Get rule list in zend acl - zend-framework

I'm working with zend framework 2. In there I can Get resource list of acl as getResources();
like this method how to get rule list in the acl in zend framework 2?

Looking at the Acl.php file in ZF2 repository in Github, I guess you should be able to call the function below to get the list of rules associated with a Resource and a Role:
protected function &getRules(Resource\ResourceInterface $resource = null, Role\RoleInterface $role = null, $create = false)
{
}
This is what they have written above the function:
Returns the rules associated with a Resource and a Role, or null if no such rules exist
If either $resource or $role is null, this means that the rules returned are for all Resources or all Roles, respectively. Both can be null to return the default rule set for all Resources and all Roles.
If the $create parameter is true, then a rule set is first created and then returned to the caller.
However, although it's not clear what you want to achieve here, I personally don't find it a good idea to work with the list of rules. You should only play with the roles and let the system take care of the rules. For example in ZF2, as mentioned in their documentation:
Roles can inherit from other existing roles without having to be assigned with some rules directly.
You can read more about the roles in ZF2 and how to implement them here.

Related

Call to undefined method Illuminate\Database\Query\Builder::with() when retrieving orders with providers and services

I am trying to retrieve orders with their service names and provider names all which are in a many to many relationship.
Additionally, I want to use joins to get the client, name.
I have thus used the code bellow
$orders = DB::table('orders')
->join('users', 'orders.user', 'users.id')
->select('users.name As client', 'orders.id', 'orders.amount As amount','orders.description As description', 'orders.status As status')
->with('providers')
->with('services')
->where(['orders.status'=>1])
->get();
In the Order model class, I have implemented the relationships as follows
public function providers()
{
return $this->belongsToMany(ServiceProvider::class)
->as('provider');
}
public function services()
{
return $this->belongsToMany(Service::class)
->as('service');
}
With this I am expecting to retrieve each order with all the services and providers related to it and since I have a foreign key user linking orders to users table, I have used joins to get the name of the user who placed the order as client. Now my problem is that this is not working and is giving the error above. Does this mean that the with() method does not exist in database query builder? if so what method can I use with database query builder to achieve this? Incase there is none, how can I use eloquent ORM to achieve the same purpose?
When you use the DB::table() method, you are not using your Models, so the ->with() method, which is used to include Relationships is not available. To handle this, please use your Models:
$orders = Order::join('users', 'orders.user', 'users.id')
->select('users.name As client', 'orders.id', 'orders.amount As amount','orders.description As description', 'orders.status As status')
->with(['providers', 'services'])
->where('orders.status', 1)
->get();
Additional fixes:
The ->with() method can accept an Array of relationships to include:
->with('providers')->with('services') can be written as ->with(['providers', 'services'])
The where() method can accept an array for multiple where clauses, but is unnecessary for a single where clause:
->where(['orders.status'=>1]) is the same as ->where('orders.status', 1)

Is there a way to setup a field-level authorisation on FaunaDB + GraphQL?

I'm having troubles finding a way to hide user emails from everyone, except the owner (user has access to only his email). Is there a way to hide a certain document field, for a certain roles?
Here is an example I found that creates a role with dynamic access to the whole User collection:
CreateRole({
name: "tier1_role",
membership: {
resource: Collection("User"),
predicate: Query(
Lambda("userRef",
// User attribute based rule:
// It grants access only if the User has TIER1 role.
// If so, further rules specified in the privileges
// section are applied next.
Equals(Select(["data", "role"], Get(Var("userRef"))), "TIER1")
)
)
},
privileges: [
{
// Note: 'allUsers' Index is used to retrieve the
// documents from the File collection. Therefore,
// read access to the Index is required here as well.
resource: Index("allUsers"),
actions: { read: true }
}
]
})
I tried to change it a bit, but I wasn't able to set up field-level access.
Let's say I'd set up FaunaDB with GraphQL schema below.
enum UserRole {
TIER1
}
type User {
email: String! #unique
username: String! #unique
role: UserRole!
}
type Query {
allUsers: [User!]
}
type Mutation {
addUsers(new_users: [UserInput]): [User]
#resolver(name: "add_users", paginated: false)
}
How do create a FaunaDB role in such a way that all of the users (except the current one) in resulting array from allUsers query, will not have email field?
I could break User collection into two: one is public, the other is accessible to a document owner, but this sounds wrong.
I'm new to the noSQL concept, so maybe I'm looking at this problem from the wrong perspective?
it's a request that came up a few times. You probably want to do this straight in FaunaDB's ABAC role system but although it provides row-level security, hiding a specific field is currently not provided yet. The feedback has been logged though, we will look into it.
The current way to do this is to split out Users from Accounts and fetch Users instead of Accounts. It would be useful to have something like hidden fields though in the future.
If you think of it, in this case, it does make sense to split authentication information from User information. You never know that you might offer another way to authentication in the future. I still recall from the Phoenix Framework book that they do it there was well and considered it a good practice.
You could also make a thin wrapper using Apollo in a serverless function and filter out these fields when you pass through the results. There is a guide that explains how to build such a thin Apollo middleware that just delegates to FaunaDB https://www.gatlin.io/blog/post/social-login-with-faunadb-and-auth0

