protected function updateUserRole(AclManager $manager)
{
$sid = $manager->getSid($this->getRole(LoadRolesData::ROLE_ADMINISTRATOR));
$oid = $manager->getOid('entity:Oro\\Bundle\\EmailBundle\\Entity\\Email');
$maskBuilder = $manager->getMaskBuilder($oid)->add('VIEW_SYSTEM')->add('CREATE_SYSTEM')->add('EDIT_SYSTEM');
$manager->setPermission($sid, $oid, $maskBuilder->get());
}
protected function updateManagerRole(AclManager $manager)
{
$sid = $manager->getSid($this->getRole(LoadRolesData::ROLE_MANAGER));
// grant to manage own calendar events
$oid = $manager->getOid('entity:Oro\\Bundle\\CalendarBundle\\Entity\\CalendarEvent');
$maskBuilder = $manager->getMaskBuilder($oid)->add('VIEW_SYSTEM')->add('CREATE_SYSTEM')->add('EDIT_SYSTEM')->add('DELETE_SYSTEM');
$manager->setPermission($sid, $oid, $maskBuilder->get());
}
protected function updateUserRole(AclManager $manager)
{
$roles = ['ROLE_ONLINE_SALES_REP', 'ROLE_MARKETING_MANAGER', 'ROLE_LEADS_DEVELOPMENT_REP'];
foreach ($roles as $roleName) {
$sid = $manager->getSid($this->getRole($roleName));
$oid = $manager->getOid('entity:Oro\\Bundle\\EmailBundle\\Entity\\EmailUser');
$maskBuilder = $manager->getMaskBuilder($oid)->add('VIEW_BASIC')->add('CREATE_BASIC')->add('EDIT_BASIC');
$manager->setPermission($sid, $oid, $maskBuilder->get());
}
}
protected function updateUserRole(AclManager $manager)
{
$roles = [LoadRolesData::ROLE_USER, LoadRolesData::ROLE_MANAGER];
foreach ($roles as $roleName) {
$sid = $manager->getSid($this->getRole($roleName));
$oid = $manager->getOid('entity:Oro\\Bundle\\EmailBundle\\Entity\\EmailUser');
$maskBuilder = $manager->getMaskBuilder($oid)->add('VIEW_BASIC')->add('CREATE_BASIC')->add('EDIT_BASIC');
$manager->setPermission($sid, $oid, $maskBuilder->get());
}
}
/**
* Load the ACL per role
*
* @param AclManager $manager
* @param Role $role
*
* @see Oro\Bundle\SecurityBundle\DataFixtures\ORM\LoadAclRoles
*/
protected function loadAcls(AclManager $manager, Role $role)
{
$sid = $manager->getSid($role);
foreach ($manager->getAllExtensions() as $extension) {
$rootOid = $manager->getRootOid($extension->getExtensionKey());
foreach ($extension->getAllMaskBuilders() as $maskBuilder) {
$fullAccessMask = $maskBuilder->hasConst('GROUP_SYSTEM') ? $maskBuilder->getConst('GROUP_SYSTEM') : $maskBuilder->getConst('GROUP_ALL');
$manager->setPermission($sid, $rootOid, $fullAccessMask, true);
}
}
}
/**
* Load the ACL per role
*
* @param Role $role
*/
protected function loadAcls(Role $role)
{
if (User::ROLE_ANONYMOUS === $role->getRole()) {
return;
}
$sid = $this->aclManager->getSid($role);
foreach ($this->aclManager->getAllExtensions() as $extension) {
$rootOid = $this->aclManager->getRootOid($extension->getExtensionKey());
foreach ($extension->getAllMaskBuilders() as $maskBuilder) {
$fullAccessMask = $maskBuilder->hasConst('GROUP_SYSTEM') ? $maskBuilder->getConst('GROUP_SYSTEM') : $maskBuilder->getConst('GROUP_ALL');
$this->aclManager->setPermission($sid, $rootOid, $fullAccessMask, true);
}
}
}
/**
* @param AbstractRole $role
*/
protected function processPrivileges(AbstractRole $role)
{
$decodedPrivileges = json_decode($this->form->get('privileges')->getData(), true);
$formPrivileges = [];
foreach ($this->privilegeConfig as $fieldName => $config) {
$privilegesArray = $decodedPrivileges[$fieldName];
$privileges = [];
foreach ($privilegesArray as $privilege) {
$aclPrivilege = new AclPrivilege();
foreach ($privilege['permissions'] as $name => $permission) {
