public function __invoke(MvcAuthEvent $mvcAuthEvent) { /** @var AclAuthorization $authorization */ $authorization = $mvcAuthEvent->getAuthorizationService(); $authenticaton = $mvcAuthEvent->getAuthenticationService(); /** * Regardless of how our configuration is currently through via the Apigility UI, * we want to ensure that the default rule for the service we want to give access * to a particular identity has a DENY BY DEFAULT rule. * * Naturally, if you have many versions, or many methods, you would want to build * some kind of logic to build all the possible strings, and push these into the * ACL. If this gets too cumbersome, writing an assertion would be the next best * approach. */ $authorization->deny(null, 'DbApi\\V1\\Rest\\User\\Controller::collection', 'GET'); $authorization->deny(null, 'DbApi\\V1\\Rest\\User\\Controller::entity', 'GET'); if ($authenticaton->hasIdentity() && $authenticaton->getIdentity()->getAuthenticationIdentity()) { /** @var \ZF\MvcAuth\Identity\IdentityInterface $currentUser */ $currentUser = $authenticaton->getIdentity()->getAuthenticationIdentity(); /** * Now, add the name of the identity in question as a role to the ACL */ $authorization->addRole($currentUser['user_id']); /** * Next, assign the particular privilege that this identity needs. */ $authorization->allow($currentUser['user_id'], 'DbApi\\V1\\Rest\\User\\Controller::entity', 'GET'); } }
public function authorization(MvcAuthEvent $event) { /** @var \ZF\MvcAuth\Identity\AuthenticatedIdentity $identity */ $identity = $event->getIdentity(); if (!$identity instanceof IdentityInterface || $identity instanceof GuestIdentity) { return; } $method = $event->getMvcEvent()->getRequest()->getMethod(); /** @var \ZF\MvcAuth\Authorization\AclAuthorization $authorization */ $authorization = $event->getAuthorizationService(); $sl = $event->getMvcEvent()->getApplication()->getServiceManager(); /** @var \Zend\Permissions\Acl\Assertion\AssertionInterface $resourceAssertion */ $resourceAssertion = $sl->get('Zfegg\\Admin\\MvcAuth\\Authorization\\ResourceAssertion'); if (!$authorization->hasRole($identity)) { $authorization->addRole($identity); } if (!$authorization->hasResource($event->getResource())) { $authorization->addResource($event->getResource()); } $authorization->deny($identity, $event->getResource(), $method, $resourceAssertion); }
/** * Attempt to authorize the discovered identity based on the ACLs present * * @param MvcAuthEvent $mvcAuthEvent * @void */ public function __invoke(MvcAuthEvent $mvcAuthEvent) { $imageService = $this->getServiceLocator()->get('AqilixAPI\\Image\\Service\\Image'); $authService = $mvcAuthEvent->getAuthorizationService(); $config = $this->getServiceLocator()->get('Config')['authorization']; $imageService->setUser($this->getServiceLocator()->get('image.authenticated.user')); $identity = $mvcAuthEvent->getIdentity(); if ($identity instanceof \ZF\MvcAuth\Identity\GuestIdentity) { return; } // resource:method $requestedResource = $mvcAuthEvent->getResource() . ':' . $mvcAuthEvent->getMvcEvent()->getRequest()->getMethod(); foreach ($config['scopes'] as $scope => $scopeConfig) { $resource = $scopeConfig['resource'] . ':' . $scopeConfig['method']; // if authorization resource equals to requested resource if ($resource == $requestedResource) { // check scope in identity if (!in_array($scope, explode(' ', $identity->getAuthenticationIdentity()['scope']))) { return $mvcAuthEvent->getMvcEvent()->getResponse()->setStatusCode(401); } } } }
public function testGetAuthorizationService() { $this->assertInstanceOf('Zend\\Permissions\\Acl\\Acl', $this->mvcAuthEvent->getAuthorizationService()); }