pictcode / lib / Cake / Controller / Component / AuthComponent.php @ master
履歴 | 表示 | アノテート | ダウンロード (25.276 KB)
1 |
<?php
|
---|---|
2 |
/**
|
3 |
* Authentication component
|
4 |
*
|
5 |
* Manages user logins and permissions.
|
6 |
*
|
7 |
* CakePHP(tm) : Rapid Development Framework (http://cakephp.org)
|
8 |
* Copyright (c) Cake Software Foundation, Inc. (http://cakefoundation.org)
|
9 |
*
|
10 |
* Licensed under The MIT License
|
11 |
* For full copyright and license information, please see the LICENSE.txt
|
12 |
* Redistributions of files must retain the above copyright notice.
|
13 |
*
|
14 |
* @copyright Copyright (c) Cake Software Foundation, Inc. (http://cakefoundation.org)
|
15 |
* @link http://cakephp.org CakePHP(tm) Project
|
16 |
* @package Cake.Controller.Component
|
17 |
* @since CakePHP(tm) v 0.10.0.1076
|
18 |
* @license http://www.opensource.org/licenses/mit-license.php MIT License
|
19 |
*/
|
20 |
|
21 |
App::uses('Component', 'Controller'); |
22 |
App::uses('Router', 'Routing'); |
23 |
App::uses('Security', 'Utility'); |
24 |
App::uses('Debugger', 'Utility'); |
25 |
App::uses('Hash', 'Utility'); |
26 |
App::uses('CakeSession', 'Model/Datasource'); |
27 |
App::uses('BaseAuthorize', 'Controller/Component/Auth'); |
28 |
App::uses('BaseAuthenticate', 'Controller/Component/Auth'); |
29 |
App::uses('CakeEvent', 'Event'); |
30 |
|
31 |
/**
|
32 |
* Authentication control component class
|
33 |
*
|
34 |
* Binds access control with user authentication and session management.
|
35 |
*
|
36 |
* @package Cake.Controller.Component
|
37 |
* @link http://book.cakephp.org/2.0/en/core-libraries/components/authentication.html
|
38 |
*/
|
39 |
class AuthComponent extends Component { |
40 |
|
41 |
/**
|
42 |
* Constant for 'all'
|
43 |
*
|
44 |
* @var string
|
45 |
*/
|
46 |
const ALL = 'all'; |
47 |
|
48 |
/**
|
49 |
* Other components utilized by AuthComponent
|
50 |
*
|
51 |
* @var array
|
52 |
*/
|
53 |
public $components = array('Session', 'Flash', 'RequestHandler'); |
54 |
|
55 |
/**
|
56 |
* An array of authentication objects to use for authenticating users. You can configure
|
57 |
* multiple adapters and they will be checked sequentially when users are identified.
|
58 |
*
|
59 |
* ```
|
60 |
* $this->Auth->authenticate = array(
|
61 |
* 'Form' => array(
|
62 |
* 'userModel' => 'Users.User'
|
63 |
* )
|
64 |
* );
|
65 |
* ```
|
66 |
*
|
67 |
* Using the class name without 'Authenticate' as the key, you can pass in an array of settings for each
|
68 |
* authentication object. Additionally you can define settings that should be set to all authentications objects
|
69 |
* using the 'all' key:
|
70 |
*
|
71 |
* ```
|
72 |
* $this->Auth->authenticate = array(
|
73 |
* 'all' => array(
|
74 |
* 'userModel' => 'Users.User',
|
75 |
* 'scope' => array('User.active' => 1)
|
76 |
* ),
|
77 |
* 'Form',
|
78 |
* 'Basic'
|
79 |
* );
|
80 |
* ```
|
81 |
*
|
82 |
* You can also use AuthComponent::ALL instead of the string 'all'.
|
83 |
*
|
84 |
* @var array
|
85 |
* @link http://book.cakephp.org/2.0/en/core-libraries/components/authentication.html
|
86 |
*/
|
87 |
public $authenticate = array('Form'); |
88 |
|
89 |
/**
|
90 |
* Objects that will be used for authentication checks.
|
91 |
*
|
92 |
* @var array
|
93 |
*/
|
94 |
protected $_authenticateObjects = array(); |
95 |
|
96 |
/**
|
97 |
* An array of authorization objects to use for authorizing users. You can configure
|
98 |
* multiple adapters and they will be checked sequentially when authorization checks are done.
