/**
* Performs some checks if logging was requested.
*
* @param bool $granted
* @param EntryInterface $ace
*/
public function logIfNeeded($granted, EntryInterface $ace)
{
if (!$ace instanceof AuditableEntryInterface) {
return;
}
if ($granted && $ace->isAuditSuccess()) {
$this->doLog($granted, $ace);
} elseif (!$granted && $ace->isAuditFailure()) {
$this->doLog($granted, $ace);
}
}
/**
* Transform a given ACL entry into a Entry model.
*
* The entry will not be persisted!
*
* @param \Symfony\Component\Security\Acl\Model\EntryInterface $aclEntry
*
* @return \Propel\Bundle\PropelBundle\Model\Acl\Entry
*/
public static function fromAclEntry(EntryInterface $aclEntry)
{
$entry = new self();
// Already persisted before?
if ($aclEntry->getId()) {
$entry->setId($aclEntry->getId());
}
$entry->setMask($aclEntry->getMask())->setGranting($aclEntry->isGranting())->setGrantingStrategy($aclEntry->getStrategy())->setSecurityIdentity(SecurityIdentity::fromAclIdentity($aclEntry->getSecurityIdentity()));
if ($aclEntry instanceof FieldEntryInterface) {
$entry->setFieldName($aclEntry->getField());
}
if ($aclEntry instanceof AuditableEntryInterface) {
$entry->setAuditFailure($aclEntry->isAuditFailure())->setAuditSuccess($aclEntry->isAuditSuccess());
}
return $entry;
}
/**
* Determines whether the ACE is applicable to the given permission/security
* identity combination.
*
* Per default, we support three different comparison strategies.
*
* Strategy ALL:
* The ACE will be considered applicable when all the turned-on bits in the
* required mask are also turned-on in the ACE mask.
*
* Strategy ANY:
* The ACE will be considered applicable when any of the turned-on bits in
* the required mask is also turned-on the in the ACE mask.
*
* Strategy EQUAL:
* The ACE will be considered applicable when the bitmasks are equal.
*
* @param integer $requiredMask
* @param EntryInterface $ace
* @return Boolean
*/
protected function isAceApplicable($requiredMask, EntryInterface $ace)
{
$strategy = $ace->getStrategy();
if (self::ALL === $strategy) {
return $requiredMask === ($ace->getMask() & $requiredMask);
} else {
if (self::ANY === $strategy) {
return 0 !== ($ace->getMask() & $requiredMask);
} else {
if (self::EQUAL === $strategy) {
return $requiredMask === $ace->getMask();
}
}
}
throw new \RuntimeException(sprintf('The strategy "%s" is not supported.', $strategy));
}
/**
* Retrieve the persisted model for the given ACE.
*
* If none is given, null is returned.
*
* @param \Symfony\Component\Security\Acl\Model\EntryInterface $ace
*
* @return \Propel\Bundle\PropelBundle\Model\Acl\Entry|null
*/
protected function getPersistedAce(EntryInterface $ace, ObjectIdentity $objectIdentity, $object = false)
{
if (null !== $ace->getId() and null !== ($entry = EntryQuery::create()->findPk($ace->getId(), $this->connection))) {
$entry->reload(true, $this->connection);
return $entry;
}
/*
* The id is not set, but there may be an ACE in the database.
*
* This happens if the ACL has created new ACEs, but was not reloaded.
* We try to retrieve one by the unique key.
*/
$ukQuery = EntryQuery::create()->filterByAclClass($objectIdentity->getAclClass($this->connection))->filterBySecurityIdentity(SecurityIdentity::fromAclIdentity($ace->getSecurityIdentity(), $this->connection));
if (true === $object) {
$ukQuery->filterByObjectIdentity($objectIdentity);
} else {
$ukQuery->filterByObjectIdentityId(null, Criteria::ISNULL);
}
if ($ace instanceof FieldEntryInterface) {
$ukQuery->filterByFieldName($ace->getField());
} else {
$ukQuery->filterByFieldName(null, Criteria::ISNULL);
}
return $ukQuery->findOne($this->connection);
}
/**
* Determines whether the ACE is applicable to the given permission/security identity combination.
