/** * Checks if the current user has the priviledge to do something. * * @param string $priviledge * @return AccessProhibitedException **/ protected function _checkAcl($priviledge) { $service = new UserService($this->_em); if (!$this->_acl->isAllowed($service->getCurrentRole(), $this, $priviledge)) { throw new AccessProhibitedException('Access is prohibited.'); } }
/** * Check the acl * * @param string $resource * @param string $privilege * @return boolean */ public function isAllowed($resource = null, $privilege = null) { if (null === $this->acl) { $this->getAcl(); } return $this->acl->isAllowed($this->getIdentity()->getRoleId(), $resource, $privilege); }
public function testBuildItemWillAddRulesToAcl() { $this->assertFalse($this->acl->isAllowed('guest', 'login')); $this->assertFalse($this->acl->isAllowed('user', null, 'GET')); $this->assertTrue($this->object->buildItem()); $this->assertTrue($this->acl->isAllowed('guest', 'login')); $this->assertTrue($this->acl->isAllowed('user', null, 'GET')); }
/** * @param \Zend\Permissions\Acl\Resource\ResourceInterface|string $resource * @param string $action * @return bool */ public function can($resource, $action) { foreach ($this->roles as $role) { if ($this->acl->isAllowed($role, $resource, $action)) { return true; } } return false; }
public function testBuildCanAcceptXMLAsString() { $content = file_get_contents(__DIR__ . '/fixtures/test.xml'); $this->object = new AclBuilder(new StringType($content), $this->acl); $this->assertTrue($this->object->build()); $this->assertTrue($this->acl->hasRole('guest')); $this->assertTrue($this->acl->hasResource('logout')); $this->assertTrue($this->acl->isAllowed('guest', 'login')); $this->assertTrue($this->acl->isAllowed('user', null, 'GET')); }
/** * Run the request filter. * * @param \Illuminate\Http\Request $request * @param \Closure $next * @return mixed */ public function handle(Request $request, Closure $next, $resource = null, $permission = null) { if ($this->auth->guest()) { if (!$this->acl->isAllowed('guest', $resource, $permission)) { return $this->notAllowed($request); } } elseif (!$this->acl->isAllowed($this->auth->user(), $resource, $permission)) { return $this->notAllowed($request); } return $next($request); }
/** * Check is the user is allowed to the resource on the privilege * * @param string $resource * @param string $privilege * @return bool */ public function isAllowed($user, $resource, $privilege) { //Get user roles $roles = $user->getRoles(); //Check each role if one of them was allowed foreach ($roles as $role) { if ($this->acl->isAllowed($role, $resource, $privilege)) { return true; } } return false; }
/** * * @param string $name * @param string $routename * @return boolean */ public function checkAutorisation($name, $routename) { $this->initAcl(); $config = $this->getServiceLocator()->get('Config'); $filePath = $config['auth']['filePath']; $reader = new Ini(); try { $usersData = $reader->fromFile($filePath); } catch (\Exception $e) { error_log($e->getMessage()); return false; } return is_array($usersData) && array_key_exists($name, $usersData) && $this->acl->hasResource($routename) && $this->acl->hasRole($usersData[$name]) && $this->acl->isAllowed($usersData[$name], $routename); }
/** * @group 4226 */ public function testAllowNullPermissionAfterResourcesExistShouldAllowAllPermissionsForRole() { $this->_acl->addRole('admin'); $this->_acl->addResource('newsletter'); $this->_acl->allow('admin'); $this->assertTrue($this->_acl->isAllowed('admin')); }
