public function authenticateToken(TokenInterface $token, UserProviderInterface $userProvider, $providerKey)
{
$secret = $token->getCredentials();
$userData = $this->session->getFlashBag()->get('arcanys_sso_auth.user_data');
if ($userData) {
// TODO create mapping config in the future
$username = reset($userData['uid']);
$email = reset($userData['email']);
$firstname = reset($userData['firstname']);
$lastname = reset($userData['lastname']);
$token = reset($userData['token']);
$roles = $userData['rights'];
if (!$roles) {
$roles = ['ROLE_USER'];
}
} else {
$this->saml2->login();
exit;
}
if (!$username) {
throw new AuthenticationException("Failed to authenticate from SSO");
}
$user = $userProvider->loadUserByUsername(['username' => $username, 'email' => $email, 'firstname' => $firstname, 'lastname' => $lastname, 'token' => $token, 'roles' => $roles]);
return new PreAuthenticatedToken($user, $secret, $providerKey, $user->getRoles($roles));
}
/**
* @var Ecedi\Donate\CoreBundle\Entity\User
*/
public function vote(TokenInterface $token, $object, array $attributes)
{
// check if the voter is used correct, only allow one attribute
// this isn't a requirement, it's just one easy way for you to
// design your voter
if (1 !== count($attributes)) {
throw new \InvalidArgumentException('Only one attribute is allowed for VIEW, EDIT or DELETE');
}
// set the attribute to check against
$attribute = $attributes[0];
// check if the given attribute is covered by this voter
if (!$this->supportsAttribute($attribute)) {
return VoterInterface::ACCESS_ABSTAIN;
}
// get current logged in user
$currentUser = $token->getUser();
// make sure there is a user object (i.e. that the user is logged in)
if (!$currentUser instanceof UserInterface) {
return VoterInterface::ACCESS_DENIED;
}
switch ($attribute) {
case self::LIST_USERS:
if ($currentUser->hasRole('ROLE_ADMIN')) {
return VoterInterface::ACCESS_GRANTED;
}
//others cannot view others
break;
case self::CREATE_USERS:
if ($currentUser->hasRole('ROLE_ADMIN')) {
return VoterInterface::ACCESS_GRANTED;
}
break;
}
return VoterInterface::ACCESS_DENIED;
}
/**
* {@inheritdoc}
*/
protected function onLoginSuccess(Request $request, Response $response, TokenInterface $token)
{
$user = $token->getUser();
$expires = time() + $this->options['lifetime'];
$value = $this->generateCookieValue(get_class($user), $user->getUsername(), $expires, $user->getPassword());
$response->headers->setCookie(new Cookie($this->options['name'], $value, $expires, $this->options['path'], $this->options['domain'], $this->options['secure'], $this->options['httponly']));
}
function it_returns_locale_of_currently_logged_admin_user(TokenStorageInterface $tokenStorage, TokenInterface $token, AdminUserInterface $admin)
{
$admin->getLocaleCode()->willReturn('en_US');
$token->getUser()->willreturn($admin);
$tokenStorage->getToken()->willReturn($token);
$this->getLocaleCode()->shouldReturn('en_US');
}
public function vote(TokenInterface $token, $object, array $attributes)
{
// check if the voter is used correct, only allow one attribute
// this isn't a requirement, it's just one easy way for you to
// design your voter
if (1 !== count($attributes)) {
throw new \InvalidArgumentException('Only one attribute is allowed for TicketVoter');
}
// set the attribute to check against
$attribute = $attributes[0];
// check if the given attribute is covered by this voter
if (!$this->supportsAttribute($attribute)) {
return VoterInterface::ACCESS_ABSTAIN;
}
// get current logged in user
$user = $token->getUser();
// make sure there is a user object (i.e. that the user is logged in)
if (!$user instanceof Netizen) {
return VoterInterface::ACCESS_DENIED;
}
if ($this->freeAccess || $this->hasFreeAccess($user)) {
return VoterInterface::ACCESS_GRANTED;
}
if ($user->hasValidTicket()) {
return VoterInterface::ACCESS_GRANTED;
}
// if everything else fails:
return VoterInterface::ACCESS_DENIED;
}
/**
* {@inheritDoc}
*/
public function onAuthenticationSuccess(Request $request, TokenInterface $token)
{
$session = $request->getSession();
$user = $token->getUser();
$session->registerAccount($user, $request, $this);
return parent::onAuthenticationSuccess($request, $token);
}
/**
* Returns the vote for the given parameters.
