Issues in AccessRule.php (master) - Issues in master - yiisoft/yii2 - Measure and Improve Code Quality continuously with Scrutinizer

Issues (910)

framework/filters/AccessRule.php (1 issue)

Severity

Unknown 1

Bizley 1

<?php
/**
 * @link https://www.yiiframework.com/
 * @copyright Copyright (c) 2008 Yii Software LLC
 * @license https://www.yiiframework.com/license/
 */

namespace yii\filters;

use Closure;
use yii\base\Action;
use yii\base\Component;
use yii\base\Controller;
use yii\base\InvalidConfigException;
use yii\helpers\IpHelper;
use yii\helpers\StringHelper;
use yii\web\Request;
use yii\web\User;

/**
 * This class represents an access rule defined by the [[AccessControl]] action filter.
 *
 * @author Qiang Xue <[email protected]>
 * @since 2.0
 */
class AccessRule extends Component
{
    /**
     * @var bool whether this is an 'allow' rule or 'deny' rule.
     */
    public $allow = false;
    /**
     * @var array|null list of action IDs that this rule applies to. The comparison is case-sensitive.
     * If not set or empty, it means this rule applies to all actions.
     */
    public $actions;
    /**
     * @var array|null list of the controller IDs that this rule applies to.
     *
     * The comparison uses [[\yii\base\Controller::uniqueId]], so each controller ID is prefixed
     * with the module ID (if any). For a `product` controller in the application, you would specify
     * this property like `['product']` and if that controller is located in a `shop` module, this
     * would be `['shop/product']`.
     *
     * The comparison is case-sensitive.
     *
     * If not set or empty, it means this rule applies to all controllers.
     *
     * Since version 2.0.12 controller IDs can be specified as wildcards, e.g. `module/*`.
     */
    public $controllers;
    /**
     * @var array|null list of roles that this rule applies to (requires properly configured User component).
     * Two special roles are recognized, and they are checked via [[User::isGuest]]:
     *
     * - `?`: matches a guest user (not authenticated yet)
     * - `@`: matches an authenticated user
     *
     * If you are using RBAC (Role-Based Access Control), you may also specify role names.
     * In this case, [[User::can()]] will be called to check access.
     *
     * Note that it is preferred to check for permissions instead.
     *
     * If this property is not set or empty, it means this rule applies regardless of roles.
     * @see permissions
     * @see roleParams
     */
    public $roles;
    /**
     * @var array|null list of RBAC (Role-Based Access Control) permissions that this rules applies to.
     * [[User::can()]] will be called to check access.
     *
     * If this property is not set or empty, it means this rule applies regardless of permissions.
     * @since 2.0.12
     * @see roles
     * @see roleParams
     */
    public $permissions;
    /**
     * @var array|Closure parameters to pass to the [[User::can()]] function for evaluating
     * user permissions in [[$roles]].
     *
     * If this is an array, it will be passed directly to [[User::can()]]. For example for passing an
     * ID from the current request, you may use the following:
     *
     * ```php
     * ['postId' => Yii::$app->request->get('id')]
     * ```
     *
     * You may also specify a closure that returns an array. This can be used to
     * evaluate the array values only if they are needed, for example when a model needs to be
     * loaded like in the following code:
     *
     * ```php
     * 'rules' => [
     *     [
     *         'allow' => true,
     *         'actions' => ['update'],
     *         'roles' => ['updatePost'],
     *         'roleParams' => function($rule) {
     *             return ['post' => Post::findOne(Yii::$app->request->get('id'))];
     *         },
     *     ],
     * ],
     * ```
     *
     * A reference to the [[AccessRule]] instance will be passed to the closure as the first parameter.
     *
     * @see roles
     * @since 2.0.12
     */
    public $roleParams = [];
    /**
     * @var array|null list of user IP addresses that this rule applies to. An IP address
     * can contain the wildcard `*` at the end so that it matches IP addresses with the same prefix.
     * For example, '192.168.*' matches all IP addresses in the segment '192.168.'.
     * It may also contain a pattern/mask like '172.16.0.0/12' which would match all IPs from the
     * 20-bit private network block in RFC1918.
     * If not set or empty, it means this rule applies to all IP addresses.
     * @see Request::userIP
     * @see IpHelper::inRange
     */
    public $ips;
    /**
     * @var array|null list of request methods (e.g. `GET`, `POST`) that this rule applies to.
     * If not set or empty, it means this rule applies to all request methods.
     * @see \yii\web\Request::method
     */
    public $verbs;
    /**
     * @var callable a callback that will be called to determine if the rule should be applied.
     * The signature of the callback should be as follows:
     *
     * ```php
     * function ($rule, $action)
     * ```
     *
     * where `$rule` is this rule, and `$action` is the current [[Action|action]] object.
     * The callback should return a boolean value indicating whether this rule should be applied.
     */
    public $matchCallback;
    /**
     * @var callable|null a callback that will be called if this rule determines the access to
     * the current action should be denied. This is the case when this rule matches
     * and [[$allow]] is set to `false`.
     *
     * If not set, the behavior will be determined by [[AccessControl]],
     * either using [[AccessControl::denyAccess()]]
     * or [[AccessControl::$denyCallback]], if configured.
     *
     * The signature of the callback should be as follows:
     *
     * ```php
     * function ($rule, $action)
     * ```
     *
     * where `$rule` is this rule, and `$action` is the current [[Action|action]] object.
     * @see AccessControl::$denyCallback
     */
    public $denyCallback;