$aclPrivilege->addPermission(new AclPermission($permission['name'], $permission['accessLevel']));
}
$aclPrivilegeIdentity = new AclPrivilegeIdentity($privilege['identity']['id'], $privilege['identity']['name']);
$aclPrivilege->setIdentity($aclPrivilegeIdentity);
$privileges[] = $aclPrivilege;
}
if ($config['fix_values']) {
$this->fxPrivilegeValue($privileges, $config['default_value']);
}
$formPrivileges = array_merge($formPrivileges, $privileges);
}
array_walk($formPrivileges, function (AclPrivilege $privilege) {
$privilege->setGroup($this->getAclGroup());
});
$this->privilegeRepository->savePrivileges($this->aclManager->getSid($role), new ArrayCollection($formPrivileges));
$this->aclCache->clearCache();
}
/**
* Gets all ACEs associated with given ACL and the given security identity
*
* @param SID $sid
* @param AclInterface $acl
* @param string $type The ACE type. Can be one of AclManager::*_ACE constants
* @param string|null $field The name of a field.
* Set to null for class-based or object-based ACE
* Set to not null class-field-based or object-field-based ACE
* @return EntryInterface[]
*/
protected function getAces(SID $sid, AclInterface $acl, $type, $field)
{
return array_filter($this->manager->getAceProvider()->getAces($acl, $type, $field), function ($ace) use(&$sid) {
/** @var EntryInterface $ace */
return $sid->equals($ace->getSecurityIdentity());
});
}
/**
* @param Role $role
*/
protected function processPrivileges(Role $role)
{
$formPrivileges = array();
foreach ($this->privilegeConfig as $fieldName => $config) {
$privileges = $this->form->get($fieldName)->getData();
$formPrivileges = array_merge($formPrivileges, $privileges);
}
$this->aclManager->getPrivilegeRepository()->savePrivileges($this->aclManager->getSid($role), new ArrayCollection($formPrivileges));
}
protected function updateManagerRole(AclManager $manager)
{
$sid = $manager->getSid($this->getReference('manager_role'));
// grant to view other user's calendar for the same business unit
$oid = $manager->getOid('entity:Oro\\Bundle\\CalendarBundle\\Entity\\CalendarConnection');
$maskBuilder = $manager->getMaskBuilder($oid)->add('VIEW_SYSTEM');
$manager->setPermission($sid, $oid, $maskBuilder->get());
// grant to manage own calendar events
$oid = $manager->getOid('entity:Oro\\Bundle\\CalendarBundle\\Entity\\CalendarEvent');
$maskBuilder = $manager->getMaskBuilder($oid)->add('VIEW_SYSTEM')->add('CREATE_SYSTEM')->add('EDIT_SYSTEM')->add('DELETE_SYSTEM');
$manager->setPermission($sid, $oid, $maskBuilder->get());
}
/**
* @param Role $role
*/
protected function processPrivileges(Role $role)
{
$formPrivileges = array();
foreach ($this->privilegeConfig as $fieldName => $config) {
$privileges = $this->form->get($fieldName)->getData();
if ($config['fix_values']) {
$this->fxPrivilegeValue($privileges, $config['default_value']);
}
$formPrivileges = array_merge($formPrivileges, $privileges);
}
$this->privilegeRepository->savePrivileges($this->aclManager->getSid($role), new ArrayCollection($formPrivileges));
}
public function testProcessPrivileges()
{
$request = new Request();
$request->setMethod('POST');
$role = new AccountUserRole('TEST');
$roleSecurityIdentity = new RoleSecurityIdentity($role);
$appendForm = $this->getMock('Symfony\\Component\\Form\\FormInterface');
$appendForm->expects($this->once())->method('getData')->willReturn([]);
$removeForm = $this->getMock('Symfony\\Component\\Form\\FormInterface');