*
* This method must return one of the following constants:
* ACCESS_GRANTED, ACCESS_DENIED, or ACCESS_ABSTAIN.
*
* @param TokenInterface $token A TokenInterface instance
* @param object|null $object The object to secure
* @param array $attributes An array of attributes associated with the method being invoked
*
* @return int either ACCESS_GRANTED, ACCESS_ABSTAIN, or ACCESS_DENIED
*/
public function vote(TokenInterface $token, $object, array $attributes)
{
$class = get_class($object);
if (!$this->supportsClass($class)) {
return self::ACCESS_ABSTAIN;
}
$user = $token->getUser();
if ($user === 'anon.') {
return self::ACCESS_ABSTAIN;
} else {
if (in_array('ADMINISTRATE_BLOG', $attributes) || in_array('SWITCH_ARTICLE_AUTHOR', $attributes)) {
if ($user->hasRole('ROLE_BLOG_ADMIN')) {
return self::ACCESS_GRANTED;
} else {
return self::ACCESS_DENIED;
}
} elseif (in_array('ADMINISTRATE_COMMENTS', $attributes)) {
if ($user->hasRole('ROLE_BLOG_ADMIN') || $user->hasRole('ROLE_BLOG_EDITOR')) {
return self::ACCESS_GRANTED;
} else {
return self::ACCESS_DENIED;
}
}
return self::ACCESS_ABSTAIN;
}
}
/**
* {@inheritDoc}
*/
public function vote(TokenInterface $token, $object, array $attributes)
{
if (!$object || !is_object($object)) {
return self::ACCESS_ABSTAIN;
}
$objectClass = ClassUtils::getClass($object);
if (!$this->supportsClass($objectClass)) {
return self::ACCESS_ABSTAIN;
}
foreach ($attributes as $attribute) {
if (!$this->supportsAttribute($attribute)) {
return self::ACCESS_ABSTAIN;
}
}
$object = $this->convertToSupportedObject($object, $objectClass);
/** @var EmailUser[] $emailUsers */
$emailUsers = $object->getEmailUsers();
foreach ($attributes as $attribute) {
foreach ($emailUsers as $emailUser) {
if ($this->container->get('oro_security.security_facade')->isGranted($attribute, $emailUser)) {
return self::ACCESS_GRANTED;
}
if ($mailbox = $emailUser->getMailboxOwner() !== null && $token instanceof UsernamePasswordOrganizationToken) {
$repo = $this->container->get('doctrine')->getRepository('OroEmailBundle:Mailbox');
$mailboxes = $repo->findAvailableMailboxes($token->getUser(), $token->getOrganizationContext());
if (in_array($mailbox, $mailboxes)) {
return self::ACCESS_GRANTED;
}
}
}
}
return self::ACCESS_DENIED;
}
public function vote(TokenInterface $token, $transition, array $attributes)
{
if (in_array('WORKFLOW_TRANSITION', $attributes)) {
//check if the current user is allowed to use the transition
$user = $token->getUser();
$userGroupsCol = $user->getGroups();
//make array of collection
$userGroups = array();
foreach ($userGroupsCol as $userGroup) {
$userGroups[] = $userGroup;
}
$transitionGroupsCol = $transition->getGroups();
//make array of collection
$transitionGroups = array();
foreach ($transitionGroupsCol as $transitionGroup) {
$transitionGroups[] = $transitionGroup;
}
foreach ($userGroups as $userGroup) {
if (in_array($userGroup, $transitionGroups)) {
return self::ACCESS_GRANTED;
}
}
return self::ACCESS_DENIED;
}
return self::ACCESS_ABSTAIN;
}
/**
* @param string $attribute
* @param CourseLearningMaterialInterface $material
* @param TokenInterface $token
* @return bool
*/
protected function voteOnAttribute($attribute, $material, TokenInterface $token)
{
$user = $token->getUser();
if (!$user instanceof UserInterface) {
return false;
}
$course = $material->getCourse();
if (!$course) {
return false;
}
switch ($attribute) {
case self::VIEW:
$granted = $this->isViewGranted($course->getId(), $course->getSchool()->getId(), $user);
// prevent access if associated LM is in draft, and the current user has no elevated privileges.
