How to setup an ACL within modules

Hi,

I am not able to setup a existing ACL list to secure my backend. Do I have to put it into the bootstrap or the Module.php? And do I have to define the module in my resource list like this:

         $privateResources = array(
            'backend' => array(
                'administration' => array(
                    'index',
                )
            ),
            'frontend' => array(
            )
        );

Thanks!

edited Jul '16

What you mean ? Into bootstrap, but currently phalcon don't have anything for securing controllers and/or actions if you mean this. There is waiting PR for 2.1.x with firewall based on acl/annotations but it will be postpone to 2.2.x/3.0.x. But you can add some code dispatcher event beforeExecuteRoute to check it yourself if user has acess or not.



4.3k
edited Jul '16

Hi, @jurigag. With securing I just meant securing from login ;) (https://docs.phalconphp.com/en/latest/reference/acl.html)

I just switched to a module system where I separate the backend from the frontend. Before that, I already used a working security plugin to secure the logged in area. But now I don't know how to transfer it to the module system. For example, do I have to setup two different plugins for backend and frontend or can I combine it to one?

I don't know. Just check/edit security plugin and that's it. By default phalcon don't have any security mechanism to secure logging or something. Just do whatever you want mean :)

For example in dispatch listener i have code like this:

        $moduleName = $dispatcher->getModuleName();
        $controllerName = lcfirst($dispatcher->getControllerName());
        $resourceName = "$moduleName:$controllerName";
        if (!$this->securityService->checkAcl($resourceName, $action)) {
            // TODO : change this to forbidden exception when it will be implemented in phalcon
            // throw new ForbiddenException("Nie posiadasz wystarczających uprawnień do danej akcji.");
            $response = new Response();
            $response->setStatusCode(403);
            $response->setJsonContent(['error' => 'Nie posiadasz wystarczających uprawnień do danej akcji.']);
            $dispatcher->setReturnedValue($response);
            return false;
        }


4.3k

But where to put the code?

I have the modules:

class Module implements ModuleDefinitionInterface {

        public function registerServices(DiInterface $di) {
          $di->set('dispatcher', function () use ($di) {
          $eventsManager = new EventsManager;
          $eventsManager->attach('dispatch:beforeDispatch', new SecurityPlugin);
          $dispatcher = new Dispatcher;
          $dispatcher->setEventsManager($eventsManager);
          return $dispatcher;
        });
        }   
}

And I have the bootstrap (index.php):

    try {
  require '../vendor/autoload.php';

  $di = new FactoryDefault();

      $di->set('dispatcher', function () use ($di) {
          $eventsManager = new EventsManager;
          $eventsManager->attach('dispatch:beforeDispatch', new SecurityPlugin);
          $dispatcher = new Dispatcher;
          $dispatcher->setEventsManager($eventsManager);
          return $dispatcher;
        });

  $application = new Application($di);

  $application->registerModules([
      'frontend' => [
          'className' => 'Run\Frontend\Module',
          'path' => '../app/frontend/Module.php'
      ],
      'backend' => [
          'className' => 'Run\Backend\Module',
          'path' => '../app/backend/Module.php'
      ]
  ]);

  require '../app/services/filters.php';

  echo $application->handle()->getContent();
      } catch (\Exception $e) {
    echo "Exception: ", $e->getMessage();
    }

To securityPlugin obviously :) Just edit it to working with multi-modules and that's it.