Using authentication on different method parameters (Restler 3)

StackOverflow https://stackoverflow.com/questions/21445356

Question

I want to restrict access to a method if a parameter has a specific value. Lets take for example this class:

Simple.php: 

class Simple
{
    function item($name)
    {
        if($name == "somerestricted")
        {
            // Here should be an authentication check (or somewhere else), hopefully, using an iAuthenticate class
            // Later, there will be a check using a database to determine if authentication will be required
            // So user/password may vary
            if($authenticated)
            {
                // Proceed
            }
            else
            {
                // ???
            }
        }
        else
        {
            echo "Hi!";
        }
    }
}

Using this authentication class:

BasicAuthentication.php: 

class BasicAuthentication implements iAuthenticate
{
    const REALM = 'Restricted API';
    function __isAllowed()
    {
        if(isset($_SERVER['PHP_AUTH_USER']) && isset($_SERVER['PHP_AUTH_PW']))
        {
            $user = $_SERVER['PHP_AUTH_USER'];
            $pass = $_SERVER['PHP_AUTH_PW'];
            if($user == 'laterfetched' && $pass == 'fromdatabase')
            {
                return true;
            }
        }
        header('WWW-Authenticate: Basic realm="'.self::REALM.'"');
        throw new RestException(401, 'Basic Authentication Required');
    }
}

Index.php (gateway): addAuthenticationClass('BasicAuthentication'); $r->addAPIClass('Simple'); $r->handle();

The simple/item method is now publicly accessible. However, if I turn item it into a protected function, every request needs authentication. This is not what i want to do. Only simple/item/somerestricted should require authentication.

So is there a way to restrict the iAuthenticate to a specific parameter value? If not, how can I solve this issue anyway?

User name and password will be varying in production use (depending on the given parameter).

I found these relevant questions: Restler 3.0 Basic Authentication and Luracast Restler Authentication

I am using Restler rc4.

Was it helpful?

Solution

You have make yours a hybrid api, which is public and will enhance the results if the user is authenticated

One way to do it is as given below. It is using a hidden property in Restler

class Simple
{
    /**
     * @var \Luracast\Restler\Restler
     */
    public $restler;
    /**
     * @access hybrid
     */
    function item($name)
    {
        if ($name == "somerestricted") {
            if ($this->restler->_authenticated) {
                // Proceed
            } else {
                // ???
            }
        } else {
            echo "Hi!";
        }
    }
}

Another (recommended) way is to use iUseAuthentication Interface

use Luracast\Restler\iUseAuthentication;

class Simple implements iUseAuthentication
{
    protected $authenticated;

    /**
     * @access hybrid
     */
    function item($name)
    {
        if ($name == "somerestricted") {
            if ($this->authenticated) {
                // Proceed
            } else {
                // ???
            }
        } else {
            echo "Hi!";
        }
    }

    public function __setAuthenticationStatus($isAuthenticated = false)
    {
        $this->authenticated = $isAuthenticated;
    }
}
Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow
scroll top