Because I wasn't satisfied with current state of nette authorization mechanism I decided to port Symfony/Security into Nette.
It is largely based on Symfony/Security-Core. Sadly Nette authentication mechanism and Nette\Security\User class are incompatible with pure Symfony/Security-Core, so it was necessary to rewrite it.
Currently this project handles only Authorization for Authentication you have to use Nette classes. Also ACL isn't currently supported.
For more info how it works internally please refer to symfony security documentation.
This project requires php 5.4
The best way to install Zycon42/Security is using the Composer:
$ composer require zycon42/security:~0.1and then you have to enable it in your config.neon
extensions:
security: Zycon42\Security\DI\SecurityExtensionMain entry point for authorizations is SecurityContext class. Sample usage:
if (!$securityContext->isGranted('ROLE_ADMIN'))
throw new ForbiddenRequestException('You need to be admin');Code above will deny access if current user doesn't have role named ADMIN. Instead of roles you can use IS_AUTHENTICATED or IS_ANONYMOUS that grant access only to authenticated users or anonymous users respectively.
Also you can utilize optional secondary parameter object of isGranted method and ask if current user can perform given action on given resource like this:
if (!$securityContext->isGranted('EDIT', $post))
throw new ForbiddenRequestException("You are not able to edit this $post");Symfony security uses idea of voters that vote if user will be granted or denied. Access decision manager collects these votes and decides based on them. Project ships with three voters. One for roles, second for IS_AUTHENTICATED, IS_ANONYMOUS tokens and last one for expressions which we will discuss later.
Using voters you can easily extend range of supported attributes and objects. You can for example implement typical use-case of user only allowed to edit own posts.
Create new voter implementing Zycon42\Security\Authorization\Voters\IVoter interface and then register it in DIC with specific tag
services:
foo:
class: YourVoter
tags: [security.voter]When you tag service with security.voter tag it will be added into AccessDecisionManager as voter.
For more information about voters and how to implement new one please refer to symfony documentation only remember that instead of TokenInterface we use IIdentity from nette.
To be able to write more complex access rules you can use expressions. For parsing it we use symfony/expression-language.
There are several functions you can use in them:
isAnonymous()returns true if current user isn't authenticatedisAuthenticated()returns true if current user is authenticatedhasRole(string $role)checks if user is in given rolehasPermission($object, $action)checks if user has permission to perform action on object
Also you can access several variables:
identitycurrent user identityusernette user objectNette\Security\Userobjectobject that was passed as second parameter intoisGrantedmethod.rolesarray of identity roles
Example usage:
$securityContext->isGranted(new Expression("isAuthenticated() && !hasRole('CLIENT')"));To be able to use presenter annotations for granting/denying access use this in your secured presenter, which all your presenters that needs to use this, derive:
class SecuredPresenter extends BasePresenter
{
// ... some code
/**
* @var PresenterRequirementsChecker
* @inject
*/
public $requirementsChecker;
/**
* {@inheritdoc}
*/
public function checkRequirements($element) {
if (!$this->requirementsChecker->checkRequirement($element, $this->request)) {
// logged users get 403 and anonymous users get redirect to sign in
if ($this->user->isLoggedIn()) {
$expr = $this->requirementsChecker->getFailedExpression();
throw new ForbiddenRequestException("Request didn't passed security expression \"$expr\"");
} else {
$this->redirect('Sign:in', ['backLink' => $this->storeRequest()]);
}
}
}
// ... some code
}Remember not to override checkRequirements method in your derived presenters.
Now you can annotate your presenters and its action/render/handle methods with @Security annotations. Small example:
/**
* @Security("hasRole('ADMIN')")
*/
class UsersPresenter extends SecuredPresenter
{
// ... some code
}or on action method
class UsersPresenter extends SecuredPresenter
{
// ... some code
/**
* @Security("hasRole('ADMIN')")
*/
public function actionEdit($id) {
// ... implementation
}
}When using annotations on presenters note that annotations are inherited and are checked in order from base class to derived classes.
Expressions in annotations are same as these on isGranted but additionally you have access to all current request parameters as variables and object variable contains current request. So if you use something that converts presenter methods parameters from id to actual objects by adding additional request variables like zycon42/param-converters you will be able to write:
class PostPresenter extends SecuredPresenter
{
// ... some code
/**
* @Security("hasPermission(post, 'EDIT')")
*/
public function actionEdit(Post $post) {
// ... implementation
}
}Here you can find possible configuration options and its default values
security:
decisionManager:
strategy: affirmative
allowIfAllAbstain: false
allowIfEqualGrantedDenied: true
voters:
role: on
authenticated: on
expression: on
roleHierarchy: falseIn roleHierarchy section you can define how roles inherit from each other
security:
roleHierarchy:
ADMIN: { USER, MANAGER }
MANAGER: { USER, CLIENT }
CLIENT: GUESTNote that ADMIN inheriting from USER is redundant because ADMIN inherits from USER through MANAGER. But here is list of each role effective list:
- ADMIN: ADMIN, USER, MANAGER, CLIENT, GUEST
- MANAGER: MANAGER, USER, CLIENT, GUEST
- CLIENT: CLIENT, GUEST
React
Typescript
Django
Laravel
Facebook
Microsoft
Google
Alibaba
D3
Tencent