/**
* Assigns a role to the given user.
*
* @throws \eZ\Publish\API\Repository\Exceptions\UnauthorizedException if the authenticated user is not allowed to assign a role
* @throws \eZ\Publish\API\Repository\Exceptions\LimitationValidationException if $roleLimitation is not valid
* @throws \eZ\Publish\API\Repository\Exceptions\InvalidArgumentException If assignment already exists
*
* @param \eZ\Publish\API\Repository\Values\User\Role $role
* @param \eZ\Publish\API\Repository\Values\User\User $user
* @param \eZ\Publish\API\Repository\Values\User\Limitation\RoleLimitation $roleLimitation an optional role limitation (which is either a subtree limitation or section limitation)
*/
public function assignRoleToUser(APIRole $role, User $user, RoleLimitation $roleLimitation = null)
{
if ($this->repository->canUser('role', 'assign', $user, $role) !== true) {
throw new UnauthorizedException('role', 'assign');
}
if ($roleLimitation === null) {
$limitation = null;
} else {
$limitationValidationErrors = $this->limitationService->validateLimitation($roleLimitation);
if (!empty($limitationValidationErrors)) {
throw new LimitationValidationException($limitationValidationErrors);
}
$limitation = array($roleLimitation->getIdentifier() => $roleLimitation->limitationValues);
}
// Check if objects exists
$spiRole = $this->userHandler->loadRole($role->id);
$spiUser = $this->userHandler->load($user->id);
$limitation = $this->checkAssignmentAndFilterLimitationValues($spiUser->id, $spiRole, $limitation);
$this->repository->beginTransaction();
try {
$this->userHandler->assignRole($spiUser->id, $spiRole->id, $limitation);
$this->repository->commit();
} catch (Exception $e) {
$this->repository->rollback();
throw $e;
}
}
/**
* Loads a role for the given id
*
* @throws \eZ\Publish\API\Repository\Exceptions\UnauthorizedException if the authenticated user is not allowed to read this role
* @throws \eZ\Publish\API\Repository\Exceptions\NotFoundException if a role with the given id was not found
*
* @param mixed $id
*
* @return \eZ\Publish\API\Repository\Values\User\Role
*/
public function loadRole($id)
{
if ($this->repository->hasAccess('role', 'read') !== true) {
throw new UnauthorizedException('role', 'read');
}
$spiRole = $this->userHandler->loadRole($id);
return $this->buildDomainRoleObject($spiRole);
}
public function hasAccess($module, $function, APIUserReference $userReference = null)
{
// Full access if sudo nesting level is set by {@see sudo()}
if ($this->sudoNestingLevel > 0) {
return true;
}
if ($userReference === null) {
$userReference = $this->getCurrentUserReference();
}
// Uses SPI to avoid triggering permission checks in Role/User service
$permissionSets = array();
$spiRoleAssignments = $this->userHandler->loadRoleAssignmentsByGroupId($userReference->getUserId(), true);
foreach ($spiRoleAssignments as $spiRoleAssignment) {
$permissionSet = array('limitation' => null, 'policies' => array());
$spiRole = $this->userHandler->loadRole($spiRoleAssignment->roleId);
foreach ($spiRole->policies as $spiPolicy) {
if ($spiPolicy->module === '*' && $spiRoleAssignment->limitationIdentifier === null) {
return true;
}
if ($spiPolicy->module !== $module && $spiPolicy->module !== '*') {
continue;
}
if ($spiPolicy->function === '*' && $spiRoleAssignment->limitationIdentifier === null) {
return true;
}
if ($spiPolicy->function !== $function && $spiPolicy->function !== '*') {
continue;
}
if ($spiPolicy->limitations === '*' && $spiRoleAssignment->limitationIdentifier === null) {
return true;
}
$permissionSet['policies'][] = $this->roleDomainMapper->buildDomainPolicyObject($spiPolicy);
}
if (!empty($permissionSet['policies'])) {
if ($spiRoleAssignment->limitationIdentifier !== null) {
$permissionSet['limitation'] = $this->limitationService->getLimitationType($spiRoleAssignment->limitationIdentifier)->buildValue($spiRoleAssignment->values);
}
$permissionSets[] = $permissionSet;
}
}
if (!empty($permissionSets)) {
return $permissionSets;
}
return false;
// No policies matching $module and $function, or they contained limitations
}
