/**
* Gets permissions of the given user
*
* @param User $user
* @param Criteria|null $filters
*
* @return array
*/
public function getUserPermissions(User $user, Criteria $filters = null)
{
$entityAclExtension = $this->aclSelector->select($user);
$resources = array_map(function (AclClassInfo $class) use($entityAclExtension) {
return ['type' => $entityAclExtension->getExtensionKey(), 'resource' => $class->getClassName()];
}, $entityAclExtension->getClasses());
if ($filters) {
$collection = new ArrayCollection($resources);
$resources = $collection->matching($filters)->toArray();
}
$result = [];
$originalToken = $this->impersonateUser($user);
try {
foreach ($resources as $resource) {
$oid = new ObjectIdentity($resource['type'], $resource['resource']);
$permissions = [];
foreach ($entityAclExtension->getAllowedPermissions($oid) as $permission) {
if ($this->securityContext->isGranted($permission, $oid)) {
$permissions[] = $permission;
}
}
$result[] = array_merge($resource, ['permissions' => $permissions]);
}
$this->undoImpersonation($originalToken);
} catch (\Exception $e) {
$this->undoImpersonation($originalToken);
throw $e;
}
return $result;
}
/**
* {@inheritDoc}
*/
public function contains($permission)
{
foreach ($this->extensionSelector->all() as $extension) {
if ($extension->hasMasks(empty($permission) ? $extension->getDefaultPermission() : $permission)) {
return true;
}
}
return false;
}
/**
* @param OwnershipMetadataProvider $metadataProvider
* @param OwnerTree $ownerTree
* @return AclExtensionSelector
*/
public function createAclExtensionSelector(OwnershipMetadataProvider $metadataProvider = null, OwnerTree $ownerTree = null)
{
$idAccessor = new ObjectIdAccessor();
$selector = new AclExtensionSelector($idAccessor);
$actionMetadataProvider = $this->testCase->getMockBuilder('Oro\\Bundle\\SecurityBundle\\Metadata\\ActionMetadataProvider')->disableOriginalConstructor()->getMock();
$actionMetadataProvider->expects($this->testCase->any())->method('isKnownAction')->will($this->testCase->returnValue(true));
$selector->addAclExtension(new ActionAclExtension($actionMetadataProvider));
$selector->addAclExtension($this->createEntityAclExtension($metadataProvider, $ownerTree, $idAccessor));
return $selector;
}
/**
* Constructs an ObjectIdentity for the given domain object or based on the given descriptor.
*
* The descriptor is a string in the following format: "ExtensionKey:Class"
*
* Examples:
* get($object)
* get('Entity:AcmeBundle\SomeClass')
* get('Entity:AcmeBundle:SomeEntity')
* get('Action:Some Action')
*
* @param mixed $val An domain object, object identity descriptor (id:type) or ACL annotation
* @return ObjectIdentity
* @throws InvalidDomainObjectException
*/
public function get($val)
{
try {
$result = $this->extensionSelector->select($val)->getObjectIdentity($val);
if ($result === null) {
$objInfo = is_object($val) ? get_class($val) : (string) $val;
throw new \InvalidArgumentException(sprintf('Cannot create ObjectIdentity for: %s.', $objInfo));
}
} catch (\InvalidArgumentException $ex) {
throw new InvalidDomainObjectException($ex->getMessage(), 0, $ex);
}
return $result;
}
/**
* {@inheritdoc}
*/
public function vote(TokenInterface $token, $object, array $attributes)
{
$this->securityToken = $token;
$this->object = $object instanceof FieldVote ? $object->getDomainObject() : $object;
list($this->object, $group) = $this->separateAclGroupFromObject($this->object);
try {
$this->extension = $this->extensionSelector->select($this->object);
} catch (InvalidDomainObjectException $e) {
return self::ACCESS_ABSTAIN;
}
// replace empty permissions with default ones
$attributesCount = count($attributes);
for ($i = 0; $i < $attributesCount; $i++) {
if (empty($attributes[$i])) {
$attributes[$i] = $this->extension->getDefaultPermission();
}
}
//check acl group
$result = $this->checkAclGroup($group);
if ($result !== self::ACCESS_DENIED) {
$result = parent::vote($token, $this->object, $attributes);
//check organization context
$result = $this->checkOrganizationContext($result);
}
$this->extension = null;
$this->object = null;
$this->securityToken = null;
$this->triggeredMask = null;
if ($this->oneShotIsGrantedObserver) {
$this->oneShotIsGrantedObserver = null;
}
return $result;
}
/**
* {@inheritdoc}
*/
public function vote(TokenInterface $token, $object, array $attributes)
{
$this->securityToken = $token;
$this->object = $object instanceof FieldVote ? $object->getDomainObject() : $object;
$this->extension = $this->extensionSelector->select($object);
// replace empty permissions with default ones
for ($i = 0; $i < count($attributes); $i++) {
if (empty($attributes[$i])) {
$attributes[$i] = $this->extension->getDefaultPermission();
}
}
$result = parent::vote($token, $object, $attributes);
$this->extension = null;
$this->object = null;
$this->securityToken = null;
return $result;
}
/**
* Updates or creates ACE with the given attributes
*
* @param SID $sid
* @param OID $oid
* @param bool $replace If true the mask and strategy of the existing ACE should be replaced with the given ones
* @param string $type The ACE type. Can be one of self::*_ACE constants
* @param string|null $field The name of a field.
* Set to null for class-based or object-based ACE
* Set to not null class-field-based or object-field-based ACE
* @param int $mask
* @param bool $granting
* @param string|null $strategy If null the strategy should not be changed for existing ACE
* or the appropriate strategy should be selected automatically for new ACE
* ALL strategy is used for $granting = true
* ANY strategy is used for $granting = false
* @throws InvalidAclMaskException
*/
protected function doSetPermission(SID $sid, OID $oid, $replace, $type, $field, $mask, $granting, $strategy = null)
{
$acl = $this->getAcl($oid, true);
$key = $this->getKey($oid);
if ($this->items[$key]->getState() !== BatchItem::STATE_DELETE) {
$extension = $this->extensionSelector->select($oid);
$extension->validateMask($mask, $oid);
if ($acl === null && $this->items[$key]->getState() === BatchItem::STATE_CREATE) {
$this->items[$key]->addAce($type, $field, $sid, $granting, $mask, $strategy);
} else {
$hasChanges = $this->aceProvider->setPermission($acl, $extension, $replace, $type, $field, $sid, $granting, $mask, $strategy);
if ($hasChanges) {
$this->items[$key]->setState(BatchItem::STATE_UPDATE);
}
}
}
}
public function getAclExtension()
{
return $this->extensionSelector->select($this->object);
}
/**
* @param string $permission
* @param mixed $object
* @return MaskBuilder
*/
private function getMaskBuilder($permission, $object)
{
return $this->selector->select($object)->getMaskBuilder($permission);
}
