1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
|
<?php
/**
* UserFrosting (http://www.userfrosting.com)
*
* @link https://github.com/userfrosting/UserFrosting
* @license https://github.com/userfrosting/UserFrosting/blob/master/licenses/UserFrosting.md (MIT License)
*/
namespace UserFrosting\Sprinkle\Account\Authorize;
use Interop\Container\ContainerInterface;
use UserFrosting\Sprinkle\Account\Database\Models\User;
/**
* AuthorizationManager class.
*
* Manages a collection of access condition callbacks, and uses them to perform access control checks on user objects.
* @author Alex Weissman (https://alexanderweissman.com)
*/
class AuthorizationManager
{
/**
* @var ContainerInterface The global container object, which holds all your services.
*/
protected $ci;
/**
* @var array[callable] An array of callbacks that accept some parameters and evaluate to true or false.
*/
protected $callbacks = [];
/**
* Create a new AuthorizationManager object.
*
* @param ContainerInterface $ci The global container object, which holds all your services.
*/
public function __construct(ContainerInterface $ci, array $callbacks = [])
{
$this->ci = $ci;
$this->callbacks = $callbacks;
}
/**
* Register an authorization callback, which can then be used in permission conditions.
*
* To add additional callbacks, simply extend the `authorizer` service in your Sprinkle's service provider.
* @param string $name
* @param callable $callback
*/
public function addCallback($name, $callback)
{
$this->callbacks[$name] = $callback;
return $this;
}
/**
* Get all authorization callbacks.
*
* @return callable[]
*/
public function getCallbacks()
{
return $this->callbacks;
}
/**
* Checks whether or not a user has access on a particular permission slug.
*
* Determine if this user has access to the given $slug under the given $params.
*
* @param UserFrosting\Sprinkle\Account\Database\Models\User $user
* @param string $slug The permission slug to check for access.
* @param array $params[optional] An array of field names => values, specifying any additional data to provide the authorization module
* when determining whether or not this user has access.
* @return boolean True if the user has access, false otherwise.
*/
public function checkAccess(User $user, $slug, array $params = [])
{
$debug = $this->ci->config['debug.auth'];
if ($debug) {
$trace = array_slice(debug_backtrace(DEBUG_BACKTRACE_IGNORE_ARGS, 3), 1);
$this->ci->authLogger->debug("Authorization check requested at: ", $trace);
$this->ci->authLogger->debug("Checking authorization for user {$user->id} ('{$user->user_name}') on permission '$slug'...");
}
if ($this->ci->authenticator->guest()) {
if ($debug) {
$this->ci->authLogger->debug("User is not logged in. Access denied.");
}
return false;
}
// The master (root) account has access to everything.
// Need to use loose comparison for now, because some DBs return `id` as a string.
if ($user->id == $this->ci->config['reserved_user_ids.master']) {
if ($debug) {
$this->ci->authLogger->debug("User is the master (root) user. Access granted.");
}
return true;
}
// Find all permissions that apply to this user (via roles), and check if any evaluate to true.
$permissions = $user->getCachedPermissions();
if (empty($permissions) || !isset($permissions[$slug])) {
if ($debug) {
$this->ci->authLogger->debug("No matching permissions found. Access denied.");
}
return false;
}
$permissions = $permissions[$slug];
if ($debug) {
$this->ci->authLogger->debug("Found matching permissions: \n" . print_r($this->getPermissionsArrayDebugInfo($permissions), true));
}
$nodeVisitor = new ParserNodeFunctionEvaluator($this->callbacks, $this->ci->authLogger, $debug);
$ace = new AccessConditionExpression($nodeVisitor, $user, $this->ci->authLogger, $debug);
foreach ($permissions as $permission) {
$pass = $ace->evaluateCondition($permission->conditions, $params);
if ($pass) {
if ($debug) {
$this->ci->authLogger->debug("User passed conditions '{$permission->conditions}' . Access granted.");
}
return true;
}
}
if ($debug) {
$this->ci->authLogger->debug("User failed to pass any of the matched permissions. Access denied.");
}
return false;
}
/**
* Remove extraneous information from the permission to reduce verbosity.
*
* @param array
* @return array
*/
protected function getPermissionsArrayDebugInfo($permissions)
{
$permissionsInfo = [];
foreach ($permissions as $permission) {
$permissionData = array_only($permission->toArray(), ['id', 'slug', 'name', 'conditions', 'description']);
// Remove this until we can find an efficient way to only load these once during debugging
//$permissionData['roles_via'] = $permission->roles_via->pluck('id')->all();
$permissionsInfo[] = $permissionData;
}
return $permissionsInfo;
}
}
|
