Multiple roles and Swagger (API Explorer) access
Hi all, I'm experiencing a problem with Restler 3 RC5. I'm trying to use multiple user roles to control access to my APIs.
The API endpoints work correctly based on the authenticated user's role. The problem is in the API Explorer: after adding the API key, the protected methods are not available. Without custom roles, everything works fine.
<?php
use \Luracast\Restler\iAuthenticate;
use \Luracast\Restler\Resources;
use \Luracast\Restler\Defaults;
use \Luracast\Restler\User;
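class AccessControl implements iAuthenticate
{
    /**
     * Role requirement of the API class currently being served.
     *
     * Restler fills this from the class-level annotation before calling
     * __isAllowed(). Either one role name or a list of acceptable role names;
     * an empty value means the class carries no role restriction.
     *
     * @var string|string[]
     */
    public static $requires = '';

    /**
     * Role name of the user identified by the current request. Set by
     * __isAllowed() from the admin/role join; stays '' until a token has
     * been verified (or when the admin row has no matching role).
     *
     * @var string
     */
    public static $role = '';

    /**
     * Authenticate the request from the `api_key` query parameter and decide
     * whether the resolved role satisfies static::$requires.
     *
     * Side effects: sets the cache identifier on Defaults::$userIdentifierClass,
     * records the user id via User::setUniqueIdentifier() and registers
     * verifyAccess() as the Resources (API Explorer) access-control callback.
     *
     * An empty requirement is treated as "any authenticated user". Previously
     * the role was compared against the '' default, which rejected every user
     * that has a role whenever the class under test had no requirement — the
     * Resources class itself has none, which is the likely reason the Explorer
     * hid the protected methods after a valid key was supplied.
     *
     * @return bool true when the token is valid and the role is acceptable
     */
    public function __isAllowed()
    {
        $userClass = Defaults::$userIdentifierClass;
        $apiKey = isset($_GET['api_key']) ? (string) $_GET['api_key'] : '';

        // No key at all: nothing to look up and nothing to identify the caller by,
        // so do not touch the database (and avoid an undefined-index notice).
        if ($apiKey === '') {
            $userClass::setCacheIdentifier($apiKey);
            return false;
        }

        // accesstoken.token holds the same derivation, so this line must stay in
        // sync with wherever tokens are issued; it is a lookup key for the row below.
        $accessToken = md5($apiKey . ADMIN_PASSWORD_SALT);
        $keyCheck = R::find(
            "accesstoken",
            "token = :accesstoken AND expire_at >= NOW();",
            [':accesstoken' => $accessToken]
        );

        // Unknown or expired token: reject, keeping the raw key as the cache identifier.
        if (!$keyCheck) {
            $userClass::setCacheIdentifier($apiKey);
            return false;
        }

        $tokenRows = R::exportAll($keyCheck);
        $userId = $tokenRows[0]['admin_id'];
        $userDetails = R::getRow('SELECT admin.id, role.id, admin.role_id, role.name as role_name FROM admin LEFT JOIN role ON admin.role_id = role.id where admin.id = :id ', [':id' => $userId]);

        // LEFT JOIN: the admin row may exist without a role (role_name NULL), and
        // getRow yields no row for an unknown admin id; both resolve to ''.
        static::$role = isset($userDetails['role_name']) ? (string) $userDetails['role_name'] : '';

        $userClass::setCacheIdentifier(static::$role);
        User::setUniqueIdentifier($userId);
        Resources::$accessControlFunction = 'AccessControl::verifyAccess';

        return static::roleSatisfies(static::$requires);
    }

    /**
     * Challenge string reported to unauthenticated clients: the key is expected
     * in the `api_key` query parameter.
     *
     * @return string
     */
    public function __getWWWAuthenticateString()
    {
        return 'Query name="api_key"';
    }

    /**
     * Access-control callback used by Resources (the API Explorer) to decide
     * whether a method is listed for the current user.
     *
     * @access private
     * @param array $m method metadata; the role requirement is read from
     *                 $m['class']['AccessControl']['properties']['requires']
     * @return bool true when static::$role satisfies the method's requirement
     *              (or the method carries none)
     */
    public static function verifyAccess(array $m)
    {
        $requires = isset($m['class']['AccessControl']['properties']['requires'])
            ? $m['class']['AccessControl']['properties']['requires']
            : '';

        return static::roleSatisfies($requires);
    }

    /**
     * Single place for the role test so __isAllowed() and verifyAccess() cannot
     * drift apart. Comparisons are strict: role names are strings and must match
     * exactly, so a role of '0' or a numeric-looking name is never coerced.
     *
     * @param string|string[]|false|null $requires one role, a list of roles, or an
     *                                             empty value meaning "no restriction"
     * @return bool
     */
    private static function roleSatisfies($requires)
    {
        // '', false, null and [] all mean the resource has no role requirement.
        if ($requires === '' || $requires === false || $requires === null || $requires === []) {
            return true;
        }
        if (is_array($requires)) {
            return in_array(static::$role, $requires, true);
        }

        return static::$role === (string) $requires;
    }
}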
Can anyone help me? Thanks
This seems like a dup of #524
@igorsantos07 Not sure if it is the same issue. Basically I would like to show/hide methods according to the user's role.
Hi all, does no one have any hints or suggestions on this?
Cheers
I have posted some examples of how I did this, using comments at the function/endpoint level to require one or more permissions and then hiding the methods the user doesn't have permission for. Let me know if that works.