/**
 * Renders the role-definition template for the role held by this object.
 *
 * Assigns three template variables before rendering: the sorted access
 * definitions, the sorted permissions fetched for this role's ID, and the
 * role name.
 */
public function render()
 {
     $view = $this->getTemplate();
     $view->setFile(__DIR__ . '/roleDefinition.latte');

     // Every access definition, fetched with an unfiltered query.
     $allDefinitions = $this->userFacade
         ->fetchAccessDefinitions(new AccessDefinitionQuery())
         ->toArray();
     $view->accessDefinitions = $this->sortAccessDefinitions($allDefinitions);

     // Only the permissions that belong to the role being displayed.
     $roleQuery = (new PermissionQuery())->byRole($this->role->getId());
     $rolePermissions = $this->userFacade->fetchPermissions($roleQuery)->toArray();
     $view->permissions = $this->sortRolePermissions($rolePermissions);

     $view->role = $this->role->getName();
     $view->render();
 }
Exemple #2
 /**
  * Removes the role through the entity manager, flushes, and then calls
  * onSuccessRoleRemoval() with the role and its former ID.
  *
  * @param Role $role
  * @throws ForeignKeyConstraintViolationException not handled here; left for the caller to catch
  */
 public function remove(Role $role)
 {
     // Read the ID before the entity is removed; it is passed on below.
     $removedRoleId = $role->getId();

     $this->em->remove($role);
     $this->em->flush();

     $this->onSuccessRoleRemoval($role, $removedRoleId);
 }
Exemple #3
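 /**
  * Form-button handler that deletes the role held by this object.
  *
  * The caller must hold the 'remove' privilege on the 'user_role' resource;
  * otherwise a warning is flashed and the request is redirected back.
  * A role that is still referenced elsewhere (foreign-key violation) is not
  * removed; the user gets a warning naming the role instead.
  *
  * @param SubmitButton $button the pressed button (not read by this handler)
  */
 public function removeRole(SubmitButton $button)
 {
     if (!$this->authorizator->isAllowed($this->user, 'user_role', 'remove')) {
         $this->flashMessage('authorization.noPermission', FlashMessage::WARNING);
         $this->redirect('this');

         // redirect() is presumably expected to abort the request (TODO confirm).
         // The explicit return keeps this authorization guard fail-closed, so
         // the deletion below is never reached if redirect() ever returns.
         return;
     }

     try {
         $this->userFacade->removeRole($this->role);
         $this->onSuccessRoleRemoval($this->role);
     } catch (ForeignKeyConstraintViolationException $e) {
         $this->flashMessage(
             'users.roleRemoval.messages.roleInUse',
             FlashMessage::WARNING,
             ['roleName' => $this->role->getName()]
         );
         $this->redirect('this');
     }
 }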
Exemple #4
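 /**
  * Writes an audit-log entry recording that the current user edited the
  * permissions of the given role.
  *
  * The message embeds HTML markup (<b>), so it is presumably displayed
  * unescaped by the log viewer (TODO confirm). The username and role name are
  * free-text values, so they are HTML-escaped here to stop markup stored in a
  * name from being rendered when the log is viewed.
  *
  * @param Role $role role whose permissions were edited
  */
 public function onSuccessRolePermissionsEditing(Role $role)
 {
     $actorId = $this->user->getId();

     $message = sprintf(
         'User [%s#%s] <b>has EDITED</b> permissions of Role [%s#%s]',
         $actorId,
         htmlspecialchars((string) $this->user->getUsername(), ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'),
         $role->getId(),
         htmlspecialchars((string) $role->getName(), ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')
     );

     $this->appEventLogger->saveLog($message, 'user_role_editing', $actorId);
 }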
Exemple #5
 /**
  * Returns the parent name reported by the role held by this object.
  *
  * @return string
  */
 public function getParentRoleName()
 {
     $parentName = $this->role->getParentName();

     return $parentName;
 }
Exemple #6
 /**
  * Flashes a success message naming the removed role and redirects to the
  * role overview ('Users:roles').
  *
  * @param Role $role the role that was removed
  */
 public function onSuccessRoleRemoval(Role $role)
 {
     $messageParameters = ['roleName' => $role->getName()];

     $this->flashMessage(
         'users.roleRemoval.messages.success',
         FlashMessage::SUCCESS,
         $messageParameters
     );
     $this->redirect('Users:roles');
 }
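 /**
  * Replaces the stored permissions of a role with the submitted definitions.
  *
  * Inside one transaction, all Permission rows of the role are deleted and
  * only the entries that must be stored explicitly are persisted again (see
  * the table in the loop). After a successful commit the 'acl' cache entry is
  * dropped and onSuccessRolePermissionsEditing() is called.
  *
  * Definition keys are validated against the loaded resources and privileges
  * before use. A malformed or unknown key raises an exception that the catch
  * block handles, so the already executed DELETE is rolled back.
  *
  * @param Role $role
  * @param array $permissionDefinitions map of "<resourceId>-<privilegeId>" (e.g. "1-3") => allowed flag, cast to bool
  * @throws DBALException
  * @throws \Exception the original failure, rethrown after rollback; \InvalidArgumentException for a bad definition key
  */
 public function save(Role $role, array $permissionDefinitions)
 {
     $resources = $this->em->createQuery('SELECT r FROM ' . Resource::class . ' r INDEX BY r.id')->execute();
     $privileges = $this->em->createQuery('SELECT p FROM ' . Privilege::class . ' p INDEX BY p.id')->execute();

     // Started outside the try block so that a failed begin is not answered
     // with a rollback of a transaction that was never opened.
     $this->em->beginTransaction();
     try {
         $this->em->createQuery('DELETE ' . Permission::class . ' p
              WHERE p.role = :role')->execute(['role' => $role->getId()]);

         $parentRole = null;
         if ($role->hasParent()) {
             /** @var Role $parentRole */
             $parentRole = $this->em->find(Role::class, $role->getParentId());
         }

         foreach ($permissionDefinitions as $definition => $isAllowed) {
             $isAllowed = (bool) $isAllowed;

             // eg. 1-3 => resource #1, privilege #3
             $ids = explode('-', (string) $definition);
             if (count($ids) !== 2 || !isset($resources[$ids[0]], $privileges[$ids[1]])) {
                 // Reject keys that do not name a known resource/privilege pair
                 // instead of dereferencing a missing array entry.
                 throw new \InvalidArgumentException('Unknown permission definition key');
             }

             /** @var \Users\Authorization\Resource $resource */
             $resource = $resources[$ids[0]];
             /** @var Privilege $privilege */
             $privilege = $privileges[$ids[1]];

             // check Users\Authorization\Authorizator ACL assembling
             //
             // Role without parent
             //   privilege: allowed -> must be in database
             //   privilege: denied  -> does NOT have to be in database
             //
             // Role with parent (all depths)
             //   ------------------------------------------------------------
             //     parent    |    descendant    |    should be persisted?
             //   ------------------------------------------------------------
             //     allowed        allowed                  NO
             //     allowed        denied                   YES
             //     denied         denied                   NO
             //     denied         allowed                  YES
             //   ------------------------------------------------------------
             //   We save records where permission and denial differ
             if ($parentRole !== null) {
                 // has parent: skip entries that match what the parent already yields
                 if ($this->authorizator->isAllowed($parentRole, $resource->getName(), $privilege->getName()) === $isAllowed) {
                     continue;
                 }
             } elseif ($isAllowed === false) {
                 // doesn't have parent: denials are not stored
                 continue;
             }

             $this->em->persist(new Permission($role, $resource, $privilege, $isAllowed));
         }

         $this->em->flush();
         $this->em->commit();
     } catch (\Exception $e) {
         $this->em->rollback();
         $this->em->close();
         // todo log error
         // Rethrow the caught instance: `new $e()` would create an empty
         // exception of the same class and lose the message and trace.
         throw $e;
     }

     // Post-commit side effects stay outside the try block: a failure here
     // must not trigger a rollback of an already committed transaction.
     $this->cache->remove('acl');
     $this->onSuccessRolePermissionsEditing($role);
 }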