|
99 |
*
|
100 |
* ```
|
101 |
* $this->Auth->authorize = array(
|
102 |
* 'Crud' => array(
|
103 |
* 'actionPath' => 'controllers/'
|
104 |
* )
|
105 |
* );
|
106 |
* ```
|
107 |
*
|
108 |
* Using the class name without 'Authorize' as the key, you can pass in an array of settings for each
|
109 |
* authorization object. Additionally you can define settings that should be set to all authorization objects
|
110 |
* using the 'all' key:
|
111 |
*
|
112 |
* ```
|
113 |
* $this->Auth->authorize = array(
|
114 |
* 'all' => array(
|
115 |
* 'actionPath' => 'controllers/'
|
116 |
* ),
|
117 |
* 'Crud',
|
118 |
* 'CustomAuth'
|
119 |
* );
|
120 |
* ```
|
121 |
*
|
122 |
* You can also use AuthComponent::ALL instead of the string 'all'
|
123 |
*
|
124 |
* @var mixed
|
125 |
* @link http://book.cakephp.org/2.0/en/core-libraries/components/authentication.html#authorization
|
126 |
*/
|
127 |
public $authorize = false; |
128 |
|
129 |
/**
|
130 |
* Objects that will be used for authorization checks.
|
131 |
*
|
132 |
* @var array
|
133 |
*/
|
134 |
protected $_authorizeObjects = array(); |
135 |
|
136 |
/**
|
137 |
* The name of an optional view element to render when an Ajax request is made
|
138 |
* with an invalid or expired session
|
139 |
*
|
140 |
* @var string
|
141 |
*/
|
142 |
public $ajaxLogin = null; |
143 |
|
144 |
/**
|
145 |
* Settings to use when Auth needs to do a flash message with SessionComponent::setFlash().
|
146 |
* Available keys are:
|
147 |
*
|
148 |
* - `element` - The element to use, defaults to 'default'.
|
149 |
* - `key` - The key to use, defaults to 'auth'
|
150 |
* - `params` - The array of additional params to use, defaults to array()
|
151 |
*
|
152 |
* @var array
|
153 |
*/
|
154 |
public $flash = array( |
155 |
'element' => 'default', |
156 |
'key' => 'auth', |
157 |
'params' => array() |
158 |
); |
159 |
|
160 |
/**
|
161 |
* The session key name where the record of the current user is stored. Default
|
162 |
* key is "Auth.User". If you are using only stateless authenticators set this
|
163 |
* to false to ensure session is not started.
|
164 |
*
|
165 |
* @var string
|
166 |
*/
|
167 |
public static $sessionKey = 'Auth.User'; |
168 |
|
169 |
/**
|
170 |
* The current user, used for stateless authentication when
|
171 |
* sessions are not available.
|
172 |
*
|
173 |
* @var array
|
174 |
*/
|
175 |
protected static $_user = array(); |
176 |
|
177 |
/**
|
178 |
* A URL (defined as a string or array) to the controller action that handles
|
179 |
* logins. Defaults to `/users/login`.
|
180 |
*
|
181 |
* @var mixed
|
182 |
*/
|
183 |
public $loginAction = array( |
184 |
'controller' => 'users', |
185 |
'action' => 'login', |
186 |
'plugin' => null |
187 |
); |
188 |
|
189 |
/**
|
190 |
* Normally, if a user is redirected to the $loginAction page, the location they
|
191 |
* were redirected from will be stored in the session so that they can be
|
192 |
* redirected back after a successful login. If this session value is not
|
193 |
* set, redirectUrl() method will return the URL specified in $loginRedirect.
|
194 |
*
|
195 |
* @var mixed
|
196 |
* @link http://book.cakephp.org/2.0/en/core-libraries/components/authentication.html#AuthComponent::$loginRedirect
|
197 |
*/
|
198 |
public $loginRedirect = null; |
199 |
|
200 |
/**
|
201 |
* The default action to redirect to after the user is logged out. While AuthComponent does
|
202 |
* not handle post-logout redirection, a redirect URL will be returned from AuthComponent::logout().
|
203 |
* Defaults to AuthComponent::$loginAction.
|
204 |
*
|
205 |
* @var mixed
|
206 |
* @see AuthComponent::$loginAction
|
207 |
* @see AuthComponent::logout()
|
208 |
*/
|
209 |
public $logoutRedirect = null; |
210 |
|
211 |
/**
|
212 |
* Error to display when user attempts to access an object or action to which they do not have
|
213 |
* access.
