class PermissionAwareConfirmationMiddleware extends ConfirmationMiddleware (View source)

Extends the ConfirmationMiddleware with checks for user permissions

Respects users who don't have enough access and does not ask them for confirmation

By default it enforces authentication by redirecting users to a login page.

How it works:

  • if user can bypass the middleware, then pass request further
  • if there are no confirmation items, then pass request further
  • if user is not authenticated and enforceAuthentication is false, then pass request further
  • if user does not have at least one of the affected permissions, then pass request further
  • otherwise, pass handling to the parent (ConfirmationMiddleware)

Properties

protected string $confirmationId

The confirmation storage identifier

from  ConfirmationMiddleware
protected string $confirmationFormUrl

Confirmation form URL WARNING: excluding SS_BASE_URL

from  ConfirmationMiddleware
protected Rule[] $rules

The list of rules to check requests against

from  ConfirmationMiddleware
protected Bypass[] $bypasses

The list of bypasses

from  ConfirmationMiddleware

Methods

public
__construct(Rule[] ...$rules)

Init the middleware with the rules

protected
string
getConfirmationUrl(HTTPRequest $request, string $confirmationStorageId)

The URL of the confirmation form ("Security/confirm/middleware" by default)

protected
string
generateDeclineUrlForRequest(HTTPRequest $request)

Returns the URL where the user to be redirected when declining the action (on the confirmation form)

public
$this
setDeclineUrl(string $url)

Override the default decline url

public
bool
canBypass(HTTPRequest $request)

Check whether the rules can be bypassed without user confirmation

public
Item[]
getConfirmationItems(HTTPRequest $request)

Extract the confirmation items from the request and return

protected
buildConfirmationRedirect(HTTPRequest $request, Storage $storage, array $confirmationItems)

Initialize the confirmation session storage with the confirmation items and return an HTTPResponse redirecting to the according confirmation form.

protected
processItems(HTTPRequest $request, callable $delegate, Item[] $items)

Process the confirmation items and either perform the confirmedEffect and pass the request to the next middleware, or return a redirect to the confirmation form

protected
confirmedEffect(HTTPRequest $request)

The middleware own effects that should be performed on confirmation

public
process(HTTPRequest $request, callable $delegate)

Generate response for the given request

public
$this
setConfirmationStorageId(string $id)

Override the confirmation storage ID

public
$this
setConfirmationFormUrl(string $url)

Override the confirmation form url

public
$this
setBypasses(Bypass[] $bypasses)

Set the list of bypasses for the confirmation

public
string[]
getAffectedPermissions()

Returns the list of permissions that are affected

public
$this
setAffectedPermissions(string[] $permissions)

Set the list of affected permissions

public
bool
getEnforceAuthentication()

Returns flag whether we want to enforce authentication or not

public
$this
setEnforceAuthentication(bool $enforce)

Set whether we want to enforce authentication

public
bool
hasAccess(HTTPRequest $request)

Check whether the user has permissions to perform the target operation Otherwise we may want to skip the confirmation dialog.

protected
getAuthenticationRedirect(HTTPRequest $request)

Returns HTTPResponse with a redirect to a login page

Details

__construct(Rule[] ...$rules)

Init the middleware with the rules

Parameters

Rule[] ...$rules

Rules to check requests against

protected string getConfirmationUrl(HTTPRequest $request, string $confirmationStorageId)

The URL of the confirmation form ("Security/confirm/middleware" by default)

Parameters

HTTPRequest $request

Active request

string $confirmationStorageId

ID of the confirmation storage to be used

Return Value

string

URL of the confirmation form

protected string generateDeclineUrlForRequest(HTTPRequest $request)

Returns the URL where the user to be redirected when declining the action (on the confirmation form)

Parameters

HTTPRequest $request

Active request

Return Value

string URL

$this setDeclineUrl(string $url)

Override the default decline url

Parameters

string $url

Return Value

$this

bool canBypass(HTTPRequest $request)

Check whether the rules can be bypassed without user confirmation

Parameters

HTTPRequest $request

Return Value

bool

Item[] getConfirmationItems(HTTPRequest $request)

Extract the confirmation items from the request and return

Parameters

HTTPRequest $request

Return Value

Item[]

list of confirmation items

protected HTTPResponse buildConfirmationRedirect(HTTPRequest $request, Storage $storage, array $confirmationItems)

Initialize the confirmation session storage with the confirmation items and return an HTTPResponse redirecting to the according confirmation form.

Parameters

HTTPRequest $request
Storage $storage
array $confirmationItems

Return Value

HTTPResponse

protected HTTPResponse processItems(HTTPRequest $request, callable $delegate, Item[] $items)

Process the confirmation items and either perform the confirmedEffect and pass the request to the next middleware, or return a redirect to the confirmation form

Parameters

HTTPRequest $request
callable $delegate
Item[] $items

Return Value

HTTPResponse

protected null|HTTPResponse confirmedEffect(HTTPRequest $request)

The middleware own effects that should be performed on confirmation

This method is getting called before the confirmation storage cleanup so that any responses returned here don't trigger a new confirmtation for the same request traits

Parameters

HTTPRequest $request

Return Value

null|HTTPResponse

HTTPResponse process(HTTPRequest $request, callable $delegate)

Generate response for the given request

Parameters

HTTPRequest $request
callable $delegate

Return Value

HTTPResponse

$this setConfirmationStorageId(string $id)

Override the confirmation storage ID

Parameters

string $id

Return Value

$this

$this setConfirmationFormUrl(string $url)

Override the confirmation form url

Parameters

string $url

Return Value

$this

$this setBypasses(Bypass[] $bypasses)

Set the list of bypasses for the confirmation

Parameters

Bypass[] $bypasses

Return Value

$this

string[] getAffectedPermissions()

Returns the list of permissions that are affected

Return Value

string[]

$this setAffectedPermissions(string[] $permissions)

Set the list of affected permissions

If the user doesn't have at least one of these, we assume they don't have access to the protected action, so we don't ask for a confirmation

Parameters

string[] $permissions

list of affected permissions

Return Value

$this

bool getEnforceAuthentication()

Returns flag whether we want to enforce authentication or not

Return Value

bool

$this setEnforceAuthentication(bool $enforce)

Set whether we want to enforce authentication

We either enforce authentication (redirect to a login form) or silently assume the user does not have permissions and so we don't have to ask for a confirmation

Parameters

bool $enforce

Return Value

$this

bool hasAccess(HTTPRequest $request)

Check whether the user has permissions to perform the target operation Otherwise we may want to skip the confirmation dialog.

WARNING! The user has to be authenticated beforehand

Parameters

HTTPRequest $request

Return Value

bool

protected HTTPResponse getAuthenticationRedirect(HTTPRequest $request)

Returns HTTPResponse with a redirect to a login page

Parameters

HTTPRequest $request

Return Value

HTTPResponse

redirect to a login page