neilime/bjy-authorize

ZF2 dispatch-protection firewall system based on Zend\Acl

The official repository of this package appears to be gone, so the package has been frozen.

1.5.0 2016-11-06 16:25 UTC

This package is auto-updated.

Last update: 2019-02-23 09:44:09 UTC


README

This fork (neilime/bjy-authorize)

The only change in this fork is the final release 1.5.0, which contains the last changes made on the original project's master since the last available release, "1.4.0". It will be removed once a new release is drafted on the original project.

BjyAuthorize - Acl security for ZF2


This module is designed to provide a facade for Zend\Permissions\Acl that eases its use in modules and applications. By default it offers a simple setup through configuration files, or by using Zend\Db or Doctrine ORM/ODM (via ZfcUserDoctrineORM).

What does BjyAuthorize do?

BjyAuthorize adds event listeners to your application so that you have a "security" or "firewall" that denies unauthorized access to your controllers or routes before the request is dispatched.

This is what a normal Zend\Mvc application workflow looks like:

Zend Mvc Application workflow

With BjyAuthorize enabled, it looks like this:

Zend Mvc Application workflow with BjyAuthorize

Requirements

Installation

Composer

The recommended way to install is via composer

php composer.phar require bjyoungblood/bjy-authorize:1.4.*
php composer.phar require zf-commons/zfc-user:0.1.*

Configuration

The following steps apply if you want to use ZfcUser with Zend\Db. If you want to use Doctrine ORM/ODM, also see the doctrine documentation.

  1. Ensure that the following modules are enabled in your application.config.php file, in this order:
    • ZfcBase
    • ZfcUser
    • BjyAuthorize
  2. Import the SQL schema located in ./vendor/BjyAuthorize/data/schema.sql.
  3. Create a ./config/autoload/bjyauthorize.global.php file and populate the configuration values following the annotated example below.

Here is an annotated sample configuration file:

<?php

// For PHP <= 5.4, you should replace any ::class references with strings
// remove the first \ and the ::class part and encase in single quotes

return [
    'bjyauthorize' => [

        // set the 'guest' role as default (must be defined in a role provider)
        'default_role' => 'guest',

        /* this module uses a meta-role that inherits from any roles that should
         * be applied to the active user. the identity provider tells us which
         * roles the "identity role" should inherit from.
         * for ZfcUser, this will be your default identity provider
        */
        'identity_provider' => \BjyAuthorize\Provider\Identity\ZfcUserZendDb::class,

        /* If you only have a default role and an authenticated role, you can
         * use the 'AuthenticationIdentityProvider' to allow/restrict access
         * with the guards based on the state 'logged in' and 'not logged in'.
         *
         * 'default_role'       => 'guest',         // not authenticated
         * 'authenticated_role' => 'user',          // authenticated
         * 'identity_provider'  => \BjyAuthorize\Provider\Identity\AuthenticationIdentityProvider::class,
         */

        /* role providers simply provide a list of roles that should be inserted
         * into the Zend\Acl instance. the module comes with two providers, one
         * to specify roles in a config file and one to load roles using a
         * Zend\Db adapter.
         */
        'role_providers' => [

            /* here, 'guest' and 'user' are defined as top-level roles, with
             * 'admin' inheriting from 'user'
             */
            \BjyAuthorize\Provider\Role\Config::class => [
                'guest' => [],
                'user'  => ['children' => [
                    'admin' => [],
                ]],
            ],

            // this will load roles from the user_role table in a database
            // format: user_role(role_id(varchar), parent(varchar))
            \BjyAuthorize\Provider\Role\ZendDb::class => [
                'table'                 => 'user_role',
                'identifier_field_name' => 'id',
                'role_id_field'         => 'role_id',
                'parent_role_field'     => 'parent_id',
            ],

            // this will load roles from
            // the 'BjyAuthorize\Provider\Role\ObjectRepositoryProvider' service
            \BjyAuthorize\Provider\Role\ObjectRepositoryProvider::class => [
                // class name of the entity representing the role
                'role_entity_class' => 'My\Role\Entity',
                // service name of the object manager
                'object_manager'    => 'My\Doctrine\Common\Persistence\ObjectManager',
            ],
        ],

        // resource providers provide a list of resources that will be tracked
        // in the ACL. like roles, they can be hierarchical
        'resource_providers' => [
            \BjyAuthorize\Provider\Resource\Config::class => [
                'pants' => [],
            ],
        ],

        /* rules can be specified here with the format:
         * [roles (array), resource, [privilege (array|string), assertion]]
         * assertions will be loaded using the service manager and must implement
         * Zend\Permissions\Acl\Assertion\AssertionInterface.
         * *if you use assertions, define them using the service manager!*
         */
        'rule_providers' => [
            \BjyAuthorize\Provider\Rule\Config::class => [
                'allow' => [
                    // allow guests and users (and admins, through inheritance)
                    // the "wear" privilege on the resource "pants"
                    [['guest', 'user'], 'pants', 'wear'],
                ],

                // Don't mix allow/deny rules if you are using role inheritance.
                // There are some weird bugs.
                'deny' => [
                    // ...
                ],
            ],
        ],

        /* Currently, only controller and route guards exist
         *
         * Consider enabling either the controller or the route guard depending on your needs.
         */
        'guards' => [
            /* If this guard is specified here (i.e. it is enabled), it will block
             * access to all controllers and actions unless they are specified here.
             * You may omit the 'action' index to allow access to the entire controller
             */
            \BjyAuthorize\Guard\Controller::class => [
                ['controller' => 'index', 'action' => 'index', 'roles' => ['guest','user']],
                ['controller' => 'index', 'action' => 'stuff', 'roles' => ['user']],
                // You can also specify an array of actions or an array of controllers (or both)
                // allow "guest" and "admin" to access actions "list" and "manage" on these "index",
                // "static" and "console" controllers
                [
                    'controller' => ['index', 'static', 'console'],
                    'action' => ['list', 'manage'],
                    'roles' => ['guest', 'admin'],
                ],
                [
                    'controller' => ['search', 'administration'],
                    'roles' => ['staffer', 'admin'],
                ],
                // an empty roles array means every role, including 'guest', may reach
                // this controller, which keeps ZfcUser's login and registration pages reachable
                ['controller' => 'zfcuser', 'roles' => []],
                // Below is the default index action used by the ZendSkeletonApplication
                // ['controller' => 'Application\Controller\Index', 'roles' => ['guest', 'user']],
            ],

            /* If this guard is specified here (i.e. it is enabled), it will block
             * access to all routes unless they are specified here.
             */
            \BjyAuthorize\Guard\Route::class => [
                ['route' => 'zfcuser', 'roles' => ['user']],
                ['route' => 'zfcuser/logout', 'roles' => ['user']],
                ['route' => 'zfcuser/login', 'roles' => ['guest']],
                ['route' => 'zfcuser/register', 'roles' => ['guest']],
                // Below is the default index action used by the ZendSkeletonApplication
                ['route' => 'home', 'roles' => ['guest', 'user']],
            ],
        ],
    ],
];

Helpers and plugins

A view helper and a controller plugin are registered for this module. In a controller or a view script, you can query the ACL by calling $this->isAllowed($resource[, $privilege]), which uses the roles of the currently authenticated (or default) user.

When you need to stop processing your action, you can throw an UnAuthorizedException; the user will see your message on a 403 page.

public function cafeAction()
{
    // the isAllowed() controller plugin queries the ACL with the roles of the
    // current (or default) identity
    if (!$this->isAllowed('alcohol', 'consume')) {
        // caught by BjyAuthorize and rendered as a 403 page carrying this message
        throw new \BjyAuthorize\Exception\UnAuthorizedException('Grow a beard first!');
    }

    // party on ...
}
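The rule_providers comments in the sample configuration say that assertions are loaded from the service manager and must implement the Acl assertion interface, and the isAllowed() plugin above is where such a rule is exercised with a concrete object. The following is an added example, not code from BjyAuthorize or its README, showing how the two fit together for an object-level "only the owner may edit" check. The Zend\Permissions\Acl and BjyAuthorize calls are real; the My\Entity\Post and My\Acl\Assertion\PostOwner class names, the 'my_acl_post_owner' service key and the 'post' resource are assumptions made for this illustration, and 'zfcuser_auth_service' is assumed to be the name under which ZfcUser registers its Zend\Authentication\AuthenticationService.

```php
<?php
// Added example, not code from BjyAuthorize or its README. The My\... names,
// the 'my_acl_post_owner' service key and the 'post' resource are assumptions;
// 'zfcuser_auth_service' is assumed to be ZfcUser's AuthenticationService.

namespace My\Entity {
    use Zend\Permissions\Acl\Resource\ResourceInterface;

    // The entity is its own ACL resource: a controller passes the object to
    // isAllowed() and Zend\Acl hands that same object to the assertion.
    class Post implements ResourceInterface
    {
        private $ownerId;

        public function __construct($ownerId)
        {
            $this->ownerId = (int) $ownerId;
        }

        public function getOwnerId()
        {
            return $this->ownerId;
        }

        // must equal the name declared under 'resource_providers' below
        public function getResourceId()
        {
            return 'post';
        }
    }
}

namespace My\Acl\Assertion {
    use My\Entity\Post;
    use Zend\Authentication\AuthenticationService;
    use Zend\Permissions\Acl\Acl;
    use Zend\Permissions\Acl\Assertion\AssertionInterface;
    use Zend\Permissions\Acl\Resource\ResourceInterface;
    use Zend\Permissions\Acl\Role\RoleInterface;

    class PostOwner implements AssertionInterface
    {
        private $auth;

        public function __construct(AuthenticationService $auth)
        {
            $this->auth = $auth;
        }

        public function assert(
            Acl $acl,
            RoleInterface $role = null,
            ResourceInterface $resource = null,
            $privilege = null
        ) {
            // $role is BjyAuthorize's identity meta-role, not the user record,
            // so the caller is read from the authentication service. Fail
            // closed when only the string 'post' was queried (nothing to
            // compare against) or when nobody is logged in.
            if (!$resource instanceof Post || !$this->auth->hasIdentity()) {
                return false;
            }

            return $resource->getOwnerId() === (int) $this->auth->getIdentity()->getId();
        }
    }
}

namespace {
    // module.config.php fragment: the assertion is registered as a service, as
    // the rule_providers comment requires, and referenced by that service name
    // as the fourth element of the rule.
    return [
        'service_manager' => [
            'factories' => [
                'my_acl_post_owner' => function ($services) {
                    return new My\Acl\Assertion\PostOwner($services->get('zfcuser_auth_service'));
                },
            ],
        ],
        'bjyauthorize' => [
            'resource_providers' => [
                BjyAuthorize\Provider\Resource\Config::class => ['post' => []],
            ],
            'rule_providers' => [
                BjyAuthorize\Provider\Rule\Config::class => [
                    'allow' => [
                        [['guest', 'user'], 'post', 'view'],
                        // users edit only their own posts ...
                        [['user'], 'post', 'edit', 'my_acl_post_owner'],
                        // ... admins (inheriting from 'user') get an unconditional rule
                        [['admin'], 'post', 'edit'],
                    ],
                ],
            ],
        ],
    ];
}
```

In a controller the check becomes `if (!$this->isAllowed($post, 'edit')) { throw new \BjyAuthorize\Exception\UnAuthorizedException('Not your post'); }`, with `$post` being the loaded My\Entity\Post. Because the assertion fails closed on a bare string, `$this->isAllowed('post', 'edit')` from a view helper returns false for every role except 'admin', whose rule carries no assertion; pass the entity when you want the owner to see an edit link. Only allow rules are used here, in keeping with the sample configuration's warning about mixing allow and deny rules under role inheritance.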

License

This project is released under the MIT license. See the LICENSE file included with the project's source code for a copy of the license terms.