[Applications] Refactor assertion for application access.

* Now one Assertion handles all access. (Currently only "read" and "delete");
* Small fixes and improvements in Acl and Authentication handling

Author: TiSiE

module/Applications/config/module.config.php

@@ -103,83 +103,28 @@
                             ),
                         ),
                     ),
-                    'applicationsData' => array(
-                        'type' => 'Segment',
-                        'options' => array(
-                            'route' => '/rest/applications/:method/:key',
-                            'constraints' => array(
-                                'method' => '(get|set)',
-                                'key' => '.+',
-                            ),
-                            'defaults' => array(
-                                'controller' => '\Applications\Controller\Manage',
-                                'action' => 'rest',
-                            ),
-                        ),
-                        'may_terminate' => true,
-                        'child_routes' => array(
-                            'detail' => array(
-                                'type' => 'Segment',
-                                'options' => array(
-                                    'route' => '/:id',
-                                    'constraints' => array(
-                                        'id' => '[a-z0-9]+',
-                                    ),
-                                    'defaults' => array(
-                                        'action' => 'detail',
-                                    ),
-                                ),
-                            ),
-                        ),
-                    ),
-                ),
-            ),
-            'applicationsData' => array(
-                'type' => 'Segment',
-                'options' => array(
-                    'route' => '/rest/applications/:method/:key',
-                    'constraints' => array(
-                        'method' => '(get|set)',
-                        'key' => '.+',
-                    ),
-                    'defaults' => array(
-                        'controller' => '\Applications\Controller\Manage',
-                        'action' => 'rest',
-                    ),
-                ),
-                'may_terminate' => true,
-                'child_routes' => array(
-                    'detail' => array(
-                        'type' => 'Segment',
-                        'options' => array(
-                            'route' => '/:id',
-                            'constraints' => array(
-                                'id' => '[a-z0-9]+',
-                            ),
-                            'defaults' => array(
-                                'action' => 'detail',
-                            ),
-                        ),
-                    ),
                 ),
             ),
         ),
     ),
+    
+    
     'acl' => array(
         'rules' => array(
             'user' => array(
                 'allow' => array(
                     'route/lang/applications',
                     'Applications\Controller\Manage',
                     'Entity/Application' => array(
-                        'delete' => 'Applications/WriteAccess'
+                        '__ALL__' => 'Applications/Access',
+                        
                     ),
                 ),
             ),
         ),
         'assertions' => array(
             'invokables' => array(
-                'Applications/WriteAccess' => 'Applications\Acl\ApplicationWriteAccessAssertion',
+                'Applications/Access'      => 'Applications\Acl\ApplicationAccessAssertion',
             ),
         ),
     ),

module/Applications/src/Applications/Acl/ApplicationWriteAccessAssertion.php renamed to module/Applications/src/Applications/Acl/ApplicationAccessAssertion.php

@@ -17,7 +17,7 @@
 use Applications\Entity\ApplicationInterface;
 use Auth\Entity\UserInterface;
 
-class ApplicationWriteAccessAssertion implements AssertionInterface
+class ApplicationAccessAssertion implements AssertionInterface
 {
     /* (non-PHPdoc)
      * @see \Zend\Permissions\Acl\Assertion\AssertionInterface::assert()
@@ -30,7 +30,26 @@ public function assert(Acl $acl,
         if (!$role instanceOf UserInterface || !$resource instanceOf ApplicationInterface) {
             return false;
         }
+        
+        switch ($privilege) {
+            case 'read':
+                return $this->assertRead($role, $resource) 
+                       || $this->assertWrite($role, $resource);
+                break;
 
+            default:
+                return $this->assertWrite($role, $resource);
+                break;
+        }
+    }
+    
+    protected function assertRead($role, $resource)
+    {
+        return $resource->getUserId() == $role->getId();
+    }
+    
+    protected function assertWrite($role, $resource)
+    {
         $job = $resource->getJob();
         return ($job && $role->getId() == $job->getUserId());
     }

module/Applications/src/Applications/Controller/IndexController.php

@@ -88,7 +88,11 @@ public function indexAction()
                 }
                 //$form->populateValues($data);
             } else {
-                
+                $auth = $this->auth();
+            
+                if ($auth->isLoggedIn()) {
+                    $applicationEntity->setUserId($auth('id'));
+                }
                 $applicationEntity->setStatus(new Status());
                 //$applicationEntity->injectJob($job);
                 $imageData = $form->get('contact')->get('image')->getValue();

module/Applications/src/Applications/Controller/ManageController.php

@@ -27,7 +27,7 @@
 class ManageController extends AbstractActionController
 {
 
-     public function onDispatch(\Zend\Mvc\MvcEvent $e)
+    public function onDispatch(\Zend\Mvc\MvcEvent $e)
     {
         $routeMatch = $e->getRouteMatch();
         $action     = $this->params()->fromQuery('action');
@@ -100,10 +100,16 @@ public function indexAction()
 
     public function detailAction(){
 
+        $nav = $this->getServiceLocator()->get('main_navigation');
+        $page = $nav->findByRoute('lang/applications');
+        $page->setActive();
+        
     	$application = $this->getServiceLocator()
     						->get('repositories')
     						->get('application')->find($this->params('id'), 'EAGER');
 
