Zend Framework 2 - Global Check for Authentication with Zfcuser

Zend Framework 2 - Global check for authentication with ZFCUser

To be honest, I don't think it is a good idea to block every page for a non-authenticated user. How would you access the login page?

That said, you must know the page being accessed to make a whitelist of pages accessible to anonymous visitors. To start, I'd suggest including the login page. The easiest way to check pages is by their route, so check the currently matched route against the whitelist. If blocked, act on it; otherwise, do nothing.

An example would be inside the Module.php of a module, for example your application:

namespace Application;

use Zend\Mvc\MvcEvent;
use Zend\Mvc\Router\RouteMatch;

class Module
{
    protected $whitelist = array('zfcuser/login');

    public function onBootstrap($e)
    {
        $app = $e->getApplication();
        $em  = $app->getEventManager();
        $sm  = $app->getServiceManager();

        $list = $this->whitelist;
        $auth = $sm->get('zfcuser_auth_service');

        $em->attach(MvcEvent::EVENT_ROUTE, function($e) use ($list, $auth) {
            $match = $e->getRouteMatch();

            // No route match, this is a 404
            if (!$match instanceof RouteMatch) {
                return;
            }

            // Route is whitelisted
            $name = $match->getMatchedRouteName();
            if (in_array($name, $list)) {
                return;
            }

            // User is authenticated
            if ($auth->hasIdentity()) {
                return;
            }

            // Redirect to the user login page, as an example
            $router = $e->getRouter();
            $url = $router->assemble(array(), array(
                'name' => 'zfcuser/login'
            ));

            $response = $e->getResponse();
            $response->getHeaders()->addHeaderLine('Location', $url);
            $response->setStatusCode(302);

            return $response;
        }, -100);
    }
}

Zend Framework 2. ZfcUser. Authentication error with right email/pass when i added new element in login form

I found the solution! :)

I forgot to specify a filter for this checkbox with required=false:

$sharedEvents->attach('ZfcUser\Form\LoginFilter', 'init', function($e) {
    /* @var $filter \ZfcUser\Form\LoginFilter */
    $filter = $e->getTarget();

    // Custom field keep_signed_in
    $filter->add(array(
        'name'     => 'keep_signed_in',
        'required' => false,
    ));
});

zfcuser - whitelist routes and all childroutes

You may protect access to the admin area by checking each controller name instead of checking route names. Thus you may control users' access with less effort, and it is more portable than checking route names.

List the controllers where you want to limit access, so that everything related to a controller is restricted. Wherever you need to restrict access, just list them here. You do not need to get your hands dirty with the onBootstrap() method anymore.

protected $whitelist = array(
    'ZfcUser\Controller\User', // or use 'zfcuser'
);

Put the right controller name in the $whitelist. You can get that by echoing $controller in the onBootstrap() method. Please check out the commented area below.

Next, catch the controller name and then check whether it is listed in your list or not.

public function onBootstrap(MvcEvent $e)
{
    $app = $e->getApplication();
    $em  = $app->getEventManager();
    $sm  = $app->getServiceManager();

    $list = $this->whitelist;
    $auth = $sm->get('zfcuser_auth_service');

    $em->attach(MvcEvent::EVENT_ROUTE, function($e) use ($list, $auth) {

        // no route match means a 404, so there is nothing to restrict
        $match = $e->getRouteMatch();
        if (!$match) {
            return;
        }

        // get the current route
        $route = $match->getMatchedRouteName();

        // check for 'zfcuser/login' and 'zfcuser/register' routes
        if (in_array($route, array('zfcuser/login', 'zfcuser/register'))) {
            return;
        }

        // get the current controller name
        $controller = $match->getParam('controller');

        // Check the right controller name by echoing
        // echo $controller;

        // check if a user has access on the current controller
        if (in_array($controller, $list)) {

            if (! $auth->hasIdentity()) {

                $router = $e->getRouter();
                $url = $router->assemble(array(), array(
                    'name' => 'zfcuser/login'
                ));

                $response = $e->getResponse();
                $response->getHeaders()->addHeaderLine('Location', $url);
                $response->setStatusCode(302);

                return $response;
            }
        }

    }, -100);
}

Let us know if it helps you!
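The listener above only restricts controllers that appear in its list, so any controller that is not listed stays reachable anonymously, and an exact route-name check misses child routes (the point of the question title). The following is an added example, not code from any of the answers, that inverts the rule to deny by default and treats a whitelisted parent name as covering all of its child routes; the route names 'home' and 'zfcuser' and the Application module layout are assumptions.

```php
<?php
namespace Application;

use Zend\Mvc\MvcEvent;
use Zend\Mvc\Router\RouteMatch;

class Module
{
    // Routes that anonymous visitors may reach (constructed example values).
    // A bare parent name such as 'zfcuser' admits every child route under it
    // ('zfcuser/login', 'zfcuser/register', ...); 'home' admits only that route.
    protected $whitelist = array('home', 'zfcuser');

    // Exact match, or the route is a child of a whitelisted parent (ZF2 names
    // child routes 'parent/child'). The prefix test requires the '/' separator
    // so that 'zfcuser' does not accidentally admit a route named 'zfcuserx'.
    public static function isWhitelisted($routeName, array $whitelist)
    {
        foreach ($whitelist as $allowed) {
            if ($routeName === $allowed || strpos($routeName, $allowed . '/') === 0) {
                return true;
            }
        }
        return false;
    }

    public function onBootstrap(MvcEvent $e)
    {
        $app  = $e->getApplication();
        $auth = $app->getServiceManager()->get('zfcuser_auth_service');
        $list = $this->whitelist;

        $app->getEventManager()->attach(MvcEvent::EVENT_ROUTE, function (MvcEvent $e) use ($list, $auth) {
            $match = $e->getRouteMatch();
            if (!$match instanceof RouteMatch) {
                return; // no match: let the normal 404 handling run
            }
            if (Module::isWhitelisted($match->getMatchedRouteName(), $list) || $auth->hasIdentity()) {
                return;
            }
            // Deny by default: anything not whitelisted needs an identity.
            // Returning a Response from the route listener short-circuits dispatch.
            $url = $e->getRouter()->assemble(array(), array('name' => 'zfcuser/login'));
            $response = $e->getResponse();
            $response->getHeaders()->addHeaderLine('Location', $url);
            $response->setStatusCode(302);
            return $response;
        }, -100);
    }
}
```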

Zend Framework 2 - ZFCUser - How to exclude landing page from auth

If you insist on checking authentication in the onBootstrap method you could do something like this:

use Zend\Mvc\MvcEvent;
use Zend\Mvc\Router\RouteMatch;

class Module
{
    protected $whitelist = array(
        'zfcuser/login'      => array('login'),
        'your-landing-route' => array('your-landing-action'),
    );

    public function onBootstrap($e)
    {
        $app = $e->getApplication();
        $em  = $app->getEventManager();
        $sm  = $app->getServiceManager();

        $list = $this->whitelist;
        $auth = $sm->get('zfcuser_auth_service');

        $em->attach(MvcEvent::EVENT_ROUTE, function($e) use ($list, $auth) {
            $match = $e->getRouteMatch();

            // No route match, this is a 404
            if (!$match instanceof RouteMatch) {
                return;
            }

            // Route and action are whitelisted
            $routeName = $match->getMatchedRouteName();
            $action    = $match->getParam("action");

            if (array_key_exists($routeName, $list) && in_array($action, $list[$routeName])) {
                return;
            }

            // User is authenticated
            if ($auth->hasIdentity()) {
                return;
            }

            // Redirect to the user login page, as an example
            $router = $e->getRouter();
            $url = $router->assemble(array(), array(
                'name' => 'zfcuser/login'
            ));

            $response = $e->getResponse();
            $response->getHeaders()->addHeaderLine('Location', $url);
            $response->setStatusCode(302);

            return $response;
        }, -100);
    }
}

I've just changed the code a little bit so your whitelist also contains specific actions. Then we can check the action parameter to be a little bit more specific with your whitelisting.

I don't know if this is the best way to do it, I'm just showing you how you can do it.

I don't think you even need to check authentication when using BjyAuthorize, as you can just use resource checks. If a user has anything other than a guest role then they are a real user and are authenticated. Again, I'm not 100% on that, but I do know that I don't use ZfcUser authentication checks in my application which uses BjyAuthorize. I just use route guards to specify the role level needed for a particular route.

Maybe somebody else could clarify this?
