-rw-r--r--HISTORY1
-rw-r--r--demos/quickstart/protected/pages/Advanced/Auth.page2
-rw-r--r--framework/Security/TAuthorizationRule.php20
3 files changed, 20 insertions, 3 deletions
diff --git a/HISTORY b/HISTORY
index 13a26256..32859838 100644
--- a/HISTORY
+++ b/HISTORY
@@ -4,6 +4,7 @@ BUG: Ticket#621 - TWizardNavigationButtonStyle could not be found (Qiang)
BUG: Ticket#627 - Logout did not set correct status to the user object (Qiang)
BUG: Ticket#650 - Fixed TMysqlMetaData bug about SHOW FULL TABLES (Qiang)
BUG: TWizard Sidebar using TDataListItemRenderer has error (Qiang)
+ENH: Ticket#625 - Added @ to represent authenticated users in auth rules (Qiang)
ENH: Ticket#631 - Make TQueue implement Countable as the other collection classes (Knut)
ENH: Ticket#634 - Override __toString for TXmlElement and TXmlDocument (Knut)
ENH: Ticket#639 - Added setters for certain properties of TTheme (Qiang)
diff --git a/demos/quickstart/protected/pages/Advanced/Auth.page b/demos/quickstart/protected/pages/Advanced/Auth.page
index c8380901..a306c2ae 100644
--- a/demos/quickstart/protected/pages/Advanced/Auth.page
+++ b/demos/quickstart/protected/pages/Advanced/Auth.page
@@ -57,7 +57,7 @@ An authorization rule can be either an <tt>allow</tt> rule or a <tt>deny</tt> ru
</p>
<ul id="u1" class="block-content">
<li><tt>pages</tt> - list of comma-separated page names that this rule applies to. If empty or not set, this rule will apply to all pages under the current directory and all its subdirectories recursively.</li>
-<li><tt>users</tt> - list of comma-separated user names that this rule applies to. A character * refers to all users including anonymous/guest user. And a character ? refers to anonymous/guest user.</li>
+<li><tt>users</tt> - list of comma-separated user names that this rule applies to. A character * refers to all users including anonymous/guest user. A character ? refers to anonymous/guest user. And a character @ refers to authenticated users (available since v3.1).</li>
<li><tt>roles</tt> - list of comma-separated user roles that this rule applies to.</li>
<li><tt>verb</tt> - page access method that this rule applies to. It can be either <tt>get</tt> or <tt>post</tt>. If empty or not set, the rule applies to both methods.</li>
</ul>
diff --git a/framework/Security/TAuthorizationRule.php b/framework/Security/TAuthorizationRule.php
index c5c9f23c..fa1eb134 100644
--- a/framework/Security/TAuthorizationRule.php
+++ b/framework/Security/TAuthorizationRule.php
@@ -18,6 +18,7 @@
* Action can be either 'allow' or 'deny'.
* Guest (anonymous, unauthenticated) users are represented by question mark '?'.
* All users (including guest users) are represented by asterisk '*'.
+ * Authenticated users are represented by '@'.
* Users/roles are case-insensitive.
* Different users/roles are separated by comma ','.
* Verb can be either 'get' or 'post'. If it is absent, it means both.
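Review bot: The added docblock line names the new '@' token but does not say how it relates to '?' and '*', which is what a rule author needs to know when ordering allow/deny rules. From the matching logic in isUserAllowed, '*' behaves as the union of '?' and '@', and the two getters now report true for a '*' rule as well. I would extend the new line to `* Authenticated users are represented by '@'; '*' is equivalent to '?' plus '@'.` so the equivalence is stated where the tokens are defined.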
@@ -53,6 +54,10 @@ class TAuthorizationRule extends TComponent
* @var boolean if this rule applies to guest user
*/
private $_guest;
+ /**
+ * @var boolean if this rule applies to authenticated users
+ */
+ private $_authenticated;
/**
* Constructor.
@@ -72,6 +77,7 @@ class TAuthorizationRule extends TComponent
$this->_roles=array();
$this->_everyone=false;
$this->_guest=false;
+ $this->_authenticated=false;
foreach(explode(',',$users) as $user)
{
if(($user=trim(strtolower($user)))!=='')
@@ -83,6 +89,8 @@ class TAuthorizationRule extends TComponent
}
else if($user==='?')
$this->_guest=true;
+ else if($user==='@')
+ $this->_authenticated=true;
else
$this->_users[]=$user;
}
@@ -136,7 +144,7 @@ class TAuthorizationRule extends TComponent
*/
public function getGuestApplied()
{
- return $this->_guest;
+ return $this->_guest || $this->_everyone;
}
/**
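Review bot: Changing getGuestApplied to return `$this->_guest || $this->_everyone` alters the meaning of an existing public getter: a caller that used it to tell a '?'-only rule apart from a '*' rule can no longer do so, and the HISTORY entry mentions only the '@' addition, not this change. If that is the intent, the getter's docblock (which starts above this hunk) should say so, e.g. `@return boolean if this rule applies to guest user; also true when the rule applies to everyone ('*')`, and the same wording belongs on getAuthenticatedApplied, which follows the same pattern. If callers need the old distinction, consider keeping the raw flag accessible rather than folding '*' into both getters.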
@@ -148,6 +156,14 @@ class TAuthorizationRule extends TComponent
}
/**
+ * @return boolean if this rule applies to authenticated users
+ */
+ public function getAuthenticatedApplied()
+ {
+ return $this->_authenticated || $this->_everyone;
+ }
+
+ /**
* @return integer 1 if the user is allowed, -1 if the user is denied, 0 if the rule does not apply to the user
*/
public function isUserAllowed(IUser $user,$verb)
@@ -155,7 +171,7 @@ class TAuthorizationRule extends TComponent
$decision=($this->_action==='allow')?1:-1;
if($this->_verb==='' || strcasecmp($verb,$this->_verb)===0)
{
- if($this->_everyone || ($this->_guest && $user->getIsGuest()))
+ if($this->_everyone || ($this->_guest && $user->getIsGuest()) || ($this->_authenticated && !$user->getIsGuest()))
return $decision;
if(in_array(strtolower($user->getName()),$this->_users))
return $decision;
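Review bot: The '@' branch on the changed line is sound — it matches exactly the complement of the '?' branch — but the user-name comparison on the line after it still uses a loose `in_array`, so PHP's numeric-string equality applies: if user names can be numeric ('0', '00', '1e3', '1000'), a rule written for one name can match another, which for a `deny` rule means a bypass and for an `allow` rule a grant to the wrong account. Whether numeric user names are possible depends on the IUser implementation, which is not visible here, so this is a hardening point rather than a confirmed defect; the strict form `if(in_array(strtolower($user->getName()),$this->_users,true))` costs nothing and closes it. The body of isUserAllowed continues past the end of this hunk (the role check and the fall-through return are not shown).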