|
214 |
*
|
215 |
* @var string|bool
|
216 |
* @link http://book.cakephp.org/2.0/en/core-libraries/components/authentication.html#AuthComponent::$authError
|
217 |
*/
|
218 |
public $authError = null; |
219 |
|
220 |
/**
|
221 |
* Controls handling of unauthorized access.
|
222 |
* - For default value `true` unauthorized user is redirected to the referrer URL
|
223 |
* or AuthComponent::$loginRedirect or '/'.
|
224 |
* - If set to a string or array the value is used as a URL to redirect to.
|
225 |
* - If set to false a ForbiddenException exception is thrown instead of redirecting.
|
226 |
*
|
227 |
* @var mixed
|
228 |
*/
|
229 |
public $unauthorizedRedirect = true; |
230 |
|
231 |
/**
|
232 |
* Controller actions for which user validation is not required.
|
233 |
*
|
234 |
* @var array
|
235 |
* @see AuthComponent::allow()
|
236 |
*/
|
237 |
public $allowedActions = array(); |
238 |
|
239 |
/**
|
240 |
* Request object
|
241 |
*
|
242 |
* @var CakeRequest
|
243 |
*/
|
244 |
public $request; |
245 |
|
246 |
/**
|
247 |
* Response object
|
248 |
*
|
249 |
* @var CakeResponse
|
250 |
*/
|
251 |
public $response; |
252 |
|
253 |
/**
|
254 |
* Method list for bound controller.
|
255 |
*
|
256 |
* @var array
|
257 |
*/
|
258 |
protected $_methods = array(); |
259 |
|
260 |
/**
|
261 |
* Initializes AuthComponent for use in the controller.
|
262 |
*
|
263 |
* @param Controller $controller A reference to the instantiating controller object
|
264 |
* @return void
|
265 |
*/
|
266 |
public function initialize(Controller $controller) { |
267 |
$this->request = $controller->request; |
268 |
$this->response = $controller->response; |
269 |
$this->_methods = $controller->methods; |
270 |
|
271 |
if (Configure::read('debug') > 0) { |
272 |
Debugger::checkSecurityKeys();
|
273 |
} |
274 |
} |
275 |
|
276 |
/**
|
277 |
* Main execution method. Handles redirecting of invalid users, and processing
|
278 |
* of login form data.
|
279 |
*
|
280 |
* @param Controller $controller A reference to the instantiating controller object
|
281 |
* @return bool
|
282 |
*/
|
283 |
public function startup(Controller $controller) { |
284 |
$methods = array_flip(array_map('strtolower', $controller->methods)); |
285 |
$action = strtolower($controller->request->params['action']); |
286 |
|
287 |
$isMissingAction = (
|
288 |
$controller->scaffold === false && |
289 |
!isset($methods[$action]) |
290 |
); |
291 |
|
292 |
if ($isMissingAction) { |
293 |
return true; |
294 |
} |
295 |
|
296 |
if (!$this->_setDefaults()) { |
297 |
return false; |
298 |
} |
299 |
|
300 |
if ($this->_isAllowed($controller)) { |
301 |
return true; |
302 |
} |
303 |
|
304 |
if (!$this->_getUser()) { |
305 |
return $this->_unauthenticated($controller); |
306 |
} |
307 |
|
308 |
if ($this->_isLoginAction($controller) || |
309 |
empty($this->authorize) || |
310 |
$this->isAuthorized($this->user()) |
311 |
) { |
312 |
return true; |
313 |
} |
314 |
|
315 |
return $this->_unauthorized($controller); |
316 |
} |
317 |
|
318 |
/**
|
319 |
* Checks whether current action is accessible without authentication.
|
320 |
*
|
321 |
* @param Controller $controller A reference to the instantiating controller object
|
322 |
* @return bool True if action is accessible without authentication else false
|
323 |
*/
|
324 |
protected function _isAllowed(Controller $controller) { |
325 |
$action = strtolower($controller->request->params['action']); |
326 |
if (in_array($action, array_map('strtolower', $this->allowedActions))) { |
327 |
return true; |
328 |
} |
329 |
return false; |
330 |
} |
331 |
|
332 |
/**
|
333 |
* Handles unauthenticated access attempt. First the `unathenticated()` method
|
334 |
* of the last authenticator in the chain will be called. The authenticator can
|
335 |
* handle sending response or redirection as appropriate and return `true` to
|
336 |
* indicate no furthur action is necessary. If authenticator returns null this
|
337 |
* method redirects user to login action. If it's an ajax request and
|
338 |
* $ajaxLogin is specified that element is rendered else a 403 http status code
|
339 |
* is returned.
