jield-webdev/bjy-authorize

基于Laminas\Acl的防火墙系统,用于Laminas/ZF2/3调度保护

维护者

详细信息

github.com/jield-webdev/BjyAuthorize

主页

源代码

安装量: 10,077

依赖项: 7

建议者: 0

安全: 0

星标: 1

关注者: 1

分支: 164

2.0.0 2020-01-16 13:31 UTC

Requires

Requires (Dev)

BSD-3-Clause fcf2c309a290fdad0ff5332a77a887db0021f062

zf2aclzfzfc-userzf3laminas

This package is auto-updated.

Last update: 2024-09-10 01:42:14 UTC

README

Build Status Total Downloads Latest Stable Version

此模块旨在为laminas\Permissions\Acl提供一个门面,以简化模块和应用程序的使用。默认情况下,它通过配置文件或使用laminas\Db或Doctrine ORM/ODM(通过ZfcUserDoctrineORM)提供简单的设置。

信息

这是bjyoungblood/BjyAuthorize的一个分支。我添加了对Laminas/ZF3的支持,因此该模块与Laminas / Zend Framework 2和3兼容。如果您发现了错误,请报告它,只需在gitter上给我发私信或打开一个PullRequest。

BjyAuthorize做什么?

BjyAuthorize会为您的应用程序添加事件监听器,以便您有一个“安全”或“防火墙”,阻止未经授权访问控制器或路由。

这是正常Laminas\Mvc应用程序的工作流程

Laminas Mvc Application workflow

启用BjyAuthorize后的样子

Laminas Mvc Application workflow with BjyAuthorize

要求

安装

Composer

建议的安装方法是通过composer

php composer.phar require kokspflanze/bjy-authorize

配置

以下步骤适用于您想使用ZfcUserLaminas\Db的情况。如果您想使用Doctrine ORM/ODM,您还应查看doctrine文档

  1. 请确保在您的application.config.php文件中按以下顺序启用以下模块
    • ZfcBase
    • ZfcUser
    • BjyAuthorize
  2. 导入位于./vendor/BjyAuthorize/data/schema.sql中的SQL架构。
  3. 创建一个./config/autoload/bjyauthorize.global.php文件,并按照以下注释示例填充配置变量值。

以下是一个注释示例配置文件

<?php

return [
    'bjyauthorize' => [

        // set the 'guest' role as default (must be defined in a role provider)
        'default_role' => 'guest',

        /* this module uses a meta-role that inherits from any roles that should
         * be applied to the active user. the identity provider tells us which
         * roles the "identity role" should inherit from.
         * for ZfcUser, this will be your default identity provider
        */
        'identity_provider' => \BjyAuthorize\Provider\Identity\ZfcUserZendDb::class,

        /* If you only have a default role and an authenticated role, you can
         * use the 'AuthenticationIdentityProvider' to allow/restrict access
         * with the guards based on the state 'logged in' and 'not logged in'.
         *
         * 'default_role'       => 'guest',         // not authenticated
         * 'authenticated_role' => 'user',          // authenticated
         * 'identity_provider'  => \BjyAuthorize\Provider\Identity\AuthenticationIdentityProvider::class,
         */

        /* role providers simply provide a list of roles that should be inserted
         * into the Laminas\Acl instance. the module comes with two providers, one
         * to specify roles in a config file and one to load roles using a
         * Laminas\Db adapter.
         */
        'role_providers' => [

            /* here, 'guest' and 'user are defined as top-level roles, with
             * 'admin' inheriting from user
             */
            \BjyAuthorize\Provider\Role\Config::class => [
                'guest' => [],
                'user'  => ['children' => [
                    'admin' => [],
                ]],
            ],

            // this will load roles from the user_role table in a database
            // format: user_role(role_id(varchar], parent(varchar))
            \BjyAuthorize\Provider\Role\ZendDb::class => [
                'table'                 => 'user_role',
                'identifier_field_name' => 'id',
                'role_id_field'         => 'role_id',
                'parent_role_field'     => 'parent_id',
            ],

