senaduka/old-new-wiaas
1
0
Fork 0
Code Issues Pull Requests 1 Actions Packages Projects Releases Wiki Activity

Enable login by role both on frontend and backend

Browse Source
This commit is contained in:
Almira Krdzic
2018-10-22 09:47:48 +02:00
parent 87f408125d
commit 21fafc5a43
20 changed files with 618 additions and 367 deletions
Download Patch File Download Diff File Expand all files Collapse all files

285
backend/app/plugins/wiaas/includes/class-wiaas-authentication.php
View File

@@ -9,192 +9,165 @@
*/
class Wiaas_Authentication {
const SUPER_ADMIN_USER_ID = 1;
const SUPER_ADMIN_USER_ID = 1;
public static function init() {
// authenticate current user
add_action('determine_current_user', array(__CLASS__, 'authenticate_current_user'), 999);
public static function init() {
// authenticate current user
add_action('determine_current_user', array(__CLASS__, 'authenticate_current_user'), 999);
// authenticates user on login
add_filter( 'authenticate', array( __CLASS__, 'authenticate_user_on_login' ), 999, 3);
// authenticates user on login
add_filter( 'authenticate', array( __CLASS__, 'authenticate_user_on_login' ), 999, 3);
// retrieve preferred user role for user
add_filter('get_user_metadata', array(__CLASS__, 'maybe_filter_user_roles'), 10, 3);
add_filter('jwt_auth_token_before_dispatch', array(__CLASS__, 'authenticate_rest_user_on_login'), 999, 2);
// redirect to dashboard after login
add_filter( 'login_redirect', array( __CLASS__, 'login_redirect' ) );
// redirect to dashboard after login
add_filter( 'login_redirect', array( __CLASS__, 'login_redirect' ) );
}
// add role selector to login form
add_action('login_form', array(__CLASS__, 'pick_role_on_login'));
}
/**
* Redirect admin user to dashboard
*
* @return string
*/
public static function login_redirect() {
return admin_url('index.php') ;
}
/**
* Add role selector to login form
*/
public static function pick_role_on_login() {
?>
<p>
<label for="user_role"><?php esc_html_e( 'Role' , 'wiaas'); ?><br />
<select id="user_role" class="input" name="role">
<option value="administrator"><?php esc_html_e('Administrator', 'wiaas') ?></option>
<option value="supplier"><?php esc_html_e('Supplier', 'wiaas') ?></option>
<option value="commercial_lead"><?php esc_html_e('Commercial Lead', 'wiaas') ?></option>
</select>
</p>
<?php
}
/**
* Redirect admin user to dashboard
*
* @return string
*/
public static function login_redirect() {
return admin_url('index.php') ;
}
/**
* Authenticate current user based on roles assigned to organization
*
* @param int|false $user_id
* @return int|false|WP_Error
*/
public static function authenticate_current_user($user_id) {
// do nothing if user not authenticated, user is super admin or this is REST API request
if (! $user_id || $user_id === self::SUPER_ADMIN_USER_ID) {
return $user_id;
}
/**
* Authenticate current user based on roles assigned to organization
*
* If this is non admin request successfully validate user if he can have customer role.
*
* If this is admin panel request successfully validate user if has admin panel role selected
* and also he still can have that role (role was not removed from his customer organization)
*
* @param int|false $user_id
* @return int|false|WP_Error
*/
public static function authenticate_current_user($user_id) {
// do nothing if user not authenticated, user is super admin or this is REST API request
if (! $user_id || $user_id === self::SUPER_ADMIN_USER_ID) {
return $user_id;
}
$is_rest_api = strpos($_SERVER['REQUEST_URI'], rest_get_url_prefix());
global $current_user;
$role = $is_rest_api ?
'customer' :
get_user_meta($user_id, '_wiaas_current_user_admin_role', true);
if (empty($current_user)) {
$result = self::_can_user_have_role($user_id, $role, $is_rest_api);
$current_user = new WP_User($user_id);
}
if (is_wp_error($result)) {
return false;
}
$rest_api_slug = rest_get_url_prefix();
$valid_api_uri = strpos($_SERVER['REQUEST_URI'], $rest_api_slug);
return $user_id;
}
if ($valid_api_uri) {
//for non admin request check if user has customer role
$role = 'customer';
} else {
// for admin panel request check if user has selected role
$role = get_user_meta($user_id, '_wiaas_admin_role', true);
}
/**
* Authenticate wiaas user on login based on roles assigned to organization
*
* @param WP_User $user
* @return WP_User|WP_Error
*/
public static function authenticate_user_on_login($user) {
// check if rest request
$is_rest_api = strpos($_SERVER['REQUEST_URI'], rest_get_url_prefix());
// do nothing if there is an error already,
// user is super admin or
// this is rest request
if (is_wp_error($user) || $user->ID === 1 || $is_rest_api) {
return $user;
}
if ( empty($role) || ! user_can($user_id, 'wiaas_' . $role)) {
// not available roles for user
$current_user->set_role('');
if (empty($_POST['role'])) {