|
340 |
*
|
341 |
* @param Controller $controller A reference to the controller object.
|
342 |
* @return bool True if current action is login action else false.
|
343 |
*/
|
344 |
protected function _unauthenticated(Controller $controller) { |
345 |
if (empty($this->_authenticateObjects)) { |
346 |
$this->constructAuthenticate();
|
347 |
} |
348 |
$auth = $this->_authenticateObjects[count($this->_authenticateObjects) - 1]; |
349 |
if ($auth->unauthenticated($this->request, $this->response)) { |
350 |
return false; |
351 |
} |
352 |
|
353 |
if ($this->_isLoginAction($controller)) { |
354 |
if (empty($controller->request->data)) { |
355 |
if (!$this->Session->check('Auth.redirect') && env('HTTP_REFERER')) { |
356 |
$this->Session->write('Auth.redirect', $controller->referer(null, true)); |
357 |
} |
358 |
} |
359 |
return true; |
360 |
} |
361 |
|
362 |
if (!$controller->request->is('ajax')) { |
363 |
$this->flash($this->authError); |
364 |
$this->Session->write('Auth.redirect', $controller->request->here(false)); |
365 |
$controller->redirect($this->loginAction); |
366 |
return false; |
367 |
} |
368 |
if (!empty($this->ajaxLogin)) { |
369 |
$controller->response->statusCode(403); |
370 |
$controller->viewPath = 'Elements'; |
371 |
$response = $controller->render($this->ajaxLogin, $this->RequestHandler->ajaxLayout); |
372 |
$response->send();
|
373 |
$this->_stop();
|
374 |
return false; |
375 |
} |
376 |
$controller->response->statusCode(403); |
377 |
$controller->response->send();
|
378 |
$this->_stop();
|
379 |
return false; |
380 |
} |
381 |
|
382 |
/**
|
383 |
* Normalizes $loginAction and checks if current request URL is same as login action.
|
384 |
*
|
385 |
* @param Controller $controller A reference to the controller object.
|
386 |
* @return bool True if current action is login action else false.
|
387 |
*/
|
388 |
protected function _isLoginAction(Controller $controller) { |
389 |
$url = ''; |
390 |
if (isset($controller->request->url)) { |
391 |
$url = $controller->request->url; |
392 |
} |
393 |
$url = Router::normalize($url); |
394 |
$loginAction = Router::normalize($this->loginAction); |
395 |
|
396 |
return $loginAction === $url; |
397 |
} |
398 |
|
399 |
/**
|
400 |
* Handle unauthorized access attempt
|
401 |
*
|
402 |
* @param Controller $controller A reference to the controller object
|
403 |
* @return bool Returns false
|
404 |
* @throws ForbiddenException
|
405 |
* @see AuthComponent::$unauthorizedRedirect
|
406 |
*/
|
407 |
protected function _unauthorized(Controller $controller) { |
408 |
if ($this->unauthorizedRedirect === false) { |
409 |
throw new ForbiddenException($this->authError); |
410 |
} |
411 |
|
412 |
$this->flash($this->authError); |
413 |
if ($this->unauthorizedRedirect === true) { |
414 |
$default = '/'; |
415 |
if (!empty($this->loginRedirect)) { |
416 |
$default = $this->loginRedirect; |
417 |
} |
418 |
$url = $controller->referer($default, true); |
419 |
} else {
|
420 |
$url = $this->unauthorizedRedirect; |
421 |
} |
422 |
$controller->redirect($url); |
423 |
return false; |
424 |
} |
425 |
|
426 |
/**
|
427 |
* Attempts to introspect the correct values for object properties.
|
428 |
*
|
429 |
* @return bool True
|
430 |
*/
|
431 |
protected function _setDefaults() { |
432 |
$defaults = array( |
433 |
'logoutRedirect' => $this->loginAction, |
434 |
'authError' => __d('cake', 'You are not authorized to access that location.') |
435 |
); |
436 |
foreach ($defaults as $key => $value) { |
437 |
if (!isset($this->{$key}) || $this->{$key} === true) { |
438 |
$this->{$key} = $value; |
439 |
} |
440 |
} |
441 |
return true; |
442 |
} |
443 |
|
444 |
/**
|
445 |
* Check if the provided user is authorized for the request.
|
446 |
*
|
447 |
* Uses the configured Authorization adapters to check whether or not a user is authorized.
