kokspflanze/bjy-authorize

Laminas\Acl based firewall system for Laminas dispatch protection

2.4.3 2024-02-05 11:47 UTC

README


This module is designed to provide a facade for Laminas\Permissions\Acl that eases its use in modules and applications. By default it offers a simple setup either via config files or by using Laminas\Db or Doctrine ORM/ODM.

Info

This is a fork of the original bjyoungblood/BjyAuthorize module. I added Laminas support, so from version 2.0.0 on the module is Laminas compatible. Releases in the 1.x series still target Zend Framework 2 and 3. If you find a bug, please report it: just send me a private message on gitter or open a pull request.

What does BjyAuthorize do?

BjyAuthorize adds event listeners to your application so that you have a "security" or "firewall" that forbids unauthorized access to controllers or routes.

This is what a normal Laminas\Mvc application workflow looks like

Laminas Mvc Application workflow

With BjyAuthorize enabled, it looks like this

Laminas Mvc Application workflow with BjyAuthorize

Requirements

Installation

Composer

The recommended way to install is via composer

composer require kokspflanze/bjy-authorize

Configuration

The following steps apply if you want to use LmcUser with Laminas\Db. If you want to use Doctrine ORM/ODM, you should also read the doctrine documentation

  1. Make sure the following modules are enabled in your application.config.php, in this order
    • LmcUser
    • BjyAuthorize
  2. Import the SQL schema located in ./vendor/BjyAuthorize/data/schema.sql.
  3. Create a ./config/autoload/bjyauthorize.global.php file and fill in the configuration values following the annotated example below.

Here is an annotated sample configuration file

<?php

return [
    'bjyauthorize' => [

        // set the 'guest' role as default (must be defined in a role provider)
        'default_role' => 'guest',

        /* this module uses a meta-role that inherits from any roles that should
         * be applied to the active user. the identity provider tells us which
         * roles the "identity role" should inherit from.
         * for LmcUser, this will be your default identity provider
        */
        'identity_provider' => \BjyAuthorize\Provider\Identity\LmcUserLaminasDb::class,

        /* If you only have a default role and an authenticated role, you can
         * use the 'AuthenticationIdentityProvider' to allow/restrict access
         * with the guards based on the state 'logged in' and 'not logged in'.
         *
         * 'default_role'       => 'guest',         // not authenticated
         * 'authenticated_role' => 'user',          // authenticated
         * 'identity_provider'  => \BjyAuthorize\Provider\Identity\AuthenticationIdentityProvider::class,
         */

        /* role providers simply provide a list of roles that should be inserted
         * into the Laminas\Permissions\Acl instance. the module comes with providers
         * to specify roles in a config file, to load roles using a Laminas\Db
         * adapter, and to load them from a Doctrine object repository.
         */
        'role_providers' => [

            /* here, 'guest' and 'user' are defined as top-level roles, with
             * 'admin' inheriting from user
             */
            \BjyAuthorize\Provider\Role\Config::class => [
                'guest' => [],
                'user'  => ['children' => [
                    'admin' => [],
                ]],
            ],

            // this will load roles from the user_role table in a database
            // format: user_role(id, role_id(varchar), parent_id)
            \BjyAuthorize\Provider\Role\LaminasDb::class => [
                'table'                 => 'user_role',
                'identifier_field_name' => 'id',
                'role_id_field'         => 'role_id',
                'parent_role_field'     => 'parent_id',
            ],

            // this will load roles from
            // the 'BjyAuthorize\Provider\Role\ObjectRepositoryProvider' service
            \BjyAuthorize\Provider\Role\ObjectRepositoryProvider::class => [
                // class name of the entity representing the role
                'role_entity_class' => 'My\Role\Entity',
                // service name of the object manager
                'object_manager'    => 'My\Doctrine\Common\Persistence\ObjectManager',
            ],
        ],

        // resource providers provide a list of resources that will be tracked
        // in the ACL. like roles, they can be hierarchical
        'resource_providers' => [
            \BjyAuthorize\Provider\Resource\Config::class => [
                'pants' => [],
            ],
        ],

        /* rules can be specified here with the format:
         * [roles (array), resource, privilege (array|string), assertion]
         * assertions will be loaded using the service manager and must implement
         * Laminas\Permissions\Acl\Assertion\AssertionInterface.
         * *if you use assertions, define them using the service manager!*
         */
        'rule_providers' => [
            \BjyAuthorize\Provider\Rule\Config::class => [
                'allow' => [
                    // allow guests and users (and admins, through inheritance)
                    // the "wear" privilege on the resource "pants"
                    [['guest', 'user'], 'pants', 'wear'],
                ],

                // Don't mix allow/deny rules if you are using role inheritance.
                // There are some weird bugs.
                'deny' => [
                    // ...
                ],
            ],
        ],

        /* Currently, only controller and route guards exist
         *
         * Consider enabling either the controller or the route guard depending on your needs.
         */
        'guards' => [
            /* If this guard is specified here (i.e. it is enabled), it will block
             * access to all controllers and actions unless they are specified here.
             * You may omit the 'action' index to allow access to the entire controller
             */
            \BjyAuthorize\Guard\Controller::class => [
                ['controller' => 'index', 'action' => 'index', 'roles' => ['guest','user']],
                ['controller' => 'index', 'action' => 'stuff', 'roles' => ['user']],
                // You can also specify an array of actions or an array of controllers (or both)
                // allow "guest" and "admin" to access actions "list" and "manage" on these "index",
                // "static" and "console" controllers
                [
                    'controller' => ['index', 'static', 'console'],
                    'action' => ['list', 'manage'],
                    'roles' => ['guest', 'admin'],
                ],
                [
                    'controller' => ['search', 'administration'],
                    'roles' => ['staffer', 'admin'],
                ],
                // an empty 'roles' list allows every role: LmcUser's own controller
                // (login, register, logout) must stay reachable for guests and users
                ['controller' => 'lmcuser', 'roles' => []],
                // Below is the default index action used by the LaminasSkeletonApplication
                // ['controller' => 'Application\Controller\Index', 'roles' => ['guest', 'user']],
            ],

            /* If this guard is specified here (i.e. it is enabled), it will block
             * access to all routes unless they are specified here.
             */
            \BjyAuthorize\Guard\Route::class => [
                ['route' => 'lmcuser', 'roles' => ['user']],
                ['route' => 'lmcuser/logout', 'roles' => ['user']],
                ['route' => 'lmcuser/login', 'roles' => ['guest']],
                ['route' => 'lmcuser/register', 'roles' => ['guest']],
                // Below is the default index action used by the LaminasSkeletonApplication
                ['route' => 'home', 'roles' => ['guest', 'user']],
            ],
        ],
    ],
];

Helpers and plugins

A view helper and a controller plugin are registered for this module. In a controller or view script you can query the ACL by calling $this->isAllowed($resource[, $privilege]), which uses the roles of the currently authenticated (or default) user.

Whenever you need to stop processing your action, throw an UnAuthorizedException; the user will see your message on a 403 page.

public function cafeAction()
{
    // isAllowed() is the controller plugin described above; it checks the
    // current user's roles against the ACL for the given resource/privilege
    if (!$this->isAllowed('alcohol', 'consume')) {
        throw new \BjyAuthorize\Exception\UnAuthorizedException('Grow a beard first!');
    }

    // party on ...
}
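The rule format from the configuration above ([roles, resource, privilege, assertion]) and the isAllowed() plugin meet when an assertion needs data that a plain resource id cannot carry, such as who owns the record being edited. What follows is an added example, not code from BjyAuthorize or from this page: it assumes the class names MyApp\Acl\PostResource and MyApp\Acl\PostOwnerAssertion, a post entity exposing getId() and getOwnerId(), a postRepository on the controller, and LmcUser's authentication service being registered as 'lmcuser_auth_service'. Everything else is the Laminas\Permissions\Acl API and the BjyAuthorize configuration keys documented above.

```php
<?php
// Added example, not part of BjyAuthorize. Assumed names: MyApp\Acl\PostResource,
// MyApp\Acl\PostOwnerAssertion, a post entity exposing getId()/getOwnerId(), and
// the LmcUser authentication service registered as 'lmcuser_auth_service'.

// ---- file: src/MyApp/Acl/PostResource.php and PostOwnerAssertion.php ----
namespace MyApp\Acl;

use Laminas\Authentication\AuthenticationServiceInterface;
use Laminas\Permissions\Acl\Acl;
use Laminas\Permissions\Acl\Assertion\AssertionInterface;
use Laminas\Permissions\Acl\Resource\ResourceInterface;
use Laminas\Permissions\Acl\Role\RoleInterface;

// Resource object that carries the record under check. The ACL only looks at
// the id ('post', registered below by the Config resource provider); the
// assertion reads the owner from the same object.
final class PostResource implements ResourceInterface
{
    public function __construct(private int $postId, private int $ownerId) {}

    public function getResourceId(): string
    {
        return 'post';
    }

    public function getOwnerId(): int
    {
        return $this->ownerId;
    }
}

// Grants the privilege only if the authenticated user owns the post. It fails
// closed: no identity, or a resource without an owner (e.g. the bare string
// 'post' handed to isAllowed(), which arrives as a generic resource), is denied.
final class PostOwnerAssertion implements AssertionInterface
{
    public function __construct(private AuthenticationServiceInterface $auth) {}

    public function assert(
        Acl $acl,
        ?RoleInterface $role = null,
        ?ResourceInterface $resource = null,
        $privilege = null
    ): bool {
        if (!$resource instanceof PostResource || !$this->auth->hasIdentity()) {
            return false;
        }

        $user = $this->auth->getIdentity(); // LmcUser user entity
        return (int) $user->getId() === $resource->getOwnerId();
    }
}

// ---- file: config/autoload/bjyauthorize.global.php (excerpt) ----
// The assertion is referenced by service name in the rule and built by the
// service manager, as the rule_providers comment above requires.
return [
    'service_manager' => [
        'factories' => [
            \MyApp\Acl\PostOwnerAssertion::class => function ($container) {
                return new \MyApp\Acl\PostOwnerAssertion(
                    $container->get('lmcuser_auth_service') // assumed LmcUser alias
                );
            },
        ],
    ],
    'bjyauthorize' => [
        'resource_providers' => [
            \BjyAuthorize\Provider\Resource\Config::class => [
                'post' => [],
            ],
        ],
        'rule_providers' => [
            \BjyAuthorize\Provider\Rule\Config::class => [
                'allow' => [
                    // every 'user' (and 'admin' through inheritance) may read posts
                    [['user'], 'post', 'read'],
                    // editing additionally requires the ownership assertion
                    [['user'], 'post', 'edit', \MyApp\Acl\PostOwnerAssertion::class],
                ],
            ],
        ],
    ],
];

// ---- in a controller action: pass the object, not the string ----
//   $post = $this->postRepository->find($id);            // assumed repository
//   $resource = new \MyApp\Acl\PostResource($post->getId(), $post->getOwnerId());
//   if (!$this->isAllowed($resource, 'edit')) {
//       throw new \BjyAuthorize\Exception\UnAuthorizedException('Not your post');
//   }
```

Laminas\Permissions\Acl hands the assertion the role and resource objects originally passed to isAllowed(), so the owner id travels with the PostResource; the identity meta-role itself carries no user, which is why the assertion asks the authentication service instead. A rule with an assertion still applies only to the roles it lists: a guest never reaches PostOwnerAssertion because no rule grants 'guest' the 'edit' privilege, and a caller that passes the string 'post' is refused rather than silently allowed.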

License

Released under the MIT License. See the LICENSE file included in the project source for a copy of the license terms.