return new WP_Error('error', 'You must selected role to login!');
}
return new WP_Error('wiaas_authentication_error', 'No set permissions!');
}
// get selected role
$requested_role = sanitize_key($_POST['role']);
// authenticate valid admin panel user
$current_user->set_role($role);
// validate can user have requested role
$result = self::_can_user_have_role($user->ID, $requested_role, false);
return $user_id;
}
// if user organization has no requested role prevent access
if (is_wp_error($result)) {
return $result;
}
// remember role for user and continue
update_user_meta($user->ID, '_wiaas_current_user_admin_role', $requested_role);
return $user;
}
/**
* Authenticate wiaas user on login based on roles assigned to organization
*
* If this is non admin panel request authenticate user if he can be customer.
*
* If this is admin panel login request user will be authenticated with previously selected or first available role
* from his organization roles.
*
* @param WP_User $user
* @return WP_User|WP_Error
*/
public static function authenticate_user_on_login($user) {
// do nothing if there is an error already,
// user is super admin
if (is_wp_error($user) || $user->ID === self::SUPER_ADMIN_USER_ID ) {
return $user;
}
/**
*
* Filters user roles retrieval so that selected user role is retrieved for admin panel
* and customer role is retrieved for JSON API request
*
* @param $null
* @param int $user_id
* @param string $meta_key
* @return array|null
*/
public static function maybe_filter_user_roles($null, $user_id, $meta_key) {
global $wpdb;
if ($user_id !== 0 && $user_id !== self::SUPER_ADMIN_USER_ID && $meta_key === $wpdb->get_blog_prefix() . 'capabilities') {
$is_rest_api = strpos($_SERVER['REQUEST_URI'], rest_get_url_prefix());
$role = $is_rest_api ?
'customer' :
get_user_meta($user_id, '_wiaas_current_user_admin_role', true);
return array( array ( "$role" => true ));
}
return null;
}
$rest_api_slug = rest_get_url_prefix();
$valid_api_uri = strpos($_SERVER['REQUEST_URI'], $rest_api_slug);
/**
* CUSTOMER API AUTHENTICATION
*/
// validate customer user login
if ($valid_api_uri) {
// PRIVATE
$role = user_can($user->ID, 'wiaas_customer') ? 'customer' : '';
$user->set_role($role);
/**
* Determines if user can have requested role based on his organization roles
*
* @param int $user_id
* @param string $user_role
* @param bool $is_rest_api
* @return bool|WP_Error
*/
private static function _can_user_have_role($user_id, $user_role, $is_rest_api) {
// check if role valid for access
if (! wp_roles()->is_role($user_role)) {
return new WP_Error('error', 'Role is not valid!');
}
return empty($role) ?
new WP_Error('wiaas_authentication_error', 'No Customer permissions!') :
$user;
}
// only customer role can access API
if ($is_rest_api && $user_role !== 'customer') {
return new WP_Error('error', 'No access!');
}
/**
* ADMIN PANEL AUTHENTICATION
*/
// customer role cannot access admin backend
if (! $is_rest_api && $user_role === 'customer') {
return new WP_Error('error', 'No access!');
}
// retrieve selected role for user
$role = get_user_meta($user->ID, '_wiaas_admin_role', true);
// if user has selected role then use it
if (! empty($role) && user_can($user->ID, 'wiaas_' . $role)) {
return $user;
}
// import organization functions (during user authentication it is not yet loaded)
require_once dirname( __FILE__ ) . '/user/wiaas-organization-functions.php';
// user does not have selected role so try to assign one in order of access
if (user_can($user->ID, 'wiaas_administrator')) {
$role = 'administrator';
} else if (user_can($user->ID, 'wiaas_commercial_lead')) {
$role = 'commercial_lead';
} else if (user_can($user->ID, 'wiaas_supplier')) {
$role = 'supplier';
}
// get user organization
$organization_id = wiaas_get_user_organization_id($user_id);
if (empty($role)) {
return new WP_Error('wiaas_authentication_error', 'No permissions!');
}
// validate if user has organization
if (empty( $organization_id)) {
return new WP_Error('error', 'Account not completed!');
}
// get organization roles
$roles = wiaas_get_organization_roles($organization_id);
update_user_meta($user->ID, '_wiaas_admin_role', $role);
// validate if user has organization roles
if (!in_array($user_role, $roles)) {
return new WP_Error( 'error', 'Your account is not authorized for requested role. Please contact us for help.' );
}
$user->set_role($role);
return $user;
}
/**
* validate that successfully logged in rest api user can be customer
*
* @param array $data
* @param WP_User $user
* @return array | WP_Error
*
*/
public static function authenticate_rest_user_on_login($data, $user) {
$role = user_can($user->ID, 'wiaas_customer') ? 'customer' : '';
$user->set_role($role);
return empty($role) ?
new WP_Error('wiaas_authentication_error', 'No Customer permissions!') :
$data;
}
return true;
}
}
Wiaas_Authentication::init();