Generally I have the following business model:
There're users and groups. Each user belongs to only one group and amount of groups is not determined beforehead (as well as amount of users for most sites).
Also there're several different busyness objects, which may belong to user.
Groups are not separate objects, which should be controlled by ACL themselves, but they should affect how other entities should be controlled much like unix groups.
There're 3 basic roles: SUPERADMIN, ADMIN and USER.
SUPERADMIN is able to do anything with any entity.
USER is generally able to read/write own entities (including him/her-self) and read
entitites from his/her group.
ADMIN should have full control of
entities within his group, but not from other groups. I don't
understand how to apply ACL inheritance here (and whether this could
be applied at all).
Also I'm interested in, how denying access could be applied in ACL. Like user have read/write access to all his fields except login. User should only read his login.
I.e. it is logical to provide read/write access to his own profile, but deny write to login, rather than defining read/write access to all his fields (except login) directly.
Ok, here it is. Code isn't perfect at all, but it's better, than nothing.
Voter service.
<?php
namespace Acme\AcmeBundle\Services\Security;
use Symfony\Component\DependencyInjection\ContainerInterface;
use Symfony\Component\Security\Core\Authorization\Voter\VoterInterface;
use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
use Symfony\Component\Security\Acl\Domain\ObjectIdentity;
class GroupedConcernVoter implements VoterInterface {
public function __construct(ContainerInterface $container)
{
$this->container = $container;
$rc = $this->container->getParameter('grouped_concern_voter.config');
// some config normalization performed
$this->rightsConfig = $rc;
}
// even though supportsAttribute and supportsClass methods are required by interface,
// services that I saw, leaves them empty and do not use them
public function supportsAttribute($attribute)
{
return in_array($attribute, array('OWNER', 'MASTER', 'OPERATOR', 'VIEW', 'EDIT', 'CREATE', 'DELETE', 'UNDELETE', 'DEPLOY'))
// hacky way to support per-attribute edit and even view rights.
or preg_match("/^(EDIT|VIEW)(_[A-Z]+)+$/", $attribute);
}
public function supportsClass($object)
{
$object = $object instanceof ObjectIdentity ? $object->getType() : $object;
// all our business object, which should be manageable by that code have common basic class.
// Actually it is a decorator over Propel objects with some php magic... nevermind.
// If one wants similar solution, interface like IOwnableByUserAndGroup with
// getUserId and getGroupId methods may be defined and used
return is_subclass_of($object, "Acme\\AcmeBundle\\CommonBusinessObject");
}
function vote(TokenInterface $token, $object, array $attributes)
{
if (!$this->supportsClass($object)) {
return self::ACCESS_ABSTAIN;
}
if ($object instanceof ObjectIdentity) $object = $object->getType();
if (is_string($object)) {
$scope = 'own';
$entity = $object;
} else {
if ($object->getUserId() == $this->getUser()->getId()) {
$scope = 'own';
} else if ($object->getGroupId() == $this->getUser()->getGroupId()) {
$scope = 'group';
} else {
$scope = 'others';
}
$entity = get_class($object);
}
$user = $token->getUser();
$roles = $user->getRoles();
$role = empty($roles) ? 'ROLE_USER' : $roles[0];
$rights = $this->getRightsFor($role, $scope, $entity);
if ($rights === null) return self::ACCESS_ABSTAIN;
// some complicated logic for checking rights...
foreach ($attributes as $attr) {
$a = $attr;
$field = '';
if (preg_match("/^(EDIT|VIEW)((?:_[A-Z]+)+)$/", $attr, $m)) list(, $a, $field) = $m;
if (!array_key_exists($a, $rights)) return self::ACCESS_DENIED;
if ($rights[$a]) {
if ($rights[$a] === true
or $field === '')
return self::ACCESS_GRANTED;
}
if (is_array($rights[$a])) {
if ($field == '') return self::ACCESS_GRANTED;
$rfield = ltrim(strtolower($field), '_');
if (in_array($rfield, $rights[$a])) return self::ACCESS_GRANTED;
}
return self::ACCESS_DENIED;
}
}
private function getRightsFor($role, $scope, $entity)
{
if (array_key_exists($entity, $this->rightsConfig)) {
$rc = $this->rightsConfig[$entity];
} else {
$rc = $this->rightsConfig['global'];
}
$rc = $rc[$role][$scope];
$ret = array();
foreach($rc as $k => $v) {
if (is_numeric($k)) $ret[$v] = true;
else $ret[$k] = $v;
}
// hacky way to emulate cumulative rights like in ACL
if (isset($ret['OWNER'])) $ret['MASTER'] = true;
if (isset($ret['MASTER'])) $ret['OPERATOR'] = true;
if (isset($ret['OPERATOR']))
foreach(array('VIEW', 'EDIT', 'CREATE', 'DELETE', 'UNDELETE') as $r) $ret[$r] = true;
return $ret;
}
private function getUser() {
if (empty($this->user)) {
// Not sure, how this shortcut works. This is a service (?) returning current authorized user.