if ($granted) {
$granted = $this->userHasRole($token->getUser(), ['Faculty', 'Course Director', 'Developer']) || LearningMaterialStatusInterface::IN_DRAFT !== $material->getLearningMaterial()->getStatus()->getId();
}
return $granted;
break;
case self::CREATE:
case self::EDIT:
case self::DELETE:
// prevent any sort of write operation (create/edit/delete) if the parent course is locked or archived.
if ($course->isLocked() || $course->isArchived()) {
return false;
}
return $this->isWriteGranted($course->getId(), $course->getSchool()->getId(), $user);
break;
}
return false;
}
/**
* Get valid UserApi for given token
*
* @param TokenInterface $token
* @param PersistentCollection $secrets
* @param User $user
*
* @return bool|UserApi
*/
protected function getValidUserApi(TokenInterface $token, PersistentCollection $secrets, User $user)
{
$currentIteration = 0;
$nonce = $token->getAttribute('nonce');
$secretsCount = $secrets->count();
/** @var UserApi $userApi */
foreach ($secrets as $userApi) {
$currentIteration++;
$isSecretValid = $this->validateDigest($token->getAttribute('digest'), $nonce, $token->getAttribute('created'), $userApi->getApiKey(), $this->getSalt($user));
if ($isSecretValid && !$userApi->getUser()->getOrganizations()->contains($userApi->getOrganization())) {
throw new BadCredentialsException('Wrong API key.');
}
if ($isSecretValid && !$userApi->getOrganization()->isEnabled()) {
throw new BadCredentialsException('Organization is not active.');
}
// delete nonce from cache because user have another api keys
if (!$isSecretValid && $secretsCount !== $currentIteration) {
$this->getNonceCache()->delete($nonce);
}
if ($isSecretValid) {
return $userApi;
}
}
return false;
}
function vote(TokenInterface $token, $node, array $attributes)
{
if (!$node instanceof Node) {
return self::ACCESS_ABSTAIN;
}
if (!in_array($attributes[0], array_keys($this->roles))) {
return self::ACCESS_ABSTAIN;
}
$user = $token->getUser();
$parent = $node->getParent();
if (!is_null($parent) && !$this->container->get('security.authorization_checker')->isGranted($attributes, $parent)) {
return self::ACCESS_DENIED;
}
if (method_exists($node, 'getInherit') && $node->getInherit()) {
return self::ACCESS_GRANTED;
}
if ($node->getOwner() == $user) {
return self::ACCESS_GRANTED;
}
foreach ($node->getUsers() as $nodeUser) {
if ($nodeUser->getUser() == $user && $this->roles[$nodeUser->getRole()] >= $this->roles[$attributes[0]]) {
return self::ACCESS_GRANTED;
}
}
foreach ($user->getAssocTeams() as $team) {
foreach ($node->getTeams() as $nodeTeam) {
if ($nodeTeam->getTeam() == $team->getTeam() && $this->roles[$nodeTeam->getRole()] >= $this->roles[$attributes[0]]) {
return self::ACCESS_GRANTED;
}
}
}
return self::ACCESS_DENIED;
}
protected function voteOnAttribute($attribute, $subject, TokenInterface $token)
{
$user = $token->getUser();
/** @var Estate */
$estate = $subject;
if (!$user instanceof UserInterface) {
return false;
}
switch ($attribute) {
case self::VIEW:
if ($this->decisionManager->decide($token, array('ROLE_ADMIN', 'ROLE_MANAGER'))) {
return true;
}
break;
case self::CREATE:
if ($this->decisionManager->decide($token, array('ROLE_ADMIN', 'ROLE_MANAGER'))) {
return true;
}
break;
case self::EDIT:
if ($user->getUsername() === $estate->getCreatedBy() || $this->decisionManager->decide($token, array('ROLE_ADMIN'))) {
return true;
}
break;
case self::REMOVE:
if ($user->getUsername() === $estate->getCreatedBy() || $this->decisionManager->decide($token, array('ROLE_ADMIN'))) {
return true;
}
break;
}
return false;
}
/**
* @param string $attribute
* @param ObjectiveInterface $objective
* @param TokenInterface $token
* @return bool
*/
protected function voteOnAttribute($attribute, $objective, TokenInterface $token)
{
$user = $token->getUser();
if (!$user instanceof UserInterface) {
return false;
}
switch ($attribute) {
case self::VIEW:
// Any authenticated user can see all objectives.
