bjyoungblood/bjy-authorize

该包已被废弃,不再维护。没有建议的替代包。

基于 Zend\Acl 的 ZF2 调度保护防火墙系统

维护者

详细信息

github.com/bjyoungblood/BjyAuthorize

主页

源代码

问题

安装次数: 745 176

依赖关系: 34

建议者: 8

安全: 0

星标: 284

关注者: 46

分支: 165

开放问题: 0

1.5.0-beta1 2013-09-20 12:07 UTC

Requires

Requires (Dev)

BSD-3-Clause 8214a324c3307f6675e8c38228e4b304ceb29fc8

zf2aclzfc-user

This package is not auto-updated.

Last update: 2022-02-01 12:21:26 UTC

README

已废弃

该包现已正式废弃,将不会收到任何未来的更新或错误修复。

由于对 Zend Framework 2 的长期支持已于 2018-03-31 结束,强烈建议当前依赖此包的用户迁移到 Zend Framework 3 或其他框架。

Build Status Coverage Status Total Downloads Latest Stable Version Latest Unstable Version Dependency Status

本模块旨在为 Zend\Permissions\Acl 提供一个外观,这将简化其与模块和应用程序的用法。默认情况下,它通过配置文件或使用 Zend\Db 或 Doctrine ORM/ODM(通过 ZfcUserDoctrineORM)提供简单的设置。

BjyAuthorize 做什么?

BjyAuthorize 为您的应用程序添加事件监听器,以便您拥有一个“安全”或“防火墙”,拒绝未经授权访问您的控制器或路由。

这是正常 Zend\Mvc 应用程序工作流程的样子

Zend Mvc Application workflow

启用 BjyAuthorize 后,它将看起来像这样

Zend Mvc Application workflow with BjyAuthorize

要求

安装

Composer

建议的安装方法是使用 composer

php composer.phar require bjyoungblood/bjy-authorize:1.4.*
php composer.phar require zf-commons/zfc-user:0.1.*

配置

以下步骤适用于您想使用 ZfcUserZend\Db 的情况。如果您想使用 Doctrine ORM/ODM,您还应查看 doctrine 文档

  1. 请确保以下模块按照以下顺序在您的 application.config.php 文件中启用
    • ZfcBase
    • ZfcUser
    • BjyAuthorize
  2. 导入位于 ./vendor/BjyAuthorize/data/schema.sql 的 SQL 架构。
  3. 创建一个 ./config/autoload/bjyauthorize.global.php 文件,并根据以下注释示例填充配置变量值。

以下是一个注释示例配置文件

<?php

// For PHP <= 5.4, you should replace any ::class references with strings
// remove the first \ and the ::class part and encase in single quotes

return [
    'bjyauthorize' => [

        // set the 'guest' role as default (must be defined in a role provider)
        'default_role' => 'guest',

        /* this module uses a meta-role that inherits from any roles that should
         * be applied to the active user. the identity provider tells us which
         * roles the "identity role" should inherit from.
         * for ZfcUser, this will be your default identity provider
        */
        'identity_provider' => \BjyAuthorize\Provider\Identity\ZfcUserZendDb::class,

        /* If you only have a default role and an authenticated role, you can
         * use the 'AuthenticationIdentityProvider' to allow/restrict access
         * with the guards based on the state 'logged in' and 'not logged in'.
         *
         * 'default_role'       => 'guest',         // not authenticated
         * 'authenticated_role' => 'user',          // authenticated
         * 'identity_provider'  => \BjyAuthorize\Provider\Identity\AuthenticationIdentityProvider::class,
         */

        /* role providers simply provide a list of roles that should be inserted
         * into the Zend\Acl instance. the module comes with two providers, one
         * to specify roles in a config file and one to load roles using a
         * Zend\Db adapter.
         */
        'role_providers' => [

            /* here, 'guest' and 'user are defined as top-level roles, with
             * 'admin' inheriting from user
             */
            \BjyAuthorize\Provider\Role\Config::class => [
                'guest' => [],
                'user'  => ['children' => [
                    'admin' => [],
                ]],
            ],

