protected function voteOnAttribute($attribute, $subject, TokenInterface $token)
{
$user = $token->getUser();
/** @var Estate */
$estate = $subject;
if (!$user instanceof UserInterface) {
return false;
}
switch ($attribute) {
case self::VIEW:
if ($this->decisionManager->decide($token, array('ROLE_ADMIN', 'ROLE_MANAGER'))) {
return true;
}
break;
case self::CREATE:
if ($this->decisionManager->decide($token, array('ROLE_ADMIN', 'ROLE_MANAGER'))) {
return true;
}
break;
case self::EDIT:
if ($user->getUsername() === $estate->getCreatedBy() || $this->decisionManager->decide($token, array('ROLE_ADMIN'))) {
return true;
}
break;
case self::REMOVE:
if ($user->getUsername() === $estate->getCreatedBy() || $this->decisionManager->decide($token, array('ROLE_ADMIN'))) {
return true;
}
break;
}
return false;
}
protected function voteOnAttribute($attribute, $subject, TokenInterface $token)
{
$user = $token->getUser();
/** @var Post */
$post = $subject;
// $subject must be a Post instance, thanks to the supports method
if (!$user instanceof UserInterface) {
return false;
}
switch ($attribute) {
case self::CREATE:
// if the user is an admin, allow them to create new posts
if ($this->decisionManager->decide($token, array('ROLE_ADMIN'))) {
return true;
}
break;
case self::EDIT:
// if the user is the author of the post, allow them to edit the posts
if ($user->getEmail() === $post->getAuthorEmail() || $this->decisionManager->decide($token, array('ROLE_ADMIN'))) {
return true;
}
break;
case self::REMOVE:
// if the user is the author of the post, allow them to edit the posts
if ($user->getEmail() === $post->getAuthorEmail() || $this->decisionManager->decide($token, array('ROLE_ADMIN'))) {
return true;
}
break;
}
return false;
}
protected function voteOnAttribute($attribute, $subject, TokenInterface $token)
{
$user = $token->getUser();
/** @var Post */
$post = $subject;
// $subject must be a Post instance, thanks to the supports method
if (!$user instanceof Users) {
// the user must be logged in; if not, deny access
return false;
}
// you know $subject is a Post object, thanks to supports
/** @var Post $post */
$post = $subject;
switch ($attribute) {
case self::DELETE:
if ($this->decisionManager->decide($token, array('ROLE_ADMIN'))) {
return true;
} else {
return $this->canDelete($post, $user);
}
break;
case self::EDIT:
if ($this->decisionManager->decide($token, array('ROLE_ADMIN'))) {
return true;
} else {
return $this->canEdit($post, $user);
}
break;
}
throw new \LogicException('This code should not be reached!');
}
protected function voteOnAttribute($attribute, $subject, TokenInterface $token)
{
$user = $token->getUser();
/** @var Comment */
$comment = $subject;
// $subject must be a Comment instance, thanks to the supports method
if (!$user instanceof UserInterface) {
return false;
}
switch ($attribute) {
case self::CREATE:
// if the user is an admin, allow them to create new comments
if ($this->decisionManager->decide($token, array('ROLE_ADMIN', 'ROLE_MODERATOR', 'ROLE_USER'))) {
return true;
}
break;
case self::EDIT || self::DELETE:
// if the user is the author of the comment or admin or moderator, allow them to edit the comments
if ($comment->isAuthor($user) || $this->decisionManager->decide($token, array('ROLE_ADMIN')) || $this->decisionManager->decide($token, array('ROLE_MODERATOR')) && $this->canYouDoIt($comment, $user)) {
return true;
}
break;
}
return false;
}
protected function voteOnAttribute($attribute, $subject, TokenInterface $token)
{
$user = $token->getUser();
if ($this->decisionManager->decide($token, array('ROLE_ADMIN'))) {
return true;
}
if (!$user instanceof Users) {
// the user must be logged in; if not, deny access
return false;
}
// you know $subject is a Post object, thanks to supports
/** @var Users $edit_user */
$edit_user = $subject;
switch ($attribute) {
case self::EDIT:
return $this->canEdit($edit_user, $user);
}
throw new \LogicException('This code should not be reached!');
}
/**
* @param MethodInvocation $method
* @return mixed
* @throws \Exception
* @throws RuntimeException
* @throws AuthenticationCredentialsNotFoundException
* @throws AccessDeniedException
*/
public function intercept(MethodInvocation $method)
{
$metadata = $this->metadataFactory->getMetadataForClass($method->reflection->class);
// no security metadata, proceed
if (empty($metadata) || !isset($metadata->methodMetadata[$method->reflection->name])) {
return $method->proceed();
}
$metadata = $metadata->methodMetadata[$method->reflection->name];
if (null === ($token = $this->tokenStorage->getToken())) {
throw new AuthenticationCredentialsNotFoundException('The TokenStorage was not populated with a Token.');
}
if ($this->alwaysAuthenticate || !$token->isAuthenticated()) {
$token = $this->authenticationManager->authenticate($token);
$this->tokenStorage->setToken($token);
}
if (!empty($metadata->roles) && false === $this->accessDecisionManager->decide($token, $metadata->roles, $method)) {
throw new AccessDeniedException('Token does not have the required roles.');
}
if (!empty($metadata->paramPermissions)) {
foreach ($method->arguments as $index => $argument) {
if (null !== $argument && isset($metadata->paramPermissions[$index]) && false === $this->accessDecisionManager->decide($token, $metadata->paramPermissions[$index], $argument)) {
