/** * Guess organization to login into. Basically for single organization scenario it will be always the same * organization where user was created. * * @param OrganizationAwareUserInterface $user * @param TokenInterface $token * * @return null|Organization */ public function guess(OrganizationAwareUserInterface $user, TokenInterface $token) { if ($token instanceof OrganizationContextTokenInterface && $token->getOrganizationContext()) { return $token->getOrganizationContext(); } $activeOrganizations = $user->getOrganizations(true); $creatorOrganization = $user->getOrganization(); return $activeOrganizations->contains($creatorOrganization) ? $creatorOrganization : $activeOrganizations->first(); }
/** * {@inheritDoc} */ public function vote(TokenInterface $token, $object, array $attributes) { if (!$object || !is_object($object)) { return self::ACCESS_ABSTAIN; } $objectClass = ClassUtils::getClass($object); if (!$this->supportsClass($objectClass)) { return self::ACCESS_ABSTAIN; } foreach ($attributes as $attribute) { if (!$this->supportsAttribute($attribute)) { return self::ACCESS_ABSTAIN; } } $object = $this->convertToSupportedObject($object, $objectClass); /** @var EmailUser[] $emailUsers */ $emailUsers = $object->getEmailUsers(); foreach ($attributes as $attribute) { foreach ($emailUsers as $emailUser) { if ($this->container->get('oro_security.security_facade')->isGranted($attribute, $emailUser)) { return self::ACCESS_GRANTED; } if ($mailbox = $emailUser->getMailboxOwner() !== null && $token instanceof UsernamePasswordOrganizationToken) { $repo = $this->container->get('doctrine')->getRepository('OroEmailBundle:Mailbox'); $mailboxes = $repo->findAvailableMailboxes($token->getUser(), $token->getOrganizationContext()); if (in_array($mailbox, $mailboxes)) { return self::ACCESS_GRANTED; } } } } return self::ACCESS_DENIED; }
/** * @param EntityManager $entityManager * @param TokenInterface $token */ protected function assertTokenEntities(EntityManager $entityManager, TokenInterface $token) { $unitOfWork = $entityManager->getUnitOfWork(); $this->assertEquals(UnitOfWork::STATE_MANAGED, $unitOfWork->getEntityState($token->getUser())); if ($token instanceof OrganizationContextTokenInterface) { $this->assertEquals(UnitOfWork::STATE_MANAGED, $unitOfWork->getEntityState($token->getOrganizationContext())); } }
/** * @param TokenInterface $token * @param ConfigInterface $config * @param object $entity */ protected function setDefaultOrganization(TokenInterface $token, ConfigInterface $config, $entity) { if ($token instanceof OrganizationContextTokenInterface && $config->has('organization_field_name')) { $accessor = PropertyAccess::createPropertyAccessor(); $fieldName = $config->get('organization_field_name'); if (!$accessor->getValue($entity, $fieldName)) { $accessor->setValue($entity, $fieldName, $token->getOrganizationContext()); } } }
/** * @SuppressWarnings(PHPMD.NPathComplexity) * @SuppressWarnings(PHPMD.CyclomaticComplexity) * {@inheritdoc} */ public function decideIsGranting($triggeredMask, $object, TokenInterface $securityToken) { $accessLevel = $this->getAccessLevel($triggeredMask); if ($accessLevel === AccessLevel::SYSTEM_LEVEL) { return true; } // check whether we check permissions for a domain object if ($object === null || !is_object($object) || $object instanceof ObjectIdentityInterface) { return true; } $metadata = $this->getMetadata($object); if (!$metadata->hasOwner()) { return true; } $organization = null; if ($securityToken instanceof OrganizationContextTokenInterface) { $organization = $securityToken->getOrganizationContext(); } $result = false; if (AccessLevel::BASIC_LEVEL === $accessLevel) { $result = $this->decisionMaker->isAssociatedWithUser($securityToken->getUser(), $object, $organization); } else { if ($metadata->isUserOwned()) { $result = $this->decisionMaker->isAssociatedWithUser($securityToken->getUser(), $object, $organization); } if (!$result) { if (AccessLevel::LOCAL_LEVEL === $accessLevel) { $result = $this->decisionMaker->isAssociatedWithBusinessUnit($securityToken->getUser(), $object, false, $organization); } elseif (AccessLevel::DEEP_LEVEL === $accessLevel) { $result = $this->decisionMaker->isAssociatedWithBusinessUnit($securityToken->getUser(), $object, true, $organization); } elseif (AccessLevel::GLOBAL_LEVEL === $accessLevel) { $result = $this->decisionMaker->isAssociatedWithOrganization($securityToken->getUser(), $object, $organization); } } } return $result; }
/** * {@inheritdoc} */ public function loginSuccess(Request $request, Response $response, TokenInterface $token) { // Make sure any old remember-me cookies are cancelled $this->cancelCookie($request); if (!$token->getUser() instanceof UserInterface) { if (null !== $this->logger) { $this->logger->debug('Organization Remember-me ignores token since it does not contain a UserInterface implementation.'); } return; } if (!$this->isRememberMeRequested($request)) { if (null !== $this->logger) { $this->logger->debug('Organization Remember-me was not requested.'); } return; } if (null !== $this->logger) { $this->logger->debug('Organization Remember-me was requested; setting cookie.'); } $request->attributes->remove(self::COOKIE_ATTR_NAME); $user = $token->getUser(); $expires = time() + $this->options['lifetime']; $value = $this->generateCookieValue(get_class($user), $user->getUsername(), $expires, $user->getPassword(), $token->getOrganizationContext()->getId()); $response->headers->setCookie(new Cookie($this->options['name'], $value, $expires, $this->options['path'], $this->options['domain'], $this->options['secure'], $this->options['httponly'])); }