Search code examples
zend-frameworkzend-authzend-application

Redirecting requests form a catch-all controller in Zend Application without looping forever


There are plenty of related posts to what I'm asking, but after some lengthy searches couldn't quite find what I was looking for, my apologies if it exists somewhere.

My goal -- ALL requests to my Zend App must go through a preDispatch plugin, then pass to a custom Auth controller that will decide whether existing auth credentials are sufficient for the requested operation. 'Sufficient' depends on the logic of the app, hence why I want to do this at the controller+model level. If they suffice, they send the original request along to the specified controller+action, if not they default to a 'get lost' action.

At present I'm using an auth custom plugin set in the preDispatch to simply check for POST'ed auth credentials (if we are logging in), then in all cases the plugin stores the original request and redirects everyone (auth'd or not) to my auth controller, a-la:

$request->setModuleName('default')
            ->setControllerName('auth')
            ->setActionName('check')
            ->setParam('oreq',$request->getParams());

My problem/question is that within my auth->check action, how should I perform the redirect after a decision is made? If I use:

$this->_helper->redirector($or['action'], $oreq['controller']);

then I obviously get an infinite loop as these requests pass through the preDispatch plugin again. Sure I could pass something with the redirect so that the Auth plugin ignores such requests, but this is clearly a security hole. I had thought about maybe generating and storing an md5 hash, storing it to session and passing that as an escape param, but that seems a little sketchy.

Any better ideas out there? Perhaps a redirect method that does not go through the standard predispatch routine in Zend App? Thanks in advance!


Solution

  • This is not how it is done usually in Zend Framework. Not all requests go to a common place and gets redirected to the original requested place authentication.

    For access control, use Zend_Acl. Through that, you could easily determine whether the current user has the necessary auth to access the content, else redirect to 'get lost' action.

    If you are still adamant on using your technique, use _forward method instead of redirect method.

    Since _forward is an internal redirect, you could pass additional arguments and check that in preDispath to avoid a loop.

    $this->_forward($action, $controller, $module, $params)