Require authentication for certain routes


Douglas Duhaime

Sep 1, 2016, 4:39:04 PM
to Omeka Dev
Hello, I'm working on an Omeka-based application in which my team wants to require users to be CAS-authenticated to access certain routes.

For instance, we want all users to be able to access omeka/collections/2, but we want to challenge anyone who requests omeka/collections/3 to authenticate before they can see the content on that page.

I've taken a look into https://github.com/BGSU-LITS/omeka-plugin-CentralAuth, which does a nice job of using CAS for the log in / log out functionality on the site.

I'm wondering others' thoughts on the best way to approach this task. My current thought is that I'll create a plugin that uses 

public function hookDefineRoutes($args)

to listen to all requests for /collection/:id. If id is an id we want to make public, I would route traffic to the Omeka collection controller, and if the id is one we want to keep hidden behind an auth layer, I would route the traffic to the CAS-ready controller. My question is: is there a better way to approach this task? Any suggestions others can offer are welcome!

Patrick Murray-John

Sep 2, 2016, 9:47:07 AM
to omek...@googlegroups.com
Another approach might be to use a controller plugin. For an example that's much simpler than what it sounds like you need, look at the GuestUser plugin's ControllerPlugin. It does a very simple check on the user's role and whether they are trying to get to the admin side, and redirects as needed.

It sounds like you are looking for a more sophisticated check on the route, but you should be able to dig what you need out of the $request object that gets passed on.

I haven't looked at the BGSU-LITS plugin yet, but will check it out and see if that revises my thoughts.

Patrick

Douglas Duhaime

Sep 2, 2016, 10:20:21 AM
to Omeka Dev
Dear Patrick,

Thanks so much for this! The _preventAdminAccess function is very helpful. I have a quick follow-up looking at that function:

protected function _preventAdminAccess($request)
{
    $user = current_user();
    // If we're logged in, then prevent access to the admin for guest users
    if ($user && $user->role == 'guest' && is_admin_theme()) {
        $this->_getRedirect()->gotoUrl(WEB_ROOT . '/guest-user/user/me');
    }
}

If you wanted to check the controller and action being called within $request, how would you parse those values out? Another quick one: If you wanted to send the user onto their originally requested destination after running some logic, how would you send the user to that route?

Douglas Duhaime

Sep 2, 2016, 11:53:02 AM
to Omeka Dev
So it looks like one can parse the controller, action, etc. out of $request as follows:

$module = strtolower($request->getModuleName());
$controller = strtolower($request->getControllerName());
$action = strtolower($request->getActionName());

Patrick Murray-John

Sep 2, 2016, 12:10:36 PM
to omek...@googlegroups.com
Yep, that should work. I think $request->getParams(); also returns all of it to you in an array, but whatever works.

To let a user continue on to the intended destination after some logic, it's really just a matter of _not_ redirecting them if the logic says that there's nothing to prohibit them from access.

Patrick

Douglas Duhaime

Sep 2, 2016, 12:10:47 PM
to Omeka Dev
I have one quick query: when does _preventAdminAccess() get called? I added the following to the method:

error_log("Called the _preventAdminAccess function", 3, "/var/tmp/casifyControllerPlugin.log");

but that file isn't populated. My naive understanding was that that method was being called on each request, but if that were the case I'd expect the log file to get populated. Any advice you can offer on this question would be very helpful!

Douglas Duhaime

Sep 2, 2016, 12:23:29 PM
to Omeka Dev
Excellent, thanks again Patrick!

Am I crazy to think the setUp() method in GuestUserPlugin.php is being called on each route request? I added:

$requested_route = "http://$_SERVER[HTTP_HOST]$_SERVER[REQUEST_URI]";
error_log($requested_route, 3, "/var/tmp/my-errors.log");

then requested a few pages from the site and got a huge list of my requested routes:


If this method is being called on each request, can I just run my application logic and redirect if necessary in this function? If that checking logic belongs elsewhere (I feel like it should!), where should I put it?

Sorry if these questions sound quite foolish; I'm quite new to both Omeka and Zend.

Patrick Murray-John

Sep 2, 2016, 12:29:33 PM
to omek...@googlegroups.com
Yep, all the plugins' stuff will get loaded up on each request so that they can operate on what they need to.

You _might_ be able to just put the logic in setUp, but it sounds like you need to inspect the request info, which makes me think that the ControllerPlugin is the best approach.

Not sure why you aren't seeing logs from the _preventAdminAccess method off the top of my head.

Patrick
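Putting Patrick's controller-plugin suggestion and Douglas's controller/action parsing together, here is an added example of what such a plugin could look like. It is not code from this thread, from GuestUser or from the CentralAuth plugin; the class name, the protected collection ids and the /cas/login path are assumptions, and it assumes the plugin's setUp() registers the class with Zend_Controller_Front as GuestUser does.

```php
<?php
// Added example (not from the thread or from the GuestUser/CentralAuth plugins).
// Assumes an Omeka plugin whose setUp() does:
//   Zend_Controller_Front::getInstance()->registerPlugin(new Casify_ControllerPlugin());
// Class name, collection ids and login path below are placeholders.
class Casify_ControllerPlugin extends Zend_Controller_Plugin_Abstract
{
    /** Collection ids that require an authenticated (CAS) session. Placeholder values. */
    private $_protectedCollectionIds = array(3, 7);

    /** Login route served by the CAS plugin. Placeholder path. */
    private $_loginPath = '/cas/login';

    // Runs before every controller action, so routing stays untouched:
    // a request that needs no auth simply falls through to its controller.
    public function preDispatch(Zend_Controller_Request_Abstract $request)
    {
        if (!$this->_isProtected($request)) {
            return; // nothing to prohibit: do not redirect
        }
        if (current_user()) {
            return; // already logged in (session populated by the CAS login)
        }
        // Remember the original destination so the login handler can send the
        // user back. Only the request path is passed, never a full URL, so the
        // login handler cannot be turned into an open redirect to another host.
        $returnTo = $request->getRequestUri();
        $url = WEB_ROOT . $this->_loginPath . '?returnTo=' . urlencode($returnTo);
        Zend_Controller_Action_HelperBroker::getStaticHelper('redirector')->gotoUrl($url);
    }

    // Decide from module/controller/action/id whether this request is gated.
    private function _isProtected(Zend_Controller_Request_Abstract $request)
    {
        $controller = strtolower((string) $request->getControllerName());
        $action = strtolower((string) $request->getActionName());
        // Assumes the public collection page is collections/show/:id.
        if ($controller !== 'collections' || $action !== 'show') {
            return false;
        }
        $id = (int) $request->getParam('id');
        return in_array($id, $this->_protectedCollectionIds, true);
    }
}
```

The login handler on the /cas/login side must itself check that returnTo is a relative path before redirecting to it.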