I am developing a site using laravel 4, and trying to implement my ACL using Sentry 2. I need help on how to structure the following:
I have the following permissions for role HR:
Staffs|View staff details
Staffs|Register new staff
Staffs|Edit staff details
Staffs|Delete staff details
Corresponding to the following routes:
//get route to staffs landing page
Route::get('staffs/view-staffs', 'UsersController#getManageStaffs');
//post routes
Route::post('staffs/add-staff', 'UsersController#postAddStaff');
Route::post('staffs/update-staff', 'UsersController#postUpdateStaff');
Route::post('staffs/delete-staff', 'UsersController#postDeleteStaff');
I need access control for the following:
link on my menu for view-staffs: if all staff permission are disabled, disable link. This is how i am doing it:
if($user->hasAnyAccess(array('Staffs|View staff details', 'Staffs|Register new staff', 'Staffs|Edit staff details', 'Staffs|Delete staff details')))
{
//display menu link
}
my routes: if all staff permissions are disabled, disable all routes that fall under "staffs/"
//For this, i have no idea how to restrict routes based on my permissions
//But i don't want to do it like i did in (1) within my controllers
disable action buttons that corresbond to a disabled permission
//same as no (1)
You can do something like the following:
In app/filters.php, create a filter as follows.
Route::filter('permissions', function()
{
$name = Route::current()->getName();
$name = 'system' . ( ! empty($name) ? '.' : '') . $name;
if (!UserHelper::hasPermission($name)) {
App::abort(401, 'You are not authorized to access route '.$name);
}
});
You can apply the filter by putting a before filter on your route, e.g.
Route::group(array('before' => 'permissions'), function()
{
// routes
}
With this system, you could create permission groups like these:
Sentry::getGroupProvider()->create(array(
'id' => 1,
'name' => 'Super Administrators',
'permissions' => array(
'system' => 1,
),
));
Sentry::getGroupProvider()->create(array(
'id' => 2,
'name' => 'Administrators',
'permissions' => array(
'system.users' => 1,
'system.products' => 1,
'system.store' => 1,
'system.profile' => 1,
),
));
Sentry::getGroupProvider()->create(array(
'id' => $id++,
'name' => 'Managers',
'permissions' => array(
'system.products' => 1,
'system.store' => 1,
'system.profile' => 1,
),
));
So if a user has the system.products permission, he'd be able to use every products route.
Now, for the part where you wish to show links to certain groups, you can do that with a helper like this:
public static function has($permission)
{
$all = [];
$parts = explode('.',$permission);
$permission = '';
foreach($parts as $part) {
$permission .= (!empty($permission) ? '.' : '') . $part;
$all[] = $permission;
}
return Sentry::check() and Sentry::getUser()->hasAnyAccess($all);
}
You'd simply pass the route name (e.g. system.products) to the function and it'll return whether the user has access to it.
Source: https://laracasts.com/forum/conversation/post/2819
There is a cool package for sentry ACL that implements a fully featured admin panel https://github.com/intrip/laravel-authentication-acl
Related
Basically in trying to create an inbox message which "read details" should redirect the user to a custom controller, however i can see the desired url in the browser for a second and then it redirects to the dashboard; this is how, currently, im trying to achieve that:
$myId = $myJson['id'];
$title = "Title of my notice";
$description = $myJson['text'];
$url= Mage::helper("adminhtml")->getUrl('My_Module/Controller/index', array('id' => $myId));
$sendingMessage = Mage::getModel('adminnotification/inbox')->addNotice($title,$description,$url);
The code above successfully adds the message to the inbox, however as i said before, i can see the desired URL in the browser before it gets redirected to the dashboard.
I'm accessing the same controller from another one and it does it as expected, the one that is actually working is a Grid and it looks something like this:
$this->addColumn('action',
array(
'header' => __('Answer'),
'width' => '100',
'type' => 'action',
'getter' => 'getId',
'actions' => array(
array(
'caption' => __('Answer'),
'url' => array('base'=> '*/Controller'),
'field' => 'id'
)),
'filter' => false,
'sortable' => false,
'index' => 'stores',
'is_system' => true,
));
So, am i missing something here ?
BTW, is there any way to make the "read details" link to open in the same page instead of a new tab?
==================================================================
UPDATE
Disabling the "Add Secret Key to URLs" in the security options allowed me get it work, however i would like to make use of the secret keys.
The URLs i'm generating in the first code block actually have a key/value in the URLs, they look something like this:
https://example.com/index.php/mymodule/Controller/index/id/3963566814/key/f84701848a22d2ef36022accdb2a6a69/
It looks like you're trying to generate an admin URL. In modern versions of Magento, admin urls must use the adminhtml front name, using the Magento Front Name Sharing technique (described in this article). That's must as in if you don't, the URLs won't work. Magento removed the ability to create non-adminhtml URLs in the backend.