/** * Check if ACL is Authorized * * @return Ambigous <boolean, NULL> */ public function isAuthorized() { // Get current Role, Resource & Privilege $role = $this->getAdapter()->getRole(); $resource = $this->getAdapter()->getResource(); $privilege = $this->getAdapter()->getPrivilege(); // if resource is defined in ACL resource if ($this->hasResource($resource)) { // If role is not define in ACL, we return an exception if (!$this->hasRole($role)) { throw new Exception\RoleNotDefinedException($role); } $rules = $this->getAdapter()->getRules(); // If the resource is defined in resources list but dont have rules, we generate exception if (isset($rules['allow'])) { $resourcesDefinedInRules = array_keys($rules['allow']); } if (!in_array($resource, $resourcesDefinedInRules)) { throw new Exception\ResourceHaveNoAllowRuleException($resource); } // If the resource dont have allow rule the resource, we dont authorize $privilegesDefinedInResource = array_keys($rules['allow'][$resource]); if (!in_array($privilege, $privilegesDefinedInResource)) { throw new Exception\ResourcePrivilegeHaveNoAllowRuleException($resource, $privilege); } // Check if trio role, resource & privilege allowed $isAuthorized = parent::isAllowed($role, $resource, $privilege); if ($isAuthorized) { return true; } else { throw new Exception\AccessNotAllowedException(); } } return true; }
public function doAuthorization($e) { return; //setting ACL... $acl = new Acl(); //add role .. $acl->addRole(new Role('anonymous')); $acl->addRole(new Role('user'), 'anonymous'); $acl->addRole(new Role('admin'), 'user'); $acl->addResource(new Resource('Stick')); $acl->addResource(new Resource('Auth')); $acl->deny('anonymous', 'Stick', 'list'); $acl->allow('anonymous', 'Auth', 'login'); $acl->allow('anonymous', 'Auth', 'signup'); $acl->allow('user', 'Stick', 'add'); $acl->allow('user', 'Auth', 'logout'); //admin is child of user, can publish, edit, and view too ! $acl->allow('admin', 'Stick'); $controller = $e->getTarget(); $controllerClass = get_class($controller); $namespace = substr($controllerClass, strrpos($controllerClass, '\\') + 1); $role = !$this->getSessContainer()->role ? 'anonymous' : $this->getSessContainer()->role; echo $role; exit; if (!$acl->isAllowed($role, $namespace, 'view')) { $router = $e->getRouter(); $url = $router->assemble(array(), array('name' => 'Login/auth')); $response = $e->getResponse(); $response->setStatusCode(302); //redirect to login route... $response->getHeaders()->addHeaderLine('Location', $url); } }
/** * @param string|ResourceInterface $resource * @param string $privilege * * @return bool */ public function isAllowed($resource, $privilege = null) { $this->loaded && $this->loaded->__invoke(); try { return $this->acl->isAllowed($this->getIdentity(), $resource, $privilege); } catch (InvalidArgumentException $e) { return false; } }
/** * Function to check permission * * @param null $resource * @param null $privilege * @param null $profile * @return bool */ public function allows($resource = null, $privilege = null, $profile = null) { if ($profile === null) { $profile = auth('pulsar')->user()->profile_id_010; } try { return parent::isAllowed($profile, $resource, $privilege); } catch (Exception\InvalidArgumentException $e) { return false; } }
/** * check authorized role for specific resources * @param MvcEvent $e */ public function authorize(MvcEvent $e) { $application = $e->getApplication(); $serviceManger = $application->getServiceManager(); $authenticationService = $serviceManger->get('Zend\\Authentication\\AuthenticationService'); $loggedUser = $authenticationService->getIdentity(); $role = !$loggedUser ? self::DEFAULT_ROLE : $loggedUser->getRole(); //get current resource $routeMatch = $e->getRouteMatch(); $routeName = $routeMatch->getMatchedRouteName(); $controller = $routeMatch->getParam('controller', 'not-found'); $action = $routeMatch->getParam('action'); $this->acl = $this->setAcl(); $isAllowed = $this->acl->isAllowed($role, $controller, $action); if (!$isAllowed) { $response = $e->getResponse(); $response->setStatusCode(404); } return $isAllowed; }
