File: BjyAuthorize\Provider\Role\ZendDb.php
Method: getRoles()

service to instantiate the class TableGateway should not be 'zfcuser_zend_db_adapter' like ZendDb indentity provider or not?

Fatal error: Declaration of BjyAuthorize\Module::onBootstrap() must be compatible with that of Zend\ModuleManager\Feature\BootstrapListenerInterface::onBootstrap() in vendor\bjyoungblood\BjyAuthorize\Module.php on line 13

Meanwhile Zfc-ACL name is not available, and in order to add this module to the Zfc family :)
PD.- due is just a suggestion to discuss I will submit/close it.

Looks like the composer package does not point to the latest commit. I' ve been told that is because the packagist hook isn't set up (or isn't set up properly?).

Is it possible to redirect to a given Route (zfcuser/login) instead of Showing a 403? Usually this is a better way for the Usability of a Page.

Hi,

When I enable BjyAuthorize on my hosting provider I get random "Internal Server Errors". The log is not too specific:

[Sun Oct 07 01:42:32 2012] [warn] client xxx.xxx.xxx.xxxConnection reset by peer: mod_fcgid: error reading data from FastCGI server, referer: http://myserver.com/en/
[Sun Oct 07 01:42:32 2012] [error] [client xxx.xxx.xxx.xxx] Premature end of script headers: index.php, referer: http://myserver.com/en/

Any idea on how to solve this?

EDIT

I've commented out all lines in "onRoute" in file src/BjyAuthorize/Guard/Route.php... The problem seems to start at:

$allowed = $service->isAllowed('route/' . $routeName);

??

At the momment there is no support in this module for role based access control (rbac).
This is a Feature request to cover that topic.
I think these are some posibilities:

• Make two different services AuthorizeAcl and AuthorizeRbac (with an instance of Zend\Rbac\Rbac instead of zend\Acl) and depending on config create one or the other in factory AuthorizeFactory.
• Use the service from ZfcRbac (ZfcRbac\Service\Rbac)
  I could submit a PR if we agree on a strategy ;)

This is more a question than an issue.

In this file: https://github.com/bjyoungblood/BjyAuthorize/blob/master/src/BjyAuthorize/Service/Authorize.php

From line 120 - line 141, the code are as below:

   public function getIdentity()
    {
        return 'bjyauthorize-identity';
    }

    public function getAcl()
    {
        return $this->acl;
    }

    public function isAllowed($resource, $privilege = null)
    {
        if (!$this->loaded) {
            $this->load();
        }

        try {
            return $this->acl->isAllowed($this->getIdentity(), $resource, $privilege);
        } catch (\Zend\Permissions\Acl\Exception\InvalidArgumentException $e) {
            return false;
        }
    }

I am puzzled by this function:

   public function getIdentity()
    {
        return 'bjyauthorize-identity';
    }

It always return the identity as a constant string. However shouldn't the identity be a role fetched through the identity provider? It seems I can't not change the identity anyhow. Maybe I just still haven't found it yet. Anybody can help?

Requires a successful build, which depends on zendframework/zend-developer-tools#63 and eventually zendframework/zend-developer-tools#53

config/services.config.php needs the following:

'BjyAuthorize\View\RedirectionStrategy' => function (ServiceLocatorInterface $serviceLocator) {
return new View\RedirectionStrategy();
},

Currently, interfaces define setters/getters also where not needed (like the identity provider interface). They should be removed.

The previous logic using the providers based on an EntityManager's connection should be removed. The newly implemented ones should be considered default

Hi there,
I think it should be useful to display BjyAuthorize informations (like identity roles) into Zend Developer Tools like DoctrineOrmModule do (https://github.com/doctrine/DoctrineORMModule/blob/master/docs/developer-tools.md).
What do you think about it ?

Fatal error: Class 'BjyAuthorize\Provider\Role\Doctrine' not found in vendor\bjyoungblood\bjy-authorize\src\BjyAuthorize\Service\Authorize.php on line 359

Currently, tags are following the release-x.y naming. Should move to semver for better composer compatibility

Old tags should also be re-tagged.

"vendor/bjyoungblood/bjy-authorize/.git" folder exists if I install via composer, ["bjyoungblood/bjy-authorize": "dev-master",].

This doesn't happen on other modules like zfcuser or zfcbase. Is it expected?

Every time I want to access an route defined with type segment
I get an 403 error.
At this time it's not to bad for me because im in develeopment but
later I need it working with iteral and segment.

