Binds access control with user authentication and session management.
Inheritance: extends Cake\Controller\Component; uses trait Cake\Event\EventDispatcherTrait
 /**
  * Fills in configuration defaults the parent does not know about.
  *
  * After the parent's defaults are applied, `verifyAction` is pointed at the
  * TwoFactorAuth plugin's verify action (no routing prefix) unless the caller
  * has already configured it. Only a missing (null) setting is replaced; an
  * explicit `false` or empty array is left as configured.
  *
  * @return void
  */
 protected function _setDefaults()
 {
     parent::_setDefaults();
     $verifyRoute = [
         'controller' => 'TwoFactorAuth',
         'action' => 'verify',
         'plugin' => 'TwoFactorAuth',
         'prefix' => false,
     ];
     if (null !== $this->config('verifyAction')) {
         return;
     }
     $this->config('verifyAction', $verifyRoute);
 }
 /**
  * Constructor hook method.
  *
  * Runs the parent hook, then disables the `authError` message for requests
  * with no logged-in user: the authorization error is only meaningful when a
  * user is already logged in and attempts something they are not allowed to do.
  *
  * @param array $config The configuration settings provided to this component
  * @return void
  * @see http://api.cakephp.org/3.3/class-Cake.Controller.Component.html#_initialize
  */
 public function initialize(array $config)
 {
     parent::initialize($config);
     $isLoggedIn = (bool)$this->user('id');
     if ($isLoggedIn) {
         return;
     }
     // Anonymous request: suppress the "not authorized" message.
     $this->config('authError', false);
 }
 /**
  * Builds the component and immediately authorizes the current request
  * against the route map loaded from config/locker.php.
  *
  * The request is keyed as "/[plugin/][prefix/]controller/action" and looked
  * up, most specific first, as
  *   - exact:    the key plus all passed arguments,
  *   - wildcard: the key followed by "/*" (only consulted when passed
  *               arguments exist),
  *   - base:     the key alone.
  * The first matching entry that passes check() allows the request. A
  * matching entry that fails check() throws MethodNotAllowedException when a
  * user is logged in and otherwise returns without allowing anything. A route
  * with no entry at all throws, so the map is default-deny.
  *
  * @param ComponentRegistry $registry Registry this component belongs to.
  * @param array $config Component configuration.
  * @throws Exception when locker.php is missing, the user's role is not
  *   listed in locker.roles, or the route has no locker.controllers entry.
  * @throws MethodNotAllowedException when a logged-in user fails check().
  */
 public function __construct(ComponentRegistry $registry, array $config = [])
 {
     parent::__construct($registry, $config);
     // Only replace the role when the session carries one; the initial value
     // of $this->role is declared outside this listing.
     if ($this->user('role')) {
         $this->role = $this->user('role');
     }
     if (!file_exists(CONFIG . "locker.php")) {
         // NOTE(review): this message uses _() while every other message in
         // this method uses __(); unless _() is defined elsewhere this error
         // path would itself fail — confirm.
         throw new Exception(_('locker.php not found in config directory'));
     }
     //Load configuration directives for Locker
     $params = $this->request->params;
     Configure::load('locker');
     $this->roles = Configure::read('locker.roles');
     $this->controllers = Configure::read('locker.controllers');
     // Route key: "/controller/action", prefixed with "/prefix" and then
     // "/plugin" when the request carries those.
     $path = "/{$params['controller']}/{$params['action']}";
     if (!empty($params['prefix'])) {
         $path = "/{$params['prefix']}" . $path;
     }
     if (!empty($params['plugin'])) {
         $path = "/{$params['plugin']}" . $path;
     }
     // Keys are compared case-insensitively via strtolower(). With no passed
     // arguments, $exact is $base with a trailing slash, so the two differ.
