Use ACL to block non-admins

utlib · Dec 20, 2023 · e5f5225 · e5f5225
1 parent 1bce932
commit e5f5225
Show file tree

Hide file tree

Showing 3 changed files with 55 additions and 7 deletions.
diff --git a/JobDiagnosticsPlugin.php b/JobDiagnosticsPlugin.php
@@ -13,6 +13,7 @@ class JobDiagnosticsPlugin extends Omeka_Plugin_AbstractPlugin
         'install',
         'uninstall',
         'upgrade',
+        'define_acl',
         'define_routes',
     );
 
@@ -85,6 +86,25 @@ public function hookUpgrade($args)
         }
     }
 
+    /**
+     * HOOK: Setting up ACL
+     * Allow only superusers and admins to use this plugin.
+     * 
+     * @param array $args
+     */
+    public function hookDefineAcl($args)
+    {
+        $acl = $args['acl'];
+
+        $acl->add(new Zend_Acl_Resource('Process'));
+        $acl->deny(null, 'Process');
+        $acl->allow(array('super', 'admin'), 'Process', array('browse', 'show'));
+
+        $acl->add(new Zend_Acl_Resource('JobDiagnostics_Test'));
+        $acl->deny(null, 'JobDiagnostics_Test');
+        $acl->allow(array('super', 'admin'), 'JobDiagnostics_Test', array('browse', 'show', 'add', 'clear'));
+    }
+
     /**
      * HOOK: Setting up routes
      * Add routes to the admin side only.
@@ -93,12 +113,7 @@ public function hookUpgrade($args)
      */
     public function hookDefineRoutes($args)
     {
-        if (is_admin_theme()) {
-            $user = current_user();
-            if (!empty($user) && ($user->role || 'superuser' || $user->role == 'admin')) {
-                $args['router']->addConfig(new Zend_Config_Ini(dirname(__FILE__) . '/routes.ini', 'routes'));
-            }
-        }
+        $args['router']->addConfig(new Zend_Config_Ini(dirname(__FILE__) . '/routes.ini', 'routes'));
     }
 
     /**
@@ -110,7 +125,8 @@ public function hookDefineRoutes($args)
     public function filterAdminNavigationMain($nav)
     {
         $user = current_user();
-        if ($user->role || 'superuser' || $user->role == 'admin') {
+        $acl = get_acl();
+        if ($acl->isAllowed($user->role, 'Process', 'browse')) {
             $nav[] = array(
                 'label' => __('Job Diagnostics'),
                 'uri' => url(array(), 'job_diagnostics_root'),

diff --git a/controllers/ProcessesController.php b/controllers/ProcessesController.php
@@ -25,6 +25,10 @@ public function init()
      */
     public function browseAction()
     {
+        if (!$this->_helper->acl->isAllowed('browse', 'Process'))
+        {
+            throw new Omeka_Controller_Exception_403;
+        }
         parent::browseAction();
     }
 
@@ -33,6 +37,10 @@ public function browseAction()
      */
     public function showAction()
     {
+        if (!$this->_helper->acl->isAllowed('show', 'Process'))
+        {
+            throw new Omeka_Controller_Exception_403;
+        }
         parent::showAction();
         $this->view->process = $this->view->proces; // Patch for bad inflector
     }

diff --git a/controllers/TestsController.php b/controllers/TestsController.php
@@ -52,6 +52,10 @@ public function homeAction()
      */
     public function addAction()
     {
+        if (!$this->_helper->acl->isAllowed('add', 'JobDiagnostics_Test'))
+        {
+            throw new Omeka_Controller_Exception_403;
+        }
         if ($this->getRequest()->isPost()) {
             $dispatchType = $this->getParam('dispatch_type');
             if (empty($dispatchType)) {
@@ -111,6 +115,10 @@ protected function _redirectAfterAdd($record)
      */
     public function indexAction()
     {
+        if (!$this->_helper->acl->isAllowed('browse', 'JobDiagnostics_Test'))
+        {
+            throw new Omeka_Controller_Exception_403;
+        }
         $this->view->short_running_result = $this->_resultForDispatchType(self::SHORT_DISPATCH, $test);
         $this->_killTestIfDead($test);
         $this->view->latest_short_running_test = $test;
@@ -183,6 +191,10 @@ private function _resultForDispatchType($dispatchType, &$test)
      */
     public function browseAction()
     {
+        if (!$this->_helper->acl->isAllowed('browse', 'JobDiagnostics_Test'))
+        {
+            throw new Omeka_Controller_Exception_403;
+        }
         parent::browseAction();
     }
 
@@ -201,6 +213,10 @@ protected function _getBrowseDefaultSort()
      */
     public function clearAction()
     {
+        if (!$this->_helper->acl->isAllowed('clear', 'JobDiagnostics_Test'))
+        {
+            throw new Omeka_Controller_Exception_403;
+        }
         if ($this->getRequest()->isPost()) {
             $dispatchType = $this->getParam('dispatch_type');
             $localizedDispatchType = __($dispatchType);
@@ -232,6 +248,10 @@ public function clearAction()
      */
     public function waitAction()
     {
+        if (!$this->_helper->acl->isAllowed('show', 'JobDiagnostics_Test'))
+        {
+            throw new Omeka_Controller_Exception_403;
+        }
         if (empty($testRecord = get_db()->getTable('JobDiagnostics_Test')->find($this->getParam('id')))) {
             throw new Omeka_Controller_Exception_404;
         }
@@ -248,6 +268,10 @@ public function waitAction()
      */
     public function waitAjaxAction()
     {
+        if (!$this->_helper->acl->isAllowed('show', 'JobDiagnostics_Test'))
+        {
+            throw new Omeka_Controller_Exception_403;
+        }
         $id = $this->getParam('id');
         if (empty($testRecord = get_db()->getTable('JobDiagnostics_Test')->find($this->getParam('id')))) {
             throw new Omeka_Controller_Exception_404;