srigi/ipub-security
Composer 安装命令:
composer require srigi/ipub-security
包简介
ACL permissions setter & checker for Nette Framework
README 文档
README
ACL permissions setter & checker for Nette Framework.
srigi/ipub-security is a library that allows easy configuration of Nette Framework ACL system. It supports roles & resources inheritance and also permission assertions are supported.
Installation
The best way to install srigi/ipub-security is by using Composer. To get the latest version of the library run this command at the root of your project:
$ composer require srigi/ipub-security
Or you can specify dependency by hand:
{
"require": {
"srigi/ipub-security": "^1.3.0"
}
}
Setup
After installation you need to register the DI extension. If your'e using Nette 2.3, you can do that by configuration:
extensions: permission: IPub\Security\DI\SecurityExtension
I case of Nette 2.2 register extension in your bootstrap.php:
$configurator = new Nette\Configurator; // ...some other code IPub\Security\DI\SecurityExtension::register($configurator);
The ACL system 101
Nette ACL system brings some terminology you should know befor continuing. First there are resources that one (a role) wants to access (privilege). This forms a permission. Example is the best teacher:
resources - intranet, salesModule, serversDashboard, databaseServersDashboard
roles - admininstrator, guest, authenticated, employee, sales, engineer
privileges - access, powerOn, powerOff, reboot
permission - this is just abstract concept when you combine above three entities:
authenticatedcanaccesstheintranetengineercanreboottheserversDashboardadministratorcan doALLonALL
resources and roles can inherit from each other and create hierarchies:
intranet
├ salesModule
└ serversDashboard
└ databaseServersDashboard
administrator
guest
└ authenticated
└ employee
├ sales
└ engineer
└ backend-engineer
If there is a permission (combination of resource, role and privilege) registered, this inherits down. In our little example engineer can access the intranet because is inheriting this permission from authenticated.
More on this can be found in access control chapter of Nette Framework documentation.
Creating permissions
Permission is represented by instance of IPub\Security\Entities\IPermission. Such instance is providing a IPub\Security\Entities\IResource resource instance, a privilege (defined as string) and assertion (defined as callable). All three components of the permission are optional.
Permissions definitions must be provided by service implementing IPub\Security\Providers\IPermissionsProvider. Library srigi/ipub-security have example implementation of such provider you can use in your project. Or you can write your own.
Defining set of permissions with our PermissionsProvider is very easy:
class MyPermissionsProvider extends IPub\Security\Providers\PermissionsProvider { public function __construct() { $intranet = $this->addResource('intranet'); $this->addPermission($intranet, Nette\Security\IAuthorizator::ALL); $this->addPermission($intranet, 'access'); $this->addPermission($intranet, 'update'); $salesModule = $this->addResource('salesModule', $this->getResource('intranet')); $this->addPermission($salesModule, 'access'); $this->addPermission($salesModule, 'edit', function($acl, $role, $resource, $privilege) { // ...code of permission assertion }); // ... more permissions definitions } }
Now just register your permission provider:
services: - MyPermissionsProvider
Creating roles & assigning permissions
Similarly as permission also roles have its own interface and needs a provider service. This provider should also assign permissions to the role:
class MyRolesProvider extends IPub\Security\Providers\RolesProvider { /** * @param MyPermissionsProvider $permissionsProvider */ public function __construct(MyPermissionsProvider $permissionsProvider) { $permissions = $permissionsProvider->getPermissions(); $this->addRole(Entities\IRole::ROLE_ADMINISTRATOR); $this->addRole(Entities\IRole::ROLE_ANONYMOUS); $this->addRole(Entities\IRole::ROLE_AUTHENTICATED, $this->getRole(Entities\IRole::ROLE_ANONYMOUS), $permissions['intranet:access']); $this->addRole('employee', $this->getRole(Entities\IRole::ROLE_AUTHENTICATED)); $this->addRole('sales', $this->getRole('employee'), [ $permissions['salesModule:'], ]); $this->addRole('engineer', $this->getRole('employee'), [ $permissions['servers:access'], ]); // ...more roles & permissions assignments }
Don't forget to register your roles provider:
services: - MyRolesProvider
Now your'e set!
Checking permissions
Library provide a PHP trait, which enables pleasant quering Nette ACL system we've just configured. Please note that traits are available from PHP 5.4, for older versions of PHP you must copy/paste trait contents. This trait is effective only in presenter(s).
class BasePresenter extends Nette\Application\UI\Presenter { use IPub\Security\TPermission; }
Using annotations
You can fine-tune checking logic by this set of annotations:
/** * @Secured * @Secured\User(loggedIn) * @Secured\Resource(RESOURCE_NAME) * @Secured\Privilege(PRIVILEGE_NAME) * @Secured\Permission(RESOURCE_NAME: PRIVILEGE_NAME) * @Secured\Role(ROLE_NAME) */ class IntranetPresenter extends BasePresenter { /** * @Secured * @Secured\Permission(RESOURCE_NAME: PRIVILEGE_NAME) */ public function renderDefault() { } }
@Secured
This annotation instruct security system that presenter is subject to the permissions check. Without it permission checking will be skipped completely!
