From 3f5229142af88f0cc44644cc756d908138e5a790 Mon Sep 17 00:00:00 2001
From: xue <>
Date: Sun, 16 Sep 2007 19:32:58 +0000
Subject: Make auth rules more consistently handled.
---
 framework/Security/TAuthorizationRule.php | 68 +++++++++++++++++++++----------
 1 file changed, 46 insertions(+), 22 deletions(-)
(limited to 'framework/Security/TAuthorizationRule.php')
diff --git a/framework/Security/TAuthorizationRule.php b/framework/Security/TAuthorizationRule.php
index 42a11412..bdc0e902 100644
--- a/framework/Security/TAuthorizationRule.php
+++ b/framework/Security/TAuthorizationRule.php
@@ -85,6 +85,9 @@ class TAuthorizationRule extends TComponent
 $this->_everyone=false;
 $this->_guest=false;
 $this->_authenticated=false;
+
+ if(trim($users)==='')
+ $users='*';
 foreach(explode(',',$users) as $user)
 {
 if(($user=trim(strtolower($user)))!=='')
@@ -102,16 +105,24 @@ class TAuthorizationRule extends TComponent
 $this->_users[]=$user;
 }
 }
+
+ if(trim($roles)==='')
+ $roles='*';
 foreach(explode(',',$roles) as $role)
 {
 if(($role=trim(strtolower($role)))!=='')
 $this->_roles[]=$role;
 }
- $verb=trim(strtolower($verb));
- if($verb==='' || $verb==='get' || $verb==='post')
+
+ if(($verb=trim(strtolower($verb)))==='')
+ $verb='*';
+ if($verb==='*' || $verb==='get' || $verb==='post')
 $this->_verb=$verb;
 else
 throw new TInvalidDataValueException('authorizationrule_verb_invalid',$verb);
+
+ if(trim($ipRules)==='')
+ $ipRules='*';
 foreach(explode(',',$ipRules) as $ipRule)
 {
 if(($ipRule=trim($ipRule))!=='')
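Review bot: The empty-means-`'*'` default added for `$users` here (and, in the next hunk, for `$roles`, `$verb` and `$ipRules`) widens what an under-specified rule matches, and nothing in the constructor's visible lines says so: an allow rule written with no users and no roles previously matched nobody (no `_everyone`, no `_users`, no `_roles`), whereas now, if the `*` branch sets `_everyone`, it applies to every visitor from any address. That is presumably intended so that the conjunctive matching in `isUserAllowed` still works, but it deserves a comment at the first default, e.g. `// An empty users/roles/verb/ipRules value means "any": the rule then matches every request on that dimension, so an allow rule with all of them empty allows everyone.` The trim-and-default pattern is repeated four times; a small private helper would keep the four in step. The constructor starts before this hunk and continues past the end of the second one.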
@@ -185,38 +196,50 @@ class TAuthorizationRule extends TComponent } /** + * @param IUser the user object + * @param string the request verb (GET, PUT) + * @param string the request IP address * @return integer 1 if the user is allowed, -1 if the user is denied, 0 if the rule does not apply to the user */ - public function isUserAllowed(IUser $user,$verb) + public function isUserAllowed(IUser $user,$verb,$ip) { - $decision=($this->_action==='allow')?1:-1; - if($this->_verb==='' || strcasecmp($verb,$this->_verb)===0) - { - if(!$this->isHostAddressMatched()) - return 0; - if($this->_everyone || ($this->_guest && $user->getIsGuest()) || ($this->_authenticated && !$user->getIsGuest())) - return $decision; - if(in_array(strtolower($user->getName()),$this->_users)) - return $decision; - foreach($this->_roles as $role) - if($user->isInRole($role)) - return $decision; - } - return 0; + if($this->isVerbMatched($verb) && $this->isIpMatched($ip) && $this->isUserMatched($user) && $this->isRoleMatched($user)) + return ($this->_action==='allow')?1:-1; + else + return 0; } - private function isHostAddressMatched() + private function isIpMatched($ip) { if(empty($this->_ipRules)) return 1; - $ip=Prado::getApplication()->getRequest()->getUserHostAddress(); foreach($this->_ipRules as $rule) { - if($rule===$ip || (($pos=strpos($rule,'*'))!==false && strncmp($ip,$rule,$pos)===0)) + if($rule==='*' || $rule===$ip || (($pos=strpos($rule,'*'))!==false && strncmp($ip,$rule,$pos)===0)) return 1; } return 0; } + + private function isUserMatched($user) + { + return ($this->_everyone || ($this->_guest && $user->getIsGuest()) || ($this->_authenticated && !$user->getIsGuest())); + } + + private function isRoleMatched($user) + { + foreach($this->_roles as $role) + { + if($role==='*' || $user->isInRole($role)) + return true; + } + return false; + } + + private function isVerbMatched($verb) + { + return ($this->_verb==='*' || strcasecmp($verb,$this->_verb)===0); + } } 
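Review bot: `isUserMatched` no longer consults `$this->_users`, which the constructor still fills from the users attribute, whereas the removed body of `isUserAllowed` checked `in_array(strtolower($user->getName()),$this->_users)`; a rule naming specific users rather than the everyone/guest/authenticated markers therefore never matches, so an allow rule for named users fails closed and a deny rule for named users silently stops applying. Restoring the check keeps the old semantics: `return ($this->_everyone || ($this->_guest && $user->getIsGuest()) || ($this->_authenticated && !$user->getIsGuest()) || in_array(strtolower($user->getName()),$this->_users,true));`. Matching is also now a conjunction of user and role where the old code treated user and role membership as alternatives, which is worth stating in the class docblock (outside this hunk) because existing rules that set both attributes become stricter. A style point: `isIpMatched` still returns 1/0 while the new sibling predicates return booleans.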
@@ -235,16 +258,17 @@ class TAuthorizationRuleCollection extends TList
 /**
 * @param IUser the user to be authorized
 * @param string verb, can be empty, 'post' or 'get'.
+ * @param string the request IP address
 * @return boolean whether the user is allowed
 */
- public function isUserAllowed($user,$verb)
+ public function isUserAllowed($user,$verb,$ip)
 {
 if($user instanceof IUser)
 {
 $verb=strtolower(trim($verb));
 foreach($this as $rule)
 {
- if(($decision=$rule->isUserAllowed($user,$verb))!==0)
+ if(($decision=$rule->isUserAllowed($user,$verb,$ip))!==0)
 return ($decision>0);
 }
 return true;
-- cgit v1.2.3
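Review bot: `$ip` is forwarded to every rule exactly as received while `$verb` is normalised with `strtolower(trim($verb))` just above the loop; since the rule's `isIpMatched` compares with `===` and `strncmp`, a value carrying stray whitespace would make IP-restricted rules silently return 0, and with the trailing `return true;` a non-applying deny rule means fail-open, so `$ip=trim($ip);` next to the verb normalisation is cheap insurance. The new `@param string the request IP address` line should also say which address the caller must pass — presumably the peer address resolved by the request layer rather than a value taken from client-supplied headers — because the rule engine can no longer tell. The rest of the method, including the non-IUser path, lies outside the hunk.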