I have a bugs, actually it is error this is notice but still, I would like to fix it;
When I am try to access pages with null role, it is showing this messages:
Notice: Trying to get property of non-object in C:\Zend\Apache2\htdocs\hotelrwanda\application\plugin\AccessCheck.php on line 18
How can get it fixed here is my script:
public function preDispatch(Zend_Controller_Request_Abstract $request) {
$resource = $request->getControllerName();
$action = $request->getActionName();
$identity = $this->_auth->getStorage()->read();
$role = $identity->role;
if(!$this->_acl->isAllowed($role, $resource, $action)){
$request->setControllerName('users')
->setActionName('login');
}
}
Line: 18 is this line :$role = $identity->role;
public function preDispatch(Zend_Controller_Request_Abstract $request) {
$resource = $request->getControllerName();
$action = $request->getActionName();
$role = 'guest'; //your default role
if(Zend_Auth::getInstance()->hasIdentity())
{
$role = Zend_Auth::getInstance()->getIdentity()->role;
}
if(!$this->_acl->isAllowed($role, $resource, $action)){
$request->setControllerName('users')
->setActionName('login');
}
}
Here 'guest' is acting as default role . You can name it anything you like but make sure to add this role in your acl and give permission to this role accordingly .
Related
I'm working on a API. To give User Access - for example by smartphone - I need to login users by rest.
Is there an existing module available? Actually, I'm using fosUserBundle. Maybe there is a possibility to get those two bundle work together?
The Users which will login by rest are already existing as "normal" fos users.
It would be grest if you could gomme some links, tips or hints cause I'm searching and searching and searching and for the reason that I am new in symfony it's not that easy :):)
rgrds
I use FOSUserBundle for login since a smartphone by the API.
APIBundle/Controller/UserController.php (the default route is /api)
/**
* #Post("/user/login")
* #Template(engine="serializer")
*/
public function loginAction()
{
$request = $this->get('request');
$username = $request->request->get('username');
$password = $request->request->get('password');
return $this->container->get('myproject_user.user_service')
->login($username, $password);
}
in this method, I call a personal service who manage the user's functions. (UserHandler.php)
UserBundle/Handler/UserHandler.php
class UserHandler implements UserHandlerInterface
{
private $om;
private $entityClass;
private $repository;
private $container;
private $manager;
public function __construct(ObjectManager $om, Container $container, $entityClass)
{
$this->om = $om;
$this->entityClass = $entityClass;
$this->repository = $this->om->getRepository($this->entityClass);
$this->container = $container;
$this->manager = $this->container->get('fos_user.user_manager');
}
public function login($username, $password)
{
$jsonErrorCreator = $this->container->get('myproject_api.create_error_json');
$code = 0;
// check the arguments here.
$user = $this->manager->findUserByUsername($username);
if($user === null) $user = $this->manager->findUserByEmail($username);
if($user === null)
{
$code = 224;
return ($jsonErrorCreator->createErrorJson($code, $username));
}
// check the user password
if($this->checkUserPassword($user, $password) === false)
{
$code = 225;
return ($jsonErrorCreator->createErrorJson($code, null));
}
// log the user
$this->loginUser($user);
$jsonCreator = $this->container->get('myproject_api.create_json');
$response = $jsonCreator->createJson(array('success'=>true, 'user'=>$user));
return $response;
}
protected function loginUser(User $user)
{
$security = $this->container->get('security.context');
$providerKey = $this->container->getParameter('fos_user.firewall_name');
$roles = $user->getRoles();
$token = new UsernamePasswordToken($user, null, $providerKey, $roles);
$security->setToken($token);
}
protected function checkUserPassword(User $user, $password)
{
$factory = $this->container->get('security.encoder_factory');
$encoder = $factory->getEncoder($user);
if(!$encoder)
return false;
return $encoder->isPasswordValid($user->getPassword(), $password, $user->getSalt());
}
}
UserBundle/Handler/UserHandlerInterface.php
Interface UserHandlerInterface
{
public function login($username, $password);
}
Don't forget to declare your service !