@Secured\User
This annotation accept value loggedIn or guest. Access to any resource and any privilege is controled only by login state of the current user.
Next annotations are working over Nette\Security\User roles assigned during login process.
@Secured\Resource
Access is granted only if role is allowed to access specified resource.
@Secured\Privilege
This grand access only if role is allowed to access specified privilege.
@Secured\Permission
Combination of above two - access is granted only if role have resource: privilege permission.
@Secured\Role
Grand access only to specified role.
On every place where *_NAME applies, you can specify multiple names separated by comma.
Using in presenters, components, models, etc.
Permission check can be performed also manually. You just need Nette\Security\User instance on which you call:
$user->isAllowed('resource', 'privilege');
TRUE of FALSE is returned respecively.
Using in Latte
In latte you can use two special macros.
<p>This text is for everyone...</p> {ifAllowed resource => 'intranet', privilege => 'access'} <p>But this one is only for special persons...</p> {/ifAllowed}
Macro ifAllowed is very similar to annotations definitions. You can use here one or all of available parameters: user, resource, privilege, permission or role.
This macro can be also used as n: macro:
<p>This text is for everyone...</p> <p n:ifAllowed resource => 'intranet', privilege => 'access'> But this one is only for special persons...</p>
And second special macro is for links:
<a n:allowedHref="Intranet:">Link to Intranet...</a>
Macro n:allowedHref is expecting only valid link and in case user doesn't have permission to that resource, link isn't displayed.
Redirect to login page
If user is not logged-in and tries to access secured resource a default action is throwing the Nette\Application\ForbiddenRequestException. However if you configure so called redirectUrl, request will be redirected to this url (login page) when this situation occurs.
Also all parameters of the original request will be stored. That way you are able to restore original request and be redirected to secured resource after successful login. To configure redirectUrl add this to your configuration:
permission:
redirectUrl: 'Login:default'
To restore the original request prepare persistent param backlink in the presenter and use it in login procedure (callback)
class LoginPresenter { /** @persistent */ public $backlink; public function processLoginForm($form) { // try $this->getUser()->login($form->getValues()); $this->restoreRequest($this->backlink); $this->redirect('Admin:default'); // catch } }
TODO
- check
IPub\Security\Entities\Permissionconstructor types - make documentation examples to be in sync w/ tests
- tests for
IPub\Security\Providers\* - latte macros tests
- check annotations test logic
- permissions-assertions tests/doc
RolesProvider::allow,RolesProvider::denymethods
History
- 1.3.4 Add
redirectUrlfunctionality - 1.3.0 Rename
RolesModelandIPub\Security\ModelstoRolesProviderandIPub\Security\Providers - 1.2.0 Rewrite
Security\Permissionto support resource inheritance & permissions assertions - 1.1.0 Cloned library into
srigi/ipub-permissions - 1.0.1 Added roles inheritance
License
New BSD License or the GNU General Public License (GPL) version 2 or 3, see license.md.
srigi/ipub-security 适用场景与选型建议
srigi/ipub-security 是一款 基于 PHP 开发的 Composer 扩展包,目前已累计 1.63k 次下载、GitHub Stars 达 2, 最近一次更新时间为 2015 年 11 月 09 日, 在 PHP 生态内属于活跃度较高的组件。
它主要适用于以下技术方向: 「annotations」 「library」 「annotation」 「nette」 「acl」 「permission」 等业务场景。在实际项目中,围绕这些方向常见需要落地的问题包括:接口对接、性能调优、并发安全、与既有框架(Laravel / ThinkPHP / Yii / Webman 等)的兼容适配,以及生产环境的日志埋点与稳定性保障。
我们在过去多个企业项目中使用过 srigi/ipub-security 或与其功能相近的方案,如果你在选型或落地过程中遇到问题,例如 版本兼容、二次改造、私有化封装、与内部系统对接、生产 BUG 排查,欢迎联系我们协助评估。
基于 srigi/ipub-security 在你已有业务上做功能扩展、字段裁剪、UI 适配、与内部账号 / 权限 / 日志系统的深度对接。
线上偶发问题、内存泄漏、慢查询、并发异常等排查修复;针对高流量场景做缓存、队列、索引层面的调优。
承接完整的项目从需求 → 设计 → 开发 → 上线 → 长期运维;也可按月提供技术保姆服务。
与 srigi/ipub-security 相关的其它包
同方向 / 同关键字的高下载量 PHP Composer 包推荐,方便对比选型:
A collection of helpers for PHPUnit to ease testing Tarantool libraries.
Symfony bundle to add arbitrary metadata to classes and their constants by annotation
Inbox pattern process implementation for your Laravel Applications
The last validation library you will ever need!
Core library that defines common interfaces used by the rest of the intahwebz..
Customizations for routing
统计信息
- 总下载量: 1.63k
- 月度下载量: 0
- 日度下载量: 0
- 收藏数: 2
- 点击次数: 19
- 依赖项目数: 0
- 推荐数: 0
其他信息
- 授权协议: BSD-3-Clause
- 更新时间: 2015-11-09