/**
 * Runs every security check that must pass before a controller method is
 * invoked. Which checks apply is derived from the annotations on the target
 * method (PublicPage, NoAdminRequired, NoCSRFRequired); a method carrying
 * none of them is treated as requiring a logged-in admin user and a passing
 * CSRF check, i.e. the default is deny.
 * @param string|Controller $controller the controller instance or its name
 * @param string $methodName the name of the method about to be invoked
 * @throws SecurityException when a security check fails; the HTTP status
 *         carried by the exception identifies which check rejected the request
 */
public function beforeController($controller, $methodName) {
    // the security annotations are read from the method's doc comment
    $annotations = new MethodAnnotationReader($controller, $methodName);

    // mark this app's navigation entry as active; this is only meaningful
    // for normal HTML requests, not for AJAX requests
    $navigation = $this->app->getServer()->getNavigationManager();
    $navigation->setActiveEntry($this->app->getAppName());

    // authentication and authorization: skipped entirely for public pages
    if (!$annotations->hasAnnotation('PublicPage')) {
        if (!$this->app->isLoggedIn()) {
            throw new SecurityException('Current user is not logged in', Http::STATUS_UNAUTHORIZED);
        }
        // admin rights are required unless the method explicitly opts out
        if (!$annotations->hasAnnotation('NoAdminRequired') && !$this->app->isAdminUser()) {
            throw new SecurityException('Logged in user must be an admin', Http::STATUS_FORBIDDEN);
        }
    }

    // the CSRF check is independent of PublicPage: a public endpoint still
    // needs a valid token unless it opts out with NoCSRFRequired
    if (!$annotations->hasAnnotation('NoCSRFRequired') && !$this->request->passesCSRFCheck()) {
        throw new SecurityException('CSRF check failed', Http::STATUS_PRECONDITION_FAILED);
    }
}