/**
* @param FilterResponseEvent $event
*/
public function onKernelResponse(FilterResponseEvent $event)
{
if (!$event->isMasterRequest()) {
return;
}
try {
if (!$this->authorizationChecker->isGranted('ROLE_ADMIN')) {
return;
}
} catch (AuthenticationCredentialsNotFoundException $e) {
return;
}
$request = $event->getRequest();
if ($request->isXmlHttpRequest()) {
return;
}
$response = $event->getResponse();
if ($response->isRedirection() || false === strpos($response->headers->get('Content-Type', ''), 'text/html')) {
return;
}
$html = $this->editor->renderEditor($response);
if (!empty($html)) {
$this->injectEditor($response, $html);
}
}
public function onKernelRequest(GetResponseEvent $event, $eventName, EventDispatcherInterface $dispatcher)
{
if (HttpKernel::MASTER_REQUEST != $event->getRequestType()) {
// don't do anything if it's not the master request
return;
}
$token = $this->tokenStorage->getToken();
if (is_null($token) || $token instanceof OAuthToken || $this->authChecker->isGranted('IS_AUTHENTICATED_REMEMBERED') === false) {
return;
}
if (!$token->getUser() instanceof PersonInterface) {
// We don't have a PersonInterface... Nothing to do here.
return;
}
try {
$this->handleTargetPath($event);
$tasks = $this->checkTasks($event, $dispatcher);
if (!$tasks) {
$this->checkIntent($event);
}
$this->checkUnconfirmedEmail();
} catch (RedirectResponseException $e) {
$event->setResponse($e->getResponse());
}
}
/**
* {@inheritdoc}
*/
public function filter(QueryBuilder $qb, UserInterface $user = null)
{
if (!$this->isFilterable($qb)) {
throw new UserException('Query builder is not filterable.');
}
if (empty($user)) {
$user = $this->getUser();
if (empty($user)) {
return;
}
}
$userIds = $this->extendedMetadataFactory->getDoctrineMetadata($user)->getIdentifierValues($user);
$userId = reset($userIds);
if (empty($userId)) {
throw new UserException('User ID is empty.');
}
foreach (array_combine($qb->getRootAliases(), $qb->getRootEntities()) as $alias => $entity) {
$meta = $this->extendedMetadataFactory->getExtendedMetadata($entity)['user'];
if (empty($meta)) {
continue;
}
$filter = false;
foreach ($meta['roles'] as $role) {
if ($this->authorizationChecker->isGranted($role)) {
$filter = true;
break;
}
}
if (!$filter) {
continue;
}
$key = $meta['property'] . '_id';
$qb->innerJoin(sprintf('%s.%s', $alias, $meta['property']), $meta['property'])->andWhere(sprintf('%s = :%s', $meta['property'], $key))->setParameter($key, $userId);
}
}
public function checkIfUserIsGranted(FilterControllerEvent $event)
{
$request = $event->getRequest();
foreach ($request->attributes->get('_security', array()) as $rule) {
$roles = array();
if (isset($rule['roles']) && !empty($rule['roles'])) {
$roles = $rule['roles'];
} else {
throw new \RuntimeException('You should provide "roles" parameter.');
}
if (is_string($roles)) {
$roles = array($roles);
}
$subject = null;
$subjectName = isset($rule['subject']) ? $rule['subject'] : null;
if (!empty($subjectName)) {
if (!$request->attributes->has($subjectName)) {
throw new \RuntimeException(sprintf("Subject '%s' is not available in the request attributes.", $subjectName));
}
$subject = $request->attributes->get($subjectName);
}
if (!$this->checker->isGranted($roles, $subject)) {
throw new AccessDeniedException();
}
}
}
/**
* Renders the legacy website toolbar template.