Second, here's where Magento generates the secret keys
#File: app/code/core/Mage/Adminhtml/Model/Url.php
public function getSecretKey($controller = null, $action = null)
{
$salt = Mage::getSingleton('core/session')->getFormKey();
$p = explode('/', trim($this->getRequest()->getOriginalPathInfo(), '/'));
if (!$controller) {
$controller = !empty($p[1]) ? $p[1] : $this->getRequest()->getControllerName();
}
if (!$action) {
$action = !empty($p[2]) ? $p[2] : $this->getRequest()->getActionName();
}
$secret = $controller . $action . $salt;
return Mage::helper('core')->getHash($secret);
}
and here's where it validates the secret key
#File: app/code/core/Mage/Adminhtml/Controller/Action.php
protected function _validateSecretKey()
{
if (is_array($this->_publicActions) && in_array($this->getRequest()->getActionName(), $this->_publicActions)) {
return true;
}
if (!($secretKey = $this->getRequest()->getParam(Mage_Adminhtml_Model_Url::SECRET_KEY_PARAM_NAME, null))
|| $secretKey != Mage::getSingleton('adminhtml/url')->getSecretKey()) {
return false;
}
return true;
}
Compare the pre/post hash values of $secret to see why Magento's generating the incorrect key on your page.
i am using " romanbican - bicon roles ", i don't see sufficient information for the " Creating Roles ",
code is available but i don't know where i paste this code, please suggest quick steps to implement permissions.
I used this same laravel package and simply created a new controller and route pointing to the the following controller methods:
public function getRoleAdmin()
{
$adminRole = Role::create([
'name' => 'Admin',
'slug' => 'admin',
'description' => 'System Administrator', // optional
'level' => 1, // optional, set to 1 by default
]);
}
public function getRoleModerator()
{
$moderatorRole = Role::create([
'name' => 'Forum Moderator',
'slug' => 'forum.moderator',
'description' => 'Forum Moderator',
'level' => 1,
]);
}
I then created a simple view with a button for each calling the appropriate route/controller/method to create either a new moderator or administrator role. You will see that calling Role::create simply creates a new record in the roles table with these attributes which you could easily perform with a standard DB call to insert into the table. I used the same approach for creating/deleting permissions.
I'm developing an web app using codeigniter. When I try to click
an image (using detail method), it doesn't include the ID of the image in the link.
I have tried many times, but it still doesn't work. I've even run the same project on another team member's PC, but it still doesn't work on my PC.
Here's the code:
public function detail($url_title, $id = '') {
// Get user logged in id
$user_id = $this->auth->userid();
// Decode url id
$id = decode_safe_url(#$id);
// Get survey master info
// division 0 mean survey, status 0 is not publish
$survey = $this->egsurveymaster->get(array('id' => #$id, 'division' => '1', 'status != ' => "0"));
// Redirect if product review is not exist
if (!#$survey) {
redirect('andrasurvey');
}
// Update read count
if (isset($_COOKIE['eblo_pcid'])) {
$this->egsurveymaster->count_read(#$id, $_COOKIE['andra_pcid']);
}
// Title
$this->template->title = asset_title('Andra Survey - ' . #$survey->title);
// Vars
$vars = array(
'contents' => array(
'master_id' => #$survey->id,
'review' => $this->_overviewContent(#$survey->id, #$survey),
),
'snsContents' => array(
'title' => #$survey->title,
'image' => asset_url(#$survey->image),
'url' => base_url('andrasurvey/detail/' . url_title(#$survey->title) . '/' . encode_safe_url(#$survey->id)),
'content' => character_limiter(strip_tags(#$survey->content, 150)),
'keywords' => trim(#$survey->title) . ', ',
'username' => 'andraadmin',
),
);
// Content
$this->template->content->view(asset_content('detail'), #$vars);
// publish the template
$this->template->publish();
}
When I click the image, this is what I get:
http://localhost:1234/andrasurvey/survey/detail/umur-anda-yang-seharusnya/
I really need your help,
Thank you.
I'm implementing an authorisation process based on values not on verb.
Example:
all users/groups are allowed to update a db field
admin can set status to all possible values (confirmed | pending | cancelled)
supplier can set to 'confirmed'
All examples I find go around a user/group being able or not to insert,update or delete something.
Is there something out there to deal with situations like this out of the box, or this has be hard coded?
Basically what you need is something hard to maintain in any application: granular permissions.
