Пример #1
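 /**
  * Update a product, enforcing authorisation before delegating to the parent.
  *
  * Overriding update() lets the permission check sit in front of the inherited
  * implementation without touching it.
  *
  * @param mixed $id  Identifier of the product being updated; handed to Authority as-is.
  *
  * @return mixed  A JSON error response when the current user may not update the
  *                product, otherwise whatever parent::update() returns.
  */
 public function update($id)
 {
     if (Authority::cannot('update', 'product', $id)) {
         // This is an authorisation failure, not an authentication one: 403 is the
         // matching status (401 means "not authenticated" and implies a challenge).
         return Response::json(array('message' => 'You are not allowed to update this product'), 403);
     }
     // Propagate the parent's response; without the return the caller gets NULL
     // and the client never sees the result of the update.
     return parent::update($id);
 }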
Пример #2
|
*/
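Route::filter('csrf', function () {
    // Compare the session token with the submitted one using hash_equals(): it is a
    // constant-time comparison and avoids PHP's loose "!=" juggling, under which two
    // numeric-looking strings (e.g. "0e..." forms) can compare equal.
    // Casting to string keeps a missing _token (NULL) from being a TypeError and makes
    // it compare unequal. An empty session token is also rejected so that
    // "no token at all" on both sides never passes the check (fail closed).
    $expected = (string) Session::token();
    $submitted = (string) Input::get('_token');
    if ($expected === '' || !hash_equals($expected, $submitted)) {
        throw new Illuminate\Session\TokenMismatchException();
    }
});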
/*
|--------------------------------------------------------------------------
| Resource-based Permissions
|--------------------------------------------------------------------------
|
| Checks if the logged in user can perform the requested action on the
| requested resource item.
| Gets the resource type (e.g. User), the action (e.g. delete) and the item id from the request.
|
*/
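Route::filter('permission', function ($route, $request) {
    // The route name encodes "<resource>.<action>", e.g. "admin.users.destroy".
    $routeName = explode('.', (string) $route->getName());
    if (count($routeName) < 2) {
        // Fail closed: an unnamed route (or one without an action segment) cannot be
        // mapped to a permission, so deny instead of handing Authority an empty
        // action/resource and hoping it refuses.
        return App::abort(403);
    }
    // Last segment is the action; the remaining segments, re-joined, are the resource.
    $action = array_pop($routeName);
    $resource = implode('.', $routeName);
    // Route parameters (e.g. the item id) are passed to Authority as-is.
    $parameters = $route->parameters();
    // Deny unless the current user may perform {action} on {resource} with {parameters}.
    if (Authority::cannot($action, $resource, $parameters)) {
        return App::abort(403);
    }
});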
Пример #3
 /**
  * Resolve the page for the current request URI.
  *
  * Resolution order: empty URI => home page; "short" url_mode => lookup by the
  * third URI segment; otherwise the requested entity decides (article => the page
  * taken from its path_ids; special URI => page looked up by path; entity id =>
  * page by id; else the module page). An unresolved page falls back to the page
  * registered under code '404' and a 404 output status. A resolved page the
  * current user may not 'access' is swapped for the page registered under its
  * deny_code, and that code becomes the HTTP status, so the protected page's data
  * never reaches the caller.
  *
  * @return	array			Array of the page data. Can be empty.
  */
 public static function get_current_page()
 {
     $page = NULL;
     $uri = self::$ci->uri->uri_string();
     // Empty URI: serve the home page.
     if ($uri == '') {
         $page = self::get_home_page();
     } else {
         if (config_item('url_mode') == 'short') {
             // Short URLs carry the page key in the third URI segment.
             $page = self::get_page_by_short_url(self::$ci->uri->segment(3));
         } else {
             // Requested entity: page or article
             $entity = self::get_entity();
             // Article: its page id is the second-to-last id of path_ids.
             if (!empty($entity['type']) && $entity['type'] == 'article') {
                 $paths = explode('/', $entity['path_ids']);
                 // NOTE(review): assumes path_ids has at least two segments; a single
                 // segment would index offset -1 here — confirm upstream guarantees this.
                 $id_page = $paths[count($paths) - 2];
                 $page = self::get_page_by_id($id_page);
             } else {
                 // Special URI (e.g. a recognised prefix): resolve the page by its path.
                 if (!is_null(self::get_special_uri_array())) {
                     $uri = self::get_page_path_from_special_uri();
                     if ($uri == '') {
                         $page = self::get_home_page();
                     } else {
                         $page = self::get_page_by_url($uri);
                     }
                 } else {
                     // Plain page entity, or a module-provided page when no entity id exists.
                     if (!empty($entity['id_entity'])) {
                         $page = self::get_page_by_id($entity['id_entity']);
                     } else {
                         $page = self::get_module_page();
                     }
                 }
             }
         }
     }
     if (is_null($page) or empty($page)) {
         // Nothing resolved: fall back to the '404' page and emit a 404 status.
         $page = self::get_page_by_code('404');
         self::set_400_output(404);
     } else {
         // Authorisation: a page the user cannot access is replaced by its deny page
         // (whatever page is registered under deny_code) and that status is emitted.
         $resource = 'frontend/page/' . $page['id_page'];
         if (Authority::cannot('access', $resource, NULL, TRUE)) {
             $http_code = $page['deny_code'];
             $page = self::get_page_by_code($page['deny_code']);
             self::set_400_output($http_code);
         }
     }
     // Mark this entry as the current page. NOTE(review): if get_page_by_code()
     // returned NULL above, this turns $page into a one-key array instead of
     // signalling the miss — confirm that is intended.
     $page['__current__'] = TRUE;
     return $page;
 }
Пример #4
 /**
  * Builds the option list for the "parent page" select dropdown.
  *
  * Reads from $_POST:
  * - id_menu        : Menu ID whose pages are listed
  * - id_current     : Current page ID (handed to the structure helper)
  * - id_parent      : Parent page ID to pre-select
  * - element_id     : passed through to the view unchanged
  * - check_add_page : when truthy, parents the current user may not 'add_page'
  *                    under are removed from the list
  *
  * NOTE(review): check_add_page is client-supplied, so the Authority filtering
  * below only runs when the request asks for it. That is acceptable only if the
  * endpoint that actually creates the page enforces 'add_page' itself; this list
  * is a UI convenience, not a security boundary.
  *
  * @returns	string	HTML string of options items
  */
 public function get_parents_select()
 {
     $input = $this->input;
     $id_menu = $input->post('id_menu');
     $id_current = $input->post('id_current');
     $id_parent = $input->post('id_parent');
     $element_id = $input->post('element_id');
     $check_add_page = $input->post('check_add_page');

     $pages = $this->page_model->get_lang_list(array('id_menu' => $id_menu), Settings::get_lang('default'));

     // Root ("/") is always offered first, followed by the menu's candidate parents, if any.
     $options = array('0' => '/');
     $candidates = $this->structure->get_parent_select($pages, $id_current);
     if ($candidates) {
         $options += $candidates;
     }

     // Optionally drop the parents the user is not allowed to add a page under.
     if ($check_add_page) {
         foreach (array_keys($options) as $id_page) {
             if (Authority::cannot('add_page', 'backend/page/' . $id_page, NULL, TRUE)) {
                 unset($options[$id_page]);
             }
         }
     }

     $this->template['pages'] = $options;
     $this->template['id_selected'] = $id_parent;
     $this->template['element_id'] = $element_id;
     $this->output('page/parent_select');
 }
Пример #5
require __DIR__ . DS . 'helpers' . EXT;
// --------------------------------------------------------------
// Load bundles
// --------------------------------------------------------------
// NOTE(review): the dbmanager bundle is not started here, yet DBManager::$hidden
// is assigned further down in this file — confirm the bundle is started
// elsewhere (or autoloaded) before that line runs.
//Bundle::start('thirdparty_dbmanager');
Bundle::start('thirdparty_bootsparks');
// --------------------------------------------------------------
// Load namespaces
// --------------------------------------------------------------
// Map the Domain\ namespace onto this directory for autoloading.
Autoloader::namespaces(array('Domain' => __DIR__));
// --------------------------------------------------------------
// Filters
// --------------------------------------------------------------
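// Deny unless the current user may perform the action named by the first route
// parameter on $resource (the filter argument, e.g. 'authority:product').
Route::filter('authority', function ($resource) {
    $params = Request::$route->parameters;
    if (!isset($params['0'])) {
        // Fail closed: with no action parameter there is nothing to authorise
        // against, so do not fall through to Authority with a NULL action.
        return Response::make('', 403);
    }
    $action = $params['0'];
    if (Authority::cannot($action, $resource)) {
        // Authorisation (not authentication) failure: 403, matching the other
        // permission filters on this page; 401 would imply a missing credential.
        return Response::make('', 403);
    }
});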
// Require an authenticated user.
// NOTE(review): Redirect::make('', 401) presumably sends a 401 whose Location
// header points at the site root; browsers do not follow a 401, so unauthenticated
// users get a blank 401 page rather than a login form — confirm whether a real
// redirect to the login route (302) was intended, and whether API clients rely on
// the 401.
Route::filter('auth', function () {
    if (Auth::guest()) {
        return Redirect::make('', 401);
    }
});
// --------------------------------------------------------------
// Setting system tables
// --------------------------------------------------------------
// Presumably the list of tables DBManager must keep out of view; taken from
// the domain::dbmanager.hidden config (verify against the DBManager bundle).
DBManager::$hidden = Config::get('domain::dbmanager.hidden');
// API version read from config; its use is not within this excerpt.
$api_version = Config::get('layla.domain.api.version');
// --------------------------------------------------------------
// Map the Base Controller
Пример #6
 /**
  * Guards a resource that has an Authority rule attached.
  *
  * Resources without any rule are not checked at all and are reported as
  * accessible — note that this is fail-open for unconfigured resources, by the
  * design of this helper. When a rule exists and the user cannot 'access' the
  * resource, the deny view ($view, or self::$_DENY_DEFAULT_VIEW when NULL) is
  * rendered through output() unless $return is truthy, in which case only the
  * verdict is returned.
  *
  * @param string      $resource  Resource identifier checked against Authority
  * @param string|null $view      Deny view to render; NULL selects the default deny view
  * @param bool        $return    Truthy to return the verdict without rendering anything
  *
  * @return bool  TRUE when access is allowed (or the resource is unprotected), FALSE when denied
  */
 public function authority_protect($resource, $view = NULL, $return = FALSE)
 {
     // Unprotected resource: nothing to enforce.
     if (!Authority::resource_has_rule($resource)) {
         return TRUE;
     }
     // Protected and permitted.
     if (!Authority::cannot('access', $resource)) {
         return TRUE;
     }
     // Denied: render the deny view unless the caller only wants the verdict.
     if (!$return) {
         $deny_view = is_null($view) ? self::$_DENY_DEFAULT_VIEW : $view;
         $this->output($deny_view);
     }
     return FALSE;
 }
Пример #7
 /**
  * Tells whether $page may stay in a page listing for the current user.
  *
  * A page the user cannot 'access' is hidden only when it has no deny_code or its
  * deny_code is '404' (it should look non-existent); any other deny code keeps the
  * page listed, presumably so its deny page can be served for it.
  *
  * NOTE(review): the deny_code test is a strict string comparison against '404';
  * an integer 404 would not match — confirm the value is always a string here.
  *
  * @param array $page  Page row; reads 'id_page' and 'deny_code'.
  *
  * @return bool  FALSE to hide the page, TRUE to keep it.
  */
 private static function _filter_pages_authorization($page)
 {
     $denied = Authority::cannot('access', 'frontend/page/' . $page['id_page'], NULL, TRUE);
     if (!$denied) {
         return TRUE;
     }
     // Denied: hide when there is no deny code or it is the "not found" code.
     $looks_missing = empty($page['deny_code']) || $page['deny_code'] === '404';
     return !$looks_missing;
 }
Пример #8
 /**
  * Filters an article list by the current user's 'access' permission and by deny code.
  *
  * $filter_codes (comma-separated string or array, entries trimmed) selects what is
  * returned:
  * - NULL / empty     : only articles the user may access
  * - exactly ['all']  : every article, unchecked (returned as-is)
  * - 'all' plus codes : every accessible article, plus denied articles whose
  *                      deny_code is one of the codes
  * - codes only       : only denied articles whose deny_code is one of the codes
  *
  * NOTE(review): the deny_code membership test is a loose in_array(); if deny
  * codes can be numeric-looking strings, consider a strict comparison.
  *
  * @param array             $articles      Article rows; reads 'id_article' and 'deny_code'.
  * @param string|array|null $filter_codes  Deny codes to include, or 'all'.
  *
  * @return array  The selected articles, in input order.
  */
 private static function _filter_articles_authorization($articles, $filter_codes = NULL)
 {
     // Normalise the requested codes into a trimmed list.
     if (is_string($filter_codes)) {
         $filter_codes = explode(',', $filter_codes);
     }
     $codes = array();
     if (is_array($filter_codes)) {
         $codes = array_map('trim', $filter_codes);
     }

     $wants_all = in_array('all', $codes);
     // 'all' alone short-circuits every check.
     if ($wants_all && count($codes) == 1) {
         return $articles;
     }

     $selected = array();
     foreach ($articles as $article) {
         $resource = 'frontend/article/' . $article['id_article'];
         if (Authority::cannot('access', $resource, NULL, TRUE)) {
             // Denied articles are kept only when their deny code was explicitly requested.
             if (!empty($codes) && in_array($article['deny_code'], $codes)) {
                 $selected[] = $article;
             }
         } elseif ($wants_all || empty($codes)) {
             // Accessible articles are kept unless the caller asked for deny codes only.
             $selected[] = $article;
         }
     }
     return $selected;
 }
Пример #9
| requested resource item.
| Gets the resource type (e.g. User), the action (e.g. delete) and the item id from the request.
|
*/
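Route::filter('checkResourcePermission', function ($route, $request) {
    // The route name encodes "<resource>.<action>", e.g. "users.destroy".
    $routeName = explode('.', (string) Route::currentRouteName());
    if (count($routeName) < 2) {
        // Fail closed: an unnamed route (or one without an action segment) cannot be
        // mapped to a permission, so deny instead of passing a NULL action to Authority.
        return App::abort(403);
    }
    $resource = $routeName[0];
    $action = $routeName[1];
    $item = $route->parameter($resource);
    // Map Laravel resource-controller actions onto CRUD verbs with an exact-match
    // lookup. str_replace() on the action would also rewrite substrings (e.g.
    // "editor" -> "updateor") and apply replacements in sequence, so a permission
    // could end up being checked under the wrong verb.
    $crudActions = array(
        'store' => 'create',
        'show' => 'read',
        'index' => 'read',
        'edit' => 'update',
        'destroy' => 'delete',
    );
    if (isset($crudActions[$action])) {
        $action = $crudActions[$action];
    }
    // Deny unless the user may perform $action on $resource $item.
    // NOTE(review): $item is a raw route parameter echoed into the abort message;
    // make sure the error renderer escapes it for the output context.
    if (Authority::cannot($action, $resource, $item)) {
        return App::abort(403, 'You do not have permission to ' . $action . ' ' . $resource . ' ' . $item);
    }
});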
/*
|--------------------------------------------------------------------------
| Role
|--------------------------------------------------------------------------
|
| Checks if the logged in user has been assigned the specified role
|
*/
Route::filter('hasRole', function ($route, $request, $value) {
    $user = Authority::getCurrentUser();
    // If not logged in or user does not have role
    if (!Auth::check() or !$user->hasRole($value)) {