public function __construct() { // 添加初始化事件函数 $eventManager = $this->getEventManager(); $serviceLocator = $this->getServiceLocator(); $eventManager->attach(MvcEvent::EVENT_DISPATCH, function ($event) use($eventManager, $serviceLocator) { // 权限控制 $namespace = $this->params('__NAMESPACE__'); $controller = $this->params('controller'); $action = $this->params('action'); if ($namespace == 'Idatabase\\Controller' && php_sapi_name() !== 'cli') { // 身份验证不通过的情况下,执行以下操作 if (!isset($_SESSION['account'])) { $event->stopPropagation(true); $event->setViewModel($this->msg(false, '未通过身份验证')); } // 授权登录后,检查是否有权限访问指定资源 $role = isset($_SESSION['account']['role']) ? $_SESSION['account']['role'] : false; $resources = isset($_SESSION['account']['resources']) ? $_SESSION['account']['resources'] : array(); $action = $this->getMethodFromAction($action); $currentResource = $controller . 'Controller\\' . $action; if ($role && $role !== 'root') { $acl = new Acl(); $acl->addRole(new Role($role)); foreach ($resources as $resource) { $acl->addResource(new Resource($resource)); $acl->allow($role, $resource); } $isAllowed = false; try { if ($acl->isAllowed($role, $currentResource) === true) { $isAllowed = true; } } catch (InvalidArgumentException $e) { } if (!$isAllowed) { $event->stopPropagation(true); $event->setViewModel($this->deny()); } } } $this->preDispatch(); if (method_exists($this, 'init')) { try { $this->init(); } catch (\Exception $e) { $event->stopPropagation(true); $event->setViewModel($this->deny($e->getMessage())); } } }, 200); }
public function onInit(MvcEvent $e) { $routerMatch = $e->getRouteMatch(); $arrayController = explode("\\", $routerMatch->getParam("controller")); $module = strtolower($arrayController[0]); $viewModel = $e->getViewModel(); $this->_mainParam['module'] = strtolower($arrayController[0]); $this->_mainParam['controller'] = strtolower($arrayController[2]); $this->_mainParam['action'] = strtolower($routerMatch->getParam("action")); //truyền ra cho layout $viewModel->params = array("module" => strtolower($arrayController[0]), "controller" => strtolower($arrayController[2]), "action" => strtolower($routerMatch->getParam("action"))); $config = $this->getServiceLocator()->get("config"); $layout = $config["module_for_layouts"][strtolower($arrayController[0])]; //set layout $this->layout($layout); $infoObj = new \ZendVN\System\Info(); //KIEM TRA USER AuTH if ($this->_mainParam['module'] == 'admin') { //chưa đăng nhập if (!$this->identity()) { return $this->redirect()->toRoute('homeShop'); } else { //đăng nhập rồi mà không có quyền vào $group_acp = $infoObj->getGroupInfo('group_acp'); if ($group_acp != 1) { return $this->redirect()->toRoute('homeShop'); } else { // KIEM TRA PERMISSION $aclObj = new Acl(); $role = $infoObj->getPermissionInfo()['role']; $privilegesOfRole = $infoObj->getPermissionInfo()['privileges']; $aclObj->addRole($role); $aclObj->allow($role, null, $privilegesOfRole); $privilegesOfArea = $this->_mainParam['module'] . "|" . $this->_mainParam['controller'] . "|" . $this->_mainParam['action']; if ($aclObj->isAllowed($role, null, $privilegesOfArea) == false) { return $this->goNoAccess(); } } } } //kiem tra controller user khong đăng nhập thi không được vào if ($this->_mainParam['controller'] == 'user' && $this->_mainParam['module'] == 'shop') { //chưa đăng nhập if (!$this->identity()) { return $this->redirect()->toRoute('homeShop'); } } // ------------------------------------------------------------ //func Init() giúp cho các controller extends có thể override onInit() $this->init(); }
