/**
  * @param OrmResultBefore $event
  */
 public function onResultBefore(OrmResultBefore $event)
 {
     // listener logic is applied only to frontend part of application
     if ($this->securityFacade->getLoggedUser() instanceof User) {
         return;
     }
     $config = $event->getDatagrid()->getConfig();
     $query = $event->getQuery();
     /** @var Subselect|SelectStatement $select */
     $select = $query->getAST();
     $fromClause = $select instanceof SelectStatement ? $select->fromClause : $select->subselectFromClause;
     $skipAclCheck = true;
     /** @var IdentificationVariableDeclaration $identificationVariableDeclaration */
     foreach ($fromClause->identificationVariableDeclarations as $identificationVariableDeclaration) {
         $entityName = $identificationVariableDeclaration->rangeVariableDeclaration->abstractSchemaName;
         $metadata = $this->metadataProvider->getMetadata($entityName);
         if ($metadata->hasOwner()) {
             $skipAclCheck = false;
             break;
         }
     }
     if ($skipAclCheck) {
         $config->offsetSetByPath(Builder::DATASOURCE_SKIP_ACL_CHECK, true);
     }
 }
 /**
  * Gets organization of the given entity
  *
  * @param mixed $object
  * @return mixed
  * @throws InvalidEntityException     If entity is not an object
  * @throws \InvalidArgumentException  If owner property path is not defined
  */
 public function getOrganization($object)
 {
     if (!is_object($object)) {
         throw new InvalidEntityException('$object must be an object.');
     }
     $metadata = $this->metadataProvider->getMetadata(ClassUtils::getRealClass($object));
     if ($metadata->getGlobalOwnerFieldName()) {
         return $this->getValue($object, $metadata->getGlobalOwnerFieldName());
     }
     return null;
 }
 /**
  * Gets organization of the given entity
  *
  * @param $object
  * @return object|null
  * @throws InvalidEntityException
  */
 public function getOrganization($object)
 {
     if (!is_object($object)) {
         throw new InvalidEntityException('$object must be an object.');
     }
     $result = null;
     $metadata = $this->metadataProvider->getMetadata(ClassUtils::getRealClass($object));
     if ($metadata->getGlobalOwnerFieldName()) {
         $accessor = PropertyAccess::createPropertyAccessor();
         $result = $accessor->getValue($object, $metadata->getGlobalOwnerFieldName());
     }
     return $result;
 }
 /**
  * Get data for query acl access level check
  * Return null if entity has full access, empty array if user does't have access to the entity
  *  and array with entity field and field values which user have access.
  *
  * @param $entityClassName
  * @param $permissions
  *
  * @return null|array
  */
 public function getAclConditionData($entityClassName, $permissions = 'VIEW')
 {
     if ($this->aclVoter === null || !$this->getUserId() || !$this->entityMetadataProvider->isProtectedEntity($entityClassName)) {
         return [];
     }
     $condition = null;
     $observer = new OneShotIsGrantedObserver();
     $this->aclVoter->addOneShotIsGrantedObserver($observer);
     $isGranted = $this->getSecurityContext()->isGranted($permissions, 'entity:' . $entityClassName);
     if ($isGranted) {
         $condition = $this->buildConstraintIfAccessIsGranted($entityClassName, $observer->getAccessLevel(), $this->metadataProvider->getMetadata($entityClassName));
     }
     return $condition;
 }
 /**
  * Get data for query acl access level check
  *
  * @param $entityClassName
  * @param $permissions
  *
  * @return array Returns empty array if entity has full access,
  *               array with null values if user does't have access to the entity
  *               and array with entity field and field values which user has access to.
  *               Array structure:
  *               0 - owner field name
  *               1 - owner values
  *               2 - owner association type
  *               3 - organization field name
  *               4 - organization values
  *               5 - should owners be checked
  *                  (for example, in case of Organization ownership type, owners should not be checked)
  */
 public function getAclConditionData($entityClassName, $permissions = 'VIEW')
 {
     if ($this->aclVoter === null || !$this->getUserId() || !$this->entityMetadataProvider->isProtectedEntity($entityClassName)) {
         // return full access to the entity
         return [];
     }
     $observer = new OneShotIsGrantedObserver();
     $this->aclVoter->addOneShotIsGrantedObserver($observer);
     $groupedEntityClassName = $entityClassName;
     if ($this->aclGroupProvider) {
         $group = $this->aclGroupProvider->getGroup();
         if ($group) {
             $groupedEntityClassName = sprintf('%s@%s', $this->aclGroupProvider->getGroup(), $entityClassName);
         }
     }
     $isGranted = $this->getSecurityContext()->isGranted($permissions, new ObjectIdentity('entity', $groupedEntityClassName));
     if ($isGranted) {
         $condition = $this->buildConstraintIfAccessIsGranted($entityClassName, $observer->getAccessLevel(), $this->metadataProvider->getMetadata($entityClassName));
     } else {
         $condition = $this->getAccessDeniedCondition();
     }
     return $condition;
 }
 /**
  * Gets metadata for the given object
  *
  * @param mixed $object
  *
  * @return OwnershipMetadataInterface
  */
 protected function getMetadata($object)
 {
     return $this->metadataProvider->getMetadata($this->getObjectClassName($object));
 }