ACL in the Service Layer


ACL in the Service Layer

Julian Vidal
In a recent Zend Training class, Evan Coury made the point of putting your
ACL in the Service Layer as opposed to sticking it in each Controller.

While I agree with this, I'm running into an issue with this design and
would need some advice on how to solve it.

My system needs to run a few cron jobs and I have a couple of Console
routes. When running via cron there is no user logged in so the ACL will
naturally block all access to my Service layer.

The only thing that I can think of right now is creating a special admin
user in the system, storing their credentials in my app config and logging
them in manually (verifying that this can only be executed from the
console).

Is this the right way to approach this situation? Can anyone suggest a
better alternative?

Thanks,
Julian.

Re: ACL in the Service Layer

Björn Rylander
I've chosen the approach of: if the command is issued from the CLI
(php_sapi_name()), I skip checking against the ACL. I can use this method
since I have control over the server where the application resides and I
know no unauthorized user will execute the application from the CLI.

If there are better ways I would also be more than happy to know them.

With regards
Björn


2013/11/1 Julian Vidal <[hidden email]>


Re: ACL in the Service Layer

Artur Bodera
In reply to this post by Julian Vidal
On Fri, Nov 1, 2013 at 7:24 PM, Julian Vidal <[hidden email]> wrote:

> Is this the right way to approach this situation? Can anyone suggest a
> better alternative?
>

Change the default role when in CLI environment.

For example, using BjyAuthorize:

use Zend\Console\Console;
use BjyAuthorize\Provider\Identity\AuthenticationIdentityProvider;

// authenticate as admin in case we're running from CLI
if (Console::isConsole()) {
    /** @var AuthenticationIdentityProvider $identityProvider */
    $identityProvider = $this->sm->get('BjyAuthorize\Provider\Identity\ProviderInterface');
    $identityProvider->setDefaultRole('admin');
    $identityProvider->setAuthenticatedRole('admin');
}


--
[hidden email]
+48 695 600 936
http://thinkscape.pro
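Both console-detection approaches in this thread (Björn's php_sapi_name() check and Artur's default-role change) end up running cron jobs either unchecked or as an unrestricted admin. The following is an added example, not code from the posts above and not BjyAuthorize's own code, showing the variant a practitioner would usually prefer: the service layer still checks the ACL on every call, but a console run with no session identity resolves to a dedicated 'cron' role that is granted only the privileges the jobs need. It uses Zend\Permissions\Acl from ZF2; the CurrentRole and ReportService classes and the role, resource and privilege names are illustrative assumptions.

```php
<?php
// Added example for this thread (not code from the posts above, nor BjyAuthorize's):
// keep the ACL check in the service layer, but give a genuine console run a
// dedicated, least-privilege 'cron' role instead of 'admin' or no check at all.
// Assumes zendframework/zend-permissions-acl (Zend\Permissions\Acl). CurrentRole,
// ReportService and the role/resource/privilege names are illustrative.

use Zend\Permissions\Acl\Acl;
use Zend\Permissions\Acl\Role\GenericRole;
use Zend\Permissions\Acl\Resource\GenericResource;

// Decides which role the service layer checks against for the current run.
final class CurrentRole
{
    /** @var string|null role of the logged-in user, null when nobody is logged in */
    private $sessionRole;

    public function __construct($sessionRole = null)
    {
        $this->sessionRole = $sessionRole;
    }

    public function get()
    {
        if ($this->sessionRole !== null) {
            return $this->sessionRole;
        }
        // No identity: only a real CLI run (cron, `php public/index.php ...`)
        // gets the system role. A web request with no identity stays 'guest'.
        if (PHP_SAPI === 'cli') {
            return 'cron';
        }
        return 'guest';
    }
}

function buildAcl()
{
    $acl = new Acl();
    $acl->addRole(new GenericRole('guest'));
    $acl->addRole(new GenericRole('user'), 'guest');
    $acl->addRole(new GenericRole('admin'), 'user');
    // 'cron' is deliberately not a child of 'admin': it starts from deny-all.
    $acl->addRole(new GenericRole('cron'));

    $acl->addResource(new GenericResource('report'));
    $acl->addResource(new GenericResource('user-account'));

    $acl->allow('user', 'report', 'view');
    $acl->allow('admin');                                          // everything
    $acl->allow('cron', 'report', array('generate', 'purge-old')); // only what the jobs need

    return $acl;
}

// A service-layer class: every public method checks the ACL itself, so the
// protection holds whether it is reached from a controller or a console route.
final class ReportService
{
    private $acl;
    private $role;

    public function __construct(Acl $acl, CurrentRole $role)
    {
        $this->acl  = $acl;
        $this->role = $role;
    }

    private function assertAllowed($resource, $privilege)
    {
        $role = $this->role->get();
        if (!$this->acl->isAllowed($role, $resource, $privilege)) {
            throw new RuntimeException(
                sprintf("role '%s' is not allowed to '%s' on '%s'", $role, $privilege, $resource)
            );
        }
    }

    public function generateNightly()
    {
        $this->assertAllowed('report', 'generate');
        return 'nightly report generated';
    }

    public function purgeOlderThanDays($days)
    {
        $this->assertAllowed('report', 'purge-old');
        return sprintf('purged reports older than %d days', $days);
    }

    public function disableUserAccount($userId)
    {
        // 'cron' has no grant on 'user-account', so a tampered job script cannot reach this.
        $this->assertAllowed('user-account', 'disable');
        return sprintf('user %d disabled', $userId);
    }
}

// Usage (constructed): run as `php cron.php` there is no session and PHP_SAPI
// is 'cli', so the role resolves to 'cron'.
$service = new ReportService(buildAcl(), new CurrentRole());
echo $service->generateNightly(), PHP_EOL;
try {
    $service->disableUserAccount(42);
} catch (RuntimeException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```

A web request with no identity still resolves to 'guest' and is denied, so the relaxation is limited to PHP_SAPI === 'cli'. Like Björn's approach, this still trusts everyone who can execute PHP on the box, which is why the cron role is given only the two report privileges rather than admin: the worst case for a tampered job script is bounded by that grant. With BjyAuthorize the same effect comes from passing a narrowly scoped role such as 'cron' to setDefaultRole() instead of 'admin'.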

Re: ACL in the Service Layer

skara
This post has NOT been accepted by the mailing list yet.
If you don't want to authenticate/authorize console requests at all, you can check whether the request object is an instance of Zend\Console\Request and bypass the ACL check completely.

You can try something like this:

Register your ACL service in module.config.php:

...
'service_manager' => array(
    'factories' => array(
        ...
        'MyModule\Service\Acl' => 'MyModule\Service\Acl\AclFactory',
    ),
),
...

Register an event listener to do the ACL check in your Module.php:

use Zend\Console\Request as ConsoleRequest;
use Zend\Http\Request as HttpRequest;
use Zend\Mvc\MvcEvent;

...
public function onBootstrap(MvcEvent $mvcEvent)
{
    // High priority (1000) so the check runs before the controller is dispatched
    $mvcEvent->getTarget()->getEventManager()->attach(MvcEvent::EVENT_DISPATCH, array($this, 'checkAcl'), 1000);
}

public function checkAcl(MvcEvent $mvcEvent)
{
    $request = $mvcEvent->getRequest();

    // Catch web requests to index.php and run the ACL check
    if ($request instanceof HttpRequest) {
        $myAcl = $mvcEvent->getApplication()->getServiceManager()->get('MyModule\Service\Acl');
        $myAcl->doTheAclCheckOrSomething();
    }

    // As opposed to CLI requests to index.php, which are not checked
    if ($request instanceof ConsoleRequest) {
        // do nothing
    }
}
...


Re: ACL in the Service Layer

Julian Vidal
In reply to this post by Artur Bodera
Detecting CLI sounds like a good way to do this.

Thanks!

On Sat, Nov 2, 2013 at 11:09 AM, Artur Bodera <[hidden email]> wrote:
