/**
 * Decides whether the user found in the login context may exercise the
 * requested permission on a workgroup file or a workgroup configuration file.
 *
 * Decision order, as implemented below:
 *  1. The workgroup owner is granted access immediately, before the
 *     membership and activity-lock checks are reached.
 *  2. A user with no assignation in the workgroup, or whose assignation is
 *     still STATUS_INVITED, is denied.
 *  3. EyeWorkgroupFile: a request that contains the 'write' action is denied
 *     while the workgroup has STATUS_ACTIVITY_LOCKED set. This runs before the
 *     role is examined, so it also applies to ROLE_ADMIN. After that,
 *     ROLE_ADMIN is granted, ROLE_EDITOR is limited to read/write and
 *     ROLE_VIEWER to read; any other role keeps an empty action list.
 *  4. EyeWorkgroupConfFile: ROLE_ADMIN is granted, every other role is
 *     limited to read. The activity lock is not consulted for this type.
 *  5. The action list is wrapped in a VirtualFilePermission that must imply
 *     the requested permission; otherwise access is denied.
 *
 * NOTE(review): the owner, status and role comparisons are loose (==). If
 * any of these identifiers can be null, empty or a numeric string, unequal
 * values may compare equal; confirm the value types before relying on this.
 * NOTE(review): STATUS_INVITED is the only assignation status rejected here;
 * confirm that no other status value should be treated as "not a member".
 * NOTE(review): the denial messages embed the user name and the file path;
 * confirm that they are only logged and not echoed to an untrusted client.
 *
 * @param mixed $object Must be an EyeWorkgroupFile or EyeWorkgroupConfFile.
 * @param IPermission $permission The permission being requested.
 * @param LoginContext $context Login context the eyeos user is read from.
 * @return bool TRUE when access is granted; FALSE when the handler could not
 *              perform the check (in that case $this->failureException is set).
 *
 * @throws EyeInvalidArgumentException If $object is of neither supported class.
 * @throws EyeUnexpectedValueException Not thrown directly in this method;
 *         presumably propagated from a callee (confirm).
 * @throws EyeAccessControlException If access is denied.
 */
public function checkPermission($object, IPermission $permission, LoginContext $context) {
    $isWorkgroupFile = $object instanceof EyeWorkgroupFile;
    $isConfFile = $object instanceof EyeWorkgroupConfFile;
    if (!$isWorkgroupFile && !$isConfFile) {
        throw new EyeInvalidArgumentException('$object must be an EyeWorkgroupFile or EyeWorkgroupConfFile.');
    }

    try {
        $eyeosUser = $context->getEyeosUser();
    } catch (EyeNullPointerException $e) {
        // Without a user there is nothing to evaluate: this is reported as a
        // handler failure (FALSE), not as an access denial.
        $this->failureException = new EyeHandlerFailureException('No eyeos user found in login context.');
        return false;
    }

    $workgroup = $object->getWorkgroup();

    // Owner shortcut: returns before the membership and lock checks below.
    if ($workgroup->getOwnerId() == $eyeosUser->getId()) {
        return true;
    }

    // Look up the assignation of this user in this workgroup.
    $filter = UMManager::getInstance()->getNewUserWorkgroupAssignationInstance();
    $filter->setUserId($eyeosUser->getId());
    $filter->setWorkgroupId($workgroup->getId());
    $matches = UMManager::getInstance()->getAllUserWorkgroupAssignations($filter);

    // current() yields FALSE when the lookup returned no assignation.
    $membership = current($matches);
    if ($membership === false || $membership->getStatus() == WorkgroupConstants::STATUS_INVITED) {
        throw new EyeAccessControlException('Access denied to user ' . $eyeosUser->getName() . ' for file ' . $object->getPath() . ' (not member of the workgroup).');
    }

    // Stays empty unless a known role assigns actions below.
    $grantedActions = array();

    if ($isWorkgroupFile) {
        // Activity lock: checked before the role, so it also covers ROLE_ADMIN.
        $requestsWrite = in_array('write', $permission->getActions());
        if ($requestsWrite && ($workgroup->getStatus() & AbstractEyeosWorkgroup::STATUS_ACTIVITY_LOCKED)) {
            throw new EyeAccessControlException('Access denied to the specified file: the activity of the workgroup ' . $workgroup->getName() . ' is currently locked.');
        }