|
448 |
* Each adapter will be checked in sequence, if any of them return true, then the user will
|
449 |
* be authorized for the request.
|
450 |
*
|
451 |
* @param array $user The user to check the authorization of. If empty the user in the session will be used.
|
452 |
* @param CakeRequest $request The request to authenticate for. If empty, the current request will be used.
|
453 |
* @return bool True if $user is authorized, otherwise false
|
454 |
*/
|
455 |
public function isAuthorized($user = null, CakeRequest $request = null) { |
456 |
if (empty($user) && !$this->user()) { |
457 |
return false; |
458 |
} |
459 |
if (empty($user)) { |
460 |
$user = $this->user(); |
461 |
} |
462 |
if (empty($request)) { |
463 |
$request = $this->request; |
464 |
} |
465 |
if (empty($this->_authorizeObjects)) { |
466 |
$this->constructAuthorize();
|
467 |
} |
468 |
foreach ($this->_authorizeObjects as $authorizer) { |
469 |
if ($authorizer->authorize($user, $request) === true) { |
470 |
return true; |
471 |
} |
472 |
} |
473 |
return false; |
474 |
} |
475 |
|
476 |
/**
|
477 |
* Loads the authorization objects configured.
|
478 |
*
|
479 |
* @return mixed Either null when authorize is empty, or the loaded authorization objects.
|
480 |
* @throws CakeException
|
481 |
*/
|
482 |
public function constructAuthorize() { |
483 |
if (empty($this->authorize)) { |
484 |
return null; |
485 |
} |
486 |
$this->_authorizeObjects = array(); |
487 |
$config = Hash::normalize((array)$this->authorize); |
488 |
$global = array(); |
489 |
if (isset($config[AuthComponent::ALL])) { |
490 |
$global = $config[AuthComponent::ALL]; |
491 |
unset($config[AuthComponent::ALL]); |
492 |
} |
493 |
foreach ($config as $class => $settings) { |
494 |
list($plugin, $class) = pluginSplit($class, true); |
495 |
$className = $class . 'Authorize'; |
496 |
App::uses($className, $plugin . 'Controller/Component/Auth'); |
497 |
if (!class_exists($className)) { |
498 |
throw new CakeException(__d('cake_dev', 'Authorization adapter "%s" was not found.', $class)); |
499 |
} |
500 |
if (!method_exists($className, 'authorize')) { |
501 |
throw new CakeException(__d('cake_dev', 'Authorization objects must implement an %s method.', 'authorize()')); |
502 |
} |
503 |
$settings = array_merge($global, (array)$settings); |
504 |
$this->_authorizeObjects[] = new $className($this->_Collection, $settings); |
505 |
} |
506 |
return $this->_authorizeObjects; |
507 |
} |
508 |
|
509 |
/**
|
510 |
* Takes a list of actions in the current controller for which authentication is not required, or
|
511 |
* no parameters to allow all actions.
|
512 |
*
|
513 |
* You can use allow with either an array, or var args.
|
514 |
*
|
515 |
* `$this->Auth->allow(array('edit', 'add'));` or
|
516 |
* `$this->Auth->allow('edit', 'add');` or
|
517 |
* `$this->Auth->allow();` to allow all actions
|
518 |
*
|
519 |
* @param string|array $action Controller action name or array of actions
|
520 |
* @return void
|
521 |
* @link http://book.cakephp.org/2.0/en/core-libraries/components/authentication.html#making-actions-public
|
522 |
*/
|
523 |
public function allow($action = null) { |
524 |
$args = func_get_args(); |
525 |
if (empty($args) || $action === null) { |
526 |
$this->allowedActions = $this->_methods; |
527 |
return;
|
528 |
} |
529 |
if (isset($args[0]) && is_array($args[0])) { |
530 |
$args = $args[0]; |
531 |
} |
532 |
$this->allowedActions = array_merge($this->allowedActions, $args); |
533 |
} |
534 |
|
535 |
/**
|
536 |
* Removes items from the list of allowed/no authentication required actions.
|
537 |
*
|
538 |
* You can use deny with either an array, or var args.
