Congegni/sintonia
7
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

Moved REST authorization boilerplate to Zend Acl_plugin

Browse source
This commit is contained in:
Duncan Sommerville 2015-01-21 17:20:04 -05:00
parent 2c2f7ebc5f
commit a40067ca55
2 changed files with 50 additions and 109 deletions
Download patch file Download diff file Expand all files Collapse all files

105
airtime_mvc/application/modules/rest/controllers/MediaController.php
View file

@ -30,11 +30,6 @@ class Rest_MediaController extends Zend_Rest_Controller
public function indexAction()
{
if (!$this->verifyAuth(true, true))
{
return;
}
$files_array = array();
foreach (CcFilesQuery::create()->find() as $file)
{
@ -54,11 +49,6 @@ class Rest_MediaController extends Zend_Rest_Controller
public function downloadAction()
{
if (!$this->verifyAuth(true, true))
{
return;
}
$id = $this->getId();
if (!$id) {
return;
@ -80,11 +70,6 @@ class Rest_MediaController extends Zend_Rest_Controller
public function getAction()
{
if (!$this->verifyAuth(true, true))
{
return;
}
$id = $this->getId();
if (!$id) {
return;
@ -103,11 +88,6 @@ class Rest_MediaController extends Zend_Rest_Controller
public function postAction()
{
if (!$this->verifyAuth(true, true))
{
return;
}
//If we do get an ID on a POST, then that doesn't make any sense
//since POST is only for creating.
if ($id = $this->_getParam('id', false)) {
@ -168,11 +148,6 @@ class Rest_MediaController extends Zend_Rest_Controller
public function putAction()
{
if (!$this->verifyAuth(true, true))
{
return;
}
$id = $this->getId();
if (!$id) {
return;
@ -236,11 +211,6 @@ class Rest_MediaController extends Zend_Rest_Controller
public function deleteAction()
{
if (!$this->verifyAuth(true, true))
{
return;
}
$id = $this->getId();
if (!$id) {
return;
@ -271,81 +241,6 @@ class Rest_MediaController extends Zend_Rest_Controller
return $id;
}
private function verifyAuth($checkApiKey, $checkSession)
{
// Session takes precedence over API key for now:
if ($checkSession && $this->verifySession()) {
// CSRF token validation only applies to session based authorization.
if(!$this->verifyCSRFToken($this->_getParam('csrf_token'))){
$resp = $this->getResponse();
$resp->setHttpResponseCode(401);
$resp->appendBody("ERROR: Token Missmatch.");
return false;
}
return true;
}
if ($checkApiKey && $this->verifyAPIKey())
{
return true;
}
$resp = $this->getResponse();
$resp->setHttpResponseCode(401);
$resp->appendBody("ERROR: Incorrect API key.");
return false;
}
private function verifyCSRFToken($token){
$current_namespace = new Zend_Session_Namespace('csrf_namespace');
$observed_csrf_token = $token;
$expected_csrf_token = $current_namespace->authtoken;
if($observed_csrf_token == $expected_csrf_token){
return true;
}else{
return false;
}
}
private function verifyAPIKey()
{
//The API key is passed in via HTTP "basic authentication":
// http://en.wikipedia.org/wiki/Basic_access_authentication
$CC_CONFIG = Config::getConfig();
//Decode the API key that was passed to us in the HTTP request.
$authHeader = $this->getRequest()->getHeader("Authorization");
$encodedRequestApiKey = substr($authHeader, strlen("Basic "));
$encodedStoredApiKey = base64_encode($CC_CONFIG["apiKey"][0] . ":");
if ($encodedRequestApiKey === $encodedStoredApiKey)
{
return true;
} else {
return false;
}
return false;
}
private function verifySession()
{
$auth = Zend_Auth::getInstance();
if ($auth->hasIdentity())
{
return true;
}
return false;
//Token checking stub code. We'd need to change LoginController.php to generate a token too, but
//but luckily all the token code already exists and works.
//$auth = new Application_Model_Auth();
//$auth->checkToken(Application_Model_Preference::getUserId(), $token);
}
private function fileNotFoundResponse()
{
$resp = $this->getResponse();