As of #37, the unauthorized strategy does not work with console application because of obvious incompatibilities between the request/response object APIs.

Well upgrading to the latest master solves the current error, but introduces a new one for me.
Uncaught exception 'Zend\Di\Exception\MissingPropertyException' with message 'Missing instance/object for parameter rules for BjyAuthorize\Guard\Controller::__construct'

It might be related to my own config, but disabling my own modules doesn't resolve the issue though

@japaveh yes, that's basically because you got Zend\Di crunching behind your locator. As soon as you enable a guard, $serviceLocator->has('BjyAuthorize\Guard\Controller') will return true even if no service by that name is defined (because Zend\Di can initialize it without service definition).

So that's basically the problem. The fact is that my latest patch puts the guard coming from the locator as prioritized. A solution may be to check if (!empty($guardOptions)) { /* construct / } else { / attempt to use locator */}.

This anyway is not optimal, since the maximum degree of flexibility is anyway provided by the locator.

For your specific case, the solution is to have following service definition:

return array(
    'factories' => function (\Zend\ServiceManager\ServiceLocatorInterface $sl) {
        return new \BjyAuthorize\Guard\Controller(
            array(
                array('controller' => 'admin', 'roles' => array(1)),
            ),
            $sl
        );
    },
);

@Ocramius Well, with that definition I don't have any error anymore of course, but also no guards are loaded.

A second, more fundamental problem I have with that is I need to decouple the guard configuration between the service configuration and the rest of the rules. In version 1.0 I have the possibility to have a dedicated file for authorization (per module) and a small service configuration.

Besides that, is my specific case so different compared to the default example (shouldn't we split this issue into a new one?)

Which is the best method to add an user to the user_role_linker table?

I updated my config following:
https://github.com/bjyoungblood/BjyAuthorize/blob/master/docs/doctrine.md

But i get:

Fatal error</b>:  Uncaught exception 'BjyAuthorize\Exception\InvalidArgumentException' with message 'Config for &quot;BjyAuthorize\Provider\Role\Doctrine&quot; not set' in vendor\bjyoungblood\bjy-authorize\src\BjyAuthorize\Service\ObjectRepositoryRoleProviderFactory.php:35
Stack trace:
#0 [internal function]: BjyAuthorize\Service\ObjectRepositoryRoleProviderFactory-&gt;createService(Object(Zend\ServiceManager\ServiceManager), 'bjyauthorizepro...', 'BjyAuthorize\Pr...')
#1 vendor\zendframework\zendframework\library\Zend\ServiceManager\ServiceManager.php(737): call_user_func(Array, Object(Zend\ServiceManager\ServiceManager), 'bjyauthorizepro...', 'BjyAuthorize\Pr...')
#2 vendor\zendframework\zendframework\library\Zend\ServiceManager\ServiceManager.php(867): Zend\ServiceManager\ServiceManager-&gt;createServiceViaCallback(Array, 'bjyauthorizepro...', 'BjyAuthorize\Pr...')
#3 vendor\zendframework\zendframework\library\Zend\ServiceManager\ServiceManager.php( in <b>vendor\zendframework\zendframework\library\Zend\ServiceManager\ServiceManager.php</b> on line <b>744</b><br />

Hey there,

I'm trying to integrate BjyAuthorize into my setup.
It's working quite fine so far, thank you for your effort of providing a nice ACL Layer for ZF2

What I'm wondering about are the Doctrine Entities Role.php.dist and User.php.dist.
The schema they are using is differnt from the one provided in schema.sql.

I tried to integrate a Role entity and was not able to do this with an extra auto increment id field. I changed the table and parent columen through options for BjyAuthorize/Provider/Role/Doctrine like here: https://github.com/bjyoungblood/BjyAuthorize/blob/master/src/BjyAuthorize/Provider/Role/Doctrine.php#L47-L62

That works great and is easy to manage.

What seems not to be possible is changing the join table user_role_linker (https://github.com/bjyoungblood/BjyAuthorize/blob/master/src/BjyAuthorize/Provider/Identity/ZfcUserDoctrine.php#L41).

Would really like to have this being changeable like in Doctrine Role Provider.

I could prepare a pr for this, if nothing speaks against it.

Cheers

called in vendor\bjyoungblood\bjy-authorize\src\BjyAuthorize\Service\Authorize.php on line 82 and defined in vendor\bjyoungblood\bjy-authorize\src\BjyAuthorize\Provider\Role\Doctrine.php on line 45

Currently, naming of classes follows the schema

BjyAuthorize\Provider\Role\Config

I'm hereby suggesting that we use

BjyAuthorize\Provider\Role\ConfigRoleProvider

This will require some renaming work and to create "old" deprecated versions of the files to avoid major BC breaks.