public function __construct($roleName, array $permissions, Acl $acl) { parent::__construct(); $this->setAttribute('method', 'post'); $roles = $acl->getRoles(); $parentPermissions = []; foreach ($roles as $role) { if ($acl->inheritsRole($roleName, $role, true)) { foreach ($permissions as $permissionId => $permission) { if ($acl->isAllowed($role, $permission)) { $parentPermissions[$permissionId] = $permissionId; } } } } $permissionGroups = []; foreach ($permissions as $permissionId => $permission) { $fragments = explode('/', $permission); $groupName = reset($fragments); if (!array_key_exists($groupName, $permissionGroups)) { $permissionGroups[$groupName] = []; } $permissionGroups[$groupName][] = $permissionId; } foreach ($permissionGroups as $groupName => $groupPermissions) { foreach ($groupPermissions as $permission) { $permissionCheck = new Checkbox($permission); $permissionCheck->setLabel($permissions[$permission]); if (array_key_exists($permission, $parentPermissions)) { $permissionCheck->setValue(true); $permissionCheck->setAttribute('disabled', true); } $this->add($permissionCheck); if (!array_key_exists($groupName, $this->permissionGroups)) { $this->permissionGroups[$groupName] = []; } $this->permissionGroups[$groupName][] = $permissionCheck; } } $submit = new Submit('save'); $submit->setValue('save'); $submit->setAttribute('class', 'btn btn-primary'); $this->add($submit); }
/** * Override isAllowed function to also support multiple roles * * @see \Zend\Permissions\Acl\Acl::isAllowed() * @param Role\RoleInterface|string|array $role * @param Resource\ResourceInterface|string $resource * @param string $privilege * @return bool */ public function isAllowed($roles = NULL, $resource = NULL, $priviledge = NULL) { if (true === $this->allow_access_when_resource_unknown && !$this->hasResource($resource)) { return true; } try { if (is_array($roles)) { foreach ($roles as $role) { if (true === parent::isAllowed($role, $resource, $priviledge)) { return true; } } } else { return parent::isAllowed($roles, $resource, $priviledge); } } catch (InvalidArgumentException $e) { // Role or Resource was not found (maybe not even configured) return $this->allow_access_when_resource_unknown === true; } return false; }
/** * @param RoleInterface|string|number $role * @param ResourceInterface|string $resource * @param string $privilege * @return bool */ public function isAllowed($role = null, $resource = null, $privilege = null) { if (is_null($this->acl)) { $this->init(); } if (!is_null($role) && !$role instanceof RoleInterface) { $roleEntity = $this->findRole($role); } else { $roleEntity = $role; } if (!$this->hasResource($resource)) { if ($this->moduleOptions->isPermissive()) { $resource = null; } else { return false; } } if ($this->acl->hasRole($roleEntity) || is_null($roleEntity)) { return $this->acl->isAllowed($roleEntity, $resource, $privilege); } else { return false; } }
public function doAuthorization() { //setting ACL... $acl = new Acl(); //add role .. $acl->addRole(new Role('anonymous')); $acl->addRole(new Role('user'), 'anonymous'); $acl->addRole(new Role('admin'), 'user'); $acl->addResource(new Resource('Backend')); $acl->addResource(new Resource('Login')); $acl->deny('anonymous', 'Backend', 'view'); $acl->allow('anonymous', 'Login', 'view'); $acl->allow('user', array('Backend'), array('view')); //admin is child of user, can publish, edit, and view too ! $acl->allow('admin', array('Backend'), array('publish', 'edit')); $controller = $this->getController(); $controllerClass = get_class($controller); $namespace = substr($controllerClass, 0, strpos($controllerClass, '\\')); $role = !$this->getSessContainer()->role ? 'anonymous' : $this->getSessContainer()->role; if (!$acl->isAllowed($role, $namespace, 'view') && $controllerClass !== $namespace . "\\Controller\\LoginController") { // $redirector = $controller->getPluginManager()->get('Redirect'); // return $redirector->toRoute('backend_logout'); } }
