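Adding ActionBuilders to a project to check permissions after identification

Date: 2015-03-11 15:48:50

Tags: playframework oauth-2.0 actionbuilder

First of all, I am new to Play Framework, so maybe this is very basic, but I couldn't find enough documentation to clarify it.

Currently, I have a project that identifies and authorizes users using OAuth2. This is done with an ActionBuilder and works well.

What I want now is an additional "layer", meaning that, after authorization, it checks whether the user has enough privileges (the privileges table is stored in the database).

I have read about Action Composition, but since I am using ActionBuilders, I think I should be able to do it with them. I have seen the composeAction function, but I am not quite sure how to implement it.

My code currently looks like this: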

case class AuthenticatedRequest[A](user: User, request: Request[A]) extends WrappedRequest(request)

  def authenticate[A](block: AuthenticatedRequest[A] => Future[Result])(implicit request: Request[A]) = {
    authorize(new OauthDataHandler()) { authInfo =>
      block(AuthenticatedRequest(authInfo.user, request))
    }
  }

  object Authenticated extends api.mvc.ActionBuilder[AuthenticatedRequest]  {

    def invokeBlock[A](request: Request[A], block: AuthenticatedRequest[A] => Future[Result]) = {
      authenticate(block)(request)
    }
  }
}

My attempt so far is:

case class PermissionAuthenticatedRequest[A](user: User, zone: String, request: Request[A]) extends WrappedRequest(request)

  object PermissionAuthenticated extends api.mvc.ActionBuilder[PermissionAuthenticatedRequest] {
    def invokeBlock[A](request: Request[A], block: PermissionAuthenticatedRequest[A] => Future[Result]) = {

      checkPermissions(???/*user*/, ???/*zone*/,block)(request)
    }

    def checkPermissions[A](user: User, permission: String, block: PermissionAuthenticatedRequest[A] => Future[Result])(implicit request: Request[A]) = {
        if(user._id == 1) //silly check
          block(PermissionAuthenticatedRequest(user, permission, request)) 
        else 
          Future.successful(Forbidden)
    }
  }

But I still don't know how to retrieve the user (from the other AuthenticatedAction) or the privilege (from the request).

Thanks in advance.

1 answer:

Answer 0 (score: 1)

scala-oauth2-provider 0.13.1 has AuthorizedAction, so you can authenticate as follows:

import play.api.mvc.Controller
import scalaoauth2.provider.OAuth2ProviderActionBuilders._

object YourController extends Controller {
  def index = AuthorizedAction(new OauthDataHandler()) { req =>
    req.authInfo // you can take AuthInfo
    ...
  }
}

You just need to create a permission-checking ActionFilter:

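import play.api.mvc.{ActionFilter, Result}
import play.api.mvc.Results.Forbidden
import scala.concurrent.Future
import scalaoauth2.provider._

object PermissionActionFilter extends ActionFilter[({type L[A] = AuthInfoRequest[User, A]})#L] {

  protected def filter[A](request: AuthInfoRequest[User, A]): Future[Option[Result]] = Future.successful {
    val user = request.authInfo.user // the authenticated user comes from AuthInfo
    if (user._id == 1) { // silly check
      None // None lets the wrapped action run
    } else {
      Some(Forbidden)
    }
  }
}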

You can use PermissionActionFilter as follows:

object YourController extends Controller {

  val MyAction = AuthorizedAction(new OauthDataHandler()) andThen PermissionActionFilter

  def index = MyAction { req =>
    req.authInfo // you can take AuthInfo
    ...
  }
}
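
As an added example (not part of the answer above and not the library's own code), the filter can take the zone as a parameter and look the permission up asynchronously, denying by default. `PermissionRepository`, `RequirePermission` and `ReportsController` are hypothetical names; `User`, `OauthDataHandler` and the `AuthInfoRequest[User, A]` shape are taken from the posts above, and the Play 2.3-era `ActionFilter` signature is assumed.

```scala
import play.api.libs.concurrent.Execution.Implicits.defaultContext
import play.api.mvc.{ActionFilter, Controller, Result}
import play.api.mvc.Results.Forbidden
import scala.concurrent.Future
import scalaoauth2.provider._
import scalaoauth2.provider.OAuth2ProviderActionBuilders._

// Hypothetical data-access interface over the permissions table in the database.
trait PermissionRepository {
  def isAllowed(user: User, zone: String): Future[Boolean]
}

// One filter instance per zone. It runs only after AuthorizedAction has
// validated the token, so request.authInfo.user is the authenticated user.
class RequirePermission(zone: String, permissions: PermissionRepository)
    extends ActionFilter[({type L[A] = AuthInfoRequest[User, A]})#L] {

  protected def filter[A](request: AuthInfoRequest[User, A]): Future[Option[Result]] =
    permissions.isAllowed(request.authInfo.user, zone)
      .map(allowed => if (allowed) None else Some(Forbidden)) // None lets the action run
      .recover { case _ => Some(Forbidden) }                  // lookup failed: fail closed
}

trait ReportsController extends Controller {
  def permissions: PermissionRepository // supplied by the application (assumption)

  // Fixed zone for this route.
  def index = (AuthorizedAction(new OauthDataHandler()) andThen
      new RequirePermission("reports", permissions)) { req =>
    Ok("reports for user " + req.authInfo.user._id)
  }

  // Zone taken from a route parameter, e.g. GET /zones/:zone (constructed route).
  def show(zone: String) = (AuthorizedAction(new OauthDataHandler()) andThen
      new RequirePermission(zone, permissions)) { req =>
    Ok("zone " + zone)
  }
}
```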