From 229f532ac02afe460a9a4b43555d3ffdb77dd03c Mon Sep 17 00:00:00 2001
From: Simon Vieille
Date: Mon, 19 Sep 2016 15:12:53 +0200
Subject: [PATCH] Fix issue #5 - Enforce registration
---
 README.md | 14 +++++
 app/bootstrap.php.d/70-security.php | 83 +++++++++++++++++++----------
 2 files changed, 68 insertions(+), 29 deletions(-)
diff --git a/README.md b/README.md
index 73ec5dc..637fb82 100644
--- a/README.md
+++ b/README.md
@@ -225,6 +225,20 @@ Edit `app/bootstrap.php.d/70-security.php` and modify the value of `$app['enable
 Edit `app/bootstrap.php.d/70-security.php` and modify the value of `$app['enable_registration']` with `false`.
+#### Force registration/login
+
+##### Login required to edit a gist
+
+Edit `app/bootstrap.php.d/70-security.php` and modify the value of `$app['login_required_to_edit_gist']` with `true`.
+
+##### Login required to view a gist
+
+Edit `app/bootstrap.php.d/70-security.php` and modify the value of `$app['login_required_to_view_gist']` with `true`.
+
+##### Login required to view an embeded gist
+
+Edit `app/bootstrap.php.d/70-security.php` and modify the value of `$app['login_required_to_view_embeded_gist']` with `true`.
+
 ### Debug
 `app_dev.php` is the development router. Access is granted for an IP range defined in the same file.
diff --git a/app/bootstrap.php.d/70-security.php b/app/bootstrap.php.d/70-security.php
index 5853802..ad428d4 100644
--- a/app/bootstrap.php.d/70-security.php
+++ b/app/bootstrap.php.d/70-security.php
@@ -13,6 +13,10 @@ use Symfony\Component\Security\Http\HttpUtils;
 $app['enable_registration'] = true;
 $app['enable_login'] = true;
+$app['login_required_to_edit_gist'] = false;
+$app['login_required_to_view_gist'] = false;
+$app['login_required_to_view_embeded_gist'] = false;
+
 $app['token'] = 'ThisTokenIsNotSoSecretChangeIt';
 $app['salt_generator'] = $app->share(function($app) {
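Review bot: The three new flags in the `@@ -13,6 +13,10 @@` hunk are added without a comment, directly above `$app['token']`, whose shipped value is a placeholder and which the firewall in the next hunk uses as the `remember_me` key. Once these flags gate gist content, a deployment that keeps the default token has its remember-me cookie keyed with a value published in the repository, so the two settings should be documented together. I would add above the flags: `// Set to boolean true to require ROLE_USER for the matching routes; change $app['token'] before enabling, it keys the remember-me cookie.` The key name `login_required_to_view_embeded_gist` also misspells "embedded"; renaming it now is cheaper than after users have copied it from the README.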
@@ -45,39 +49,60 @@ $app['security.authentication_listener.factory.form'] = $app->protect(function (
 'pre_auth'
 ];
 });
-
-$app->register(
- new SecurityServiceProvider(),
- [
- 'security.firewalls' => [
- 'default' => [
- 'pattern' => '^/',
- 'anonymous' => true,
- 'form' => [
- 'login_path' => '_login',
- 'check_path' => '/login_check',
- 'always_use_default_target_path' => false,
- 'default_target_path' => '/',
- ],
- 'logout' => [
- 'path' => '/logout',
- ],
- 'users' => $app->share(function () use ($app) {
- return $app['user.provider'];
- }),
- 'remember_me' => [
- 'key' => $app['token'],
- 'path' => '/',
- 'always_remember_me' => false,
- ],
+
+$firewall = [
+ 'security.firewalls' => [
+ 'default' => [
+ 'pattern' => '^/',
+ 'anonymous' => true,
+ 'form' => [
+ 'login_path' => '_login',
+ 'check_path' => '/login_check',
+ 'always_use_default_target_path' => false,
+ 'default_target_path' => '/',
+ ],
+ 'logout' => [
+ 'path' => '/logout',
+ ],
+ 'users' => $app->share(function () use ($app) {
+ return $app['user.provider'];
+ }),
+ 'remember_me' => [
+ 'key' => $app['token'],
+ 'path' => '/',
+ 'always_remember_me' => false,
 ],
 ],
- 'security.access_rules' => [
- ['^/[a-z]{2}/my.*$', 'ROLE_USER'],
- ]
+ ],
+ 'security.access_rules' => [
+ ['^/[a-z]{2}/my.*$', 'ROLE_USER'],
 ]
-);
+];
+if ($app['login_required_to_edit_gist'] || $app['login_required_to_view_gist'] || $app['login_required_to_view_embeded_gist']) {
+ $securityRegexp = '^/[a-z]{2}';
+ $exceptedUriPattern = ['login', 'register'];
+
+ if ($app['login_required_to_view_gist'] === true) {
+ $firewall['security.access_rules'][] = ['^/[a-z]{2}/view.*$', 'ROLE_USER'];
+ $firewall['security.access_rules'][] = ['^/[a-z]{2}/revs.*$', 'ROLE_USER'];
+ } else {
+ $exceptedUriPattern[] = 'view';
+ $exceptedUriPattern[] = 'revs';
+ }
+
+ if ($app['login_required_to_view_embeded_gist'] === true) {
+ $firewall['security.access_rules'][] = ['^/[a-z]{2}/embed.*$', 'ROLE_USER'];
+ } else {
+ $exceptedUriPattern[] = 'embed';
+ }
+
+ if ($app['login_required_to_edit_gist'] === true) {
+ $firewall['security.access_rules'][] = ['^/[a-z]{2}/(?!('.implode('|', $exceptedUriPattern).')).*$', 'ROLE_USER'];
+ }
+}
+
+$app->register(new SecurityServiceProvider(), $firewall);
 $app->register(new SessionServiceProvider());
 $app->register(new RememberMeServiceProvider());
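Review bot: The outer `if` tests the three flags loosely while the inner checks use `=== true`, so a truthy non-boolean value such as `1` or `'true'` enters the block, fails the strict test, and no `ROLE_USER` rule is added for it (for the view and embed flags the `else` branch even adds the prefix to the exemption list) — the setting fails open without any error. Use one test in both places, e.g. `if ($app['login_required_to_view_gist']) {` for each of the three inner checks. The negative lookahead built from `$exceptedUriPattern` is a bare prefix match, so any route whose first segment merely begins with `login`, `register`, `view`, `revs` or `embed` is exempt; closing the group with `(?:/|$)` would tie it to whole segments, assuming the exempt routes have that shape (the route table is not in this hunk). Every rule starts with `^/[a-z]{2}/` and only the `view`, `revs` and `embed` prefixes get explicit rules, so routes without a locale prefix, or other routes that return gist content when only the view flag is set, would stay anonymous; that is worth confirming against the routes. `$securityRegexp` is assigned but never used; either build the patterns from it or drop it.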