        // Loose comparison on purpose: same matching as a switch statement.
        $role = $membership->getRole();
        if ($role == WorkgroupConstants::ROLE_ADMIN) {
            return true;
        } elseif ($role == WorkgroupConstants::ROLE_EDITOR) {
            $grantedActions = array('read', 'write');
        } elseif ($role == WorkgroupConstants::ROLE_VIEWER) {
            $grantedActions = array('read');
        }
    } elseif ($isConfFile) {
        if ($membership->getRole() == WorkgroupConstants::ROLE_ADMIN) {
            return true;
        }
        // Every non-admin role is limited to reading the configuration file.
        $grantedActions = array('read');
    } else {
        // Not reachable after the class guard at the top of the method; kept
        // so that an unexpected class is reported as a handler failure.
        $this->failureException = new EyeHandlerFailureException('Unknown $object class.');
        return false;
    }

    $refPermission = new VirtualFilePermission('', $grantedActions);
    if (!$refPermission->implies($permission)) {
        throw new EyeAccessControlException('Access denied to user ' . $eyeosUser->getName() . ' for file ' . $object->getPath() . ' (insufficient permissions).');
    }

    return true;
}
/**
 * Applies this handler's URL allow/deny rules to the absolute path of a file.
 *
 * Evaluation, as implemented below:
 *  - The starting decision is the default: allowed unless $this->defaultDeny.
 *  - The denied URLs are consulted only when the default is "allow"; the
 *    first one that matches turns the decision into a denial.
 *  - The allowed URLs are evaluated last, so a matching allow rule overrides
 *    an earlier deny match.
 *  - A rule counts only when a VirtualFilePermission built from
 *    $this->actions implies the requested permission; otherwise the decision
 *    stays as it was.
 *
 * NOTE(review): under a default of "allow", a permission that is not implied
 * by $this->actions is never matched by a deny rule and is therefore
 * allowed; confirm that this is intended.
 * NOTE(review): matching runs on getAbsolutePath() through self::impliesUrl();
 * whether that path is canonical (no "..", consistent encoding) is not
 * visible here; confirm it is normalized before rules are compared.
 * NOTE(review): the denial message embeds the file path and the matching rule
 * URL; confirm that it is not returned verbatim to an untrusted client.
 *
 * @param mixed $object Must be an IFile.
 * @param IPermission $permission The permission being requested.
 * @param LoginContext $context Not read by this method.
 * @return bool Always TRUE; every denial is signalled by an exception.
 *
 * @throws EyeInvalidArgumentException If $object is not an IFile.
 * @throws EyeUnexpectedValueException Not thrown directly in this method;
 *         presumably propagated from a callee (confirm).
 * @throws EyeAccessControlException If the rules deny access.
 */
public function checkPermission($object, IPermission $permission, LoginContext $context) {
    if (!$object instanceof IFile) {
        throw new EyeInvalidArgumentException('$object must be an IFile.');
    }

    $targetUrl = $object->getAbsolutePath();
    $handlerPermission = new VirtualFilePermission('', $this->actions);

    // Start from the configured default and remember which rule denies.
    $granted = !$this->defaultDeny;
    $matchedDenyRule = 'DENY by default';

    // Deny rules only matter when the default is "allow".
    if (!$this->defaultDeny) {
        foreach ($this->deniedUrls as $deniedUrl) {
            if (!self::impliesUrl($deniedUrl, $targetUrl)) {
                continue;
            }
            if (!$handlerPermission->implies($permission)) {
                continue;
            }
            $granted = false;
            $matchedDenyRule = 'DENY on "' . $deniedUrl . '"';
            break;
        }
    }

    // Allow rules run last and take precedence over a deny match.
    foreach ($this->allowedUrls as $allowedUrl) {
        if (self::impliesUrl($allowedUrl, $targetUrl) && $handlerPermission->implies($permission)) {
            $granted = true;
        }
    }

    if ($granted) {
        return true;
    }

    throw new EyeAccessControlException('Access denied to file ' . $object->getPath() . ' (security rule: ' . $matchedDenyRule . ').');
}