/** * @group ZF-7973 */ public function testAclPassesPrivilegeToAssertClass() { $assertion = new TestAsset\AssertionZF7973(); $acl = new Acl\Acl(); $acl->addRole('role'); $acl->addResource('resource'); $acl->allow('role', null, null, $assertion); $allowed = $acl->isAllowed('role', 'resource', 'privilege', $assertion); $this->assertTrue($allowed); }
public function testOverrideIsAllowed() { $acl = new Acl(); $acl->addRole('role1'); $acl->addResource('resource1'); $acl->addResource('resource2'); $acl->allow(null, 'resource1', null); $acl->allow(null, 'resource2', 'view'); $acl->deny('role1', 'resource1', null); $service = $this->serviceManager->get('AclService4'); $service->loadResource(null, null); $this->assertSame($acl->isAllowed('role1', 'resource1', 'add'), $service->isAllowed('role1', 'resource1', 'add')); $this->assertSame($acl->isAllowed('role1', 'resource2', 'add'), $service->isAllowed('role1', 'resource2', 'add')); $this->assertSame($acl->isAllowed('role1', 'resource2', 'view'), $service->isAllowed('role1', 'resource2', 'view')); }
/** * @param string $role_id * @param string $resource_id * @return bool */ public function isAllowed($role_id = '', $resource_id = '') { return $this->acl->isAllowed($role_id, $resource_id); }
/** * Returns true if and only if the Role has access to the Resource * * @param Zend\Permissions\Acl\Role\RoleInterface|string $role * @param Zend\Permissions\Acl\Resource\ResourceInterface|string $resource * @param string $privilege * @return bool */ public function isAllowed($role = null, $resource = null, $privilege = null) { if (!$this->hasRole($role)) { return false; } if (!$this->hasResource($resource)) { return false; } return parent::isAllowed($role, $resource, $privilege); }
public function initAcl(MvcEvent $e) { $application = $e->getApplication(); $sm = $application->getServiceManager(); $acl = new Acl(); $roles = $sm->get("Application\\Model\\RolesBO"); $recursos = $sm->get("Application\\Model\\RecursosBO"); $rolesRecursos = $sm->get("Application\\Model\\RolesRecursosBO"); $usuarios = $sm->get("Application\\Model\\UsuariosBO"); // Se listan todos los recursos y se los agrega a la ACL foreach ($recursos->obtenerTodos() as $recurso) { if (!$acl->hasResource($recurso->getRecursosID())) { $genericResource = new GenericResource($recurso->getRecursosID()); $acl->addResource($genericResource); } } // Se registra el rol en la ACL $sesion = new Container("CoreAppSesion"); if (!$acl->hasRole($sesion->user_rol_id)) { $genericRole = new GenericRole($sesion->user_rol_id); $acl->addRole($genericRole); } $services = $application->getServiceManager(); // obtenemos todos los recuersosque tiene la ACL foreach ($acl->getResources() as $resource) { // Obtenemos los recursos disponibles para el rol foreach ($rolesRecursos->obtenerRecursosPorRol($sesion->user_rol_id) as $recursoAsignado) { // Si el recurso asignado es el mismo recurso de la ACL lo permitimos if ($resource == $recursoAsignado->getAppRecursosID()) { $acl->allow($genericRole, $acl->getResource($resource)); } } } // Si el recurso no esta permitido lo denegamos foreach ($acl->getResources() as $resource) { if (!$acl->isAllowed($genericRole, $acl->getResource($resource))) { $acl->deny($genericRole, $acl->getResource($resource)); } } $this->acl = $acl; }
/** * Check if a role has privilege to access given resource * * @param string $role * @param string $resource * @param string $privilege * @return bool */ public function isAllowed($role = null, $resource = null, $privilege = null) { $this->_load(); return $this->acl->isAllowed($role, $resource, $privilege); }
