Luracast / Restler

Simple and effective multi-format Web API Server to host your PHP API as Pragmatic REST and/or RESTful API
http://luracast.com/products/restler/
GNU Lesser General Public License v2.1

Multiple roles and Swagger (API Explorer) access #528

Open nocodelab opened 8 years ago

nocodelab commented 8 years ago

Hi all, I'm experiencing a problem with Restler 3 RC5. I'm trying to set multiple user roles for my API's access.

The API endpoints are working properly based on the authenticated user's role. The problem is in the API Explorer: after adding the API key, the protected methods are not available. Without using custom roles, everything is working fine.

<?php
use \Luracast\Restler\iAuthenticate;
use \Luracast\Restler\Resources;
use \Luracast\Restler\Defaults;
use \Luracast\Restler\User;

// The R:: calls are the RedBeanPHP facade; the accesstoken/admin/role tables and
// ADMIN_PASSWORD_SALT are defined elsewhere in the application.
class AccessControl implements iAuthenticate
{
    /** Role(s) the current method requires: a single role name or an array of names. */
    public static $requires = '';
    /** Role of the authenticated user, filled in by __isAllowed(). */
    public static $role = '';

    public function __isAllowed()
    {
        $userClass = Defaults::$userIdentifierClass;

        // No key presented at all: nothing to look up (avoids an undefined-index notice).
        if (!isset($_GET['api_key'])) {
            return false;
        }
        $apiKey = $_GET['api_key'];

        // The stored token is the salted MD5 of the key the client presents.
        $accessToken = md5($apiKey . ADMIN_PASSWORD_SALT);
        $keyCheck = R::findOne(
            'accesstoken',
            'token = :accesstoken AND expire_at >= NOW()',
            array(':accesstoken' => $accessToken)
        );

        // verify the access token
        if (!$keyCheck) {
            $userClass::setCacheIdentifier($apiKey);
            return false;
        }

        $user_id = $keyCheck->admin_id;

        $userDetails = R::getRow(
            'SELECT admin.id, admin.role_id, role.name AS role_name '
            . 'FROM admin LEFT JOIN role ON admin.role_id = role.id '
            . 'WHERE admin.id = :id',
            array(':id' => $user_id)
        );
        // Token points at a missing admin, or the admin has no role: deny.
        if (!$userDetails || empty($userDetails['role_name'])) {
            return false;
        }

        static::$role = $userDetails['role_name'];
        // Cache the API Explorer output per role so each role gets its own method list.
        $userClass::setCacheIdentifier(static::$role);
        User::setUniqueIdentifier($user_id);

        // Let the API Explorer (Resources) ask verifyAccess() whether to list each method.
        Resources::$accessControlFunction = 'AccessControl::verifyAccess';

        return static::roleSatisfies(static::$requires);
    }

    public function __getWWWAuthenticateString()
    {
        return 'Query name="api_key"';
    }

    /**
     * Called by Resources for each protected method; $m is the method's metadata and
     * the required role(s) come from its "@class AccessControl {@requires ...}" docblock.
     *
     * @access private
     */
    public static function verifyAccess(array $m)
    {
        $requires =
            isset($m['class']['AccessControl']['properties']['requires'])
                ? $m['class']['AccessControl']['properties']['requires']
                : false;

        return static::roleSatisfies($requires);
    }

    /**
     * True when the authenticated role matches $requires (a role name or a list of them).
     * Strict comparison so that an empty role never matches a missing requirement.
     */
    private static function roleSatisfies($requires)
    {
        if (is_array($requires)) {
            return in_array(static::$role, $requires, true);
        }
        return static::$role === $requires;
    }
}

Anyone can help me? Thanks

igorsantos07 commented 8 years ago

This seems like a dup of #524

nocodelab commented 8 years ago

@igorsantos07 Not sure if it is the same issue. Basically I would like to show/hide methods according to the user role.

nocodelab commented 8 years ago

Hi all, does no one have hints/suggestions on this?

Cheers

roynasser commented 8 years ago

I have posted some examples on how I did this using comments at the function/endpoint level to require one or more permissions, and then hide methods which the user doesn't have permission for. Let me know if that works.
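The show/hide logic both the original post's verifyAccess() and the comment above describe, as an added stand-alone example (not Restler's code and not code from any participant in this thread). It reuses only the metadata path the posted code reads, $m['class']['AccessControl']['properties']['requires'], and assumes that a docblock line such as "@class AccessControl {@requires admin}" is what produces it; the route list and role names are constructed for illustration, so it runs without Restler installed.

```php
<?php
// Added example: decide which API Explorer entries a role may see, driven by the
// same per-method metadata shape the posted AccessControl::verifyAccess() inspects.

/**
 * Visibility rules (an assumption mirroring the thread, not Restler's own policy):
 *   - no "requires" property          -> visible to any authenticated user
 *   - "requires" is a string          -> the role must match exactly
 *   - "requires" is an array of roles -> the role must be one of them
 */
function isVisibleTo(array $m, $role)
{
    $requires = isset($m['class']['AccessControl']['properties']['requires'])
        ? $m['class']['AccessControl']['properties']['requires']
        : null;

    if ($requires === null) {
        return true;                                // unrestricted method
    }
    if (is_array($requires)) {
        return in_array($role, $requires, true);    // strict: no "0" == "admin" surprises
    }
    return $role === $requires;
}

/**
 * Filter a route list (name => metadata) down to what $role is allowed to see.
 * array_filter keeps the original keys, so the route names survive.
 */
function visibleRoutes(array $routes, $role)
{
    return array_filter($routes, function ($m) use ($role) {
        return isVisibleTo($m, $role);
    });
}

// Constructed sample metadata. The nested "class" array stands in for what the
// framework would build from "@class AccessControl {@requires ...}" on each method.
$routes = array(
    'GET /status'   => array(),                          // no requirement at all
    'GET /users'    => array('class' => array('AccessControl' => array(
        'properties' => array('requires' => array('admin', 'editor'))))),
    'DELETE /users' => array('class' => array('AccessControl' => array(
        'properties' => array('requires' => 'admin')))),
);

foreach (array('admin', 'editor', 'viewer', '') as $role) {
    $name = $role === '' ? '(no role)' : $role;
    printf("%-9s sees: %s\n", $name, implode(', ', array_keys(visibleRoutes($routes, $role))));
}
```

With the constructed routes, admin sees all three entries, editor sees the two that do not require admin, and viewer (or an empty role) sees only the unrestricted one. The strict comparisons are the point worth keeping whatever the rest of the setup looks like: with PHP's loose `==`, an empty role compared against a missing requirement evaluates as equal, which would list protected methods to a caller who has no role at all.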