/**
 * Check whether the given role may access the given resource.
 *
 * The decision fails closed: if the ACL lookup throws, and the fallback below
 * does not produce an answer, access is denied.
 *
 * Fallback: when the first lookup throws and the ACL does not know
 * $resourceId, the role is checked again with a null resource.
 * NOTE(review): a null resource presumably means "all resources" (Zend ACL
 * convention), so only roles allowed everywhere pass for unknown ids. Confirm
 * against the ACL implementation in use.
 *
 * @param string $roleId
 * @param string $resourceId
 * @param string $privilege
 * @return bool
 */
public function isAllowed($roleId, $resourceId, $privilege = null)
{
    try {
        return $this->_aclBuilder->getAcl()->isAllowed($roleId, $resourceId, $privilege);
    } catch (\Exception $lookupFailure) {
        // Not rethrown: the fallback below decides, and the default is deny.
    }

    try {
        $resourceIsKnown = $this->_aclBuilder->getAcl()->has($resourceId);
        if (!$resourceIsKnown) {
            return $this->_aclBuilder->getAcl()->isAllowed($roleId, null, $privilege);
        }
    } catch (\Exception $fallbackFailure) {
        // Swallowed on purpose: an error during the fallback must not grant access.
    }

    return false;
}
/**
 * Configure the current auth storage right after a login was performed.
 *
 * Does nothing when no user is attached to the session. Otherwise the session
 * id is regenerated first, so the identifier used before authentication is not
 * carried into the authenticated session. Secret URL keys are then renewed
 * when the backend URL model uses them. Finally the ACL is stored on the
 * session and the update timestamp is set.
 *
 * @return \Magento\Backend\Model\Auth\Session
 */
public function processLogin()
{
    if (!$this->getUser()) {
        return $this;
    }

    $this->regenerateId();

    $secretKeysEnabled = $this->_backendUrl->useSecretKey();
    if ($secretKeysEnabled) {
        $this->_backendUrl->renewSecretUrls();
    }

    $this->setIsFirstPageAfterLogin(true);

    $currentAcl = $this->_aclBuilder->getAcl();
    $this->setAcl($currentAcl);

    $this->setUpdatedAt(time());

    return $this;
}
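/**
 * Replace the stored ACL rules of a role with the resources posted for it.
 *
 * Runs in a single transaction. The role's existing rows are deleted first.
 * If only the root resource was posted, one "allow" row for the root is
 * written. Otherwise one explicit allow/deny row is written for every
 * resource the ACL knows. The ACL cache is cleaned after the commit.
 *
 * When no resources are posted, the role is left with no rule rows at all.
 *
 * NOTE(review): exceptions other than LocalizedException are rolled back and
 * logged but not rethrown, so the caller cannot tell that the rules were not
 * saved.
 *
 * @param \Magento\Authorization\Model\Rules $rule
 * @return void
 * @throws \Magento\Framework\Exception\LocalizedException
 */
public function saveRel(\Magento\Authorization\Model\Rules $rule)
{
    // Resolved before the try block so the catch handlers never call
    // rollBack() on an undefined variable when getConnection() itself fails.
    $connection = $this->getConnection();
    try {
        $connection->beginTransaction();
        $roleId = $rule->getRoleId();
        $condition = ['role_id = ?' => (int) $roleId];
        $connection->delete($this->getMainTable(), $condition);

        $postedResources = $rule->getResources();
        if ($postedResources) {
            $row = [
                'resource_id' => $this->_rootResource->getId(),
                'privileges' => '',
                'role_id' => $roleId,
                'permission' => 'allow',
            ];

            // If all was selected save it only and nothing else.
            if ($postedResources === [$this->_rootResource->getId()]) {
                $insertData = $this->_prepareDataForTable(
                    new \Magento\Framework\DataObject($row),
                    $this->getMainTable()
                );
                $connection->insert($this->getMainTable(), $insertData);
            } else {
                // Every saved role also receives the basic admin resource.
                $postedResources[] = \Magento\Backend\App\AbstractAction::ADMIN_RESOURCE;
                $acl = $this->_aclBuilder->getAcl();
                foreach ($acl->getResources() as $resourceId) {
                    // Strict comparison: an allow row is written only for an exact id match,
                    // so type juggling on a posted value cannot turn a deny into an allow.
                    $row['permission'] = in_array($resourceId, $postedResources, true) ? 'allow' : 'deny';
                    $row['resource_id'] = $resourceId;
                    $insertData = $this->_prepareDataForTable(
                        new \Magento\Framework\DataObject($row),
                        $this->getMainTable()
                    );
                    $connection->insert($this->getMainTable(), $insertData);
                }
            }
        }

        $connection->commit();
        // Cached ACL data would otherwise keep reflecting the previous rule set.
        $this->_aclCache->clean();
    } catch (\Magento\Framework\Exception\LocalizedException $e) {
        $connection->rollBack();
        throw $e;
    } catch (\Exception $e) {
        $connection->rollBack();
        $this->_logger->critical($e);
    }
}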
/**
 * List the resource ids a role is currently allowed to use.
 *
 * Starts from the rule rows stored for the role and keeps only those ids that
 * the ACL knows about and allows for this role. Rule rows for resources the
 * ACL does not know are skipped.
 *
 * @param string $roleId
 * @return string[]
 */
public function getAllowedResourcesByRole($roleId)
{
    $roleRules = $this->rulesCollectionFactory->create();
    $roleRules->getByRoles($roleId)->load();
    $acl = $this->aclBuilder->getAcl();

    $granted = [];
    /** @var \Magento\Authorization\Model\Rules $ruleItem */
    foreach ($roleRules->getItems() as $ruleItem) {
        $candidateId = $ruleItem->getResourceId();
        if (!$acl->has($candidateId)) {
            // Unknown to the ACL: never reported as allowed.
            continue;
        }
        if ($acl->isAllowed($roleId, $candidateId)) {
            $granted[] = $candidateId;
        }
    }

    return $granted;
}
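/**
 * Class constructor
 *
 * Reads the role id from the "rid" request parameter, loads that role's rule
 * rows, and marks as selected every resource that the ACL knows about and
 * whose stored permission is exactly 'allow'.
 *
 * @return void
 */
protected function _construct()
{
    parent::_construct();

    // "rid" comes from the request; false is passed on when it is absent.
    $rid = $this->_request->getParam('rid', false);
    $acl = $this->_aclBuilder->getAcl();
    $rulesSet = $this->_rulesCollectionFactory->create()->getByRoles($rid)->load();

    $selectedResourceIds = array();
    foreach ($rulesSet->getItems() as $item) {
        $itemResourceId = $item->getResource_id();
        // Strict comparison: only the literal string 'allow' marks a resource as
        // selected, so a non-string permission value cannot match by type juggling.
        if ($acl->has($itemResourceId) && $item->getPermission() === 'allow') {
            $selectedResourceIds[] = $itemResourceId;
        }
    }

    $this->setSelectedResources($selectedResourceIds);
}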
/**
 * Check that the user's role is allowed to access every requested resource.
 *
 * Access is denied as soon as one resource is not allowed. It is also denied
 * when no role can be resolved for the user, or when any exception is raised
 * along the way; the exception is logged.
 *
 * Once a role has been resolved, an empty $resources list yields true, since
 * there is nothing to deny.
 *
 * @param string[] $resources
 * @param UserIdentifier $userIdentifier
 * @return bool
 */
protected function _isUserWithRoleAllowed($resources, UserIdentifier $userIdentifier)
{
    try {
        $role = $this->_getUserRole($userIdentifier);
        if (!$role) {
            // Raised only to reach the deny-and-log handler below.
            throw NoSuchEntityException::doubleField(
                'userId',
                $userIdentifier->getUserId(),
                'userType',
                $userIdentifier->getUserType()
            );
        }

        foreach ($resources as $requiredResource) {
            $granted = $this->_aclBuilder->getAcl()->isAllowed($role->getId(), $requiredResource);
            if (!$granted) {
                return false;
            }
        }

        return true;
    } catch (\Exception $failure) {
        // Fail closed: an error during the check never results in access.
        $this->_logger->logException($failure);
        return false;
    }
}
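/**
 * Replace the stored ACL rules of a role with the resources posted for it.
 *
 * Runs in a single transaction. The role's existing rows are deleted first.
 * If only the root resource was posted, one "allow" row for the root is
 * written. Otherwise one explicit allow/deny row is written for every
 * resource the ACL knows. The ACL cache is cleaned after the commit.
 *
 * When no resources are posted, the role is left with no rule rows at all.
 *
 * NOTE(review): exceptions other than \Magento\Framework\Model\Exception are
 * rolled back and logged but not rethrown, so the caller cannot tell that the
 * rules were not saved.
 *
 * @param \Magento\User\Model\Rules $rule
 * @return void
 * @throws \Magento\Framework\Model\Exception
 */
public function saveRel(\Magento\User\Model\Rules $rule)
{
    // Resolved before the try block so the catch handlers never call
    // rollBack() on an undefined variable when _getWriteAdapter() itself fails.
    $adapter = $this->_getWriteAdapter();
    try {
        $adapter->beginTransaction();
        $roleId = $rule->getRoleId();
        $condition = array('role_id = ?' => (int) $roleId);
        $adapter->delete($this->getMainTable(), $condition);

        $postedResources = $rule->getResources();
        if ($postedResources) {
            $row = array(
                'resource_id' => $this->_rootResource->getId(),
                'privileges' => '',
                'role_id' => $roleId,
                'permission' => 'allow'
            );

            // If all was selected save it only and nothing else.
            if ($postedResources === array($this->_rootResource->getId())) {
                $insertData = $this->_prepareDataForTable(
                    new \Magento\Framework\Object($row),
                    $this->getMainTable()
                );
                $adapter->insert($this->getMainTable(), $insertData);
            } else {
                $acl = $this->_aclBuilder->getAcl();
                foreach ($acl->getResources() as $resourceId) {
                    // Strict comparison: an allow row is written only for an exact id match,
                    // so type juggling on a posted value cannot turn a deny into an allow.
                    $row['permission'] = in_array($resourceId, $postedResources, true) ? 'allow' : 'deny';
                    $row['resource_id'] = $resourceId;
                    $insertData = $this->_prepareDataForTable(
                        new \Magento\Framework\Object($row),
                        $this->getMainTable()
                    );
                    $adapter->insert($this->getMainTable(), $insertData);
                }
            }
        }

        $adapter->commit();
        // Cached ACL data would otherwise keep reflecting the previous rule set.
        $this->_aclCache->clean();
    } catch (\Magento\Framework\Model\Exception $e) {
        $adapter->rollBack();
        throw $e;
    } catch (\Exception $e) {
        $adapter->rollBack();
        $this->_logger->logException($e);
    }
}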
/**
 * getAcl() must surface a failing ACL cache lookup as a \LogicException.
 *
 * The cache mock's has() is expected to be called exactly once and throws an
 * \InvalidArgumentException when it is.
 *
 * @expectedException \LogicException
 */
public function testGetAclRethrowsException()
{
    $cacheFailure = new \InvalidArgumentException();

    $this->_aclCacheMock
        ->expects($this->once())
        ->method('has')
        ->will($this->throwException($cacheFailure));

    $this->_model->getAcl();
}