ZF2 - Checking permissions for get parameter in ea

2020-05-09 12:00发布

站内问答 / 后端开发
498 1 6

I have a Controller called "TestController" and several actions in it. For each action I receive a get Parameter ("id"). Something like: 

test/action1/1
test/action1/2
test/action2/1
test/action3/1
...

Since this parameter can easily be modified I want to check the permissions for this id. Do I have to include this check method in each single action or is there another way? I know that I can't receive params in the constructor but a way like this would be nice.

My solution at the moment would be to have a check method in a plugin and call it in every action like this:

if(!$this->access()->checkAccess(..., $this->params()->fromRoute('id')) {
 //redirect...
}

1条回答
看我几分像从前
2楼-- · 2020-05-09 12:18

You can use ACL's (or RBAC) to make these checks.

With ACL's you can (must) declare the resources of your application, the roles that use the application and how the roles access the resources.

You can start by attaching a listener to controllers, in the application's Module.php

class Module {
    public function onBootstrap(\Zend\Mvc\MvcEvent $event) {
        $application = $e->getApplication();
        $serviceManager = $application->getServiceManager();
        $sharedManager = $application->getEventManager()->getSharedManager();

        $router = $serviceManager->get('router');
        $request = $serviceManager->get('request');

        $matchedRoute = $router->match($request);
        if (null !== $matchedRoute) {
            $sharedManager->attach(\Zend\Mvc\Controller\AbstractActionController::class, \Zend\Mvc\MvcEvent::EVENT_DISPATCH, function($event) use ($serviceManager) {
                $serviceManager->get('ControllerPluginManager')->get('Application\Controller\Plugin\Acl')->doAuthorization($event);
            }, 2
            );
        }
    }
}

As you can see, we attached the plugin Application\Controller\Plugin\Acl to the dispatch event of every Zend\Mvc\Controller\AbstractActionController.

Then you have to implement your ACLS.

Here is a simple exemple. By default, I prefer to deny access to all resources and then, one by one, allow access to them. You can also allow access to everything and then deny access to single resources, but this way you have to be more careful. If you deny all and forget something, an user will not be able to access something that it should be. If you allow all and forget something, user could see something that they shouldn't. Better be safe than sorry ;)

namespace Application\Controller\Plugin;

class Acl extends \Zend\Mvc\Controller\Plugin\AbstractPlugin implements \Zend\ServiceManager\ServiceLocatorAwareInterface {

    private $serviceLocator;

    public function doAuthorization(\Zend\Mvc\MvcEvent $event) {
        // Retrieve user role, if you have them or just use guest
        $role = 'guest';

        $resource = get_class($event->getTarget());
        $action = $event->getRouteMatch()->getParams()['action'];

        if (!$this->getAcl()->isAllowed($role, $resource, $action)) {
            // Handle the access denied
            // Could be a redirect to login/home page, or just an 404 page
        }

    }

    public function getAcl() {
        // Create the ACL object
        $acl = new \Zend\Permissions\Acl\Acl();

        // Add your roles
        $acl->addRole(new \Zend\Permissions\Acl\Role\GenericRole('guest'));

        // Add your resources
        $acl->addResource(new Resource(\YourModule\Controller\YourController::class));

        // By default, block access to all resources.
        $acl->deny();

        // Add, one by one, access to resources for all roles
        $acl->allow('guest', \YourModule\Controller\YourController::class, ['action1', 'action2'], new \YourModule\Assertion\YourIdAssertion());

        return $acl;

    }

    public function getServiceLocator() {
        return $this->serviceLocator;
    }

    public function setServiceLocator(\Zend\ServiceManager\ServiceLocatorInterface $serviceLocator) {
        $this->serviceLocator = $serviceLocator;
    }

}

The method allow allows you to define these parameters:

  • role (mandatory)
  • resource (mandatory)
  • actions (optional)
  • assertion class (optional)

Finally, after declaring which roles can access a specific action of a specific resource, you can also tell the ACL a "rule", like "access the action only if it this condition is met". These rules are specified through Assertions:

use Zend\Permissions\Acl\Assertion\AssertionInterface;
use Zend\Permissions\Acl\Acl;
use Zend\Permissions\Acl\Role\RoleInterface as Role;
use Zend\Permissions\Acl\Resource\ResourceInterface as Resource;

class YourAssertion implements AssertionInterface {

    public function __construct($serviceManager) {
        // construct

    }

    public function assert(Acl $acl, Role $role = null, Resource $resource = null, $privilege = null) {
        $isAllowed = false;

        // Your logic to check if an user can access a specific id or not
        //  if(...){
        //      $isAllowed = true;
        //  }

        return $isAllowed;

    }

}

Hope this will help you!

查看更多
0人赞 添加讨论(0) 举报
登录 后发表回答
相关问题
查看全部
相关文章
查看全部
收藏的人(6)