Zend Navigation Multiple ACL roles

I am trying to create an ACL where users may have different roles in different departments.
The user is given a role in the form of role::guest or role::user depending if they are logged in. This is their userRole. (There is also a role::superuser that has access to all departments).
I have also added departmental roles to the ACL in the form of department::role (Eg. bookings::user). This is their departmentRole.
The users departmental roles are stored in the Zend_Auth identity.
The access control part works by extending Zend_Acl and over-riding the isAllowed function.
This successfully allows or denys each user.
public function isAllowed($role = null, $resource = null, $privilege = null)
{
$identity = Zend_Auth::getInstance()->getIdentity();
$userRole = $identity->role;
$departmentRoles = $identity->departmentRoles;
if (parent::isAllowed($userRole, $resource, $privilege))
{
return parent::isAllowed($userRole, $resource, $privilege);
}
else {
foreach ($departmentRoles as $departmentRole)
{
if(parent::isAllowed($departmentRole, $resource, $privilege))
{
return true;
}
}
}
return false;
}
The problem I am having is that Zend_Navigation requires an instance of the Acl and a single user role. My view script which builds the navigation menu uses $this->navigation()->accept($page) which only validates against the single user role.
How can I have multiple Acl roles for each user and have Zend_Navigation display menu items that they have access to?
If there is a better / different / correct approach to this please share.
Thanks
EDIT:
The fact that this approach meant over riding a core function in isAllowed() got me thinking this can't be the correct way to do this.
Now, in my ACL model I fetch all users, departments and associations and loop through creating an array for each user made up of their various roles within their relevant departments. I then create one role for each user and inherit the roles in the array previously created.
This is working well up to now and also means I can also add the users as resources and allow the relevant admin and department managers rights to amend their details etc.
It also means that I can pass a single role to Zend_Navigation and the menu structure should be relevant to their department roles.
IMHO having multiple ACL roles for single user looks like anti-pattern. Zend_Navigation rules are binded to (multiple) resources for single role which makes perferct sense.
What are your constraints that forbids you to allow resources for your (department) roles?
You can always use inheritance for your ACL roles.
If you prefer having multiple roles for single user, you might need to have separate ACL rules.
Zend_View_Helper_Navigation_HelperAbstract::setDefaultAcl($acl);
Zend_View_Helper_Navigation_HelperAbstract::setDefaultRole($role);

In Tastypie is there a way to change a resources excludes based on the authentication?

Consider the example of a user resource that has profile pic and email fields. Where any user may see any other users profile pic but a user may only see their own email address.
Is it possible to setup tastypie so that the set of excluded fields can be varied based on the authenticated user?
I realize that an alternative approach is to create separate full and restricted user resources. But for the moment I just want to know whether the approach of limiting the fields based on user authentication is even doable in tastypie.
Also it doesn't have to be the excludes, in the same vein is there a way instead to change the fields property based on the requesting user?
I dont think excluded fields can be brought back into the picture in an elegant fashion. You could probably manipulate the object list based on the request using some object manipulation by including the get_object_list in your resource
But it would be much better and more logical for you to use the apply_limits method in your custom authorization class.
Yes there is a way to do it.
If you define email to be a separate field, not the one of the User(might work and with that but never did it).
You can define dehydrate_email where the bundle.request contains the current request and you could get it. It won't be exactly excluded as a field but it will be None for others.
I created a ModelResource subclass that can be multiple inherited into the required ModelResource instances. Like:
class ResourceThatNeedsToExcludeSomeFields(ExcludeResource, ModelResource):
pass
It takes in the fields to be excluded via GET parameters (like "&exclude=username")
class ExcludeResource(ModelResource):
"""
Generic class to implement exclusion of fields in all the ModelResource classes
All ModelResource classes will be muliple inherited by this class, whose dehydrate method has been overriden
"""
# STACK: How to exclude some fields from a resource list created by tastypie?
def dehydrate(self, bundle):
# I was taking the exclude fields from get paramaters as a comma separated value
if bundle.request.GET.get('exclude'):
exclude_fields = bundle.request.GET.get('exclude').split(',')
for field in exclude_fields:
if str(field) in bundle.data.keys():
del bundle.data[str(field)]
return bundle
You can modify this to get the exclude fields based on user group (or whatever criteria you base the fields on) like this:
class ExcludeResource(ModelResource):
"""
Generic class to implement exclusion of fields in all the ModelResource classes
All ModelResource classes will be muliple inherited by this class, whose dehydrate method has been overriden
"""
# STACK: How to exclude some fields from a resource list created by tastypie?
def dehydrate(self, bundle):
exclude_fields = <get a comma separated list of fields to be excluded based in bundle.request.user>
for field in exclude_fields:
if str(field) in bundle.data.keys():
del bundle.data[str(field)]
return bundle
However, this snippet will not work for related resources specified with "full=True"