public function index06Action() { $aclObj = new Acl(); $aclObj->addRole("member")->addRole("manager", "member")->addRole("admin", "manager"); //add controller //module abc $aclObj->addResource("abc:news")->addResource("def:books"); //it's mean Role member có thể truy cập vào action "info,index" trong controller news $aclObj->allow("member", "abc:news", array("info", "index")); $aclObj->allow("member", "def:books", array("info", "index", "edit", "add")); $role = "member"; $resource = "def:books"; $privileges = array("info", "index", "add", "edit", "delete"); if ($aclObj->hasRole($role)) { foreach ($privileges as $privilege) { if ($aclObj->isAllowed($role, $resource, $privilege)) { echo sprintf("<h3 style='color:red;font-weight:bold'>%s : Được quyền truy cập %s - %s</h3>", $role, $resource, $privilege); } else { echo sprintf("<h3 style='color:red;font-weight:bold'>%s : Không được quyền truy cập %s - %s</h3>", $role, $resource, $privilege); } } } return false; }
/** * Authorizes a request. If the authorization fails a 403 response code * will be set and the propagation will be stopped * * @param MvcEvent $e * @return void */ public function authorize(MvcEvent $e) { $routeParams = $e->getRouteMatch()->getParams(); $controller = isset($routeParams['controller']) ? $routeParams['controller'] : null; $action = isset($routeParams['action']) ? $routeParams['action'] : null; if (empty($controller) or empty($action)) { throw new \Exception('Couldn\'t resolve controller or action'); } $application = $e->getApplication(); $sm = $application->getServiceManager(); // Load the configuration $config = $sm->get('config'); if (!isset($config['acl']) or !is_array($config['acl']) or !isset($config['acl']['roles']) or !is_array($config['acl']['roles']) or !isset($config['acl']['resources']) or !is_array($config['acl']['resources']) or !isset($config['acl']['rules']) or !is_array($config['acl']['rules'])) { throw new \Exception('ACL\'s are not configured correctly'); } $aclConfig =& $config['acl']; $acl = new Acl(); // Deny as default policy $acl->deny(); // Add the roles foreach ($aclConfig['roles'] as $role) { $inherit = null; if (is_array($role)) { $inherit = $role[1]; $role = $role[0]; } $acl->addRole(new Role($role), $inherit); } // Add the resources foreach ($aclConfig['resources'] as $resource) { if (strpos($resource, $this->resourcePrefix . ':') === 0) { $acl->addResource(new Resource($resource)); } } // Set up the rules foreach ($aclConfig['rules'] as $rule) { $type = isset($rule[0]) ? $rule[0] : null; $role = isset($rule[1]) ? $rule[1] : null; $resource = isset($rule[2]) ? $rule[2] : null; if (!$type) { throw new \Exception('No type defined'); } if (!$role) { throw new \Exception('No role defined'); } switch ($type) { case 'allow': $acl->allow($role, $resource); break; case 'deny': $acl->deny($role, $resource); break; default: throw new \Exception('Invalid rule type'); break; } } // Set the resource based on the request params $resource = 'controller:' . $controller . ':' . $action; // Set the users role $role = 'guest'; $identity = $sm->get('ControllerPluginManager')->get('identity'); if ($user = $identity()) { $role = $user->role; } // Authorize try { return $acl->isAllowed($role, $resource); } catch (\Zend\Permissions\Acl\Exception\InvalidArgumentException $exception) { // If the route cannot be matched the router will show a 404 page; // everyone can access the 404 page $routeMatch = $e->getRouteMatch(); if (!$routeMatch or !$routeMatch->getMatchedRouteName()) { return true; } // Check if the controller/action exists. If they don't we return // true to make sure the 404 page is rendered $controllerLoader = $sm->get('ControllerLoader'); if (!$controllerLoader->has($controller)) { return true; } $controller = $controllerLoader->get($controller); $method = $controller::getMethodFromAction($action); if (!method_exists($controller, $method)) { return true; } $logger = $sm->get('Logger'); $logger->debug('Invalid ACL ressource requested: ' . $resource . ' (' . $exception->getMessage() . ')'); return false; } }