*
* If the logged in user doesn't have the required permission, an empty response is returned
*
* @param mixed $locationId
* @param Request $request
*
* @return Response
*/
public function websiteToolbarAction($locationId, Request $request)
{
$response = new Response();
if (isset($this->csrfProvider)) {
$parameters['form_token'] = $this->csrfProvider->generateCsrfToken('legacy');
}
if ($this->previewHelper->isPreviewActive()) {
$template = 'design:parts/website_toolbar_versionview.tpl';
$previewedContent = $authValueObject = $this->previewHelper->getPreviewedContent();
$previewedVersionInfo = $previewedContent->versionInfo;
$parameters = array('object' => $previewedContent, 'version' => $previewedVersionInfo, 'language' => $previewedVersionInfo->initialLanguageCode, 'is_creator' => $previewedVersionInfo->creatorId === $this->getRepository()->getCurrentUser()->id);
} elseif ($locationId === null) {
return $response;
} else {
$authValueObject = $this->loadContentByLocationId($locationId);
$template = 'design:parts/website_toolbar.tpl';
$parameters = array('current_node_id' => $locationId, 'redirect_uri' => $request->attributes->get('semanticPathinfo'));
}
$authorizationAttribute = new AuthorizationAttribute('websitetoolbar', 'use', array('valueObject' => $authValueObject));
if (!$this->authChecker->isGranted($authorizationAttribute)) {
return $response;
}
$response->setContent($this->legacyTemplateEngine->render($template, $parameters));
return $response;
}
/**
* Determines if a node should be skipped from rendering based on the current
* user's role
*
* @param CreateMenuItemFromNodeEvent $event
*/
public function onCreateMenuItemFromNode(CreateMenuItemFromNodeEvent $event)
{
$node = $event->getNode();
if ($node instanceof MenuNode) {
$addRole = $node->getAddWhenGranted();
$removeRole = $node->getRemoveWhenGranted();
//This avoids issue when rendering error pages with menus
//Defaults all menu items with any role requirements to no be displayed
if ($this->token->getToken() === null) {
if ($addRole !== null || $removeRole !== null) {
$event->setSkipNode(true);
}
return;
}
if ($addRole !== null) {
if (!$this->security->isGranted($addRole)) {
$event->setSkipNode(true);
}
}
if ($removeRole !== null) {
if ($this->security->isGranted($removeRole)) {
$event->setSkipNode(true);
}
}
}
}
/**
* @throws NotImplementedException If Content is missing location as this is not supported in current version
*/
public function previewContentAction(Request $request, $contentId, $versionNo, $language, $siteAccessName = null)
{
$this->previewHelper->setPreviewActive(true);
try {
$content = $this->contentService->loadContent($contentId, array($language), $versionNo);
$location = $this->locationProvider->loadMainLocation($contentId);
if (!$location instanceof Location) {
throw new NotImplementedException("Preview for content without locations");
}
$this->previewHelper->setPreviewedContent($content);
$this->previewHelper->setPreviewedLocation($location);
} catch (UnauthorizedException $e) {
throw new AccessDeniedException();
}
if (!$this->authorizationChecker->isGranted(new AuthorizationAttribute('content', 'versionread', array('valueObject' => $content)))) {
throw new AccessDeniedException();
}
$siteAccess = $this->previewHelper->getOriginalSiteAccess();
// Only switch if $siteAccessName is set and different from original
if ($siteAccessName !== null && $siteAccessName !== $siteAccess->name) {
$siteAccess = $this->previewHelper->changeConfigScope($siteAccessName);
}
$response = $this->kernel->handle($this->getForwardRequest($location, $content, $siteAccess, $request), HttpKernelInterface::SUB_REQUEST);
$response->headers->remove('cache-control');
$response->headers->remove('expires');
$this->previewHelper->restoreConfigScope();
$this->previewHelper->setPreviewActive(false);
return $response;
}
/**
* {@inheritdoc}
*/
public function isGranted($action, $object)
{
if (!$this->parameterResolver->resolveVoter()) {
return true;
}
return $this->authorizationChecker->isGranted('lug.' . $action, $object);
}
public function onKernelResponse(FilterResponseEvent $event)
{
if (HttpKernelInterface::MASTER_REQUEST !== $event->getRequestType()) {
return;
}
$response = $event->getResponse();
$request = $event->getRequest();
// do not capture redirects or modify XML HTTP Requests
if ($request->isXmlHttpRequest()) {
return;
}
// do not capture admin cms urls
if (preg_match('/.*\\/admin\\/.*/', $request->getRequestUri())) {
return;
}
try {
$isGranted = $this->authorizationChecker->isGranted('ROLE_ADMIN');
} catch (AuthenticationCredentialsNotFoundException $e) {
$isGranted = false;
}
if (self::DISABLED === $this->mode || $response->isRedirection() || $response->headers->has('Content-Type') && false === strpos($response->headers->get('Content-Type'), 'html') || 'html' !== $request->getRequestFormat()) {
