private function initRoles()
{
if (!$this->policyService->hasRole('DLigo.Animaltool:Admin')) {
$this->policyService->createRole('DLigo.Animaltool:Admin');
}
if (!$this->policyService->hasRole('DLigo.Animaltool:Catcher')) {
$this->policyService->createRole('DLigo.Animaltool:Catcher');
}
if (!$this->policyService->hasRole('DLigo.Animaltool:Doctor')) {
$this->policyService->createRole('DLigo.Animaltool:Doctor');
}
}
/**
* Initializes the roles field by fetching the role objects referenced by the roleIdentifiers
*
* @return void
*/
protected function initializeRoles()
{
if ($this->roles !== null) {
return;
}
$this->roles = [];
foreach ($this->roleIdentifiers as $key => $roleIdentifier) {
// check for and clean up roles no longer available
if ($this->policyService->hasRole($roleIdentifier)) {
$this->roles[$roleIdentifier] = $this->policyService->getRole($roleIdentifier);
} else {
unset($this->roleIdentifiers[$key]);
}
}
}
/**
* @test
*/
public function hasRoleReturnsTrueIfTheSpecifiedRoleIsConfigured()
{
$this->mockPolicyConfiguration = ['roles' => ['Some.Package:SomeRole' => []]];
$this->assertTrue($this->policyService->hasRole('Some.Package:SomeRole'));
}
/**
* Replaces a role identifier not containing a "." into fully qualified role identifier from the TYPO3.Neos namespace.
*
* @param string $roleIdentifier
* @return string
* @throws NoSuchRoleException
*/
protected function normalizeRoleIdentifier($roleIdentifier)
{
if (strpos($roleIdentifier, ':') === false) {
$roleIdentifier = 'TYPO3.Neos:' . $roleIdentifier;
}
if (!$this->policyService->hasRole($roleIdentifier)) {
throw new NoSuchRoleException(sprintf('The role %s does not exist.', $roleIdentifier), 1422540184);
}
return $roleIdentifier;
}
/**
* Shows the effective policy rules currently active in the system
*
* @param boolean $grantsOnly Only list methods effectively granted to the given roles
* @return void
*/
public function showEffectivePolicyCommand($grantsOnly = FALSE)
{
$roles = array();
$roleIdentifiers = $this->request->getExceedingArguments();
if (empty($roleIdentifiers) === TRUE) {
$this->outputLine('Please specify at leas one role, to calculate the effective privileges for!');
$this->quit(1);
}
foreach ($roleIdentifiers as $roleIdentifier) {
if ($this->policyService->hasRole($roleIdentifier)) {
$currentRole = $this->policyService->getRole($roleIdentifier);
$roles[$roleIdentifier] = $currentRole;
foreach ($this->policyService->getAllParentRoles($currentRole) as $parentRoleIdentifier => $parentRole) {
if (!isset($roles[$parentRoleIdentifier])) {
$roles[$parentRoleIdentifier] = $parentRole;
}
}
}
}
if (count($roles) === 0) {
$this->outputLine('The specified role(s) do not exist.');
$this->quit(1);
}
$this->outputLine(PHP_EOL . 'The following roles will be used for calculating the effective privileges (retrieved from the configured roles hierarchy):' . PHP_EOL);
foreach ($roles as $roleIdentifier => $role) {
$this->outputLine($roleIdentifier);
}
$dummySecurityContext = new DummyContext();
$dummySecurityContext->setRoles($roles);
$accessDecisionManager = new AccessDecisionVoterManager($this->objectManager, $dummySecurityContext);
if ($this->policyCache->has('acls')) {
$classes = array();
$acls = $this->policyCache->get('acls');
foreach ($acls as $classAndMethodName => $aclEntry) {
if (strpos($classAndMethodName, '->') === FALSE) {
continue;
}
list($className, $methodName) = explode('->', $classAndMethodName);
$className = $this->objectManager->getCaseSensitiveObjectName($className);
$reflectionClass = new \ReflectionClass($className);
foreach ($reflectionClass->getMethods() as $casSensitiveMethodName) {
if ($methodName === strtolower($casSensitiveMethodName->getName())) {
$methodName = $casSensitiveMethodName->getName();
break;
}
}
$runtimeEvaluationsInPlace = FALSE;
foreach ($aclEntry as $role => $resources) {
if (in_array($role, $roles) === FALSE) {
continue;
}
if (!isset($classes[$className])) {
$classes[$className] = array();
}
if (!isset($classes[$className][$methodName])) {
$classes[$className][$methodName] = array();
$classes[$className][$methodName]['resources'] = array();
}
foreach ($resources as $resourceName => $privilege) {
$classes[$className][$methodName]['resources'][$resourceName] = $privilege;
if ($privilege['runtimeEvaluationsClosureCode'] !== FALSE) {
$runtimeEvaluationsInPlace = TRUE;
}
}
}
if ($runtimeEvaluationsInPlace === FALSE) {
try {
$accessDecisionManager->decideOnJoinPoint(new JoinPoint(NULL, $className, $methodName, array()));
} catch (AccessDeniedException $e) {
$classes[$className][$methodName]['effectivePrivilege'] = $e->getMessage();
}
if (!isset($classes[$className][$methodName]['effectivePrivilege'])) {
$classes[$className][$methodName]['effectivePrivilege'] = 'Access granted';
}
} else {
$classes[$className][$methodName]['effectivePrivilege'] = 'Could not be calculated. Runtime evaluations in place!';
}
}
foreach ($classes as $className => $methods) {
$classNamePrinted = FALSE;
foreach ($methods as $methodName => $resources) {
if ($grantsOnly === TRUE && $resources['effectivePrivilege'] !== 'Access granted') {
continue;
}
if ($classNamePrinted === FALSE) {
$this->outputLine(PHP_EOL . PHP_EOL . ' <b>' . $className . '</b>');
$classNamePrinted = TRUE;
}
$this->outputLine(PHP_EOL . ' ' . $methodName);
if (isset($resources['resources']) === TRUE && is_array($resources['resources']) === TRUE) {
foreach ($resources['resources'] as $resourceName => $privilege) {
switch ($privilege['privilege']) {
case PolicyService::PRIVILEGE_GRANT:
$this->outputLine(' Resource "<i>' . $resourceName . '</i>": Access granted');
break;
case PolicyService::PRIVILEGE_DENY:
$this->outputLine(' Resource "<i>' . $resourceName . '</i>": Access denied');
break;
case PolicyService::PRIVILEGE_ABSTAIN:
$this->outputLine(' Resource "<i>' . $resourceName . '</i>": Vote abstained (no acl entry for given roles)');
break;
}
}
}
$this->outputLine(' <b>Effective privilege for given roles: ' . $resources['effectivePrivilege'] . '</b>');
}
}
} else {
$this->outputLine('Could not find any policy entries, please warmup caches...');
}
}
