Code Coverage for /srv/web-content/subdomains/skeleton/module/AclUser/src/Permissions/Acl/Acl.php

	Code Coverage
	Classes and Traits			Functions and Methods				Lines
Total	0.00% covered (danger)	0.00%	0 / 1	86.67% covered (success)	86.67%	13 / 15	CRAP	93.88% covered (success)	93.88%	92 / 98
AclUser\Permissions\Acl\Acl	0.00% covered (danger)	0.00%	0 / 1	86.67% covered (success)	86.67%	13 / 15	43.42	93.88% covered (success)	93.88%	92 / 98
defineRoles				100.00% covered (success)	100.00%	1 / 1	2	100.00% covered (success)	100.00%	8 / 8
defineResources				100.00% covered (success)	100.00%	1 / 1	2	100.00% covered (success)	100.00%	3 / 3
joinAclToNavigation				100.00% covered (success)	100.00%	1 / 1	1	100.00% covered (success)	100.00%	3 / 3
checkAddParentRole				100.00% covered (success)	100.00%	1 / 1	4	100.00% covered (success)	100.00%	9 / 9
getPresentUser				100.00% covered (success)	100.00%	1 / 1	2	100.00% covered (success)	100.00%	4 / 4
getPresentUserId				100.00% covered (success)	100.00%	1 / 1	2	100.00% covered (success)	100.00%	4 / 4
getPresentUserEmailAddress				100.00% covered (success)	100.00%	1 / 1	2	100.00% covered (success)	100.00%	5 / 5
addPresentUserAgrigateRole				0.00% covered (danger)	0.00%	0 / 1	3.10	77.78% covered (success)	77.78%	7 / 9
setAgragateRolesByUserId				100.00% covered (success)	100.00%	1 / 1	5	100.00% covered (success)	100.00%	10 / 10
addMemRole				100.00% covered (success)	100.00%	1 / 1	1	100.00% covered (success)	100.00%	3 / 3
onDispatch				100.00% covered (success)	100.00%	1 / 1	2	100.00% covered (success)	100.00%	7 / 7
disallowedRouteRedirect				0.00% covered (danger)	0.00%	0 / 1	10.60	81.82% covered (success)	81.82%	18 / 22
checkThatRouteExists				100.00% covered (success)	100.00%	1 / 1	4	100.00% covered (success)	100.00%	7 / 7
isParticularRoute				100.00% covered (success)	100.00%	1 / 1	2	100.00% covered (success)	100.00%	3 / 3
userIsAllowed				100.00% covered (success)	100.00%	1 / 1	1	100.00% covered (success)	100.00%	1 / 1

1	<?php
2
3	/**
4	* Class Acl
5	*
6	* @package AclUser\Permissions\Acl
7	* @author Nigel Hurnell
8	* @version v.1.0.0
9	* @license BSD
10	* @copyright Copyright (c) 2017, Nigel Hurnell
11	*/
12
13	namespace AclUser\Permissions\Acl;
14
15	use Zend\Mvc\MvcEvent;
16	use Zend\Permissions\Acl\Acl as ZendAcl;
17	use Zend\View\Helper\Navigation;
18	use Zend\Router\Http\RouteMatch;
19
20	/**
21	* Class Acl
22	*
23	* Extends Zend\Acl
24	*
25	* @package AclUser\Permissions\Acl
26	* @author Nigel Hurnell
27	* @version v.1.0.0
28	* @license BSD
29	* @copyright Copyright (c) 2017, Nigel Hurnell
30	*/
31	class Acl extends ZendAcl
32	{
33
34	/**
35	* An array that stores the role name under the role's id as key
36	*
37	* @var array
38	*/
39	protected $roleMemory = [];
40
41	/**
42	* Array (strings) of all roles that exist in database
43	*
44	* @var array
45	*/
46	protected $allRoles;
47
48	/**
49	* Configuration array
50	*
51	* @var array
52	*/
53	protected $config;
54
55	/**
56	* Authentication and Identity management helper
57	*
58	* @var Zend\Authentication\AuthenticationService
59	*/
60	protected $authService;
61
62	/**
63	* UserManager that handles logic for a registered User
64	*
65	* @var AclUser\Service\UserManager
66	*/
67	protected $userManager;
68
69	/**
70	* add all roles used by the application to the access control list parent object
71	*/
72	protected function defineRoles()
73	{
74	$this->addRole('guest');
75	$this->allRoles = ['guest'];
76
77	$roles = $this->userManager->fetchAllRoles();
78	foreach ($roles as $role) {
79	$this->allRoles[] = $role->getName();
80	$this->checkAddParentRole($role);
81	}
82	$this->addPresentUserAgrigateRole();
83	}
84
85	/**
86	* add all resources used by the application to the access control list parent object
87	*
88	* @param array $resources array of (string) resources
89	*/
90	protected function defineResources($resources)
91	{
92	foreach ($resources as $resource) {
93	$this->addResource($resource);
94	}
95	}
96
97	/**
98	* Set user role and this ACL for navigation
99	*/
100	protected function joinAclToNavigation()
101	{
102	Navigation::setDefaultAcl($this);
103	Navigation::setDefaultRole('present_unique_user');
