Second ZfcRbac Assertion is not working | ZF2
I added the following code in zfc_rbac.global.php:
    return [
        'zfc_rbac' => [
            'assertion_map' => [
                'isAuthorizedToAddUser' => 'Application\Assertions\WhoCanAddUser',
                'isBranchOrOrgIdPresentIfNotAdmin' => 'Application\Assertions\BranchOrOrgIdPresentIfNotAdmin'
            ]
        ]
    ];
And I used it inside the controller as shown below:
    if (! $this->authorizationService->isGranted('isBranchOrOrgIdPresentIfNotAdmin')) {
        throw new UnauthorizedException('You are not authorized to add this aaa!');
    }
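But it throws the exception even if I return true from the assert method. But if I replace isBranchOrOrgIdPresentIfNotAdmin with isAuthorizedToAddUser, it works fine. What could be wrong here? The second assertion class BranchOrOrgIdPresentIfNotAdmin is just a clone of the WhoCanAddUser class. Below is my WhoCanAddUser assertion class.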
    namespace Application\Assertions;

    use ZfcRbac\Assertion\AssertionInterface;
    use ZfcRbac\Service\AuthorizationService;
    use ZfcRbac\Exception\UnauthorizedException;
    use Zend\Session\Container;

    class WhoCanAddUser implements AssertionInterface
    {
        protected $notAuthorizedMessage = 'You are not authorized to add this user!';

        // Session container holding the organisation/branch context
        protected $org_session;

        public function __construct()
        {
            $this->org_session = new Container('org');
        }

        /**
         * Check if this assertion is true
         *
         * @param AuthorizationService $authorization
         * @param mixed $role
         *
         * @return bool
         */
        public function assert(AuthorizationService $authorization, $role = null)
        {
            return true; //added this for testing if true is working and it worked, but second assertion is not working!
            switch($authorization->getIdentity()->getRole()->getName()){
                case 'admin':
                    return true;
                    break;
                case 'owner':
                    if($role != 'member'){
                        throw new UnauthorizedException($this->notAuthorizedMessage);
                    }
                    return true;
                    break;
                default:
                    throw new UnauthorizedException($this->notAuthorizedMessage);
                    break;
            }
            if($authorization->getIdentity()->getRole()->getName() != 'admin' && !$this->org_session->offsetExists('branchId')){
                // Apostrophe escaped so the single-quoted string parses
                throw new \Zend\Session\Exception\RuntimeException('You need to be connected to an Organisation\'s branch before you can add members. Contact your Organisation Owner.');
            }
        }
    }
Am I missing something, given that the second assertion is not working at all?
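Just found out that the isBranchOrOrgIdPresentIfNotAdmin entry has to be inside the permission table, and that permission has to be assigned to the lower-level role inside the hierarchicalrole_permission table (the permission is then automatically given to the upper-level roles in a hierarchical manner), and it works fine for all roles.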
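The check order the answer points to, as an added example (a simplified model written for this page, not ZfcRbac's own code): isGranted looks up the role's permissions first and only then runs the mapped assertion, so an assertion that returns true cannot grant a permission that no role holds. The array layout and the helper function roleHasPermission are assumptions; the role and permission names come from the question.

```php
<?php
// Simplified model of the check order; NOT ZfcRbac's own code.
// Role and permission names come from the question; the data layout is assumed.

// role => child roles; a parent inherits every permission of its children.
$children = ['admin' => ['owner'], 'owner' => ['member'], 'member' => []];

// Stands in for the permission / hierarchicalrole_permission tables.
$rolePermissions = ['member' => ['isAuthorizedToAddUser']];

// permission => assertion callback (stands in for 'assertion_map').
$assertionMap = [
    'isAuthorizedToAddUser'            => function () { return true; },
    'isBranchOrOrgIdPresentIfNotAdmin' => function () { return true; },
];

function roleHasPermission($role, $permission, array $children, array $rolePermissions)
{
    $own = isset($rolePermissions[$role]) ? $rolePermissions[$role] : [];
    if (in_array($permission, $own, true)) {
        return true;
    }
    foreach ($children[$role] as $child) {
        if (roleHasPermission($child, $permission, $children, $rolePermissions)) {
            return true;
        }
    }
    return false;
}

function isGranted($role, $permission, array $children, array $rolePermissions, array $assertionMap)
{
    // Step 1: RBAC lookup. A missing permission denies before any assertion runs.
    if (!roleHasPermission($role, $permission, $children, $rolePermissions)) {
        return false;
    }
    // Step 2: the mapped assertion can only narrow a grant that already exists.
    return isset($assertionMap[$permission]) ? (bool) $assertionMap[$permission]() : true;
}

// Permission assigned to 'member' and inherited by 'owner'; the assertion then runs.
var_dump(isGranted('owner', 'isAuthorizedToAddUser', $children, $rolePermissions, $assertionMap));
// Assertion is mapped and returns true, but no role holds the permission yet.
var_dump(isGranted('owner', 'isBranchOrOrgIdPresentIfNotAdmin', $children, $rolePermissions, $assertionMap));

// Assign the second permission to the lowest role, as the answer describes.
$rolePermissions['member'][] = 'isBranchOrOrgIdPresentIfNotAdmin';
var_dump(isGranted('admin', 'isBranchOrOrgIdPresentIfNotAdmin', $children, $rolePermissions, $assertionMap));
```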