예제 #1
0
파일: Acl.php 프로젝트: Theodia/theodia.org
 public function __construct(AclAuthorization $authorization)
 {
     $authorization->addRole('member');
     $authorization->addRole('admin');
     $restrictedPrivileges = [Request::METHOD_PUT, Request::METHOD_PATCH, Request::METHOD_DELETE];
     $hasNoRelation = new HasNoRelation();
     $authorization->deny('member', 'Theodia\\V1\\Rest\\Calendar\\Controller::entity', $restrictedPrivileges, $hasNoRelation);
     $authorization->deny('member', 'Theodia\\V1\\Rest\\Event\\Controller::entity', $restrictedPrivileges, $hasNoRelation);
     $authorization->deny('member', 'Theodia\\V1\\Rest\\Place\\Controller::entity', $restrictedPrivileges, $hasNoRelation);
     $authorization->deny('member', 'Theodia\\V1\\Rest\\User\\Controller::entity', $restrictedPrivileges, $hasNoRelation);
     $authorization->deny('member', 'Theodia\\V1\\Rest\\PlaceType\\Controller::entity', $restrictedPrivileges);
     $authorization->deny('member', 'Theodia\\V1\\Rest\\Rite\\Controller::entity', $restrictedPrivileges);
     $authorization->deny('member', 'Theodia\\V1\\Rest\\Tag\\Controller::entity', $restrictedPrivileges);
     $relationRestrictedPrivileges = [Request::METHOD_PUT, Request::METHOD_PATCH];
     $lastRelation = new LastRelation();
     $hasNoRelationOrLastRelation = new AssertionAggregate();
     $hasNoRelationOrLastRelation->addAssertion($hasNoRelation);
     $hasNoRelationOrLastRelation->addAssertion($lastRelation);
     $hasNoRelationOrLastRelation->setMode(AssertionAggregate::MODE_AT_LEAST_ONE);
     $authorization->deny('member', 'Theodia\\V1\\Rest\\UserCalendar\\Controller::entity', $relationRestrictedPrivileges, $hasNoRelation);
     $authorization->deny('member', 'Theodia\\V1\\Rest\\UserPlace\\Controller::entity', $relationRestrictedPrivileges, $hasNoRelation);
     $authorization->deny('member', 'Theodia\\V1\\Rest\\UserCalendar\\Controller::entity', [Request::METHOD_DELETE], $hasNoRelationOrLastRelation);
     $authorization->deny('member', 'Theodia\\V1\\Rest\\UserPlace\\Controller::entity', [Request::METHOD_DELETE], $hasNoRelationOrLastRelation);
     $authorization->deny('admin', 'Theodia\\V1\\Rest\\UserCalendar\\Controller::entity', [Request::METHOD_DELETE], $lastRelation);
     $authorization->deny('admin', 'Theodia\\V1\\Rest\\UserPlace\\Controller::entity', [Request::METHOD_DELETE], $lastRelation);
     $authorization->deny('member', 'Theodia\\V1\\Rest\\UserCalendar\\Controller::collection', [Request::METHOD_POST], $hasNoRelation);
     $authorization->deny('member', 'Theodia\\V1\\Rest\\UserPlace\\Controller::collection', [Request::METHOD_POST], $hasNoRelation);
 }
예제 #2
0
 /**
  * @description Initialise ACL for all modules/controllers/actions
  * @param MvcEvent $e
  */
 public function initAcl(MvcEvent $e, $config)
 {
     $app = $e->getApplication();
     $eventManager = $app->getEventManager();
     $serviceManager = $app->getServiceManager();
     $aclService = $serviceManager->get('VcoZfAuthAcl\\Service\\AclServiceInterface');
     $acl = $aclService->getAcl();
     /* @var $acl Acl */
     //deny everything by default
     $acl->deny();
     //add roles
     $roles = $config['acl']['roles'];
     if (count($roles) > 0) {
         foreach ($roles as $roleName => $roleParent) {
             if ($roleName == '') {
                 throw new \Exception('Role name can not be empty');
             }
             $role = new GenericRole($roleName);
             $acl->addRole($role, $roleParent);
         }
     }
     //add resources
     $resources = $config['acl']['resources'];
     if (count($resources) > 0) {
         foreach ($resources as $moduleName => $moduleResources) {
             $moduleName = strtolower($moduleName);
             if (!$acl->hasResource($moduleName)) {
                 $acl->addResource(new GenericResource($moduleName));
             }
             if (count($moduleResources) > 0) {
                 foreach ($moduleResources as $moduleResource) {
                     $moduleResource = strtolower($moduleResource);
                     if (!$acl->hasResource($moduleResource)) {
                         $acl->addResource(new GenericResource($moduleResource), $moduleName);