    /**
     * Checks whether the Web user is allowed to perform the specified action.
     * @param Action $action the action to be performed
     * @param User|false $user the user object or `false` in case of detached User component
     * @param Request $request
     * @return bool|null `true` if the user is allowed, `false` if the user is denied, `null` if the rule does not apply to the user
     */
    public function allows($action, $user, $request)
    {
        if (
            $this->matchAction($action)
            && $this->matchRole($user)
            && $this->matchIP($request->getUserIP())
            && $this->matchVerb($request->getMethod())
            && $this->matchController($action->controller)
            && $this->matchCustom($action)
        ) {
            return $this->allow ? true : false;
        }

        return null;
    }

    /**
     * @param Action $action the action
     * @return bool whether the rule applies to the action
     */
    protected function matchAction($action)
    {
        return empty($this->actions) || in_array($action->id, $this->actions, true);
    }

    /**
     * @param Controller $controller the controller
     * @return bool whether the rule applies to the controller
     */
    protected function matchController($controller)
    {
        if (empty($this->controllers)) {
            return true;
        }

        $id = $controller->getUniqueId();
        foreach ($this->controllers as $pattern) {
            if (StringHelper::matchWildcard($pattern, $id)) {
                return true;
            }
        }

        return false;
    }

    /**
     * @param User $user the user object
     * @return bool whether the rule applies to the role
     * @throws InvalidConfigException if User component is detached
     */
    protected function matchRole($user)
    {
        $items = empty($this->roles) ? [] : $this->roles;

        if (!empty($this->permissions)) {
            $items = array_merge($items, $this->permissions);
        }

        if (empty($items)) {
            return true;
        }

        if ($user === false) {

            throw new InvalidConfigException('The user application component must be available to specify roles in AccessRule.');
        }

        foreach ($items as $item) {
            if ($item === '?') {
                if ($user->getIsGuest()) {
                    return true;
                }
            } elseif ($item === '@') {
                if (!$user->getIsGuest()) {
                    return true;
                }
            } else {
                if (!isset($roleParams)) {
                    $roleParams = !is_array($this->roleParams) && is_callable($this->roleParams) ? call_user_func($this->roleParams, $this) : $this->roleParams;
                }
                if ($user->can($item, $roleParams)) {
                    return true;
                }
            }
        }

        return false;
    }

    /**
     * @param string|null $ip the IP address
     * @return bool whether the rule applies to the IP address
     */
    protected function matchIP($ip)
    {
        if (empty($this->ips)) {
            return true;
        }
        foreach ($this->ips as $rule) {
            if (
                $rule === '*'
                || $rule === $ip
                || (
                    $ip !== null
                    && ($pos = strpos($rule, '*')) !== false
                    && strncmp($ip, $rule, $pos) === 0
                )
                || (
                    strpos($rule, '/') !== false
                    && IpHelper::inRange($ip, $rule) === true
                )
            ) {
                return true;
            }
        }

        return false;
    }

    /**
     * @param string $verb the request method.
     * @return bool whether the rule applies to the request
     */
    protected function matchVerb($verb)
    {
        return empty($this->verbs) || in_array(strtoupper($verb), array_map('strtoupper', $this->verbs), true);
    }

    /**
     * @param Action $action the action to be performed
     * @return bool whether the rule should be applied
     */
    protected function matchCustom($action)
    {
        return empty($this->matchCallback) || call_user_func($this->matchCallback, $this, $action);
    }
}