return;
}
$this->injectToolbar($response, $request);
}
/**
* Returns callback for configuration of grid/actions visibility per row
*
* @return callable
*/
public function getActionConfigurationClosure()
{
return function (ResultRecordInterface $record) {
$role = $record->getRootEntity();
return ['update' => $this->authorizationChecker->isGranted('EDIT', $role), 'delete' => $this->authorizationChecker->isGranted('DELETE', $role)];
};
}
function it_gets_customer_from_currently_logged_user(TokenStorageInterface $tokenStorage, AuthorizationCheckerInterface $authorizationChecker, TokenInterface $token, ShopUserInterface $user, CustomerInterface $customer)
{
$tokenStorage->getToken()->willReturn($token);
$authorizationChecker->isGranted('IS_AUTHENTICATED_REMEMBERED')->willReturn(true);
$token->getUser()->willReturn($user);
$user->getCustomer()->willReturn($customer);
$this->getCustomer()->shouldReturn($customer);
}
/**
* {@inheritdoc}
*/
public function can($transition, array $parameters = array())
{
$transition = $transition instanceof TransitionInterface ? $transition : $this->getTransition($transition);
if (!$this->authorizationChecker->isGranted($transition->getName(), $this->getObject())) {
return false;
}
return parent::can($transition, $parameters);
}
/**
* @return mixed
* @throws AccessDeniedException
*/
private function getUser()
{
if (!$this->authorizationChecker->isGranted('IS_AUTHENTICATED_FULLY')) {
throw new AccessDeniedException();
} else {
return $this->tokenStorage->getToken()->getUser();
}
}
/**
* @param \BackBee\Event\Event $event
*/
public function onPostLoad(Event $event)
{
$page = $event->getTarget();
if (!$page instanceof Page) {
return;
}
$isBbSessionActive = $this->authorizationChecker->isGranted('IS_AUTHENTICATED_REMEMBERED') === false;
$page->setUseUrlRedirect($isBbSessionActive);
}
/**
* To know if an user is the creator of Simupoll.
*
*
* @param \CPASimUSante\SimupollBundle\Entity\Simupoll $simupoll
*
* @return bool
*/
public function isGrantedAccess($simupoll, $access)
{
$collection = new ResourceCollection(array($simupoll->getResourceNode()));
if ($this->securityAuth->isGranted($access, $collection)) {
return true;
} else {
return false;
}
}
/**
* {@inheritdoc}
*/
public function isGranted(MediaInterface $media, Request $request)
{
try {
return $this->security->isGranted($this->roles);
} catch (AuthenticationCredentialsNotFoundException $e) {
// The token is not set in an AuthorizationCheckerInterface object
return false;
}
}
/**
* The event listener, which handles all the logic of the service.
*
* @param GetResponseEvent $getResponseEvent
*/
public function onRequest(GetResponseEvent $getResponseEvent)
{
$route = $getResponseEvent->getRequest()->get('_route');
if (in_array($route, array('php_sanitizer_user_login', 'php_sanitizer_user_register')) && $this->authorizationChecker->isGranted('IS_AUTHENTICATED_FULLY')) {
// If the current request takes place on the login or on the register pages, redirect the user
// to the configured route.
$getResponseEvent->setResponse(new RedirectResponse($this->router->generate($this->redirectRoute)));
}
}
public function isGranted($attributes, $object = null, $fully_authenticated = true)
{
if ($fully_authenticated) {
if (!$this->authorizationChecker->isGranted('IS_AUTHENTICATED_FULLY')) {
return false;
}
}
return $this->authorizationChecker->isGranted($attributes, $object);
}
/**
* Check the permission's of a crud action
*
* @param ActionEvent $event
* @throws AccessDeniedHttpException
*/
public function onActionEvent(ActionEvent $event)
{
if (!in_array($event->getId(), $this->validIds)) {
return;
}
if (false === $this->authorizationChecker->isGranted(array('RESOURCE_VOTE'), $event)) {
throw new AccessDeniedHttpException(sprintf('Action %s is not allowed.', $event->getAction()), null, 403);
}
}
/**
* @param StatusableInterface $document
* @param StatusInterface $toStatus
*
* @return bool
*/
public function isGranted(StatusableInterface $document, StatusInterface $toStatus)
{
if ($document instanceof NodeInterface) {
if (!$this->authorizationChecker->isGranted(TreeNodesPanelStrategy::ROLE_ACCESS_UPDATE_NODE)) {
return false;
}
}
return true;
}
/**
* Get excludeRoles
*/
private function getExcludeRoles()
{
$excludeRoles = $this->excludeRoles;
foreach ($excludeRoles as $key => $role) {
if ($role == 'ROLE_SUPER_ADMIN' && $this->authorizationChecker->isGranted($role)) {
unset($excludeRoles[$key]);
}
}
return $excludeRoles;
}
public static function fetchByRole(AuthorizationCheckerInterface $authCheck)
{
$result = array();
foreach (self::$workspaces as $workspace) {
if ($authCheck->isGranted($workspace['role'])) {
$result[] = $workspace;
}
}
return $result;
}
/**
* Creates the admin sidebar menu.
