Security: IAuthorizator needs IIdentity #941

enumag · 2013-01-28T19:09:57Z

See the RFC on Nette forum (czech only).

fprochazka · 2013-01-28T19:11:35Z

👍 Chtělo by to pár testů :)

enumag · 2013-01-28T19:13:19Z

@hosiplan: Ono v podstatě stačí upravit stávající testy, ale to bude chvíli trvat. Mezitím si pls přečti RFC. :-)

hrach · 2013-01-28T19:17:13Z

Nette/Security/Permission.php

@@ -644,68 +639,66 @@ public function isAllowed($role = self::ALL, $resource = self::ALL, $privilege =
 			$this->checkResource($resource);
 		}

+		foreach ($identity->getRoles() as $role) {
+			$this->checkRole($role);
+			if (NULL !== ($result = $this->isRoleAllowed($role, $resource, $privilege))) {


skaredy coding style, takovyto nikde nevyuzivame :)

V Permission je použitý hned na několika místech. Sice se mi to nelíbilo, ale nechci se pouštět do kompletní refaktorizace kódu Permission.

ajo, to je proto, že to David kopiroval z nějakyho jinyho frameworku :D

Mas to v hlavicce... je to ze zendu :D

Ta implementace Permission se mi celkově moc nelíbí. Vlastně bych celou tu třídu nejradši vyhodil do addons. :-D

Majkl578 · 2013-01-30T02:33:56Z

Přemýšlím nad tím a ta vazba přímo na IIdentity mi přijde poměrně zbytečná, až nežádoucí.
Říkám si, jestli by nebylo lepší něco obecnějšího, např. IRoleSet nebo IRolesProvider s metodou getRoles(). IIdentity by jej a) extendovalo a zůstalo současné chování, b) neextendovalo a možnost rolí by zůstala plně v moci uživatele (programátora). Druhá varianta by mi nejspíš dávala větší smysl, sám jsem dělal několik projektů, kde jsem role vůbec nepoužíval a musel hloupě vytvářet metodu getRoles vracející prázdné pole. Zároveň by nebyl problém používat i nadále Permission zcela nezávisle na IIdentity/User (jako tomu bylo doposud a což tento pull request znemožňuje).

Přesunuto k diskusi na fórum.

Majkl578 · 2013-01-30T02:37:05Z

Nette/Security/Permission.php

@@ -644,68 +649,75 @@ public function isAllowed($role = self::ALL, $resource = self::ALL, $privilege =
 			$this->checkResource($resource);
 		}

+		if (!$identity) { // quest
+			$roles = array($this->questRole);


Did you even test it? This wouldn't work at all, there is no questRole, only guestRole (see @tomaswindsor's comment above).

Nope I did not test it yet.

enumag · 2013-02-07T00:00:55Z

Please review.

hrach · 2013-02-07T00:17:09Z

tests/Nette/Security/Permission.IsAllowedNonExistent.phpt

@@ -16,8 +18,9 @@ require __DIR__ . '/../bootstrap.php';


 Assert::exception(function() {
+    $identity = new Identity(1, array('nonexistent'));


indentation.

ups thanks :-)

dg · 2013-03-11T22:09:53Z

Ještě jiný směr, kam by se to mohlo ubírat: http://forum.nette.org/cs/13458-security-iauthorizator-a-identita#p99180

enumag · 2013-06-26T11:36:17Z

@dg Even if the final implementation will be different, the first commit should be merged.

This is taking as long as I was afraid it would so I've already implemented this as an extension.

redwormik · 2013-07-10T21:00:30Z

Hi there! I see two small User-related BC breaks:

Logged in User which was given NULL identity by IAuthenticator (rare, I know) is now seen as logged out.
getRoles() (and isInRole()) used to reflect whether the user was logged in, now they can use roles from IIdentity of logged out user.

enumag · 2013-07-10T21:15:57Z

@redwormik

That's a bug. The login method should throw an exception if NULL was returned by the IAuthenticator.
I didn't like the inconsistency that User::getRoles() and Identity::getRoles() had different return values but now that I think about it again it's probably better.

This pull request is probably not going to be merged so it's useless to push the fix here. I will fix both in my extension though.

hrach reviewed Jan 28, 2013
View reviewed changes

Majkl578 reviewed Jan 30, 2013
View reviewed changes

enumag added 5 commits January 30, 2013 18:37

Fixed coding style in Permission

97c6bd5

Security: IAuthorizator gets IIdentity instead of a role (BC break!)