UserBundle/Resources/config/services.yml
myproject_user.user_service:
class: %myproject_user.user_handler.class%
arguments: [ #doctrine.orm.entity_manager, #service_container, %fos_user.model.user.class%]
You can now login with your smartphone at the adresse api/user/login
I think I got the solution:
http://symfony.com/doc/current/cookbook/security/custom_authentication_provider.html
This seems pretty nice to me and paired with Guras inputit should work as well.
We are trying to use FOSUserBundle and HWIOAuthBundle together in the way like it's described there https://gist.github.com/danvbe/4476697
The only difference is that we are using mongodb. This error is fired:
User provider "wf\UserBundle\Document\FOSUBUserProvider" must implement "Symfony\Component\Security\Core\User\UserProviderInterface"
the FOSUBUserProvider is picked from this sample (the src is below). Is not it supposed that HWI\Bundle\OAuthBundle\Security\Core\User\FOSUBUserProvider implements Symfony\Component\Security\Core\User\UserProviderInterface ?
<?php
namespace wf\UserBundle\Document;
use Symfony\Component\Security\Core\User\UserInterface;
use HWI\Bundle\OAuthBundle\OAuth\Response\UserResponseInterface;
use HWI\Bundle\OAuthBundle\Security\Core\User\FOSUBUserProvider as BaseFOSUBUserProvider;
class FOSUBUserProvider extends BaseFOSUBUserProvider
{
/**
* {#inheritDoc}
*/
public function connect(UserInterface $user, UserResponseInterface $response)
{
$property = $this->getProperty($response);
$username = $response->getUsername();
//on connect - get the access token and the user ID
$service = $response->getResourceOwner()->getName();
$setter = 'set'.ucfirst($service);
$setter_id = $setter.'Id';
$setter_token = $setter.'AccessToken';
//we "disconnect" previously connected users
if (null !== $previousUser = $this->userManager->findUserBy(array($property => $username))) {
$previousUser->$setter_id(null);
$previousUser->$setter_token(null);
$this->userManager->updateUser($previousUser);
}
//we connect current user
$user->$setter_id($username);
$user->$setter_token($response->getAccessToken());
$this->userManager->updateUser($user);
}
/**
* {#inheritdoc}
*/
public function loadUserByOAuthUserResponse(UserResponseInterface $response)
{
$username = $response->getUsername();
$user = $this->userManager->findUserBy(array($this->getProperty($response) => $username));
//when the user is registrating
if (null === $user) {
$service = $response->getResourceOwner()->getName();
$setter = 'set'.ucfirst($service);
$setter_id = $setter.'Id';
$setter_token = $setter.'AccessToken';
// create new user here
$user = $this->userManager->createUser();
$user->$setter_id($username);
$user->$setter_token($response->getAccessToken());
//I have set all requested data with the user's username
//modify here with relevant data
$user->setUsername($username);
$user->setEmail($username);
$user->setPassword($username);
$user->setEnabled(true);
$this->userManager->updateUser($user);
return $user;
}
//if user exists - go with the HWIOAuth way
$user = parent::loadUserByOAuthUserResponse($response);
$serviceName = $response->getResourceOwner()->getName();
$setter = 'set' . ucfirst($serviceName) . 'AccessToken';
//update access token
$user->$setter($response->getAccessToken());
return $user;
}
}
FOSUBUserProvider implements AccountConnectorInterface and OAuthAwareUserProviderInterface which are both interfaces so it not possible that they implement UserProviderInterface.
Checking docs in hwioauthbundle I found that OAuthUserProvider is the class that implements UserProviderInterface.
https://github.com/hwi/HWIOAuthBundle/blob/master/Security/Core/User/OAuthUserProvider.php
Using
providers:
fos_userbundle:
id: fos_user.user_manager
in 'security.yml' instead of (custom)
providers:
wf_hwi_provider:
id: wf_user.fos_user_provider
does it
I have created Zend_ACL with three roles :'administrator, guest, *edito*r'. I want guest cannot access /album/index after login. Administrator, editor can access /album/index. All other pages are accessible by all.
I created the access list below with Acl.php in helper.