You can get this to work easily using Cartalyst's Sentry. Here's how I do it:
All my routes are hierarchically organized and named as such:
<?php
Route::get('login', array('as'=>'logon.login', 'uses'=>'LogonController#login'));
Route::get('logged/out', array('as'=>'logon.loggedOut', 'uses'=>'LogonController#loggedOut'));
Route::group(array('before' => 'auth'), function()
{
Route::get('logout', array('as'=>'logon.logout', 'uses'=>'LogonController#logout'));
Route::group(array('before' => 'permissions'), function()
{
Route::get('store/checkout/shipping/address', array('as'=>'store.checkout.shipping.address', 'uses'=>'StoreController#shippingAddress'));
Route::get('store/checkout/payment/confirmed', array('as'=>'store.checkout.payment.confirmed', 'uses'=>'StoreController#confirmed'));
Route::get('profile', array('as'=>'profile.show', 'uses'=>'ProfileController#show'));
});
});
Those under the filter 'permissions' are subject to check if user has rights to use them:
Route::filter('permissions', function()
{
$name = Route::current()->getName();
$name = 'system' . ( ! empty($name) ? '.' : '') . $name;
if (!Permission::has($name)) {
App::abort(401, 'You are not authorized to access route '.$name);
}
});
Basically here I get the current route name, add 'system.' to it and check if the user has this particular permission.
Here's how I create my groups and populate permissions:
<?php
public function seedPermissions()
{
DB::table('groups')->truncate();
$id = 1;
Sentry::getGroupProvider()->create(array(
'id' => $id++,
'name' => 'Super Administrators',
'permissions' => array(
'system' => 1,
),
));
Sentry::getGroupProvider()->create(array(
'id' => $id++,
'name' => 'Administrators',
'permissions' => array(
'system.users' => 1,
'system.products' => 1,
'system.store' => 1,
'system.profile' => 1,
),
));
Sentry::getGroupProvider()->create(array(
'id' => $id++,
'name' => 'Managers',
'permissions' => array(
'system.products' => 1,
'system.store' => 1,
'system.profile' => 1,
),
));
Sentry::getGroupProvider()->create(array(
'id' => $id++,
'name' => 'Users',
'permissions' => array(
'system.store.checkout' => 1,
'system.profile' => 1,
),
));
}
So if a user is trying to add some shipping address, the route 'store.checkout.payment.confirmed', as every user has access to 'system.store.checkout', everything inside that route will available to him.
And this is how I check for permissions:
public static function has($permission)
{
$all = [];
$parts = explode('.',$permission);
$permission = '';
foreach($parts as $part) {
$permission .= (!empty($permission) ? '.' : '') . $part;
$all[] = $permission;
}
return Sentry::check() and Sentry::getUser()->hasAnyAccess($all);
}
It basically builds a list of routes:
system
system.store
system.store.checkout
system.store.checkout.payment
system.store.checkout.payment.confirmed
And if Sentry finds one of those in the users granular permissions it will return true.
Now I just have to add users to groups:
Sentry::findUserById(1)->addGroup( Sentry::getGroupProvider()->findByName('Users') );
And if I need to go granular on a particular user/permission I just need to:
$user = Sentry::findUserById(1);
$user->permissions['store.checkout.payment'] = false;
$user->save();
And the user will never be able to pay for anything in the store again. :)
I am using the latest Ion Auth files along with the latest version of CodeIgniter 2.
There is a function called edit_user within the auth.php Controller file. This function is restricted to use only by members within the "Admin" group, and any Admin member can edit any other member using the function via this URL...
/auth/edit_user/id
The problem is that I don't see any Controller function or View that allows a regular (non-Admin) user to edit their own account details.
Would this be a new Controller function I'd need to write (modify edit_user function?) or is this something that Ion Auth should already do? If so, how?
Here is the stock Ion Auth edit_user function contained within the auth.php Controller...
function edit_user($id)
{
$this->data['title'] = "Edit User";
if (!$this->ion_auth->logged_in() || !$this->ion_auth->is_admin())
{
redirect('auth', 'refresh');
}
$user = $this->ion_auth->user($id)->row();
//process the phone number
if (isset($user->phone) && !empty($user->phone))
{
$user->phone = explode('-', $user->phone);
}
//validate form input
$this->form_validation->set_rules('first_name', 'First Name', 'required|xss_clean');
$this->form_validation->set_rules('last_name', 'Last Name', 'required|xss_clean');
$this->form_validation->set_rules('phone1', 'First Part of Phone', 'required|xss_clean|min_length[3]|max_length[3]');
$this->form_validation->set_rules('phone2', 'Second Part of Phone', 'required|xss_clean|min_length[3]|max_length[3]');
$this->form_validation->set_rules('phone3', 'Third Part of Phone', 'required|xss_clean|min_length[4]|max_length[4]');
$this->form_validation->set_rules('company', 'Company Name', 'required|xss_clean');
if (isset($_POST) && !empty($_POST))
{
// do we have a valid request?