$removeForm->expects($this->once())->method('getData')->willReturn([]);
$firstEntityPrivilege = $this->createPrivilege('entity', 'entity:FirstClass', 'VIEW');
$secondEntityPrivilege = $this->createPrivilege('entity', 'entity:SecondClass', 'VIEW');
$entityForm = $this->getMock('Symfony\\Component\\Form\\FormInterface');
$entityForm->expects($this->once())->method('getData')->willReturn([$firstEntityPrivilege, $secondEntityPrivilege]);
$actionPrivilege = $this->createPrivilege('action', 'action', 'random_action');
$actionForm = $this->getMock('Symfony\\Component\\Form\\FormInterface');
$actionForm->expects($this->once())->method('getData')->willReturn([$actionPrivilege]);
$form = $this->getMock('Symfony\\Component\\Form\\FormInterface');
$form->expects($this->once())->method('submit')->with($request);
$form->expects($this->once())->method('isValid')->willReturn(true);
$form->expects($this->any())->method('get')->willReturnMap([['appendUsers', $appendForm], ['removeUsers', $removeForm], ['entity', $entityForm], ['action', $actionForm]]);
$this->formFactory->expects($this->once())->method('create')->willReturn($form);
$objectManager = $this->getMock('Doctrine\\Common\\Persistence\\ObjectManager');
$this->managerRegistry->expects($this->any())->method('getManagerForClass')->with(get_class($role))->willReturn($objectManager);
$expectedFirstEntityPrivilege = $this->createPrivilege('entity', 'entity:FirstClass', 'VIEW');
$expectedFirstEntityPrivilege->setGroup(AccountUser::SECURITY_GROUP);
$expectedSecondEntityPrivilege = $this->createPrivilege('entity', 'entity:SecondClass', 'VIEW');
$expectedSecondEntityPrivilege->setGroup(AccountUser::SECURITY_GROUP);
$expectedActionPrivilege = $this->createPrivilege('action', 'action', 'random_action');
$expectedActionPrivilege->setGroup(AccountUser::SECURITY_GROUP);
$this->privilegeRepository->expects($this->once())->method('savePrivileges')->with($roleSecurityIdentity, new ArrayCollection([$expectedFirstEntityPrivilege, $expectedSecondEntityPrivilege, $expectedActionPrivilege]));
$this->aclManager->expects($this->any())->method('getSid')->with($role)->willReturn($roleSecurityIdentity);
$this->chainMetadataProvider->expects($this->once())->method('startProviderEmulation')->with(FrontendOwnershipMetadataProvider::ALIAS);
$this->chainMetadataProvider->expects($this->once())->method('stopProviderEmulation');
$handler = new AccountUserRoleHandler($this->formFactory, $this->privilegeConfig);
$handler->setManagerRegistry($this->managerRegistry);
$handler->setAclPrivilegeRepository($this->privilegeRepository);
$handler->setAclManager($this->aclManager);
$handler->setChainMetadataProvider($this->chainMetadataProvider);
$handler->setRequest($request);
$handler->createForm($role);
$handler->process($role);
}
public function testFlush()
{
$oid1 = new ObjectIdentity('Acme\\Test1', 'entity');
$oid2 = new ObjectIdentity('Acme\\Test2', 'entity');
$oid3 = new ObjectIdentity('Acme\\Test3', 'entity');
$oid4 = new ObjectIdentity('Acme\\Test4', 'entity');
$newItemSid = $this->getMock('Symfony\\Component\\Security\\Acl\\Model\\SecurityIdentityInterface');
$newItem = new BatchItem($oid2, BatchItem::STATE_CREATE);
$newItem->addAce(AclManager::OBJECT_ACE, 'TestField', $newItemSid, true, 123, 'all', true);
$updateItemAcl = $this->getMock('Symfony\\Component\\Security\\Acl\\Model\\MutableAclInterface');
$deleteItemAcl = $this->getMock('Symfony\\Component\\Security\\Acl\\Model\\MutableAclInterface');