     $base = strtolower($path);
     $exact = strtolower($path . '/' . implode('/', $params['pass']));
     $wildcard = strtolower($base . '/*');
     // NOTE(review): both comparisons are loose — `!=` and in_array() without
     // `true` as the third argument — so a role value that is not a plain
     // string may match an unintended entry. Any non-public role absent from
     // locker.roles is rejected before the route map is consulted.
     if ($this->role != 'public' && !in_array($this->role, $this->roles)) {
         throw new Exception(__('Your user role is not present in locker configuration'));
     }
     // empty() treats a configured-but-falsy entry ('', 0, [], '0') as absent.
     if (!empty($this->controllers[$exact])) {
         if ($this->check($exact)) {
             return $this->allow();
         }
         if ($this->user()) {
             throw new MethodNotAllowedException(sprintf(__("You do not have permission to access this area: %s"), $exact));
         }
         // Anonymous user failing the check: nothing is allowed, no exception.
         return;
     }
     if (!empty($this->controllers[$wildcard]) && !empty($params['pass'])) {
         if ($this->check($wildcard)) {
             return $this->allow();
         }
         if ($this->user()) {
             throw new MethodNotAllowedException(sprintf(__("You do not have permission to access this area: %s"), $wildcard));
         }
         return;
     }
     if (!empty($this->controllers[$base])) {
         if ($this->check($base)) {
             return $this->allow();
         }
         if ($this->user()) {
             throw new MethodNotAllowedException(sprintf(__("You do not have permission to access this area: %s"), $base));
         }
         return;
     }
     // Default-deny: a route that is not in the map is a configuration error.
     throw new Exception(__('Method is not present on locker.php configuration'));
 }
 /**
  * Authorization hook with a test-only recording mode.
  *
  * When `$this->earlyAuthTest` is set, no authorization is performed: the
  * method only records the name of the triggering event in
  * `$this->authCheckCalledFrom`, and only when that name equals the
  * `checkAuthIn` config value. Otherwise the parent implementation runs.
  *
  * @param Event $event The event the check is triggered from.
  * @return mixed The parent's result, or null in recording mode.
  */
 public function authCheck(Event $event)
 {
     if (!isset($this->earlyAuthTest)) {
         return parent::authCheck($event);
     }
     $eventName = $event->name();
     // Recording mode: remember the call site, but only for the configured event.
     if ($eventName === $this->_config['checkAuthIn']) {
         $this->authCheckCalledFrom = $eventName;
     }
     return;
 }
 /**
  * Initialize hook method.
  *
  * Sets `loginRedirect` from _loginRedirect(), keeps a handle on the current
  * controller, asks Permissions for the actions the current user may perform,
  * flags the request with `isAllowed` for the current action, then opens
  * either every action (admin role) or only the permitted ones. The logged
  * user is handed to the view before the parent hook runs.
  *
  * @param array $config Component configuration.
  * @return void
  */
 public function initialize(array $config)
 {
     $this->config('loginRedirect', $this->_loginRedirect());
     $this->_controller = $this->_registry->getController();
     $permissions = new Permissions($this->user(), $this->request);
     $allowedActions = $permissions->getAllowed();
     $currentAction = $this->request->param('action');
     $this->request->offsetSet('isAllowed', Arr::in($currentAction, $allowedActions));
     // NOTE(review): loose comparison (==) against Role::ADMIN_ID; whether a
     // non-integer role_id is meant to match is not visible from here — confirm.
     $isAdmin = $this->user('role_id') == Role::ADMIN_ID;
     if ($isAdmin) {
         $this->allow();
     } else {
         $this->allow($allowedActions);
     }
     $this->_controller->set('loggedUser', $this->_getLoggedUserForView());
     parent::initialize($config);
 }
 /**
  * beforeDelete listener: stamps the delete options with the acting user.
  *
  * An explicitly supplied, non-empty `loggedInUser` option is left untouched;
  * otherwise it is filled from the authenticated user's id.
  *
  * @param Event $event The beforeDelete event (unused).
  * @param Entity $entity The entity about to be deleted (unused).
  * @param ArrayObject $options Delete options, mutated in place.
  * @return void
  */
 public function beforeDelete(Event $event, Entity $entity, ArrayObject $options)
 {
     if (!empty($options['loggedInUser'])) {
         return;
     }
     $options['loggedInUser'] = $this->_Auth->user('id');
 }
 /**
  * Overrides setUser so an `Auth.after.setUser` event is dispatched once the
  * parent has stored the user.