throw new AccessDeniedException(sprintf('Token does not have the required permissions for method "%s::%s".', $method->reflection->class, $method->reflection->name));
}
}
}
$runAsToken = null;
if (!empty($metadata->runAsRoles)) {
$runAsToken = $this->runAsManager->buildRunAs($token, $method, $metadata->runAsRoles);
if (null !== $this->logger) {
$this->logger->debug('Populating TokenStorage with RunAsToken');
}
if (null === $runAsToken) {
throw new RuntimeException('RunAsManager must not return null from buildRunAs().');
}
$this->tokenStorage->setToken($runAsToken);
}
try {
$returnValue = $method->proceed();
if (null !== $runAsToken) {
$this->restoreOriginalToken($runAsToken);
}
if (empty($metadata->returnPermissions)) {
return $returnValue;
}
return $this->afterInvocationManager->decide($this->tokenStorage->getToken(), $method, $metadata->returnPermissions, $returnValue);
} catch (\Exception $failed) {
if (null !== $runAsToken) {
$this->restoreOriginalToken($runAsToken);
}
throw $failed;
}
}
protected function voteOnAttribute($attribute, $subject, TokenInterface $token)
{
$user = $token->getUser();
/** @var Article */
$article = $subject;
// $subject must be a Comment instance, thanks to the supports method
if (!$user instanceof UserInterface) {
return false;
}
switch ($attribute) {
case self::CREATE:
if ($this->decisionManager->decide($token, array('ROLE_ADMIN', 'ROLE_MODERATOR'))) {
return true;
}
break;
case self::EDIT || self::DELETE:
// if the user is an admin or author, allow them edit or delete an article
if ($this->decisionManager->decide($token, array('ROLE_ADMIN')) || $user->getEmail() === $article->getAuthorEmail()) {
return true;
}
}
return false;
}
/**
* {@inheritdoc}
*/
public function isGranted($attributes, $object = null)
{
if (!is_array($attributes)) {
$attributes = array($attributes);
}
if (1 === count($attributes) && self::VIEW_ATTRIBUTE === reset($attributes) && null !== $this->tokenStorage->getToken() && $this->authorizationChecker->isGranted($this->bypassingRole)) {
return true;
}
$token = $this->tokenStorage->getToken();
// not logged in, just check with a dummy token
if (null === $token) {
$token = new AnonymousToken('', '');
}
return $this->accessDecisionManager->decide($token, $attributes, $object);
}
/**
*
* @param $attribute
* @param $subject
* @param TokenInterface $token
* @return bool
*/
protected function voteOnAttribute($attribute, $subject, TokenInterface $token)
{
$user = $token->getUser();
/** @var Lotissement */
$lotissement = $subject;
// $subject must be a Lotissement instance, thanks to the supports method
if (!$user instanceof UserInterface) {
return false;
}
switch ($attribute) {
case self::CREATE:
// if the user is an admin, allow them to create
if ($this->decisionManager->decide($token, array('ROLE_ADMIN'))) {
return true;
}
break;
case self::EDIT:
if ($user->getBloc() === $lotissement->getBloc()) {
return true;
}
break;
}
return false;
}
/**
* {@inheritDoc}
*/
public function isGranted($attributes, $object = null)
{
if (!is_array($attributes)) {
$attributes = array($attributes);
}
if (count($attributes) === 1 && self::VIEW_ATTRIBUTE === reset($attributes) && $this->container->has('security.context') && null !== $this->container->get('security.context')->getToken() && $this->container->get('security.context')->isGranted($this->bypassingRole)) {
return true;
}
$token = $this->getToken();
// not logged in, just check with a dummy token
if (null === $token) {
$token = new AnonymousToken('', '');
}
return $this->accessDecisionManager->decide($token, $attributes, $object);
}
/**
* {@inheritDoc}
*/
public function isGranted($attributes, $object = null)
{
if (!is_array($attributes)) {
$attributes = array($attributes);
}
$tokenStorage = $authorizationChecker = null;
if ($this->container->has('security.token_storage')) {
$tokenStorage = $this->container->get('security.token_storage');
$authorizationChecker = $this->container->get('security.authorization_checker');
} elseif ($this->container->has('security.context')) {
// to be BC with Symfony <2.6
$authorizationChecker = $tokenStorage = $this->container->get('security.context');
}
if (count($attributes) === 1 && self::VIEW_ATTRIBUTE === reset($attributes) && null !== $tokenStorage && null !== $tokenStorage->getToken() && $authorizationChecker->isGranted($this->bypassingRole)) {
return true;
}
$token = $this->getToken();
// not logged in, just check with a dummy token
if (null === $token) {
$token = new AnonymousToken('', '');
}
return $this->accessDecisionManager->decide($token, $attributes, $object);
}
/**
* {@inheritDoc}
*/
public function isGrantedRoles(array $roles, UserInterface $user)
{
$token = new UsernamePasswordToken($user, 'none', 'none', $user->getRoles());
return $this->decisionManager->decide($token, $roles);
}
/**
* @param TokenInterface $token
* @param array $role
*
* @return bool
*/
protected function isGranted(TokenInterface $token, array $roles) : bool
{
return $this->decisionManager->decide($token, $roles);
}
/**
* {@inheritdoc}
*/
public function userIsGrantedOnObject($user, $attributes, $object, $field = null)
{
return $this->accessDecisionManager->decide($this->getUserToken($user), (array) $attributes, $this->getObjectToSecure(AclIdentifierInterface::OID_TYPE_OBJECT, $object, $field));
}