Merge pull request #4 from vufind-org/ebsco-permissions

Switched guest detection to standard permission system.

config/vufind/EDS.ini

@@ -1,3 +1,8 @@
+; IMPORTANT NOTE: By default, VuFind will block access to certain EDS content
+; unless it knows which users are authorized (by IP, etc.). Please configure the
+; access.EDSExtendedResults permission in permissions.ini to allow users to
+; see this content. You are responsible for complying with your license.
+
 ; This section contains global settings affecting search behavior.
 [General]
 ; This setting controls the default sort order of search results; the selected
@@ -184,6 +189,3 @@ user_name = [USERNAME]
 password  = [PASSWORD]
 profile   = [PROFILE]
 organization_id = "VuFind 2.x from MyUniversity"
-; IP authentication for the users of Springfield University
-; List of ip addresses of Springfield University
-local_ip_addresses = "127.0.0.1, 192.168.11"

config/vufind/permissions.ini

@@ -61,6 +61,7 @@
 ; List of permissions that you may wish to configure:
 ;
 ; access.AdminModule - Controls access to the admin panel (if enabled in config.ini)
+; access.EDSExtendedResults - Controls visibility of protected EDS results
 ; access.EITModule - Controls access to the EBSCO EIT module (if active)
 ; access.StaffViewTab - Controls access to the staff view tab in record mode
 ; access.SummonExtendedResults - Controls visibility of protected Summon results
@@ -76,6 +77,12 @@ role[] = guest
 role[] = loggedin
 permission = access.StaffViewTab
 
+; Example for EDS
+;[default.EDSModule]
+;ipRange[] = "127.0.0.1"
+;ipRange[] = "192.168.11"
+;permission = access.EDSExtendedResults
+
 ; Examples for Shibboleth
 ;
 ; Only users that have either common-lib-terms and entityid from idp1 or 

module/VuFind/src/VuFind/Controller/EdsrecordController.php

@@ -26,6 +26,7 @@
  * @link     http://vufind.org   Main Site
  */
 namespace VuFind\Controller;
+use VuFind\Exception\Forbidden as ForbiddenException;
 
 /**
  * EDS Record Controller
@@ -60,11 +61,14 @@ public function pdfAction()
     {
         $driver = $this->loadRecord();
         //if the user is a guest, redirect them to the login screen.
-        if (!$this->isAuthenticationIP() && false == $this->getUser()) {
-            return $this->forceLogin();
-        } else {
-            return $this->redirect()->toUrl($driver->getPdfLink());
+        $auth = $this->getAuthorizationService();
+        if (!$auth->isGranted('access.EDSExtendedResults')) {
+            if (!$this->getUser()) {
+                return $this->forceLogin();
+            }
+            throw new ForbiddenException('Access denied.');
         }
+        return $this->redirect()->toUrl($driver->getPdfLink());
     }
 
     /**
@@ -78,16 +82,4 @@ protected function resultScrollerActive()
         return (isset($config->Record->next_prev_navigation)
             && $config->Record->next_prev_navigation);
     }
-
-     /**
-     * Is IP Authentication being used?
-     *
-     * @return bool
-     */
-    protected function isAuthenticationIP()
-    {
-        $config = $this->getServiceLocator()->get('VuFind\Config')->get('EDS');
-        return (isset($config->EBSCO_Account->ip_auth)
-            && 'true' ==  $config->EBSCO_Account->ip_auth);
-    }
 }

module/VuFind/src/VuFind/Search/Factory/EdsBackendFactory.php

@@ -103,10 +103,12 @@ public function createService(ServiceLocatorInterface $serviceLocator)
      */
     protected function createBackend(Connector $connector)
     {
+        $auth = $this->serviceLocator->get('ZfcRbac\Service\AuthorizationService');
+        $isGuest = !$auth->isGranted('access.EDSExtendedResults');
         $backend = new Backend(
             $connector, $this->createRecordCollectionFactory(),
             $this->serviceLocator->get('VuFind\CacheManager')->getCache('object'),
-            new \Zend\Session\Container('EBSCO'), $this->edsConfig
+            new \Zend\Session\Container('EBSCO'), $this->edsConfig, $isGuest
         );
         $backend->setAuthManager($this->serviceLocator->get('VuFind\AuthManager'));
         $backend->setLogger($this->logger);

module/VuFindSearch/src/VuFindSearch/Backend/EDS/Backend.php

@@ -141,6 +141,13 @@ class Backend extends AbstractBackend
      */
     protected $localIps = '';
 
+    /**
+     * Is the current user a guest?
+     *
+     * @var bool
+     */
+    protected $isGuest;
+
     /**
      * Constructor.
      *
@@ -149,10 +156,11 @@ class Backend extends AbstractBackend
      * @param CacheAdapter                     $cache   Object cache
      * @param SessionContainer                 $session Session container
      * @param Config                           $config  Object representing EDS.ini
+     * @param bool                             $isGuest Is the current user a guest?
      */
     public function __construct(ApiClient $client,
         RecordCollectionFactoryInterface $factory, CacheAdapter $cache,
-        SessionContainer $session, Config $config = null
+        SessionContainer $session, Config $config = null, $isGuest = true
     ) {
         // Save dependencies:
         $this->client = $client;
@@ -180,6 +188,8 @@ public function __construct(ApiClient $client,
             $this->localIps = $config->EBSCO_Account->local_ip_addresses;
         }
 
+        $this->isGuest = $isGuest;
+
         // Save default profile value, since profile property may be overriden:
         $this->defaultProfile = $this->profile;
     }
@@ -309,7 +319,7 @@ public function retrieve($id, ParamBag $params = null)
                         $sessionToken = $this->getSessionToken(true);
                     }
                     $response = $this->client->retrieve(
-                        $an, $dbId,  $authenticationToken, $sessionToken, $hlTerms
+                        $an, $dbId, $authenticationToken, $sessionToken, $hlTerms
                     );
                 } catch(Exception $e) {
                     throw new BackendException($e->getMessage(), $e->getCode(), $e);
@@ -555,21 +565,7 @@ protected function validAuthIP($listIPs)
      */
     protected function isGuest()
     {
-        // If the user is not logged in, then treat them as a guest. Unless they are
-        // using IP Authentication.
-        // If IP Authentication is used, then don't treat them as a guest.
-
-        //RF : 2015/05/01 - deactivated
-        //if ($this->ipAuth) {
-        //    return 'n';
-        //}
-
-        if ($this->validAuthIP($this->localIps)
-            || (isset($this->authManager) && $this->authManager->isLoggedIn())
-        ) {
-            return 'n';
-        }
-        return 'y';
+        return $this->isGuest ? 'y' : 'n';
     }
 
     /**
@@ -586,7 +582,7 @@ public function createSession($isGuest, $profile = '')
     {
         try {
             $authToken = $this->getAuthenticationToken();
-            $results = $this->client->createSession($profile,  $isGuest, $authToken);
+            $results = $this->client->createSession($profile, $isGuest, $authToken);
         } catch(\EbscoEdsApiException $e) {
             $errorCode = $e->getApiErrorCode();
             $desc = $e->getApiErrorDescription();
@@ -598,7 +594,7 @@ public function createSession($isGuest, $profile = '')
                 try {
                     $authToken = $this->getAuthenticationToken(true);
                     $results = $this->client
-                        ->createSession($this->profile,  $isGuest, $authToken);
+                        ->createSession($this->profile, $isGuest, $authToken);
                 } catch(Exception $e) {
                     throw new BackendException(
                         $e->getMessage(),