|
539 |
*
|
540 |
* `$this->Auth->deny(array('edit', 'add'));` or
|
541 |
* `$this->Auth->deny('edit', 'add');` or
|
542 |
* `$this->Auth->deny();` to remove all items from the allowed list
|
543 |
*
|
544 |
* @param string|array $action Controller action name or array of actions
|
545 |
* @return void
|
546 |
* @see AuthComponent::allow()
|
547 |
* @link http://book.cakephp.org/2.0/en/core-libraries/components/authentication.html#making-actions-require-authorization
|
548 |
*/
|
549 |
public function deny($action = null) { |
550 |
$args = func_get_args(); |
551 |
if (empty($args) || $action === null) { |
552 |
$this->allowedActions = array(); |
553 |
return;
|
554 |
} |
555 |
if (isset($args[0]) && is_array($args[0])) { |
556 |
$args = $args[0]; |
557 |
} |
558 |
foreach ($args as $arg) { |
559 |
$i = array_search($arg, $this->allowedActions); |
560 |
if (is_int($i)) { |
561 |
unset($this->allowedActions[$i]); |
562 |
} |
563 |
} |
564 |
$this->allowedActions = array_values($this->allowedActions); |
565 |
} |
566 |
|
567 |
/**
|
568 |
* Maps action names to CRUD operations.
|
569 |
*
|
570 |
* Used for controller-based authentication. Make sure
|
571 |
* to configure the authorize property before calling this method. As it delegates $map to all the
|
572 |
* attached authorize objects.
|
573 |
*
|
574 |
* @param array $map Actions to map
|
575 |
* @return void
|
576 |
* @see BaseAuthorize::mapActions()
|
577 |
* @link http://book.cakephp.org/2.0/en/core-libraries/components/authentication.html#mapping-actions-when-using-crudauthorize
|
578 |
* @deprecated 3.0.0 Map actions using `actionMap` config key on authorize objects instead
|
579 |
*/
|
580 |
public function mapActions($map = array()) { |
581 |
if (empty($this->_authorizeObjects)) { |
582 |
$this->constructAuthorize();
|
583 |
} |
584 |
$mappedActions = array(); |
585 |
foreach ($this->_authorizeObjects as $auth) { |
586 |
$mappedActions = Hash::merge($mappedActions, $auth->mapActions($map)); |
587 |
} |
588 |
if (empty($map)) { |
589 |
return $mappedActions; |
590 |
} |
591 |
} |
592 |
|
593 |
/**
|
594 |
* Log a user in.
|
595 |
*
|
596 |
* If a $user is provided that data will be stored as the logged in user. If `$user` is empty or not
|
597 |
* specified, the request will be used to identify a user. If the identification was successful,
|
598 |
* the user record is written to the session key specified in AuthComponent::$sessionKey. Logging in
|
599 |
* will also change the session id in order to help mitigate session replays.
|
600 |
*
|
601 |
* @param array $user Either an array of user data, or null to identify a user using the current request.
|
602 |
* @return bool True on login success, false on failure
|
603 |
* @link http://book.cakephp.org/2.0/en/core-libraries/components/authentication.html#identifying-users-and-logging-them-in
|
604 |
*/
|
605 |
public function login($user = null) { |
606 |
$this->_setDefaults();
|
607 |
|
608 |
if (empty($user)) { |
609 |
$user = $this->identify($this->request, $this->response); |
610 |
} |
611 |
if ($user) { |
612 |
$this->Session->renew(); |
613 |
$this->Session->write(static::$sessionKey, $user); |
614 |
$event = new CakeEvent('Auth.afterIdentify', $this, array('user' => $user)); |
615 |
$this->_Collection->getController()->getEventManager()->dispatch($event); |
616 |
} |
617 |
return (bool)$this->user(); |
618 |
} |
619 |
|
620 |
/**
|
621 |
* Log a user out.
|
622 |
*
|
623 |
* Returns the logout action to redirect to. Triggers the logout() method of
|
624 |
* all the authenticate objects, so they can perform custom logout logic.
|
625 |
* AuthComponent will remove the session data, so there is no need to do that
|
626 |
* in an authentication object. Logging out will also renew the session id.
|
627 |
* This helps mitigate issues with session replays.
|
628 |
*
|
629 |
* @return string AuthComponent::$logoutRedirect
|
630 |
* @see AuthComponent::$logoutRedirect
|
631 |
* @link http://book.cakephp.org/2.0/en/core-libraries/components/authentication.html#logging-users-out
|
632 |
*/
|
633 |
public function logout() { |
634 |
$this->_setDefaults();
|
635 |
if (empty($this->_authenticateObjects)) { |
636 |
$this->constructAuthenticate();
|
637 |
} |
638 |
$user = $this->user(); |
639 |
foreach ($this->_authenticateObjects as $auth) { |
640 |
$auth->logout($user); |
641 |
} |
642 |
$this->Session->delete(static::$sessionKey); |
643 |
$this->Session->delete('Auth.redirect'); |
644 |
$this->Session->renew(); |
645 |
return Router::normalize($this->logoutRedirect); |
646 |
} |
647 |
|
648 |
/**
|
649 |
* Get the current user.