104	}
105
106	/**
107	* Check whether role and parent role has been added to this ACL and store
108	* role so that it is not added a second time
109	*
110	* @param AclUser\Entity\Role $role
111	*/
112	protected function checkAddParentRole($role)
113	{
114	$parent = $role->getParent();
115	if ($parent) {
116	$this->checkAddParentRole($parent);
117	if (!$this->hasRole($role->getName())) {
118	$this->addMemRole($role, $parent->getName());
119	} else {
120
121	}
122	} else {
123	if (!$this->hasRole($role->getName())) {
124	$this->addMemRole($role);
125	}
126	}
127	}
128
129	/**
130	* Get the User entity object that represents the present (logged in) user
131	*
132	* @return null\|User the logged in user
133	*/
134	public function getPresentUser()
135	{
136	$user = null;
137	if (null !== ($identity = $this->getPresentUserId())) {
138	$user = $this->userManager->getUserById($identity);
139	}
140	return $user;
141	}
142
143	/**
144	* Get the user id (auth service identity) the present (logged in) user
145	*
146	* @return integer\|null the present user id
147	*/
148	public function getPresentUserId()
149	{
150	$identity = null;
151	if ($this->authService->hasIdentity()) {
152	$identity = $this->authService->getIdentity();
153	}
154	return $identity;
155	}
156
157	/**
158	* Get the logged in user's e-mail address
159	*
160	* @return string the logged in user's email address or "Identity" if user is not found
161	*/
162	public function getPresentUserEmailAddress()
163	{
164	$result = 'Identity';
165	$user = $this->getPresentUser();
166	if ($user) {
167	$result = $user->getEmail();
168	}
169	return $result;
170	}
171
172	/**
173	* add the user role 'present_unique_user' that is used for all users
174	* And add the present users roles array as parent of this role
175	*/
176	protected function addPresentUserAgrigateRole()
177	{
178	if (!$this->authService->hasIdentity()) {
179	$this->addRole('present_unique_user', 'guest');
180	} else {
181	$userId = $this->authService->getIdentity();
182	$user = $this->userManager->getUserById($userId);
183	if ($user) {
184	$this->setAgragateRolesByUserId($user);
185	} else {
186	$this->authService->clearIdentity();
187	$this->addRole('present_unique_user', 'guest');
188	}
189	}
190	}
191
192	/**
193	* Concatenate all users roles and add present_unique_user as child of all those roles
194	*
195	* @param Entity\User $user
196	*/
197	protected function setAgragateRolesByUserId($user)
198	{
199	$maps = $user->getRoleMaps();
200	$userRoles = [];
201	if (count($maps) == 0) {
202	$userRoles[] = 'guest';
203	}
204	foreach ($maps as $map) {
205	$role = $map->getRole();
206	if (array_key_exists($role->getId(), $this->roleMemory) && !in_array($role->getName(), $userRoles)) {
207	$userRoles[] = $this->roleMemory[$role->getId()];
208	}
209	}
210	$this->addRole('present_unique_user', $userRoles);
211	}
212
213	/**
214	* Persist roles for later use within this class
215	*
216	* @param AclUser\Entity\Role $role
217	* @param string\|null $parentId
218	*/
219	protected function addMemRole($role, $parentId = NULL)
220	{
221	$this->addRole($role->getName(), $parentId);
222	$this->roleMemory[$role->getId()] = $role->getName();
223	}
224
225	/**
226	* Based on ListenerAggregateInterface this method is called when application dispatches
227	*
228	* @param MvcEvent $event
229	* @return null
230	*/
231	public function onDispatch(MvcEvent $event)
232	{
233
234	$routeMatch = $event->getRouteMatch();
235	$resource = $routeMatch->getParam('controller');
236	$privilege = $routeMatch->getParam('action');
237	$allowed = $this->userIsAllowed($resource, $privilege);
238
239	if ($allowed) {
240	return;
241	}
242	return $this->disallowedRouteRedirect($event, $routeMatch);
243	}
244
245	/**
246	* Handle request if user is not allowed the access the the requested resource and privilege
247	*
248	* @param MvcEvent $event
249	* @param RouteMatch $routeMatch
250	* @return type
251	*/
252	public function disallowedRouteRedirect(MvcEvent $event, RouteMatch $routeMatch)
253	{
254	$controller = $event->getTarget();
255	switch (true) {
256	case (!$this->checkThatRouteExists($routeMatch)):
257	/* route does not exist */