/library/My/Helper/Acl.php:
public function __construct() {
$this->acl = new Zend_Acl();
}
public function setRoles() {
$this->acl->addRole(new Zend_Acl_Role('guest'));
$this->acl->addRole(new Zend_Acl_Role('editor'));
$this->acl->addRole(new Zend_Acl_Role('administrator'));
}
public function setResource () {
$this->acl->add(new Zend_Acl_Resource('album::index'));
$this->acl->add(new Zend_Acl_Resource('album::add'));
$this->acl->add(new Zend_Acl_Resource('album::edit'));
$this->acl->add(new Zend_Acl_Resource('album::delete'));
$this->acl->add(new Zend_Acl_Resource('auth::index'));
$this->acl->add(new Zend_Acl_Resource('auth::logout'));
$this->acl->add(new Zend_Acl_Resource('error::error'));
}
public function setPrivilages() {
$allowEditorAdmin=array('administrator','editor');
$allowAll=array('administrator','guest','editor');
$this->acl->allow($allowEditorAdmin,'album::index');
$this->acl->allow($allowAll,'album::add');
$this->acl->allow($allowAll,'album::edit');
$this->acl->allow($allowAll,'album::delete');
$this->acl->allow($allowAll,'auth::index');
$this->acl->allow($allowAll,'auth::logout');
$this->acl->allow($allowAll,'error::error');
Then, I create a plugin Acl.php
public function preDispatch(Zend_Controller_Request_Abstract $request) {
$acl1 = new My_Controller_Helper_Acl();
$acl = Zend_Registry::get('acl');
$userNs = new Zend_Session_Namespace('members');
if($userNs->userType=='')
{
$roleName='guest';
}
else
$roleName=$userNs->userType;
if(!$acl->isAllowed($roleName,$request->getControllerName()."::".$request->getActionname()))
{
echo $request->getControllerName()."::".$request->getActionName();
$request->setControllerName('auth');
$request->setActionName('index');
}
else
echo "got authenticated";
}
The problem is my code "isallowed" not work correctly. The 'guest,editor,administrator' cannot access to /album/index after authenticate successfully. They redirect to /auth/index
if(!$acl->isAllowed($roleName,$request->getControllerName()."::".$request->getActionname()))
{
echo $request->getControllerName()."::".$request->getActionName();
$request->setControllerName('auth');
$request->setActionName('index');
}
else
echo "got authenticated";
}
As far as I can tell, You are using 2 different ACL instances, and never set up the appropriate ACL in the first place. I can share a bit of my own code, that does almost the same thing:
In Bootstrap.php
$this->_acl = new Model_AuthAcl();
//Check for access rights
$fc = Zend_Controller_Front::getInstance();
$fc->registerPlugin(new App_Plugin_AccessCheck($this->_acl));
In App_Plugin_AccessCheck
class App_Plugin_AccessCheck extends Zend_Controller_Plugin_Abstract
{
private $_acl = null;
public function __construct(Zend_Acl $acl)
{
$this->_acl = $acl;
}
public function preDispatch(Zend_Controller_Request_Abstract $request)
{
$module = $request->getModuleName();
$resource = $request->getControllerName();
$action = $request->getActionName();
try {
if (!$this->_acl->isAllowed(Zend_Registry::get('role'), $module . ':' . $resource, $action)) {
$request->setControllerName('authentication')->setModuleName('default')
->setActionName('login');
}
}
catch (Exception $ex) {
if (APPLICATION_ENV == "development") {
var_dump($ex->getMessage());
}
}
}
}
In Model_AuthAcl
class Model_AuthAcl extends Zend_Acl
{
/**
* Creates the resource, role trees
*/
public function __construct ()
{
//Create roles
$this->addRole(new Zend_Acl_Role('guest'));
$this->addRole(new Zend_Acl_Role('user'), 'guest');
$this->addRole(new Zend_Acl_Role('admin'), 'user');
//Create resources
//Default module
$this->addResource(new Zend_Acl_Resource('default'))
->addResource(new Zend_Acl_Resource('default:authentication'), 'default')
->addResource(new Zend_Acl_Resource('default:error'), 'default')
//Admin module
->addResource(new Zend_Acl_Resource('admin'))
->addResource(new Zend_Acl_Resource('admin:index'), 'admin')
//Guest permissions
$this->deny('guest')
->allow('guest', 'default:authentication', array('index', 'login', 'logout', 'email', 'forgot'))
->allow('guest', 'default:error', array('error'))
->allow('guest', 'api:authentication', array('index', 'get', 'head', 'post', 'put', 'delete'))
//Admin permissions
->deny('admin', 'admin:admins')
;
}
}
May not be the most OOP solution, bet it sure as hell works.