$this->user = $this->container->get('acme.user.shortcut');
}
return $this->user;
}
}
And config... actually, it is implementation-specific and its structure is completely arbitrary.
grouped_concern_voter.config:
global:
ROLE_SUPERADMIN:
own: [MASTER]
group: [MASTER]
others: [MASTER]
ROLE_ADMIN:
own: [MASTER]
group: [MASTER]
others: []
ROLE_USER:
own: [VIEW, EDIT, CREATE]
group: [VIEW]
others: []
"Acme\\AcmeBundle\\User":
# rights for ROLE_SUPERADMIN are derived from 'global'
ROLE_ADMIN:
own:
VIEW: [login, email, real_name, properties, group_id]
EDIT: [login, password, email, real_name, properties]
CREATE: true
group:
VIEW: [login, email, real_name, properties]
EDIT: [login, password, email, real_name, properties]
# rights for ROLE_ADMIN/others are derived from 'global'
ROLE_USER:
own:
VIEW: [login, password, email, real_name, properties]
EDIT: [password, email, real_name, properties]
group: []
# rights for ROLE_USER/others are derived from 'global'
"Acme\\AcmeBundle\\Cake":
# most rights are derived from global here.
ROLE_ADMIN:
others: [VIEW]
ROLE_USER:
own: [VIEW]
others: [VIEW]
And finally usage example. Somewhere in controller:
$cake = Acme\AcmeBundle\CakeFactory->produce('strawberry', '1.3kg');
$securityContext = $this->get('security.context');
if ($securityContext->isGranted('EAT', $cake)) {
die ("The cake is a lie");
}
when creating a group, create role ROLE_GROUP_(group id), promote group with this role, and grant permissions with rolesecurityidentity
Related
I'll try to explain my problem.
I have recently started a new projet and wanted to implement a reset password functionnality.
Everything seems to work except the generation of the url which is send by email.
picture of my URL
My URL should look like this : http://localhost/projectName/public/reset-password/reset/xOdfPc0iGC7nmReqX02jcemgX4EIlt2tb5vNYgTZ
But the "/projectName/public/" is missing.
I don't understand what i did wrong.
Here is my twig template for the email :
<h1>Bonjour !</h1>
<p>Pour réinitialiser votre mot de passe, merci de vous rendre sur le lien suivant</p>
{{ url('app_reset_password', { token: resetToken.token }) }}
<p>Ce lien expirera dans {{ resetToken.expirationMessageKey|trans(resetToken.expirationMessageData, 'ResetPasswordBundle') }}.</p>
<p>A bientôt !</p>
Here is the function in the controller that generates the templated email :
private function processSendingPasswordResetEmail(string $emailFormData, MailerInterface $mailer, TranslatorInterface $translator): RedirectResponse
{
$user = $this->entityManager->getRepository(User::class)->findOneBy([
'email' => $emailFormData,
]);
// Do not reveal whether a user account was found or not.
if (!$user) {
return $this->redirectToRoute('app_check_email');
}
try {
$resetToken = $this->resetPasswordHelper->generateResetToken($user);
} catch (ResetPasswordExceptionInterface $e) {
// If you want to tell the user why a reset email was not sent, uncomment
// the lines below and change the redirect to 'app_forgot_password_request'.
// Caution: This may reveal if a user is registered or not.
