Documentation
Auth attribute
Table of Contents ▼
Presentation
This attribute is used to manage how a controller or action can be accessed, depending on user authentication, the roles assigned to them and the services for which they have access rights.
$currentUser template variable
This attribute is based on the existence of a $currentUser template variable, which contains information about the user from the moment he/she logs in. This variable is usually set by a pre-plugin.
The $currentUser variable must be an associative array containing the following keys:
- id: (int) User identifier. Must be set when the user is authenticated.
- roles: (array) Associative array whose keys are the user's roles (associated with the value true).
- services: (array) Associative array whose keys are the services to which the user has access (associated with the value true).
Parameters
The attribute offers several parameters:
- $role: (string) Role the user must have, or list of roles (the user must have at least one).
- $service: (string) Service to which the user must have access, or list of services (the user must have access to at least one of them).
-
$authenticated: (null|bool)
The effect of this parameter depends on its value:
- true: (default value) The user must be authenticated to access the controller or action.
- false: The user must not be authenticated.
- null: The user may or may not be authenticated.
- $redirect: (string) URL to redirect to if the user is not authorized to access the controller or action.
- $redirectVar: (string) Name of the template variable containing the URL to redirect the user to.
- $storeUrl: (bool) Set to true so that the requested URL is stored in the authRequestedUrl session variable, when the user is redirected because he is not authorized. This variable can be used after authentication to take users back to the page they wished to access.
Redirection priority
If access is denied, the user can be redirected. To determine the redirection URL, the attribute applies the following order of priority:
- If the $redirect parameter is set, it is used.
- If the $redirectVar parameter is defined, and it contains the name of an existing, non-empty template variable, its content is used.
- If the temma.json file contains an x-security extended configuration, and this contains an authRedirect key, its content is used.
- If the temma.json file contains an x-security extended configuration, and this contains a redirect key, its content is used.
If no redirection URL is found, a 401 error is returned.
Configuration
To ensure that all Auth attributes redirect to the same URL, simply set the authRedirect key in the x-security extended configuration of the temma.json file:
{
"x-security": {
"authRedirect": "/login"
}
}
To ensure that the redirection URL is the same for the Auth, Method, Referer and Redirect attributes, simply define the redirect key in the x-security extended configuration in the temma.json file:
{
"x-security": {
"redirect": "/login"
}
}
Examples
use \Temma\Attributes\Auth as TµAuth;
/*
* The actions of this controller are accessible
* only to authenticated users.
*/
#[TµAuth]
class Account extends \Temma\Web\Controller {
// ...
}
use \Temma\Attributes\Auth as TµAuth;
/*
* Actions are accessible only to unauthenticated
* users, with a redirection to the logout page.
*/
#[TµAuth(authenticated: false, redirect: '/logout')]
class Login extends \Temma\Web\Controller {
// ...
}
use \Temma\Attributes\Auth as TµAuth;
class Login extends \Temma\Web\Controller {
// authorized for users with the "manager" role
#[TµAuth('manager')]
public function action1() { }
// same as previous
#[TµAuth(role: 'manager')]
public function action1bis() { }
// authorized for users with the "manager" or "writer" role
#[TµAuth(['manager', 'writer'])]
public function action2() { }
// same as previous
#[TµAuth(role: ['manager', 'writer'])]
public function action2bis() { }
// authorized for users with access to the "images" service
#[TµAuth(service: 'images')]
public function action3() { }
// authorized for users with access to the "images" or "text" service
#[TµAuth(service: ['images', 'text'])]
public function action4() { }
// authorized for users who have the "manager"
// and "writer" roles at the same time
#[TµAuth('manager')]
#[TµAuth('writer')]
public function action5() { }
// redirects non-administrator users
#[TµAuth('admin', redirect: '/login')]
public function action6() { }
}
Previous: | Language plugin helper |
Next: | Method attribute helper |
Table of Contents
- Migration : How to upgrade from Temma 1.x to version 2
- Installation : Download Temma and install it to start your web project
- Configuration : All the configuration directives of the etc/temma.json file and the optional environment variables
- External libraries : How to use external function libraries
- Routing : Temma's default routing system, and advanced routing
- Log : Use of the log system, management by criticality levels
- Controllers : Essential parts of your web application
- Views : Smarty templates or JSON/CSV/RSS/iCal/INI exports
- Dependency injection : The backbone of your application developments
- Sessions : Extension of user sessions managed by PHP
- Data sources : Unified data access management
- Model : How to use DAOs to access databases
- Execution flow : How to manage the execution flow, between plugins and the controller
- Plugins : How to use plugins, and create your own plugins to modularize your code
- Attributes : How to filter access to controllers and actions
- Tests : To write automated integration tests.
- Command-line interface : To create executable scripts on the command line, automatically initialized by Temma
-
Helpers :
Items offered by Temma to help you in various circumstances
- Command-line scripts
-
Controller + plugin
- Auth : Controller and plugin to manage user authentication
- Plugins
- Attributes
-
Smarty plugins
- urlize : Modifier to transform a text into an URL
- filenamize : Modifier to transform a text into a file name
- nbsp : Modifier to transform spaces into non-breakable spaces
-
Utility objects
- ANSI : To format texts written to standard output
- BaseConvert : To do digital base conversions
- DataFilter : To filter and validate data
- Email : To send emails
- HTMLCleaner : To clean up an HTML stream coming from a WYSIWYG editor
- IniExport : To export data in INI format
- Json : To read JSON streams that may contain comments
- Lock : To lock access to a file, or the execution of the current PHP script
- Registry : To properly store global variables
- Smarty : To process Smarty templates outside the view
- Term : Terminal management (TTY)
- Text : Different treatments on character strings
- Timer : To manage stopwatches