Security: IAuthorizator needs IIdentity #941

Open
wants to merge 6 commits into
base: master
from

Conversation

@enumag
Contributor

enumag commented Jan 28, 2013

See the RFC on the Nette forum (Czech only).

@fprochazka
Contributor

fprochazka commented Jan 28, 2013

👍 It could use a few tests :)

@enumag
Contributor Author

enumag commented Jan 28, 2013

@hosiplan: Basically it's enough to adjust the existing tests, but that will take a while. In the meantime, pls read the RFC. :-)

@hrach
hrach reviewed Jan 28, 2013
Nette/Security/Permission.php Outdated
@@ -644,68 +639,66 @@ public function isAllowed($role = self::ALL, $resource = self::ALL, $privilege =
$this->checkResource($resource);
}

foreach ($identity->getRoles() as $role) {
$this->checkRole($role);
if (NULL !== ($result = $this->isRoleAllowed($role, $resource, $privilege))) {
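
Review bot: in the `foreach ($identity->getRoles() as $role)` loop, the first role for which `isRoleAllowed()` returns a non-NULL result appears to decide the outcome (the body of the `if` is not visible here), so for an identity with several roles the answer would depend on the order in which `getRoles()` returns them. State the intended precedence in the docblock, or evaluate all roles and let an explicit deny win. `checkRole($role)` also runs inside the loop, so if it throws for an unregistered role, one unknown role on the identity aborts the whole check before the remaining roles are considered.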


@hrach

hrach Jan 28, 2013 Contributor

ugly coding style, we don't use this kind anywhere :)


@enumag

enumag Jan 28, 2013 Author Contributor

It's used in several places in Permission. I didn't like it, but I don't want to get into a complete refactoring of the Permission code.


@hrach

hrach Jan 28, 2013 Contributor

oh right, that's because David copied it from some other framework :D


@hrach

hrach Jan 28, 2013 Contributor

You have it in the header... it's from Zend :D


@enumag

enumag Jan 28, 2013 Author Contributor

I don't like the Permission implementation much overall. Actually, I'd most like to move the whole class out to addons. :-D

@Majkl578
Majkl578 reviewed Jan 28, 2013
Nette/Security/Permission.php Outdated
* @param string|Permission::ALL|IResource resource
* @param string|Permission::ALL privilege
* @throws Nette\InvalidStateException
* @return bool
*/
public function isAllowed($role = self::ALL, $resource = self::ALL, $privilege = self::ALL)
public function isAllowed(IIdentity $identity, $resource = self::ALL, $privilege = self::ALL)
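
Review bot: the new signature `isAllowed(IIdentity $identity, ...)` gives `$identity` no default, so a caller that has no identity (a guest) cannot invoke the check at all, and the docblock lines shown do not describe the new first parameter. If guests are meant to be authorizable, declare it as `IIdentity $identity = NULL`, add a `@param` line saying that NULL means guest, and write the parameter names with `$` (`$resource`, `$privilege`) so tooling picks them up.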


@Majkl578

Majkl578 Jan 28, 2013 Contributor

How about keeping backward compatibility and not requiring IIdentity via a typehint?


@enumag

enumag Jan 28, 2013 Author Contributor

Then the User class would have to somehow detect whether it has an IAuthorizator with the old interface or with the new one. It would be possible via reflection, but it would require a @param annotation of the first parameter with a typehint.

In any case, I don't like it; if anything, put it in the comments on the RFC as a proposal, and we'll see how many people are in favour.


@hrach

hrach Jan 28, 2013 Contributor

No backward compatibility!


@enumag

enumag Jan 28, 2013 Author Contributor

It wouldn't be complete anyway because of the changes I'm proposing for assertion callbacks, plus the removal of IRole. That's why a full BC break seems better to me.

@tomaswindsor
tomaswindsor reviewed Jan 30, 2013
Nette/Security/Permission.php Outdated
@@ -644,68 +649,75 @@ public function isAllowed($role = self::ALL, $resource = self::ALL, $privilege =
$this->checkResource($resource);
}

if (!$identity) { // quest


@tomaswindsor

tomaswindsor Jan 30, 2013 Contributor

It should be "guest", not "quest". The same problem applies to "questRole".


@enumag

enumag Jan 30, 2013 Author Contributor

Of course, thanks!

@Majkl578
Contributor

Majkl578 commented Jan 30, 2013

I've been thinking about this, and the direct coupling to IIdentity seems rather unnecessary to me, even undesirable.
I wonder whether something more general wouldn't be better, e.g. IRoleSet or IRolesProvider with a getRoles() method. IIdentity would either a) extend it, keeping the current behaviour, or b) not extend it, leaving the option of roles fully in the hands of the user (the programmer). The second variant would probably make more sense to me; I've done several projects myself where I didn't use roles at all and had to write a silly getRoles method returning an empty array. At the same time, it would still be no problem to use Permission completely independently of IIdentity/User (as has been the case until now, and which this pull request makes impossible).

Moved to the forum for discussion.

@Majkl578
Majkl578 reviewed Jan 30, 2013
Nette/Security/Permission.php Outdated
@@ -644,68 +649,75 @@ public function isAllowed($role = self::ALL, $resource = self::ALL, $privilege =
$this->checkResource($resource);
}

if (!$identity) { // quest
$roles = array($this->questRole);
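
Review bot: the guest branch under `if (!$identity)` assigns from `$this->questRole`, spelled with a q both there and in the `// quest` comment. Rename both to guest, compare with `$identity === NULL` instead of relying on a falsy check, and add a test that calls `isAllowed()` without an identity so the fallback role is actually exercised.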


@Majkl578

Majkl578 Jan 30, 2013 Contributor

Did you even test it? This wouldn't work at all, there is no questRole, only guestRole (see @tomaswindsor's comment above).


@enumag

enumag Jan 30, 2013 Author Contributor

Nope I did not test it yet.

@enumag
Contributor Author

enumag commented Feb 7, 2013

Please review.

@@ -16,8 +18,9 @@ require __DIR__ . '/../bootstrap.php';


Assert::exception(function() {
$identity = new Identity(1, array('nonexistent'));
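
Review bot: `new Identity(1, array('nonexistent'))` covers only an identity whose single role is unknown to the ACL. Add cases for an identity that mixes a registered role with an unregistered one and for an empty role array, so the tests pin down whether such identities raise an exception or are simply denied.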


@hrach

hrach Feb 7, 2013 Contributor

indentation.


@enumag

enumag Feb 7, 2013 Author Contributor

ups thanks :-)

@dg
Member

dg commented Mar 11, 2013

Yet another direction this could go: http://forum.nette.org/cs/13458-security-iauthorizator-a-identita#p99180

@enumag
Contributor Author

enumag commented Jun 26, 2013

@dg Even if the final implementation will be different, the first commit should be merged.

This is taking as long as I was afraid it would so I've already implemented this as an extension.

@redwormik

redwormik commented Jul 10, 2013

Hi there! I see two small User-related BC breaks:

  1. Logged in User which was given NULL identity by IAuthenticator (rare, I know) is now seen as logged out.
  2. getRoles() (and isInRole()) used to reflect whether the user was logged in, now they can use roles from IIdentity of logged out user.
@enumag
Copy link
Contributor Author

enumag commented Jul 10, 2013

@redwormik

  1. That's a bug. The login method should throw an exception if NULL was returned by the IAuthenticator.
  2. I didn't like the inconsistency that User::getRoles() and Identity::getRoles() had different return values but now that I think about it again it's probably better.

This pull request is probably not going to be merged so it's useless to push the fix here. I will fix both in my extension though.
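
The two points in this exchange come down to which roles reach the access check once login state and identity are tracked separately. As an added example (not part of this pull request or of Nette's code; `RolesProvider`, `SessionUser`, `effectiveRoles()` and the `$allow` table are hypothetical names, PHP 7.4+), a user object that refuses a NULL identity at login and passes only the guest role to the check after logout, even though the identity is still stored:

```php
<?php
// All names are hypothetical; this is not Nette's API. Requires PHP 7.4+.
interface RolesProvider { public function getRoles(): array; }

final class SessionUser
{
    private ?RolesProvider $identity = null;
    private bool $loggedIn = false;
    public function login(?RolesProvider $identity): void
    {
        if ($identity === null) { // authenticator returned nothing: refuse the login
            throw new InvalidArgumentException('Authenticator returned no identity.');
        }
        $this->identity = $identity;
        $this->loggedIn = true;
    }

    public function logout(): void
    {
        $this->loggedIn = false; // the identity stays stored, as it can in a session
    }

    /** @return string[] roles that may take part in an authorization decision */
    public function effectiveRoles(): array
    {
        return $this->loggedIn ? $this->identity->getRoles() : ['guest'];
    }
}

/** @param array<string, string[]> $allow role => permitted resources; unlisted means denied */
function isAllowed(array $allow, array $roles, string $resource): bool
{
    foreach ($roles as $role) {
        if (in_array($resource, $allow[$role] ?? [], true)) {
            return true;
        }
    }
    return false;
}

// Constructed sample: an editor logs in, then logs out while the identity is still stored.
$allow = ['guest' => ['article'], 'editor' => ['article', 'admin']];
$user = new SessionUser();
$user->login(new class implements RolesProvider {
    public function getRoles(): array { return ['editor']; }
});
var_dump(isAllowed($allow, $user->effectiveRoles(), 'admin'));
$user->logout();
var_dump(isAllowed($allow, $user->effectiveRoles(), 'admin'));
```

The access check only ever sees `effectiveRoles()`, so a stored identity cannot grant anything once the login flag is cleared.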

@dg dg removed this from the 2.2 milestone Jun 19, 2014