/** * @param string $attribute * @param ResourceNode $resourceNode * @param null $user * * @return bool */ protected function isGranted($attribute, $resourceNode, $user = null) { // Make sure there is a user object (i.e. that the user is logged in) if (!$user instanceof UserInterface) { return false; } // Checking admin roles $authChecker = $this->container->get('security.authorization_checker'); // Admins have access to everything if ($authChecker->isGranted('ROLE_ADMIN')) { // return true; } // Check if I'm the owner $creator = $resourceNode->getCreator(); if ($creator instanceof UserInterface && $user->getUsername() == $creator->getUsername()) { //return true; } // Checking possible links connected to this resource $request = $this->container->get('request_stack')->getCurrentRequest(); $courseCode = $request->get('course'); $sessionId = $request->get('session'); $links = $resourceNode->getLinks(); $linkFound = false; /** @var ResourceLink $link */ foreach ($links as $link) { $linkUser = $link->getUser(); $linkCourse = $link->getCourse(); $linkSession = $link->getSession(); $linkUserGroup = $link->getUserGroup(); // Check if resource was sent to the current user if ($linkUser instanceof UserInterface && $linkUser->getUsername() == $creator->getUsername()) { $linkFound = true; break; } // @todo Check if resource was sent to a usergroup // @todo Check if resource was sent to a group inside a course // Check if resource was sent to a course inside a session if ($linkSession instanceof Session && !empty($sessionId) && $linkCourse instanceof Course && !empty($courseCode)) { $session = $this->container->get('chamilo_core.manager.session')->find($sessionId); $course = $this->container->get('chamilo_core.manager.course')->findOneByCode($courseCode); if ($session instanceof Session && $course instanceof Course && $linkCourse->getCode() == $course->getCode() && $linkSession->getId() == $session->getId()) { $linkFound = true; break; } } // Check if resource was sent to a course if ($linkCourse instanceof Course && !empty($courseCode)) { $course = $this->container->get('chamilo_core.manager.course')->findOneByCode($courseCode); if ($course instanceof Course && $linkCourse->getCode() == $course->getCode()) { $linkFound = true; break; } } } // No link was found! if ($linkFound === false) { return false; } // Getting rights from the link $rightFromResourceLink = $link->getRights(); if ($rightFromResourceLink->count()) { // Taken rights from the link $rights = $rightFromResourceLink; } else { // Taken the rights from the default tool $rights = $link->getResourceNode()->getTool()->getToolResourceRights(); } // Asked mask $mask = new MaskBuilder(); $mask->add($attribute); $askedMask = $mask->get(); // Check all the right this link has. $roles = array(); foreach ($rights as $right) { $roles[$right->getMask()] = $right->getRole(); } // Setting zend simple ACL $acl = new Acl(); // Creating roles // @todo move this in a service $userRole = new Role('ROLE_USER'); $teacher = new Role(self::ROLE_CURRENT_COURSE_TEACHER); $student = new Role(self::ROLE_CURRENT_COURSE_STUDENT); $superAdmin = new Role('ROLE_SUPER_ADMIN'); $admin = new Role('ROLE_ADMIN'); // Adding roles to the ACL // User role $acl->addRole($userRole); // Adds role student $acl->addRole($student); // Adds teacher role, inherit student role $acl->addRole($teacher, $student); $acl->addRole($superAdmin); $acl->addRole($admin); // Adds a resource $resource = new Resource($link); $acl->addResource($resource); // Role and permissions settings // Students can view // Student can just view (read) $acl->allow($student, null, self::getReaderMask()); // Teacher can view/edit $acl->allow($teacher, null, array(self::getReaderMask(), self::getEditorMask())); // Admin can do everything $acl->allow($admin); $acl->allow($superAdmin); foreach ($user->getRoles() as $role) { if ($acl->isAllowed($role, $resource, $askedMask)) { dump('passed'); return true; } } dump('not allowed to ' . $attribute); return false; }
