Access plugin


Andrew Brookes
Nov 4, 2018, 9:37:44 AM
to Fat-Free Framework
I decided to set up a new f3 project on my desktop using "composer require bcosca/fatfree". The download failed, by the way, due to "error:14090086:SSL". I fixed this by editing php.ini: openssl.cafile=/etc/ssl/certs/cacert.pem

I put xfra35's access.php in lib.

The Access class is being found but doesn't seem to block the route. This is my index.php:

 
<?php
require_once('vendor/autoload.php');
$f3 = Base::instance();
$access = Access::instance();
$access->deny('/test');   // deny everybody access to /test

$f3->route('GET /test', function() {
    echo 'hello from f3!';
});
$f3->run();



Firing up the dev directory called "art": php -S localhost:8000 -t art

http://localhost:8000/test // displays hello from f3!

I'm obviously misunderstanding something.

xfra35
Nov 4, 2018, 2:38:50 PM
to f3-fra...@googlegroups.com
Hi Andrew,

You're missing the following points:

1) The command $access->deny('/test') is a shortcut for $access->deny('/test','*'), meaning that you're denying everybody access to the resource /test.

Left alone, this rule is not very useful as you obviously intend to give somebody access to this resource, so it should be combined with at least one extra rule, such as $access->allow('/test','admin') which gives access to admin.

2) The plugin doesn't take care of authentication. It just provides you with an authorize() method which should be called once you're done with authentication, just before handling the request.

For example, let's say you're authenticating users through a session variable called SESSION.user, then your code could look something like:

$f3 = Base::instance();

$access = Access::instance();

$access->deny('/test');           // deny all access to /test
$access->allow('/test', 'admin'); // except "admin"

$f3->route('GET|POST|DELETE /login', function($f3) {
    // handle authentication here (login/logout form)
    // authenticated user gets stored in SESSION.user
});

$f3->route('GET /test', function($f3) use($access) {
    // F3 passes the Base instance as the first handler argument
    $access->authorize($f3->get('SESSION.user')); // throws a 403 error if SESSION.user is not "admin"

    echo 'hello from f3!';
});

$f3->run();


When wrapping route handlers in classes, the beforeRoute hook is a good place for authorization:

class myController {

    function get($f3) {
        echo 'hello from f3';
    }

    function beforeRoute($f3) {
        $access = Access::instance();
        $access->authorize($f3->get('SESSION.user'));
    }

}


Andrew Brookes
Nov 5, 2018, 6:53:22 AM
to Fat-Free Framework
Hi xfra35,

Thanks for that.

Actually I'm OK on authentication, session, captcha etc. I'm using all 3 for my daughter's blogging site: https://www.beyourselfgirls.com/adminLogin

I just wasn't sure how to use your Access class in practice. It's now working on my dev project.

2 lines made all the difference to me:

$f3->route('GET /test', function($f3) use($access) {   // the use($access)
    $access->authorize($f3->get('SESSION.user'));      // making use of $access

Anyway, I can now see how to use it, so I'm on my way :)

Andrew Brookes
Jan 20, 2019, 8:17:16 AM
to f3-fra...@googlegroups.com

URL relaxed case sensitivity issue noted with Access

// so I'm using in index.php:
$access->deny('/adduser', '*');
$access->allow('/adduser', 'admin');

// then in routes.ini:
[routes]
GET /adduser=admin->adduser

// in class admin:
function beforeRoute($f3)
{
    $f3 = Base::instance();
    $access = Access::instance();
    $access->authorize($f3->get('SESSION.role'));
}

If the URL is: http://localhost:3000/adduser

the Access plugin works and access is denied if SESSION.role is not set.

However, if the URL is: http://localhost:3000/addUser
// i.e. one or more letters is a different case, the function adduser of class admin, i.e. admin->adduser, is invoked even if SESSION.role is not set?

I just used $f3->set('CASELESS', FALSE); to get around this.
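Added example, not code from the thread, from its participants, or from the f3-access project, that puts xfra35's deny/allow/authorize pattern and the case-variant problem above into one index.php. It assumes bcosca/fatfree and xfra35/f3-access are installed through Composer, that a login handler stores the authenticated user's role in SESSION.role, and that Access exposes policy() in addition to the allow(), deny() and authorize() calls used in this thread (policy() is documented in the f3-access README but is not used anywhere above, so treat it as an assumption). The Admin class and the /login route are made up for illustration.

```php
<?php
// Added example (not from the thread or the f3-access project).
// Assumptions: bcosca/fatfree and xfra35/f3-access installed via Composer;
// a login handler (stubbed below) sets SESSION.role; Access::policy()
// exists as documented in the f3-access README.
require_once 'vendor/autoload.php';

$f3 = Base::instance();

// 1) Keep the router strict. With CASELESS=FALSE, /addUser no longer matches
//    the /adduser route at all and gets a 404 instead of reaching the handler.
//    This is the workaround from the thread: the case variant never routes.
$f3->set('CASELESS', FALSE);

$access = Access::instance();

// 2) Fail closed. With the default policy set to deny, any request whose
//    VERB + PATH has no matching allow rule is refused, so a path spelled
//    differently from the rule, or a route added later without an ACL entry,
//    cannot slip through. A separate deny('/adduser') rule is then unnecessary.
$access->policy('deny');

// Everyone may reach the login form; only the 'admin' role may reach /adduser.
$access->allow('/login', '*');
$access->allow('/adduser', 'admin');

class Admin {
    // F3 calls beforeRoute() before every handler in this class, so the
    // authorization check cannot be forgotten on an individual method.
    function beforeRoute($f3) {
        $access = Access::instance();
        // An unauthenticated request has no role: pass an empty subject, which
        // only a '*' allow rule could satisfy, rather than NULL.
        $role = $f3->get('SESSION.role') ?: '';
        // Checks the current request against the rules above and raises an HTTP
        // error on denial (403 in xfra35's post); the handler below never runs.
        $access->authorize($role);
    }

    function adduser($f3) {
        echo 'add-user form, role: ' . $f3->get('SESSION.role');
    }
}

$f3->route('GET /adduser', 'Admin->adduser');

$f3->route('GET|POST /login', function($f3) {
    // Login handler stub (assumption): on a successful login the real handler
    // would validate credentials and then set SESSION.role, e.g.
    //   $f3->set('SESSION.role', 'admin');
    echo 'login';
});

$f3->run();
```

Run it the same way as the thread does (php -S localhost:8000) and request /adduser with and without a session role, then /addUser: the first is refused until SESSION.role is 'admin', and the second is a 404 from the router. The two settings are independent. CASELESS=FALSE is Andrew's fix and removes the case variant from routing; policy('deny') is the fail-closed default a practitioner wants regardless of how the plugin compares paths, because a rule written as deny('/adduser') only ever protects the one spelling it names.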

 

Yaroslav Beregovoy
Jan 20, 2019, 2:09:13 PM
to Fat-Free Framework on behalf of Andrew Brookes
I just understood that the URL route and its handler are case insensitive:
GET /addUser=admin->addUser
GET /addUser=admin->adduser
GET /addUSer=admin->ADDUser
All my examples are the same thing, and they work fine.

I don't think that without a session the handler admin->adduser will work...