*
* @return ItemInterface A ItemInterface instance
*/
public function createSidebarMenu()
{
$menu = $this->factory->createItem('sidebar', ['childrenAttributes' => ['id' => 'sidebar-menu', 'class' => 'sidebar-nav nav']]);
$menu->addChild('dashboard', array('label' => 'Dashboard', 'route' => 'admin'));
if ($this->securityChecker->isGranted('SUPERADMIN')) {
$menu->addChild('adminuser', array('label' => 'Administradores', 'route' => 'admin_adminuser_list'))->setExtra('routes', array(array('pattern' => '/adminuser/')));
}
$this->dispatcher->dispatch(AdminMenuBuilderEvent::SIDEBAR, new AdminMenuBuilderEvent($this->factory, $menu, $this->securityChecker));
return $menu;
}
private function checkRole($roleSuffix, ResourceEvent $event)
{
$resource = $event->getResource();
$resourceName = $this->rm->getResourceName(get_class($resource));
$roleName = 'ROLE_' . strtoupper($resourceName) . '_' . $roleSuffix;
$isGranted = $this->authorizationChecker->isGranted($roleName);
if (!$isGranted) {
throw new AccessDeniedHttpException('User does not have role ' . $roleName);
}
}
public function configureOptions(OptionsResolver $resolver)
{
if (!$this->tokenStorage->getToken()) {
return;
}
if (!$this->authorizationChecker->isGranted($this->role)) {
return;
}
$resolver->setDefaults(array('csrf_protection' => false));
}
/**
* Gets customer based on currently logged user.
*
* @return CustomerInterface|null
*/
public function getCustomer()
{
if (null === ($token = $this->tokenStorage->getToken())) {
return null;
}
if ($this->authorizationChecker->isGranted('IS_AUTHENTICATED_REMEMBERED') && $token->getUser() instanceof ShopUserInterface) {
return $token->getUser()->getCustomer();
}
return null;
}
/**
* Return if a user has sufficient rights to execute action on Path
* @param string $actionName
* @param \Innova\PathBundle\Entity\Path\Path $path
* @param \Claroline\CoreBundle\Entity\Workspace\Workspace $workspace
* @return boolean
*/
public function isAllow($actionName, Path $path, Workspace $workspace = null)
{
if ($workspace && $actionName === 'CREATE') {
$toolRepo = $this->om->getRepository('ClarolineCoreBundle:Role');
$managerRole = $toolRepo->findManagerRole($workspace);
return $this->securityAuth->isGranted($managerRole->getName());
}
$collection = new ResourceCollection(array($path->getResourceNode()));
return $this->securityAuth->isGranted($actionName, $collection);
}
public function isGranted($role, $object = null, $field = null)
{
if (null === $this->authorizationChecker) {
return false;
}
if (null !== $field) {
$object = new FieldVote($object, $field);
}
return $this->authorizationChecker->isGranted($role, $object);
}
/**
* @dataProvider getRenderContentEditableTestData
*
* @param string $expectedText
* @param string $text
* @param string $name
* @param array $options
* @param bool $isAuthorized
* @param string $message
*/
public function testRenderContentEditable($expectedText, $text, $name, $options, $isAuthorized, $message)
{
$content = new Content();
$content->setId(1)->setName($name)->setText($text)->setLocale($options['locale']);
$this->manager->method('get')->with($name, $options['locale'], $text)->willReturn($content);
$this->authorizationChecker->method('isGranted')->with('ROLE_ADMIN')->willReturn($isAuthorized);
$this->editor->method('renderContent')->with($content, $options)->willReturn(sprintf('editable_%s', $text));
$rendered = $this->extension->render($text, $name, $options);
$this->assertSame($expectedText, $rendered, $message);
}
/**
* {@inheritdoc}
*/
public function initialize(Request $request, AuthorizationCheckerInterface $authChecker)
{
$settings = $this->get('dag.settings.manager')->load('activity');
if ($authChecker->isGranted('ROLE_ADMIN')) {
return;
}
if (!$settings['enabled']) {
throw $this->createNotFoundException('Activities have been disabled. Please contact your administrator to turn them back on.');
}
}