Preceding any database access with specific command in CakePHP

I'm new to CakePHP and using version 1.3.
How can I dynamically change the 'schema' property as found in DATABASE_CONFIG prior to any database operation? What is the class where I could have the postgres-specific command "set search_path to 'schema_xyz'" executed before any database interaction?
I want to use Postgres' ability to maintain multiple distinct namespaces (aka schema in postgres parlance) within a single database to implement multi-tenancy in my application. That is, every namespace will contain the same set of tables, but evidently with different content. Here, it's important not to understand schema as meaning table metadata, but rather as the postgres-specific concept of namespace where a schema is a container for tables. The exact Postgres command isn't important. What is, is the mechanism by which it can be invoked, and steering clear of Cake's typical meaning of table description, as seen in the SchemaShell. The only place I have found where Cake exposes the concept of namespace is in the database.php file, which is then used when the DB connection is first established. See: api13.cakephp.org/view_source/dbo-postgres/#line-113 (new user link limit, sorry)
if ($this->connection) {
$this->connected = true;
$this->_execute("SET search_path TO " . $config['schema']);
I want to set that search_path before ALL DB queries, not just at connection time as is currently done.
As a proof of concept, I have tried setting $useDbConfig in my models, but according to the debug output where the SQL commands are printed, this only seems to affect a subset of all queries. I've moved this up into app_model.php with the same result. As did augmenting that with creating a db_config instance on the fly and passing to the ConnectionManager through loadDataSource. Maybe I should slap that code in all flavors of before... methods.
I have seen many posts online where people discuss using one of several DB configurations in database.php to use different databases for dev, lab and production environments. But I have a single database with multiple namespaces/schemas. Also, my number of such namespaces will be too high and dynamic to make hardcoding a new variable in database.php practical.
Thus, where is the spot in CakePHP where I could insert something to set the search_path prior to any database command? I'll deal with optimizing that later. Remember that I'm new to Cake, so try to be as specific as you can. Let me know if I can clarify this question.
Thanks in advance. Here's the partially working code snippet:
class AppModel extends Model {
function beforeFind($queryData)
{
App::import("ConnectionManager");
$cm = &ConnectionManager::getInstance();
$namespace = 'xyz_namespace'; //name of the new schema/namespace/search path
$new_db_config_name = 'new_config'; //name for the new DB config to be used in the ConnectionManager
$new_db_config = $cm->config->default; //copy the 'default' DB config into an array
$new_db_config['schema'] = $namespace; //change/add the new schema/namespace/search path
$cm->create($new_db_config_name, $new_db_config); //turn the array into a DbConfig object
$cm->loadDataSource($new_db_config_name); //load the new DbConfig into the ConnectionManager
$this->useDbConfig = $new_db_config_name; //tell the model to new use the Db Config
return $queryData;
}
}
There is a very simple way in PostgreSQL if you want to switch schema per login role:
ALTER ROLE foo SET search_path=bar, public;
ALTER ROLE baz SET search_path=bam, public;
Thus a connection initiated by that role has that search_path set automatically.
If your login names are the same as the desired schema names, there is an even simpler way, I quote the fine manual:
If one of the list items is the special value $user, then the schema
having the name returned by SESSION_USER is substituted, if there is
such a schema. (If not, $user is ignored.)
But be advised that - the fine manual again:
Role-specific variable settings take effect only at login; SET ROLE
and SET SESSION AUTHORIZATION do not process role-specific variable
settings.
If I understand your question correctly, (bear with me, I know little about Postgres but basically I think you mean, reloading the schema whenever the table perspective changes?), here's how to dynamically switch schemas in your controller:
// Model::getDataSource()->configKeyName holds whichever db config you're using
if ($this->Model->getDataSource()->configKeyName != 'default') {
// do something...
$this->loadModel("Special")
$this->Model->table = "extras";
$this->Model->schema(true);
} else {
// predictably, Model::setDataSource($configKey) changes configs
$this->Model->setDataSource("offsite"); // this could be a string variable
}
Or from the model, $this->getDataSource()->configKeyName and $this->schema(true) and so forth. Note $this->schema(true) actually reloads the model schema and registers it with cake. app_model, a component, or config/bootstrap might be an appropriate place for this. I'm not sure where Cake would have defined the search_path the first time, but it would almost certainly be a property of the dataSource object and could be redefined there just like the table name, etc. And then reload Cake's schema to register the changed path. It is necessary to ensure Cake unloads any default it may have picked up, and load the correct schema based on the currently defined table. (It sounds like this may have been the only step you were missing.)
If this does not answer your question or if I misunderstood, let me know. HTH. :)