Commit 2b13a20f authored by Laurent Lécluse's avatar Laurent Lécluse

Intégration de la gestion des privilèges et des droits.

parent 87b6f3a7
......@@ -2,6 +2,7 @@
namespace UnicaenAuth;
use UnicaenAuth\Guard\PrivilegeController;
use Zend\ModuleManager\Feature\AutoloaderProviderInterface;
use Zend\ModuleManager\Feature\ConfigProviderInterface;
use Zend\ModuleManager\Feature\ServiceProviderInterface;
......@@ -23,6 +24,8 @@ class Module implements ConfigProviderInterface, ServiceProviderInterface
return include __DIR__ . '/config/module.config.php';
}
/**
*
* @return array
......@@ -42,26 +45,30 @@ class Module implements ConfigProviderInterface, ServiceProviderInterface
];
}
/**
* This method is called once the MVC bootstrapping is complete,
* after the "loadModule.post" event, once $application->bootstrap() is called.
*
* @param EventInterface $e
*
* @see BootstrapListenerInterface
*/
public function onBootstrap(\Zend\EventManager\EventInterface $e) /* @var \Zend\Mvc\MvcEvent $e */
public function onBootstrap(\Zend\EventManager\EventInterface $e)
/* @var \Zend\Mvc\MvcEvent $e */
{
$application = $e->getApplication();
/* @var $services \Zend\ServiceManager\ServiceManager */
$services = $application->getServiceManager();
$services = $application->getServiceManager();
// transmission des ACL aux aides de vue de navigation
try {
$authorizeService = $services->get('BjyAuthorize\Service\Authorize'); /* @var $authorizeService \BjyAuthorize\Service\Authorize */
$authorizeService = $services->get('BjyAuthorize\Service\Authorize');
/* @var $authorizeService \BjyAuthorize\Service\Authorize */
\Zend\View\Helper\Navigation::setDefaultAcl($authorizeService->getAcl());
\Zend\View\Helper\Navigation::setDefaultRole($authorizeService->getIdentity());
}
catch (\Zend\ServiceManager\Exception\ServiceNotFoundException $snfe) {
} catch (\Zend\ServiceManager\Exception\ServiceNotFoundException $snfe) {
// pas de module BjyAuthorize : pas d'ACL
}
......@@ -75,21 +82,21 @@ class Module implements ConfigProviderInterface, ServiceProviderInterface
$router->addRoutes([
// remplace les routes existantes (cf. config du module)
'zfcuser' => [
'type' => 'Literal',
'priority' => 1000,
'options' => [
'route' => '/auth',
'type' => 'Literal',
'priority' => 1000,
'options' => [
'route' => '/auth',
'defaults' => [
'controller' => 'zfcuser',
'action' => 'index',
],
],
'may_terminate' => true,
'child_routes' => [
'login' => [
'type' => 'Literal',
'child_routes' => [
'login' => [
'type' => 'Literal',
'options' => [
'route' => '/connexion',
'route' => '/connexion',
'defaults' => [
'controller' => 'zfcuser',
'action' => 'authenticate', // zappe l'action 'login'
......@@ -97,9 +104,9 @@ class Module implements ConfigProviderInterface, ServiceProviderInterface
],
],
'logout' => [
'type' => 'Literal',
'type' => 'Literal',
'options' => [
'route' => '/deconnexion',
'route' => '/deconnexion',
'defaults' => [
'controller' => 'zfcuser',
'action' => 'logout',
......@@ -107,11 +114,13 @@ class Module implements ConfigProviderInterface, ServiceProviderInterface
],
],
],
]
],
]);
}
}
/**
*
* @return array
......@@ -122,14 +131,50 @@ class Module implements ConfigProviderInterface, ServiceProviderInterface
return [
'factories' => [
// verrue pour forcer le label de l'identifiant qqsoit l'options 'auth_identity_fields'
'zfcuser_login_form' => function($sm) {
'zfcuser_login_form' => function ($sm) {
$options = $sm->get('zfcuser_module_options');
$form = new \ZfcUser\Form\Login(null, $options);
$form = new \ZfcUser\Form\Login(null, $options);
$form->setInputFilter(new \ZfcUser\Form\LoginFilter($options));
$form->get('identity')->setLabel("Username");
return $form;
},
],
];
}
}
/**
* Retourne le menu de navigation (à placer où vous voulez)!!
*
* @return array
*/
static public function getDroitsNavigation($label=null, $title=null)
{
if (!$label) $label = "Droits d'accès";
if (!$title) $title = "Gestion des droits d'accès";
return [
'label' => $label,
'title' => $title,
'route' => 'droits',
'resource' => PrivilegeController::getResourceId('UnicaenAuth\Controller\Droits','index'),
'pages' => [
'roles' => [
'label' => "Rôles",
'title' => "Gestion des rôles",
'route' => 'droits/roles',
'resource' => PrivilegeController::getResourceId('UnicaenAuth\Controller\Droits','roles'),
'withtarget' => true,
],
'privileges' => [
'label' => "Privilèges",
'title' => "Gestion des privilèges",
'route' => 'droits/privileges',
'resource' => PrivilegeController::getResourceId('UnicaenAuth\Controller\Droits','privileges'),
'withtarget' => true,
],
],
];
}
}
\ No newline at end of file
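Review bot: `getDroitsNavigation` falls back to the French defaults on any falsy argument rather than on `null`, so a caller passing `"0"` as label or title silently gets the default; compare explicitly, `if ($label === null) $label = "Droits d'accès";` and `if ($title === null) $title = "Gestion des droits d'accès";`, and write the modifiers in PSR-2 order as `public static function getDroitsNavigation($label = null, $title = null)`. The docblock documents only the return value; it should add `@param string|null $label` and `@param string|null $title`, and a sentence saying that the `resource` keys only decide whether a menu entry is shown, via the ACL that onBootstrap hands to `Navigation::setDefaultAcl`, while access to the `droits` routes is enforced by the `UnicaenAuth\Guard\PrivilegeController` entries in module.config.php. Presumably a page added here without a matching guard entry is hidden but not protected, which is worth confirming against the guard's semantics before other modules start calling this helper.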
<?php
use UnicaenAuth\Provider\Privilege\Privileges;
$settings = [
'entity_manager_name' => 'doctrine.entitymanager.orm_default', // nom du gestionnaire d'entités à utiliser
/**
* Fournisseurs d'identité.
*/
'identity_providers' => [
'identity_providers' => [
300 => 'UnicaenAuth\Provider\Identity\Basic', // en 1er
200 => 'UnicaenAuth\Provider\Identity\Db', // en 2e
100 => 'UnicaenAuth\Provider\Identity\Ldap', // en 3e
],
];
$zfcuserSettings = [
/**
* Enable registration
* Allows users to register through the website.
* Accepted values: boolean true or false
*/
'enable_registration' => true,
/**
* Modes for authentication identity match
* Specify the allowable identity modes, in the order they should be
* checked by the Authentication plugin.
* Default value: array containing 'email'
* Accepted values: array containing one or more of: email, username
*/
'auth_identity_fields' => ['username', 'email'],
/**
* Login Redirect Route
* Upon successful login the user will be redirected to the entered route
* Default value: 'zfcuser'
* Accepted values: A valid route name within your application
*/
'login_redirect_route' => 'home',
/**
* Logout Redirect Route
* Upon logging out the user will be redirected to the enterd route
* Default value: 'zfcuser/login'
* Accepted values: A valid route name within your application
*/
'logout_redirect_route' => 'home',
/**
* Enable Username
* Enables username field on the registration form, and allows users to log
* in using their username OR email address. Default is false.
* Accepted values: boolean true or false
*/
'enable_username' => false,
/**
* Enable Display Name
* Enables a display name field on the registration form, which is persisted
* in the database. Default value is false.
* Accepted values: boolean true or false
*/
'enable_display_name' => true,
/**
* Authentication Adapters
* Specify the adapters that will be used to try and authenticate the user
* Default value: array containing 'ZfcUser\Authentication\Adapter\Db' with priority 100
* Accepted values: array containing services that implement 'ZfcUser\Authentication\Adapter\ChainableAdapter'
*/
'auth_adapters' => [
300 => 'UnicaenAuth\Authentication\Adapter\Ldap', // notifié en 1er
200 => 'UnicaenAuth\Authentication\Adapter\Db', // ensuite (si échec d'authentification Ldap)
100 => 'UnicaenAuth\Authentication\Adapter\Cas', // ensuite (si échec d'authentification Db)
100 => 'UnicaenAuth\Provider\Identity\Ldap', // en 3e @deprecated
],
// telling ZfcUser to use our own class
'user_entity_class' => 'UnicaenAuth\Entity\Db\User',
// telling ZfcUserDoctrineORM to skip the entities it defines
'enable_default_entities' => false,
];
$bjyauthorize = [
/* this module uses a meta-role that inherits from any roles that should
* be applied to the active user. the identity provider tells us which
* roles the "identity role" should inherit from.
*
* for ZfcUser, this will be your default identity provider
*/
'identity_provider' => 'UnicaenAuth\Provider\Identity\Chain',
/* role providers simply provide a list of roles that should be inserted
* into the Zend\Acl instance. the module comes with two providers, one
* to specify roles in a config file and one to load roles using a
* Zend\Db adapter.
*/
'role_providers' => [
return [
'zfcuser' => [
/**
* 2 rôles doivent systématiquement exister dans les ACL :
* - le rôle par défaut 'guest', c'est le rôle de tout utilisateur non authentifié.
* - le rôle 'user', c'est le rôle de tout utilisateur authentifié.
* Enable registration
* Allows users to register through the website.
* Accepted values: boolean true or false
*/
'UnicaenAuth\Provider\Role\Config' => [
'guest' => ['name' => "Non authentifié(e)", 'selectable' => false, 'children' => [
'user' => ['name' => "Authentifié(e)", 'selectable' => false],
]],
],
'enable_registration' => true,
/**
* Fournit les rôles issus de la base de données éventuelle de l'appli.
* NB: si le rôle par défaut 'guest' est fourni ici, il ne sera pas ajouté en double dans les ACL.
* NB: si la connexion à la base échoue, ce n'est pas bloquant!
* Modes for authentication identity match
* Specify the allowable identity modes, in the order they should be
* checked by the Authentication plugin.
* Default value: array containing 'email'
* Accepted values: array containing one or more of: email, username
*/
'UnicaenAuth\Provider\Role\DbRole' => [
'object_manager' => 'doctrine.entitymanager.orm_default',
'role_entity_class' => 'UnicaenAuth\Entity\Db\Role',
],
'auth_identity_fields' => ['username', 'email'],
/**
* Login Redirect Route
* Upon successful login the user will be redirected to the entered route
* Default value: 'zfcuser'
* Accepted values: A valid route name within your application
*/
'login_redirect_route' => 'home',
/**
* Fournit le rôle correspondant à l'identifiant de connexion de l'utilisateur.
* Cela est utile lorsque l'on veut gérer les habilitations d'un utilisateur unique
* sur des ressources.
* Logout Redirect Route
* Upon logging out the user will be redirected to the enterd route
* Default value: 'zfcuser/login'
* Accepted values: A valid route name within your application
*/
'UnicaenAuth\Provider\Role\Username' => [],
'logout_redirect_route' => 'home',
/**
* Enable Username
* Enables username field on the registration form, and allows users to log
* in using their username OR email address. Default is false.
* Accepted values: boolean true or false
*/
'enable_username' => false,
/**
* Enable Display Name
* Enables a display name field on the registration form, which is persisted
* in the database. Default value is false.
* Accepted values: boolean true or false
*/
'enable_display_name' => true,
/**
* Authentication Adapters
* Specify the adapters that will be used to try and authenticate the user
* Default value: array containing 'ZfcUser\Authentication\Adapter\Db' with priority 100
* Accepted values: array containing services that implement 'ZfcUser\Authentication\Adapter\ChainableAdapter'
*/
'auth_adapters' => [
300 => 'UnicaenAuth\Authentication\Adapter\Ldap', // notifié en 1er
200 => 'UnicaenAuth\Authentication\Adapter\Db', // ensuite (si échec d'authentification Ldap)
100 => 'UnicaenAuth\Authentication\Adapter\Cas', // ensuite (si échec d'authentification Db)
],
// telling ZfcUser to use our own class
'user_entity_class' => 'UnicaenAuth\Entity\Db\User',
// telling ZfcUserDoctrineORM to skip the entities it defines
'enable_default_entities' => false,
],
'bjyauthorize' => [
/* this module uses a meta-role that inherits from any roles that should
* be applied to the active user. the identity provider tells us which
* roles the "identity role" should inherit from.
*
* for ZfcUser, this will be your default identity provider
*/
'identity_provider' => 'UnicaenAuth\Provider\Identity\Chain',
// strategy service name for the strategy listener to be used when permission-related errors are detected
// 'unauthorized_strategy' => 'BjyAuthorize\View\RedirectionStrategy',
'unauthorized_strategy' => 'UnicaenAuth\View\RedirectionStrategy',
/* role providers simply provide a list of roles that should be inserted
* into the Zend\Acl instance. the module comes with two providers, one
* to specify roles in a config file and one to load roles using a
* Zend\Db adapter.
*/
'role_providers' => [
/**
* 2 rôles doivent systématiquement exister dans les ACL :
* - le rôle par défaut 'guest', c'est le rôle de tout utilisateur non authentifié.
* - le rôle 'user', c'est le rôle de tout utilisateur authentifié.
*/
'UnicaenAuth\Provider\Role\Config' => [
'guest' => ['name' => "Non authentifié(e)", 'selectable' => false, 'children' => [
'user' => ['name' => "Authentifié(e)", 'selectable' => false],
]],
],
/**
* Fournit les rôles issus de la base de données éventuelle de l'appli.
* NB: si le rôle par défaut 'guest' est fourni ici, il ne sera pas ajouté en double dans les ACL.
* NB: si la connexion à la base échoue, ce n'est pas bloquant!
*/
'UnicaenAuth\Provider\Role\DbRole' => [],
/**
* Fournit le rôle correspondant à l'identifiant de connexion de l'utilisateur.
* Cela est utile lorsque l'on veut gérer les habilitations d'un utilisateur unique
* sur des ressources.
*/
'UnicaenAuth\Provider\Role\Username' => [],
],
/* Currently, only controller and route guards exist
*/
'guards' => [
/* If this guard is specified here (i.e. it is enabled), it will block
* access to all controllers and actions unless they are specified here.
* You may omit the 'action' index to allow access to the entire controller
'rule_providers' => [
//'UnicaenAuth\Provider\Rule\PrivilegeRuleProvider' => [],
],
'resource_providers' => [
'UnicaenAuth\Service\Privilege' => [],
],
// strategy service name for the strategy listener to be used when permission-related errors are detected
// 'unauthorized_strategy' => 'BjyAuthorize\View\RedirectionStrategy',
'unauthorized_strategy' => 'UnicaenAuth\View\RedirectionStrategy',
/* Currently, only controller and route guards exist
*/
'BjyAuthorize\Guard\Controller' => [
['controller' => 'index', 'action' => 'index', 'roles' => []],
['controller' => 'zfcuser', 'roles' => []],
['controller' => 'Application\Controller\Index', 'roles' => []],
'guards' => [
/* If this guard is specified here (i.e. it is enabled), it will block
* access to all controllers and actions unless they are specified here.
* You may omit the 'action' index to allow access to the entire controller
*/
'BjyAuthorize\Guard\Controller' => [
['controller' => 'index', 'action' => 'index', 'roles' => []],
['controller' => 'zfcuser', 'roles' => []],
['controller' => 'Application\Controller\Index', 'roles' => []],
['controller' => 'UnicaenApp\Controller\Application', 'action' => 'etab', 'roles' => []],
['controller' => 'UnicaenApp\Controller\Application', 'action' => 'apropos', 'roles' => []],
['controller' => 'UnicaenApp\Controller\Application', 'action' => 'contact', 'roles' => []],
['controller' => 'UnicaenApp\Controller\Application', 'action' => 'plan', 'roles' => []],
['controller' => 'UnicaenApp\Controller\Application', 'action' => 'mentions-legales', 'roles' => []],
['controller' => 'UnicaenApp\Controller\Application', 'action' => 'informatique-et-libertes', 'roles' => []],
['controller' => 'UnicaenApp\Controller\Application', 'action' => 'refresh-session', 'roles' => []],
['controller' => 'UnicaenAuth\Controller\Utilisateur', 'action' => 'selectionner-profil', 'roles' => []],
['controller' => 'UnicaenApp\Controller\Application', 'action' => 'etab', 'roles' => []],
['controller' => 'UnicaenApp\Controller\Application', 'action' => 'apropos', 'roles' => []],
['controller' => 'UnicaenApp\Controller\Application', 'action' => 'contact', 'roles' => []],
['controller' => 'UnicaenApp\Controller\Application', 'action' => 'plan', 'roles' => []],
['controller' => 'UnicaenApp\Controller\Application', 'action' => 'mentions-legales', 'roles' => []],
['controller' => 'UnicaenApp\Controller\Application', 'action' => 'informatique-et-libertes', 'roles' => []],
['controller' => 'UnicaenApp\Controller\Application', 'action' => 'refresh-session', 'roles' => []],
['controller' => 'UnicaenAuth\Controller\Utilisateur', 'action' => 'selectionner-profil', 'roles' => []],
],
'UnicaenAuth\Guard\PrivilegeController' => [
[
'controller' => 'UnicaenAuth\Controller\Droits',
'action' => ['index'],
'privileges' => [
Privileges::DROIT_ROLE_VISUALISATION,
Privileges::DROIT_PRIVILEGE_VISUALISATION,
],
],
[
'controller' => 'UnicaenAuth\Controller\Droits',
'action' => ['roles'],
'privileges' => [Privileges::DROIT_ROLE_VISUALISATION],
],
[
'controller' => 'UnicaenAuth\Controller\Droits',
'action' => ['privileges'],
'privileges' => [Privileges::DROIT_PRIVILEGE_VISUALISATION],
],
[
'controller' => 'UnicaenAuth\Controller\Droits',
'action' => ['role-edition', 'role-suppression'],
'privileges' => [Privileges::DROIT_ROLE_EDITION],
],
[
'controller' => 'UnicaenAuth\Controller\Droits',
'action' => ['privileges-modifier'],
'privileges' => [Privileges::DROIT_PRIVILEGE_EDITION],
],
],
],
],
];
return [
'zfcuser' => $zfcuserSettings,
'bjyauthorize' => $bjyauthorize,
'unicaen-auth' => $settings,
'doctrine' => [
'driver' => [
......@@ -170,41 +206,6 @@ return [
],
],
],
'service_manager' => [
'aliases' => [
'Zend\Authentication\AuthenticationService' => 'zfcuser_auth_service',
],
'invokables' => [
'unicaen-auth_user_service' => 'UnicaenAuth\Service\User',
'UnicaenAuth\Authentication\Storage\Db' => 'UnicaenAuth\Authentication\Storage\Db',
'UnicaenAuth\Authentication\Storage\Ldap' => 'UnicaenAuth\Authentication\Storage\Ldap',
'UnicaenAuth\View\RedirectionStrategy' => 'UnicaenAuth\View\RedirectionStrategy',
'authUserContext' => 'UnicaenAuth\Service\UserContext',
],
'abstract_factories' => [
'UnicaenAuth\Authentication\Adapter\AbstractFactory',
],
'factories' => [
'unicaen-auth_module_options' => 'UnicaenAuth\Options\ModuleOptionsFactory',
'zfcuser_auth_service' => 'UnicaenAuth\Authentication\AuthenticationServiceFactory',
'UnicaenAuth\Authentication\Storage\Chain' => 'UnicaenAuth\Authentication\Storage\ChainServiceFactory',
'UnicaenAuth\Provider\Identity\Chain' => 'UnicaenAuth\Provider\Identity\ChainServiceFactory',
'UnicaenAuth\Provider\Identity\Ldap' => 'UnicaenAuth\Provider\Identity\LdapServiceFactory',
'UnicaenAuth\Provider\Identity\Db' => 'UnicaenAuth\Provider\Identity\DbServiceFactory',
'UnicaenAuth\Provider\Identity\Basic' => 'UnicaenAuth\Provider\Identity\BasicServiceFactory',
'UnicaenAuth\Provider\Role\Config' => 'UnicaenAuth\Provider\Role\ConfigServiceFactory',
'UnicaenAuth\Provider\Role\DbRole' => 'UnicaenAuth\Provider\Role\DbRoleServiceFactory',
'UnicaenAuth\Provider\Role\Username' => 'UnicaenAuth\Provider\Role\UsernameServiceFactory',
],
'initializers' => [
'UnicaenAuth\Service\UserAwareInitializer',
],
],
'controllers' => [
'invokables' => [
'UnicaenAuth\Controller\Utilisateur' => 'UnicaenAuth\Controller\UtilisateurController',
],
],
'view_manager' => [
'template_map' => [
'error/403' => __DIR__ . '/../view/error/403.phtml',
......@@ -295,6 +296,80 @@ return [
],
],
],
'droits' => [
'type' => 'Literal',
'options' => [
'route' => '/droits',
'defaults' => [
'__NAMESPACE__' => 'UnicaenAuth\Controller',
'controller' => 'Droits',
'action' => 'index',
],
],
'may_terminate' => true,
'child_routes' => [
'roles' => [
'type' => 'Segment',
'may_terminate' => true,
'options' => [
'route' => '/roles',
'defaults' => [
'action' => 'roles',
],
],
'child_routes' => [
'edition' => [
'type' => 'Segment',
'may_terminate' => true,
'options' => [
'route' => '/edition[/:role]',
'constraints' => [
'role' => '[0-9]*',
],
'defaults' => [
'action' => 'role-edition',
],
],
],
'suppression' => [
'type' => 'Segment',
'may_terminate' => true,
'options' => [
'route' => '/suppression/:role',
'constraints' => [
'role' => '[0-9]*',
],
'defaults' => [
'action' => 'role-suppression',
],
],
],
],
],
'privileges' => [
'type' => 'Literal',
'may_terminate' => true,
'options' => [
'route' => '/privileges',
'defaults' => [
'action' => 'privileges',
],
],
'child_routes' => [
'modifier' => [
'type' => 'Segment',
'may_terminate' => true,
'options' => [
'route' => '/modifier',
'defaults' => [
'action' => 'privileges-modifier',
],
],
],
],
],
],
],
],
],
// All navigation-related configuration is collected in the 'navigation' key
......@@ -318,8 +393,59 @@ return [
],
],
],
'service_manager' => [
'aliases' => [
'Zend\Authentication\AuthenticationService' => 'zfcuser_auth_service',
'UnicaenAuth\Privilege\PrivilegeProvider' => 'UnicaenAuth\Service\Privilege',
'unicaen-auth_user_service' => 'UnicaenAuth\Service\User', // pour la compatibilité
'authUserContext' => 'UnicaenAuth\Service\UserContext', // pour la compatibilité
],
'invokables' => [
'UnicaenAuth\Authentication\Storage\Db' => 'UnicaenAuth\Authentication\Storage\Db',
'UnicaenAuth\Authentication\Storage\Ldap' => 'UnicaenAuth\Authentication\Storage\Ldap',
'UnicaenAuth\View\RedirectionStrategy' => 'UnicaenAuth\View\RedirectionStrategy',
'UnicaenAuth\Service\UserContext' => 'UnicaenAuth\Service\UserContext',
'UnicaenAuth\Service\User' => 'UnicaenAuth\Service\User',
'UnicaenAuth\Service\Privilege' => 'UnicaenAuth\Service\PrivilegeService',
'UnicaenAuth\Service\CategoriePrivilege' => 'UnicaenAuth\Service\CategoriePrivilegeService',
'UnicaenAuth\Service\Role' => 'UnicaenAuth\Service\RoleService',
],
'abstract_factories' => [
'UnicaenAuth\Authentication\Adapter\AbstractFactory',
],
'factories' => [
'unicaen-auth_module_options' => 'UnicaenAuth\Options\ModuleOptionsFactory',
'zfcuser_auth_service' => 'UnicaenAuth\Authentication\AuthenticationServiceFactory',
'UnicaenAuth\Authentication\Storage\Chain' => 'UnicaenAuth\Authentication\Storage\ChainServiceFactory',
'UnicaenAuth\Provider\Identity\Chain' => 'UnicaenAuth\Provider\Identity\ChainServiceFactory',
'UnicaenAuth\Provider\Identity\Ldap' => 'UnicaenAuth\Provider\Identity\LdapServiceFactory',