return true;
break;
case self::CREATE:
case self::EDIT:
case self::DELETE:
// Well...poop.
// The rules for granting access hinge on the ownership context of the given objective.
// Is this a course objective? or a program year object? perhaps a session objective?
// No easy way of telling.
// So really, this is three voters in one.
// TODO: Clean this mess up. [ST 2015/08/05]
if (!$objective->getCourses()->isEmpty()) {
// got courses? if so, it's a course objective.
return $this->isCreateEditDeleteGrantedForCourseObjective($objective, $user);
} elseif (!$objective->getSessions()->isEmpty()) {
// and so on..
return $this->isCreateEditDeleteGrantedForSessionObjective($objective, $user);
} elseif (!$objective->getProgramYears()->isEmpty()) {
// and so on ..
return $this->isCreateEditDeleteGrantedForProgramYearObjective($objective, $user);
}
break;
}
return false;
}
/**
* @param TokenInterface $post
* @param mixed $post
* @param array $attributes
* @return integer
*/
public function vote(TokenInterface $token, $post, array $attributes)
{
if (!$this->supportsClass(get_class($post))) {
return VoterInterface::ACCESS_ABSTAIN;
}
if (1 !== count($attributes)) {
throw new \InvalidArgumentException('Only one attribute is allowed for VIEW or EDIT');
}
$attribute = $attributes[0];
if (!$this->supportsAttribute($attribute)) {
return VoterInterface::ACCESS_ABSTAIN;
}
$user = $token->getUser();
if (!$user instanceof UserInterface) {
return VoterInterface::ACCESS_DENIED;
}
switch ($attribute) {
case self::VIEW:
return VoterInterface::ACCESS_GRANTED;
break;
case self::EDIT:
case self::DELETE:
if ($user->getId() === $post->getOwner()->getId()) {
return VoterInterface::ACCESS_GRANTED;
}
break;
}
return VoterInterface::ACCESS_DENIED;
}
protected function voteOnAttribute($attribute, $subject, TokenInterface $token)
{
$user = $token->getUser();
/** @var Comment */
$comment = $subject;
// $subject must be a Comment instance, thanks to the supports method
if (!$user instanceof UserInterface) {
return false;
}
switch ($attribute) {
case self::CREATE:
// if the user is an admin, allow them to create new comments
if ($this->decisionManager->decide($token, array('ROLE_ADMIN', 'ROLE_MODERATOR', 'ROLE_USER'))) {
return true;
}
break;
case self::EDIT:
// if the user is the author of the comment or admin or moderator, allow them to edit the comments
if ($comment->isAuthor($user) || $this->decisionManager->decide($token, array('ROLE_ADMIN')) && $comment->isAuthor($user) || $this->decisionManager->decide($token, array('ROLE_MODERATOR')) && $this->canYouDoIt($comment, $user)) {
return true;
}
break;
case self::REMOVE:
// if the user is the author of the comment or admin or moderator, allow them to remove the posts in the some order
if ($comment->isAuthor($user) || $this->decisionManager->decide($token, array('ROLE_ADMIN')) && $comment->isAuthor($user) || $this->decisionManager->decide($token, array('ROLE_MODERATOR')) && $this->canYouDoIt($comment, $user)) {
return true;
}
break;
}
return false;
}
/**
* @return boolean
*/
public function supportsToken(TokenInterface $token, $providerKey)
{
if (!$token instanceof PreAuthenticatedToken) {
return false;
}
return $token->getProviderKey() === $providerKey;
}
protected function voteOnAttribute($attribute, $subject, TokenInterface $token)
{
$user = $token->getUser();
/** @var Post */
$post = $subject;
// $subject must be a Post instance, thanks to the supports method