1		<?php
2		/**
3		* @link https://www.yiiframework.com/
4		* @copyright Copyright (c) 2008 Yii Software LLC
5		* @license https://www.yiiframework.com/license/
6		*/
7
8		namespace yii\filters;
9
10		use Closure;
11		use yii\base\Action;
12		use yii\base\Component;
13		use yii\base\Controller;
14		use yii\base\InvalidConfigException;
15		use yii\helpers\IpHelper;
16		use yii\helpers\StringHelper;
17		use yii\web\Request;
18		use yii\web\User;
19
20		/**
21		* This class represents an access rule defined by the [[AccessControl]] action filter.
22		*
23		* @author Qiang Xue <[email protected]>
24		* @since 2.0
25		*/
26		class AccessRule extends Component
27		{
28		/**
29		* @var bool whether this is an 'allow' rule or 'deny' rule.
30		*/
31		public $allow = false;
32		/**
33		* @var array\|null list of action IDs that this rule applies to. The comparison is case-sensitive.
34		* If not set or empty, it means this rule applies to all actions.
35		*/
36		public $actions;
37		/**
38		* @var array\|null list of the controller IDs that this rule applies to.
39		*
40		* The comparison uses [[\yii\base\Controller::uniqueId]], so each controller ID is prefixed
41		* with the module ID (if any). For a `product` controller in the application, you would specify
42		* this property like `['product']` and if that controller is located in a `shop` module, this
43		* would be `['shop/product']`.
44		*
45		* The comparison is case-sensitive.
46		*
47		* If not set or empty, it means this rule applies to all controllers.
48		*
49		* Since version 2.0.12 controller IDs can be specified as wildcards, e.g. `module/*`.
50		*/
51		public $controllers;
52		/**
53		* @var array\|null list of roles that this rule applies to (requires properly configured User component).
54		* Two special roles are recognized, and they are checked via [[User::isGuest]]:
55		*
56		* - `?`: matches a guest user (not authenticated yet)
57		* - `@`: matches an authenticated user
58		*
59		* If you are using RBAC (Role-Based Access Control), you may also specify role names.
60		* In this case, [[User::can()]] will be called to check access.
61		*
62		* Note that it is preferred to check for permissions instead.
63		*
64		* If this property is not set or empty, it means this rule applies regardless of roles.
65		* @see permissions
66		* @see roleParams
67		*/
68		public $roles;
69		/**
70		* @var array\|null list of RBAC (Role-Based Access Control) permissions that this rules applies to.
71		* [[User::can()]] will be called to check access.
72		*
73		* If this property is not set or empty, it means this rule applies regardless of permissions.
74		* @since 2.0.12
75		* @see roles
76		* @see roleParams
77		*/
78		public $permissions;
79		/**
80		* @var array\|Closure parameters to pass to the [[User::can()]] function for evaluating
81		* user permissions in [[$roles]].
82		*
83		* If this is an array, it will be passed directly to [[User::can()]]. For example for passing an
84		* ID from the current request, you may use the following:
85		*
86		* ```php
87		* ['postId' => Yii::$app->request->get('id')]
88		* ```
89		*
90		* You may also specify a closure that returns an array. This can be used to
91		* evaluate the array values only if they are needed, for example when a model needs to be
92		* loaded like in the following code:
93		*
94		* ```php
95		* 'rules' => [
96		* [
97		* 'allow' => true,
98		* 'actions' => ['update'],
99		* 'roles' => ['updatePost'],
100		* 'roleParams' => function($rule) {
101		* return ['post' => Post::findOne(Yii::$app->request->get('id'))];
102		* },
103		* ],
104		* ],
105		* ```
106		*
107		* A reference to the [[AccessRule]] instance will be passed to the closure as the first parameter.
108		*
109		* @see roles
110		* @since 2.0.12
111		*/
112		public $roleParams = [];
113		/**
114		* @var array\|null list of user IP addresses that this rule applies to. An IP address
115		* can contain the wildcard `*` at the end so that it matches IP addresses with the same prefix.
116		* For example, '192.168.*' matches all IP addresses in the segment '192.168.'.
117		* It may also contain a pattern/mask like '172.16.0.0/12' which would match all IPs from the
118		* 20-bit private network block in RFC1918.
119		* If not set or empty, it means this rule applies to all IP addresses.
120		* @see Request::userIP
121		* @see IpHelper::inRange
122		*/
123		public $ips;
124		/**
125		* @var array\|null list of request methods (e.g. `GET`, `POST`) that this rule applies to.
126		* If not set or empty, it means this rule applies to all request methods.
127		* @see \yii\web\Request::method
128		*/
129		public $verbs;
130		/**
131		* @var callable a callback that will be called to determine if the rule should be applied.
132		* The signature of the callback should be as follows:
133		*
134		* ```php
135		* function ($rule, $action)
136		* ```
137		*
138		* where `$rule` is this rule, and `$action` is the current [[Action\|action]] object.
139		* The callback should return a boolean value indicating whether this rule should be applied.
