tyler.durden
/
icingaweb2
mirror of https://github.com/Icinga/icingaweb2.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Added permission handlers and related sample config reader 

Please see feature #4108 for sample usage

refs #4108
This commit is contained in:
Thomas Gelf 2014-01-22 13:06:59 +00:00
parent fa861c2c85
commit 0f565aae6a
3 changed files with 169 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

47
library/Icinga/Authentication/Manager.php
View File

@ -369,6 +369,12 @@ class Manager
return false; return false;
} }
// TODO: We want to separate permissions and restrictions from
// the user object. This will be possible once session
// had been refactored.
$this->user->loadPermissions();
$this->user->loadRestrictions();
if ($persist == true) { if ($persist == true) {
$this->persistCurrentUser(); $this->persistCurrentUser();
$this->session->write(); $this->session->write();
@ -410,6 +416,47 @@ class Manager
return is_object($this->user); return is_object($this->user);
} }
/**
* Whether an authenticated user has a given permission
*
* This is true if the user owns this permission, false if not.
* Also false if there is no authenticated user
*
* TODO: I'd like to see wildcard support, e.g. module/*
*
* @param string $permission Permission name
* @return bool
*/
public function hasPermission($permission)
{
if (! $this->isAuthenticated()) {
return false;
}
foreach ($this->user->getPermissions() as $p) {
if ($p === $permission) {
return true;
}
}
return false;
}
/**
* Get applied restrictions matching a given restriction name
*
* Returns a list of applied restrictions, empty if no user is
* authenticated
*
* @param string $restriction Restriction name
* @return array
*/
public function getRestrictions($restriction)
{
if (! $this->isAuthenticated()) {
return array();
}
return $this->user->getRestrictions($restriction);
}
/** /**
* Purges the current authorisation information and deletes the session * Purges the current authorisation information and deletes the session
**/ **/

93
library/Icinga/User.php
View File

@ -29,12 +29,13 @@
namespace Icinga; namespace Icinga;
use \DateTimeZone; use DateTimeZone;
use \InvalidArgumentException; use Exception;
use \Icinga\User\Preferences; use InvalidArgumentException;
use \Icinga\User\Message; use Icinga\User\Preferences;
use \Icinga\Authentication\PhpSession; use Icinga\User\Message;
use Icinga\Authentication\PhpSession;
use Icinga\Application\Config;
/** /**
* This class represents an authorized user * This class represents an authorized user
@ -93,6 +94,13 @@ class User
*/ */
private $permissions = array(); private $permissions = array();
/**
* Set of restrictions
*
* @var array
*/
private $restrictions = array();
/** /**
* Groups for this user * Groups for this user
* *
@ -198,6 +206,19 @@ class User
return $this->permissions; return $this->permissions;
} }
/**
* Return restriction information for this user
*
* @return Array
*/
public function getRestrictions($name)
{
if (array_key_exists($name, $this->restrictions)) {
return $this->restrictions[$name];
}
return array();
}
/** /**
* Getter for username * Getter for username
* *
@ -303,6 +324,66 @@ class User
return $this->domain; return $this->domain;
} }
/**
* Load permissions for this user from permissions.ini
*
* TODO: - Separate this from the user object once possible
* - Support group permissions once groups are available
*
* @return self
*/
public function loadPermissions()
{
try {
// TODO: Config::app should gracefully handle missing files
$config = Config::app('permissions');
} catch (Exception $e) {
return $this;
}
foreach ($config as $section) {
if ($section->get('user') !== $this->username) {
continue;
}
foreach ($section->toArray() as $key => $val) {
if (false !== ($pos = strpos($key, '_'))
&& substr($key, 0, $pos) === 'permission')
{
$this->permissions[] = $val;
}
}
}
return $this;
}
/**
* Load restrictions for this user from restrictions.ini
*
* TODO: - Separate this from the user object once possible
* - Support group restrictions once groups are available
*
* @return self
*/
public function loadRestrictions()
{
try {
// TODO: Config::app should gracefully handle missing files
$config = Config::app('permissions');
} catch (Exception $e) {
return $this;
}
$config = Config::app('restrictions');
foreach ($config as $section) {
if ($section->get('user') !== $this->username) {
continue;
}
if (! array_key_exists($section->name, $this->restrictions)) {
$this->restrictions[$section->name] = array();
}
$this->restrictions[$section->name][] = $section->restriction;
}
return $this;
}
/** /**
* Set additional information about user * Set additional information about user
* *

35
library/Icinga/Web/Controller/ActionController.php
View File

@ -89,6 +89,41 @@ class ActionController extends Zend_Controller_Action
} }
} }
/**
* Return restriction information for an eventually authenticated user
*
* @param string $name Permission name
* @return Array
*/
public function getRestrictions($name)
{
return AuthManager::getInstance()->getRestrictions($name);
}
/**
* Whether the user currently authenticated has the given permission
*
* @param string $name Permission name
* @return bool
*/
public function hasPermission($name)
{
return AuthManager::getInstance()->hasPermission($name);
}
/**
* Throws an exception if user lacks the given permission
*
* @param string $name Permission name
* @throws Exception
*/
public function assertPermission($name)
{
if (! AuthManager::getInstance()->hasPermission($name)) {
// TODO: Shall this be an Auth Exception? Or a 404?
throw new Exception(sprintf('Auth error, no permission for "%s"', $name));
}
}
/** /**
* Check whether the controller requires a login. That is when the controller requires authentication and the * Check whether the controller requires a login. That is when the controller requires authentication and the