When using a route guard, the routes for Console are not taken into account. Running a script now result in a fatal PHP error:
PHP Fatal error: Call to undefined method Zend\Console\Response::setStatusCode() in /home/www/noa/vendor/bjyoungblood/bjy-authorize/src/BjyAuthorize/View/UnauthorizedStrategy.php on line 92

Will console routes be supported in the future?

I take the answer from @bjyoungblood #55 (comment) .
I implement my own UnauthorizedStrategy like this :

<?php

namespace NovAuthorize\View;

use Zend\EventManager\EventManagerInterface;
use Zend\EventManager\ListenerAggregateInterface;
use Zend\Http\Response as HttpResponse;
use Zend\Mvc\Application;
use Zend\Mvc\MvcEvent;
use Zend\Stdlib\ResponseInterface as Response;
use Zend\View\Model\ViewModel;
use BjyAuthorize\Exception\UnAuthorizedException;

class UnauthorizedStrategy implements ListenerAggregateInterface
{
    protected $listeners = array();

    public function attach(EventManagerInterface $events)
    {
        $this->listeners[] = $events->attach(MvcEvent::EVENT_DISPATCH_ERROR, array($this, 'onDispatchError'), -5000);
    }

    public function detach(EventManagerInterface $events)
    {
        foreach ($this->listeners as $index => $listener) {
            if ($events->detach($listener)) {
                unset($this->listeners[$index]);
            }
        }
    }

    public function onDispatchError(MvcEvent $e)
    {
      $response = $e->getResponse();

      $headers = $response->getHeaders();
      $headers->addHeaderLine('Content-Type', 'application/json');
      $response->setStatusCode(403);
      $response->setHeaders($headers);
      $e->stopPropagation();
    }
}

Everything goes through fine, but there still is html content there. Maybe it comes from another controller, but I have no idea where it is. I try to getBody() and getContent() from the $response but I cannot get anything.
I only want to return http status code since I try to implement the json api above this plugin :)

Thanks for reading

I couldn't decide where to open this issue as it concerns both modules, but i finally chose to create it here, sorry :)

Before i explain a bit more what the problem is, here are the different BjyAuthorize configurations i've been using. They all led to the same error. Following @Ocramius advice on IRC, i also commented out both event manager attachments in the Module onBootstrap method (#1 and #2) but it didn't remove the error either.

The error i'm getting is thrown as soon as i have both modules in the modules list in application.config.php (BjyAuthorize or ScnSocialAuth alone works) it says : Request URI has not been set. Please set your correct home route key in the scn-social-auth.local.php config file. It's thrown here in ScnSocialAuth module. It seems that the ZF2 router can't find the home route key anymore.

It's getting to this part of ScnSocialAuth because AuthenticationDoctrineEntityFactory calls zfcuser_auth_service wich starts up the whole authentication chain, including ScnSocialAuth's.

Thanks for your help.

Pinging @SocalNick in case he has any idea.

As BjyAuthorize\Provider\Role\Doctrine is already known by the SL it will not create an new service and hence the $options are ignored.

/**
     * @param string $class
     * @param array  $options
     *
     * @return object
     */
    private function getOrCreateService($class, $options)
    {
        if ($this->serviceLocator->has($class)) {
            return $this->serviceLocator->get($class);
        }
        return new $class($options, $this->serviceLocator);
    }

I configured it, but always return error 403, with exception indexcontroller, all return error 403. What is this?

My configuration :

<?php

return array(
  'bjyauthorize' => array(

    // set the 'guest' role as default (must be defined in a role provider)
    'default_role' => 'guest',

    /* this module uses a meta-role that inherits from any roles that should
     * be applied to the active user. the identity provider tells us which
     * roles the "identity role" should inherit from.
     *
     * for ZfcUser, this will be your default identity provider
     */
    'identity_provider' => 'BjyAuthorize\Provider\Identity\ZfcUserZendDb',

    /* role providers simply provide a list of roles that should be inserted
     * into the Zend\Acl instance. the module comes with two providers, one
     * to specify roles in a config file and one to load roles using a
     * Zend\Db adapter.
     */
    'role_providers' => array(