591c790

Security: Guest and authenticated roles moved to Permission (BC break!)

ff7760a

Tests: Fixed compatibility with new IAuthorizator

f16caf0

Tests: Added tests for Permission guest and authenticated roles

48728a8

hrach reviewed Feb 7, 2013
View reviewed changes

typo

aaa43d6

dg removed this from the 2.2 milestone Jun 19, 2014

dg force-pushed the master branch 3 times, most recently from 991ba1a to e23de7a Compare August 26, 2014 15:04

dg force-pushed the master branch from 872d693 to 1467a8d Compare January 31, 2015 12:17

dg force-pushed the master branch from c0c86b9 to a5bb8c7 Compare December 22, 2016 00:27

dg force-pushed the master branch 2 times, most recently from 489cca2 to 0b969cd Compare May 10, 2018 20:14

dg force-pushed the master branch from 156e5fb to e2f9921 Compare September 18, 2018 13:00

dg force-pushed the master branch from 7530609 to eb00ed0 Compare November 23, 2018 17:13

dg force-pushed the master branch from eb00ed0 to e4e3b65 Compare February 5, 2019 22:23

dg force-pushed the master branch 2 times, most recently from 09a7d92 to b9698a8 Compare February 10, 2019 23:23

dg force-pushed the master branch 3 times, most recently from 5a8c108 to 3aa3147 Compare February 26, 2019 14:39

dg force-pushed the master branch from 3aa3147 to 5fc0e2f Compare February 28, 2019 18:08

dg force-pushed the master branch from cf89671 to 21aad98 Compare November 19, 2019 18:11

dg force-pushed the master branch 2 times, most recently from 5feee0e to 3fc1e40 Compare January 5, 2021 15:23

dg force-pushed the master branch 5 times, most recently from 688f189 to 1bc9d13 Compare January 13, 2023 04:18

dg force-pushed the master branch from 1bc9d13 to ae0f5eb Compare February 4, 2023 02:05

dg force-pushed the master branch from ae0f5eb to 42f6b10 Compare February 28, 2023 13:51

dg force-pushed the master branch from 42f6b10 to e0eca2b Compare November 5, 2023 22:11

dg force-pushed the master branch 2 times, most recently from 7215ae6 to 71b2047 Compare February 12, 2024 20:56

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Security: IAuthorizator needs IIdentity #941

Security: IAuthorizator needs IIdentity #941

enumag commented Jan 28, 2013

fprochazka commented Jan 28, 2013

enumag commented Jan 28, 2013

hrach Jan 28, 2013

enumag Jan 28, 2013

hrach Jan 28, 2013

rostenkowski Jan 28, 2013

hrach Jan 28, 2013

enumag Jan 28, 2013

Majkl578 commented Jan 30, 2013

Majkl578 Jan 30, 2013

enumag Jan 30, 2013

enumag commented Feb 7, 2013

hrach Feb 7, 2013

enumag Feb 7, 2013

dg commented Mar 11, 2013

enumag commented Jun 26, 2013

redwormik commented Jul 10, 2013

enumag commented Jul 10, 2013

		@@ -16,8 +18,9 @@ require __DIR__ . '/../bootstrap.php';


		Assert::exception(function() {
		$identity = new Identity(1, array('nonexistent'));

Security: IAuthorizator needs IIdentity #941

Are you sure you want to change the base?

Security: IAuthorizator needs IIdentity #941

Conversation

enumag commented Jan 28, 2013

fprochazka commented Jan 28, 2013

enumag commented Jan 28, 2013

Choose a reason for hiding this comment

Choose a reason for hiding this comment

Choose a reason for hiding this comment

Choose a reason for hiding this comment

Choose a reason for hiding this comment

Choose a reason for hiding this comment

Majkl578 commented Jan 30, 2013

Choose a reason for hiding this comment

Choose a reason for hiding this comment

enumag commented Feb 7, 2013

Choose a reason for hiding this comment

Choose a reason for hiding this comment

dg commented Mar 11, 2013

enumag commented Jun 26, 2013

redwormik commented Jul 10, 2013

enumag commented Jul 10, 2013