10. Two step process
WHO: Authentication
“a process that ensures and confirms a user’s identity”
WHAT: Authorization
“a security mechanism used to determine user/client privileges or access levels related to system resources”
Definitions from http://www.techopedia.com
29. Installing and enabling ZfcUser
// composer.json
"require": {
    "zf-commons/zfc-user-doctrine-orm": "0.1.*"
}
let’s suppose we use the Doctrine ORM
40. ZfcUser also allows to:
• Customize login form
• Customize User entity fields
• Quickly implement a registration form
• Interact with either Zend/DB or Doctrine out of the box
• Do much more stuff…
51-54. What if a malicious user…
…hits this url:
http://myawesomewebsite/admin/conferences
accessible to everyone!
nothing’s protecting our private area
Login form could be bypassed!
55-56. No worries!
<?php
/*
 * On each action
 */
public function indexAction() {
    if (!$this->zfcUserAuthentication()->hasIdentity()) {
        return $this->redirect()->toRoute('home');
    }
}
in EACH action
of EACH controller
62. Using Zend/Permissions/Acl
<?php
use Zend\Permissions\Acl\Acl;
use Zend\Permissions\Acl\Role\GenericRole as Role;
use Zend\Permissions\Acl\Resource\GenericResource as Resource;

$acl = new Acl();
$acl->addRole(new Role('guest'))
    ->addRole(new Role('admin'));
$acl->addResource(new Resource('someResource'));
$acl->addResource(new Resource('adminarea'));
$acl->addResource(new Resource('adminconferencearea'));
$acl->addResource(new Resource('adminsettingsarea'));
$acl->allow('guest', 'someResource');
$acl->allow('admin', 'adminarea');
$acl->allow('admin', 'adminconferencearea');
$acl->allow('admin', 'adminsettingsarea');
63. Welcome BjyAuthorize!
… a facade for Zend\Permissions\Acl that will ease its usage with modules and applications …
From https://github.com/bjyoungblood/BjyAuthorize
77-79. Guards on controller actions
class ConferencesController {
    public function listAction() {    // Allowed to all users
        // code...
    }
    public function manageAction() {  // Restricted area! For admins only
        // code...
    }
}
106. Another controller, another action
// Conferences/Controller/AnotherAdminController.php
use Zend\Mvc\Controller\AbstractActionController;

class AnotherAdminController extends AbstractActionController {
    public function someCrazyAction() {
        //...
        // no guard here: the service gets called regardless of who the user is
        $this->conferenceService->updateConference($myConference);
    }
}
What prevents this?
110. Let’s inject the Authorize class
// Conferences/Service/ConferenceServiceFactory.php
namespace Conferences\Service;

use Zend\ServiceManager\FactoryInterface;
use Zend\ServiceManager\ServiceLocatorInterface;

class ConferenceServiceFactory implements FactoryInterface {
    public function createService(ServiceLocatorInterface $serviceLocator)
    {
        //...
        // BjyAuthorize registers its Authorize service under this key
        $authorize = $serviceLocator->get('BjyAuthorize\Service\Authorize');
        return new ConferenceService(..., $authorize);
    }
}
111. Updated conference service
// Conferences/Service/ConferenceService.php
namespace Conferences\Service;

use BjyAuthorize\Exception\UnAuthorizedException;

class ConferenceService {
    //...
    public function updateConference($myConf) {
        // $this->authorize is the Authorize instance injected by the factory
        if (!$this->authorize->isAllowed($myConf, 'edit')) {
            throw new UnAuthorizedException();
        }
        // other code...
    }
    // the same for deleteConference method
}
124. In the same way we could:
• Restrict access to user owned conferences only
• or conferences owned by a group the user belongs to
• …and much more!
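An added example of the first bullet, not taken from the slides or from BjyAuthorize, written with the Zend\Permissions\Acl classes used on slide 62: an assertion attached to the 'edit' rule lets a user edit only the conferences they own, while an admin is unrestricted. The Conference and UserRole classes, the ownerId field and the user ids are assumptions made for the example.

```php
<?php
use Zend\Permissions\Acl\Acl;
use Zend\Permissions\Acl\Assertion\AssertionInterface;
use Zend\Permissions\Acl\Resource\ResourceInterface;
use Zend\Permissions\Acl\Role\RoleInterface;

// Assumed entity (not from the slides): a conference is an ACL resource
// that remembers the id of the user who owns it.
class Conference implements ResourceInterface
{
    public $ownerId;
    public function __construct($ownerId) { $this->ownerId = $ownerId; }
    public function getResourceId() { return 'conference'; }
}

// Assumed role object: the logged-in user's id travels with the role name.
class UserRole implements RoleInterface
{
    public $userId;
    private $roleId;
    public function __construct($roleId, $userId = null)
    {
        $this->roleId = $roleId;
        $this->userId = $userId;
    }
    public function getRoleId() { return $this->roleId; }
}

// Runs only for the rule it is attached to; the ACL passes it the very objects
// given to isAllowed(), so the owner id and the user id can be compared.
class OwnsConference implements AssertionInterface
{
    public function assert(Acl $acl, RoleInterface $role = null,
                           ResourceInterface $resource = null, $privilege = null)
    {
        return $role instanceof UserRole && $resource instanceof Conference
            && $role->userId !== null && $role->userId === $resource->ownerId;
    }
}

$acl = new Acl();
$acl->addRole('guest')->addRole('user', 'guest')->addRole('admin', 'user');
$acl->addResource('conference');
$acl->allow('guest', 'conference', 'view');
$acl->allow('user', 'conference', 'edit', new OwnsConference()); // owner only
$acl->allow('admin', 'conference');                               // every privilege

$alice = new UserRole('user', 7);
var_dump($acl->isAllowed($alice, new Conference(7), 'edit'));  // Alice's own conference
var_dump($acl->isAllowed($alice, new Conference(9), 'edit'));  // someone else's
var_dump($acl->isAllowed(new UserRole('admin', 1), new Conference(9), 'edit'));
var_dump($acl->isAllowed(new UserRole('guest'), new Conference(7), 'edit'));
```

Because the assertion decides per resource instance, the same 'edit' rule serves every conference without registering each one in the ACL; a group-ownership variant (second bullet) only changes the comparison inside assert().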