To be able to initialize, there needs to be an ActionRequest available, usually that is
provided by the MVC router.
| public canBeInitialized ( ) : boolean | ||
| return | boolean | |
/**
* Try to set the current account identifier emitting the events, if possible
*
* @return void
*/
protected function initializeAccountIdentifier()
{
if ($this->securityContext->canBeInitialized()) {
$account = $this->securityContext->getAccount();
if ($account !== null) {
$this->eventEmittingService->setCurrentAccountIdentifier($account->getAccountIdentifier());
}
}
}
/**
* Returns TRUE, if at least one of the currently authenticated accounts holds
* a role with the given identifier, also recursively.
*
* @param string $roleIdentifier The string representation of the role to search for
* @return boolean TRUE, if a role with the given string representation was found
*/
public function hasRole($roleIdentifier)
{
if ($roleIdentifier === 'Neos.Flow:Everybody') {
return true;
}
if ($this->securityContext->canBeInitialized()) {
return $this->securityContext->hasRole($roleIdentifier);
}
return false;
}
/**
* Gets the SQL query part to add to a query.
*
* @param ClassMetaData $targetEntity Metadata object for the target entity to be filtered
* @param string $targetTableAlias The target table alias used in the current query
* @return string The constraint SQL if there is available, empty string otherwise
*/
public function addFilterConstraint(ClassMetadata $targetEntity, $targetTableAlias)
{
$this->initializeDependencies();
/*
* TODO: Instead of checking for class account we could introduce some interface for white listing entities from entity security checks
* Problem with checking the Account is, that this filter calls getRoles() on the security context while accounts are not
* yet fully initialized. By this we get a half built account object that will end up in access denied exception,
* as it has no roles (and other properties) set
*/
if ($this->securityContext->areAuthorizationChecksDisabled() || $targetEntity->getName() === Account::class) {
return '';
}
if (!$this->securityContext->isInitialized()) {
if (!$this->securityContext->canBeInitialized()) {
return '';
}
$this->securityContext->initialize();
}
// This is needed to include the current context of roles into query cache identifier
$this->setParameter('__contextHash', $this->securityContext->getContextHash(), 'string');
$sqlConstraints = [];
$grantedConstraints = [];
$deniedConstraints = [];
foreach ($this->securityContext->getRoles() as $role) {
$entityPrivileges = $role->getPrivilegesByType(EntityPrivilegeInterface::class);
/** @var EntityPrivilegeInterface $privilege */
foreach ($entityPrivileges as $privilege) {
if (!$privilege->matchesEntityType($targetEntity->getName())) {
continue;
}
$sqlConstraint = $privilege->getSqlConstraint($targetEntity, $targetTableAlias);
if ($sqlConstraint === null) {
continue;
}
$sqlConstraints[] = ' NOT (' . $sqlConstraint . ')';
if ($privilege->isGranted()) {
$grantedConstraints[] = ' NOT (' . $sqlConstraint . ')';
} elseif ($privilege->isDenied()) {
$deniedConstraints[] = ' NOT (' . $sqlConstraint . ')';
}
}
}
$grantedConstraints = array_diff($grantedConstraints, $deniedConstraints);
$effectiveConstraints = array_diff($sqlConstraints, $grantedConstraints);
if (count($effectiveConstraints) > 0) {
return ' (' . implode(') AND (', $effectiveConstraints) . ') ';
}
return '';
}
/**
* Tells if this node may be accessed according to the current security context.
*
* @return boolean
*/
public function isAccessible()
{
if ($this->hasAccessRestrictions() === false) {
return true;
}
if ($this->securityContext->canBeInitialized() === false) {
return true;
}
foreach ($this->accessRoles as $roleName) {
if ($this->securityContext->hasRole($roleName)) {
return true;
}
}
return false;
}
/**
* Returns the currently logged in user, if any
*
* @return User The currently logged in user, or null
* @api
*/
public function getCurrentUser()
{
if ($this->securityContext->canBeInitialized() === true) {
$account = $this->securityContext->getAccount();
if ($account !== null) {
return $this->getUser($account->getAccountIdentifier());
}
}
return null;
}