if (!$user instanceof UserInterface) {
return false;
}
switch ($attribute) {
case self::CREATE:
// if the user is an admin, allow them to create new posts
if ($this->decisionManager->decide($token, array('ROLE_ADMIN'))) {
return true;
}
break;
case self::EDIT:
// if the user is the author of the post, allow them to edit the posts
if ($user->getEmail() === $post->getAuthorEmail() || $this->decisionManager->decide($token, array('ROLE_ADMIN'))) {
return true;
}
break;
case self::REMOVE:
// if the user is the author of the post, allow them to edit the posts
if ($user->getEmail() === $post->getAuthorEmail() || $this->decisionManager->decide($token, array('ROLE_ADMIN'))) {
return true;
}
break;
}
return false;
}
public function vote(TokenInterface $token, Location $object, array $attributes)
{
if (in_array('ROLE_LOCATION_MODERATOR', $token->getRoles())) {
return VoterInterface::ACCESS_GRANTED;
}
return VoterInterface::ACCESS_ABSTAIN;
}
/**
* @param string $attribute
* @param ProgramInterface $program
* @param TokenInterface $token
* @return bool
*/
protected function voteOnAttribute($attribute, $program, TokenInterface $token)
{
$user = $token->getUser();
if (!$user instanceof UserInterface) {
return false;
}
switch ($attribute) {
case self::VIEW:
// do not enforce special views permissions on programs.
return true;
break;
case self::CREATE:
case self::EDIT:
case self::DELETE:
// the given user is granted CREATE, EDIT and DELETE permissions on the given program
// when at least one of the following statements is true
// 1. The user's primary school is the same as the program's owning school
// and the user has at least one of 'Course Director' and 'Developer' role.
// 2. The user has WRITE permissions on the program's owning school
// and the user has at least one of 'Course Director' and 'Developer' role.
// 3. The user has WRITE permissions on the program.
return $this->userHasRole($user, ['Course Director', 'Developer']) && ($this->schoolsAreIdentical($program->getSchool(), $user->getSchool()) || $this->permissionManager->userHasWritePermissionToSchool($user, $program->getSchool()->getId())) || $this->permissionManager->userHasWritePermissionToProgram($user, $program);
break;
}
return false;
}
public function vote(TokenInterface $token, $object, array $attributes)
{
$user = $token->getUser();
$type = ProjectGitAccess::WRITE_PERMISSION;
foreach ($attributes as $attribute) {
switch ($attribute) {
case 'GIT_DELETE':
case 'GIT_FORCE':
$type = ProjectGitAccess::ADMIN_PERMISSION;
break 2;
}
}
if (is_array($object) && isset($object[0]) && $object[0] instanceof Project) {
$object = new PushTarget($object[0], $object[1]);
}
if (!$object instanceof PushTarget) {
return VoterInterface::ACCESS_ABSTAIN;
}
foreach ($object->getProject()->getGitAccesses() as $access) {
if ($access->isGranted($user, $object->getReference(), $type)) {
return self::ACCESS_GRANTED;
}
}
return self::ACCESS_DENIED;
}
/**
* {@inheritdoc}
*/
public function vote(TokenInterface $token, $subject, array $attributes)
{
if (!$subject instanceof NodeInterface) {
return VoterInterface::ACCESS_ABSTAIN;
}
$user = $token->getUser();
if (!$user instanceof DrupalUser) {
return VoterInterface::ACCESS_ABSTAIN;
}
$account = $user->getDrupalAccount();
$vote = VoterInterface::ACCESS_ABSTAIN;
// Let non-Drupal core permission pass, this will allows event-driven
// modules to handle something else than core permissions, way better!
