
Commit 5002d3d

committed
add ACL-based identity validation to the authenticator
- Introduce `AuthenticatorTrait` to verify user permissions against configured customer and backoffice ACL resources during login. - Configure the DI extension to inject the `FancyAdmin` service into the authenticator to facilitate resource lookups.
1 parent 954decf commit 5002d3d

2 files changed

Lines changed: 35 additions & 0 deletions


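--- a/src/DI/FancyAdminExtension.php
+++ b/src/DI/FancyAdminExtension.php
@@ -16,6 +16,7 @@
 use ADT\FancyAdmin\Model\Entities\Profile;
 use ADT\FancyAdmin\Model\Entities\ProfileTrait;
 use ADT\FancyAdmin\Model\FancyAdmin;
+use ADT\FancyAdmin\Model\Security\Authenticator;
 use ADT\FancyAdmin\Model\Security\SecurityUser;
 use ADT\FancyAdmin\UI\Components\Controls\SidePanel\SidePanelControl;
 use ADT\FancyAdmin\UI\Components\Controls\SidePanel\SidePanelControlFactory;
@@ -134,6 +135,9 @@ public function beforeCompile(): void
 $securityUserDef = $builder->getDefinitionByType(SecurityUser::class);
 $securityUserDef->addSetup('setFullDataAclResource', [$this->config->fullDataAclResource]);
 $securityUserDef->addSetup('setBackofficeAclResource', [$this->config->backofficeAclResource]);
+
+$authenticatorDef = $builder->getDefinitionByType(Authenticator::class);
+$authenticatorDef->addSetup('setFancyAdmin', [$this->prefix('@administration')]);
 }
 
 private function validateTraitInterfaceCompliance(): void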
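Review bot: The two added setup lines in beforeCompile() wire a dependency that the ACL check relies on, but nothing here says where `setFancyAdmin` comes from or why the lookup targets `@administration`; a short comment would save the next reader a search, e.g. `// setFancyAdmin() is declared by AuthenticatorTrait; validateIdentity() reads the ACL resources from this service`. The lookup is by type, so as far as I can tell from the page, `getDefinitionByType(Authenticator::class)` fails container compilation when the application does not register an Authenticator service, the same way the preceding SecurityUser lookup does, which seems intended but is worth stating in the comment. The enclosing beforeCompile() method starts outside this hunk.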
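--- /dev/null
+++ b/[path not shown on page]
@@ -0,0 +1,31 @@
+<?php
+
+declare(strict_types=1);
+
+namespace ADT\FancyAdmin\Model\Security;
+
+use ADT\DoctrineAuthenticator\OTP\Identity;
+use ADT\FancyAdmin\Model\FancyAdmin;
+use Nette\Security\AuthenticationException;
+
+trait AuthenticatorTrait
+{
+protected FancyAdmin $fancyAdmin;
+
+public function setFancyAdmin(FancyAdmin $fancyAdmin): void
+{
+$this->fancyAdmin = $fancyAdmin;
+}
+
+protected function validateIdentity(Identity $identity, ?string $context = null, array $metadata = []): void
+{
+/** @var \ADT\FancyAdmin\Model\Entities\Identity $identity */
+if (
+!$identity->isAllowed($this->fancyAdmin->getCustomerAclResource())
+&&
+!$identity->isAllowed($this->fancyAdmin->getBackofficeAclResource())
+) {
+throw new AuthenticationException('Nemáte oprávnění pro přihlášení');
+}
+}
+}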
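Review bot: validateIdentity() narrows `$identity` from the OTP `Identity` type to the FancyAdmin entity with a `@var` docblock only, so an identity of another implementation reaching this method would fail inside `isAllowed()` with a PHP Error rather than the intended AuthenticationException; a runtime guard before the check keeps the failure mode explicit, `if (!$identity instanceof \ADT\FancyAdmin\Model\Entities\Identity) { throw new AuthenticationException('Nemáte oprávnění pro přihlášení'); }`. The check itself fails closed (login is refused unless the customer or the backoffice ACL resource is allowed), which is the right default and deserves a one-line comment above the `if` saying so. `$fancyAdmin` is a typed property filled only by the setter, so the method throws an uninitialized-property Error if `setFancyAdmin()` was never called; the DI extension in this commit does call it, but a docblock on the trait should state that requirement. `$context` and `$metadata` are unused here, presumably to match the signature this method overrides, which a short `@param` note would make clear.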
