
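I want to create a simple permission system and be able to control whether a user can read and/or write in a directory. To do this, I created a plugin. If the user does not have the right permissions, a Forbidden exception is thrown. Let's imagine the following directory structure with the corresponding permissions of the current user: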

Folder 1 (read & write)
    Subfolder 1 (no read nor write)
        ...
Folder 2 (read & write)
....

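When the user tries to access Folder 2 or Subfolder 1, everything works fine. He either gets the expected folder data (Folder 2) or a Forbidden exception (Subfolder 1). However, if he tries to access Folder 1, a Forbidden exception is thrown. How can I implement this system in such a way that the user can still access Folder 1 but not Subfolder 1? Here is my current (simplified) code: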

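    use Sabre\DAV\Exception\Forbidden;
    use Sabre\DAV\Server;
    // Security and FileVoter are the application's own classes; their imports are omitted here.

    class SabreServerPlugin extends \Sabre\DAV\ServerPlugin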
    {
        public const BEFORE_CREATE_FILE = 'beforeCreateFile';
        public const BEFORE_FILE_UPDATE = 'beforeWriteContent';
        public const BEFORE_CREATION_DUE_TO_UPDATE = 'beforeBind';
        public const BEFORE_DELETION_DUE_TO_UPDATE = 'beforeUnbind';
        public const BEFORE_LOCK = 'beforeLock';
        public const BEFORE_UNLOCK = 'beforeUnlock';
        public const BEFORE_PROPERTY_REQUEST = 'propFind';
    
        private Server $server;
        private Security $security;
    
        public function __construct(Security $security)
        {
            $this->security = $security;
        }
    
        public function initialize(Server $server): void
        {
            $this->server = $server;
            $this->server->on(self::BEFORE_CREATE_FILE, [$this, 'beforeCreateFile']);
            $this->server->on(self::BEFORE_FILE_UPDATE, [$this, 'beforeFileUpdate']);
            $this->server->on(self::BEFORE_CREATION_DUE_TO_UPDATE, [$this, 'beforeCreationDueToUpdate']);
            $this->server->on(self::BEFORE_DELETION_DUE_TO_UPDATE, [$this, 'beforeDeletionDueToUpdate']);
            $this->server->on(self::BEFORE_LOCK, [$this, 'beforeLock']);
            $this->server->on(self::BEFORE_UNLOCK, [$this, 'beforeUnlock']);
            $this->server->on(self::BEFORE_PROPERTY_REQUEST, [$this, 'beforePropertyRequest']);
        }
    
        public function beforeCreateFile(string $path, &$data, \Sabre\DAV\ICollection $parent, &$modified): void
        {
            if (!$this->security->isGranted(FileVoter::CREATE, $path)) {
                throw new Forbidden();
            }
        }
    
        public function beforeFileUpdate($path, \Sabre\DAV\IFile $node, &$data, &$modified): void
        {
            if (!$this->security->isGranted(FileVoter::UPDATE, $path)) {
                throw new Forbidden();
            }
        }
    
        public function beforeCreationDueToUpdate($path): bool
        {
            if (!$this->security->isGranted(FileVoter::CREATE, $path)) {
                throw new Forbidden();
            }
    
            return true;
        }
    
        public function beforeDeletionDueToUpdate($path): bool
        {
            if (!$this->security->isGranted(FileVoter::DELETE, $path)) {
                throw new Forbidden();
            }
    
            return true;
        }
    
        public function beforeLock($path, \Sabre\DAV\Locks\LockInfo $lock): bool
        {
            if (!$this->security->isGranted(FileVoter::UPDATE, $path)) {
                throw new Forbidden();
            }
    
            return true;
        }
    
        public function beforeUnlock($path, \Sabre\DAV\Locks\LockInfo $lock): bool
        {
            if (!$this->security->isGranted(FileVoter::UPDATE, $path)) {
                throw new Forbidden();
            }
    
            return true;
        }
    
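        public function beforePropertyRequest(\Sabre\DAV\PropFind $propfind, \Sabre\DAV\INode $node): void
        {
            // The propFind event carries no $path argument; read it from the PropFind object.
            $path = $propfind->getPath();
            if (!$this->security->isGranted(FileVoter::VIEW, $path)) {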
                throw new Forbidden();
            }
        }
    }

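As far as I understand, the exception is only thrown when the propfind for the path "Subfolder 2" is processed, which is correct, but the exception is not contained within this node and therefore does not mark only the folder/node "Subfolder 2" as forbidden.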


0 answers
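The behaviour described in the question, as an added example that is not part of the original post or of sabre/dav's own code: on a listing request the `propFind` event fires for Folder 1 and again for each child, so a Forbidden thrown for Subfolder 1 aborts the whole response. The sketch below throws only for the path the client requested directly and hides denied children by returning `false` from the handler; the class name `ListingAwarePlugin` and the `$canView` callable are assumptions standing in for the question's `Security`/`FileVoter` check.

```php
<?php
// Added example, not from the original post. ListingAwarePlugin and $canView
// are hypothetical names; $canView stands in for the question's
// $this->security->isGranted(FileVoter::VIEW, $path) check.

use Sabre\DAV\Exception\Forbidden;
use Sabre\DAV\INode;
use Sabre\DAV\PropFind;
use Sabre\DAV\Server;
use Sabre\DAV\ServerPlugin;

class ListingAwarePlugin extends ServerPlugin
{
    private Server $server;
    /** @var callable(string): bool */
    private $canView;

    public function __construct(callable $canView)
    {
        $this->canView = $canView;
    }

    public function initialize(Server $server): void
    {
        $this->server = $server;
        $this->server->on('propFind', [$this, 'beforePropertyRequest']);
    }

    public function beforePropertyRequest(PropFind $propFind, INode $node)
    {
        $path = $propFind->getPath();
        if (($this->canView)($path)) {
            return; // allowed: let the other propFind handlers fill in properties
        }

        // The node the client asked for directly: refuse the whole request.
        if (trim($path, '/') === trim($this->server->getRequestUri(), '/')) {
            throw new Forbidden();
        }

        // A child reached through a Depth: 1 or infinity listing: returning
        // false makes the server leave this node out of the multistatus
        // response, so the permitted parent and siblings are still listed.
        return false;
    }
}
```

To report a denied child with a 403 status instead of hiding it, the handler can call `$propFind->set($name, null, 403)` for each name in `$propFind->getRequestedProperties()` and return normally.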