//
// $this->addFlash('reset_password_error', sprintf(
// '%s - %s',
// $translator->trans(ResetPasswordExceptionInterface::MESSAGE_PROBLEM_HANDLE, [], 'ResetPasswordBundle'),
// $translator->trans($e->getReason(), [], 'ResetPasswordBundle')
// ));
return $this->redirectToRoute('app_check_email');
}
$email = (new TemplatedEmail())
->from(new Address('assistance#asintel.com', 'AS Intel - Assistance'))
->to($user->getEmail())
->subject('Your password reset request')
->htmlTemplate('reset_password/email.html.twig')
->context([
'resetToken' => $resetToken,
])
;
$mailer->send($email);
// Store the token object in session for retrieval in check-email route.
$this->setTokenObjectInSession($resetToken);
return $this->redirectToRoute('app_check_email');
}
And this is the function with app_reset_password route :
/**
* Validates and process the reset URL that the user clicked in their email.
*
* #Route("/reset/{token}", name="app_reset_password")
*/
public function reset(Request $request, UserPasswordHasherInterface $userPasswordHasher, TranslatorInterface $translator, string $token = null): Response
{
if ($token) {
// We store the token in session and remove it from the URL, to avoid the URL being
// loaded in a browser and potentially leaking the token to 3rd party JavaScript.
$this->storeTokenInSession($token);
return $this->redirectToRoute('app_reset_password');
}
$token = $this->getTokenFromSession();
if (null === $token) {
throw $this->createNotFoundException('No reset password token found in the URL or in the session.');
}
try {
$user = $this->resetPasswordHelper->validateTokenAndFetchUser($token);
} catch (ResetPasswordExceptionInterface $e) {
$this->addFlash('reset_password_error', sprintf(
'%s - %s',
$translator->trans(ResetPasswordExceptionInterface::MESSAGE_PROBLEM_VALIDATE, [], 'ResetPasswordBundle'),
$translator->trans($e->getReason(), [], 'ResetPasswordBundle')
));
return $this->redirectToRoute('app_forgot_password_request');
}
// The token is valid; allow the user to change their password.
$form = $this->createForm(ChangePasswordFormType::class);
$form->handleRequest($request);
if ($form->isSubmitted() && $form->isValid()) {
// A password reset token should be used only once, remove it.
$this->resetPasswordHelper->removeResetRequest($token);
// Encode(hash) the plain password, and set it.
$encodedPassword = $userPasswordHasher->hashPassword(
$user,
$form->get('plainPassword')->getData()
);
$user->setPassword($encodedPassword);
$this->entityManager->flush();
// The session is cleaned up after the password has been changed.
$this->cleanSessionAfterReset();
return $this->redirectToRoute('main_index');
}
return $this->render('reset_password/reset.html.twig', [
'resetForm' => $form->createView(),
]);
}
Does someone have an idea what i should do to fix this problem ?
Thanks a lot
I have a Symfony login form authenticating against an Ldap server. I can successfully query and authenticate a user using either samaccountname or userprincipalname and the uid key in my config settings. I want to be able to allow the user to enter either their username or their username#domain.com
I have tried a preg_replace on the username in the loadUserbyUsername() method in the LdapUserProviderClass (I know is not ideal). That takes a username such as username#domain.com and passes on username. I was able to verify that the correct user was returned from the Ldap server but I'm still returned to the login form with 'Invalid Credentials'. I believe the reason why this happens in the AuthenticationUtils class request is processed and the username in the request is still username#domain.com and that does not match the username in the user object coming from the Ldap authentication which is username. If anyone has advice on how to accomplish allowing both username#domain.com and username being authenticated against Ldap I would greatly appreciate it.
