Zend Framework 2 - Global check for authentication with ZFCUser
To be honest, I don't think it is a good idea to block every page for a non-authenticated user. How would you access the login page?
That said, you must know the page being accessed, to make a whitelist of pages accessible for anonymous visitors. To start, I'd suggest to include the login page. You can check pages the easiest by using their route. So check the current matched route against the whitelist. If blocked, act upon. Otherwise, do nothing.
An example would be inside a Module.php from a module, for example your application:
namespace Application;

use Zend\Mvc\MvcEvent;
use Zend\Mvc\Router\RouteMatch;

class Module
{
    protected $whitelist = array('zfcuser/login');

    public function onBootstrap($e)
    {
        $app = $e->getApplication();
        $em  = $app->getEventManager();
        $sm  = $app->getServiceManager();

        $list = $this->whitelist;
        $auth = $sm->get('zfcuser_auth_service');

        $em->attach(MvcEvent::EVENT_ROUTE, function($e) use ($list, $auth) {
            $match = $e->getRouteMatch();

            // No route match, this is a 404
            if (!$match instanceof RouteMatch) {
                return;
            }

            // Route is whitelisted
            $name = $match->getMatchedRouteName();
            if (in_array($name, $list)) {
                return;
            }

            // User is authenticated
            if ($auth->hasIdentity()) {
                return;
            }

            // Redirect to the user login page, as an example
            $router = $e->getRouter();
            $url    = $router->assemble(array(), array(
                'name' => 'zfcuser/login'
            ));

            $response = $e->getResponse();
            $response->getHeaders()->addHeaderLine('Location', $url);
            $response->setStatusCode(302);

            return $response;
        }, -100);
    }
}
Zend Framework 2. ZfcUser. Authentication error with right email/pass when i added new element in login form
I found the solution! :)
I forgot to specify a filter for this checkbox with required=false:
// $sharedEvents is the shared event manager (e.g. obtained in onBootstrap())
$sharedEvents->attach('ZfcUser\Form\LoginFilter', 'init', function($e) {
    /* @var $filter \ZfcUser\Form\LoginFilter */
    $filter = $e->getTarget();

    // Custom field keep_signed_in
    $filter->add(array(
        'name'     => 'keep_signed_in',
        'required' => false,
    ));
});
zfcuser - whitelist routes and all childroutes
You may protect access to the admin area by checking each controller name instead of checking route names. Thus you may control users' accessibility with less effort, and it is more portable than checking route names.
List the controllers where you want to limit access. So everything related to a controller should be restricted. Wherever you need to restrict access, just list them here. You do not need to get your hands dirty with the onBootstrap() method anymore.

protected $whitelist = array(
    'ZfcUser\Controller\User', // or use 'zfcuser'
);

Put the right controller name in the $whitelist. You can get that by echoing $controller in the onBootstrap() method. Please check out the commented area below. Next, catch the controller name and then check whether it is listed in your list or not.
public function onBootstrap(MvcEvent $e)
{
    $app = $e->getApplication();
    $em  = $app->getEventManager();
    $sm  = $app->getServiceManager();

    $list = $this->whitelist;
    $auth = $sm->get('zfcuser_auth_service');

    $em->attach(MvcEvent::EVENT_ROUTE, function($e) use ($list, $auth) {
        $match = $e->getRouteMatch();

        // No route match (404): getRouteMatch() returns null, nothing to check
        if (!$match instanceof \Zend\Mvc\Router\RouteMatch) {
            return;
        }

        // get the current route
        $route = $match->getMatchedRouteName();

        // check for 'zfcuser/login' and 'zfcuser/register' routes
        if (in_array($route, array('zfcuser/login', 'zfcuser/register'))) {
            return;
        }

        // get the current controller name
        $controller = $match->getParam('controller');

        // Check the right controller name by echoing
        // echo $controller;

        // check if a user has access on the current controller
        if (in_array($controller, $list)) {
            if (!$auth->hasIdentity()) {
                $router = $e->getRouter();
                $url    = $router->assemble(array(), array(
                    'name' => 'zfcuser/login'
                ));

                $response = $e->getResponse();
                $response->getHeaders()->addHeaderLine('Location', $url);
                $response->setStatusCode(302);

                return $response;
            }
        }
    }, -100);
}
Let us know if it helps you!
Zend Framework 2 - ZFCUser - How to exclude landing page from auth
If you insist on checking authentication in the onBootstrap method you could do something like this:
use Zend\Mvc\MvcEvent;
use Zend\Mvc\Router\RouteMatch;

class Module
{
    // route name => actions on that route that anonymous visitors may reach
    protected $whitelist = array(
        'zfcuser/login'      => array('login'),
        'your-landing-route' => array('your-landing-action'),
    );

    public function onBootstrap($e)
    {
        $app = $e->getApplication();
        $em  = $app->getEventManager();
        $sm  = $app->getServiceManager();

        $list = $this->whitelist;
        $auth = $sm->get('zfcuser_auth_service');

        $em->attach(MvcEvent::EVENT_ROUTE, function($e) use ($list, $auth) {
            $match = $e->getRouteMatch();

            // No route match, this is a 404
            if (!$match instanceof RouteMatch) {
                return;
            }

            // Route and action is whitelisted
            $routeName = $match->getMatchedRouteName();
            $action    = $match->getParam("action");

            if (array_key_exists($routeName, $list) && in_array($action, $list[$routeName])) {
                return;
            }

            // User is authenticated
            if ($auth->hasIdentity()) {
                return;
            }

            // Redirect to the user login page, as an example
            $router = $e->getRouter();
            $url    = $router->assemble(array(), array(
                'name' => 'zfcuser/login'
            ));

            $response = $e->getResponse();
            $response->getHeaders()->addHeaderLine('Location', $url);
            $response->setStatusCode(302);

            return $response;
        }, -100);
    }
}
I've just changed the code a little bit so your white list also contains specific actions. Then we can check the action parameter to be a little bit more specific with your white listing. I don't know if this is the best way to do it, I'm just showing you how you can do it.
I don't think you even need to check authentication when using BjyAuthorize, as you can just use resource checks. If a user has anything other than a guest role then they are a real user and are authenticated. Again, I'm not 100% on that, but I do know that I don't use ZfcUser authentication checks in my application, which uses BjyAuthorize. I just use route guards to specify the role level needed for a particular route.
Maybe somebody else could clarify this?
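An added example, not taken from any of the answers above: a plain-PHP helper for the route-name whitelist check that also covers child routes, the case raised in the "whitelist routes and all childroutes" question. The function name isPublicRoute, the "/*" suffix convention and the docs routes are assumptions made for illustration; any route not listed requires login.

```php
<?php
// Added example: isPublicRoute(), the "/*" convention and the sample
// route names are constructed for illustration, not part of ZfcUser.

/**
 * Return true when $routeName may be reached without an identity.
 * An entry ending in "/*" covers that parent route and all its child routes.
 */
function isPublicRoute($routeName, array $allowlist)
{
    if (!is_string($routeName) || $routeName === '') {
        return false; // fail closed on anything unexpected
    }
    foreach ($allowlist as $entry) {
        if (substr($entry, -2) === '/*') {
            $parent = substr($entry, 0, -2);
            // Match the parent itself or "parent/..." only. Appending the
            // slash stops "docs" from also matching "docs-internal".
            if ($routeName === $parent
                || strpos($routeName, $parent . '/') === 0) {
                return true;
            }
        } elseif ($routeName === $entry) {
            return true;
        }
    }
    return false;
}

// Login and register are listed explicitly instead of "zfcuser/*", so the
// other zfcuser child routes stay behind the identity check.
$allowlist = array('zfcuser/login', 'zfcuser/register', 'docs/*');

// Constructed sample route names
$samples = array(
    'zfcuser/login', 'zfcuser/changepassword', 'docs', 'docs/api/v1',
    'docs-internal', 'admin/users', '',
);
foreach ($samples as $name) {
    printf("%-24s %s\n", $name === '' ? '(empty)' : $name,
        isPublicRoute($name, $allowlist) ? 'public' : 'login required');
}
```

Inside the EVENT_ROUTE listener, the in_array() test on the matched route name would be replaced by a call to this helper, leaving the hasIdentity() check and the redirect unchanged.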