$this->setItems(array(new BatchItem($oid1, BatchItem::STATE_NONE), $newItem, new BatchItem($oid3, BatchItem::STATE_UPDATE, $updateItemAcl), new BatchItem($oid4, BatchItem::STATE_DELETE, $deleteItemAcl)));
$this->aclProvider->expects($this->once())->method('beginTransaction');
$this->aclProvider->expects($this->once())->method('commit');
$acl = $this->getMock('Symfony\\Component\\Security\\Acl\\Model\\MutableAclInterface');
$this->aclProvider->expects($this->once())->method('createAcl')->with($this->identicalTo($oid2))->will($this->returnValue($acl));
$this->aceProvider->expects($this->once())->method('setPermission')->with($this->identicalTo($acl), $this->identicalTo($this->extension), $this->equalTo(true), $this->equalTo(AclManager::OBJECT_ACE), $this->equalTo('TestField'), $this->identicalTo($newItemSid), $this->equalTo(true), $this->equalTo(123), $this->equalTo('all'))->will($this->returnValue(true));
$this->aclProvider->expects($this->exactly(2))->method('updateAcl');
$this->aclProvider->expects($this->once())->method('deleteAcl')->with($this->identicalTo($oid4));
$this->manager->flush();
}
/**
* @param ObjectIdentity $oid
* @param string $class
* @param int $requiredMask
* @return bool
*
* @see \Oro\Bundle\SecurityBundle\Acl\Domain\PermissionGrantingStrategy::isAceApplicable
* @SuppressWarnings(PHPMD.CyclomaticComplexity)
* @SuppressWarnings(PHPMD.NPathComplexity)
*/
private function isGrantedOidMask(ObjectIdentity $oid, $class, $requiredMask)
{
if (null === ($loggedUser = $this->getLoggedUser())) {
return false;
}
$extension = $this->aclManager->getExtensionSelector()->select($oid);
foreach ($loggedUser->getRoles() as $role) {
$sid = $this->aclManager->getSid($role);
$aces = $this->aclManager->getAces($sid, $oid);
if (!$aces && $oid->getType() !== ObjectIdentityFactory::ROOT_IDENTITY_TYPE) {
$rootOid = $this->aclManager->getRootOid($oid);
return $this->isGrantedOidMask($rootOid, $class, EntityMaskBuilder::GROUP_SYSTEM);
}
foreach ($aces as $ace) {
if ($ace->getAcl()->getObjectIdentity()->getIdentifier() !== $extension->getExtensionKey()) {
continue;
}
$aceMask = $ace->getMask();
if ($oid->getType() === ObjectIdentityFactory::ROOT_IDENTITY_TYPE) {
$aceMask = $extension->adaptRootMask($aceMask, new $class());
}
if ($extension->getServiceBits($requiredMask) !== $extension->getServiceBits($aceMask)) {
continue;
}
$requiredMask = $extension->removeServiceBits($requiredMask);
$aceMask = $extension->removeServiceBits($aceMask);
$strategy = $ace->getStrategy();
if (PermissionGrantingStrategy::ALL === $strategy) {
return $requiredMask === ($aceMask & $requiredMask);
} elseif (PermissionGrantingStrategy::ANY === $strategy) {
return 0 !== ($aceMask & $requiredMask);
} elseif (PermissionGrantingStrategy::EQUAL === $strategy) {
return $requiredMask === $aceMask;
}
}
}
return false;
}
/**
* @param ObjectManager $manager
* @param AclManager $aclManager
*/
protected function setBuyerShoppingListPermissions(ObjectManager $manager, AclManager $aclManager)
{
$chainMetadataProvider = $this->container->get('oro_security.owner.metadata_provider.chain');
$allowedAcls = ['VIEW_BASIC', 'CREATE_BASIC', 'EDIT_BASIC', 'DELETE_BASIC'];
$role = $this->getBuyerRole($manager);
if ($aclManager->isAclEnabled()) {
$sid = $aclManager->getSid($role);
$className = $this->container->getParameter('orob2b_shopping_list.entity.shopping_list.class');
foreach ($aclManager->getAllExtensions() as $extension) {
