/**
* Guess organization to login into. Basically for single organization scenario it will be always the same
* organization where user was created.
*
* @param OrganizationAwareUserInterface $user
* @param TokenInterface $token
*
* @return null|Organization
*/
public function guess(OrganizationAwareUserInterface $user, TokenInterface $token)
{
if ($token instanceof OrganizationContextTokenInterface && $token->getOrganizationContext()) {
return $token->getOrganizationContext();
}
$activeOrganizations = $user->getOrganizations(true);
$creatorOrganization = $user->getOrganization();
return $activeOrganizations->contains($creatorOrganization) ? $creatorOrganization : $activeOrganizations->first();
}
/**
* {@inheritDoc}
*/
public function vote(TokenInterface $token, $object, array $attributes)
{
if (!$object || !is_object($object)) {
return self::ACCESS_ABSTAIN;
}
$objectClass = ClassUtils::getClass($object);
if (!$this->supportsClass($objectClass)) {
return self::ACCESS_ABSTAIN;
}
foreach ($attributes as $attribute) {
if (!$this->supportsAttribute($attribute)) {
return self::ACCESS_ABSTAIN;
}
}
$object = $this->convertToSupportedObject($object, $objectClass);
/** @var EmailUser[] $emailUsers */
$emailUsers = $object->getEmailUsers();
foreach ($attributes as $attribute) {
foreach ($emailUsers as $emailUser) {
if ($this->container->get('oro_security.security_facade')->isGranted($attribute, $emailUser)) {
return self::ACCESS_GRANTED;
}
if ($mailbox = $emailUser->getMailboxOwner() !== null && $token instanceof UsernamePasswordOrganizationToken) {
$repo = $this->container->get('doctrine')->getRepository('OroEmailBundle:Mailbox');
$mailboxes = $repo->findAvailableMailboxes($token->getUser(), $token->getOrganizationContext());
if (in_array($mailbox, $mailboxes)) {
return self::ACCESS_GRANTED;
}
}
}
}
return self::ACCESS_DENIED;
}
/**
* @param EntityManager $entityManager
* @param TokenInterface $token
*/
protected function assertTokenEntities(EntityManager $entityManager, TokenInterface $token)
{
$unitOfWork = $entityManager->getUnitOfWork();
$this->assertEquals(UnitOfWork::STATE_MANAGED, $unitOfWork->getEntityState($token->getUser()));
if ($token instanceof OrganizationContextTokenInterface) {
$this->assertEquals(UnitOfWork::STATE_MANAGED, $unitOfWork->getEntityState($token->getOrganizationContext()));
}
}
/**
* @param TokenInterface $token
* @param ConfigInterface $config
* @param object $entity
*/
protected function setDefaultOrganization(TokenInterface $token, ConfigInterface $config, $entity)
{
if ($token instanceof OrganizationContextTokenInterface && $config->has('organization_field_name')) {
$accessor = PropertyAccess::createPropertyAccessor();
$fieldName = $config->get('organization_field_name');
if (!$accessor->getValue($entity, $fieldName)) {
$accessor->setValue($entity, $fieldName, $token->getOrganizationContext());
}
}
}
/**
* @SuppressWarnings(PHPMD.NPathComplexity)
* @SuppressWarnings(PHPMD.CyclomaticComplexity)
* {@inheritdoc}
*/
public function decideIsGranting($triggeredMask, $object, TokenInterface $securityToken)
{
$accessLevel = $this->getAccessLevel($triggeredMask);
if ($accessLevel === AccessLevel::SYSTEM_LEVEL) {
return true;
}
// check whether we check permissions for a domain object
if ($object === null || !is_object($object) || $object instanceof ObjectIdentityInterface) {
return true;
}
$metadata = $this->getMetadata($object);
if (!$metadata->hasOwner()) {
return true;
}
$organization = null;
if ($securityToken instanceof OrganizationContextTokenInterface) {
$organization = $securityToken->getOrganizationContext();
}
$result = false;
if (AccessLevel::BASIC_LEVEL === $accessLevel) {
$result = $this->decisionMaker->isAssociatedWithUser($securityToken->getUser(), $object, $organization);
} else {
if ($metadata->isUserOwned()) {
$result = $this->decisionMaker->isAssociatedWithUser($securityToken->getUser(), $object, $organization);
}
if (!$result) {
if (AccessLevel::LOCAL_LEVEL === $accessLevel) {
$result = $this->decisionMaker->isAssociatedWithBusinessUnit($securityToken->getUser(), $object, false, $organization);
} elseif (AccessLevel::DEEP_LEVEL === $accessLevel) {
$result = $this->decisionMaker->isAssociatedWithBusinessUnit($securityToken->getUser(), $object, true, $organization);
} elseif (AccessLevel::GLOBAL_LEVEL === $accessLevel) {
$result = $this->decisionMaker->isAssociatedWithOrganization($securityToken->getUser(), $object, $organization);
}
}
}
return $result;
}
/**
* {@inheritdoc}
*/
public function loginSuccess(Request $request, Response $response, TokenInterface $token)
{
// Make sure any old remember-me cookies are cancelled
$this->cancelCookie($request);
if (!$token->getUser() instanceof UserInterface) {
if (null !== $this->logger) {
$this->logger->debug('Organization Remember-me ignores token since it does not contain a UserInterface implementation.');
}
return;
}
if (!$this->isRememberMeRequested($request)) {
if (null !== $this->logger) {
$this->logger->debug('Organization Remember-me was not requested.');
}
return;
}
if (null !== $this->logger) {
$this->logger->debug('Organization Remember-me was requested; setting cookie.');
}
$request->attributes->remove(self::COOKIE_ATTR_NAME);
$user = $token->getUser();
$expires = time() + $this->options['lifetime'];
$value = $this->generateCookieValue(get_class($user), $user->getUsername(), $expires, $user->getPassword(), $token->getOrganizationContext()->getId());
$response->headers->setCookie(new Cookie($this->options['name'], $value, $expires, $this->options['path'], $this->options['domain'], $this->options['secure'], $this->options['httponly']));
}
