File indexing completed on 2025-05-25 05:30:41
0001 <?php 0002 0003 /** 0004 * ocs-webserver 0005 * 0006 * Copyright 2016 by pling GmbH. 0007 * 0008 * This file is part of ocs-webserver. 0009 * 0010 * This program is free software: you can redistribute it and/or modify 0011 * it under the terms of the GNU Affero General Public License as 0012 * published by the Free Software Foundation, either version 3 of the 0013 * License, or (at your option) any later version. 0014 * 0015 * This program is distributed in the hope that it will be useful, 0016 * but WITHOUT ANY WARRANTY; without even the implied warranty of 0017 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 0018 * GNU Affero General Public License for more details. 0019 * 0020 * You should have received a copy of the GNU Affero General Public License 0021 * along with this program. If not, see <http://www.gnu.org/licenses/>. 0022 **/ 0023 class Default_Plugin_Acl extends Zend_Controller_Plugin_Abstract 0024 { 0025 0026 /** @var Zend_Auth */ 0027 private $_auth; 0028 /** @var Zend_Acl */ 0029 private $_acl; 0030 private $_noauth = array( 0031 'module' => 'default', 0032 'controller' => 'authorization', 0033 'action' => 'login' 0034 ); 0035 private $_noacl = array( 0036 'module' => 'default', 0037 'controller' => 'error', 0038 'action' => 'privileges' 0039 ); 0040 private $_authRequired = array( 0041 'module' => 'default', 0042 'controller' => 'error', 0043 'action' => 'login' 0044 ); 0045 private $_authFromCookie = array( 0046 'module' => 'default', 0047 'controller' => 'authorization', 0048 'action' => 'loginfromcookie' 0049 ); 0050 0051 public function __construct($auth, $acl) 0052 { 0053 $this->_auth = $auth; 0054 $this->_acl = $acl; 0055 } 0056 0057 /** 0058 * @param Zend_Controller_Request_Http $request 0059 * 0060 * @throws Zend_Exception 0061 */ 0062 public function preDispatch(Zend_Controller_Request_Abstract $request) 0063 { 0064 $role = $this->readUserRole(); 0065 $controller = $request->getControllerName(); 0066 $action = $request->getActionName(); 0067 $module = ($request->getModuleName()) ? $request->getModuleName() : "default"; 0068 0069 $resource = $module . '_' . $controller; 0070 0071 // check controller/action exists 0072 $front = Zend_Controller_Front::getInstance(); 0073 $dispatcher = $front->getDispatcher(); 0074 if (false === $dispatcher->isDispatchable($request)) { 0075 throw new Zend_Controller_Action_Exception('This page does not exist', 404); 0076 } 0077 0078 // check acl rule exists 0079 if (false == $this->_acl->has($resource)) { 0080 throw new Zend_Acl_Exception("No ACL rule defined for Module:{$module}, Controller:{$controller}, Action:{$action}"); 0081 } 0082 0083 // check access right 0084 if ($this->_acl->isAllowed($role, $resource, $action)) { 0085 return; 0086 } 0087 0088 //access not allowed. test some conditions 0089 0090 //check user authentication status 0091 0092 //user is not logged in 0093 if (false === $this->_auth->hasIdentity()) { 0094 $this->getResponse()->setHttpResponseCode(401); 0095 $encryptUrl = $this->getRequestUrlEncrypted(); 0096 if (false == $this->_request->isXmlHttpRequest()) { 0097 $this->_request->setParam('redirect', $encryptUrl); 0098 $this->_request->setModuleName($this->_noauth['module']); 0099 $this->_request->setControllerName($this->_noauth['controller']); 0100 $this->_request->setActionName($this->_noauth['action']); 0101 } else { 0102 $this->_request->setParam('redirect', $encryptUrl); 0103 $this->_request->setModuleName($this->_authRequired['module']); 0104 $this->_request->setControllerName($this->_authRequired['controller']); 0105 $this->_request->setActionName($this->_authRequired['action']); 0106 } 0107 0108 return; 0109 } 0110 0111 //user has only the remember_me cookie (deprecated since cookieuser has same rights like feuser) 0112 if ($role == Default_Plugin_AclRules::ROLENAME_COOKIEUSER) { 0113 $encryptUrl = $this->getRequestUrlEncrypted(); 0114 $this->_request->setModuleName($this->_authFromCookie['module']); 0115 $this->_request->setControllerName($this->_authFromCookie['controller']); 0116 $this->_request->setActionName($this->_authFromCookie['action']); 0117 $this->_request->setParam('redirect', $encryptUrl); 0118 0119 return; 0120 } 0121 0122 //default behavior. user has no access rights 0123 $this->_request->setModuleName($this->_noacl['module']); 0124 $this->_request->setControllerName($this->_noacl['controller']); 0125 $this->_request->setActionName($this->_noacl['action']); 0126 } 0127 0128 /** 0129 * @return mixed 0130 * @throws Zend_Exception 0131 */ 0132 private function readUserRole() 0133 { 0134 // all users are guests by default 0135 $role = Default_Plugin_AclRules::ROLENAME_GUEST; 0136 0137 $identity = $this->_auth->getIdentity(); 0138 0139 if (empty($identity)) { 0140 return $role; 0141 } 0142 0143 if (false === property_exists($identity, 'roleName')) { 0144 throw new Zend_Exception('property "roleName" does not exist'); 0145 } 0146 0147 $role = $this->_auth->getIdentity()->roleName; 0148 0149 if (empty($role)) { 0150 throw new Zend_Exception('user role is empty in auth identity object'); 0151 } 0152 0153 return $role; 0154 } 0155 0156 /** 0157 * @return mixed 0158 * @throws Zend_Filter_Exception 0159 */ 0160 private function getRequestUrlEncrypted() 0161 { 0162 $urlHelper = new Zend_View_Helper_Url(); 0163 $url = $urlHelper->url($this->_request->getParams(), null, true); 0164 $helperEncryptUrl = new Local_Filter_Url_Encrypt(); 0165 $encryptUrl = $helperEncryptUrl->filter($url); 0166 0167 return $encryptUrl; 0168 } 0169 0170 }