HOR-1440 Create class AccessControl to implement ACL functionality in endpoints
up observations
@@ -38,5 +38,10 @@
|
|||||||
"require-dev": {
|
"require-dev": {
|
||||||
"guzzle/guzzle": "~3.1.1",
|
"guzzle/guzzle": "~3.1.1",
|
||||||
"behat/behat": "2.4.*@stable"
|
"behat/behat": "2.4.*@stable"
|
||||||
|
},
|
||||||
|
"autoload": {
|
||||||
|
"psr-0": {
|
||||||
|
"ProcessMaker\\": "workflow/engine/src"
|
||||||
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -252,6 +252,8 @@ class WebApplication
|
|||||||
$apiIniFile = $servicesDir . DS . 'api.ini';
|
$apiIniFile = $servicesDir . DS . 'api.ini';
|
||||||
// $authenticationClass - contains the class name that validate the authentication for Restler
|
// $authenticationClass - contains the class name that validate the authentication for Restler
|
||||||
$authenticationClass = 'ProcessMaker\\Services\\OAuth2\\Server';
|
$authenticationClass = 'ProcessMaker\\Services\\OAuth2\\Server';
|
||||||
|
// $accessControlClass - contains the class name that validate the Access Control for Restler
|
||||||
|
$accessControlClass = 'ProcessMaker\\Policies\\AccessControl';
|
||||||
// $pmOauthClientId - contains PM Local OAuth Id (Web Designer)
|
// $pmOauthClientId - contains PM Local OAuth Id (Web Designer)
|
||||||
$pmOauthClientId = 'x-pm-local-client';
|
$pmOauthClientId = 'x-pm-local-client';
|
||||||
|
|
||||||
@@ -297,6 +299,8 @@ class WebApplication
|
|||||||
$this->rest->setAPIVersion($version);
|
$this->rest->setAPIVersion($version);
|
||||||
// adding $authenticationClass to Restler
|
// adding $authenticationClass to Restler
|
||||||
$this->rest->addAuthenticationClass($authenticationClass, '');
|
$this->rest->addAuthenticationClass($authenticationClass, '');
|
||||||
|
// adding $accessControlClass to Restler
|
||||||
|
$this->rest->addAuthenticationClass($accessControlClass);
|
||||||
|
|
||||||
// Setting database connection source
|
// Setting database connection source
|
||||||
list($host, $port) = strpos(DB_HOST, ':') !== false ? explode(':', DB_HOST) : array(DB_HOST, '');
|
list($host, $port) = strpos(DB_HOST, ':') !== false ? explode(':', DB_HOST) : array(DB_HOST, '');
|
||||||
|
|||||||
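--- /dev/null
+++ b/workflow/engine/src/ProcessMaker/Policies/AccessControl.php
@@ -0,0 +1,105 @@
+<?php
+namespace ProcessMaker\Policies;
+
+use \Luracast\Restler\iAuthenticate;
+use \Luracast\Restler\RestException;
+use \Luracast\Restler\Defaults;
+use \Luracast\Restler\Util;
+use \Luracast\Restler\Scope;
+use \OAuth2\Request;
+use \ProcessMaker\Services\OAuth2\Server;
+use \ProcessMaker\BusinessModel\User;
+
+class AccessControl implements iAuthenticate
+{
+public static $role;
+public static $permission;
+public static $className;
+private $userUid = null;
+private $oUser;
+
+/**
+* This method checks if an endpoint permission or permissions access
+*
+* @return bool
+* @throws RestException
+*/
+public function __isAllowed()
+{
+$response = true;
+$oServerOauth = new Server();
+$this->oUser = new User();
+$server = $oServerOauth->getServer();
+$request = Request::createFromGlobals();
+$allowed = $server->verifyResourceRequest($request);
+$this->userUid = $oServerOauth->getUserId();
+$this->oUser->loadUserRolePermission('PROCESSMAKER', $this->userUid);
+$metadata = Util::nestedValue($this->restler, 'apiMethodInfo', 'metadata');
+if ($allowed && !empty($this->userUid) && (!empty($metadata['access']) && $metadata['access'] == 'protected')) {
+$parameters = Util::nestedValue($this->restler, 'apiMethodInfo', 'parameters');
+if (!is_null(self::$className) && is_string(self::$className)) {
+$authObj = Scope::get(self::$className);
+$authObj->parameters = $parameters;
+$authObj->permission = self::$permission;
+if (!method_exists($authObj, Defaults::$authenticationMethod)) {
+throw new RestException (
+500,
+'Authentication Class should implement iAuthenticate');
+} elseif (!$authObj->{Defaults::$authenticationMethod}()) {
+throw new RestException(401);
+}
+} elseif (!$this->verifyAccess(self::$permission)) {
+throw new RestException(401);
+}
+}
+return $response;
+}
+
+/**
+* @return string
+*/
+public function __getWWWAuthenticateString()
+{
+return '';
+}
+
+/**
+* @param $permissions
+* @return bool
+*/
+public function verifyAccess($permissions)
+{
+$response = false;
+$access = -1;
+if (!is_array($permissions)) {
+$access = $this->userCanAccess($permissions);
+} elseif (count($permissions) > 0) {
+foreach ($permissions as $perm) {
+$access = $this->userCanAccess($perm);
+if ($access == 1) {
+break;
+}
+}
+}
+if ($access == 1 || empty($permissions)) {
+$response = true;
+}
+return $response;
+}
+
+public function userCanAccess($perm)
+{
+$res = -1;
+$permissions = Util::nestedValue($this->oUser, 'aUserInfo', 'PROCESSMAKER', 'PERMISSIONS');
+if (isset($permissions)) {
+$res = -3;
+foreach ($permissions as $key => $val) {
+if ($perm == $val['PER_CODE']) {
+$res = 1;
+break;
+}
+}
+}
+return $res;
+}
+}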
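Review bot: `__isAllowed()` reports success for every request that does not throw: `$response` is set to `true` at the top and returned unchanged, so a request whose bearer token fails `verifyResourceRequest()`, or that carries no user id, simply skips the permission branch and returns `true`. Whether that is harmless depends on how Restler combines the registered authentication classes; if any one passing is enough, this class alone would authorise unauthenticated callers, so I would fail closed before the metadata check: `if (!$allowed || empty($this->userUid)) {` / `    throw new RestException(401);` / `}`. Two related points: `$this->restler` is read but never declared, so if Restler does not inject it `Util::nestedValue()` yields null and the ACL silently never runs — declare `public $restler;` with a comment stating it is expected to be injected by Restler; and `verifyAccess()`/`userCanAccess()` are public, which may expose them as routes if `addAuthenticationClass()` also registers the class as an API class, while `protected` is enough since both are only called internally. The loose comparisons `$perm == $val['PER_CODE']` and `$access == 1` should be `===` so a numeric or empty permission code cannot match unintentionally.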