+    	$this->acl($application, 'read');
+    	
     	$jsonFormat = 'json' == $this->params()->fromQuery('format');
     	if ($jsonFormat) {
     		$viewModel = new JsonModel();
@@ -116,41 +122,11 @@ public function detailAction(){
     		return $viewModel;
     	}
 
-    	$nav = $this->getServiceLocator()->get('main_navigation');
-    	$page = $nav->findByRoute('lang/applications');
-    	$page->setActive();
+    	
 
     	return array('application'=> $application);
     }
 
-    public function restAction() {
-        $method = $this->params('method');
-        $value = $this->params()->fromPost('value','');
-        $key = $this->params('key');
-        $user = $this->auth()->getUser();
-        $result = array();   
-        if (strcasecmp($key, 'mailtext') == 0) {
-            $settingsJobAuth = $this->settings('auth', $user);
-            if (strcasecmp($method, 'get') == 0) {
-                $mailtext = $settingsJobAuth->getMailText();
-                $result = array('result' => isset($mailtext)?$mailtext:'');
-            }
-            if (strcasecmp($method, 'set') == 0) {
-                $settingsJobAuth->setAccessWrite(True);
-                $settingsJobAuth->setMailText($value);
-                $result = array('result' => $settingsJobAuth->getMailText());
-                //$result['old'] = $value;
-                //$result['post'] = $_POST;
-                //$result['get'] = $_GET;
-                //$result['server'] = $_SERVER;
-                //$result['request'] = $_REQUEST;
-            }
-        }
-        $viewModel = new JsonModel();
-        $viewModel->setVariables($result);
-        return $viewModel;
-    }
-
     public function statusAction()
     {
         $applicationId = $this->params('id');
@@ -252,6 +228,8 @@ public function forwardAction()
         $application  = $services->get('repositories')->get('application')
                                  ->find($this->params('id'), 'EAGER');
 
+        $this->acl($application, 'forward');
+        
         $translator   = $services->get('translator');
 
         if (!$emailAddress) {

module/Applications/src/Applications/Entity/Application.php

@@ -17,6 +17,9 @@ class Application extends AbstractIdentifiableEntity implements ApplicationInter
     protected $jobId;
     protected $job;
 
+    protected $userId;
+    protected $user;
+    
     /*
      * new
      */
@@ -82,6 +85,28 @@ public function injectJob(EntityInterface $job)
         $this->setJobId($job->getId());
         return $this;
     }
+    
+    public function setUserId($userId)
+    {
+        $this->userId = $userId;
+        return $this;
+    }
+    
+    public function getUserId()
+    {
+        return $this->userId;
+    }
+    
+    public function injectUser(EntityInterface $user)
+    {
+        $this->user = $user;
+        return $this;
+    }
+    
+    public function getUser()
+    {
+        return $this->user;
+    }
 
     public function setStatus($status)
     {

module/Applications/src/Applications/Entity/ApplicationInterface.php

@@ -15,6 +15,12 @@ public function getJobId();
     public function getJob();
     public function injectJob(EntityInterface $job);
 
+    public function setUserId($userId);
+    public function getUserId();
+    
+    public function injectUser(EntityInterface $user);
+    public function getUser();
+    
     public function setStatus($status);
     public function getStatus();
 

module/Applications/src/Applications/Repository/EntityBuilder/ApplicationBuilder.php

@@ -49,6 +49,17 @@ public function build($data = array())
             $entity->injectJob($job);
         }
 
+        if (!$entity->user) {
+            $userId = $entity->getUserId();
+            if ($userId) {
+                $user = new RelationEntity(
+                    array($this->repositories->get('user'), 'find'),
+                    array($userId)
+                );
+                $entity->injectUser($user);
+            }
+        }
+        
         $attachments = isset($data['refs']['applications-files'])
             ? new RelationCollection(
                 array($this->mappers->get('Applications/Files'), 'fetchByIds'),

module/Auth/src/Acl/Controller/Plugin/Acl.php

@@ -75,10 +75,19 @@ public function test($resource, $privilege=null)
     public function check($resource, $privilege=null)
     {
         if (!$this->test($resource, $privilege)) {
+            
+            $msg = null === $privilege
+                 ? sprintf('You are not allowed to access resource "%s"',
+                           is_object($resource) ? $resource->getResourceId() : $resource
+                   )
+                 : sprintf('You are not allowed to execute operation "%s" on resource "%s"',
+                           $privilege, is_object($resource) ? $resource->getResourceId() : $resource
+                   );
+            
             if ($resource instanceOf FileEntityInterface && 0 == strpos($resource->type, 'image/')) {
-                throw new UnauthorizedImageAccessException('User access denied');
+                throw new UnauthorizedImageAccessException(str_replace('resource', 'image', $msg));
             }
-            throw new UnauthorizedAccessException('User access denied');
+            throw new UnauthorizedAccessException($msg);
         }
     }
 

module/Auth/src/Auth/Controller/Plugin/Auth.php

@@ -30,6 +30,9 @@ public function __invoke($property=null)
         if (null === $property) {
             return $this;
         }
+        if (true === $property) {
+            return $this->isLoggedIn();
+        }
         return $this->get($property);
     }