class PermissionAwareConfirmationMiddleware extends ConfirmationMiddleware

Extends the ConfirmationMiddleware with checks for user permissions.

Respects users who don't have enough access and does not ask them for confirmation.

By default it enforces authentication by redirecting users to a login page.

How it works:

  • if user can bypass the middleware, then pass request further
  • if there are no confirmation items, then pass request further
  • if user is not authenticated and enforceAuthentication is false, then pass request further
  • if user does not have at least one of the affected permissions, then pass request further
  • otherwise, pass handling to the parent (ConfirmationMiddleware)
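The decision order above, combined with the default login redirect, as a stand-alone PHP model. This is an added example, not the framework's code: `decide()`, the request array keys and the sample permission codes are assumptions. Four of the six sample outcomes pass the request on without any confirmation, so the target action must still enforce its own permission check.

```php
<?php
// Added illustration, not SilverStripe code: a stand-alone model of the
// decision order. decide() and the request array keys are hypothetical.

/**
 * @param array $req constructed state: bypass, items, authenticated, permissions
 * @return string 'delegate' (pass further), 'login-redirect' or 'confirm'
 */
function decide(array $req, array $affected, bool $enforceAuthentication = true): string
{
    if ($req['bypass']) {
        return 'delegate';        // canBypass(): a configured bypass matched
    }
    if ($req['items'] === 0) {
        return 'delegate';        // getConfirmationItems(): nothing to confirm
    }
    if (!$req['authenticated']) {
        // hasAccess() needs an authenticated user, so this is settled first.
        // Assumption: the login redirect is issued at this step.
        return $enforceAuthentication ? 'login-redirect' : 'delegate';
    }
    if (!array_intersect($affected, $req['permissions'])) {
        return 'delegate';        // holds none of the affected permissions
    }
    return 'confirm';             // handled by the parent ConfirmationMiddleware
}

// Constructed sample requests; 'ADMIN' and 'CMS_ACCESS' are sample permission codes.
$anon  = ['bypass' => false, 'items' => 1, 'authenticated' => false, 'permissions' => []];
$user  = ['bypass' => false, 'items' => 1, 'authenticated' => true,  'permissions' => ['CMS_ACCESS']];
$admin = ['bypass' => false, 'items' => 1, 'authenticated' => true,  'permissions' => ['ADMIN']];

$cases = [
    'bypass matched'             => [['bypass' => true] + $admin, true],
    'no confirmation items'      => [['items' => 0] + $admin, true],
    'anonymous, enforce = true'  => [$anon, true],
    'anonymous, enforce = false' => [$anon, false],
    'logged in, lacks ADMIN'     => [$user, true],
    'logged in, has ADMIN'       => [$admin, true],
];

foreach ($cases as $label => [$req, $enforce]) {
    printf("%-28s %s\n", $label, decide($req, ['ADMIN'], $enforce));
}
```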

Methods

__construct(Rule[] ...$rules)

Init the middleware with the rules

$this
setDeclineUrl(string $url)

Override the default decline URL

bool
canBypass(HTTPRequest $request)

Check whether the rules can be bypassed without user confirmation

Item[]
getConfirmationItems(HTTPRequest $request)

Extract the confirmation items from the request and return them

process(HTTPRequest $request, callable $delegate)

Generate response for the given request

$this
setConfirmationStorageId(string $id)

Override the confirmation storage ID

$this
setConfirmationFormUrl(string $url)

Override the confirmation form URL

$this
setBypasses(Bypass[] $bypasses)

Set the list of bypasses for the confirmation

string[]
getAffectedPermissions()

Returns the list of permissions that are affected

$this
setAffectedPermissions(string[] $permissions)

Set the list of affected permissions

bool
getEnforceAuthentication()

Returns the flag indicating whether we want to enforce authentication

$this
setEnforceAuthentication(bool $enforce)

Set whether we want to enforce authentication

bool
hasAccess(HTTPRequest $request)

Check whether the user has permissions to perform the target operation. Otherwise we may want to skip the confirmation dialog.

Details

__construct(Rule[] ...$rules)

Init the middleware with the rules

Parameters

Rule[] ...$rules

Rules to check requests against

$this setDeclineUrl(string $url)

Override the default decline URL

Parameters

string $url

Return Value

$this

bool canBypass(HTTPRequest $request)

Check whether the rules can be bypassed without user confirmation

Parameters

HTTPRequest $request

Return Value

bool

Item[] getConfirmationItems(HTTPRequest $request)

Extract the confirmation items from the request and return them

Parameters

HTTPRequest $request

Return Value

Item[]

list of confirmation items

HTTPResponse process(HTTPRequest $request, callable $delegate)

Generate response for the given request

Parameters

HTTPRequest $request
callable $delegate

Return Value

HTTPResponse

$this setConfirmationStorageId(string $id)

Override the confirmation storage ID

Parameters

string $id

Return Value

$this

$this setConfirmationFormUrl(string $url)

Override the confirmation form URL

Parameters

string $url

Return Value

$this

$this setBypasses(Bypass[] $bypasses)

Set the list of bypasses for the confirmation

Parameters

Bypass[] $bypasses

Return Value

$this

string[] getAffectedPermissions()

Returns the list of permissions that are affected

Return Value

string[]

$this setAffectedPermissions(string[] $permissions)

Set the list of affected permissions

If the user doesn't have at least one of these, we assume they don't have access to the protected action, so we don't ask for a confirmation.

Parameters

string[] $permissions

list of affected permissions

Return Value

$this

bool getEnforceAuthentication()

Returns the flag indicating whether we want to enforce authentication

Return Value

bool

$this setEnforceAuthentication(bool $enforce)

Set whether we want to enforce authentication

We either enforce authentication (redirect to a login form) or silently assume the user does not have permissions, in which case we don't have to ask for a confirmation.

Parameters

bool $enforce

Return Value

$this

bool hasAccess(HTTPRequest $request)

Check whether the user has permissions to perform the target operation. Otherwise we may want to skip the confirmation dialog.

WARNING! The user has to be authenticated beforehand.

Parameters

HTTPRequest $request

Return Value

bool