SecurityController.php
public function login(Request $request, AuthenticationUtils $authenticationUtils): Response
{
// get the login error if there is one
$error = $authenticationUtils->getLastAuthenticationError();
// last username entered by the user
$lastUsername = $authenticationUtils->getLastUsername();
$newLastUsername = trim(preg_replace('/#.*/', '',$lastUsername));
return $this->render('security/login.html.twig', ['last_username' => $newLastUsername, 'error' => $error]);
}
security.yml
providers:
dsg_ldap:
ldap:
service: Symfony\Component\Ldap\Ldap
base_dn: '%env(BASE_DSN)%'
search_dn: '%env(SEARCH_DN)%'
search_password: '%env(SEARCH_PWD)%'
uid_key: '%env(UID_KEY)%'
#filter: '({uid_key}={_username})'
default_roles: ROLE_USER
firewalls:
dev:
pattern: ^/(_(profiler|wdt)|css|images|js)/
security: false
main:
anonymous: ~
form_login_ldap:
login_path: login
check_path: login
service: Symfony\Component\Ldap\Ldap
provider: dsg_ldap
dn_string: '%env(DN_STRING)%\{username}'
My LdapUserProvider.php
class LdapUserProvider extends SymfonyLdapUserProvider
{
/** #var array maps ldap groups to roles */
private $groupMapping = [
'**' => '**',
'**' => '**',
'**' => '**',
'**' => '**'
];
/** #var string extracts group name from dn string */
private $groupNameRegExp = '/CN=(.+?),/';
protected function loadUser($username, Entry $entry)
{
$roles = ['ROLE_USER'];
// Check if the entry has attribute with the group
if (!$entry->hasAttribute('memberOf')) {
return new User($username, '', $roles);
}
// Iterate through each group entry line
foreach ($entry->getAttribute('memberOf') as $groupLine) {
// Extract the group name from the line
$groupName = $this->getGroupName($groupLine);
// Check if the group is in the mapping
if (array_key_exists($groupName, $this->groupMapping)) {
// Map the group to the role(s) the user will have
$roles[] = $this->groupMapping[$groupName];
}
}
// Create and return the user object
return new User($username, null, $roles);
}
/**
* Get the group name from the DN
* #param string $dn
* #return string
*/
private function getGroupName($dn)
{
$matches = [];
return preg_match($this->groupNameRegExp, $dn, $matches) ? $matches[1] : '';
}
}
Symfony\Component\Security\Core\User\LdapUserProvider.php
public function loadUserByUsername($username)
{
try {
$this->ldap->bind($this->searchDn, $this->searchPassword);
// what i added
$username = trim(preg_replace('/#.*/', '',$username));
$username = $this->ldap->escape($username, '', LdapInterface::ESCAPE_FILTER);
$query = str_replace('{username}', $username, $this->defaultSearch);
$search = $this->ldap->query($this->baseDn, $query);
} catch (ConnectionException $e) {
throw new UsernameNotFoundException(sprintf('User "%s" not found.', $username), 0, $e);
}
$entries = $search->execute();
$count = \count($entries);
if (!$count) {
throw new UsernameNotFoundException(sprintf('User "%s" not found.', $username));
}
if ($count > 1) {
throw new UsernameNotFoundException('More than one user found');
}
$entry = $entries[0];
try {
if (null !== $this->uidKey) {
$username = $this->getAttributeValue($entry, $this->uidKey);
}
} catch (InvalidArgumentException $e) {
}
return $this->loadUser($username, $entry);
}
In the loadUserByUsername function, add another query if the first one fails. Your $this->defaultSearch is probably a constant which represents an LDAP filter.
If you create the same line in the first if (!$count) {...} like this:
$query = str_replace('{username}', $username, "(userPrincipalName={username})");
and then execute that query, you are performing a second search for the userPrincipalName which is of the form user#domain
I am trying to reproduce the behaviour of the facebook batch requests function on their graph api.
So I think that the easiest solution is to make several requests on a controller to my application like:
public function batchAction (Request $request)
{
$requests = $request->all();
$responses = [];
foreach ($requests as $req) {
$response = $this->get('some_http_client')
->request($req['method'],$req['relative_url'],$req['options']);
$responses[] = [
'method' => $req['method'],
'url' => $req['url'],
'code' => $response->getCode(),
'headers' => $response->getHeaders(),
'body' => $response->getContent()
]
}
return new JsonResponse($responses)
}
So with this solution, I think that my functional tests would be green.
However, I fill like initializing the service container X times might make the application much slower. Because for each request, every bundle is built, the service container is rebuilt each time etc...
Do you see any other solution for my problem?
In other words, do I need to make complete new HTTP requests to my server to get responses from other controllers in my application?
Thank you in advance for your advices!
Internally Symfony handle a Request with the http_kernel component. So you can simulate a Request for every batch action you want to execute and then pass it to the http_kernel component and then elaborate the result.