258	$controller->plugin('FlashMessenger')->setNamespace('error')->addMessage('The page that you requested does not exist.');
259	return $controller->redirect()->toRoute('default', ['controller' => 'index', 'action' => 'index']);
260	case $this->authService->hasIdentity() && $this->isParticularRoute($routeMatch, 'user-auth', 'login'):
261	/* route exists but user is not permitted */
262	$controller->plugin('FlashMessenger')->setNamespace('error')->addMessage('You tried to log in but you are already logged in.');
263	return $controller->redirect()->toRoute('default', ['controller' => 'index', 'action' => 'index']);
264	case $this->authService->hasIdentity():
265	/* route exists but user is not permitted */
266	$controller->plugin('FlashMessenger')->setNamespace('error')->addMessage('You do not have permission to visit the requested page.');
267	return $controller->redirect()->toRoute('default', ['controller' => 'index', 'action' => 'index']);
268	case (!$this->isParticularRoute($routeMatch, 'user-auth', 'login') && $this->userIsAllowed('user-auth', 'login')):
269	if ($this->isParticularRoute($routeMatch, 'user-auth', 'logout')) {
270	/* in case user who is not logged in tries to log out */
271	$controller->plugin('FlashMessenger')->setNamespace('error')->addMessage('You tried to log out but you are not logged in.');
272	return $controller->redirect()->toRoute('default', ['controller' => 'user-auth', 'action' => 'login']);
273	}
274	/* route exists - user is not logged in so redirect to login with redirect url so that they can maybe login and then access */
275	$uri = $event->getApplication()->getRequest()->getUri();
276	// Make the URL relative (remove scheme, user info, host name and port)
277	// to avoid redirecting to other domain by a malicious user.
278	$uri->setScheme(null)->setHost(null)->setPort(null)->setUserInfo(null);
279	$controller->plugin('FlashMessenger')->setNamespace('error')->addMessage('You do not have permission to visit the requested page.');
280	return $controller->redirect()->toRoute('default', ['controller' => 'user-auth', 'action' => 'login'], ['query' => ['redirectUrl' => $uri->toString()]]);
281	case (!$this->isParticularRoute($routeMatch, 'user-auth', 'logout') && $this->userIsAllowed('user-auth', 'logout')):
282	return $controller->redirect()->toRoute('default', ['controller' => 'user-auth', 'action' => 'logout']);
283	default:
284	$controller->plugin('FlashMessenger')->setNamespace('error')->addMessage('Something went wrong.');
285	return $controller->redirect()->toRoute('default', ['controller' => 'index', 'action' => 'index']);
286	}
287	}
288
289	/**
290	* Check whether this route corresponds to a real controller and action
291	*
292	* @param RouteMatch $routeMatch
293	*/
294	private function checkThatRouteExists(RouteMatch $routeMatch)
295	{
296	$controller = $routeMatch->getParam('controller');
297	if (!$this->hasResource($controller)) {
298	//note that this cannot fail because The requested controller could not be mapped to an existing controller class. would have been called
299	}
300	$action = $routeMatch->getParam('action');
301	foreach ($this->allRoles as $role) {
302	if ($this->isAllowed($role, $controller, $action)) {
303	return true;
304	}
305	}
306	return false;
307	}
308
309	/**
310	* Check whether this is particular route as defined by the controller and the action
311	*
312	* @param RouteMatch $routeMatch
313	* @param string $controller
314	* @param string $action
315	* @return boolean
316	*/
317	private function isParticularRoute(RouteMatch $routeMatch, $controller, $action)
318	{
319	$isController = $routeMatch->getParam('controller') == $controller;
320	$isAction = $routeMatch->getParam('action') == $action;
321	return $isController && $isAction;
322	}
323
324	/**
325	* Check whether current user is allowed to access this resource and privilege
326	*
327	* @param string $resource
328	* @param string $privilege
329	* @return boolean whether user is permitted to access this route
330	*/
331	public function userIsAllowed($resource, $privilege)
332	{
333	return $this->isAllowed('present_unique_user', $resource, $privilege);
334	}
335
336	}