public function doAuthorization(\Zend\Mvc\MvcEvent $event) { // Ignore ACL if in console if ($event->getRequest() instanceof Request) { return; } $controller = $event->getTarget(); $controllerClass = get_class($controller); $moduleName = substr($controllerClass, 0, strpos($controllerClass, '\\')); $routeMatch = $event->getRouteMatch()->getMatchedRouteName(); $manager = $this->getController()->getServiceLocator()->get('ModuleManager'); $loadedModules = $manager->getLoadedModules(); $certigateAclConfig = $loadedModules['CertigateAcl']->getConfig()['roles_management']; $excludedModules = $certigateAclConfig['excluded_modules']; $anonymousRoutes = $certigateAclConfig['anonymous_routes']; $signInController = 'DefaultModule\\Controller\\SignController'; $router = $event->getRouter(); // return if the target is in excluded modules if (in_array($moduleName, $excludedModules)) { return; } // return if not logged in $auth = new AuthenticationService(); $authenticated = true; if (!$auth->hasIdentity()) { $authenticated = false; } // set ACL $acl = new ZendAcl(); $acl->deny(); // Defining Resources foreach ($loadedModules as $k => $v) { if (!in_array($k, $excludedModules)) { $acl->addResource($k); } } if (count($anonymousRoutes) > 0) { $acl->addRole(new ZendRole(Role::ANONYMOUS_ROLE)); foreach ($anonymousRoutes as $privilege => $anonymousRoute) { $acl->allow(Role::ANONYMOUS_ROLE, $anonymousRoute['resource'], $privilege); } } if ($authenticated === true) { /* @var $em \Doctrine\ORM\EntityManager */ $em = $this->getController()->getServiceLocator()->get('Doctrine\\ORM\\EntityManager'); // Roles $roles = $em->getRepository('Users\\Entity\\Role')->findAll(); foreach ($roles as $r) { $acl->addRole(new ZendRole($r->getName())); } // Fetching Privileges $privileges = $em->getRepository('Users\\Entity\\Acl')->findAll(); $allRolesPriveleges = []; foreach ($privileges as $p) { $allRolesPriveleges[$p->getRole()->getName()][$p->getModule()][] = $p->getRoute(); } // Defining Permissions $acl->allow('Admin'); // allow everything for Admin foreach ($allRolesPriveleges as $role => $modules) { foreach ($modules as $module => $routes) { foreach ($routes as $r) { $acl->allow($role, $module, $r); } } } // get logged in user roles $userRoles = $em->find('\\Users\\Entity\\User', $auth->getIdentity()['id'])->getRoles(); $isAllowed = false; if ($acl->isAllowed(Role::ANONYMOUS_ROLE, $moduleName, $routeMatch)) { $isAllowed = true; } else { foreach ($userRoles as $userRole) { if ($acl->isAllowed($userRole->getName(), $moduleName, $routeMatch)) { $isAllowed = true; break; } } } if ($isAllowed === false) { $url = $router->assemble(array(), array('name' => 'noaccess')); $status = 302; } } if ($authenticated === false && $controllerClass != $signInController) { if (!$acl->isAllowed(Role::ANONYMOUS_ROLE, $moduleName, $routeMatch)) { // redirect to sign/in $url = $router->assemble(array('action' => 'in'), array('name' => 'defaultSign')); $status = 200; } } if (isset($url) && isset($status)) { $response = $event->getResponse(); $response->setStatusCode(302); // redirect to login page or other page. $response->getHeaders()->addHeaderLine('Location', $url); $event->stopPropagation(); } }