Inheritance: extends lithium\core\Adaptable
Exemplo n.º 1
0
 public function testNoConfigurations()
 {
     Access::reset();
     $this->assertIdentical(array(), Access::config());
     $this->expectException("Configuration `test_no_config` has not been defined.");
     Access::check('test_no_config', false, new Request());
 }
Exemplo n.º 2
0
 public function testCheck()
 {
     $request = new Request();
     $result = Access::check('test_access', array('username' => 'Tom'), $request);
     $this->assertEqual(array(), $result);
     $expected = array('message' => 'Access denied.', 'redirect' => '/login');
     $result = Access::check('test_access', false, $request, array('redirect' => '/login', 'message' => 'Access denied.'));
     $this->assertEqual($expected, $result);
 }
Exemplo n.º 3
0
	public function testNoRolesConfigured() {
		$request = new Request();

		$config = Access::config('test_no_roles_configured');
		$request->params = array('controller' => 'Tests', 'action' => 'granted');

		$this->assertTrue(empty($config['roles']));
		$this->expectException('No roles defined for adapter configuration.');
		Access::check('test_no_roles_configured', array('guest' => null), $request);
	}
Exemplo n.º 4
0
 /**
  * Check Aro's permissions to current Aco
  *
  * @return bool
  */
 protected function _checkAccess()
 {
     $access = Access::get('acl', $this->_aro, $this->_aco);
     $action = $this->request->params['action'];
     if (is_array($access) && (array_key_exists('*', $access) && $access['*'] || array_key_exists($action, $access) && $access[$action])) {
         return true;
     }
     return false;
 }
Exemplo n.º 5
0
	public function testAdd() {
		$request = new Request();

		// The add() method to add a rule
		Access::adapter('test_rulebased')->add('testDeny', function($requester, $request, $options) {
			return false;
		});

		$rules = array(
			array('rule' => 'testDeny', 'message' => 'Access denied.')
		);
		$expected = array('rule' => 'testDeny', 'message' => 'Access denied.', 'redirect' => '/');
		$result = Access::check('test_rulebased', array('username' => 'Tom'), $request, array('rules' => $rules));
		$this->assertEqual($expected, $result);

		// Make sure the rule got added to the $_rules property
		$this->assertTrue(is_callable(Access::adapter('test_rulebased')->getRules('testDeny')));

		$this->assertTrue(is_array(Access::adapter('test_rulebased')->getRules()));
	}
Exemplo n.º 6
0
<?php

/**
 * li3_access configuration file
 */
use lithium\security\Auth;
use li3_access\security\Access;
/**
 * Auth configurations
 * Users authorized trough 'inactive' configuration gets message about inactive account!
 */
Auth::config(array('default' => array('adapter' => 'Form', 'scope' => array('active' => true), 'query' => 'firstWithGroup'), 'inactive' => array('adapter' => 'Form', 'scope' => array('active' => false))));
/**
 * Access adapters configurations
 * For details se `li3_access` documentation
 */
Access::config(array('acl' => array('adapter' => 'DbAcl'), 'rules' => array('adapter' => 'Rules')));
Exemplo n.º 7
0
                header('Location: ' . Router::match(array('library' => 'li3b_users', 'controller' => 'users', 'action' => 'login')));
            }
            // None shall pass.
            exit;
        }
    }
    // Sets the current user in each request for convenience.
    $params['request']->user = $user;
    return $next;
    // return $chain->next($self, $params, $chain);
});
Access::config(array('default' => array('adapter' => 'Rules', 'filters' => array())));
// Set some basic rules to be used from anywhere
// Allow access for users with a role of "administrator" or "content_editor"
Access::adapter('default')->add('allowManagers', function ($user, $request, $options) {
    if ($user && ($user['role'] == 'administrator' || $user['role'] == 'content_editor')) {
        return true;
    }
    return false;
});
// Restrict access to documents that have a published field marked as true
// (except for users with a role of "administrator" or "content_editor")
Access::adapter('default')->add('allowIfPublished', function ($user, $request, $options) {
    if (isset($options['document']['published']) && $options['document']['published'] === true) {
        return true;
    }
    if ($user && ($user['role'] == 'administrator' || $user['role'] == 'content_editor')) {
        return true;
    }
    return false;
});
Exemplo n.º 8
0
            )
	)
));

// Set some rules to be used from anywhere

// Allow access for users with a role of "administrator" or "content_editor"
Access::adapter('minerva_access')->add('allowManagers', function($user, $request, $options) {
   if(($user) && ($user['role'] == 'administrator' || $user['role'] == 'content_editor')) {
   return true;
   }
   return false;
});

// Add a base document access rule to check against
Access::adapter('minerva_access')->add('publishStatus', function($user, $request, $options) {
   if($options['document']['published'] === true) {
   return true;
   }
   if(($user) && ($user['role'] == 'administrator' || $user['role'] == 'content_editor')) {
   return true;
   }
   return false;
});

