From 5d63c8b1378939fa7fdff4018acc94906404dc3c Mon Sep 17 00:00:00 2001 From: Tom Udding Date: Sun, 29 Dec 2024 16:40:44 +0100 Subject: [PATCH] feat: dynamically evaluate page access permissions Instead of loading all pages as separate resources into the ACL, we dynamically evaluate whether someone may access the page or not. A visitor can access a page if they have the required role or if they inherit the required role. --- module/Frontpage/src/Model/Page.php | 2 +- module/Frontpage/src/Module.php | 26 +------------- module/Frontpage/src/Service/AclService.php | 16 ++------- .../IsAfterMembershipEndedAndNotTagged.php | 8 +---- .../Assertion/IsAllowedToViewPage.php | 35 +++++++++++++++++++ .../src/Permissions/Assertion/IsCreator.php | 8 +---- .../Assertion/IsCreatorOrOrganMember.php | 8 +---- .../Permissions/Assertion/IsOrganMember.php | 8 +---- phpcs.xml.dist | 1 + 9 files changed, 45 insertions(+), 67 deletions(-) create mode 100644 module/User/src/Permissions/Assertion/IsAllowedToViewPage.php diff --git a/module/Frontpage/src/Model/Page.php b/module/Frontpage/src/Model/Page.php index 1da4f7dbd2..329c69927f 100644 --- a/module/Frontpage/src/Model/Page.php +++ b/module/Frontpage/src/Model/Page.php @@ -201,6 +201,6 @@ public function toArray(): array */ public function getResourceId(): string { - return 'page' . $this->getId(); + return 'page'; } } diff --git a/module/Frontpage/src/Module.php b/module/Frontpage/src/Module.php index f93e9daaab..9697c19461 100644 --- a/module/Frontpage/src/Module.php +++ b/module/Frontpage/src/Module.php @@ -31,11 +31,8 @@ use Frontpage\Service\Page as PageService; use Frontpage\Service\Poll as PollService; use Psr\Container\ContainerInterface; -use RuntimeException; use User\Authorization\AclServiceFactory; -use function sprintf; - class Module { /** @@ -58,28 +55,7 @@ public function getServiceConfig(): array return [ 'factories' => [ // Services - AclService::class => static function ( - ContainerInterface $container, - $requestedName, - ?array $options = null, - ) { - $aclService = (new AclServiceFactory())->__invoke($container, $requestedName, $options); - - if ($aclService instanceof AclService) { - $pages = $container->get(PageMapper::class)->findAll(); - $aclService->setPages($pages); - - return $aclService; - } - - throw new RuntimeException( - sprintf( - 'Expected service of type %s, got service of type %s', - AclService::class, - $aclService::class, - ), - ); - }, + AclService::class => AclServiceFactory::class, FrontpageService::class => FrontpageServiceFactory::class, NewsService::class => NewsServiceFactory::class, PageService::class => PageServiceFactory::class, diff --git a/module/Frontpage/src/Service/AclService.php b/module/Frontpage/src/Service/AclService.php index 7f609e918e..a6c7a60e0e 100644 --- a/module/Frontpage/src/Service/AclService.php +++ b/module/Frontpage/src/Service/AclService.php @@ -4,23 +4,11 @@ namespace Frontpage\Service; -use Frontpage\Model\Page as PageModel; use Laminas\Permissions\Acl\Resource\GenericResource as Resource; +use User\Permissions\Assertion\IsAllowedToViewPage; class AclService extends \User\Service\AclService { - /** - * @param PageModel[] $pages - */ - public function setPages(array $pages): void - { - foreach ($pages as $page) { - $requiredRole = $page->getRequiredRole()->value; - $this->acl->addResource($page); - $this->acl->allow($requiredRole, $page, 'view'); - } - } - protected function createAcl(): void { parent::createAcl(); @@ -36,5 +24,7 @@ protected function createAcl(): void $this->acl->allow('user', 'infimum', 'view'); $this->acl->allow('user', 'poll', ['vote', 'request']); $this->acl->allow('user', 'poll_comment', ['view', 'create', 'list']); + + $this->acl->allow(null, 'page', 'view', new IsAllowedToViewPage()); } } diff --git a/module/User/src/Permissions/Assertion/IsAfterMembershipEndedAndNotTagged.php b/module/User/src/Permissions/Assertion/IsAfterMembershipEndedAndNotTagged.php index 6e3d255065..7ffbd90fd6 