Hope this helps you set up your dream ACL :)
I have a Federico_Plugin_Acl that extends Zend_Controller_Plugin_Abstract which looks like this:
class Federico_Plugin_Acl extends Zend_Controller_Plugin_Abstract {
private $_acl = null;
private $_auth = null;
const DEFAULT_ROLE = 'guest';
public function __construct($auth) {
$this->_auth = $auth;
$this->_acl = new Zend_Acl();
$this->_acl->addRole(new Zend_Acl_Role(self::DEFAULT_ROLE));
$this->_acl->addRole(new Zend_Acl_Role('user'), self::DEFAULT_ROLE);
$this->_acl->addRole(new Zend_Acl_Role('admin'), 'user');
$this->_acl->addResource(new Zend_Acl_Resource('index'));
$this->_acl->addResource(new Zend_Acl_Resource('users'));
$this->_acl->addResource(new Zend_Acl_Resource('about'));
$this->_acl->addResource(new Zend_Acl_Resource('gisele'));
$this->_acl->addResource(new Zend_Acl_Resource('admin'));
$this->_acl->allow('guest', 'index');
$this->_acl->allow('guest', 'about');
$this->_acl->deny('guest', 'gisele');
$this->_acl->deny('guest', 'users');
$this->_acl->allow('user', 'users', array('index'));
$this->_acl->allow('admin', 'users');
$this->_acl->allow('admin', 'gisele');
}
public function preDispatch(Zend_Controller_Request_Abstract $request) {
if ($this->_auth->hasIdentity()) {
$role = $this->_auth->getStorage()->read()->role;
} else {
$role = self::DEFAULT_ROLE;
}
$action = $request->getActionName();
$controller = $request->getControllerName();
if ($this->_acl->has($controller)) {
if (!$this->_acl->isAllowed($role, $controller, $action)) {
$request->setActionName('login');
$request->setControllerName('index');
}
}
}
}
And this method is in my bootstrap to make use of this class:
protected function _initNavigation()
{
$this->_auth = Zend_Auth::getInstance();
$this->_acl = new Federico_Plugin_Acl($this->_auth);
$this->bootstrap('view');
$view = $this->getResource('view');
$config = new Zend_Config_Xml(APPLICATION_PATH . '/configs/navigation.xml','nav');
$navigation = new Zend_Navigation($config);
$roleAuth = $this->_auth->getIdentity();
if(null == $roleAuth)
$role = 'guest';
else
$role = $roleAuth->role;
$view->navigation($navigation)->setAcl($this->_acl)->setRole($role);
}
With these configurations set like that, I get the following error:
Catchable fatal error: Argument 1 passed to Zend_View_Helper_Navigation_HelperAbstract::setAcl() must be an instance of Zend_Acl, instance of Federico_Plugin_Acl given, called in /home/fiodorovich/public_html/gisele/application/Bootstrap.php on line 118 and defined in /home/fiodorovich/library/ZendFramework/library/Zend/View/Helper/Navigation/HelperAbstract.php on line 333
Call Stack
Which is to be expected since Federico_Plugin_Acl is an instance of Zend_Controller_Plugin_Abstract...Still, if I extend Zend_Acl instead I get this error:
Fatal error: Zend_Acl_Role_Registry_Exception: Role 'guest' not found in /home/fiodorovich/library/ZendFramework/library/Zend/View/Helper/Navigation/HelperAbstract.php on line 522
So...I've been trying for a while to get this thing solved,... but don't seem to get this to work properly...Any ideas on what I'm missing here?
