1 <?php
2
3 /* vim: set expandtab tabstop=4 shiftwidth=4 softtabstop=4: */
4
5 /**
6 * Galette Slim middleware for authentication
7 *
8 * PHP version 5
9 *
10 * Copyright © 2020 The Galette Team
11 *
12 * This file is part of Galette (http://galette.tuxfamily.org).
13 *
14 * Galette is free software: you can redistribute it and/or modify
15 * it under the terms of the GNU General Public License as published by
16 * the Free Software Foundation, either version 3 of the License, or
17 * (at your option) any later version.
18 *
19 * Galette is distributed in the hope that it will be useful,
20 * but WITHOUT ANY WARRANTY; without even the implied warranty of
21 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
22 * GNU General Public License for more details.
23 *
24 * You should have received a copy of the GNU General Public License
25 * along with Galette. If not, see <http://www.gnu.org/licenses/>.
26 *
27 * @category Core
28 * @package Galette
29 *
30 * @author Johan Cwiklinski <johan@x-tnd.be>
31 * @copyright 2020 The Galette Team
32 * @license http://www.gnu.org/licenses/gpl-3.0.html GPL License 3.0 or (at your option) any later version
33 * @link http://galette.tuxfamily.org
34 * @since Available since 0.9.4dev - 2020-05-06
35 */
36
37 namespace Galette\Middleware;
38
39 use Psr\Http\Message\ServerRequestInterface as Request;
40 use Psr\Http\Message\ResponseInterface as Response;
41 use Galette\Entity\Adherent;
42 use Galette\Filters\MembersList;
43 use Galette\Repository\Members;
44 use Analog\Analog;
45
46 /**
47 * Galette Slim middleware for authentication
48 *
49 * @category Middleware
50 * @name Authenticate
51 * @package Galette
52 * @author Johan Cwiklinski <johan@x-tnd.be>
53 * @copyright 2020 The Galette Team
54 * @license http://www.gnu.org/licenses/gpl-3.0.html GPL License 3.0 or (at your option) any later version
55 * @link http://galette.tuxfamily.org
56 * @since Available since 0.9.4dev - 2020-05-06
57 */
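class Authenticate extends CheckAcls
{
    /**
     * Login instance used for the logged-in and role checks
     *
     * @var \Galette\Core\Login
     */
    private $login;

    /**
     * Session; stores the path to come back to once logged in
     *
     * @var \RKA\Session
     */
    private $session;

    /**
     * Constructor
     *
     * @param \Slim\Container $container Container instance
     */
    public function __construct(\Slim\Container $container)
    {
        parent::__construct($container);
        $this->login = $container->get('login');
        $this->session = $container->get('session');
    }

    /**
     * Middleware invokable class
     *
     * Rejects the request when nobody is logged in, or when the logged-in
     * user does not hold the role the current route's ACL asks for. In both
     * cases the next middleware is NOT called: an error flash message is
     * queued and a response carrying a Location header to the 'slash' route
     * is returned instead.
     *
     * Roles are cumulative: superadmin passes every rule, admin passes
     * 'admin' and below, staff passes 'staff' and below, and so on down to
     * 'member', which any logged-in user passes.
     *
     * @param \Psr\Http\Message\ServerRequestInterface $request  PSR7 request
     * @param \Psr\Http\Message\ResponseInterface      $response PSR7 response
     * @param callable                                 $next     Next middleware
     *
     * @return \Psr\Http\Message\ResponseInterface
     *
     * @throws \RuntimeException When the route's ACL rule is not a known one
     */
    public function __invoke(Request $request, Response $response, $next): Response
    {
        if (!$this->login || !$this->login->isLogged()) {
            $requested_path = $request->getUri()->getPath();
            if ($request->isGet()) {
                // Only the path component is remembered (no scheme, host or
                // query string). Code that later redirects to this value is
                // not shown here and should keep treating it as a same-site
                // path.
                $this->session->urlRedirect = $requested_path;
            }
            // Log the path actually requested. The session value is only
            // refreshed on GET, so for any other method it would be empty or
            // left over from an earlier request and the entry would be
            // misleading.
            Analog::log(
                'Login required to access ' . $requested_path,
                Analog::DEBUG
            );
            // flash and router are not declared in this class; presumably
            // they are set up by CheckAcls.
            $this->flash->addMessage('error_detected', _T("Login required"));
            // NOTE(review): no status code is set here; confirm a redirect
            // status is applied elsewhere, otherwise the Location header goes
            // out with whatever status the response already carries.
            return $response
                ->withHeader('Location', $this->router->pathFor('slash'));
        }

        //check for ACLs
        $cur_route = $request->getAttribute('route')->getName();
        $acl = $this->getAclFor($cur_route);

        // Deny by default; each rule below has to grant access explicitly.
        $go = false;
        switch ($acl) {
            case 'superadmin':
                if ($this->login->isSuperAdmin()) {
                    $go = true;
                }
                break;
            case 'admin':
                if (
                    $this->login->isSuperAdmin()
                    || $this->login->isAdmin()
                ) {
                    $go = true;
                }
                break;
            case 'staff':
                if (
                    $this->login->isSuperAdmin()
                    || $this->login->isAdmin()
                    || $this->login->isStaff()
                ) {
                    $go = true;
                }
                break;
            case 'groupmanager':
                if (
                    $this->login->isSuperAdmin()
                    || $this->login->isAdmin()
                    || $this->login->isStaff()
                    || $this->login->isGroupManager()
                ) {
                    $go = true;
                }
                break;
            case 'member':
                if ($this->login->isLogged()) {
                    $go = true;
                }
                break;
            default:
                // Fail closed: an ACL value this middleware does not know
                // aborts the request instead of letting it through. Nothing
                // can follow the throw, so no break is needed.
                throw new \RuntimeException(
                    str_replace(
                        '%acl',
                        $acl,
                        _T("Unknown ACL rule '%acl'!")
                    )
                );
        }

        if (!$go) {
            // NOTE(review): authorization denials are logged at DEBUG; if the
            // deployed log level filters DEBUG out, these events never reach
            // monitoring. Consider whether a higher level fits.
            Analog::log(
                'Permission denied for route ' . $cur_route . ' for user ' . $this->login->login,
                Analog::DEBUG
            );
            $this->flash->addMessage(
                'error_detected',
                _T("You do not have permission for requested URL.")
            );
            // NOTE(review): same as above, no status code is set with the
            // Location header.
            return $response
                ->withHeader('Location', $this->router->pathFor('slash'));
        }

        return $next($request, $response);
    }
}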