Authentication

Authentication is handled on a per-command basis using the isAllowed method.

isAllowed

The command's isAllowed method is called by the controller before the process method. The controller is supposed to redirect to a login page or throw an exception if the user does not have permission to see the current page.

Careful: if you want to do sensitive work such as saving data in the constructor, you must call isAllowed() yourself from the constructor. This is necessary because the controller only calls isAllowed after the constructor has already run, so anything the constructor does is not protected by the controller's check.

PAM architecture

Okapi includes api_pam classes - a few helper classes for authentication and permission handling. It consists of two kinds of classes:

  • api_pam_auth_*: Handles logging in - just checks whether a given username / password is valid.
  • api_pam_perm_*: Handles permissions - checks whether a given user is actually allowed to access a specific object / page.

To use the PAM architecture, you can write your command's isAllowed method like this:

public function isAllowed() {
    $pam = api_pam::getInstance();
    return $pam->isAllowed('acObject', 'acValue');
}
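The following command class, added here as an example and not taken from the Okapi code base or documentation, puts the two points above together: isAllowed delegates to the configured PAM permission class, and because the constructor saves data, it calls isAllowed() itself before doing so. The base class name api_command, its argument-less constructor, the exception class api_exception_permissions and the object/value pair 'profile' / 'edit' are assumptions of this example.

```php
<?php
// Added example, not part of Okapi. Assumed names: api_command (command base
// class with an argument-less constructor) and api_exception_permissions.
class myapp_command_profile extends api_command {
    public function __construct() {
        parent::__construct();

        // The controller calls isAllowed() only after construction, so work
        // done here is not covered by that check and must be guarded itself.
        if (!$this->isAllowed()) {
            throw new api_exception_permissions();
        }
        $this->saveProfile();
    }

    // Called by the controller before process(). Delegates the decision to
    // the permission class configured under pam.perm; the object/value pair
    // 'profile' / 'edit' is an assumed identifier for this page.
    public function isAllowed() {
        $pam = api_pam::getInstance();
        return $pam->isAllowed('profile', 'edit');
    }

    public function process() {
        // Render the profile page. Only reached when isAllowed() returned
        // true, because the controller checks it before calling process().
    }

    private function saveProfile() {
        // Persist the submitted profile data (application-specific). Runs in
        // the constructor, hence the explicit isAllowed() call above.
    }
}
```

Without the guard in the constructor, a request from a user who is not allowed to edit the profile would still reach saveProfile(); the controller's own check only prevents process() from running, which is too late.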

The actual behaviour is controlled with configuration. An example configuration file:

default:
    # Other config here

    pam:
        auth:
            class: pearwrapper
            options:
                container: Array
                users:
                    tester: demo
        perm:
            class: everything
            options:
                loginurl: http://login.mydomain.com/

For authentication the pearwrapper class is used. As the name implies it wraps the PEAR Auth containers - so make sure PEAR Auth is available in your application if you want to use that. In this example it wraps the Array container containing one user ("tester", identified by the password "demo").

Permission checking is done by the class api_pam_perm_everything (not part of Okapi as of now). That class redirects to the login page whenever the user is not logged in and allows everything otherwise.

api_pam_perm_everything

This is how api_pam_perm_everything can be implemented:

<?php
/**
 * Requires login for everything: a request with a known user ID is allowed,
 * a request without one is redirected to the login page.
 */
class api_pam_perm_everything extends api_pam_perm implements api_pam_interface_perm {
    /** @var string URL an anonymous user is redirected to. */
    protected $loginUrl;

    public function __construct($opts) {
        parent::__construct($opts);

        $request = api_request::getInstance();
        // Default login page; overridden by the "loginurl" option, in which
        // the {$lang} and {$tld} placeholders are filled from the request.
        $this->loginUrl = API_WEBROOT . 'login/';
        if (isset($opts['loginurl'])) {
            $this->loginUrl = str_replace(
                array('{$lang}', '{$tld}'),
                array($request->getLang(), $request->getTld()),
                $opts['loginurl']);
        }
        // Pass the originally requested URL along so the login page can send
        // the user back after a successful login.
        $this->loginUrl .= '?origpath=' . urlencode($request->getUrl());
    }

    public function isAllowed($uid, $acObject, $acValue) {
        if (empty($uid)) {
            // Not logged in: send to the login page and deny access.
            api_helpers_http::redirectTo($this->loginUrl);
            return false;
        }
        // Logged in: every object / value combination is allowed.
        return true;
    }
}
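api_pam_perm_everything ignores the acObject / acValue pair it receives. The class below, added as an example and not part of Okapi, shows what a permission class that does use them can look like: it reads a static access list from its options and denies by default. The class name api_pam_perm_acl and the layout of the acl option (object, then value, then a list of user IDs, with '*' meaning any logged-in user) are assumptions of this example; the configuration would reference it as class: acl under pam.perm, mirroring the everything example above.

```php
<?php
// Added example, not part of Okapi. The name api_pam_perm_acl and the
// "acl" option layout below are assumptions; the isAllowed signature is the
// one the page shows for api_pam_perm_everything.
//
// Assumed configuration (under pam.perm):
//     class: acl
//     options:
//         acl:
//             profile:
//                 edit: [tester]
//                 view: ['*']
class api_pam_perm_acl extends api_pam_perm implements api_pam_interface_perm {
    /** @var array acObject => acValue => list of user IDs, or '*' for anyone logged in. */
    protected $acl = array();

    public function __construct($opts) {
        parent::__construct($opts);
        if (isset($opts['acl']) && is_array($opts['acl'])) {
            $this->acl = $opts['acl'];
        }
    }

    /**
     * Deny by default: access is granted only when the user is logged in and
     * the list configured for ($acObject, $acValue) names that user or '*'.
     * Unknown objects or values, and anonymous users, are always denied.
     */
    public function isAllowed($uid, $acObject, $acValue) {
        if (empty($uid)) {
            return false;
        }
        if (!isset($this->acl[$acObject][$acValue])) {
            return false;
        }
        $allowed = array_map('strval', (array) $this->acl[$acObject][$acValue]);
        if (in_array('*', $allowed, true)) {
            return true;
        }
        // Strict comparison on string form avoids loose-typed matches such as
        // a numeric user ID against a non-numeric entry.
        return in_array((string) $uid, $allowed, true);
    }
}
```

With the assumed options above, isAllowed('tester', 'profile', 'edit') returns true, isAllowed('someone', 'profile', 'edit') returns false, isAllowed('someone', 'profile', 'view') returns true, and any call with an empty user ID returns false. Unlike api_pam_perm_everything, this class does not redirect; it leaves it to the command and controller to decide how a denied request is answered.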

These projects are supported by Liip AG