/**
* This runs all the security checks before a method call. The
* security checks are determined by inspecting the controller method
* annotations
* @param string/Controller $controller the controllername or string
* @param string $methodName the name of the method
* @throws SecurityException when a security check fails
*/
public function beforeController($controller, $methodName)
{
// get annotations from comments
$annotationReader = new MethodAnnotationReader($controller, $methodName);
// this will set the current navigation entry of the app, use this only
// for normal HTML requests and not for AJAX requests
$this->app->getServer()->getNavigationManager()->setActiveEntry($this->app->getAppName());
// security checks
$isPublicPage = $annotationReader->hasAnnotation('PublicPage');
if (!$isPublicPage) {
if (!$this->app->isLoggedIn()) {
throw new SecurityException('Current user is not logged in', Http::STATUS_UNAUTHORIZED);
}
if (!$annotationReader->hasAnnotation('NoAdminRequired')) {
if (!$this->app->isAdminUser()) {
throw new SecurityException('Logged in user must be an admin', Http::STATUS_FORBIDDEN);
}
}
}
if (!$annotationReader->hasAnnotation('NoCSRFRequired')) {
if (!$this->request->passesCSRFCheck()) {
throw new SecurityException('CSRF check failed', Http::STATUS_PRECONDITION_FAILED);
}
}
}
