/** * Called before teh disptach loop gets processed. * * This callback allows for proxy or filter behavior. By altering the * request and resetting its dispatched flag (via * {@link Zend_Controller_Request_Abstract::setDispatched() setDispatched(false)}), * the current action may be skipped. * * The method checks for an authenticated user. It does also compare the * authToken property of teh user with the auth_token field in the db - if the * authToken is set in the db and does not equal to the authToken in the session, * then it is assumed that another user has signed in with the same credentials, and * the user's current session will be invalidated. * * @param Zend_Controller_Request_Abstract $request * @return void */ public function dispatchLoopStartup(Zend_Controller_Request_Abstract $request) { // check here if the user's authentity is already set if (!$this->auth->hasIdentity()) { /** * @see Conjoon_Keys */ require_once 'Conjoon/Keys.php'; if (isset($_COOKIE[Conjoon_Keys::COOKIE_REMEMBERME_UNAME]) && isset($_COOKIE[Conjoon_Keys::COOKIE_REMEMBERME_TOKEN])) { /** * @see Conjoon_Auth_Adapter_Db */ require_once 'Conjoon/Auth/Adapter/Db.php'; $authAdapter = new Conjoon_Auth_Adapter_Db(array('cookie' => array('name' => $_COOKIE[Conjoon_Keys::COOKIE_REMEMBERME_UNAME], 'remember_me_token' => $_COOKIE[Conjoon_Keys::COOKIE_REMEMBERME_TOKEN]))); // if the result is valid, the return value of the adapter will // be stored automatically in the supplied storage object // from the auth object $this->auth->authenticate($authAdapter); } } if ($this->auth->hasIdentity()) { // identity is set. Now check for auth token equality $currentUser = $this->auth->getIdentity(); /** * @see Conjoon_BeanContext_Decorator */ require_once 'Conjoon/BeanContext/Decorator.php'; /** * @see Conjoon_Modules_Default_User_Model_User */ require_once 'Conjoon/Modules/Default/User/Model/User.php'; $decorator = new Conjoon_BeanContext_Decorator(new Conjoon_Modules_Default_User_Model_User()); $tokenedUser = $decorator->getUserAsDto($currentUser->getId()); // check whether the token in the DB equals to the token in the session if ($tokenedUser->authToken != $currentUser->getAuthToken()) { // the application needs to query the registry. That's okay since no secret data will // be transported if the registry sees that there's no login if ($request->action == 'get.entries' && $request->controller == 'registry' && $request->module == 'default') { return; } // user wants to log out - this is needed to sign in again since the // active session will prevent from continue with using the app if ($request->action == 'logout' && $request->controller == 'reception' && $request->module == 'default') { return; } // does not equal - someone has logged in currently // with the same user credentials. // redirect to appropriate controller action $request->setModuleName('default'); $request->setControllerName('reception'); $request->setActionName('auth.token.failure'); } return; } // the user wants to login and requested the login controller's process // action. Let him pass! if ($request->action == 'process' && $request->controller == 'reception' && $request->module == 'default') { return; } // user wants to log out - okay if ($request->action == 'logout' && $request->controller == 'reception' && $request->module == 'default') { return; } // resource not available. if ($request->action == 'resource.not.available' && $request->controller == 'index' && $request->module == 'default') { return; } // the application needs to query the registry. That's okay since no secret data will // be transported if the registry sees that there's no login if ($request->action == 'get.entries' && $request->controller == 'registry' && $request->module == 'default') { return; } // anything other means the user is not logged in $request->setModuleName('default')->setControllerName('reception')->setActionName('index')->setDispatched(false); }