowed($actor, $target, 'update'));
}
/**
 * Thin ACL facade that maps an unknown resource to null instead of letting
 * the underlying ACL throw.
 *
 * NOTE(review): arguments are forwarded in (resource, privilege, role) order.
 * That matches this method's own signature but not Zend_Acl::isAllowed
 * (role, resource, privilege); confirm what $this->_acl actually is.
 *
 * @param string|Zend_Acl_Resource_Interface|null $resource
 * @param string|null $privilege
 * @param string|Zend_Acl_Role_Interface|null $role
 * @return bool
 */
public function isAllowed($resource = null, $privilege = null, $role = null)
{
    $target = $this->_acl->has($resource) ? $resource : null;

    return $this->_acl->isAllowed($target, $privilege, $role);
}
/**
 * Fail-closed authorisation check: the resource must be registered and the
 * current identity (or the literal role 'guest' when anonymous) must be
 * allowed $action on it.
 *
 * @param string $resource
 * @param string $action
 * @return bool
 */
protected function _isAuthorized($resource, $action)
{
    $role = 'guest';
    if ($this->_auth->hasIdentity()) {
        // The identity itself is used as the ACL role.
        $role = $this->_auth->getIdentity();
    }

    if (!$this->_acl->has($resource)) {
        return false;
    }

    return (bool) $this->_acl->isAllowed($role, $resource, $action);
}
/**
 * Fail-closed check of the identity against a controller resource, using
 * the ACL stored in Zend_Registry (also cached on $this->_acl).
 *
 * NOTE(review): when nobody is logged in getIdentity() yields null, which
 * Zend_Acl evaluates against its "all roles" rules rather than a dedicated
 * guest role; confirm that is the intended anonymous policy.
 *
 * @param string $controller resource id
 * @param string $action     privilege
 * @return bool
 */
protected function _isAuthorized($controller, $action)
{
    $acl = Zend_Registry::get('acl');
    $this->_acl = $acl;

    $identity = $this->_auth->getIdentity();

    if (!$acl->has($controller)) {
        return false;
    }

    return (bool) $acl->isAllowed($identity, $controller, $action);
}
/**
 * Tell whether the current role may perform the current privileges on the
 * page resource derived from module/controller/action.
 *
 * NOTE(review): a page that is not registered in the ACL is allowed
 * (fail-open); every protected page must therefore be registered explicitly.
 *
 * @param string $action
 * @param string $controller
 * @param string $module
 * @param array  $params unused
 * @return bool
 */
public function isAllowed($action, $controller, $module, $params = array())
{
    $page = ZtChart_Model_Acl_Resource::parsePageMvc($action, $controller, $module);

    if (!$this->_acl->has($page)) {
        return true;
    }

    return $this->_acl->isAllowed($this->_role(), $page, $this->_privileges());
}
/**
 * Check whether the logged-in user role may perform $privilege on $resource.
 *
 * The ACL is fetched lazily from Zend_Registry and cached statically.
 * NOTE(review): an unregistered resource is allowed (fail-open) and all
 * authenticated users are evaluated as the single hard-coded role below.
 *
 * @param Zend_Acl_Resource|string $resource
 * @param string $privilege
 * @return bool
 */
public function isAllowed($resource, $privilege)
{
    if (empty(self::$_acl)) {
        self::$_acl = Zend_Registry::get('Zend_Acl');
    }
    $acl = self::$_acl;

    if (!$acl->has($resource)) {
        return true;
    }

    return $acl->isAllowed('fansubcms_user_custom_role_logged_in_user', $resource, $privilege);
}
/**
 * Grant access when the role holds the "<privilege>All" privilege, or holds
 * "<privilege>Self" and owns the record / parent exhibit.
 *
 * Only User roles are ever granted; any other role (including null) is denied.
 *
 * @param Zend_Acl $acl
 * @param Zend_Acl_Role_Interface|null $role
 * @param Zend_Acl_Resource_Interface|null $resource
 * @param string|null $privilege
 * @return bool
 */
public function assert(Zend_Acl $acl, Zend_Acl_Role_Interface $role = null, Zend_Acl_Resource_Interface $resource = null, $privilege = null)
{
    if (!$role instanceof User) {
        return false;
    }

    $canAll  = $acl->isAllowed($role, $resource, $privilege . 'All');
    $canSelf = $acl->isAllowed($role, $resource, $privilege . 'Self');
    $isOwner = $this->_userOwnsRecord($role, $resource);

    // Explicit grouping: "All" wins outright, "Self" additionally needs ownership.
    return $canAll || ($canSelf && $isOwner);
}
/**
 * Front-controller plugin hook.
 *
 * The identity is expected to be an array whose 'usuario' key is the ACL
 * role. The module is the ACL resource; inside the 'admin' and 'sac' modules
 * the controller is the privilege, elsewhere the privilege is null (any).
 * A non-array identity is treated as a corrupt session: it is cleared and the
 * caller is sent to the admin login page.
 *
 * NOTE(review): any request whose action OR controller is named 'upload'
 * bypasses both the identity check and the ACL, in every module. Confirm that
 * each such endpoint enforces its own authorisation.
 *
 * @see Zend_Controller_Plugin_Abstract::preDispatch()
 * @param Zend_Controller_Request_Abstract $request
 * @return void
 */
public function preDispatch(Zend_Controller_Request_Abstract $request)
{
    // Upload endpoints are exempt from everything below.
    if ($request->getActionName() == 'upload' || $request->getControllerName() == 'upload') {
        return;
    }

    // Identity of the logged-in user, used as the ACL role.
    $identity = $this->auth->getIdentity();

    $module   = $this->getRequest()->getModuleName();
    $resource = $module;

    // Privilege: the controller inside admin/sac, otherwise unrestricted.
    $privilege = null;
    if ($module == 'admin' || $module == 'sac') {
        $privilege = $this->getRequest()->getControllerName();
    }

    if (!is_array($identity)) {
        $this->auth->clearIdentity();
        $request->setModuleName('admin')->setControllerName('login')->setActionName('index');
        return;
    }

    // The resource must exist and the role must be allowed on it.
    if ($this->acl->has($resource) && $this->acl->isAllowed($identity['usuario'], $resource, $privilege)) {
        return;
    }

    $params = array();

    if ($identity['usuario'] != 'visitante') {
        // Authenticated but not authorised: admin home with an error message.
        $params['erro'] = 'Você não possui permissão de acesso a este recurso.';
        $request->setModuleName('admin')->setControllerName('index')->setActionName('index')->setParams($params);
        return;
    }

    // Visitor: login page of the module being accessed.
    $loginModule = ($module == "sac") ? 'sac' : 'admin';
    $request->setModuleName($loginModule)->setControllerName('login')->setActionName('index')->setParams($params);
}
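/**
 * Called before an action is dispatched by Zend_Controller_Dispatcher.
 *
 * Resolves the ACL role (the identity's role name from the Roles entity, or
 * 'guest') and the resource ("controller/action", prefixed with "module/"
 * outside the default module, falling back to the bare controller when the
 * exact pair is not registered), then reroutes denied requests to
 * default/error/forbidden. The resolved role and resource are published in
 * Zend_Registry under 'Role' and 'Resource'. Requests already taken over by
 * the ErrorHandler are left alone.
 *
 * Fix: a denied request was only rerouted when an identity was present; an
 * anonymous request the ACL rejected fell through and was dispatched. Both
 * cases now go to the forbidden page. (A login redirect may be the better
 * target for the anonymous case; none is defined in this plugin.)
 *
 * NOTE(review): the bare-controller fallback drops the module prefix, so a
 * non-default module may end up checked against another module's controller
 * resource of the same name. If neither resource is registered, Zend_Acl
 * throws and the ErrorHandler renders an error page.
 *
 * @param Zend_Controller_Request_Abstract $request
 * @return void
 */
public function preDispatch(Zend_Controller_Request_Abstract $request)
{
    // Reset the published role & resource before anything can fail.
    Zend_Registry::set('Role', 'guest');
    Zend_Registry::set('Resource', '');

    // The ErrorHandler already owns this request.
    if ($request->getParam('error_handler')) {
        return;
    }

    $module     = $request->getModuleName();
    $controller = trim($request->getControllerName());
    $action     = trim($request->getActionName());

    // Role: persisted Roles entity for the identity, else guest.
    if ($this->_auth->hasIdentity()) {
        $roleEntity = $this->_em->find('Roles', $this->_auth->getRoleId());
        $role = new Zend_Acl_Role($roleEntity->getRoleName());
    } else {
        $role = new Zend_Acl_Role('guest');
    }

    // Resource: "controller/action" (index when no action), module-prefixed
    // outside the default module.
    $resource = $controller . '/' . ($action == '' ? 'index' : $action);
    if ($module != 'default') {
        $resource = $module . "/" . $resource;
    }
    if ($resource == '') {
        $resource = 'index/index';
    }

    // No rule for the exact page: fall back to a controller-level rule.
    if ($action != '' && !$this->_acl->has($resource)) {
        $resource = $controller;
    }

    $allow = $this->_acl->isAllowed($role, $resource);

    if (!$allow) {
        // Denied: reroute whether or not the caller is logged in.
        $request->setModuleName('default');
        $request->setControllerName('error');
        $request->setActionName('forbidden');
    }

    Zend_Registry::set('Role', $role);
    Zend_Registry::set('Resource', $resource);
}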
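/**
 * Allow when the role holds "<privilege>:all", or holds "<privilege>:mine"
 * and is the creator of the resource.
 *
 * Fix: the ownership test used a loose `==` between createdBy and the role
 * id, which PHP type juggling can satisfy for unrelated values (e.g. null
 * against 0, or '' against null). Both ids are now compared as strings, a
 * resource without a recorded creator is never treated as owned, and a
 * missing role or resource object is denied instead of raising on property
 * access.
 *
 * @param Zend_Acl $acl
 * @param Zend_Acl_Role_Interface|null     $role     expected to expose ->id
 * @param Zend_Acl_Resource_Interface|null $resource expected to expose ->createdBy
 * @param string|null $privilege
 * @return bool
 */
public function assert(Zend_Acl $acl, Zend_Acl_Role_Interface $role = null, Zend_Acl_Resource_Interface $resource = null, $privilege = null)
{
    if ($acl->isAllowed($role, $resource, $privilege . ':all')) {
        return true;
    }

    if (!$acl->isAllowed($role, $resource, $privilege . ':mine')) {
        return false;
    }

    // ":mine" needs a concrete role and a concrete owner to compare.
    if ($role === null || $resource === null) {
        return false;
    }

    $owner = $resource->createdBy;
    if ($owner === null || $owner === '') {
        return false;
    }

    return (string) $owner === (string) $role->id;
}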
/**
 * Route the request according to the ACL: an unregistered resource becomes a
 * gallery 404, a denied role is sent to the admin login page; otherwise the
 * request is left untouched.
 *
 * @param \Zend_Acl_Role $role
 * @return void
 */
private function checkRole(\Zend_Acl_Role $role)
{
    $resource = $this->getResource();
    $request  = $this->_request;

    // Unknown resource -> not found rather than a permission error.
    if (!$this->acl->has($resource)) {
        $request->setModuleName('gallery')
                ->setControllerName('error')
                ->setActionName('error404');
        return;
    }

    // Known resource but role not allowed -> login.
    if (!$this->acl->isAllowed($role, $resource)) {
        $request->setModuleName('admin')
                ->setControllerName('auth')
                ->setActionName('login');
    }
}
/**
 * Action-helper preDispatch hook: checks the role against the
 * controller/action pair and, on denial, reroutes to the ACL's "no auth"
 * (anonymous) or "no acl" (authenticated) action and resets the dispatched
 * flag.
 *
 * The role is the identity object's `role` property, or 'guest' when nobody
 * is logged in or the identity is not an object. An unregistered controller
 * is checked as a null resource (the role's global rules).
 *
 * NOTE(review): an identity object with an empty `role` is passed through
 * as-is; Zend_Acl raises on an unknown role, so such a request fails closed
 * by exception rather than by rerouting.
 *
 * @return void
 */
public function preDispatch()
{
    $role = 'guest';
    if ($this->_auth->hasIdentity()) {
        $identity = $this->_auth->getIdentity();
        if (is_object($identity)) {
            $role = $identity->role;
        }
    }

    $request   = $this->_action->getRequest();
    $resource  = $request->getControllerName();
    $privilege = $request->getActionName();

    $this->_controllerName = $resource;

    if (!$this->_acl->has($resource)) {
        $resource = null;
    }

    if ($this->_acl->isAllowed($role, $resource, $privilege)) {
        return;
    }

    // Fallback route depends on whether anyone is logged in.
    $fallback = $this->_auth->hasIdentity()
        ? $this->_acl->getNoAclAction()
        : $this->_acl->getNoAuthAction();

    $request->setModuleName($fallback['module']);
    $request->setControllerName($fallback['controller']);
    $request->setActionName($fallback['action']);
    $request->setDispatched(false);
}
/**
 * Notifies whether the logged-in user has permission for a given
 * resource/privilege combination.
 *
 * Explicit per-privilege overrides in $this->_allowed win over the ACL.
 * If the resource is not defined in the ACL, access is not controlled and the
 * call returns true, so plugin writers can ship controllers without
 * registering them. Conversely, once a resource is defined, every privilege
 * on it must be configured.
 *
 * Resource names correspond to the controller class minus 'Controller':
 * Geolocation_IndexController -> 'Geolocation_Index',
 * CollectionsController -> 'Collections'.
 *
 * @param string $privilege
 * @param Zend_Acl_Resource|string|null $resource (Optional) Resource to check;
 *        a falsy value falls back to getResourceName().
 * @see getResourceName()
 * @return boolean
 */
public function isAllowed($privilege, $resource = null)
{
    $overrides = $this->_allowed;
    if (isset($overrides[$privilege])) {
        return $overrides[$privilege];
    }

    $resourceObj  = null;
    $resourceName = null;
    if ($resource instanceof Zend_Acl_Resource_Interface) {
        $resourceObj  = $resource;
        $resourceName = $resource->getResourceId();
    } elseif (is_string($resource)) {
        $resourceName = $resource;
    } elseif (!$resource) {
        $resourceName = $this->getResourceName();
    }

    // Undefined resource: not under ACL control (fail-open by design).
    if (!$this->_acl->has($resourceName)) {
        return true;
    }

    if ($resourceObj === null) {
        $resourceObj = $this->_acl->get($resourceName);
    }

    return $this->_acl->isAllowed($this->_currentUser, $resourceObj, $privilege);
}
/**
 * Check whether any of the loaded groups may execute $action on the named
 * resource.
 *
 * Resource names are lower-cased to match how they were loaded. With no
 * groups loaded the answer is false. An ACL exception (unknown resource or
 * group) is logged and treated as a denial for the whole call.
 *
 * @param string $resourceName The name of the resource
 * @param string $action       The action to be executed
 * @return bool
 */
function checkPermission($resourceName, $action)
{
    $name = strtolower($resourceName);

    if (!$this->availableGroups) {
        return false;
    }

    try {
        // One group at a time, via the parent's single-role check.
        foreach ($this->availableGroups as $group) {
            if (parent::isAllowed($group, $name, $action)) {
                return true;
            }
        }
    } catch (Zend_Exception $ze) {
        // Unknown resource or group: deny.
        error_log($ze->__toString());
        return false;
    }

    return false;
}
/**
 * Allowing a role with a null resource after resources already exist must
 * grant that role everything (regression test for issue 4226).
 *
 * @group 4226
 */
public function testAllowNullPermissionAfterResourcesExistShouldAllowAllPermissionsForRole()
{
    $acl = $this->_acl;
    $acl->addRole('admin');
    $acl->addResource('newsletter');

    // Null resource and privilege: a global allow for the role.
    $acl->allow('admin');

    $this->assertTrue($acl->isAllowed('admin'));
}
/**
 * Check whether the logged-in user role may perform $privilege on $resource.
 *
 * NOTE(review): an unregistered resource is allowed (fail-open); all
 * authenticated users are evaluated as one hard-coded role.
 *
 * @param Zend_Acl_Resource|string $resource
 * @param string $privilege
 * @return bool
 */
public function isAllowed($resource, $privilege)
{
    $acl = $this->acl;
    if (!$acl->has($resource)) {
        return true;
    }

    $role = 'fansubcms_user_custom_role_logged_in_user';

    return $acl->isAllowed($role, $resource, $privilege);
}
/**
 * Action-helper preDispatch hook: the identity's role (or 'public') must be
 * allowed the controller/action pair; otherwise the request is rerouted to
 * default/error/notauthorised and re-dispatched.
 *
 * An unregistered controller is checked as a null resource, i.e. against the
 * role's global rules.
 *
 * @return void
 */
public function preDispatch()
{
    $auth = $this->getAuth();
    $role = 'public';
    if ($auth->hasIdentity()) {
        $identity = $auth->getIdentity();
        if (is_object($identity)) {
            $role = $identity->role;
        }
    }

    $request   = $this->getAction()->getRequest();
    $resource  = $request->getControllerName();
    $privilege = $request->getActionName();

    $this->_controllerName = $resource;

    if (!$this->_acl->has($resource)) {
        $resource = null;
    }

    if ($this->_acl->isAllowed($role, $resource, $privilege)) {
        return;
    }

    $request->setModuleName('default');
    $request->setControllerName('error');
    $request->setActionName('notauthorised');
    $request->setDispatched(false);
}
/**
 * Front-controller plugin hook with an inline ACL: guests may use blog,
 * error, index and the admin login action; admins (who inherit guest) may
 * use all of admin. A denied request is rerouted to admin/login and a
 * redirect to /admin/login/ is set on the response.
 *
 * The module is not part of the resource; a controller outside the four
 * registered resources makes Zend_Acl throw (unknown resource).
 *
 * @param Zend_Controller_Request_Abstract $request
 * @return void
 */
public function preDispatch(Zend_Controller_Request_Abstract $request)
{
    $acl = new Zend_Acl();

    // Roles: admin inherits everything guest may do.
    $acl->addRole(new Zend_Acl_Role(Model_Role::GUEST));
    $acl->addRole(new Zend_Acl_Role(Model_Role::ADMIN), Model_Role::GUEST);

    foreach (array('admin', 'blog', 'error', 'index') as $controllerName) {
        $acl->addResource(new Zend_Acl_Resource($controllerName));
    }

    $acl->allow(Model_Role::GUEST, 'blog');
    $acl->allow(Model_Role::GUEST, 'error');
    $acl->allow(Model_Role::GUEST, 'index');
    $acl->allow(Model_Role::GUEST, 'admin', array('login'));
    $acl->allow(Model_Role::ADMIN, 'admin');

    // Role of the caller: the identity's role_id, else guest.
    $auth = Zend_Auth::getInstance();
    $role = Model_Role::GUEST;
    if ($auth->hasIdentity()) {
        $user = new Model_User($auth->getIdentity());
        $role = $user->role_id;
    }

    $resource  = $request->getControllerName();
    $privilege = $request->getActionName();

    if ($acl->isAllowed($role, $resource, $privilege)) {
        return;
    }

    // Denied: reroute the current request and also ask the client to redirect.
    $this->_request->setControllerName('admin')->setActionName('login');
    $this->_response->setRedirect('/admin/login/');
}
/**
 * Checks the ACL to see if $user (role) may perform $action on $resource.
 * Unlike a plain isAllowed() this is fail-closed: when the resource has no
 * specific rules defined or does not exist at all, the answer is false.
 *
 * @param string|Zend_Acl_Role_Interface     $user     The user to check
 * @param string|Zend_Acl_Resource_Interface $resource The resource to check
 * @param string                             $action   The privilege to check
 * @return boolean
 */
function isSpecificallyAllowed($user, $resource, $action)
{
    if (!$this->acl->has($resource)) {
        return false;
    }

    return $this->acl->isAllowed($user, $resource, $action);
}
/**
 * removeDeny() with a null resource must lift the deny on every resource,
 * and deny() with a null resource must apply to every resource (ZF-9643).
 *
 * @group ZF-9643
 */
public function testRemoveDenyWithNullResourceAppliesToAllResources()
{
    $acl       = $this->_acl;
    $resources = array('blogpost', 'newsletter');

    $acl->addRole('guest');
    foreach ($resources as $name) {
        $acl->addResource($name);
    }

    // Global allow, then a per-resource deny of 'read'.
    $acl->allow();
    foreach ($resources as $name) {
        $acl->deny('guest', $name, 'read');
    }
    foreach ($resources as $name) {
        $this->assertFalse($acl->isAllowed('guest', $name, 'read'));
    }

    // Lifting one deny leaves the other in place.
    $acl->removeDeny('guest', 'newsletter', 'read');
    $this->assertFalse($acl->isAllowed('guest', 'blogpost', 'read'));
    $this->assertTrue($acl->isAllowed('guest', 'newsletter', 'read'));

    // Null resource: lift the deny everywhere.
    $acl->removeDeny('guest', null, 'read');
    foreach ($resources as $name) {
        $this->assertTrue($acl->isAllowed('guest', $name, 'read'));
    }

    // Null resource: deny everywhere.
    $acl->deny('guest', null, 'read');
    foreach ($resources as $name) {
        $this->assertFalse($acl->isAllowed('guest', $name, 'read'));
    }
}
/**
 * Return whether or not this role has access to a certain resource.
 *
 * The $permission string is used as the ACL role; the resource is the
 * permissible's permission id, or "GLOBAL" when none is given. Unknown roles
 * or resources yield false rather than an ACL exception.
 *
 * @param string $permission the permission being asked about
 * @param QFrame_Permissible (optional) the permissible object in question
 * @return boolean
 */
public function hasAccess($permission, QFrame_Permissible $permissible = null)
{
    $resource = "GLOBAL";
    if ($permissible !== null) {
        $resource = $permissible->getPermissionID();
    }

    $acl = $this->acl;
    if (!$acl->hasRole($permission)) {
        return false;
    }
    if (!$acl->has($resource)) {
        return false;
    }

    return $acl->isAllowed($permission, $resource);
}
/**
 * Assert whether or not the ACL should allow access.
 *
 * "<privilege>All" grants outright. "<privilege>Self" grants when the
 * resource is a concrete record the user owns; for a non-record resource
 * (the "generic" check) "Self" alone is enough, meaning the user may edit
 * some record of that type. Non-User roles are always denied.
 *
 * @param Zend_Acl $acl
 * @param Zend_Acl_Role_Interface|null $role
 * @param Zend_Acl_Resource_Interface|null $resource
 * @param string|null $privilege
 * @return bool
 */
public function assert(Zend_Acl $acl, Zend_Acl_Role_Interface $role = null, Zend_Acl_Resource_Interface $resource = null, $privilege = null)
{
    if (!$role instanceof User) {
        return false;
    }

    if ($acl->isAllowed($role, $resource, $privilege . 'All')) {
        return true;
    }

    if (!$acl->isAllowed($role, $resource, $privilege . 'Self')) {
        return false;
    }

    // "Self" on a concrete record additionally requires ownership.
    if ($resource instanceof Omeka_Record_AbstractRecord) {
        return (bool) $this->_userOwnsRecord($role, $resource);
    }

    return true;
}
/**
 * Assert whether or not the ACL should allow access.
 *
 * "<privilege>All" grants outright. "<privilege>Self" grants when the
 * resource is a concrete timeline the user owns; for a non-timeline resource
 * (the "generic" check) "Self" alone is enough, meaning the user may edit
 * some timeline. Non-User roles are always denied.
 *
 * @param Zend_Acl $acl
 * @param Zend_Acl_Role_Interface|null $role
 * @param Zend_Acl_Resource_Interface|null $resource
 * @param string|null $privilege
 * @return bool
 */
public function assert(Zend_Acl $acl, Zend_Acl_Role_Interface $role = null, Zend_Acl_Resource_Interface $resource = null, $privilege = null)
{
    if (!$role instanceof User) {
        return false;
    }

    if ($acl->isAllowed($role, $resource, $privilege . 'All')) {
        return true;
    }

    if (!$acl->isAllowed($role, $resource, $privilege . 'Self')) {
        return false;
    }

    // "Self" on a concrete timeline additionally requires ownership.
    if ($resource instanceof NeatlineTimeTimeline) {
        return (bool) $this->_userOwnsTimeline($role, $resource);
    }

    return true;
}
/**
 * Front-controller plugin hook: the resource is the controller name,
 * prefixed with "module:" outside the default module. Only registered
 * resources are checked (unregistered ones pass through untouched); when the
 * configured role is denied the action, the request is rerouted to the
 * default module's error controller deny action with error_handler set.
 *
 * @param Zend_Controller_Request_Abstract $request
 * @return void
 */
public function preDispatch(Zend_Controller_Request_Abstract $request)
{
    $front         = Zend_Controller_Front::getInstance();
    $defaultModule = $front->getDefaultModule();

    $module     = $request->getModuleName();
    $controller = $request->getControllerName();
    $action     = $request->getActionName();

    $prefix = '';
    if ($module != '' && $module != $defaultModule) {
        $prefix = $module . ':';
    }
    $resource = new Zend_Acl_Resource($prefix . $controller);

    // Resources not registered in the ACL are not checked at all.
    if (!$this->_acl->has($resource)) {
        return;
    }

    $role = new Zend_Acl_Role($this->_role);
    if ($this->_acl->isAllowed($role, $resource, $action)) {
        return;
    }

    $request->setModuleName($defaultModule)
            ->setControllerName('error')
            ->setActionName($this->_denyAction)
            ->setParam('error_handler', true);
}
/**
 * Pre-dispatch hook.
 * Checks whether the current user (identified by role) may access the
 * requested module/controller/action; if not, denyAccess() redirects to the
 * error page.
 *
 * @param Zend_Controller_Request_Abstract $request
 * @return void
 */
public function preDispatch(Zend_Controller_Request_Abstract $request)
{
    $this->setRequest($request);

    $role      = $this->getRole();
    $resource  = $this->getResource($request);
    $privilege = $this->_getPrivilege($request);

    if ($this->_acl->isAllowed($role, $resource, $privilege)) {
        return;
    }

    // Redirect to the access-denied page.
    $this->denyAccess();
}