Consider this Example controller:
/**
* #Route("/batchAction", name="batchAction")
*/
public function batchAction()
{
// Simulate a batch request of existing route
$requests = [
[
'method' => 'GET',
'relative_url' => '/b',
'options' => 'a=b&cd',
],
[
'method' => 'GET',
'relative_url' => '/c',
'options' => 'a=b&cd',
],
];
$kernel = $this->get('http_kernel');
$responses = [];
foreach($requests as $aRequest){
// Construct a query params. Is only an example i don't know your input
$options=[];
parse_str($aRequest['options'], $options);
// Construct a new request object for each batch request
$req = Request::create(
$aRequest['relative_url'],
$aRequest['method'],
$options
);
// process the request
// TODO handle exception
$response = $kernel->handle($req);
$responses[] = [
'method' => $aRequest['method'],
'url' => $aRequest['relative_url'],
'code' => $response->getStatusCode(),
'headers' => $response->headers,
'body' => $response->getContent()
];
}
return new JsonResponse($responses);
}
With the following controller method:
/**
* #Route("/a", name="route_a_")
*/
public function aAction(Request $request)
{
return new Response('A');
}
/**
* #Route("/b", name="route_b_")
*/
public function bAction(Request $request)
{
return new Response('B');
}
/**
* #Route("/c", name="route_c_")
*/
public function cAction(Request $request)
{
return new Response('C');
}
The output of the request will be:
[
{"method":"GET","url":"\/b","code":200,"headers":{},"body":"B"},
{"method":"GET","url":"\/c","code":200,"headers":{},"body":"C"}
]
PS: I hope that I have correctly understand what you need.
There are ways to optimise test-speed, both with PHPunit configuration (for example, xdebug config, or running the tests with the phpdbg SAPI instead of including the Xdebug module into the usual PHP instance).
Because the code will always be running the AppKernel class, you can also put some optimisations in there for specific environments - including initiali[zs]ing the container less often during a test.
I'm using one such example by Kris Wallsmith. Here is his sample code.
class AppKernel extends Kernel
{
// ... registerBundles() etc
// In dev & test, you can also set the cache/log directories
// with getCacheDir() & getLogDir() to a ramdrive (/tmpfs).
// particularly useful when running in VirtualBox
protected function initializeContainer()
{
static $first = true;
if ('test' !== $this->getEnvironment()) {
parent::initializeContainer();
return;
}
$debug = $this->debug;
if (!$first) {
// disable debug mode on all but the first initialization
$this->debug = false;
}
// will not work with --process-isolation
$first = false;
try {
parent::initializeContainer();
} catch (\Exception $e) {
$this->debug = $debug;
throw $e;
}
$this->debug = $debug;
}
My question could be a duplicate of this one, but I can't find any satisfying answer so I will try to make this one more precise.
I am building an import service from an other API. And I don't want any duplicate in my new database.
So here an example of my current implementation:
The Controller:
public function mainAction ()
{
$em = $this->getDoctrine()->getManager();
$persons_data = [
[
'first_name' => 'John',
'last_name' => 'Doe'
],
[
'first_name' => 'John',
'last_name' => 'Doe'
]
];
$array = [];
foreach($persons_data as $person_data)
{
$person = $this->get('my_service')->findOrCreatePerson($person_data);
$array[] = $person;
}
$em->flush();
return new Response();
}
A service function:
public function findOrCreatePerson ($data)
{
$em = $this->em;
$person = $em->getRepository('AppBundle:Person')->findOneBy([
'first_name' => $data['first_name'],
'last_name' => $data['last_name']
]);
if(is_null($person)) {
$person = new Person();
$person->setFirstName($data['first_name']);
$person->setLastName($data['last_name']);
$em->persist($person);
}
return $person
}
I tried to make it as simple as possible.
As you can see, I would like to make only one DB transaction to get some performance improvements.
Problem is, if I don't flush at the end of the findOrCreatePerson() method, the query to the Person repository won't find the first object and will create duplicates in the database.
My question is simple: How should I implement such a thing?
This is a job for memoize!