100644 --- a/module/User/src/Permissions/Assertion/IsAfterMembershipEndedAndNotTagged.php +++ b/module/User/src/Permissions/Assertion/IsAfterMembershipEndedAndNotTagged.php @@ -21,13 +21,7 @@ class IsAfterMembershipEndedAndNotTagged implements AssertionInterface { /** - * Returns true if and only if the assertion conditions are met. - * - * This method is passed the ACL, Role, Resource, and privilege to which the authorization query applies. If the - * $role, $resource, or $privilege parameters are null, it means that the query applies to all Roles, Resources, or - * privileges, respectively. - * - * @param string|null $privilege + * @inheritDoc */ public function assert( Acl $acl, diff --git a/module/User/src/Permissions/Assertion/IsAllowedToViewPage.php b/module/User/src/Permissions/Assertion/IsAllowedToViewPage.php new file mode 100644 index 0000000000..88ec425ff9 --- /dev/null +++ b/module/User/src/Permissions/Assertion/IsAllowedToViewPage.php @@ -0,0 +1,35 @@ +getRequiredRole()->value; + + return $role->getRoleId() === $requiredRole || $acl->inheritsRole($role, $requiredRole); + } +} diff --git a/module/User/src/Permissions/Assertion/IsCreator.php b/module/User/src/Permissions/Assertion/IsCreator.php index 19a43d3dab..7db061a543 100644 --- a/module/User/src/Permissions/Assertion/IsCreator.php +++ b/module/User/src/Permissions/Assertion/IsCreator.php @@ -18,13 +18,7 @@ class IsCreator implements AssertionInterface { /** - * Returns true if and only if the assertion conditions are met. - * - * This method is passed the ACL, Role, Resource, and privilege to which the authorization query applies. If the - * $role, $resource, or $privilege parameters are null, it means that the query applies to all Roles, Resources, or - * privileges, respectively. - * - * @param string|null $privilege + * @inheritDoc */ public function assert( Acl $acl, diff --git a/module/User/src/Permissions/Assertion/IsCreatorOrOrganMember.php b/module/User/src/Permissions/Assertion/IsCreatorOrOrganMember.php index 42e8e83905..58f681b544 100644 --- a/module/User/src/Permissions/Assertion/IsCreatorOrOrganMember.php +++ b/module/User/src/Permissions/Assertion/IsCreatorOrOrganMember.php @@ -16,13 +16,7 @@ class IsCreatorOrOrganMember implements AssertionInterface { /** - * Returns true if and only if the assertion conditions are met. - * - * This method is passed the ACL, Role, Resource, and privilege to which the authorization query applies. If the - * $role, $resource, or $privilege parameters are null, it means that the query applies to all Roles, Resources, or - * privileges, respectively. - * - * @param string|null $privilege + * @inheritDoc */ public function assert( Acl $acl, diff --git a/module/User/src/Permissions/Assertion/IsOrganMember.php b/module/User/src/Permissions/Assertion/IsOrganMember.php index 057b14fb67..cd3d2b0364 100644 --- a/module/User/src/Permissions/Assertion/IsOrganMember.php +++ b/module/User/src/Permissions/Assertion/IsOrganMember.php @@ -20,13 +20,7 @@ class IsOrganMember implements AssertionInterface { /** - * Returns true if and only if the assertion conditions are met. - * - * This method is passed the ACL, Role, Resource, and privilege to which the authorization query applies. If the - * $role, $resource, or $privilege parameters are null, it means that the query applies to all Roles, Resources, or - * privileges, respectively. - * - * @param string|null $privilege + * @inheritDoc */ public function assert( Acl $acl, diff --git a/phpcs.xml.dist b/phpcs.xml.dist index 29259e6590..4323e06c3b 100644 --- a/phpcs.xml.dist +++ b/phpcs.xml.dist @@ -140,6 +140,7 @@ module/User/src/Service/Factory/UserFactory.php module/User/src/Permissions/Assertion/IsAfterMembershipEndedAndNotTagged.php + module/User/src/Permissions/Assertion/IsAllowedToViewPage.php module/User/src/Permissions/Assertion/IsCreator.php module/User/src/Permissions/Assertion/IsCreatorOrOrganMember.php module/User/src/Permissions/Assertion/IsOrganMember.php