/**
  * Grants the role stored under the 'manager_role' reference access to calendar
  * connections (view) and calendar events (view, create, edit, delete).
  *
  * NOTE(review): the stated intent is "same business unit" for connections and
  * "own" for events, but every mask added here is a *_SYSTEM one. Confirm that
  * the access level written to the ACL is the one intended for this role.
  *
  * @param AclManager $manager
  */
 protected function updateManagerRole(AclManager $manager)
 {
     $managerSid = $manager->getSid($this->getReference('manager_role'));

     // Calendar connections: view only (lets a manager see other users' calendars).
     $connectionOid = $manager->getOid('entity:Oro\\Bundle\\CalendarBundle\\Entity\\CalendarConnection');
     $connectionBuilder = $manager->getMaskBuilder($connectionOid);
     $connectionBuilder = $connectionBuilder->add('VIEW_SYSTEM');
     $manager->setPermission($managerSid, $connectionOid, $connectionBuilder->get());

     // Calendar events: view, create, edit and delete.
     $eventOid = $manager->getOid('entity:Oro\\Bundle\\CalendarBundle\\Entity\\CalendarEvent');
     $eventBuilder = $manager->getMaskBuilder($eventOid)
         ->add('VIEW_SYSTEM')
         ->add('CREATE_SYSTEM')
         ->add('EDIT_SYSTEM')
         ->add('DELETE_SYSTEM');
     $manager->setPermission($managerSid, $eventOid, $eventBuilder->get());
 }
 /**
  * Grants the given role the full-access mask on the root object identity of
  * every ACL extension.
  *
  * The anonymous role is skipped and receives nothing. Every other role passed
  * in gets GROUP_SYSTEM where the mask builder defines it and GROUP_ALL
  * otherwise, so callers should pass only roles that are meant to have
  * unrestricted access.
  *
  * @param Role $role
  */
 protected function loadAcls(Role $role)
 {
     if ($role->getRole() === User::ROLE_ANONYMOUS) {
         return;
     }

     $roleSid = $this->aclManager->getSid($role);
     foreach ($this->aclManager->getAllExtensions() as $aclExtension) {
         $rootOid = $this->aclManager->getRootOid($aclExtension->getExtensionKey());
         foreach ($aclExtension->getAllMaskBuilders() as $builder) {
             // Prefer the SYSTEM group; fall back to GROUP_ALL for builders without it.
             if ($builder->hasConst('GROUP_SYSTEM')) {
                 $fullAccessMask = $builder->getConst('GROUP_SYSTEM');
             } else {
                 $fullAccessMask = $builder->getConst('GROUP_ALL');
             }
             $this->aclManager->setPermission($roleSid, $rootOid, $fullAccessMask, true);
         }
     }
 }
 /**
  * Grants view, create and edit (the *_SYSTEM masks) on the Email entity.
  *
  * NOTE(review): despite the method name, the role looked up here is
  * LoadRolesData::ROLE_ADMINISTRATOR. Confirm this is the role intended.
  *
  * @param AclManager $manager
  */
 protected function updateUserRole(AclManager $manager)
 {
     $roleSid = $manager->getSid($this->getRole(LoadRolesData::ROLE_ADMINISTRATOR));
     $emailOid = $manager->getOid('entity:Oro\\Bundle\\EmailBundle\\Entity\\Email');

     $emailBuilder = $manager->getMaskBuilder($emailOid)
         ->add('VIEW_SYSTEM')
         ->add('CREATE_SYSTEM')
         ->add('EDIT_SYSTEM');

     $manager->setPermission($roleSid, $emailOid, $emailBuilder->get());
 }
 /**
  * Reconciles one existing ACE with the new object-level and root-level masks.
  *
  * findSimilarMask() is asked for the counterpart of $existingMask in $masks
  * and in $rootMasks. The ACE is then:
  *  - left untouched when neither counterpart exists;
  *  - overwritten with the object-level mask when only that one exists;
  *  - deleted when it grants exactly what the adapted root mask already grants;
  *  - overwritten with the object-level mask when both exist and differ.
  *
  * @param SID $sid
  * @param OID $oid
  * @param int $existingMask
  * @param int[] $masks Passed by value in this signature, so the caller's array is not modified
  * @param int[] $rootMasks
  * @param AclExtensionInterface $extension
  * @return bool|int The counterpart found in $masks, or false when there is none
  */
 protected function updateExistingPermissions(SID $sid, OID $oid, $existingMask, $masks, $rootMasks, AclExtensionInterface $extension)
 {
     $mask = $this->findSimilarMask($masks, $existingMask, $extension);
     $rootMask = $this->findSimilarMask($rootMasks, $existingMask, $extension);

     if ($rootMask === false) {
         // No root counterpart: apply $mask if there is one, otherwise keep the ACE as is.
         if ($mask !== false) {
             $this->manager->setPermission($sid, $oid, $mask);
         }

         return $mask;
     }

     // A root counterpart exists; compare against it in the form adapted to this OID.
     $adaptedRootMask = $extension->adaptRootMask($rootMask, $oid);

     if ($mask === false) {
         // Only the root counterpart exists: drop the ACE when it merely repeats the root ACE.
         if ($existingMask === $adaptedRootMask) {
             $this->manager->deletePermission($sid, $oid, $existingMask);
         }

         return $mask;
     }

     if ($mask === $adaptedRootMask) {
         // The new object-level mask adds nothing over the root ACE, so the ACE is redundant.
         $this->manager->deletePermission($sid, $oid, $existingMask);
     } else {
         // Object-level and root-level permissions differ: store the object-level mask.
         $this->manager->setPermission($sid, $oid, $mask);
     }

     return $mask;
 }
 /**
  * Grants the manager role view, create, edit and delete on calendar events.
  *
  * NOTE(review): the stated intent is "own calendar events", but the masks
  * added are the *_SYSTEM ones. Confirm the access level is as intended.
  *
  * @param AclManager $manager
  */
 protected function updateManagerRole(AclManager $manager)
 {
     $managerSid = $manager->getSid($this->getRole(LoadRolesData::ROLE_MANAGER));
     $eventOid = $manager->getOid('entity:Oro\\Bundle\\CalendarBundle\\Entity\\CalendarEvent');

     $eventBuilder = $manager->getMaskBuilder($eventOid)
         ->add('VIEW_SYSTEM')
         ->add('CREATE_SYSTEM')
         ->add('EDIT_SYSTEM')
         ->add('DELETE_SYSTEM');

     $manager->setPermission($managerSid, $eventOid, $eventBuilder->get());
 }
 /**
  * Grants the sales/marketing roles listed below view, create and edit
  * (the *_BASIC masks) on the EmailUser entity.
  *
  * @param AclManager $manager
  */
 protected function updateUserRole(AclManager $manager)
 {
     foreach (['ROLE_ONLINE_SALES_REP', 'ROLE_MARKETING_MANAGER', 'ROLE_LEADS_DEVELOPMENT_REP'] as $roleName) {
         $roleSid = $manager->getSid($this->getRole($roleName));
         $emailUserOid = $manager->getOid('entity:Oro\\Bundle\\EmailBundle\\Entity\\EmailUser');

         // Accumulate the three permissions on the builder for this OID.
         $builder = $manager->getMaskBuilder($emailUserOid);
         foreach (['VIEW_BASIC', 'CREATE_BASIC', 'EDIT_BASIC'] as $permission) {
             $builder = $builder->add($permission);
         }

         $manager->setPermission($roleSid, $emailUserOid, $builder->get());
     }
 }
 /**
  * Grants the user and manager roles view, create and edit (the *_BASIC masks)
  * on the EmailUser entity.
  *
  * @param AclManager $manager
  */
 protected function updateUserRole(AclManager $manager)
 {
     foreach ([LoadRolesData::ROLE_USER, LoadRolesData::ROLE_MANAGER] as $roleName) {
         $roleSid = $manager->getSid($this->getRole($roleName));
         $emailUserOid = $manager->getOid('entity:Oro\\Bundle\\EmailBundle\\Entity\\EmailUser');

         // Accumulate the three permissions on the builder for this OID.
         $builder = $manager->getMaskBuilder($emailUserOid);
         foreach (['VIEW_BASIC', 'CREATE_BASIC', 'EDIT_BASIC'] as $permission) {
             $builder = $builder->add($permission);
         }

         $manager->setPermission($roleSid, $emailUserOid, $builder->get());
     }
 }
 /**
  * setPermission() on an object identity for which no ACL exists.
  *
  * findAcl() is stubbed to throw AclNotFoundException. The test expects the
  * mask to be validated by the extension exactly once and the ACE provider's
  * setPermission() never to be called, i.e. no ACE is written in this case.
  */
 public function testSetPermissionForEntityClassNoAcl()
 {
     $sid = $this->getMock('Symfony\\Component\\Security\\Acl\\Model\\SecurityIdentityInterface');
     $oid = new ObjectIdentity('entity', 'Acme\\Test');
     $mask = 123;

     // The ACL lookup fails for this OID.
     $this->aclProvider
         ->expects($this->once())
         ->method('findAcl')
         ->with($this->identicalTo($oid))
         ->will($this->throwException(new AclNotFoundException()));

     // The mask is validated against the same OID.
     $this->extension
         ->expects($this->once())
         ->method('validateMask')
         ->with($this->equalTo($mask), $this->identicalTo($oid));

     // No ACE may be written.
     $this->aceProvider
         ->expects($this->never())
         ->method('setPermission');

     // Granting, with the 'any' strategy.
     $this->manager->setPermission($sid, $oid, $mask, true, 'any');
 }
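 /**
  * Grants the buyer role view, create, edit and delete (the *_BASIC masks) on
  * the shopping list entity.
  *
  * Nothing is written when ACL is disabled. For each EntityAclExtension the
  * mask is built and stored while the chain metadata provider emulates the
  * provider registered under FrontendOwnershipMetadataProvider::ALIAS.
  * Emulation is stopped in a finally block so that an exception thrown while
  * building or storing the mask cannot leave it switched on for later code.
  *
  * @param ObjectManager $manager
  * @param AclManager    $aclManager
  */
 protected function setBuyerShoppingListPermissions(ObjectManager $manager, AclManager $aclManager)
 {
     $chainMetadataProvider = $this->container->get('oro_security.owner.metadata_provider.chain');
     $allowedAcls = ['VIEW_BASIC', 'CREATE_BASIC', 'EDIT_BASIC', 'DELETE_BASIC'];
     $role = $this->getBuyerRole($manager);
     if (!$aclManager->isAclEnabled()) {
         return;
     }

     $sid = $aclManager->getSid($role);
     $className = $this->container->getParameter('orob2b_shopping_list.entity.shopping_list.class');
     foreach ($aclManager->getAllExtensions() as $extension) {
         if (!$extension instanceof EntityAclExtension) {
             continue;
         }

         // Started outside the try so that stop only runs after a successful start.
         $chainMetadataProvider->startProviderEmulation(FrontendOwnershipMetadataProvider::ALIAS);
         try {
             $oid = $aclManager->getOid('entity:' . $className);
             $builder = $aclManager->getMaskBuilder($oid);
             // Start from an empty mask so only the listed permissions are granted.
             $mask = $builder->reset()->get();
             foreach ($allowedAcls as $acl) {
                 $mask = $builder->add($acl)->get();
             }
             $aclManager->setPermission($sid, $oid, $mask);
         } finally {
             $chainMetadataProvider->stopProviderEmulation();
         }
     }
 }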
 /**
  * Sets the root-level mask of the user role for every ACL extension.
  *
  * Per mask builder the mask is chosen as follows:
  *  - GROUP_NONE when the builder has no GROUP_BASIC constant;
  *  - MASK_VIEW_SYSTEM when the builder has both GROUP_BASIC and MASK_VIEW_SYSTEM;
  *  - GROUP_BASIC otherwise.
  *
  * Where MASK_VIEW_SYSTEM is chosen, the role receives only that view mask; see
  * the TODO in the body for the BASIC masks that are not yet combined with it.
  *
  * @param AclManager $manager
  */
 protected function loadUserRole(AclManager $manager)
 {
     $userSid = $manager->getSid($this->getRole(LoadRolesData::ROLE_USER));
     foreach ($manager->getAllExtensions() as $aclExtension) {
         $rootOid = $manager->getRootOid($aclExtension->getExtensionKey());
         foreach ($aclExtension->getAllMaskBuilders() as $builder) {
             if (!$builder->hasConst('GROUP_BASIC')) {
                 $maskName = 'GROUP_NONE';
             } elseif ($builder->hasConst('MASK_VIEW_SYSTEM')) {
                 // @todo now only SYSTEM level is supported. Once other levels are,
                 // this mask is meant to be OR-ed with MASK_CREATE_BASIC, MASK_EDIT_BASIC,
                 // MASK_DELETE_BASIC, MASK_ASSIGN_BASIC and MASK_SHARE_BASIC.
                 $maskName = 'MASK_VIEW_SYSTEM';
             } else {
                 $maskName = 'GROUP_BASIC';
             }

             $manager->setPermission($userSid, $rootOid, $builder->getConst($maskName), true);
         }
     }
 }
 /**
  * Grants the given role the full-access mask on the root object identity of
  * every ACL extension.
  *
  * GROUP_SYSTEM is used where the mask builder defines it, GROUP_ALL otherwise.
  * No role is filtered out here, so callers should pass only roles that are
  * meant to have unrestricted access.
  *
  * @param AclManager $manager
  * @param Role       $role
  *
  * @see Oro\Bundle\SecurityBundle\DataFixtures\ORM\LoadAclRoles
  */
 protected function loadAcls(AclManager $manager, Role $role)
 {
     $roleSid = $manager->getSid($role);
     foreach ($manager->getAllExtensions() as $aclExtension) {
         $rootOid = $manager->getRootOid($aclExtension->getExtensionKey());
         foreach ($aclExtension->getAllMaskBuilders() as $builder) {
             // Prefer the SYSTEM group; fall back to GROUP_ALL for builders without it.
             if ($builder->hasConst('GROUP_SYSTEM')) {
                 $fullAccessMask = $builder->getConst('GROUP_SYSTEM');
             } else {
                 $fullAccessMask = $builder->getConst('GROUP_ALL');
             }
             $manager->setPermission($roleSid, $rootOid, $fullAccessMask, true);
         }
     }
 }
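 /**
  * Replaces the role's permissions on one entity class with exactly the
  * permissions named in $allowedAcls.
  *
  * Nothing is written when ACL is disabled. For each EntityAclExtension the
  * mask is built from an empty (reset) builder and stored while the chain
  * metadata provider emulates the provider registered under
  * FrontendOwnershipMetadataProvider::ALIAS. Emulation is stopped in a finally
  * block so that an exception thrown while building or storing the mask
  * (for example an unknown permission name; TODO confirm what add() throws)
  * cannot leave it switched on for later code.
  *
  * @param AclManager $aclManager
  * @param AccountUserRole $role
  * @param string $className Entity class name; it is appended to the 'entity:' prefix
  * @param array $allowedAcls Permission names passed to the mask builder's add()
  */
 protected function setRolePermissions(AclManager $aclManager, AccountUserRole $role, $className, array $allowedAcls)
 {
     /* @var $chainMetadataProvider ChainMetadataProvider */
     $chainMetadataProvider = $this->container->get('oro_security.owner.metadata_provider.chain');
     if (!$aclManager->isAclEnabled()) {
         return;
     }

     $sid = $aclManager->getSid($role);
     foreach ($aclManager->getAllExtensions() as $extension) {
         if (!$extension instanceof EntityAclExtension) {
             continue;
         }

         // Started outside the try so that stop only runs after a successful start.
         $chainMetadataProvider->startProviderEmulation(FrontendOwnershipMetadataProvider::ALIAS);
         try {
             $oid = $aclManager->getOid('entity:' . $className);
             $builder = $aclManager->getMaskBuilder($oid);
             // Start from an empty mask so only the listed permissions are granted.
             $mask = $builder->reset()->get();
             foreach ($allowedAcls as $acl) {
                 $mask = $builder->add($acl)->get();
             }
             $aclManager->setPermission($sid, $oid, $mask);
         } finally {
             $chainMetadataProvider->stopProviderEmulation();
         }
     }
 }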
 /**
  * Grants the security identity the full-access mask on the root object
  * identity of every ACL extension.
  *
  * GROUP_SYSTEM is used where the mask builder defines it, GROUP_ALL otherwise.
  * The identity is not checked here, so callers should pass only identities
  * that are meant to have unrestricted access.
  *
  * @param AclManager $aclManager
  * @param SecurityIdentityInterface $sid
  */
 protected function setPermissionGroup(AclManager $aclManager, SecurityIdentityInterface $sid)
 {
     foreach ($aclManager->getAllExtensions() as $aclExtension) {
         $rootOid = $aclManager->getRootOid($aclExtension->getExtensionKey());
         foreach ($aclExtension->getAllMaskBuilders() as $builder) {
             // Prefer the SYSTEM group; fall back to GROUP_ALL for builders without it.
             if ($builder->hasConst('GROUP_SYSTEM')) {
                 $fullAccessMask = $builder->getConst('GROUP_SYSTEM');
             } else {
                 $fullAccessMask = $builder->getConst('GROUP_ALL');
             }
             $aclManager->setPermission($sid, $rootOid, $fullAccessMask, true);
         }
     }
 }
 /**
  * Sets the named permission group on the root object identity of one extension.
  *
  * The mask is taken from the first mask builder of the extension that defines
  * a constant named $group; later builders are not consulted. When no builder
  * defines it, nothing is written and no error is raised.
  *
  * @param AclManager $aclManager
  * @param AclExtensionInterface $extension
  * @param SecurityIdentityInterface $sid
  * @param string $group Name of the mask-builder constant to grant
  */
 protected function setPermissionGroup(AclManager $aclManager, AclExtensionInterface $extension, SecurityIdentityInterface $sid, $group)
 {
     $rootOid = $aclManager->getRootOid($extension->getExtensionKey());
     foreach ($extension->getAllMaskBuilders() as $builder) {
         if (!$builder->hasConst($group)) {
             continue;
         }

         // First builder that knows the group wins.
         $aclManager->setPermission($sid, $rootOid, $builder->getConst($group), true);
         break;
     }
 }