/**
* @param OrmResultBefore $event
*/
public function onResultBefore(OrmResultBefore $event)
{
// listener logic is applied only to frontend part of application
if ($this->securityFacade->getLoggedUser() instanceof User) {
return;
}
$config = $event->getDatagrid()->getConfig();
$query = $event->getQuery();
/** @var Subselect|SelectStatement $select */
$select = $query->getAST();
$fromClause = $select instanceof SelectStatement ? $select->fromClause : $select->subselectFromClause;
$skipAclCheck = true;
/** @var IdentificationVariableDeclaration $identificationVariableDeclaration */
foreach ($fromClause->identificationVariableDeclarations as $identificationVariableDeclaration) {
$entityName = $identificationVariableDeclaration->rangeVariableDeclaration->abstractSchemaName;
$metadata = $this->metadataProvider->getMetadata($entityName);
if ($metadata->hasOwner()) {
$skipAclCheck = false;
break;
}
}
if ($skipAclCheck) {
$config->offsetSetByPath(Builder::DATASOURCE_SKIP_ACL_CHECK, true);
}
}
/**
* Gets organization of the given entity
*
* @param mixed $object
* @return mixed
* @throws InvalidEntityException If entity is not an object
* @throws \InvalidArgumentException If owner property path is not defined
*/
public function getOrganization($object)
{
if (!is_object($object)) {
throw new InvalidEntityException('$object must be an object.');
}
$metadata = $this->metadataProvider->getMetadata(ClassUtils::getRealClass($object));
if ($metadata->getGlobalOwnerFieldName()) {
return $this->getValue($object, $metadata->getGlobalOwnerFieldName());
}
return null;
}
/**
* Gets organization of the given entity
*
* @param $object
* @return object|null
* @throws InvalidEntityException
*/
public function getOrganization($object)
{
if (!is_object($object)) {
throw new InvalidEntityException('$object must be an object.');
}
$result = null;
$metadata = $this->metadataProvider->getMetadata(ClassUtils::getRealClass($object));
if ($metadata->getGlobalOwnerFieldName()) {
$accessor = PropertyAccess::createPropertyAccessor();
$result = $accessor->getValue($object, $metadata->getGlobalOwnerFieldName());
}
return $result;
}
/**
* Get data for query acl access level check
* Return null if entity has full access, empty array if user does't have access to the entity
* and array with entity field and field values which user have access.
*
* @param $entityClassName
* @param $permissions
*
* @return null|array
*/
public function getAclConditionData($entityClassName, $permissions = 'VIEW')
{
if ($this->aclVoter === null || !$this->getUserId() || !$this->entityMetadataProvider->isProtectedEntity($entityClassName)) {
return [];
}
$condition = null;
$observer = new OneShotIsGrantedObserver();
$this->aclVoter->addOneShotIsGrantedObserver($observer);
$isGranted = $this->getSecurityContext()->isGranted($permissions, 'entity:' . $entityClassName);
if ($isGranted) {
$condition = $this->buildConstraintIfAccessIsGranted($entityClassName, $observer->getAccessLevel(), $this->metadataProvider->getMetadata($entityClassName));
}
return $condition;
}
/**
* Get data for query acl access level check
*
* @param $entityClassName
* @param $permissions
*
* @return array Returns empty array if entity has full access,
* array with null values if user does't have access to the entity
* and array with entity field and field values which user has access to.
* Array structure:
* 0 - owner field name
* 1 - owner values
* 2 - owner association type
* 3 - organization field name
* 4 - organization values
* 5 - should owners be checked
* (for example, in case of Organization ownership type, owners should not be checked)
*/
public function getAclConditionData($entityClassName, $permissions = 'VIEW')
{
if ($this->aclVoter === null || !$this->getUserId() || !$this->entityMetadataProvider->isProtectedEntity($entityClassName)) {
// return full access to the entity
return [];
}
$observer = new OneShotIsGrantedObserver();
$this->aclVoter->addOneShotIsGrantedObserver($observer);
$groupedEntityClassName = $entityClassName;
if ($this->aclGroupProvider) {
$group = $this->aclGroupProvider->getGroup();
if ($group) {
$groupedEntityClassName = sprintf('%s@%s', $this->aclGroupProvider->getGroup(), $entityClassName);
}
}
$isGranted = $this->getSecurityContext()->isGranted($permissions, new ObjectIdentity('entity', $groupedEntityClassName));
if ($isGranted) {
$condition = $this->buildConstraintIfAccessIsGranted($entityClassName, $observer->getAccessLevel(), $this->metadataProvider->getMetadata($entityClassName));
} else {
$condition = $this->getAccessDeniedCondition();
}
return $condition;
}
/**
* Gets metadata for the given object
*
* @param mixed $object
*
* @return OwnershipMetadataInterface
*/
protected function getMetadata($object)
{
return $this->metadataProvider->getMetadata($this->getObjectClassName($object));
}