|
650 |
*
|
651 |
* Will prefer the static user cache over sessions. The static user
|
652 |
* cache is primarily used for stateless authentication. For stateful authentication,
|
653 |
* cookies + sessions will be used.
|
654 |
*
|
655 |
* @param string $key field to retrieve. Leave null to get entire User record
|
656 |
* @return array|null User record. or null if no user is logged in.
|
657 |
* @link http://book.cakephp.org/2.0/en/core-libraries/components/authentication.html#accessing-the-logged-in-user
|
658 |
*/
|
659 |
public static function user($key = null) { |
660 |
if (!empty(static::$_user)) { |
661 |
$user = static::$_user; |
662 |
} elseif (static::$sessionKey && CakeSession::check(static::$sessionKey)) { |
663 |
$user = CakeSession::read(static::$sessionKey); |
664 |
} else {
|
665 |
return null; |
666 |
} |
667 |
if ($key === null) { |
668 |
return $user; |
669 |
} |
670 |
return Hash::get($user, $key); |
671 |
} |
672 |
|
673 |
/**
|
674 |
* Similar to AuthComponent::user() except if the session user cannot be found, connected authentication
|
675 |
* objects will have their getUser() methods called. This lets stateless authentication methods function correctly.
|
676 |
*
|
677 |
* @return bool true if a user can be found, false if one cannot.
|
678 |
*/
|
679 |
protected function _getUser() { |
680 |
$user = $this->user(); |
681 |
if ($user) { |
682 |
$this->Session->delete('Auth.redirect'); |
683 |
return true; |
684 |
} |
685 |
|
686 |
if (empty($this->_authenticateObjects)) { |
687 |
$this->constructAuthenticate();
|
688 |
} |
689 |
foreach ($this->_authenticateObjects as $auth) { |
690 |
$result = $auth->getUser($this->request); |
691 |
if (!empty($result) && is_array($result)) { |
692 |
static::$_user = $result; |
693 |
return true; |
694 |
} |
695 |
} |
696 |
|
697 |
return false; |
698 |
} |
699 |
|
700 |
/**
|
701 |
* Backwards compatible alias for AuthComponent::redirectUrl().
|
702 |
*
|
703 |
* @param string|array $url Optional URL to write as the login redirect URL.
|
704 |
* @return string Redirect URL
|
705 |
* @deprecated 3.0.0 Since 2.3.0, use AuthComponent::redirectUrl() instead
|
706 |
*/
|
707 |
public function redirect($url = null) { |
708 |
return $this->redirectUrl($url); |
709 |
} |
710 |
|
711 |
/**
|
712 |
* Get the URL a user should be redirected to upon login.
|
713 |
*
|
714 |
* Pass a URL in to set the destination a user should be redirected to upon
|
715 |
* logging in.
|
716 |
*
|
717 |
* If no parameter is passed, gets the authentication redirect URL. The URL
|
718 |
* returned is as per following rules:
|
719 |
*
|
720 |
* - Returns the normalized URL from session Auth.redirect value if it is
|
721 |
* present and for the same domain the current app is running on.
|
722 |
* - If there is no session value and there is a $loginRedirect, the $loginRedirect
|
723 |
* value is returned.
|
724 |
* - If there is no session and no $loginRedirect, / is returned.
|
725 |
*
|
726 |
* @param string|array $url Optional URL to write as the login redirect URL.
|
727 |
* @return string Redirect URL
|
728 |
*/
|
729 |
public function redirectUrl($url = null) { |
730 |
if ($url !== null) { |
731 |
$redir = $url; |
732 |
$this->Session->write('Auth.redirect', $redir); |
733 |
} elseif ($this->Session->check('Auth.redirect')) { |
734 |
$redir = $this->Session->read('Auth.redirect'); |
735 |
$this->Session->delete('Auth.redirect'); |
736 |
|
737 |
if (Router::normalize($redir) === Router::normalize($this->loginAction)) { |
738 |
$redir = $this->loginRedirect; |
739 |
} |
740 |
} elseif ($this->loginRedirect) { |
741 |
$redir = $this->loginRedirect; |
742 |
} else {
|
743 |
$redir = '/'; |
744 |
} |
745 |
if (is_array($redir)) { |
746 |
return Router::url($redir + array('base' => false)); |
747 |
} |
748 |
return $redir; |
749 |
} |
750 |
|
751 |
/**
|
752 |
* Use the configured authentication adapters, and attempt to identify the user
|
753 |
* by credentials contained in $request.
