kokspflanze / bjy-authorize
Laminas\Acl 基于的防火墙系统,用于 Laminas 分发保护
Requires
- php: ^7.3 || ~8.0.0 || ~8.1.0 || ~8.2.0 || ~8.3.0
- laminas/laminas-authentication: ^2.8.0
- laminas/laminas-cache: ^2.13.2 || ^3.1.0
- laminas/laminas-eventmanager: ^3.4.0
- laminas/laminas-http: ^2.15.0
- laminas/laminas-mvc: ^3.2.0
- laminas/laminas-permissions-acl: ^2.8.0
- laminas/laminas-servicemanager: ^3.7.0
- laminas/laminas-view: ^2.14.2
Requires (Dev)
- doctrine/persistence: ^1.3.8 || ^2.2.2
- laminas/laminas-cache-storage-adapter-memory: @stable
- laminas/laminas-coding-standard: ^2.3.0
- laminas/laminas-db: ^2.13.4
- laminas/laminas-developer-tools: ^2.1.1
- lm-commons/lmc-user: ^3.5.0
- phpunit/phpunit: ^9.5.9
README
此模块旨在为 Laminas\Permissions\Acl
提供一个外观,以便于模块和应用程序的使用。默认情况下,它通过配置文件或使用 Laminas\Db
或 Doctrine ORM/ODM 提供简单的设置。
信息
这是对原始 bjyoungblood/BjyAuthorize 模块的分支。我添加了对 Laminas 的支持,因此从 2.0.0 版本开始,该模块与 Laminas 兼容。1.x 系列的版本仍然针对 Zend Framework 2 和 3。如果您发现了一个错误,请报告它,只需在 gitter 中给我发私信或在 PullRequest 中打开。
BjyAuthorize 做什么?
BjyAuthorize 为您的应用程序添加事件监听器,以便您拥有一个“安全”或“防火墙”,禁止未经授权的访问控制器或路由。
这是正常 Laminas\Mvc
应用程序工作流程的样子
启用 BjyAuthorize 后,它将看起来像这样
要求
安装
Composer
建议的安装方法是使用 composer
composer require kokspflanze/bjy-authorize
配置
以下步骤适用于您想使用 LmcUser
与 Laminas\Db
的情况。如果您想使用 Doctrine ORM/ODM,您还应查看 doctrine 文档。
- 请确保在您的
application.config.php
文件中按以下顺序启用了以下模块LmcUser
BjyAuthorize
- 导入位于
./vendor/BjyAuthorize/data/schema.sql
的 SQL 架构。 - 创建一个
./config/autoload/bjyauthorize.global.php
文件,并按以下注释示例填写配置变量值。
以下是一个注释示例配置文件
<?php return [ 'bjyauthorize' => [ // set the 'guest' role as default (must be defined in a role provider) 'default_role' => 'guest', /* this module uses a meta-role that inherits from any roles that should * be applied to the active user. the identity provider tells us which * roles the "identity role" should inherit from. * for LmcUser, this will be your default identity provider */ 'identity_provider' => \BjyAuthorize\Provider\Identity\LmcUserLaminasDb::class, /* If you only have a default role and an authenticated role, you can * use the 'AuthenticationIdentityProvider' to allow/restrict access * with the guards based on the state 'logged in' and 'not logged in'. * * 'default_role' => 'guest', // not authenticated * 'authenticated_role' => 'user', // authenticated * 'identity_provider' => \BjyAuthorize\Provider\Identity\AuthenticationIdentityProvider::class, */ /* role providers simply provide a list of roles that should be inserted * into the Laminas\Acl instance. the module comes with two providers, one * to specify roles in a config file and one to load roles using a * Laminas\Db adapter. */ 'role_providers' => [ /* here, 'guest' and 'user are defined as top-level roles, with * 'admin' inheriting from user */ \BjyAuthorize\Provider\Role\Config::class => [ 'guest' => [], 'user' => ['children' => [ 'admin' => [], ]], ], // this will load roles from the user_role table in a database // format: user_role(role_id(varchar], parent(varchar)) \BjyAuthorize\Provider\Role\LaminasDb::class => [ 'table' => 'user_role', 'identifier_field_name' => 'id', 'role_id_field' => 'role_id', 'parent_role_field' => 'parent_id', ], // this will load roles from // the 'BjyAuthorize\Provider\Role\ObjectRepositoryProvider' service \BjyAuthorize\Provider\Role\ObjectRepositoryProvider::class => [ // class name of the entity representing the role 'role_entity_class' => 'My\Role\Entity', // service name of the object manager 'object_manager' => 'My\Doctrine\Common\Persistence\ObjectManager', ], ], // resource providers provide a list of resources that will be tracked // in the ACL. like roles, they can be hierarchical 'resource_providers' => [ \BjyAuthorize\Provider\Resource\Config::class => [ 'pants' => [], ], ], /* rules can be specified here with the format: * [roles (array), resource, privilege (array|string), assertion] * assertions will be loaded using the service manager and must implement * Laminas\Acl\Assertion\AssertionInterface. * *if you use assertions, define them using the service manager!* */ 'rule_providers' => [ \BjyAuthorize\Provider\Rule\Config::class => [ 'allow' => [ // allow guests and users (and admins, through inheritance) // the "wear" privilege on the resource "pants" [['guest', 'user'], 'pants', 'wear'], ], // Don't mix allow/deny rules if you are using role inheritance. // There are some weird bugs. 'deny' => [ // ... ], ], ], /* Currently, only controller and route guards exist * * Consider enabling either the controller or the route guard depending on your needs. */ 'guards' => [ /* If this guard is specified here (i.e. it is enabled], it will block * access to all controllers and actions unless they are specified here. * You may omit the 'action' index to allow access to the entire controller */ \BjyAuthorize\Guard\Controller::class => [ ['controller' => 'index', 'action' => 'index', 'roles' => ['guest','user']], ['controller' => 'index', 'action' => 'stuff', 'roles' => ['user']], // You can also specify an array of actions or an array of controllers (or both) // allow "guest" and "admin" to access actions "list" and "manage" on these "index", // "static" and "console" controllers [ 'controller' => ['index', 'static', 'console'], 'action' => ['list', 'manage'], 'roles' => ['guest', 'admin'], ], [ 'controller' => ['search', 'administration'], 'roles' => ['staffer', 'admin'], ], ['controller' => 'lmcuser', 'roles' => []], // Below is the default index action used by the LaminasSkeletonApplication // ['controller' => 'Application\Controller\Index', 'roles' => ['guest', 'user']], ], /* If this guard is specified here (i.e. it is enabled], it will block * access to all routes unless they are specified here. */ \BjyAuthorize\Guard\Route::class => [ ['route' => 'lmcuser', 'roles' => ['user']], ['route' => 'lmcuser/logout', 'roles' => ['user']], ['route' => 'lmcuser/login', 'roles' => ['guest']], ['route' => 'lmcuser/register', 'roles' => ['guest']], // Below is the default index action used by the LaminasSkeletonApplication ['route' => 'home', 'roles' => ['guest', 'user']], ], ], ], ];
辅助工具和插件
为此模块注册了视图辅助工具和控制器插件。在控制器或视图脚本中,您可以通过调用 $this->isAllowed($resource[, $privilege])
来查询 ACL,该调用将使用当前认证(或默认)用户的角色。
无论何时您需要停止处理您的操作,都可以抛出 UnAuthorizedException,用户将在 403 页面上看到您的消息。
function cafeAction() { if (!$this->isAllowed('alcohol', 'consume')) { throw new \BjyAuthorize\Exception\UnAuthorizedException('Grow a beard first!'); } // party on ... }
许可证
在 MIT 许可证下发布。请参阅包含在项目源代码中的 LICENSE 文件以获取许可条款的副本。