HOR-1440 Create class AccessControl to implement ACL functionality in endpoints
up observations
This commit is contained in:
Ronald Q
@@ -38,5 +38,10 @@
|
||||
"require-dev": {
|
||||
"guzzle/guzzle": "~3.1.1",
|
||||
"behat/behat": "2.4.*@stable"
|
||||
},
|
||||
"autoload": {
|
||||
"psr-0": {
|
||||
"ProcessMaker\\": "workflow/engine/src"
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
@@ -252,6 +252,8 @@ class WebApplication
|
||||
$apiIniFile = $servicesDir . DS . 'api.ini';
|
||||
// $authenticationClass - contains the class name that validate the authentication for Restler
|
||||
$authenticationClass = 'ProcessMaker\\Services\\OAuth2\\Server';
|
||||
// $accessControlClass - contains the class name that validate the Access Control for Restler
|
||||
$accessControlClass = 'ProcessMaker\\Policies\\AccessControl';
|
||||
// $pmOauthClientId - contains PM Local OAuth Id (Web Designer)
|
||||
$pmOauthClientId = 'x-pm-local-client';
|
||||
|
||||
@@ -297,6 +299,8 @@ class WebApplication
|
||||
$this->rest->setAPIVersion($version);
|
||||
// adding $authenticationClass to Restler
|
||||
$this->rest->addAuthenticationClass($authenticationClass, '');
|
||||
// adding $accessControlClass to Restler
|
||||
$this->rest->addAuthenticationClass($accessControlClass);
|
||||
|
||||
// Setting database connection source
|
||||
list($host, $port) = strpos(DB_HOST, ':') !== false ? explode(':', DB_HOST) : array(DB_HOST, '');
|
||||
|
||||
105
workflow/engine/src/ProcessMaker/Policies/AccessControl.php
Normal file
105
workflow/engine/src/ProcessMaker/Policies/AccessControl.php
Normal file
@@ -0,0 +1,105 @@
|
||||
<?php
|
||||
namespace ProcessMaker\Policies;
|
||||
|
||||
use \Luracast\Restler\iAuthenticate;
|
||||
use \Luracast\Restler\RestException;
|
||||
use \Luracast\Restler\Defaults;
|
||||
use \Luracast\Restler\Util;
|
||||
use \Luracast\Restler\Scope;
|
||||
use \OAuth2\Request;
|
||||
use \ProcessMaker\Services\OAuth2\Server;
|
||||
use \ProcessMaker\BusinessModel\User;
|
||||
|
||||
class AccessControl implements iAuthenticate
|
||||
{
|
||||
public static $role;
|
||||
public static $permission;
|
||||
public static $className;
|
||||
private $userUid = null;
|
||||
private $oUser;
|
||||
|
||||
/**
|
||||
* This method checks if an endpoint permission or permissions access
|
||||
*
|
||||
* @return bool
|
||||
* @throws RestException
|
||||
*/
|
||||
public function __isAllowed()
|
||||
{
|
||||
$response = true;
|
||||
$oServerOauth = new Server();
|
||||
$this->oUser = new User();
|
||||
$server = $oServerOauth->getServer();
|
||||
$request = Request::createFromGlobals();
|
||||
$allowed = $server->verifyResourceRequest($request);
|
||||
$this->userUid = $oServerOauth->getUserId();
|
||||
$this->oUser->loadUserRolePermission('PROCESSMAKER', $this->userUid);
|
||||
$metadata = Util::nestedValue($this->restler, 'apiMethodInfo', 'metadata');
|
||||
if ($allowed && !empty($this->userUid) && (!empty($metadata['access']) && $metadata['access'] == 'protected')) {
|
||||
$parameters = Util::nestedValue($this->restler, 'apiMethodInfo', 'parameters');
|
||||
if (!is_null(self::$className) && is_string(self::$className)) {
|
||||
$authObj = Scope::get(self::$className);
|
||||
$authObj->parameters = $parameters;
|
||||
$authObj->permission = self::$permission;
|
||||
if (!method_exists($authObj, Defaults::$authenticationMethod)) {
|
||||
throw new RestException (
|
||||
500,
|
||||
'Authentication Class should implement iAuthenticate');
|
||||
} elseif (!$authObj->{Defaults::$authenticationMethod}()) {
|
||||
throw new RestException(401);
|
||||
}
|
||||
} elseif (!$this->verifyAccess(self::$permission)) {
|
||||
throw new RestException(401);
|
||||
}
|
||||
}
|
||||
return $response;
|
||||
}
|
||||
|
||||
/**
|
||||
* @return string
|
||||
*/
|
||||
public function __getWWWAuthenticateString()
|
||||
{
|
||||
return '';
|
||||
}
|
||||
|
||||
/**
|
||||
* @param $permissions
|
||||
* @return bool
|
||||
*/
|
||||
public function verifyAccess($permissions)
|
||||
{
|
||||
$response = false;
|
||||
$access = -1;
|
||||
if (!is_array($permissions)) {
|
||||
$access = $this->userCanAccess($permissions);
|
||||
} elseif (count($permissions) > 0) {
|
||||
foreach ($permissions as $perm) {
|
||||
$access = $this->userCanAccess($perm);
|
||||
if ($access == 1) {
|
||||
break;
|
||||
}
|
||||
}
|
||||
}
|
||||
if ($access == 1 || empty($permissions)) {
|
||||
$response = true;
|
||||
}
|
||||
return $response;
|
||||
}
|
||||
|
||||
public function userCanAccess($perm)
|
||||
{
|
||||
$res = -1;
|
||||
$permissions = Util::nestedValue($this->oUser, 'aUserInfo', 'PROCESSMAKER', 'PERMISSIONS');
|
||||
if (isset($permissions)) {
|
||||
$res = -3;
|
||||
foreach ($permissions as $key => $val) {
|
||||
if ($perm == $val['PER_CODE']) {
|
||||
$res = 1;
|
||||
break;
|
||||
}
|
||||
}
|
||||
}
|
||||
return $res;
|
||||
}
|
||||
}
|
||||
Reference in New Issue
Block a user