      /* here, 'guest' and 'user are defined as top-level roles, with
       * 'admin' inheriting from user
       */
      'BjyAuthorize\Provider\Role\Config' => array(
        'guest' => array(),
        'user'  => array('children' => array(
          'admin' => array(),
        )),
      ),

      // this will load roles from the user_role table in a database
      // format: user_role(role_id(varchar), parent(varchar))
      'BjyAuthorize\Provider\Role\ZendDb' => array(
        'table'             => 'user_role',
        'role_id_field'     => 'role_id',
        'parent_role_field' => 'parent',
      ),
    ),

    // resource providers provide a list of resources that will be tracked
    // in the ACL. like roles, they can be hierarchical
    'resource_providers' => array(
      'BjyAuthorize\Provider\Resource\Config' => array(
        'pants' => array(),
      ),
    ),

    'rule_providers' => array(
      'BjyAuthorize\Provider\Rule\Config' => array(
        'allow' => array(
          array(array('guest', 'user'), 'pants', 'wear')
        ),

        'deny' => array(
        ),
      ),
    ),

    'guards' => array(
      'BjyAuthorize\Guard\Controller' => array(
        array('controller' => 'Main\Controller\UserController', 'action' => 'get', 'roles' => array('user')),
      ),
    ),
  ),
);

The errors :

Fatal error: Uncaught exception 'Zend\Di\Exception\MissingPropertyException' with message 'Missing instance/object for parameter rules for BjyAuthorize\Guard\Controller::__construct' in /vagrant/gift_portal/backend/zf2/vendor/zendframework/zendframework/library/Zend/Di/Di.php:699
Stack trace:
#0 /vagrant/gift_portal/backend/zf2/vendor/zendframework/zendframework/library/Zend/Di/Di.php(393): Zend\Di\Di->resolveMethodParameters('BjyAuthorize\Gu...', '__construct', Array, NULL, true, true)
#1 /vagrant/gift_portal/backend/zf2/vendor/zendframework/zendframework/library/Zend/Di/Di.php(225): Zend\Di\Di->createInstanceViaConstructor('BjyAuthorize\Gu...', Array, NULL)
#2 /vagrant/gift_portal/backend/zf2/vendor/zendframework/zendframework/library/Zend/Di/Di.php(174): Zend\Di\Di->newInstance('BjyAuthorize\Gu...', Array, true)
#3 /vagrant/gift_portal/backend/zf2/vendor/zendframework/zendframework/library/Zend/ServiceManager/Di/DiServiceFactory.php(104): Zend\Di\Di->get('BjyAuthorize\Gu...', Array)
#4 /vagrant/gift_portal/backend/zf2/ in /vagrant/gift_portal/backend/zf2/vendor/zendframework/zendframework/library/Zend/ServiceManager/ServiceManager.php on line 749

Hi,
I don't understand why but the following line :

https://github.com/bjyoungblood/BjyAuthorize/blob/master/src/BjyAuthorize/Provider/Role/Doctrine.php#L18

... generate error:

Fatal error: Uncaught exception 'InvalidArgumentException' with message 'Invalid event subscriber "Closure" given, must be a service name, class name or an instance implementing Doctrine\Common\EventSubscriber'
in vendor\doctrine\doctrine-module\src\DoctrineModule\Service\EventManagerFactory.php:58
Stack trace: #0 [internal function]: DoctrineModule\Service\EventManagerFactory->createService(Object(Zend\ServiceManager\ServiceManager), 'doctrine.eventm...', 'doctrine.eventm...')
#1 vendor\zendframework\zendframework\library\Zend\ServiceManager\ServiceManager.php(672): call_user_func(Array, Object(Zend\ServiceManager\ServiceManager), 'doctrine.eventm...', 'doctrine.eventm...')
#2 vendor\zendframework\zendframework\library\Zend\ServiceManager\ServiceManager.php(763): Zend\ServiceManager\ServiceManager->createServiceViaCallback(Array, 'doctrine.eventm...', 'doctrine.eventm...')
#3 vendor\zendframework\ze in vendor\zendframework\zendframework\library\Zend\ServiceManager\ServiceManager.php on line 679

Hello Ben.
Thank you for the module.
I learn Zend and do a first my project.
But I find it hard to understand the file README.md.

I use zftsuser & https://github.com/zendframework/zf2-tutorial.
For example:
After registration, the new user does not have access to the router "/user";
I do not understand how to add roles to the database.
How can I give the role "admin" for the selected user.

You can help any examples?
My repo https://github.com/mamont77/fcontrol

Baet respect,
Ruslan.

