tyler.durden
/
icingaweb2
mirror of https://github.com/Icinga/icingaweb2.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Added permission handlers and related sample config reader 

Please see feature #4108 for sample usage

refs #4108
This commit is contained in:
Thomas Gelf 2014-01-22 13:06:59 +00:00
parent fa861c2c85
commit 0f565aae6a
3 changed files with 169 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

47
library/Icinga/Authentication/Manager.php
View File

@ -369,6 +369,12 @@ class Manager
return false;
}
// TODO: We want to separate permissions and restrictions from
// the user object. This will be possible once session
// had been refactored.
$this->user->loadPermissions();
$this->user->loadRestrictions();
if ($persist == true) {
$this->persistCurrentUser();
$this->session->write();
@ -410,6 +416,47 @@ class Manager
return is_object($this->user);
}
/**
* Whether an authenticated user has a given permission
*
* This is true if the user owns this permission, false if not.
* Also false if there is no authenticated user
*
* TODO: I'd like to see wildcard support, e.g. module/*
*
* @param string $permission Permission name
* @return bool
*/
public function hasPermission($permission)
{
if (! $this->isAuthenticated()) {
return false;
}
foreach ($this->user->getPermissions() as $p) {
if ($p === $permission) {
return true;
}
}
return false;
}
/**
* Get applied restrictions matching a given restriction name
*
* Returns a list of applied restrictions, empty if no user is
* authenticated
*
* @param string $restriction Restriction name
* @return array
*/
public function getRestrictions($restriction)
{
if (! $this->isAuthenticated()) {
return array();
}
return $this->user->getRestrictions($restriction);
}
/**
* Purges the current authorisation information and deletes the session
**/

93
library/Icinga/User.php
View File

@ -29,12 +29,13 @@
namespace Icinga;
use \DateTimeZone;
use \InvalidArgumentException;
use \Icinga\User\Preferences;
use \Icinga\User\Message;
use \Icinga\Authentication\PhpSession;
use DateTimeZone;
use Exception;
use InvalidArgumentException;
use Icinga\User\Preferences;
use Icinga\User\Message;
use Icinga\Authentication\PhpSession;
use Icinga\Application\Config;
/**
* This class represents an authorized user
@ -93,6 +94,13 @@ class User
*/
private $permissions = array();
/**
* Set of restrictions
*
* @var array
*/
private $restrictions = array();
/**
* Groups for this user
*
@ -198,6 +206,19 @@ class User
return $this->permissions;
}
/**
* Return restriction information for this user
*
* @return Array
*/
public function getRestrictions($name)
{
if (array_key_exists($name, $this->restrictions)) {
return $this->restrictions[$name];
}
return array();
}
/**
* Getter for username
*
@ -303,6 +324,66 @@ class User
return $this->domain;
}
/**
* Load permissions for this user from permissions.ini
*
* TODO: - Separate this from the user object once possible
* - Support group permissions once groups are available
*
* @return self
*/
public function loadPermissions()
{
try {
// TODO: Config::app should gracefully handle missing files
$config = Config::app('permissions');
} catch (Exception $e) {
return $this;
}
foreach ($config as $section) {
if ($section->get('user') !== $this->username) {
continue;
}
foreach ($section->toArray() as $key => $val) {
if (false !== ($pos = strpos($key, '_'))
&& substr($key, 0, $pos) === 'permission')
{
$this->permissions[] = $val;
}
}
}
return $this;
}
/**
* Load restrictions for this user from restrictions.ini
*
* TODO: - Separate this from the user object once possible
* - Support group restrictions once groups are available
*
* @return self
*/
public function loadRestrictions()
{
try {
// TODO: Config::app should gracefully handle missing files
$config = Config::app('permissions');
} catch (Exception $e) {
return $this;
}
$config = Config::app('restrictions');
foreach ($config as $section) {
if ($section->get('user') !== $this->username) {
continue;
}
if (! array_key_exists($section->name, $this->restrictions)) {
$this->restrictions[$section->name] = array();
}
$this->restrictions[$section->name][] = $section->restriction;
}
return $this;
}
/**
* Set additional information about user
*

35
library/Icinga/Web/Controller/ActionController.php
View File

@ -89,6 +89,41 @@ class ActionController extends Zend_Controller_Action
}
}
/**
* Return restriction information for an eventually authenticated user
*
* @param string $name Permission name
* @return Array
*/
public function getRestrictions($name)
{
return AuthManager::getInstance()->getRestrictions($name);
}
/**
* Whether the user currently authenticated has the given permission
*
* @param string $name Permission name
* @return bool
*/
public function hasPermission($name)
{
return AuthManager::getInstance()->hasPermission($name);
}
/**
* Throws an exception if user lacks the given permission
*
* @param string $name Permission name
* @throws Exception
*/
public function assertPermission($name)
{
if (! AuthManager::getInstance()->hasPermission($name)) {
// TODO: Shall this be an Auth Exception? Or a 404?
throw new Exception(sprintf('Auth error, no permission for "%s"', $name));
}
}
/**
* Check whether the controller requires a login. That is when the controller requires authentication and the