Ejemplo n.º 1
 /**
  * Grants the given role the widest group mask on every extension's root object identity.
  *
  * The anonymous role is skipped and receives no entries from this method.
  * For each mask builder the GROUP_SYSTEM constant is preferred; builders that
  * do not define it fall back to GROUP_ALL.
  *
  * NOTE(review): any non-anonymous role passed in ends up with the mask the
  * original author calls "full access" on the root OID of every extension, so
  * callers are the only place where the set of roles is restricted.
  *
  * @param Role $role
  */
 protected function loadAcls(Role $role)
 {
     if ($role->getRole() === User::ROLE_ANONYMOUS) {
         // Anonymous users never get a root-level entry here.
         return;
     }

     $acl = $this->aclManager;
     $sid = $acl->getSid($role);

     foreach ($acl->getAllExtensions() as $extension) {
         $rootOid = $acl->getRootOid($extension->getExtensionKey());

         foreach ($extension->getAllMaskBuilders() as $maskBuilder) {
             // Pick the widest group constant this builder knows about.
             $groupName = $maskBuilder->hasConst('GROUP_SYSTEM') ? 'GROUP_SYSTEM' : 'GROUP_ALL';

             // The trailing `true` is presumably the "granting" flag - confirm against AclManager.
             $acl->setPermission($sid, $rootOid, $maskBuilder->getConst($groupName), true);
         }
     }
 }
Ejemplo n.º 2
 /**
  * Grants the given role the widest group mask on every extension's root object identity.
  *
  * GROUP_SYSTEM is used when the mask builder defines it, otherwise GROUP_ALL.
  *
  * NOTE(review): this method does not filter roles at all (there is no
  * anonymous-role guard), so whichever role the caller passes receives the
  * "full access" mask on every root OID. Restricting that is the caller's job.
  *
  * @param AclManager $manager
  * @param Role       $role
  *
  * @see Oro\Bundle\SecurityBundle\DataFixtures\ORM\LoadAclRoles
  */
 protected function loadAcls(AclManager $manager, Role $role)
 {
     $sid = $manager->getSid($role);

     foreach ($manager->getAllExtensions() as $extension) {
         $rootOid = $manager->getRootOid($extension->getExtensionKey());

         foreach ($extension->getAllMaskBuilders() as $maskBuilder) {
             // Prefer the system-level group; fall back to GROUP_ALL when it is not defined.
             $groupName = $maskBuilder->hasConst('GROUP_SYSTEM') ? 'GROUP_SYSTEM' : 'GROUP_ALL';

             // The trailing `true` is presumably the "granting" flag - confirm against AclManager.
             $manager->setPermission($sid, $rootOid, $maskBuilder->getConst($groupName), true);
         }
     }
 }
Ejemplo n.º 3
 /**
  * Fills the per-extension context consumed by savePrivileges.
  *
  * For every ACL extension the context entry gets three keys: 'extension',
  * 'maskBuilders' and 'rootMasks'. Root masks come from the submitted root
  * privilege when $rootKeys names one for the extension; otherwise they are
  * read from the ACEs already stored for $sid on the extension's root OID and
  * padded with an empty mask for every mask builder not yet represented.
  *
  * NOTE(review): denying ACEs are skipped when reading stored entries, so an
  * explicit deny on the root OID does not influence the root masks built here.
  * NOTE(review): $privileges[$rootKeys[$extensionKey]] is dereferenced without
  * checking that the entry exists - confirm the caller guarantees it.
  *
  * @param array $context   filled in place, keyed by extension key
  * @param array $rootKeys  extension key => key of the root privilege in $privileges
  * @param SID $sid
  * @param ArrayCollection|AclPrivilege[] $privileges
  */
 protected function initSaveContext(array &$context, array $rootKeys, SID $sid, ArrayCollection $privileges)
 {
     foreach ($this->manager->getAllExtensions() as $extension) {
         $key = $extension->getExtensionKey();

         /** @var MaskBuilder[] $builders */
         $builders = array();
         $this->prepareMaskBuilders($builders, $extension);
         $context[$key] = array('extension' => $extension, 'maskBuilders' => $builders);

         if (!isset($rootKeys[$key])) {
             // No root privilege was submitted: start from what is already stored.
             $masks = array();
             $rootOid = $this->manager->getRootOid($extension->getExtensionKey());
             foreach ($this->manager->getAces($sid, $rootOid) as $ace) {
                 // Only granting entries are taken into account; denying ACEs are not supported.
                 if ($ace->isGranting()) {
                     $masks[] = $ace->getMask();
                 }
             }

             // Make sure every mask builder is represented, adding its empty mask if needed.
             foreach ($extension->getAllMaskBuilders() as $maskBuilder) {
                 $blankMask = $maskBuilder->get();
                 $represented = false;
                 foreach ($masks as $knownMask) {
                     // Two masks belong to the same builder when their service bits match.
                     if ($extension->getServiceBits($blankMask) === $extension->getServiceBits($knownMask)) {
                         $represented = true;
                         break;
                     }
                 }
                 if (!$represented) {
                     $masks[] = $blankMask;
                 }
             }
         } else {
             // A root privilege was submitted: translate its permissions into masks.
             $rootPrivilege = $privileges[$rootKeys[$key]];
             $masks = $this->getPermissionMasks($rootPrivilege->getPermissions(), $extension, $builders);
         }

         $context[$key]['rootMasks'] = $masks;
     }
 }
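 /**
  * Grants the buyer role a fixed set of permissions on the shopping list entity.
  *
  * When ACL is disabled nothing is written. For each entity ACL extension the
  * mask is rebuilt from a reset builder, so only VIEW_BASIC, CREATE_BASIC,
  * EDIT_BASIC and DELETE_BASIC end up in the mask passed to setPermission().
  *
  * The frontend ownership-provider emulation is always stopped, even when an
  * ACL call throws. Without that, an exception would leave the shared chain
  * provider in emulation mode for whatever runs next in the same process
  * (presumably affecting how later ownership/ACL lookups resolve - confirm).
  *
  * @param ObjectManager $manager
  * @param AclManager    $aclManager
  */
 protected function setBuyerShoppingListPermissions(ObjectManager $manager, AclManager $aclManager)
 {
     $chainMetadataProvider = $this->container->get('oro_security.owner.metadata_provider.chain');
     $allowedAcls = ['VIEW_BASIC', 'CREATE_BASIC', 'EDIT_BASIC', 'DELETE_BASIC'];
     $role = $this->getBuyerRole($manager);

     if (!$aclManager->isAclEnabled()) {
         return;
     }

     $sid = $aclManager->getSid($role);
     $className = $this->container->getParameter('orob2b_shopping_list.entity.shopping_list.class');

     foreach ($aclManager->getAllExtensions() as $extension) {
         if (!$extension instanceof EntityAclExtension) {
             continue;
         }

         $chainMetadataProvider->startProviderEmulation(FrontendOwnershipMetadataProvider::ALIAS);
         try {
             $oid = $aclManager->getOid('entity:' . $className);
             $builder = $aclManager->getMaskBuilder($oid);

             // Start from an empty mask so nothing outside $allowedAcls is granted.
             $mask = $builder->reset()->get();
             foreach ($allowedAcls as $acl) {
                 $mask = $builder->add($acl)->get();
             }

             $aclManager->setPermission($sid, $oid, $mask);
         } finally {
             // Emulation is process-wide state on a shared service; never leave it switched on.
             $chainMetadataProvider->stopProviderEmulation();
         }
     }
 }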
Ejemplo n.º 5
 /**
  * Sets the root-level permissions of the ROLE_USER role for every ACL extension.
  *
  * Mask selection per mask builder:
  *  - no GROUP_BASIC constant             -> GROUP_NONE
  *  - GROUP_BASIC and MASK_VIEW_SYSTEM    -> MASK_VIEW_SYSTEM only
  *  - GROUP_BASIC without MASK_VIEW_SYSTEM -> GROUP_BASIC
  *
  * @todo Only the SYSTEM level is supported for now. Once BASIC-level masks
  *       work, MASK_VIEW_SYSTEM is meant to be combined with MASK_CREATE_BASIC,
  *       MASK_EDIT_BASIC, MASK_DELETE_BASIC, MASK_ASSIGN_BASIC and MASK_SHARE_BASIC.
  *
  * @param AclManager $manager
  */
 protected function loadUserRole(AclManager $manager)
 {
     $sid = $manager->getSid($this->getRole(LoadRolesData::ROLE_USER));

     foreach ($manager->getAllExtensions() as $extension) {
         $rootOid = $manager->getRootOid($extension->getExtensionKey());

         foreach ($extension->getAllMaskBuilders() as $maskBuilder) {
             if (!$maskBuilder->hasConst('GROUP_BASIC')) {
                 // Builders without a BASIC group get the explicit "nothing" mask.
                 $constName = 'GROUP_NONE';
             } elseif ($maskBuilder->hasConst('MASK_VIEW_SYSTEM')) {
                 // View-only at system level; see the @todo in the docblock.
                 $constName = 'MASK_VIEW_SYSTEM';
             } else {
                 $constName = 'GROUP_BASIC';
             }

             // The trailing `true` is presumably the "granting" flag - confirm against AclManager.
             $manager->setPermission($sid, $rootOid, $maskBuilder->getConst($constName), true);
         }
     }
 }
Ejemplo n.º 6
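 /**
  * Grants a role exactly the listed permissions on one entity class.
  *
  * When ACL is disabled nothing is written. For each entity ACL extension the
  * mask is rebuilt from a reset builder, so only the names in $allowedAcls end
  * up in the mask passed to setPermission().
  *
  * The frontend ownership-provider emulation is always stopped, even when an
  * ACL call throws. Without that, an exception would leave the shared chain
  * provider in emulation mode for whatever runs next in the same process
  * (presumably affecting how later ownership/ACL lookups resolve - confirm).
  *
  * @param AclManager $aclManager
  * @param AccountUserRole $role
  * @param string $className    entity class name, appended to the 'entity:' descriptor prefix
  * @param array $allowedAcls   permission names handed to the mask builder's add()
  */
 protected function setRolePermissions(AclManager $aclManager, AccountUserRole $role, $className, array $allowedAcls)
 {
     /* @var $chainMetadataProvider ChainMetadataProvider */
     $chainMetadataProvider = $this->container->get('oro_security.owner.metadata_provider.chain');

     if (!$aclManager->isAclEnabled()) {
         return;
     }

     $sid = $aclManager->getSid($role);

     foreach ($aclManager->getAllExtensions() as $extension) {
         if (!$extension instanceof EntityAclExtension) {
             continue;
         }

         $chainMetadataProvider->startProviderEmulation(FrontendOwnershipMetadataProvider::ALIAS);
         try {
             $oid = $aclManager->getOid('entity:' . $className);
             $builder = $aclManager->getMaskBuilder($oid);

             // Start from an empty mask so nothing outside $allowedAcls is granted.
             $mask = $builder->reset()->get();
             foreach ($allowedAcls as $acl) {
                 $mask = $builder->add($acl)->get();
             }

             $aclManager->setPermission($sid, $oid, $mask);
         } finally {
             // Emulation is process-wide state on a shared service; never leave it switched on.
             $chainMetadataProvider->stopProviderEmulation();
         }
     }
 }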
 /**
  * Grants a security identity the widest group mask on every extension's root object identity.
  *
  * GROUP_SYSTEM is used when the mask builder defines it, otherwise GROUP_ALL.
  *
  * NOTE(review): no check on the identity is made here; whoever $sid stands
  * for receives the "full access" mask on every root OID.
  *
  * @param AclManager $aclManager
  * @param SecurityIdentityInterface $sid
  */
 protected function setPermissionGroup(AclManager $aclManager, SecurityIdentityInterface $sid)
 {
     foreach ($aclManager->getAllExtensions() as $extension) {
         $rootOid = $aclManager->getRootOid($extension->getExtensionKey());

         foreach ($extension->getAllMaskBuilders() as $maskBuilder) {
             // Prefer the system-level group; fall back to GROUP_ALL when it is not defined.
             $groupName = $maskBuilder->hasConst('GROUP_SYSTEM') ? 'GROUP_SYSTEM' : 'GROUP_ALL';

             // The trailing `true` is presumably the "granting" flag - confirm against AclManager.
             $aclManager->setPermission($sid, $rootOid, $maskBuilder->getConst($groupName), true);
         }
     }
 }
 /**
  * Creates the buyer role and, when ACL is enabled, applies GROUP_NONE for every extension.
  *
  * The role is created and registered as a website default role first; the
  * permission baseline is only written if the ACL manager reports ACL as enabled.
  *
  * NOTE(review): the four-argument setPermissionGroup() called here is not
  * visible in this listing - confirm it applies the named group mask per
  * extension, so the role starts from "no permissions" before grants are added.
  *
  * @param ObjectManager $manager
  * @param AclManager $aclManager
  * @return AccountUserRole
  */
 protected function createBuyerRole(ObjectManager $manager, AclManager $aclManager)
 {
     $buyerRole = $this->createEntity(self::BUYER, $this->defaultRoles[self::BUYER]);
     $this->setWebsiteDefaultRoles($manager, $buyerRole);

     if (!$aclManager->isAclEnabled()) {
         // With ACL switched off there is nothing to initialise.
         return $buyerRole;
     }

     $sid = $aclManager->getSid($buyerRole);
     foreach ($aclManager->getAllExtensions() as $extension) {
         $this->setPermissionGroup($aclManager, $extension, $sid, 'GROUP_NONE');
     }

     return $buyerRole;
 }