Beispiel #1
0
 /**
  * Returns the roles assigned to the given user group.
  *
  * @throws \eZ\Publish\API\Repository\Exceptions\UnauthorizedException if the authenticated user is not allowed to read a role
  *
  * @param \eZ\Publish\API\Repository\Values\User\UserGroup $userGroup
  *
  * @return \eZ\Publish\API\Repository\Values\User\UserGroupRoleAssignment[]
  */
 public function getRoleAssignmentsForUserGroup(UserGroup $userGroup)
 {
     if ($this->repository->hasAccess('role', 'read') !== true) {
         throw new UnauthorizedException('role', 'read');
     }
     $roleAssignments = array();
     $spiRoleAssignments = $this->userHandler->loadRoleAssignmentsByGroupId($userGroup->id);
     foreach ($spiRoleAssignments as $spiRoleAssignment) {
         $role = $this->loadRole($spiRoleAssignment->roleId);
         $roleAssignments[] = $this->roleDomainMapper->buildDomainUserGroupRoleAssignmentObject($spiRoleAssignment, $userGroup, $role);
     }
     return $roleAssignments;
 }
 public function hasAccess($module, $function, APIUserReference $userReference = null)
 {
     // Full access if sudo nesting level is set by {@see sudo()}
     if ($this->sudoNestingLevel > 0) {
         return true;
     }
     if ($userReference === null) {
         $userReference = $this->getCurrentUserReference();
     }
     // Uses SPI to avoid triggering permission checks in Role/User service
     $permissionSets = array();
     $spiRoleAssignments = $this->userHandler->loadRoleAssignmentsByGroupId($userReference->getUserId(), true);
     foreach ($spiRoleAssignments as $spiRoleAssignment) {
         $permissionSet = array('limitation' => null, 'policies' => array());
         $spiRole = $this->userHandler->loadRole($spiRoleAssignment->roleId);
         foreach ($spiRole->policies as $spiPolicy) {
             if ($spiPolicy->module === '*' && $spiRoleAssignment->limitationIdentifier === null) {
                 return true;
             }
             if ($spiPolicy->module !== $module && $spiPolicy->module !== '*') {
                 continue;
             }
             if ($spiPolicy->function === '*' && $spiRoleAssignment->limitationIdentifier === null) {
                 return true;
             }
             if ($spiPolicy->function !== $function && $spiPolicy->function !== '*') {
                 continue;
             }
             if ($spiPolicy->limitations === '*' && $spiRoleAssignment->limitationIdentifier === null) {
                 return true;
             }
             $permissionSet['policies'][] = $this->roleDomainMapper->buildDomainPolicyObject($spiPolicy);
         }
         if (!empty($permissionSet['policies'])) {
             if ($spiRoleAssignment->limitationIdentifier !== null) {
                 $permissionSet['limitation'] = $this->limitationService->getLimitationType($spiRoleAssignment->limitationIdentifier)->buildValue($spiRoleAssignment->values);
             }
             $permissionSets[] = $permissionSet;
         }
     }
     if (!empty($permissionSets)) {
         return $permissionSets;
     }
     return false;
     // No policies matching $module and $function, or they contained limitations
 }