Hi there,
user_role_linker table name is hardcoded into BjyAuthorize\Provider\Identity\Doctrine and BjyAuthorize\Provider\IdentityZendDb classes.

Hi Ben,
I forgot to write a Doctrine Role Provider.
Here is it:

http://pastebin.com/ydTELUUa

And the code to add to Module::getServiceConfiguration() :

'BjyAuthorize\Provider\Role\Doctrine' => function ($sm) {
$provider = new Provider\Role\Doctrine;
return $provider;
}

David

in \Provider\Identity\ZfcUserDoctrine.php

I beleive the query in the query builder is wrong. The alias is not consistant between the select/where parts and the from part.
Also i beleive it should use ->setParameter() to bind the parameter value. This seems to work;

Please get this verified from another source, because i could be wrong.

Ping @iwalz

Hi there,
I'm using Doctrine2 so i don't need zend_db_adapter.
Is it possible to use this module with Doctrine ?

David

Here we use name "guard", but in ZfcRbac they use "firewall". Can we come to a common agreement or no matter?

Currently, the authorization service manages both instantiation and usage of the Zend\Permissions\Acl\Acl instance. That's a bit messy and instantiation of the ACL instance should be moved to an own factory.

@bjyoungblood ping? Can you enable the hook for travis?

usually i do
./vendor/bin/doctrine-module orm:schema-tool:update --force
for updating the db with the specified entities of my module, but after installing BjyAuthorize and running that command, nothing was edited in the database.

I would like to be able to trigger 403 error and have your module render a page

in controler | viewscript
if (!$this->allowed()) {
trigger 'error-unauthorized';
}

switch($error)
{
case 'error-unauthorized-controller':
$viewVariables['controller'] = $e->getParam('controller');
$viewVariables['action'] = $e->getParam('action');
break;
case 'error-unauthorized-route':
$viewVariables['route'] = $e->getParam('route');
break;
default:
/*
* do nothing if there is no error in the event or the error
* does not match one of our predefined errors (we don't want
* our 403.phtml to handle other types of errors)
*/
return;
}

is that possible? or do you have any advise on how work around that? perhaps i do it incorrectly.

thank you

I don't get what is the resource in the configuration file.

For now i simply added ZfcBase, ZfcUser and BiyAuthorize to my Zend Installation. I did the Configuration steps and all i see is:

Zend\ModuleManager\Exception\RuntimeException: Module (biyauthorize) could not be initialized. in vendor/zf2/library/Zend/ModuleManager/ModuleManager.php on line 139

There is something really wrong, any Ideas?

No debug information. Console gives only this message:
ERROR: the server encountered an internal error and was unable to complete your request.
Tested on 889d090

I'm having issue with /Service/Authorize.php:

38: $this->addRoleProvider(new $class($options, $serviceLocator));
44: $this->addResourceProvider(new $class($options, $serviceLocator));
50: $this->addRuleProvider(new $class($options, $serviceLocator));
61: $this->addGuard(new $class($options, $this)); <-- $this here is the BjyAuthorize\Service\Authorize

Is there a specific reason for Guards being passed the Service instead of the Locator?
The two Guards bundled with the module make any use of the Authorize Service passed.
As the Authorize Service doesn't have a getServiceLocator() method and the 'sm' property is set to private, there is no way to access the Service Locator from within a Guard. That creates a problem when one wants to retrieve something (say, a router config) from the Service Locator.

I see two ways of fixing this:

1. Change addGuard() calls [line 61] to use $serviceLocator instead of $this and change Guard classes as appropriate (simply rename variables). This will not affect bundled code as the bundled Guards do not currently make use of the second argument anyway. It, however, can force custom Guards use $this->serviceLocator->get(''BjyAuthorize\Service\Authorize') instead of $this->securityService if they're currently using it. I favor this approach, as it introduces consistency.
2. Add getServiceLocator() method to the Service\Authorize class that simply returns $this->sm.

It's a simpel fix. I can attach a patch or make a pull request if you see this issue as valid.

I'm currently passing my custom Guard inside the bjyauthorize config twice - once as a resource provider and once as a rule provider. This gets me the Service Locator as the second argument when the constructor is called :)

Currently, the Route and the Controller guards are setting custom properties into the MvcEvent.

This should be changed by eventually directly throwing exceptions.

I'm finding a way to use this plugin with restful webservice but still don't know how. When I activate the plugin, the route configuration for restful webservice doesn't work anymore. I request the url, it returns html instead.

Looking forward to your reply @bjyoungblood