/*
Dispatcher::applyFilter('_call', function($self, $params, $chain) {
    
    if(isset($params['callable']::$access)) {
        // TODO: maybe move this to MinervaController and even add an "admin" key to the Controller::$access array for even greater control and flexibility
        // Check for protected "admin" routes. Only administrators and content editors can access these routes.
Exemplo n.º 9
0
	public function testOptionOverride() {
		$expected = array(
			'message' => 'Rule access denied message.',
			'redirect' => '/',
			'options' => array(
				'class' => 'notice'
			)
		);
		$result = Access::check('test_option_override', null, $this->_request, array('whatt'));
		$this->assertIdentical($expected, $result);
	}
Exemplo n.º 10
0
 public function getDocument($options=array()) {
     $defaults = array('action' => null, 'request' => null, 'find_type' => 'first', 'conditions' => array(), 'limit' => null, 'offset' => 0, 'order' => 'created.desc');
     $options += $defaults;
     extract($options);
     
     // $action=null, $request=null, $find_type='first', $conditions=array(), $limit=null, $offset=0, $order=null
     // 1. Determine the proper model to be using
     $controller = $request->params['controller'];
     $controller_pieces = explode('.', $controller);
     if(count($controller_pieces) > 1) {
         $controller = end($controller_pieces);
     }
     $model = Inflector::classify(Inflector::singularize($controller));
    
     $modelClass = 'minerva\models\\'.$model;
     
     $library = null;
     $library_name_haystack = array();
     
     // if the action is read, update, or delete then the document will be able to tell us the library name
     if(($request->params['action'] == 'read') || ($request->params['action'] == 'update') || ($request->params['action'] == 'delete')) {
         // could be using the MongoId or the pretty URL in the route. Both work, but prefer the URL if set and there's no need to use both.
         $conditions = array();
         if(isset($request->params['id'])) {
             $conditions = array('_id' => $request->params['id']);
         }
         if(isset($request->params['url'])) {
             $conditions = array('url' => $request->params['url']);
         }
         $record = $modelClass::first(array('request_params' => $request->params, 'conditions' => $conditions, 'fields' => $this->library_fields));
         $library_name_haystack = ($record) ? $record->data():array();
     } else {
         // otherwise for index and create methods the library name is passed in the routes. as page_type or user_type or block_type
         $library_name_haystack = $request->params;
     }
     
     // get the library name
     foreach($this->library_fields as $field) {
         if(in_array($field, array_keys($library_name_haystack))) {
             $library = $library_name_haystack[$field];
         }
     }
     
     $class = '\minerva\libraries\\'.$library.'\models\\'.$model;
     // Don't load the model if it doesn't exist
     if(class_exists($class)) {
         // instantiate it so it can apply its properties to the base model along with any filters, etc.
         $modelClass = new $class();
     }
   
     // 2. Authentication & Access Check for Core Minerva Controllers
     // (properties set in model for core controllers) ... transfer those settings to the controller
     $controller_pieces = explode('::', $action);
     if(count($controller_pieces) > 1) {
         $action = $controller_pieces[1];
     }
     
     $controllerClass = '\minerva\controllers\\'.$controller.'Controller';
     
     // If the $controllerClass doesn't exist, it means it's a controller that Minerva doesn't have. That means it's not core and the access can be set there on that controller.
     if((isset($modelClass::$access)) && (class_exists($controllerClass))) {
         // Don't completely replace core Minerva controller with new access rules, but append all the rules (giving the library model's access property priority)
         $controllerClass::$access = $modelClass::$access += $controllerClass::$access;
     }
     
     // Get the rules for this action
     $rules = (isset($controllerClass::$access[$request->params['action']])) ? $controllerClass::$access[$request->params['action']]:array();
     
     // Check access for the action in general
     $action_access = Access::check('minerva_access', Auth::check('minerva_user'), $request, array('rules' => $rules['action']));
     
     if(!empty($action_access)) {
         FlashMessage::set($action_access['message'], array('options' => array('type' => 'error', 'pnotify_title' => 'Error', 'pnotify_opacity' => '.8')));
         $this->redirect($action_access['redirect']);
     }
     
     // Before getting documents, make sure the calling method actually wanted to get documents.
     if($find_type === false) {
         return true;
     }
     
     /**
      * 3. Get Document(s)
      * If we're here, we now need to get the document(s) to determine any document based access
      * and we'll return the document(s) back to the controller too.
     */
     $document = $modelClass::find($find_type, array(
         'conditions' => $conditions,
         'limit' => $limit,
         'order' => Util::format_dot_order($order),
         'request_params' => $request->params // this is not used for Lithium's find() but gives some useful data if find() is filtered
     ));
     
     // 4. Document Access Control
     if($document) {
         // add the document to the document access rules so it can be checked against
         $i=0;
         foreach($rules as $rule) {
             $rules['document'][$i] = $document->data();
             $i++;
         }
         
         $document_access = Access::check('minerva_access', Auth::check('minerva_user'), $request, array('rules' => $rules['document']));
         if(!empty($document_access)) {
             FlashMessage::set($document_access['message'], array('options' => array('type' => 'error', 'pnotify_title' => 'Error', 'pnotify_opacity' => '.8')));
             $this->redirect($document_access['redirect']);
         }
     }
     
     
     //read()
     // $document = $modelClass::find('first', array('conditions' => array('url' => $url), 'request_params' => $this->request->params));
     
     // modelClass will either be a core Minerva model class or the extended matching library model class
     return $document;
 }