foreach ($attributes as $attribute) {
// Ignore non-Drupal core attributes
if ($attribute !== 'view' && $attribute !== 'update' && $attribute !== 'delete') {
time();
}
$access = $this->nodeAccess($subject, $attribute, $account);
// Order is DENY, ALLOW, default is IGNORE
if (VoterInterface::ACCESS_DENIED === $access) {
return $access;
}
if (VoterInterface::ACCESS_GRANTED === $access) {
$vote = $access;
}
}
return $vote;
}
public function authenticate(TokenInterface $token)
{
$ldapUserCredentials = $token->getLDAPUserCredentials();
$ldapConnection = $this->ldapService->getConnection();
if ($ldapConnection) {
$ldapBind = $this->ldapService->bind($ldapConnection, $ldapUserCredentials['username'], $ldapUserCredentials['password']);
if (true === $ldapBind) {
$ldapEntry = $this->ldapService->read($ldapConnection, "uid=" . $ldapUserCredentials['username'] . "," . $this->ldapService->getDn(), "(objectclass=*)", array('ou', 'sn', 'cn', 'mail'));
if (is_array($ldapEntry) && isset($ldapEntry['count']) && $ldapEntry['count']) {
$ldapUserObject = $ldapEntry[0];
$user = $this->entityLibrary->get('User')->findOneByUsername($ldapUserCredentials['username']);
if (!$user) {
$roleGeneral = $this->entityLibrary->get('Role')->findOneByName('ROLE_GENERAL');
$groupGeneral = $this->entityLibrary->get('UserGroup')->findOneByName('General');
$user = new User();
$user->setName($ldapUserObject['cn'][0] . ' ' . $ldapUserObject['sn'][0]);
$user->setEmail($ldapUserObject['mail'][0]);
$user->setUsername($ldapUserCredentials['username']);
$user->setSalt(uniqid());
$user->addRole($roleGeneral);
$user->addUserGroup($groupGeneral);
$this->entityLibrary->get('User')->save($user);
}
$authenticatedToken = new LDAPToken($user->getRoles());
$authenticatedToken->setUser($user);
$authenticatedToken->setLDAPUserCredentials($ldapUserCredentials);
return $authenticatedToken;
}
}
throw new AuthenticationException('The LDAP credentials are not found.');
}
throw new AuthenticationException('The LDAP authentication failed.');
}
/**
* Only SuperAdmin (Dev & Plaform admin) can manage Keywords & Api clients
*
* @param string $attribute
* @param mixed $subject
* @param TokenInterface $token
*
* @return bool
*/
protected function voteOnAttribute($attribute, $subject, TokenInterface $token)
{
if ($this->isSuperAdmin($token->getUser())) {
return true;
}
return false;
}
/**
* @param TokenInterface $token
* @param mixed $object
* @param array $attributes
*
* @return int
*/
public function vote(TokenInterface $token, $object, array $attributes)
{
if (!is_object($object)) {
return self::ACCESS_ABSTAIN;
}
if (!in_array(get_class($object), $this->classes)) {
return self::ACCESS_ABSTAIN;
}
if (!in_array($attributes[0], array_keys($this->roles))) {
return self::ACCESS_ABSTAIN;
}
/**
* @var User $user
*/
$user = $token->getUser();
foreach ($this->roles[$attributes[0]] as $role => $func) {
if (!$user->hasRole($role)) {
continue;
}
if ($func === true || method_exists($this, $func) && call_user_func([$this, $func], $user, $object)) {
return self::ACCESS_GRANTED;
}
}
return self::ACCESS_DENIED;
}
/**
* Returns the vote for the given parameters.
*
* This method must return one of the following constants:
* ACCESS_GRANTED, ACCESS_DENIED, or ACCESS_ABSTAIN.
