/**
* TODO
*
* @param mixed $object
* @param IPermission $permission
* @param LoginContext $context
* @return bool TRUE if the handler performed the permission check successfully, FALSE otherwise.
*
* @throws EyeInvalidArgumentException
* @throws EyeUnexpectedValueException
* @throws EyeAccessControlException
*/
public function checkPermission($object, IPermission $permission, LoginContext $context)
{
if (!$object instanceof EyeWorkgroupFile && !$object instanceof EyeWorkgroupConfFile) {
throw new EyeInvalidArgumentException('$object must be an EyeWorkgroupFile or EyeWorkgroupConfFile.');
}
try {
$eyeosUser = $context->getEyeosUser();
} catch (EyeNullPointerException $e) {
$this->failureException = new EyeHandlerFailureException('No eyeos user found in login context.');
return false;
}
$workgroup = $object->getWorkgroup();
// The current user is the owner of the workgroup => access granted
if ($workgroup->getOwnerId() == $eyeosUser->getId()) {
return true;
}
// Retrieve the role of the current user inside the workgroup (if member)
$assignation = UMManager::getInstance()->getNewUserWorkgroupAssignationInstance();
$assignation->setUserId($eyeosUser->getId());
$assignation->setWorkgroupId($workgroup->getId());
$assignation = current(UMManager::getInstance()->getAllUserWorkgroupAssignations($assignation));
if ($assignation === false || $assignation->getStatus() == WorkgroupConstants::STATUS_INVITED) {
throw new EyeAccessControlException('Access denied to user ' . $eyeosUser->getName() . ' for file ' . $object->getPath() . ' (not member of the workgroup).');
}
$refPermissionActions = array();
// Check access to a workgroup:// file
if ($object instanceof EyeWorkgroupFile) {
// The workgroup has its activity locked => write access denied
if (in_array('write', $permission->getActions()) && $workgroup->getStatus() & AbstractEyeosWorkgroup::STATUS_ACTIVITY_LOCKED) {
throw new EyeAccessControlException('Access denied to the specified file: the activity of the workgroup ' . $workgroup->getName() . ' is currently locked.');
}
switch ($assignation->getRole()) {
case WorkgroupConstants::ROLE_ADMIN:
return true;
case WorkgroupConstants::ROLE_EDITOR:
$refPermissionActions = array('read', 'write');
break;
case WorkgroupConstants::ROLE_VIEWER:
$refPermissionActions = array('read');
break;
}
} elseif ($object instanceof EyeWorkgroupConfFile) {
switch ($assignation->getRole()) {
case WorkgroupConstants::ROLE_ADMIN:
return true;
default:
$refPermissionActions = array('read');
break;
}
} else {
$this->failureException = new EyeHandlerFailureException('Unknown $object class.');
return false;
}
$refPermission = new VirtualFilePermission('', $refPermissionActions);
if ($refPermission->implies($permission)) {
return true;
}
throw new EyeAccessControlException('Access denied to user ' . $eyeosUser->getName() . ' for file ' . $object->getPath() . ' (insufficient permissions).');
}
/**
* TODO
*
* @param mixed $object
* @param IPermission $permission
* @param LoginContext $context
* @return bool TRUE if the handler performed the permission check successfully, FALSE otherwise.
*
* @throws EyeInvalidArgumentException
* @throws EyeUnexpectedValueException
* @throws EyeAccessControlException
*/
public function checkPermission($object, IPermission $permission, LoginContext $context)
{
if (!$object instanceof IFile) {
throw new EyeInvalidArgumentException('$object must be an IFile.');
}
$url = $object->getAbsolutePath();
$allowed = !$this->defaultDeny;
$denyUrlRule = 'DENY by default';
$refPermission = new VirtualFilePermission('', $this->actions);
if (!$this->defaultDeny) {
foreach ($this->deniedUrls as $deniedUrl) {
if (self::impliesUrl($deniedUrl, $url) && $refPermission->implies($permission)) {
$allowed = false;
$denyUrlRule = 'DENY on "' . $deniedUrl . '"';
break;
}
}
}
foreach ($this->allowedUrls as $allowedUrl) {
if (self::impliesUrl($allowedUrl, $url) && $refPermission->implies($permission)) {
$allowed = true;
}
}
if (!$allowed) {
throw new EyeAccessControlException('Access denied to file ' . $object->getPath() . ' (security rule: ' . $denyUrlRule . ').');
}
return true;
}