            // this will load roles from
            // the 'BjyAuthorize\Provider\Role\ObjectRepositoryProvider' service
            \BjyAuthorize\Provider\Role\ObjectRepositoryProvider::class => [
                // class name of the entity representing the role
                'role_entity_class' => 'My\Role\Entity',
                // service name of the object manager
                'object_manager'    => 'My\Doctrine\Common\Persistence\ObjectManager',
            ],
        ],

        // resource providers provide a list of resources that will be tracked
        // in the ACL. like roles, they can be hierarchical
        'resource_providers' => [
            \BjyAuthorize\Provider\Resource\Config::class => [
                'pants' => [],
            ],
        ],

        /* rules can be specified here with the format:
         * [roles (array], resource, [privilege (array|string], assertion])
         * assertions will be loaded using the service manager and must implement
         * Laminas\Acl\Assertion\AssertionInterface.
         * *if you use assertions, define them using the service manager!*
         */
        'rule_providers' => [
            \BjyAuthorize\Provider\Rule\Config::class => [
                'allow' => [
                    // allow guests and users (and admins, through inheritance)
                    // the "wear" privilege on the resource "pants"
                    [['guest', 'user'], 'pants', 'wear'],
                ],

                // Don't mix allow/deny rules if you are using role inheritance.
                // There are some weird bugs.
                'deny' => [
                    // ...
                ],
            ],
        ],

        /* Currently, only controller and route guards exist
         *
         * Consider enabling either the controller or the route guard depending on your needs.
         */
        'guards' => [
            /* If this guard is specified here (i.e. it is enabled], it will block
             * access to all controllers and actions unless they are specified here.
             * You may omit the 'action' index to allow access to the entire controller
             */
            \BjyAuthorize\Guard\Controller::class => [
                ['controller' => 'index', 'action' => 'index', 'roles' => ['guest','user']],
                ['controller' => 'index', 'action' => 'stuff', 'roles' => ['user']],
                // You can also specify an array of actions or an array of controllers (or both)
                // allow "guest" and "admin" to access actions "list" and "manage" on these "index",
                // "static" and "console" controllers
                [
                    'controller' => ['index', 'static', 'console'],
                    'action' => ['list', 'manage'],
                    'roles' => ['guest', 'admin'],
                ],
                [
                    'controller' => ['search', 'administration'],
                    'roles' => ['staffer', 'admin'],
                ],
                ['controller' => 'zfcuser', 'roles' => []],
                // Below is the default index action used by the LaminasSkeletonApplication
                // ['controller' => 'Application\Controller\Index', 'roles' => ['guest', 'user']],
            ],

            /* If this guard is specified here (i.e. it is enabled], it will block
             * access to all routes unless they are specified here.
             */
            \BjyAuthorize\Guard\Route::class => [
                ['route' => 'zfcuser', 'roles' => ['user']],
                ['route' => 'zfcuser/logout', 'roles' => ['user']],
                ['route' => 'zfcuser/login', 'roles' => ['guest']],
                ['route' => 'zfcuser/register', 'roles' => ['guest']],
                // Below is the default index action used by the LaminasSkeletonApplication
                ['route' => 'home', 'roles' => ['guest', 'user']],
            ],
        ],
    ],
];

辅助工具和插件

为此模块注册了视图辅助工具和控制器插件。在控制器或视图脚本中,您可以调用$this->isAllowed($resource[, $privilege]),这将使用当前认证的(或默认的)用户的角色查询ACL。

当您需要停止处理您的操作时,您可以抛出UnAuthorizedException,用户将在403页面上看到您的消息。

function cafeAction() {
    if (!$this->isAllowed('alcohol', 'consume')) {
        throw new \BjyAuthorize\Exception\UnAuthorizedException('Grow a beard first!');
    }

    // party on ...
}

许可证

在MIT许可证下发布。请参阅随源代码一起提供的LICENSE文件,以获取许可证条款的副本。