                     }
                 }
             }
         }
     }
     //allows
     $allows = $config['acl']['allow'];
     if (count($allows) > 0) {
         foreach ($allows as $allow) {
             $assertionsConfig = $allow['assertions'];
             $assertion = null;
             if (is_array($assertionsConfig) && count($assertionsConfig) > 0) {
                 $assertion = new AssertionAggregate();
                 foreach ($assertionsConfig as $assertClassName) {
                     $assertion->addAssertion(new $assertClassName());
                 }
             } else {
                 if (is_string($assertionsConfig) && !empty($assertionsConfig)) {
                     $assertion = new $assertionsConfig();
                 }
             }
             $acl->allow($allow['roles'], $allow['resources'], $allow['privileges'], $assertion);
         }
     }
     //denials
     $denials = $config['acl']['deny'];
     if (count($denials) > 0) {
         foreach ($denials as $denial) {
             $assertionsConfig = $denial['assertions'];
             $assertion = null;
             if (is_array($assertionsConfig) && count($assertionsConfig) > 0) {
                 $assertion = new AssertionAggregate();
                 foreach ($assertionsConfig as $assertClassName) {
                     $assertion->addAssertion(new $assertClassName());
                 }
             } else {
                 if (is_string($assertionsConfig) && !empty($assertionsConfig)) {
                     $assertion = new $assertionsConfig();
                 }
             }
             $acl->deny($denial['roles'], $denial['resources'], $denial['privileges'], $assertion);
         }
     }
 }
예제 #3
0
 /**
  * @param string|array|AssertionInterface $assertion
  * @return null|AssertionInterface
  */
 protected function normalizeAssertion($assertion)
 {
     if (!$assertion) {
         return;
     }
     if ($assertion instanceof AssertionInterface) {
         return $assertion;
     }
     $assertion = (array) $assertion;
     if (count($assertion) > 1) {
         $assertionAggregate = new AssertionAggregate();
         foreach ($ruleData['assertion'] as $plugin) {
             if (is_string($plugin) && $this->assertionPluginManager->has($plugin)) {
                 $plugin = $this->assertionPluginManager->get($plugin);
             }
             if ($plugin instanceof AssertionInterface) {
                 $assertionAggregate->addAssertion($plugin);
             }
         }
         return $assertionAggregate;
     }
     $assertion = reset($assertion);
     if (!$assertion instanceof AssertionInterface) {
         if (is_string($assertion) && $this->assertionPluginManager->has($assertion)) {
             $assertion = $this->assertionPluginManager->get($assertion);
         } else {
             $assertion = null;
         }
     }
     return $assertion;
 }
예제 #4
0
 /**
  * Add rules for "site_admin" role.
  *
  * @param Acl $acl
  */
 protected function addRulesForSiteAdmin(Acl $acl)
 {
     $acl->allow('site_admin');
     $acl->deny('site_admin', ['Omeka\\Module\\Manager', 'Omeka\\Controller\\Admin\\Module'], ['activate', 'deactivate', 'install', 'uninstall', 'upgrade', 'configure']);
     $acl->deny('site_admin', 'Omeka\\Controller\\Admin\\Vocabulary', ['import']);
     $acl->deny('site_admin', 'Omeka\\Controller\\Admin\\Setting');
     $acl->deny('site_admin', 'Omeka\\Api\\Adapter\\VocabularyAdapter', ['create', 'update', 'delete']);
     $acl->deny('site_admin', 'Omeka\\Entity\\Media', ['create', 'update', 'delete']);
     $acl->deny('site_admin', 'Omeka\\Entity\\User', 'change-role-admin');
     $acl->deny('site_admin', 'Omeka\\Entity\\User', ['change-role', 'activate-user', 'delete'], new IsSelfAssertion());
     // Site admins should not be able to edit other admin users but should
     // be able to edit themselves
     $denyEdit = new AssertionAggregate();
     $denyEdit->addAssertions([new UserIsAdminAssertion(), new AssertionNegation(new IsSelfAssertion())]);
     $acl->deny('site_admin', 'Omeka\\Entity\\User', ['update', 'delete', 'change-password', 'edit-keys'], $denyEdit);
 }