This repository was archived by the owner on May 1, 2022. It is now read-only.
-
Notifications
You must be signed in to change notification settings - Fork 117
Expand file tree
/
Copy pathFileBasedAccessController.php
More file actions
executable file
·321 lines (305 loc) · 12.7 KB
/
FileBasedAccessController.php
File metadata and controls
executable file
·321 lines (305 loc) · 12.7 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
<?php
/**
* OWASP Enterprise Security API (ESAPI)
*
* This file is part of the Open Web Application Security Project (OWASP)
* Enterprise Security API (ESAPI) project. For details, please see
* <a href="http://www.owasp.org/index.php/ESAPI">http://www.owasp.org/index.php/ESAPI</a>.
*
* Copyright (c) 2007 - 2009 The OWASP Foundation
*
* The ESAPI is published by OWASP under the BSD license. You should read and accept the
* LICENSE before you use, modify, and/or redistribute this software.
*
* @author
* @created 2008
* @since 1.4
* @package ESAPI_Reference
*/
require_once dirname(__FILE__).'/../AccessController.php';
/**
* Reference Implementation of the FileBasedAccessController interface.
*
* @category OWASP
* @package ESAPI_Reference
* @copyright 2009-2010 The OWASP Foundation
* @license http://www.opensource.org/licenses/bsd-license.php New BSD license
* @version Release: @package_version@
* @link http://www.owasp.org/index.php/ESAPI
*/
class FileBasedAccessController implements AccessController {
/**
* Checks if an account is authorized to access the referenced URL. Generally, this method should be invoked in the
* application's controller or a filter as follows:
* <PRE>ESAPI.accessController().isAuthorizedForURL(request.getRequestURI().toString());</PRE>
*
* The implementation of this method should call assertAuthorizedForURL($url), and if an AccessControlException is
* not thrown, this method should return true. This way, if the user is not authorized, false would be returned, and the
* exception would be logged.
*
* @param url
* the URL as returned by request.getRequestURI().toString()
*
* @return
* true, if is authorized for URL
*/
function isAuthorizedForURL($url)
{
throw new EnterpriseSecurityException("Method Not implemented");
}
/**
* Checks if an account is authorized to access the referenced function.
*
* The implementation of this method should call assertAuthorizedForFunction($functionName), and if an
* AccessControlException is not thrown, this method should return true.
*
* @param functionName
* the name of the function
*
* @return
* true, if is authorized for function
*/
function isAuthorizedForFunction($functionName)
{
throw new EnterpriseSecurityException("Method Not implemented");
}
/**
* Checks if an account is authorized to access the referenced data, represented as a String.
*
* The implementation of this method should call assertAuthorizedForData($key), and if an AccessControlException
* is not thrown, this method should return true.
*
* @param key
* the name of the referenced data object
*
* @return
* true, if is authorized for the data
*/
function isAuthorizedForDataByKey($key)
{
throw new EnterpriseSecurityException("Method Not implemented");
}
/**
* Checks if an account is authorized to access the referenced data, represented as an Object.
*
* The implementation of this method should call assertAuthorizedForData($action, Object data), and if an
* AccessControlException is not thrown, this method should return true.
*
* @param action
* the action to check for in the configuration file in the resource directory
*
* @param data
* the data to check for in the configuration file in the resource directory
*
* @return
* true, if is authorized for the data
*/
function isAuthorizedForData($action, $data)
{
throw new EnterpriseSecurityException("Method Not implemented");
}
/**
* Checks if an account is authorized to access the referenced file.
*
* The implementation of this method should call assertAuthorizedForFile($filepath), and if an AccessControlException
* is not thrown, this method should return true.
*
* @param filepath
* the path of the file to be checked, including filename
*
* @return
* true, if is authorized for the file
*/
function isAuthorizedForFile($filepath)
{
throw new EnterpriseSecurityException("Method Not implemented");
}
/**
* Checks if an account is authorized to access the referenced service. This can be used in applications that
* provide access to a variety of back end services.
*
* The implementation of this method should call assertAuthorizedForService($serviceName), and if an
* AccessControlException is not thrown, this method should return true.
*
* @param serviceName
* the service name
*
* @return
* true, if is authorized for the service
*/
function isAuthorizedForService($serviceName)
{
throw new EnterpriseSecurityException("Method Not implemented");
}
/**
* Checks if an account is authorized to access the referenced URL. The implementation should allow
* access to be granted to any part of the URL. Generally, this method should be invoked in the
* application's controller or a filter as follows:
* <PRE>ESAPI.accessController().assertAuthorizedForURL(request.getRequestURI().toString());</PRE>
*
* This method throws an AccessControlException if access is not authorized, or if the referenced URL does not exist.
* If the User is authorized, this method simply returns.
