0

I'am using ZfcUser module in my application to protect access to /admin route. As I want to block all childroutes of /admin, except for /login, /register etc.

In order to do so, I've added a code from accepted answer here - Zend Framework 2 - Global check for authentication with ZFCUser

protected $whitelist = array('zfcuser/login', 'default');

  public function onBootstrap($e)
  {
      $app = $e->getApplication();
      $em  = $app->getEventManager();
      $sm  = $app->getServiceManager();

      $list = $this->whitelist;
      $auth = $sm->get('zfcuser_auth_service');

      $em->attach(MvcEvent::EVENT_ROUTE, function($e) use ($list, $auth) {
          $match = $e->getRouteMatch();

          // No route match, this is a 404
          if (!$match instanceof RouteMatch) {
              return;
          }

          // Route is whitelisted
          $name = $match->getMatchedRouteName();
          if (in_array($name, $list)) {
              return;
          }

          // User is authenticated
          if ($auth->hasIdentity()) {
              return;
          }

          // Redirect to the user login page, as an example
          $router   = $e->getRouter();
          $url      = $router->assemble(array(), array(
              'name' => 'zfcuser/login'
          ));

          $response = $e->getResponse();
          $response->getHeaders()->addHeaderLine('Location', $url);
          $response->setStatusCode(302);

          return $response;
      }, -100);
  }

It works, however it also block access to root routes - and as there is plenty of them, I do not really want to add every single route to whitelist. Is there any way to restrict access only to /admin routes?

ficus
  • 196
  • 2
  • 17

3 Answers3

1

Is there any way to restrict access only to /admin routes?

That would really mean that rather than a whitelist you would need a blacklist or change the logic of the conditional check.

Depending on your requirements, you could check just part of the route, something like this.

$this->whitelist = [
    'zfcuser/login', 
    'default'
];

// Route is whitelisted
$currentRoute = $match->getMatchedRouteName();

foreach($this->whitelist as $route) {
    if (0 === strpos($currentRoute, $route)) {
        // we matched the start of the route,
        // e.g every route under 'default' would match this
        return;
    }
}
AlexP
  • 9,906
  • 1
  • 24
  • 43
  • Neither blacklist nor whitelist is good solution in this case as I am still forced to type every single child route. Your solution seems to be working after changing place of variables in strpos($currentRoute, $route), however there is something weird about that as I tested that. I will update this topic as I will investigate it further tommorow. Thank you! – ficus Jul 05 '17 at 13:43
  • @ficus whoops; yes It should be `strpos($currentRoute, $route)` . I've updated my answer. – AlexP Jul 05 '17 at 17:26
  • After some tests it works properly, however the need to specify every single route in one way or another is quite annoying. Solution with controller fix that problem. Thank you for your help, I appreciate that! – ficus Jul 06 '17 at 06:58
1

You may protect access to admin area by checking each controller name instead of checking route names. Thus you may control user's accessibility with less effort and it is more portable than checking route names.

List your controllers where you want to limit accesses. So everything related to a controller should be restricted. Wherever you need to restrict access just list them here. You do not need to make your hands dirty with onBootstrap() method anymore.

protected $whitelist = array(
    'ZfcUser\Controller\User', // or use 'zfcuser'
);

Put right controller name in the $whitelist. You can get that by echoing $controller in the onBootstrap() method. Please check out the commented area below.

Next catch up the controller name and then check whether that is listed in your list or not.

public function onBootstrap(MvcEvent $e)
{
    $app = $e->getApplication();
    $em  = $app->getEventManager();
    $sm  = $app->getServiceManager();

    $list = $this->whitelist;
    $auth = $sm->get('zfcuser_auth_service');

    $em->attach(MvcEvent::EVENT_ROUTE, function($e) use ($list, $auth) {

        // get the current route
        $route = $e->getRouteMatch()->getMatchedRouteName();

        // check for 'zfcuser/login' and 'zfcuser/register' routes
        if (in_array($route, array('zfcuser/login', 'zfcuser/register'))) {
            return;
        }   

        // get the current controller name
        $controller = $e->getRouteMatch()->getParam('controller');

        // Check the right controller name by echoing 
        // echo $controller;         

        // check if a user has access on the current controller 
        if (in_array($controller, $list)) {

            if(! $auth->hasIdentity()) {

                $router = $e->getRouter();
                $url = $router->assemble(array(), array(
                    'name' => 'zfcuser/login'
                ));

                $response = $e->getResponse();
                $response->getHeaders()->addHeaderLine('Location', $url);
                $response->setStatusCode(302);

                return $response;
            }
        }

    }, -100);
}

Let us know if it helps you!

unclexo
  • 3,691
  • 2
  • 18
  • 26
  • Yeah, this solution do the job so far! Thanks for clear explanation, you save me once again :-) – ficus Jul 06 '17 at 06:54
1

I suggest taking a look at ZfcRbac. It has a "guards" functionality that I think is exactly what you're looking for:

return [
    'zfc_rbac' => [
        'guards' => [
            'ZfcRbac\Guard\RouteGuard' => [
                'admin*' => ['admin']
            ]
        ]
    ]
];

This would restrict any route starting with admin to users in the admin role. Since the default operation mode is blacklist-based ("protection mode" is "allow"), you only need to specify rules for the routes you want to restrict access to. Any route not matching a RouteGuard will be publicly-accessible.

Adam Lundrigan
  • 598
  • 2
  • 11