140		*/
141		public $matchCallback;
142		/**
143		* @var callable\|null a callback that will be called if this rule determines the access to
144		* the current action should be denied. This is the case when this rule matches
145		* and [[$allow]] is set to `false`.
146		*
147		* If not set, the behavior will be determined by [[AccessControl]],
148		* either using [[AccessControl::denyAccess()]]
149		* or [[AccessControl::$denyCallback]], if configured.
150		*
151		* The signature of the callback should be as follows:
152		*
153		* ```php
154		* function ($rule, $action)
155		* ```
156		*
157		* where `$rule` is this rule, and `$action` is the current [[Action\|action]] object.
158		* @see AccessControl::$denyCallback
159		*/
160		public $denyCallback;
161
162
163		/**
164		* Checks whether the Web user is allowed to perform the specified action.
165		* @param Action $action the action to be performed
166		* @param User\|false $user the user object or `false` in case of detached User component
167		* @param Request $request
168		* @return bool\|null `true` if the user is allowed, `false` if the user is denied, `null` if the rule does not apply to the user
169		*/
170	31	public function allows($action, $user, $request)
171		{
172		if (
173	31	$this->matchAction($action)
174	31	&& $this->matchRole($user)
175	30	&& $this->matchIP($request->getUserIP())
176	30	&& $this->matchVerb($request->getMethod())
177	30	&& $this->matchController($action->controller)
178	30	&& $this->matchCustom($action)
179		) {
180	20	return $this->allow ? true : false;
181		}
182
183	19	return null;
184		}
185
186		/**
187		* @param Action $action the action
188		* @return bool whether the rule applies to the action
189		*/
190	31	protected function matchAction($action)
191		{
192	31	return empty($this->actions) \|\| in_array($action->id, $this->actions, true);
193		}
194
195		/**
196		* @param Controller $controller the controller
197		* @return bool whether the rule applies to the controller
198		*/
199	20	protected function matchController($controller)
200		{
201	20	if (empty($this->controllers)) {
202	18	return true;
203		}
204
205	2	$id = $controller->getUniqueId();
206	2	foreach ($this->controllers as $pattern) {
207	2	if (StringHelper::matchWildcard($pattern, $id)) {
208	2	return true;
209		}
210		}
211
212	2	return false;
213		}
214
215		/**
216		* @param User $user the user object
217		* @return bool whether the rule applies to the role
218		* @throws InvalidConfigException if User component is detached
219		*/
220	31	protected function matchRole($user)
221		{
222	31	$items = empty($this->roles) ? [] : $this->roles;
223
224	31	if (!empty($this->permissions)) {
225	1	$items = array_merge($items, $this->permissions);
226		}
227
228	31	if (empty($items)) {
229	8	return true;
230		}
231
232	24	if ($user === false) {
		0 ignored issues – show introduced 2019-02-03 21:14 UTC by Report Bug Copy Issue Report Show Similar Issues like this The condition `$user === false` is always `false`. Loading history...
233	1	throw new InvalidConfigException('The user application component must be available to specify roles in AccessRule.');
234		}
235
236	23	foreach ($items as $item) {
237	23	if ($item === '?') {
238	1	if ($user->getIsGuest()) {
239	1	return true;
240		}
241	23	} elseif ($item === '@') {
242	1	if (!$user->getIsGuest()) {
243	1	return true;
244		}
245		} else {
246	22	if (!isset($roleParams)) {
247	22	$roleParams = !is_array($this->roleParams) && is_callable($this->roleParams) ? call_user_func($this->roleParams, $this) : $this->roleParams;
248		}
249	22	if ($user->can($item, $roleParams)) {
250	12	return true;
251		}
252		}
253		}
254
255	12	return false;
256		}
257
258		/**
259		* @param string\|null $ip the IP address
260		* @return bool whether the rule applies to the IP address
261		*/
262	20	protected function matchIP($ip)
263		{
264	20	if (empty($this->ips)) {
265	18	return true;
266		}
267	3	foreach ($this->ips as $rule) {
268		if (
269	3	$rule === '*'
270	3	\|\| $rule === $ip
271		\|\| (
272	3	$ip !== null
273	3	&& ($pos = strpos($rule, '*')) !== false
274	3	&& strncmp($ip, $rule, $pos) === 0
275		)
276		\|\| (
277	3	strpos($rule, '/') !== false
278	3	&& IpHelper::inRange($ip, $rule) === true
279		)
280		) {
281	3	return true;
282		}
283		}
284
285	3	return false;
286		}
287
288		/**
289		* @param string $verb the request method.
290		* @return bool whether the rule applies to the request
291		*/
292	20	protected function matchVerb($verb)
293		{
294	20	return empty($this->verbs) \|\| in_array(strtoupper($verb), array_map('strtoupper', $this->verbs), true);
295		}
296
297		/**
298		* @param Action $action the action to be performed
299		* @return bool whether the rule should be applied
300		*/
301	20	protected function matchCustom($action)
302		{
303	20	return empty($this->matchCallback) \|\| call_user_func($this->matchCallback, $this, $action);
304		}
305		}
306

yiisoft / yii2

Issues (910)

framework/filters/AccessRule.php (1 issue)

Severity

Introduced By

Duplication Side-by-Side

Filter issues like