* <P>
* Specification: The implementation should do the following:
* <ol>
* <li>Check to see if the resource exists and if not, throw an AccessControlException</li>
* <li>Use available information to make an access control decision</li>
* <ol type="a">
* <li>Ideally, this policy would be data driven</li>
* <li>You can use the current User, roles, data type, data name, time of day, etc.</li>
* <li>Access control decisions must deny by default</li>
* </ol>
* <li>If access is not permitted, throw an AccessControlException with details</li>
* </ol>
* @param url
* the URL as returned by request.getRequestURI().toString()
*
* @throws AccessControlException
* if access is not permitted
*/
function assertAuthorizedForURL($url)
{
throw new EnterpriseSecurityException("Method Not implemented");
}
/**
* Checks if an account is authorized to access the referenced function. The implementation should define the
* function "namespace" to be enforced. Choosing something simple like the class name of action classes or menu item
* names will make this implementation easier to use.
* <P>
* This method throws an AccessControlException if access is not authorized, or if the referenced function does not exist.
* If the User is authorized, this method simply returns.
* <P>
* Specification: The implementation should do the following:
* <ol>
* <li>Check to see if the function exists and if not, throw an AccessControlException</li>
* <li>Use available information to make an access control decision</li>
* <ol type="a">
* <li>Ideally, this policy would be data driven</li>
* <li>You can use the current User, roles, data type, data name, time of day, etc.</li>
* <li>Access control decisions must deny by default</li>
* </ol>
* <li>If access is not permitted, throw an AccessControlException with details</li>
* </ol>
*
* @param functionName
* the function name
*
* @throws AccessControlException
* if access is not permitted
*/
function assertAuthorizedForFunction($functionName)
{
throw new EnterpriseSecurityException("Method Not implemented");
}
/**
* Checks if the current user is authorized to access the referenced data. This method simply returns if access is authorized.
* It throws an AccessControlException if access is not authorized, or if the referenced data does not exist.
* <P>
* Specification: The implementation should do the following:
* <ol>
* <li>Check to see if the resource exists and if not, throw an AccessControlException</li>
* <li>Use available information to make an access control decision</li>
* <ol type="a">
* <li>Ideally, this policy would be data driven</li>
* <li>You can use the current User, roles, data type, data name, time of day, etc.</li>
* <li>Access control decisions must deny by default</li>
* </ol>
* <li>If access is not permitted, throw an AccessControlException with details</li>
* </ol>
* @param key
* the name of the target data object
*
* @throws AccessControlException
* if access is not permitted
*/
function assertAuthorizedForDataByKey($key)
{
throw new EnterpriseSecurityException("Method Not implemented");
}
/**
* Checks if the current user is authorized to access the referenced data. This method simply returns if access is authorized.
* It throws an AccessControlException if access is not authorized, or if the referenced data does not exist.
* <P>
* Specification: The implementation should do the following:
* <ol>
* <li>Check to see if the resource exists and if not, throw an AccessControlException</li>
* <li>Use available information to make an access control decision</li>
* <ol type="a">
* <li>Ideally, this policy would be data driven</li>
* <li>You can use the current User, roles, data type, data name, time of day, etc.</li>
* <li>Access control decisions must deny by default</li>
* </ol>
* <li>If access is not permitted, throw an AccessControlException with details</li>
* </ol>
*
* @param action
* the action to check for in the configuration file in the resource directory
*
* @param data
* the data to check for in the configuration file in the resource directory
*
* @throws AccessControlException
* if access is not permitted
*/
function assertAuthorizedForData($action, $data)
{
throw new EnterpriseSecurityException("Method Not implemented");
}
/**
* Checks if an account is authorized to access the referenced file. The implementation should validate and canonicalize the
* input to be sure the filepath is not malicious.
* <P>
* This method throws an AccessControlException if access is not authorized, or if the referenced File does not exist.
* If the User is authorized, this method simply returns.
* <P>
* Specification: The implementation should do the following:
* <ol>
* <li>Check to see if the File exists and if not, throw an AccessControlException</li>
* <li>Use available information to make an access control decision</li>
* <ol type="a">
* <li>Ideally, this policy would be data driven</li>
* <li>You can use the current User, roles, data type, data name, time of day, etc.</li>
* <li>Access control decisions must deny by default</li>
* </ol>
* <li>If access is not permitted, throw an AccessControlException with details</li>
* </ol>
*
* @param filepath
* Path to the file to be checked
* @throws AccessControlException if access is denied
*/
function assertAuthorizedForFile($filepath)
{
throw new EnterpriseSecurityException("Method Not implemented");
}
/**
* Checks if an account is authorized to access the referenced service. This can be used in applications that
* provide access to a variety of backend services.
* <P>
* This method throws an AccessControlException if access is not authorized, or if the referenced service does not exist.
* If the User is authorized, this method simply returns.
* <P>
* Specification: The implementation should do the following:
* <ol>
* <li>Check to see if the service exists and if not, throw an AccessControlException</li>
* <li>Use available information to make an access control decision</li>
* <ol type="a">
* <li>Ideally, this policy would be data driven</li>
* <li>You can use the current User, roles, data type, data name, time of day, etc.</li>
* <li>Access control decisions must deny by default</li>
* </ol>
* <li>If access is not permitted, throw an AccessControlException with details</li>
* </ol>
*
* @param serviceName
* the service name
*
* @throws AccessControlException
* if access is not permitted
*/
function assertAuthorizedForService($serviceName)
{
throw new EnterpriseSecurityException("Method Not implemented");
}
}
?>