*
* Strategy ALL:
* The ACE will be considered applicable when all the turned-on bits in the
* required mask are also turned-on in the ACE mask.
*
* Strategy ANY:
* The ACE will be considered applicable when any of the turned-on bits in
* the required mask is also turned-on the in the ACE mask.
*
* Strategy EQUAL:
* The ACE will be considered applicable when the bitmasks are equal.
*
* @param integer $requiredMask
* @param EntryInterface $ace
* @param AclInterface $acl
* @throws \RuntimeException if the ACE strategy is not supported
* @return bool
*/
protected function isAceApplicable($requiredMask, EntryInterface $ace, AclInterface $acl)
{
$extension = $this->getContext()->getAclExtension();
$aceMask = $ace->getMask();
if ($acl->getObjectIdentity()->getType() === ObjectIdentityFactory::ROOT_IDENTITY_TYPE) {
if ($acl->getObjectIdentity()->getIdentifier() !== $extension->getExtensionKey()) {
return false;
}
$aceMask = $extension->adaptRootMask($aceMask, $this->getContext()->getObject());
}
if ($extension->getServiceBits($requiredMask) !== $extension->getServiceBits($aceMask)) {
return false;
}
$requiredMask = $extension->removeServiceBits($requiredMask);
$aceMask = $extension->removeServiceBits($aceMask);
$strategy = $ace->getStrategy();
switch ($strategy) {
case self::ALL:
return $requiredMask === ($aceMask & $requiredMask);
case self::ANY:
return 0 !== ($aceMask & $requiredMask);
case self::EQUAL:
return $requiredMask === $aceMask;
default:
throw new \RuntimeException(sprintf('The strategy "%s" is not supported.', $strategy));
}
}
/**
* Determines whether the ACE is applicable to the given permission/security
* identity combination.
*
* Per default, we support three different comparison strategies.
*
* Strategy ALL:
* The ACE will be considered applicable when all the turned-on bits in the
* required mask are also turned-on in the ACE mask.
*
* Strategy ANY:
* The ACE will be considered applicable when any of the turned-on bits in
* the required mask is also turned-on the in the ACE mask.
*
* Strategy EQUAL:
* The ACE will be considered applicable when the bitmasks are equal.
*
* @param SecurityIdentityInterface $sid
* @param EntryInterface $ace
* @param int $requiredMask
* @return Boolean
*/
protected function isAceApplicable($requiredMask, SecurityIdentityInterface $sid, EntryInterface $ace)
{
if (false === $ace->getSecurityIdentity()->equals($sid)) {
return false;
}
$strategy = $ace->getStrategy();
if (self::ALL === $strategy) {
return $requiredMask === ($ace->getMask() & $requiredMask);
} else {
if (self::ANY === $strategy) {
return 0 !== ($ace->getMask() & $requiredMask);
} else {
if (self::EQUAL === $strategy) {
return $requiredMask === $ace->getMask();
} else {
throw new \RuntimeException(sprintf('The strategy "%s" is not supported.', $strategy));
}
}
}
}
/**
* Resolve ACE itentity to User or Role
*
* @param EntryInterface $ace
* @return mixed
*/
protected function resolveIdentity(EntryInterface $ace)
{
$securityIdentity = $ace->getSecurityIdentity();
if ($securityIdentity instanceof UserSecurityIdentity) {
$userProvider = $this->userProvider;
try {
return $userProvider->loadUserByUsername($securityIdentity->getUsername());
} catch (UsernameNotFoundException $e) {
}
} elseif ($securityIdentity instanceof RoleSecurityIdentity) {
return $securityIdentity->getRole();
}
return null;
}
