 /**
  * Tells whether the organization context of the security token forbids
  * access to the given entity.
  *
  * Entities with USER, BUSINESS_UNIT or ORGANIZATION ownership carry an
  * organization; access is denied when that organization differs from the
  * one currently selected in the token. Entities without an organization
  * field (NONE ownership type) make the owner accessor throw, which is
  * treated as "nothing to check".
  *
  * NOTE(review): an entity whose organization field is present but unset
  * is not denied here, exactly like an entity without the field at all —
  * confirm this fail-open case is intended for every caller.
  *
  * @param mixed $object
  * @param OrganizationContextTokenInterface $securityToken
  * @return bool true when access must be denied, false otherwise
  */
 protected function isAccessDeniedByOrganizationContext($object, OrganizationContextTokenInterface $securityToken)
 {
     try {
         $entityOrganization = $this->entityOwnerAccessor->getOrganization($object);
     } catch (InvalidEntityException $e) {
         // the entity has no organization field (NONE ownership type): nothing to compare
         return false;
     }
     if (!$entityOrganization) {
         return false;
     }
     $contextOrganizationId = $securityToken->getOrganizationContext()->getId();
     // deny only when the entity belongs to a different organization than the token's
     return $entityOrganization->getId() !== $contextOrganizationId;
 }
 /**
  * Reacts to an `OnClear` event by re-loading the organization held in the
  * token (via refreshEntity()) and storing the re-loaded instance back.
  *
  * Nothing is done when the token holds no organization object, when the
  * event names a different entity class than the organization's, when the
  * cleared manager is not the one managing organizations, or when the
  * organization cannot be re-loaded.
  *
  * @param OnClearEventArgs                  $event
  * @param OrganizationContextTokenInterface $token
  */
 protected function checkOrganization(OnClearEventArgs $event, OrganizationContextTokenInterface $token)
 {
     $current = $token->getOrganizationContext();
     if (!is_object($current)) {
         return;
     }
     $currentClass = ClassUtils::getClass($current);
     // a clear restricted to another entity class does not affect organizations
     $clearedClass = $event->getEntityClass();
     if ($clearedClass && $clearedClass !== $currentClass) {
         return;
     }
     $manager = $event->getEntityManager();
     if ($this->doctrine->getManagerForClass($currentClass) !== $manager) {
         return;
     }
     $reloaded = $this->refreshEntity($current, $currentClass, $manager);
     if (!$reloaded) {
         return;
     }
     $token->setOrganizationContext($reloaded);
 }
 /**
  * Resolves an organization from an identifier (numeric id or name) and
  * stores it as the organization context of the token.
  *
  * A falsy $organization leaves the token untouched. The organization must
  * exist and be enabled, and a User held by the token must be a member of it;
  * every other outcome is reported as an exception rather than silently
  * changing the context.
  *
  * NOTE(review): the id/name decision is a truthiness check on the
  * filter_var() result, so the value "0" is looked up by name, not by id.
  *
  * @param mixed $organization organization id or name
  * @param OrganizationContextTokenInterface $token
  * @throws \InvalidArgumentException when the organization is unknown or disabled, or the user is not a member
  */
 protected function setOrganization($organization, OrganizationContextTokenInterface $token)
 {
     if (!$organization) {
         return;
     }
     $repository = $this->registry->getRepository('OroOrganizationBundle:Organization');
     $id = filter_var($organization, FILTER_VALIDATE_INT);
     $entity = $id
         ? $repository->find($id)
         : $repository->findOneBy(['name' => $organization]);
     if (!$entity) {
         throw new \InvalidArgumentException(sprintf('Can\'t find organization with identifier %s', $organization));
     }
     // a disabled organization can never become the context
     if (!$entity->isEnabled()) {
         throw new \InvalidArgumentException(sprintf('Organization %s is not enabled', $entity->getName()));
     }
     $user = $token->getUser();
     // membership is only verified for User instances; other token user types are not checked here
     if ($user instanceof User && !$user->hasOrganization($entity)) {
         throw new \InvalidArgumentException(sprintf('User %s is not in organization %s', $user->getUsername(), $entity->getName()));
     }
     $token->setOrganizationContext($entity);
 }
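 /**
  * The token must survive a serialize()/unserialize() round trip with its
  * user id and organization context id intact.
  */
 public function testSerialize()
 {
     // the serialized payload is produced right here from a fixture, so unserialize() only ever sees trusted data
     $restoredToken = unserialize(serialize($this->token));
     // expected value first, actual second, so a failure message reads the right way round
     $this->assertEquals($this->token->getUser()->getId(), $restoredToken->getUser()->getId());
     $this->assertEquals(
         $this->token->getOrganizationContext()->getId(),
         $restoredToken->getOrganizationContext()->getId()
     );
 }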