Zend_Controller_Plugin_Abstract and Zend_Acl are completelly different things. What you want to do is get the ACL object out of your plugin (which is now in private section) and pass it over to
$view->navigation($navigation)->setAcl(<here>);
Can some one guide me for typical implementation example of ACL. Like 'admin' can access 'admin' module, 'user' can access 'user module', and guest can access 'open' pages.
I can paste you my ACL. It consists of three elements: acl.ini, ACL controller plugin (My_Controller_Plugin_Acl) and My_Acl class, and USER table. However it does not deal with modules, but with controllers and actions. Nevertheless it may give you some general idea about ACL. My use of ACL is based on the one in a book called "Zend Framework in Action".
USER table (privilege field is used for ACL):
CREATE TABLE IF NOT EXISTS `USER` (
`user_id` INT UNSIGNED NOT NULL AUTO_INCREMENT ,
`email` VARCHAR(85) NOT NULL ,
`password` CHAR(32) NOT NULL,
`phone` VARCHAR(45) NULL ,
`phone_public` TINYINT(1) NULL DEFAULT 0 ,
`first_name` VARCHAR(45) NULL ,
`last_name` VARCHAR(45) NULL ,
`last_name_public` TINYINT(1) NULL DEFAULT 1 ,
`is_enabled` TINYINT(1) NOT NULL DEFAULT 1 ,
`created` TIMESTAMP NOT NULL,
`privilage` ENUM('BASIC','PREMIUM','ADMIN') NOT NULL DEFAULT 'BASIC' ,
PRIMARY KEY (`user_id`) ,
UNIQUE INDEX `email_UNIQUE` (`email` ASC) )
ENGINE = InnoDB;
acl.ini (I have four privileges, such that basic inherits from guest, premium inherits form basic and administrator for premium):
; roles
acl.roles.guest = null
acl.roles.basic = guest
acl.roles.premium = basic
acl.roles.administrator = premium
; resources
acl.resources.deny.all.all = guest
acl.resources.allow.index.all = guest
acl.resources.allow.error.all = guest
acl.resources.allow.user.login = guest
acl.resources.allow.user.logout = guest
acl.resources.allow.user.create = guest
acl.resources.allow.user.index = basic
acl.resources.allow.user.success = basic
My_Acl class (creates ACL roles and resources based on the ini file):
class My_Acl extends Zend_Acl {
public function __construct() {
$aclConfig = Zend_Registry::get('acl');
$roles = $aclConfig->acl->roles;
$resources = $aclConfig->acl->resources;
$this->_addRoles($roles);
$this->_addResources($resources);
}
protected function _addRoles($roles) {
foreach ($roles as $name => $parents) {
if (!$this->hasRole($name)) {
if (empty($parents)) {
$parents = null;
} else {
$parents = explode(',', $parents);
}
$this->addRole(new Zend_Acl_Role($name), $parents);
}
}
}
protected function _addResources($resources) {
foreach ($resources as $permissions => $controllers) {
foreach ($controllers as $controller => $actions) {
if ($controller == 'all') {
$controller = null;
} else {
if (!$this->has($controller)) {
$this->add(new Zend_Acl_Resource($controller));
}
}
foreach ($actions as $action => $role) {
if ($action == 'all') {
$action = null;
}
if ($permissions == 'allow') {
$this->allow($role, $controller, $action);
}
if ($permissions == 'deny') {
$this->deny($role, $controller, $action);
}
}
}
}
}
}
My_Controller_Plugin_Acl:
class My_Controller_Plugin_Acl extends Zend_Controller_Plugin_Abstract {
/**
*
* #var Zend_Auth
*/
protected $_auth;
protected $_acl;
protected $_action;
protected $_controller;
protected $_currentRole;
public function __construct(Zend_Acl $acl, array $options = array()) {
$this->_auth = Zend_Auth::getInstance();
$this->_acl = $acl;
}
public function preDispatch(Zend_Controller_Request_Abstract $request) {
$this->_init($request);
// if the current user role is not allowed to do something
if (!$this->_acl->isAllowed($this->_currentRole, $this->_controller, $this->_action)) {
if ('guest' == $this->_currentRole) {