// Cache
private $persons = [];
public function findOrCreatePerson ($data)
{
// Need unique identifier for persons
$personKey = $data['first_name'] . $data['last_name'];
// Already processed ?
if (isset($this->persons[$personKey])) {
return $this->persons[$personKey];
}
$em = $this->em;
$person = $em->getRepository('AppBundle:Person')->findOneBy([
'first_name' => $data['first_name'],
'last_name' => $data['last_name']
]);
if(is_null($person)) {
$person = new Person();
$person->setFirstName($data['first_name']);
$person->setLastName($data['last_name']);
$em->persist($person);
}
// Cache
$this->persons[$personKey] = $person;
return $person
}
Cerad's answer (memoization) is a good one, but I'd encourage you to reconsider something.
As you can see, I would like to make only one DB transaction to get some performance improvements.
And there are a few things wrong with that sentence.
The main one is that you're conflating flush() with a single, atomic transaction. You can manually manage transaction boundaries, and it's often very advantageous to do so.
The second thing is that when you're talking about bulk imports, you'll quickly learn that the first performance issue you hit is not the database at all. It's the the EntityManager itself. As the EM's internal identity map gets swollen, computing changes to persist to the DB gets very, very slow.
I'd consider rewriting your core loop as follows, and see if it's fast enough. Only then consider memoization if necessary.
$em->beginTransaction();
foreach($persons_data as $person_data)
{
$person = $this->get('my_service')->findOrCreatePerson($person_data);
$em->flush();
$em->clear(); // don't keep previously inserted entities in the EM.
}
$em->commit();
I have just installed and configured the payum bundle. I am having an exception:
Request SecuredCaptureRequest{model: Payment} is not supported.
It occurs after the redirect in the preparePaypalExpressCheckoutPaymentAction in the PaymentController.
Payum config:
payum:
contexts:
payment_with_paypal_express:
storages:
Service\Bundle\PaymentBundle\Entity\Payment:
doctrine:
driver: orm
paypal_express_checkout_nvp:
api:
options:
username: %paypal.express.username%
password: %paypal.express.password%
signature: %paypal.express.signature%
sandbox: %paypal.express.sandbox%
security:
token_storage:
Service\Bundle\PaymentBundle\Entity\PayumSecurityToken:
doctrine:
driver: orm
Payment controller:
class PaymentController extends HelperController
{
public function preparePaypalExpressCheckoutPaymentAction()
{
$paymentName = 'payment_with_paypal_express';
$storage = $this->get('payum')->getStorageForClass(
'Service\Bundle\PaymentBundle\Entity\Payment',
$paymentName
);
# ---- Set payment details below
$package = $this->getPackageRepository()->loadOneByAliasAndDuration(Package::TYPE_SUBSCRIPTION,1);
$accountPackages = new ArrayCollection();
$accountPackages->add((new AccountPackage())->setPackage($package)->setQuantity(1));
/**
* #var Payment $payment
*/
$payment = $storage->createModel();
# Account must be set first, packages must be set before paid attribute
$payment->setAccount($this->getAccount())
->setPackages($accountPackages)
->setPaid(false);
# ---- Set payment details above
$storage->updateModel($payment);
$captureToken = $this->get('payum.security.token_factory')->createCaptureToken(
$paymentName,
$payment,
'service_payment_done' // the route to redirect after capture;
);
$payment->setReturnUrl($captureToken->getTargetUrl())
->setCancelUrl($captureToken->getTargetUrl());
$storage->updateModel($payment);
return $this->redirect($captureToken->getTargetUrl());
}
public function paymentDoneAction(Request $request)
{
$token = $this->get('payum.security.http_request_verifier')->verify($request);
$payment = $this->get('payum')->getPayment($token->getPaymentName());
# $paymentDetails = $token->getDetails();
$status = new BinaryMaskStatusRequest($token);
$payment->execute($status);
if ($status->isSuccess()) {
$this->getUser()->addCredits(100);
$this->get('session')->getFlashBag()->set(
'notice',
'Payment success. Credits were added'
);
}
else if ($status->isPending()) {
$this->get('session')->getFlashBag()->set(
'notice',
'Payment is still pending. Credits were not added'
);
}
else {
$this->get('session')->getFlashBag()->set('error', 'Payment failed');
}
return $this->redirect('service_home');
}
}
Does someone have any hints what I am doing wrong? In the official documentation the payment details were presented as an object/array (a little confusing), but in my controller I made it an object, any thoughts there?
I worked it out. Forgot to extend my Payment details with ArrayObject from Payum:)