            // this will load roles from the user_role table in a database
            // format: user_role(role_id(varchar], parent(varchar))
            \BjyAuthorize\Provider\Role\ZendDb::class => [
                'table'                 => 'user_role',
                'identifier_field_name' => 'id',
                'role_id_field'         => 'role_id',
                'parent_role_field'     => 'parent_id',
            ],

            // this will load roles from
            // the 'BjyAuthorize\Provider\Role\ObjectRepositoryProvider' service
            \BjyAuthorize\Provider\Role\ObjectRepositoryProvider::class => [
                // class name of the entity representing the role
                'role_entity_class' => 'My\Role\Entity',
                // service name of the object manager
                'object_manager'    => 'My\Doctrine\Common\Persistence\ObjectManager',
            ],
        ],

        // resource providers provide a list of resources that will be tracked
        // in the ACL. like roles, they can be hierarchical
        'resource_providers' => [
            \BjyAuthorize\Provider\Resource\Config::class => [
                'pants' => [],
            ],
        ],

        /* rules can be specified here with the format:
         * [roles (array], resource, [privilege (array|string], assertion])
         * assertions will be loaded using the service manager and must implement
         * Zend\Acl\Assertion\AssertionInterface.
         * *if you use assertions, define them using the service manager!*
         */
        'rule_providers' => [
            \BjyAuthorize\Provider\Rule\Config::class => [
                'allow' => [
                    // allow guests and users (and admins, through inheritance)
                    // the "wear" privilege on the resource "pants"
                    [['guest', 'user'], 'pants', 'wear'],
                ],

                // Don't mix allow/deny rules if you are using role inheritance.
                // There are some weird bugs.
                'deny' => [
                    // ...
                ],
            ],
        ],

        /* Currently, only controller and route guards exist
         *
         * Consider enabling either the controller or the route guard depending on your needs.
         */
        'guards' => [
            /* If this guard is specified here (i.e. it is enabled], it will block
             * access to all controllers and actions unless they are specified here.
             * You may omit the 'action' index to allow access to the entire controller
             */
            \BjyAuthorize\Guard\Controller::class => [
                ['controller' => 'index', 'action' => 'index', 'roles' => ['guest','user']],
                ['controller' => 'index', 'action' => 'stuff', 'roles' => ['user']],
                // You can also specify an array of actions or an array of controllers (or both)
                // allow "guest" and "admin" to access actions "list" and "manage" on these "index",
                // "static" and "console" controllers
                [
                    'controller' => ['index', 'static', 'console'],
                    'action' => ['list', 'manage'],
                    'roles' => ['guest', 'admin'],
                ],
                [
                    'controller' => ['search', 'administration'],
                    'roles' => ['staffer', 'admin'],
                ],
                ['controller' => 'zfcuser', 'roles' => []],
                // Below is the default index action used by the ZendSkeletonApplication
                // ['controller' => 'Application\Controller\Index', 'roles' => ['guest', 'user']],
            ],

            /* If this guard is specified here (i.e. it is enabled], it will block
             * access to all routes unless they are specified here.
             */
            \BjyAuthorize\Guard\Route::class => [
                ['route' => 'zfcuser', 'roles' => ['user']],
                ['route' => 'zfcuser/logout', 'roles' => ['user']],
                ['route' => 'zfcuser/login', 'roles' => ['guest']],
                ['route' => 'zfcuser/register', 'roles' => ['guest']],
                // Below is the default index action used by the ZendSkeletonApplication
                ['route' => 'home', 'roles' => ['guest', 'user']],
            ],
        ],
    ],
];

助手和插件

已为此模块注册了视图助手和控制器插件。在控制器或视图脚本中,您可以调用 $this->isAllowed($resource[, $privilege]),这将使用当前认证(或默认)用户的角色查询 ACL。

在需要停止处理您的操作时,您可以抛出 UnAuthorizedException,用户将在 403 页面上看到您的消息。

function cafeAction() {
    if (!$this->isAllowed('alcohol', 'consume')) {
        throw new \BjyAuthorize\Exception\UnAuthorizedException('Grow a beard first!');
    }

    // party on ...
}

许可

本项目采用MIT许可协议发布。请参阅随源代码一同提供的LICENSE文件,获取许可条款的副本。