Releases: locomotivemtl/charcoal-user

charcoal-user 0.7.0

02 Mar 17:58

Key Features

Authorizer

Refactored Authorizer to extend an interface and an abstract class. The new AbstractAuthorizer provides a variety of new methods to check permissions against roles and ACL resources.

Old API

Internally, the old permission-checking methods (rolesAllowed() and userAllowed()) now delegate to the new methods (which fixes support for multiple roles) but preserve the default behavior of allowing access to everything.

New API

  • isRoleGrantedAll() — Check if access is granted to the role, and the resource, for all permissions.
    • allRolesGrantedAll() — Check if access is granted to all roles, and the resource, for all permissions.
    • anyRolesGrantedAll() — Check if access is granted to any one of the roles, and the resource, for all permissions.
    • isUserGranted() — Check if access is granted to the user's role(s), and the resource, for permissions.
  • isRoleGrantedAny() — Check if access is granted to the role, and the resource, for any one of the permissions.
    • allRolesGrantedAny() — Check if access is granted to all roles, and the resource, for any one of the permissions.
    • anyRolesGrantedAny() — Check if access is granted to any one of the roles, and the resource, for any one of the permissions.
  • isAllowed() — Check if the role has access to the resource and privilege.
  • hasRole() — Check if the role is registered.
  • inheritsRole() — Check if the role inherits from another role.
  • hasResource() — Check if the resource is registered.
  • inheritsResource() — Check if the resource inherits from another resource.

Example

Example #1

Using the new API with the default "charcoal" resource.

// Deny with 403 unless the user's role(s) are granted "edit" on the default resource.
if (!$authorizer->isUserGranted($user, Authorizer::DEFAULT_RESOURCE, 'edit')) {
    return $response->withStatus(403);
}

Example #2

public function isAuthorizedToManageOthers()
{
    $obj        = $this->obj();
    $objType    = $obj->objType();
    $authorizer = $this->authorizer();

    if ($authorizer->hasResource($objType)) {
        $user = $this->authenticator()->getUser();
        if ($user) {
            return $authorizer->isUserGranted($user, $objType, 'object/manage/others');
        }
    }

    return false;
}

protected function prepareAuthorship(ModelInterface $obj)
{
    $old    = $this->prevObj;
    $userId = $this->authenticator()->getUserId();

    if ($old->hasAuthor($userId) && !$obj->hasAuthor($userId)) {
        // Redirect if current user is no longer an author
        if (!$this->isAuthorizedToManageOthers()) {
            $url = $this->getObjectBrowseUrl();
            $url = $obj->renderTemplate($url);
            $this->setSuccessUrl($url);
        }
    }
}
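The difference between the "granted all" and "granted any" checks listed above is easy to get wrong, so here is an added illustration (not charcoal-user's own code) of the two semantics. It assumes the Authorizer's role/resource checks are backed by Zend\Permissions\Acl, whose hasRole()/inheritsRole()/hasResource()/inheritsResource() names match the new API; the role and permission names are constructed for the example.

```php
<?php
// Added illustration, not charcoal-user code. Assumes a Zend\Permissions\Acl
// backend; roles, resource and permission names below are constructed.
use Zend\Permissions\Acl\Acl;

$acl = new Acl();
$acl->addRole('guest');
$acl->addRole('editor', 'guest');   // editor inherits everything guest may do
$acl->addRole('admin', 'editor');
$acl->addResource('charcoal');

$acl->allow('guest',  'charcoal', 'view');
$acl->allow('editor', 'charcoal', 'edit');
$acl->allow('admin',  'charcoal', 'object/manage/others');

/** All-of semantics: every listed permission must be allowed for the role. */
function grantedAll(Acl $acl, string $role, string $resource, array $permissions): bool
{
    // Unknown role/resource is a deny rather than an exception (Acl::isAllowed()
    // throws on unregistered names, which is why Example #2 guards with hasResource()).
    if (!$acl->hasRole($role) || !$acl->hasResource($resource)) {
        return false;
    }
    // An empty permission list must not be vacuously "all granted".
    if ($permissions === []) {
        return false;
    }
    foreach ($permissions as $permission) {
        if (!$acl->isAllowed($role, $resource, $permission)) {
            return false;
        }
    }
    return true;
}

/** Any-of semantics: at least one listed permission must be allowed for the role. */
function grantedAny(Acl $acl, string $role, string $resource, array $permissions): bool
{
    if (!$acl->hasRole($role) || !$acl->hasResource($resource)) {
        return false;
    }
    foreach ($permissions as $permission) {
        if ($acl->isAllowed($role, $resource, $permission)) {
            return true;
        }
    }
    return false;
}

var_dump(grantedAll($acl, 'editor', 'charcoal', ['view', 'edit']));                  // inherited "view" plus own "edit"
var_dump(grantedAll($acl, 'editor', 'charcoal', ['edit', 'object/manage/others'])); // second permission is admin-only
var_dump(grantedAny($acl, 'editor', 'charcoal', ['edit', 'object/manage/others'])); // one match is enough
var_dump(grantedAll($acl, 'editor', 'unregistered', ['view']));                     // unknown resource denies
```

The closed-list "all" check and the open "any" check answer different questions; pick the former when a single endpoint requires several privileges at once.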

Complete commits list: 0.6.4...0.7.0

Deprecated:

  • rolesAllowed() in favour of anyRolesGrantedAll()
  • userAllowed() in favour of anyRolesGrantedAll() (via isUserGranted())
  • Authorizer resource option renamed to defaultResource

Fixed:

  • Type-hint AuthenticatorInterface instead of Authenticator

charcoal-user 0.6.4

02 Mar 17:58
1f9581d

Complete commits list: 0.6.3...0.6.4

Summary:

charcoal-user 0.6.3

02 Mar 17:58

Complete commits list: 0.6.2...0.6.3

Summary:

  • Added support for setting a token path (used by cookies) on an AuthToken

charcoal-user 0.6.2

02 Mar 17:58

Complete commits list: 0.6.1...0.6.2

Summary:

  • Fixed email comparison validation

charcoal-user 0.6.1

02 Mar 17:57
4b94348

Complete commits list: 0.6.0.3...0.6.1

Summary:

  • Fixed strict validation of email identifier
  • Fixed email comparison validation

charcoal-user 0.6.0

04 Nov 23:52
17a32ec

Key Features

Authenticator

Refactored Authenticator to centralize authentication and password-handling. Moved login/logout/session/cookie handling from other classes to new AbstractAuthenticator and AuthenticatorInterface classes.

Auth Tokens

Refactored AuthToken to allow easier customization through new AbstractAuthToken and AuthTokenInterface classes.

Authenticatable

Added AuthenticatableInterface and a companion trait to decouple access to the properties required for authentication. Charcoal is no longer hardcoded to "email" and "password", so developers can easily swap the user identifier for a concept like "username".

The Authenticator is dependent on AuthenticatableInterface instead of UserInterface.

The UserInterface now extends ModelInterface instead of ContentInterface (which is provided through AbstractUser's inheritance of Content).

BC Breaks

⚠️ This release WILL break your codebase

  • Login/logout/reset-password is handled by Authenticator instead of User
  • "Remember Me" feature is supported by the Authenticator
  • User models must support AuthenticatableInterface

Complete commits list: 0.5.2...0.6.0

Deprecated:

  • AuthTokenMetadata option "cookie_name" in favour of "token_name"
  • AuthTokenMetadata option "cookie_duration" in favour of "token_duration"

Added:

  • Method AbstractUser::validateLoginRequired() to check that the email address is compliant
  • Method AbstractUser::validateLoginUnique() to check that the email address is unique
  • Method AbstractAuthenticator::validateAuthentication() to allow sub-classes to customize requirements

charcoal-user 0.5.2

04 Nov 14:03

Complete commits list: 0.5.1.1...0.5.2

Summary:

  • Add container service "authorizer/acl", used by "authorizer"
  • Add trait AclAwareTrait
  • Clean up the SQL query in Acl\Manager (collapsed whitespace for easier reading in logs)

charcoal-user 0.5.1.1

08 Aug 12:43

Fix logout with a token

charcoal-user 0.5.1

07 Aug 02:36

Fix authentication with token (remember me)

charcoal-user 0.5.0

01 Aug 17:14

Use getFoo() instead of foo() as getters.
Use ArrayAccess for interacting with models and properties.