*
* @param TokenInterface $token A TokenInterface instance
* @param object|null $object The object to secure
* @param array $attributes An array of attributes associated with the method being invoked
*
* @return int either ACCESS_GRANTED, ACCESS_ABSTAIN, or ACCESS_DENIED
*/
public function vote(TokenInterface $token, $object, array $attributes)
{
if ($token->getUser() instanceof UserInterface === false) {
return self::ACCESS_ABSTAIN;
}
if (!$object || !$this->supportsClass(get_class($object))) {
return self::ACCESS_ABSTAIN;
}
// abstain vote by default in case none of the attributes are supported
$vote = self::ACCESS_ABSTAIN;
foreach ($attributes as $attribute) {
if (!$this->supportsAttribute($attribute)) {
continue;
}
// as soon as at least one attribute is supported, default is to deny access
// $vote = self::ACCESS_DENIED;
/** @var UserInterface $user */
$currentSite = $this->siteManager->getCurrentSite();
// $roles = $this->roleHierarchy->getReachableRoles($token->getRoles());
//
// if (in_array(new OrganizerRole($currentSite), $roles)) {
// return self::ACCESS_GRANTED;
// }
$organizerRole = new OrganizerRole($currentSite);
if ($token->getUser()->hasRole($organizerRole->getRole())) {
return self::ACCESS_GRANTED;
}
}
return $vote;
}
/**
* {@inheritdoc}
*/
protected function onLoginSuccess(Request $request, Response $response, TokenInterface $token)
{
$series = base64_encode(random_bytes(64));
$tokenValue = base64_encode(random_bytes(64));
$this->tokenProvider->createNewToken(new PersistentToken(get_class($user = $token->getUser()), $user->getUsername(), $series, $tokenValue, new \DateTime()));
$response->headers->setCookie(new Cookie($this->options['name'], $this->encodeCookie(array($series, $tokenValue)), time() + $this->options['lifetime'], $this->options['path'], $this->options['domain'], $this->options['secure'], $this->options['httponly']));
}
/**
* @param string $attribute
* @param InstructorGroupInterface $group
* @param TokenInterface $token
* @return bool
*/
protected function voteOnAttribute($attribute, $group, TokenInterface $token)
{
$user = $token->getUser();
if (!$user instanceof UserInterface) {
return false;
}
switch ($attribute) {
case self::VIEW:
// unlike instructor details, instructor groups
// should be visible to any authenticated user in the system.
// do not enforce any special permissions for viewing them.
return true;
break;
case self::CREATE:
case self::EDIT:
case self::DELETE:
// grant CREATE, EDIT and DELETE privileges if at least one of the following
// statements is true:
// 1. the user's primary school is the group's owning school
// and the user has at least one of the 'Course Director' and 'Developer' roles.
// 2. the user has WRITE rights on the group's owning school via the permissions system
// and the user has at least one of the 'Course Director' and 'Developer' roles.
return $this->userHasRole($user, ['Course Director', 'Developer']) && ($this->schoolsAreIdentical($user->getSchool(), $group->getSchool()) || $this->permissionManager->userHasWritePermissionToSchool($user, $group->getSchool()->getId()));
break;
}
return false;
}
public function authenticate(TokenInterface $token)
{
if ($token->getRequestToken() === $token->getAuthToken()) {
return $token;
}
throw new AuthenticationException('The Authentication failed.');
}
public function vote(TokenInterface $token, $group, array $attributes)
{
// check if class of this object is supported by this voter
if (!$this->supportsClass(get_class($group))) {
return VoterInterface::ACCESS_ABSTAIN;
}
// check if the given attribute is covered by this voter
if (!$this->supportsAttribute($attributes[0])) {
return VoterInterface::ACCESS_ABSTAIN;
}
// get current logged in user
$user = $token->getUser();
//allow the token to have ROLE_SUPER_ADMIN before we check the user, for testing
if (in_array(new Role("ROLE_SUPER_ADMIN"), $token->getRoles())) {
return VoterInterface::ACCESS_GRANTED;
}
// make sure there is a user object (i.e. that the user is logged in)
if (!$user instanceof User) {
return VoterInterface::ACCESS_DENIED;
}
switch ($attributes[0]) {
case self::VIEW:
if ($user->hasGroup($group->getName())) {
return VoterInterface::ACCESS_GRANTED;
}
break;
case self::EDIT:
if ($user->hasGroup($group->getName()) && $user->hasRole("ROLE_ADMIN")) {
return VoterInterface::ACCESS_GRANTED;
}
break;
}
return VoterInterface::ACCESS_DENIED;
}