if ($this->_valid_csrf_nonce() === FALSE || $id != $this->input->post('id'))
{
show_error('This form post did not pass our security checks.');
}
$data = array(
'first_name' => $this->input->post('first_name'),
'last_name' => $this->input->post('last_name'),
'company' => $this->input->post('company'),
'phone' => $this->input->post('phone1') . '-' . $this->input->post('phone2') . '-' . $this->input->post('phone3'),
);
//update the password if it was posted
if ($this->input->post('password'))
{
$this->form_validation->set_rules('password', 'Password', 'required|min_length[' . $this->config->item('min_password_length', 'ion_auth') . ']|max_length[' . $this->config->item('max_password_length', 'ion_auth') . ']|matches[password_confirm]');
$this->form_validation->set_rules('password_confirm', 'Password Confirmation', 'required');
$data['password'] = $this->input->post('password');
}
if ($this->form_validation->run() === TRUE)
{
$this->ion_auth->update($user->id, $data);
//check to see if we are creating the user
//redirect them back to the admin page
$this->session->set_flashdata('message', "User Saved");
redirect("auth", 'refresh');
}
}
//display the edit user form
$this->data['csrf'] = $this->_get_csrf_nonce();
//set the flash data error message if there is one
$this->data['message'] = (validation_errors() ? validation_errors() : ($this->ion_auth->errors() ? $this->ion_auth->errors() : $this->session->flashdata('message')));
//pass the user to the view
$this->data['user'] = $user;
$this->data['first_name'] = array(
'name' => 'first_name',
'id' => 'first_name',
'type' => 'text',
'value' => $this->form_validation->set_value('first_name', $user->first_name),
);
$this->data['last_name'] = array(
'name' => 'last_name',
'id' => 'last_name',
'type' => 'text',
'value' => $this->form_validation->set_value('last_name', $user->last_name),
);
$this->data['company'] = array(
'name' => 'company',
'id' => 'company',
'type' => 'text',
'value' => $this->form_validation->set_value('company', $user->company),
);
$this->data['phone1'] = array(
'name' => 'phone1',
'id' => 'phone1',
'type' => 'text',
'value' => $this->form_validation->set_value('phone1', $user->phone[0]),
);
$this->data['phone2'] = array(
'name' => 'phone2',
'id' => 'phone2',
'type' => 'text',
'value' => $this->form_validation->set_value('phone2', $user->phone[1]),
);
$this->data['phone3'] = array(
'name' => 'phone3',
'id' => 'phone3',
'type' => 'text',
'value' => $this->form_validation->set_value('phone3', $user->phone[2]),
);
$this->data['password'] = array(
'name' => 'password',
'id' => 'password',
'type' => 'password'
);
$this->data['password_confirm'] = array(
'name' => 'password_confirm',
'id' => 'password_confirm',
'type' => 'password'
);
$this->load->view('auth/edit_user', $this->data);
}
Unless I'm missing something, I ended up modifying the edit_user function within the auth.php Controller as follows.
I changed this line which checks to see that the user is "not logged in" OR "not an admin" before dumping them out...
if (!$this->ion_auth->logged_in() || !$this->ion_auth->is_admin())
{
redirect('auth', 'refresh');
}
...into this, which check to see that the user is "not logged in" OR ("not an admin" AND "not the user") before dumping them out...
if (!$this->ion_auth->logged_in() || (!$this->ion_auth->is_admin() && !($this->ion_auth->user()->row()->id == $id)))
This seems to be working...
Admin can edit all accounts
User can only edit his own account
and somebody not logged in, can't edit any account.
Edit: However, the user also has access to the "groups" setting and could simply put themself into the "admin" group. Not good.
Ion Auth's developer refers to the files he provides as working "examples". Therefore, it's up to the end-developer to edit Ion Auth to suit the needs of the project.
To prevent the user from being able to make himself an "admin" requires a simple change to the edit_user.php view file.
Verifies the user is already an "admin" before creating the checkboxes...
<?php if ($this->ion_auth->is_admin()): ?>
// code that generates Groups checkboxes
<?php endif ?>
Then you'll also need to thoroughly test and adjust as needed. For example, after editing a user profile, you're redirected to the auth view. Since the user doesn't have permission to see the auth view, there is a "must be an admin" error. In the controller file, you'll have to add the appropriate logic to properly redirect the user when they're not an "admin".
No Ion Auth doesn't do this as is - it's pretty light weight. But it's not hard to do and your on the right track, just grab that edit_user method and take out the admin checks and make it so the user can only edit their own account, just alter it so that it only updates user details for the currently logged in user.
Check the ion auth docs, have a crack at it and come back with some code if you have any problems.