if ($extension instanceof EntityAclExtension) {
$chainMetadataProvider->startProviderEmulation(FrontendOwnershipMetadataProvider::ALIAS);
$oid = $aclManager->getOid('entity:' . $className);
$builder = $aclManager->getMaskBuilder($oid);
$mask = $builder->reset()->get();
foreach ($allowedAcls as $acl) {
$mask = $builder->add($acl)->get();
}
$aclManager->setPermission($sid, $oid, $mask);
$chainMetadataProvider->stopProviderEmulation();
}
}
}
}
/**
* @param AclManager $aclManager
* @param AclExtensionInterface $extension
* @param SecurityIdentityInterface $sid
* @param string $group
*/
protected function setPermissionGroup(AclManager $aclManager, AclExtensionInterface $extension, SecurityIdentityInterface $sid, $group)
{
$rootOid = $aclManager->getRootOid($extension->getExtensionKey());
foreach ($extension->getAllMaskBuilders() as $maskBuilder) {
if ($maskBuilder->hasConst($group)) {
$mask = $maskBuilder->getConst($group);
$aclManager->setPermission($sid, $rootOid, $mask, true);
break;
}
}
}
/**
* @param AclManager $aclManager
* @param SecurityIdentityInterface $sid
*/
protected function setPermissionGroup(AclManager $aclManager, SecurityIdentityInterface $sid)
{
foreach ($aclManager->getAllExtensions() as $extension) {
$rootOid = $aclManager->getRootOid($extension->getExtensionKey());
foreach ($extension->getAllMaskBuilders() as $maskBuilder) {
$fullAccessMask = $maskBuilder->hasConst('GROUP_SYSTEM') ? $maskBuilder->getConst('GROUP_SYSTEM') : $maskBuilder->getConst('GROUP_ALL');
$aclManager->setPermission($sid, $rootOid, $fullAccessMask, true);
}
}
}
/**
* @param AclManager $aclManager
* @param AccountUserRole $role
* @param string $className
* @param array $allowedAcls
*/
protected function setRolePermissions(AclManager $aclManager, AccountUserRole $role, $className, array $allowedAcls)
{
/* @var $chainMetadataProvider ChainMetadataProvider */
$chainMetadataProvider = $this->container->get('oro_security.owner.metadata_provider.chain');
if ($aclManager->isAclEnabled()) {
$sid = $aclManager->getSid($role);
foreach ($aclManager->getAllExtensions() as $extension) {
if ($extension instanceof EntityAclExtension) {
$chainMetadataProvider->startProviderEmulation(FrontendOwnershipMetadataProvider::ALIAS);
$oid = $aclManager->getOid('entity:' . $className);
$builder = $aclManager->getMaskBuilder($oid);
$mask = $builder->reset()->get();
foreach ($allowedAcls as $acl) {
$mask = $builder->add($acl)->get();
}
$aclManager->setPermission($sid, $oid, $mask);
$chainMetadataProvider->stopProviderEmulation();
}
}
}
}
protected function loadUserRole(AclManager $manager)
{
$sid = $manager->getSid($this->getRole(LoadRolesData::ROLE_USER));
foreach ($manager->getAllExtensions() as $extension) {
$rootOid = $manager->getRootOid($extension->getExtensionKey());
foreach ($extension->getAllMaskBuilders() as $maskBuilder) {
if ($maskBuilder->hasConst('GROUP_BASIC')) {
if ($maskBuilder->hasConst('MASK_VIEW_SYSTEM')) {
$mask = $maskBuilder->getConst('MASK_VIEW_SYSTEM');
/* @todo now only SYSTEM level is supported
| $maskBuilder->getConst('MASK_CREATE_BASIC')
| $maskBuilder->getConst('MASK_EDIT_BASIC')
| $maskBuilder->getConst('MASK_DELETE_BASIC')
| $maskBuilder->getConst('MASK_ASSIGN_BASIC')
| $maskBuilder->getConst('MASK_SHARE_BASIC');
*/
} else {
$mask = $maskBuilder->getConst('GROUP_BASIC');
}
} else {
$mask = $maskBuilder->getConst('GROUP_NONE');
}
$manager->setPermission($sid, $rootOid, $mask, true);
}
}
}