Exemple #1
 /**
  * Reports, for the current identity, whether the read, update and delete
  * actions on the given object are authorized.
  *
  * Not meant for our own code: it issues three authorization queries where a
  * direct, single call to the Authorization service is preferred. It exists
  * only as a convenience for the REST API.
  *
  * The flags are informational; this method enforces nothing by itself.
  * 'update' is evaluated against PUT only, so it does not say whether PATCH
  * is allowed (NOTE(review): confirm how PATCH is authorized elsewhere).
  *
  * @param AbstractModel $object model whose permissions are reported
  * @return array map with the keys 'read', 'update' and 'delete', each holding the isAuthorized() result
  */
 private function getPermissions(AbstractModel $object)
 {
     $identity = $this->authentification->getIdentity();
     $resource = new \Application\Authorization\ModelResource($this->getResourceId($object), $object);

     // Action name => HTTP method used as the privilege for the check.
     $methodByAction = [
         'read' => Request::METHOD_GET,
         'update' => Request::METHOD_PUT,
         'delete' => Request::METHOD_DELETE,
     ];

     $permissions = [];
     foreach ($methodByAction as $action => $method) {
         $permissions[$action] = $this->authorization->isAuthorized($identity, $resource, $method);
     }

     return $permissions;
 }
Exemple #2
 /**
  * Registers the 'member' and 'admin' roles and the deny rules for the
  * Theodia V1 REST controllers on the given authorization service.
  *
  * Only deny rules are added here. What happens to a role/resource/method
  * combination that no rule below covers depends on AclAuthorization's
  * default, which is not visible from this constructor (NOTE(review): confirm
  * the default is the one intended, e.g. for POST on the ::entity resources).
  *
  * @param AclAuthorization $authorization service that receives the roles and rules
  */
 public function __construct(AclAuthorization $authorization)
 {
     foreach (['member', 'admin'] as $role) {
         $authorization->addRole($role);
     }

     // sprintf() patterns for the two resource kinds; %s is the REST service name.
     $entityPattern = 'Theodia\\V1\\Rest\\%s\\Controller::entity';
     $collectionPattern = 'Theodia\\V1\\Rest\\%s\\Controller::collection';

     $writeMethods = [Request::METHOD_PUT, Request::METHOD_PATCH, Request::METHOD_DELETE];
     $noRelation = new HasNoRelation();

     // Members: writes on these entities are denied when the HasNoRelation
     // assertion holds (presumably: the user is not related to the entity).
     foreach (['Calendar', 'Event', 'Place', 'User'] as $service) {
         $authorization->deny('member', sprintf($entityPattern, $service), $writeMethods, $noRelation);
     }

     // Members: no assertion is passed, so these denials are unconditional.
     foreach (['PlaceType', 'Rite', 'Tag'] as $service) {
         $authorization->deny('member', sprintf($entityPattern, $service), $writeMethods);
     }

     $relationWriteMethods = [Request::METHOD_PUT, Request::METHOD_PATCH];
     $lastRelation = new LastRelation();

     // Aggregate of both assertions in MODE_AT_LEAST_ONE (presumably: the
     // denial applies as soon as either assertion holds).
     $noRelationOrLastRelation = new AssertionAggregate();
     $noRelationOrLastRelation->addAssertion($noRelation);
     $noRelationOrLastRelation->addAssertion($lastRelation);
     $noRelationOrLastRelation->setMode(AssertionAggregate::MODE_AT_LEAST_ONE);

     // Rules for the relation resources, applied rule by rule to UserCalendar
     // and then UserPlace. Only the admin rule restricts admins: DELETE is
     // denied when the LastRelation assertion holds.
     $relationRules = [
         ['member', $entityPattern, $relationWriteMethods, $noRelation],
         ['member', $entityPattern, [Request::METHOD_DELETE], $noRelationOrLastRelation],
         ['admin', $entityPattern, [Request::METHOD_DELETE], $lastRelation],
         ['member', $collectionPattern, [Request::METHOD_POST], $noRelation],
     ];
     foreach ($relationRules as list($role, $pattern, $methods, $assertion)) {
         foreach (['UserCalendar', 'UserPlace'] as $service) {
             $authorization->deny($role, sprintf($pattern, $service), $methods, $assertion);
         }
     }
 }