public function testGetOrganization()
 {
     // Wire the accessor to a stubbed metadata provider so no real ownership config is needed.
     $providerStub = new OwnershipMetadataProviderStub($this);
     $ownerAccessor = new EntityOwnerAccessor($providerStub);

     // The third TestEntity constructor argument is the organization we expect to read back.
     $expectedOrganization = new \stdClass();
     $entity = new TestEntity(1, null, $expectedOrganization);

     // Register metadata for the entity class; 'organization' is the fourth OwnershipMetadata argument.
     $entityMetadata = new OwnershipMetadata(null, null, null, 'organization');
     $providerStub->setMetadata(get_class($entity), $entityMetadata);

     // The accessor must hand back the very same instance, not a copy.
     $actualOrganization = $ownerAccessor->getOrganization($entity);
     $this->assertSame($expectedOrganization, $actualOrganization);
 }
 /**
  * Organization isolation check: reports whether access must be denied because the entity
  * belongs to a different organization than the one carried by the security token.
  *
  * The check is meant for all entities that have ownership
  * (USER, BUSINESS_UNIT, ORGANIZATION ownership types).
  *
  * Access is NOT denied (false is returned) in two cases besides matching ids:
  *  - the accessor returns an empty organization for the entity;
  *  - the accessor throws InvalidEntityException (entity has no organization field).
  * Both are fail-open outcomes, so callers must not treat false as "organization verified".
  *
  * @param mixed $object
  * @param OrganizationContextTokenInterface $securityToken
  * @return bool true when the entity organization id differs from the token organization id
  */
 protected function isAccessDeniedByOrganizationContext($object, OrganizationContextTokenInterface $securityToken)
 {
     try {
         $entityOrganization = $this->entityOwnerAccessor->getOrganization($object);
         if (!$entityOrganization) {
             // nothing to compare against: the entity carries no organization value
             return false;
         }

         // NOTE(review): getOrganizationContext() is dereferenced without a null check;
         // presumably the token always carries an organization - confirm against the token class.
         $entityOrganizationId = $entityOrganization->getId();
         $tokenOrganizationId = $securityToken->getOrganizationContext()->getId();

         // strict comparison: ids of different types count as a mismatch and deny access
         return $entityOrganizationId !== $tokenOrganizationId;
     } catch (InvalidEntityException $e) {
         // entity has no organization field (none ownership type): deliberately not denied
         return false;
     }
 }
 /**
  * Organization isolation check applied on top of an already computed access decision.
  * A granted decision is downgraded to ACCESS_DENIED when the entity belongs to another
  * organization than the one carried by the current security token.
  *
  * The check is meant for all entities that have ownership
  * (USER, BUSINESS_UNIT, ORGANIZATION ownership types).
  *
  * The incoming decision is returned unchanged when any precondition fails (token without
  * organization context, decision other than ACCESS_GRANTED, extension other than
  * EntityAclExtension, non-object or ObjectIdentity subject), when the entity organization
  * is empty, or when the accessor throws InvalidEntityException.
  *
  * @param int $result
  * @return int
  */
 protected function checkOrganizationContext($result)
 {
     $subject = $this->object;
     $currentToken = $this->securityToken;

     // Guard clause: the organization comparison only applies to granted entity-level decisions
     // on real domain objects under an organization-aware token.
     if (!$currentToken instanceof OrganizationContextTokenInterface
         || $result !== self::ACCESS_GRANTED
         || !$this->extension instanceof EntityAclExtension
         || !is_object($subject)
         || $subject instanceof ObjectIdentity
     ) {
         return $result;
     }

     try {
         $entityOrganization = $this->entityOwnerAccessor->getOrganization($subject);
         // An empty organization on the entity leaves the granted decision in place (fail-open).
         // NOTE(review): getOrganizationContext() is dereferenced without a null check;
         // presumably the token always carries an organization - confirm against the token class.
         if ($entityOrganization
             && $entityOrganization->getId() !== $currentToken->getOrganizationContext()->getId()
         ) {
             return self::ACCESS_DENIED;
         }
     } catch (InvalidEntityException $e) {
         // entity has no organization field (none ownership type): keep the incoming decision
     }

     return $result;
 }
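 /**
  * {@inheritdoc}
  *
  * Decides whether $domainObject belongs to an organization the given user is a member of,
  * optionally narrowed to the single $organization passed by the caller.
  *
  * Resolution order, as implemented below:
  *  - the owner tree lists no organizations for the user, or $organization is given but is
  *    not one of them: false;
  *  - organization object: its own id must be in the allowed set;
  *  - business unit: the organization id the tree records for it must be in the allowed set;
  *  - user object with the same id as $user: true when the tree holds a non-null
  *    organization id for that user;
  *  - anything else: decided from ownership metadata; objects without an owner are never
  *    associated.
  *
  * @param mixed $user          user object, checked by validateUserObject()
  * @param mixed $domainObject  object under test, checked by validateObject()
  * @param mixed $organization  optional organization that narrows the allowed set
  *
  * @return bool
  *
  * @SuppressWarnings(PHPMD.NPathComplexity)
  */
 public function isAssociatedWithOrganization($user, $domainObject, $organization = null)
 {
     $tree = $this->treeProvider->getTree();
     $this->validateUserObject($user);
     $this->validateObject($domainObject);

     $organizationId = null;
     if ($organization) {
         $organizationId = $this->getOrganizationId($organization);
     }

     $userOrganizationIds = $tree->getUserOrganizationIds($this->getObjectId($user));
     // Explicit parentheses: && already binds tighter than ||, this only makes the grouping visible.
     // NOTE(review): every in_array() call in this method compares loosely, while the direct
     // id comparisons below use ===. In an authorization decision a loose match on null/0/''
     // is undesirable; pass true as the third argument once the id types returned by the
     // tree and by getObjectId() are confirmed to agree.
     if (empty($userOrganizationIds) || ($organizationId && !in_array($organizationId, $userOrganizationIds))) {
         return false;
     }

     // Either the single requested organization or every organization of the user.
     $allowedOrganizationIds = $organizationId ? [$organizationId] : $userOrganizationIds;

     if ($this->isOrganization($domainObject)) {
         return in_array($this->getObjectId($domainObject), $allowedOrganizationIds);
     }

     if ($this->isBusinessUnit($domainObject)) {
         return in_array(
             $tree->getBusinessUnitOrganizationId($this->getObjectId($domainObject)),
             $allowedOrganizationIds
         );
     }

     if ($this->isUser($domainObject)) {
         $userId = $this->getObjectId($user);
         $objId = $this->getObjectId($domainObject);
         if ($userId === $objId) {
             // Both lookups use the same id, so this reduces to "the tree knows an organization
             // for this user". NOTE(review): $allowedOrganizationIds is not consulted on this
             // path - confirm that a self-reference is meant to ignore the $organization filter.
             $userOrganizationId = $tree->getUserOrganizationId($userId);
             $objOrganizationId = $tree->getUserOrganizationId($objId);

             return $userOrganizationId !== null && $userOrganizationId === $objOrganizationId;
         }
         // a different user falls through to the metadata-based check below
     }

     $metadata = $this->getObjectMetadata($domainObject);
     if (!$metadata->hasOwner()) {
         return false;
     }

     $ownerId = $this->getObjectIdIgnoreNull($this->getOwner($domainObject));
     if ($metadata->isOrganizationOwned()) {
         // The owner is the organization itself: compare it directly.
         return $organizationId ? $ownerId === $organizationId : in_array($ownerId, $userOrganizationIds);
     }

     // Owner is not an organization: resolve the entity's organization through the accessor.
     // The original had an unreachable "return false" after an if/else that returned on both
     // branches; it is dropped here.
     return in_array(
         $this->getObjectId($this->entityOwnerAccessor->getOrganization($domainObject)),
         $allowedOrganizationIds
     );
 }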