AS1024/Kanboard-Prod
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Rewrite of the authentication and authorization system

Browse Source
This commit is contained in:
Frederic Guillot
2015-12-05 20:31:27 -05:00
parent 346b8312e5
commit e9fedf3e5c
255 changed files with 14114 additions and 9820 deletions
Download Patch File Download Diff File Expand all files Collapse all files

149
app/ServiceProvider/AuthenticationProvider.php Normal file
View File

@@ -0,0 +1,149 @@
<?php
namespace Kanboard\ServiceProvider;
use Pimple\Container;
use Pimple\ServiceProviderInterface;
use Kanboard\Core\Security\AuthenticationManager;
use Kanboard\Core\Security\AccessMap;
use Kanboard\Core\Security\Authorization;
use Kanboard\Core\Security\Role;
use Kanboard\Auth\RememberMeAuth;
use Kanboard\Auth\DatabaseAuth;
use Kanboard\Auth\LdapAuth;
use Kanboard\Auth\GitlabAuth;
use Kanboard\Auth\GithubAuth;
use Kanboard\Auth\GoogleAuth;
use Kanboard\Auth\TotpAuth;
use Kanboard\Auth\ReverseProxyAuth;
/**
* Authentication Provider
*
* @package serviceProvider
* @author Frederic Guillot
*/
class AuthenticationProvider implements ServiceProviderInterface
{
/**
* Register providers
*
* @access public
* @param \Pimple\Container $container
* @return \Pimple\Container
*/
public function register(Container $container)
{
$container['authenticationManager'] = new AuthenticationManager($container);
$container['authenticationManager']->register(new TotpAuth($container));
$container['authenticationManager']->register(new RememberMeAuth($container));
$container['authenticationManager']->register(new DatabaseAuth($container));
if (REVERSE_PROXY_AUTH) {
$container['authenticationManager']->register(new ReverseProxyAuth($container));
}
if (LDAP_AUTH) {
$container['authenticationManager']->register(new LdapAuth($container));
}
if (GITLAB_AUTH) {
$container['authenticationManager']->register(new GitlabAuth($container));
}
if (GITHUB_AUTH) {
$container['authenticationManager']->register(new GithubAuth($container));
}
if (GOOGLE_AUTH) {
$container['authenticationManager']->register(new GoogleAuth($container));
}
$container['projectAccessMap'] = $this->getProjectAccessMap();
$container['applicationAccessMap'] = $this->getApplicationAccessMap();
$container['projectAuthorization'] = new Authorization($container['projectAccessMap']);
$container['applicationAuthorization'] = new Authorization($container['applicationAccessMap']);
return $container;
}
/**
* Get ACL for projects
*
* @access public
* @return AccessMap
*/
public function getProjectAccessMap()
{
$acl = new AccessMap;
$acl->setDefaultRole(Role::PROJECT_VIEWER);
$acl->setRoleHierarchy(Role::PROJECT_MANAGER, array(Role::PROJECT_MEMBER, Role::PROJECT_VIEWER));
$acl->setRoleHierarchy(Role::PROJECT_MEMBER, array(Role::PROJECT_VIEWER));
$acl->add('Action', '*', Role::PROJECT_MANAGER);
$acl->add('Analytic', '*', Role::PROJECT_MANAGER);
$acl->add('Board', 'save', Role::PROJECT_MEMBER);
$acl->add('BoardPopover', '*', Role::PROJECT_MEMBER);
$acl->add('Calendar', 'save', Role::PROJECT_MEMBER);
$acl->add('Category', '*', Role::PROJECT_MANAGER);
$acl->add('Column', '*', Role::PROJECT_MANAGER);
$acl->add('Comment', '*', Role::PROJECT_MEMBER);
$acl->add('Customfilter', '*', Role::PROJECT_MEMBER);
$acl->add('Export', '*', Role::PROJECT_MANAGER);
$acl->add('File', array('screenshot', 'create', 'save', 'remove', 'confirm'), Role::PROJECT_MEMBER);
$acl->add('Gantt', '*', Role::PROJECT_MANAGER);
$acl->add('Project', array('share', 'integrations', 'notifications', 'edit', 'update', 'duplicate', 'disable', 'enable', 'remove'), Role::PROJECT_MANAGER);
$acl->add('ProjectPermission', '*', Role::PROJECT_MANAGER);
$acl->add('Projectuser', '*', Role::PROJECT_MANAGER);
$acl->add('Subtask', '*', Role::PROJECT_MEMBER);
$acl->add('Swimlane', '*', Role::PROJECT_MANAGER);
$acl->add('Task', 'remove', Role::PROJECT_MEMBER);
$acl->add('Taskcreation', '*', Role::PROJECT_MEMBER);
$acl->add('Taskduplication', '*', Role::PROJECT_MEMBER);
$acl->add('TaskImport', '*', Role::PROJECT_MANAGER);
$acl->add('Tasklink', '*', Role::PROJECT_MEMBER);
$acl->add('Taskmodification', '*', Role::PROJECT_MEMBER);
$acl->add('Taskstatus', '*', Role::PROJECT_MEMBER);
$acl->add('Timer', '*', Role::PROJECT_MEMBER);
return $acl;
}
/**
* Get ACL for the application
*
* @access public
* @return AccessMap
*/
public function getApplicationAccessMap()
{
$acl = new AccessMap;
$acl->setDefaultRole(Role::APP_USER);
$acl->setRoleHierarchy(Role::APP_ADMIN, array(Role::APP_MANAGER, Role::APP_USER, Role::APP_PUBLIC));
$acl->setRoleHierarchy(Role::APP_MANAGER, array(Role::APP_USER, Role::APP_PUBLIC));
$acl->setRoleHierarchy(Role::APP_USER, array(Role::APP_PUBLIC));
$acl->add('Oauth', array('google', 'github', 'gitlab'), Role::APP_PUBLIC);
$acl->add('Auth', array('login', 'check', 'captcha'), Role::APP_PUBLIC);
$acl->add('Webhook', '*', Role::APP_PUBLIC);
$acl->add('Task', 'readonly', Role::APP_PUBLIC);
$acl->add('Board', 'readonly', Role::APP_PUBLIC);
$acl->add('Ical', '*', Role::APP_PUBLIC);
$acl->add('Feed', '*', Role::APP_PUBLIC);
$acl->add('Config', '*', Role::APP_ADMIN);
$acl->add('Currency', '*', Role::APP_ADMIN);
$acl->add('Gantt', '*', Role::APP_MANAGER);
$acl->add('Group', '*', Role::APP_ADMIN);
$acl->add('Link', '*', Role::APP_ADMIN);
$acl->add('Project', array('users', 'allowEverybody', 'allow', 'role', 'revoke', 'create'), Role::APP_MANAGER);
$acl->add('ProjectPermission', '*', Role::APP_MANAGER);
$acl->add('Projectuser', '*', Role::APP_MANAGER);
$acl->add('Twofactor', 'disable', Role::APP_ADMIN);
$acl->add('UserImport', '*', Role::APP_ADMIN);
$acl->add('User', array('index', 'create', 'save', 'authentication', 'remove'), Role::APP_ADMIN);
return $acl;
}
}