第二个ZfcRbac断言不起作用ZF2

时间:2016-08-01 16:59:45

标签: zend-framework2 zfcuser zfc-rbac

我在zfc_rbac.global.php内添加了以下代码:

return [
'zfc_rbac' => [
   'assertion_map' => [
        'isAuthorizedToAddUser' => 'Application\Assertions\WhoCanAddUser',
        'isBranchOrOrgIdPresentIfNotAdmin' => 'Application\Assertions\BranchOrOrgIdPresentIfNotAdmin'
    ]
]]

并在下面的控制器中使用它:

if (! $this->authorizationService->isGranted('isBranchOrOrgIdPresentIfNotAdmin')) {
    throw new UnauthorizedException('You are not authorized to add this aaa!');
}

但即使我从assert方法return true抛出异常也是如此。但是如果我用isBranchOrOrgIdPresentIfNotAdmin替换isAuthorizedToAddUser,它的工作正常。这可能有什么不对。第二个断言类BranchOrOrgIdPresentIfNotAdmin只是WhoCanAddUser类的复制品。下面是我的WhoCanAddUser断言类。

namespace Application\Assertions;

use ZfcRbac\Assertion\AssertionInterface;
use ZfcRbac\Service\AuthorizationService;
use ZfcRbac\Exception\UnauthorizedException;
use Zend\Session\Container;

class WhoCanAddUser implements AssertionInterface
{
    protected $notAuthorizedMessage = 'You are not authorized to add this user!';

    public function __construct()
    {
        $this->org_session = new Container('org');
    }

    /**
     * Check if this assertion is true
     *
     * @param AuthorizationService $authorization            
     * @param mixed $role            
     *
     * @return bool
     */
    public function assert(AuthorizationService $authorization, $role = null)
    {
        return true; //added this for testing if true is working and it worked, but second assertion is not working!
        switch($authorization->getIdentity()->getRole()->getName()){
            case 'admin':
                return true;
            break;
            case 'owner':
               if($role != 'member'){
                   throw new UnauthorizedException($this->notAuthorizedMessage);
               }
               return true;
            break;
            default:
                throw new UnauthorizedException($this->notAuthorizedMessage);
            break;
        }

        if($authorization->getIdentity()->getRole()->getName() != 'admin' && !$this->org_session->offsetExists('branchId')){
            throw new \Zend\Session\Exception\RuntimeException('You need to be connected to an Organisation's branch before you can add members. Contact your Organisation Owner.');
        }
    }
}

我错过了第二个断言根本不起作用的东西。

1 个答案:

答案 0 :(得分:0)

刚发现,isBranchOrOrgIdPresentIfNotAdmin条目必须在权限表内,并且必须将该权限分配给hierarchicalrole_permission表中较低级别的角色(该权限也将授予角色的上层级别)以自动分层方式)它将适用于所有这些。