  *
  * The event's subject is the current controller and its data carries the
  * user under the `user` key.
  *
  * @param array $user The user data to store.
  * @return void
  */
 public function setUser($user)
 {
     parent::setUser($user);
     $subject = $this->_registry->getController();
     $afterSetUser = new Event('Auth.after.setUser', $subject, ['user' => $user]);
     $this->eventManager()->dispatch($afterSetUser);
 }
 /**
  * {@inheritdoc}
  *
  * Applies this plugin's baseline Auth settings (Form authentication scoped to
  * `Users.status = 1` with email/password fields, the Pie/Users login route,
  * redirects and messages read from the `pie.users.auth.*` config, and
  * Controller authorization), runs the parent hook, and finally re-applies
  * `$config` so the caller's settings override the baseline.
  *
  * @param array $config Component configuration supplied by the controller.
  * @return void
  */
 public function initialize(array $config)
 {
     $baseline = [
         'authenticate' => [
             'Form' => [
                 'scope' => ['Users.status' => 1],
                 'fields' => ['username' => 'email', 'password' => 'password'],
             ],
         ],
         'loginAction' => [
             'plugin' => 'Pie/Users',
             'controller' => 'Users',
             'action' => 'login',
             'prefix' => false,
         ],
         'loginRedirect' => Configure::read('pie.users.auth.loginRedirect'),
         'logoutRedirect' => Configure::read('pie.users.auth.logoutRedirect'),
         'unauthorizedRedirect' => Configure::read('pie.users.auth.unauthorizedRedirect'),
         'authError' => Configure::read('pie.users.auth.authError'),
         'authorize' => ['Controller'],
         'flash' => Configure::read('pie.users.auth.flash'),
     ];
     $this->config($baseline);
     parent::initialize($config);
     // Caller-supplied settings win over the baseline.
     $this->config($config);
 }
 /**
  * Controller.startup callback.
  *
  * Runs _prepareAuthentication() first, then lets the parent perform its own
  * startup handling and passes its result through unchanged.
  *
  * @param \Cake\Event\Event $event Event instance.
  * @return \Cake\Network\Response|null Whatever the parent startup returns.
  */
 public function startup(Event $event)
 {
     $this->_prepareAuthentication();
     $response = parent::startup($event);

     return $response;
 }
 /**
  * Constructor
  *
  * Merges `$_defaultAdditionalConfig` into `$_defaultConfig` before calling
  * the parent constructor. Array union (`+`) is used, so a key already present
  * in `$_defaultConfig` keeps its value.
  *
  * @param ComponentRegistry $registry A ComponentRegistry this component can use to lazy load its components
  * @param array $config Array of configuration settings.
  */
 public function __construct(ComponentRegistry $registry, array $config = [])
 {
     // `+` keeps existing keys; the additional defaults only fill gaps.
     $this->_defaultConfig += $this->_defaultAdditionalConfig;
     parent::__construct($registry, $config);
 }
 /**
  * testStatelessAuthNoSessionStart method
  *
  * Drives a Basic-authenticated Controller.startup with the session key
  * disabled and asserts that startup returns null and no session was started.
  *
  * @return void
  */
 public function testStatelessAuthNoSessionStart()
 {
     // Start from a clean slate: tear down any session left by earlier tests.
     if (Session::id()) {
         session_destroy();
         Session::$id = null;
     }
     AuthComponent::$sessionKey = false;
     $this->Auth->config('authenticate', ['Basic' => ['userModel' => 'AuthUsers']]);
     $request = $this->Controller->request;
     $request['action'] = 'admin_add';
     $request->env('PHP_AUTH_USER', 'mariano');
     $request->env('PHP_AUTH_PW', 'cake');
     $event = new Event('Controller.startup', $this->Controller);
     $result = $this->Auth->startup($event);
     $this->assertNull($result);
     $this->assertNull(Session::id());
 }