
Multiple roles and Swagger (API Explorer) access

Open nocodelab opened this issue 8 years ago • 4 comments

Hi all, I'm experiencing a problem with Restler 3 RC5. I'm trying to set multiple user roles for my API access.

The API endpoints are working properly based on the authenticated user's role. The problem is with the API Explorer: after adding the API key, the protected methods are not available. Without using custom roles, everything is working fine.

<?php
use \Luracast\Restler\iAuthenticate;
use \Luracast\Restler\Resources;
use \Luracast\Restler\Defaults;
use \Luracast\Restler\User;

class AccessControl implements iAuthenticate
{
    // Filled in by Restler from the method's doc comment
    // (@class AccessControl {@requires ...}); a role name or a list of role names.
    public static $requires = '';
    // Role of the current caller, set by __isAllowed() after the key check.
    public static $role = '';

    public function __isAllowed()
    {
        $userClass = Defaults::$userIdentifierClass;

        // No key supplied at all: deny without touching an undefined index.
        if (empty($_GET['api_key'])) {
            return false;
        }

        // Only the salted hash of a key is stored, so hash the presented key
        // before looking it up; the raw key never reaches the database.
        $accessToken = md5($_GET['api_key'] . ADMIN_PASSWORD_SALT);
        $keyCheck = R::find(
            'accesstoken',
            'token = :accesstoken AND expire_at >= NOW()',
            [':accesstoken' => $accessToken]
        );

        // Unknown or expired token
        if (!$keyCheck) {
            $userClass::setCacheIdentifier($_GET['api_key']);
            return false;
        }

        $user_id = R::exportAll($keyCheck)[0]['admin_id'];

        $userDetails = R::getRow(
            'SELECT admin.id, admin.role_id, role.name AS role_name '
            . 'FROM admin LEFT JOIN role ON admin.role_id = role.id '
            . 'WHERE admin.id = :id',
            [':id' => $user_id]
        );
        // Token belongs to a deleted user, or the user has no role: deny.
        if (!$userDetails || empty($userDetails['role_name'])) {
            return false;
        }

        static::$role = $userDetails['role_name'];
        $userClass::setCacheIdentifier(static::$role);
        User::setUniqueIdentifier($user_id);

        // Let the API Explorer (Resources) ask this class which methods to list.
        Resources::$accessControlFunction = 'AccessControl::verifyAccess';

        return static::roleSatisfies(static::$requires);
    }

    public function __getWWWAuthenticateString()
    {
        return 'Query name="api_key"';
    }

    /**
     * Called by Resources for every method while building the explorer
     * listing; $m is that method's metadata array.
     *
     * @access private
     */
    public static function verifyAccess(array $m)
    {
        $requires =
            isset($m['class']['AccessControl']['properties']['requires'])
                ? $m['class']['AccessControl']['properties']['requires']
                : false;

        return static::roleSatisfies($requires);
    }

    /**
     * True when the caller's role is (one of) $requires. A method that
     * declares no requirement is open to any authenticated caller and is
     * always listed in the explorer.
     */
    private static function roleSatisfies($requires)
    {
        if ($requires === false || $requires === '' || $requires === []) {
            return true;
        }
        if (is_array($requires)) {
            // Strict comparison so a role named "0" cannot match another role.
            return in_array(static::$role, $requires, true);
        }
        return static::$role === $requires;
    }
}


Can anyone help me? Thanks

nocodelab, Mar 06 '16 17:03

This seems like a dup of #524

igorsantos07, Mar 10 '16 04:03

@igorsantos07 Not sure if it is the same issue. Basically I would like to show/hide methods according to the user role.

nocodelab, Mar 10 '16 10:03

Hi all, does no one have hints/suggestions on this?

Cheers

nocodelab, May 04 '16 07:05

I have posted some examples on how I did this using comments at the function/endpoint level to require one or more permissions, and then hide methods which the user doesn't have permission for. Let me know if that works.

roynasser, Jul 27 '16 18:07
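The following is an added example of the approach roynasser describes (one or more permissions declared per endpoint, and methods the caller cannot use filtered out of the explorer listing). It is not code from the Restler project or from anyone in this thread. It assumes the metadata shape the posted verifyAccess() reads, namely that Restler passes the function registered in Resources::$accessControlFunction one method metadata array with the requirement under $m['class']['AccessControl']['properties']['requires']; the route strings and role names are constructed for the demonstration.

```php
<?php
// Added example, not code from Restler or from this thread.  Assumes the
// metadata shape the posted verifyAccess() reads: one method metadata array
// per call, requirement under $m['class']['AccessControl']['properties']['requires'].
// Route strings and role names below are constructed for the demonstration.

class ExplorerAccess
{
    /** Role of the current caller; the authenticator sets this after the key check. */
    public static $role = '';

    /**
     * True when the caller may see/use the method described by $m.
     * Methods with no requirement are public and always listed; a requirement
     * may be a single role name or a list of acceptable role names.
     */
    public static function verifyAccess(array $m)
    {
        $requires = isset($m['class']['AccessControl']['properties']['requires'])
            ? $m['class']['AccessControl']['properties']['requires']
            : null;

        if ($requires === null || $requires === '' || $requires === array()) {
            return true;
        }
        $allowed = is_array($requires) ? $requires : array($requires);

        // Strict comparison: a role named "0" must not match "admin".
        return in_array(static::$role, $allowed, true);
    }

    /**
     * Filter a route => metadata map down to the routes $role may see.
     */
    public static function visibleRoutes(array $routes, $role)
    {
        static::$role = $role;
        $visible = array();
        foreach ($routes as $route => $m) {
            if (static::verifyAccess($m)) {
                $visible[] = $route;
            }
        }
        return $visible;
    }
}

// Constructed sample: three endpoints with different requirements, in the
// array layout the posted verifyAccess() reads.
$routes = array(
    'GET /articles'  => array(),                                        // public
    'POST /articles' => array('class' => array('AccessControl' => array(
        'properties' => array('requires' => 'editor')))),
    'DELETE /users'  => array('class' => array('AccessControl' => array(
        'properties' => array('requires' => array('admin', 'superuser'))))),
);

foreach (array('', 'editor', 'admin', 'guest') as $role) {
    printf("%-11s -> %s\n",
        $role === '' ? '(anonymous)' : $role,
        implode(', ', ExplorerAccess::visibleRoutes($routes, $role)));
}

// In Restler this check would be wired up from the authenticator once the
// caller's role is known (hypothetical variable name):
//   ExplorerAccess::$role = $roleFromDatabase;
//   Resources::$accessControlFunction = 'ExplorerAccess::verifyAccess';
```

The anonymous caller and the unknown role "guest" only see the public route; "editor" additionally sees POST /articles, and "admin" sees DELETE /users because the list form of requires accepts either of two roles. The one design point worth keeping is the first branch: a method that declares no requirement must return true, otherwise every public method disappears from the explorer as soon as a role is set.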