$request->setControllerName('user');
$request->setActionName('login');
} else {
$request->setControllerName('error');
$request->setActionName('noauth');
}
}
}
protected function _init($request) {
$this->_action = $request->getActionName();
$this->_controller = $request->getControllerName();
$this->_currentRole = $this->_getCurrentUserRole();
}
protected function _getCurrentUserRole() {
if ($this->_auth->hasIdentity()) {
$authData = $this->_auth->getIdentity();
$role = isset($authData->property->privilage)?strtolower($authData->property->privilage): 'guest';
} else {
$role = 'guest';
}
return $role;
}
}
Finally a part of Bootstrap.php where everything is initialized:
protected function _initLoadAclIni() {
$config = new Zend_Config_Ini(APPLICATION_PATH . '/configs/acl.ini');
Zend_Registry::set('acl', $config);
}
protected function _initAclControllerPlugin() {
$this->bootstrap('frontcontroller');
$this->bootstrap('loadAclIni');
$front = Zend_Controller_Front::getInstance();
$aclPlugin = new My_Controller_Plugin_Acl(new My_Acl());
$front->registerPlugin($aclPlugin);
}
I have a simple example that might fits your needs
class Dagho_Acl_Main extends Zend_Acl {
public function __construct() {
$anonymous = new Zend_Acl_Role("anonymous");
$customer = new Zend_Acl_Role("customer");
$admin = new Zend_Acl_Role("admin");
$anonymousResource = new Zend_Acl_Resource("acl");
$defaultResource = new Zend_Acl_Resource("default");
$customerResource = new Zend_Acl_Resource("user");
$adminResource = new Zend_Acl_Resource("manage");
$this->addRole($anonymous)
->addRole($customer)
->addRole($admin);
$this->addResource($anonymousResource)
->addResource($defaultResource)
->addResource($customerResource)
->addResource($adminResource);
$this->allow($anonymous, $anonymousResource);
$this->allow($anonymous, $defaultResource);
$this->deny($anonymous, $customerResource);
$this->deny($anonymous, $adminResource);
$this->allow($customer, $anonymousResource);
$this->allow($customer, $defaultResource);
$this->allow($customer, $customerResource);
$this->deny($customer, $adminResource);
$this->allow($admin, $defaultResource);
$this->allow($admin, $anonymousResource);
$this->allow($admin, $adminResource);
$this->deny($admin, $customerResource);
return $this ;
}
}
and here is my plugin :
<?php
class Dagho_Controller_Plugin_Acl extends Zend_Controller_Plugin_Abstract {
public function preDispatch(Zend_Controller_Request_Abstract $request) {
$module = $request->getModuleName();
$controller = $request->getControllerName();
$action = $request->getActionName();
$doctrineAuth = new Dagho_Auth_Doctrine();
$logged = $doctrineAuth->checklogin();
$identity = $doctrineAuth->getIdentity();
Zend_Registry::set("identity", $identity);
if ($logged && $identity["role"] !== "anonymous") {
/// user had an identity let's check the ACL
$acl = new Dagho_Acl_Main();
$isAllowed = $acl->isAllowed($identity["role"], $module);
if (!$isAllowed) {
return $request->setModuleName("acl")->setControllerName("index")
->setActionName("denied")->setDispatched(true);
} else {
/// user has identity and he is allowed to access it
return;
}
} elseif ($logged === false || ($logged && $identity["role"] === "anonymous" )) {
//// user not logged on > login.php or its his first visit
$identity = $doctrineAuth->getStorage()->write(array('name' => 'anonymous', 'role' => "anonymous",));
Zend_Registry::set("identity", $identity);
return $request->setModuleName("acl")->setControllerName("index")
->setActionName("login")->setDispatched(true);
} else {
return $request->setModuleName("acl")->setControllerName("index")
->setActionName("denied")->setDispatched(true);
}
parent::preDispatch($request);
}
}