|
754 |
*
|
755 |
* @param CakeRequest $request The request that contains authentication data.
|
756 |
* @param CakeResponse $response The response
|
757 |
* @return array User record data, or false, if the user could not be identified.
|
758 |
*/
|
759 |
public function identify(CakeRequest $request, CakeResponse $response) { |
760 |
if (empty($this->_authenticateObjects)) { |
761 |
$this->constructAuthenticate();
|
762 |
} |
763 |
foreach ($this->_authenticateObjects as $auth) { |
764 |
$result = $auth->authenticate($request, $response); |
765 |
if (!empty($result) && is_array($result)) { |
766 |
return $result; |
767 |
} |
768 |
} |
769 |
return false; |
770 |
} |
771 |
|
772 |
/**
|
773 |
* Loads the configured authentication objects.
|
774 |
*
|
775 |
* @return mixed Either null on empty authenticate value, or an array of loaded objects.
|
776 |
* @throws CakeException
|
777 |
*/
|
778 |
public function constructAuthenticate() { |
779 |
if (empty($this->authenticate)) { |
780 |
return null; |
781 |
} |
782 |
$this->_authenticateObjects = array(); |
783 |
$config = Hash::normalize((array)$this->authenticate); |
784 |
$global = array(); |
785 |
if (isset($config[AuthComponent::ALL])) { |
786 |
$global = $config[AuthComponent::ALL]; |
787 |
unset($config[AuthComponent::ALL]); |
788 |
} |
789 |
foreach ($config as $class => $settings) { |
790 |
if (!empty($settings['className'])) { |
791 |
$class = $settings['className']; |
792 |
unset($settings['className']); |
793 |
} |
794 |
list($plugin, $class) = pluginSplit($class, true); |
795 |
$className = $class . 'Authenticate'; |
796 |
App::uses($className, $plugin . 'Controller/Component/Auth'); |
797 |
if (!class_exists($className)) { |
798 |
throw new CakeException(__d('cake_dev', 'Authentication adapter "%s" was not found.', $class)); |
799 |
} |
800 |
if (!method_exists($className, 'authenticate')) { |
801 |
throw new CakeException(__d('cake_dev', 'Authentication objects must implement an %s method.', 'authenticate()')); |
802 |
} |
803 |
$settings = array_merge($global, (array)$settings); |
804 |
$auth = new $className($this->_Collection, $settings); |
805 |
$this->_Collection->getController()->getEventManager()->attach($auth); |
806 |
$this->_authenticateObjects[] = $auth; |
807 |
} |
808 |
return $this->_authenticateObjects; |
809 |
} |
810 |
|
811 |
/**
|
812 |
* Hash a password with the application's salt value (as defined with Configure::write('Security.salt');
|
813 |
*
|
814 |
* This method is intended as a convenience wrapper for Security::hash(). If you want to use
|
815 |
* a hashing/encryption system not supported by that method, do not use this method.
|
816 |
*
|
817 |
* @param string $password Password to hash
|
818 |
* @return string Hashed password
|
819 |
* @deprecated 3.0.0 Since 2.4. Use Security::hash() directly or a password hasher object.
|
820 |
*/
|
821 |
public static function password($password) { |
822 |
return Security::hash($password, null, true); |
823 |
} |
824 |
|
825 |
/**
|
826 |
* Check whether or not the current user has data in the session, and is considered logged in.
|
827 |
*
|
828 |
* @return bool true if the user is logged in, false otherwise
|
829 |
* @deprecated 3.0.0 Since 2.5. Use AuthComponent::user() directly.
|
830 |
*/
|
831 |
public function loggedIn() { |
832 |
return (bool)$this->user(); |
833 |
} |
834 |
|
835 |
/**
|
836 |
* Set a flash message. Uses the Session component, and values from AuthComponent::$flash.
|
837 |
*
|
838 |
* @param string $message The message to set.
|
839 |
* @return void
|
840 |
*/
|
841 |
public function flash($message) { |
842 |
if ($message === false) { |
843 |
return;
|
844 |
} |
845 |
$this->Flash->set($message, $this->flash); |
846 |
} |
847 |
|
848 |
} |