/**
 * Decides one attribute for an Estate subject.
 *
 * VIEW and CREATE go to ROLE_ADMIN or ROLE_MANAGER; EDIT and REMOVE go to the
 * user whose username equals the estate's creator, or to ROLE_ADMIN. Any other
 * attribute, or a token whose user is not a UserInterface, is denied.
 *
 * @param string         $attribute one of the self::* attribute constants
 * @param Estate         $subject   narrowed to Estate by supports()
 * @param TokenInterface $token
 *
 * @return bool
 */
protected function voteOnAttribute($attribute, $subject, TokenInterface $token)
{
    $user = $token->getUser();
    /** @var Estate $estate */
    $estate = $subject;

    if (!$user instanceof UserInterface) {
        return false;
    }

    if (in_array($attribute, [self::VIEW, self::CREATE], true)) {
        return $this->decisionManager->decide($token, ['ROLE_ADMIN', 'ROLE_MANAGER']);
    }

    if (in_array($attribute, [self::EDIT, self::REMOVE], true)) {
        // Ownership is matched on username; admins may always edit/remove.
        return $user->getUsername() === $estate->getCreatedBy()
            || $this->decisionManager->decide($token, ['ROLE_ADMIN']);
    }

    return false;
}
/**
 * Decides one attribute for a Post subject.
 *
 * CREATE is reserved to ROLE_ADMIN. EDIT and REMOVE are granted to the post's
 * author (matched on e-mail) or to ROLE_ADMIN. Everything else is denied, as is
 * any token whose user does not implement UserInterface.
 *
 * @param string         $attribute
 * @param Post           $subject   narrowed to Post by supports()
 * @param TokenInterface $token
 *
 * @return bool
 */
protected function voteOnAttribute($attribute, $subject, TokenInterface $token)
{
    $user = $token->getUser();
    /** @var Post $post */
    $post = $subject;

    if (!$user instanceof UserInterface) {
        return false;
    }

    if ($attribute === self::CREATE) {
        return $this->decisionManager->decide($token, ['ROLE_ADMIN']);
    }

    if ($attribute === self::EDIT || $attribute === self::REMOVE) {
        // Author check first, so the decision manager is only consulted for non-authors.
        return $user->getEmail() === $post->getAuthorEmail()
            || $this->decisionManager->decide($token, ['ROLE_ADMIN']);
    }

    return false;
}
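/**
 * Decides DELETE or EDIT for a Post subject.
 *
 * ROLE_ADMIN is granted both attributes outright; otherwise the ownership
 * helpers canDelete()/canEdit() decide. A token whose user is not a Users
 * entity is denied. Any other attribute is a programming error, since
 * supports() is expected to filter them out, and raises a LogicException.
 *
 * @param string         $attribute self::DELETE or self::EDIT
 * @param Post           $subject   narrowed to Post by supports()
 * @param TokenInterface $token
 *
 * @return bool
 *
 * @throws \LogicException for an attribute other than DELETE/EDIT
 */
protected function voteOnAttribute($attribute, $subject, TokenInterface $token)
{
    $user = $token->getUser();

    // the user must be logged in; if not, deny access
    if (!$user instanceof Users) {
        return false;
    }

    // Assigned once (the original assigned $subject twice, before and after the user check).
    /** @var Post $post */
    $post = $subject;

    switch ($attribute) {
        case self::DELETE:
            // Admin short-circuit, then ownership.
            return $this->decisionManager->decide($token, ['ROLE_ADMIN'])
                || $this->canDelete($post, $user);
        case self::EDIT:
            return $this->decisionManager->decide($token, ['ROLE_ADMIN'])
                || $this->canEdit($post, $user);
    }

    throw new \LogicException('This code should not be reached!');
}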
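/**
 * Decides one attribute for a Comment subject.
 *
 * CREATE: ROLE_ADMIN, ROLE_MODERATOR or ROLE_USER.
 * EDIT / DELETE: the comment's author, ROLE_ADMIN, or a ROLE_MODERATOR for whom
 * canYouDoIt() returns true.
 * Anything else, and any token whose user is not a UserInterface, is denied.
 *
 * @param string         $attribute
 * @param Comment        $subject   narrowed to Comment by supports()
 * @param TokenInterface $token
 *
 * @return bool
 */
protected function voteOnAttribute($attribute, $subject, TokenInterface $token)
{
    $user = $token->getUser();
    /** @var Comment $comment */
    $comment = $subject;

    if (!$user instanceof UserInterface) {
        return false;
    }

    switch ($attribute) {
        case self::CREATE:
            // if the user is an admin, moderator or plain user, allow them to create new comments
            if ($this->decisionManager->decide($token, ['ROLE_ADMIN', 'ROLE_MODERATOR', 'ROLE_USER'])) {
                return true;
            }
            break;

        // Two labels on purpose: `case self::EDIT || self::DELETE:` evaluates to
        // `true`, and switch's loose comparison then matches every truthy
        // attribute, not just EDIT and DELETE.
        case self::EDIT:
        case self::DELETE:
            // Parentheses make the && / || precedence explicit: moderators must
            // additionally pass canYouDoIt(); author and admin do not.
            if ($comment->isAuthor($user)
                || $this->decisionManager->decide($token, ['ROLE_ADMIN'])
                || ($this->decisionManager->decide($token, ['ROLE_MODERATOR']) && $this->canYouDoIt($comment, $user))
            ) {
                return true;
            }
            break;
    }

    return false;
}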
/**
 * Decides EDIT for a Users subject.
 *
 * ROLE_ADMIN is granted before any other check. Otherwise the caller must be a
 * logged-in Users entity, and canEdit() decides. Any other attribute is a
 * programming error (supports() is expected to filter it) and throws.
 *
 * @param string         $attribute self::EDIT
 * @param Users          $subject   the user being edited, narrowed by supports()
 * @param TokenInterface $token
 *
 * @return bool
 *
 * @throws \LogicException for an attribute other than EDIT
 */
protected function voteOnAttribute($attribute, $subject, TokenInterface $token)
{
    $user = $token->getUser();

    // Admins may edit anyone, even before the login check below.
    if ($this->decisionManager->decide($token, ['ROLE_ADMIN'])) {
        return true;
    }

    // the user must be logged in; if not, deny access
    if (!$user instanceof Users) {
        return false;
    }

    /** @var Users $edit_user */
    $edit_user = $subject;

    if ($attribute === self::EDIT) {
        return $this->canEdit($edit_user, $user);
    }

    throw new \LogicException('This code should not be reached!');
}
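/**
 * Enforces the method-level security metadata around a method invocation.
 *
 * Checks run in this order, each aborting the call by throwing:
 *  1. the TokenStorage must hold a token (re-authenticated when configured or
 *     when the token is not yet authenticated);
 *  2. required roles, via the access decision manager;
 *  3. per-parameter permissions, for each non-null argument that has metadata;
 *  4. optional run-as: a substitute token is placed in the TokenStorage for
 *     the duration of the call and restored afterwards — on normal return and
 *     on any throwable escaping the call;
 *  5. return-value permissions, decided by the after-invocation manager using
 *     the token present in the TokenStorage after the restore.
 *
 * @param MethodInvocation $method
 *
 * @return mixed the intercepted method's return value, possibly replaced by the after-invocation manager
 *
 * @throws \Exception                                 whatever the intercepted method throws
 * @throws \Throwable                                 same, for non-Exception errors (PHP 7+)
 * @throws RuntimeException                           when the RunAsManager returns null
 * @throws AuthenticationCredentialsNotFoundException when the TokenStorage holds no token
 * @throws AccessDeniedException                      when a role or parameter permission check fails
 */
public function intercept(MethodInvocation $method)
{
    $metadata = $this->metadataFactory->getMetadataForClass($method->reflection->class);

    // no security metadata, proceed
    if (empty($metadata) || !isset($metadata->methodMetadata[$method->reflection->name])) {
        return $method->proceed();
    }
    $metadata = $metadata->methodMetadata[$method->reflection->name];

    if (null === ($token = $this->tokenStorage->getToken())) {
        throw new AuthenticationCredentialsNotFoundException('The TokenStorage was not populated with a Token.');
    }

    if ($this->alwaysAuthenticate || !$token->isAuthenticated()) {
        $token = $this->authenticationManager->authenticate($token);
        $this->tokenStorage->setToken($token);
    }

    if (!empty($metadata->roles) && false === $this->accessDecisionManager->decide($token, $metadata->roles, $method)) {
        throw new AccessDeniedException('Token does not have the required roles.');
    }

    if (!empty($metadata->paramPermissions)) {
        foreach ($method->arguments as $index => $argument) {
            // null arguments are skipped: there is no object to decide a permission on
            if (null !== $argument
                && isset($metadata->paramPermissions[$index])
                && false === $this->accessDecisionManager->decide($token, $metadata->paramPermissions[$index], $argument)
            ) {
                throw new AccessDeniedException(sprintf('Token does not have the required permissions for method "%s::%s".', $method->reflection->class, $method->reflection->name));
            }
        }
    }

    $runAsToken = null;
    if (!empty($metadata->runAsRoles)) {
        $runAsToken = $this->runAsManager->buildRunAs($token, $method, $metadata->runAsRoles);

        if (null !== $this->logger) {
            $this->logger->debug('Populating TokenStorage with RunAsToken');
        }

        if (null === $runAsToken) {
            throw new RuntimeException('RunAsManager must not return null from buildRunAs().');
        }

        $this->tokenStorage->setToken($runAsToken);
    }

    try {
        $returnValue = $method->proceed();

        // Restore before the after-invocation check so it sees the original token.
        if (null !== $runAsToken) {
            $this->restoreOriginalToken($runAsToken);
        }

        if (empty($metadata->returnPermissions)) {
            return $returnValue;
        }

        return $this->afterInvocationManager->decide($this->tokenStorage->getToken(), $method, $metadata->returnPermissions, $returnValue);
    } catch (\Exception $failed) {
        if (null !== $runAsToken) {
            $this->restoreOriginalToken($runAsToken);
        }
        throw $failed;
    } catch (\Throwable $failed) {
        // PHP 7+: an \Error raised by the intercepted method is not an \Exception.
        // Without this branch it would bypass the restore above and leave the
        // elevated run-as token in the TokenStorage for the rest of the request.
        if (null !== $runAsToken) {
            $this->restoreOriginalToken($runAsToken);
        }
        throw $failed;
    }
}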
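/**
 * Decides one attribute for an Article subject.
 *
 * CREATE: ROLE_ADMIN or ROLE_MODERATOR. EDIT / DELETE: ROLE_ADMIN or the
 * article's author (matched on e-mail). Anything else, and any token whose
 * user is not a UserInterface, is denied.
 *
 * @param string         $attribute
 * @param Article        $subject   narrowed to Article by supports()
 * @param TokenInterface $token
 *
 * @return bool
 */
protected function voteOnAttribute($attribute, $subject, TokenInterface $token)
{
    $user = $token->getUser();
    /** @var Article $article */
    $article = $subject; // $subject must be an Article instance, thanks to the supports method

    if (!$user instanceof UserInterface) {
        return false;
    }

    switch ($attribute) {
        case self::CREATE:
            if ($this->decisionManager->decide($token, ['ROLE_ADMIN', 'ROLE_MODERATOR'])) {
                return true;
            }
            break;

        // Two labels on purpose: `case self::EDIT || self::DELETE:` evaluates to
        // `true`, and switch's loose comparison then matches every truthy
        // attribute, not just EDIT and DELETE.
        case self::EDIT:
        case self::DELETE:
            // if the user is an admin or author, allow them to edit or delete an article
            if ($this->decisionManager->decide($token, ['ROLE_ADMIN'])
                || $user->getEmail() === $article->getAuthorEmail()
            ) {
                return true;
            }
            break;
    }

    return false;
}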
/**
 * {@inheritdoc}
 *
 * A request for the single VIEW attribute is granted without consulting the
 * decision manager when a token is present and the authorization checker
 * grants the bypassing role. Otherwise the stored token — or a blank
 * AnonymousToken when nobody is logged in — is handed to the decision manager.
 */
public function isGranted($attributes, $object = null)
{
    $attributes = is_array($attributes) ? $attributes : [$attributes];
    $token = $this->tokenStorage->getToken();

    $viewOnly = 1 === count($attributes) && self::VIEW_ATTRIBUTE === reset($attributes);
    if ($viewOnly && null !== $token && $this->authorizationChecker->isGranted($this->bypassingRole)) {
        return true;
    }

    // not logged in, just check with a dummy token
    if (null === $token) {
        $token = new AnonymousToken('', '');
    }

    return $this->accessDecisionManager->decide($token, $attributes, $object);
}
/**
 * Decides one attribute for a Lotissement subject.
 *
 * CREATE requires ROLE_ADMIN; EDIT is granted when the user's bloc equals the
 * lotissement's bloc. Other attributes, and tokens whose user is not a
 * UserInterface, are denied.
 *
 * @param string         $attribute
 * @param Lotissement    $subject   narrowed to Lotissement by supports()
 * @param TokenInterface $token
 *
 * @return bool
 */
protected function voteOnAttribute($attribute, $subject, TokenInterface $token)
{
    $user = $token->getUser();
    if (!$user instanceof UserInterface) {
        return false;
    }

    /** @var Lotissement $lotissement */
    $lotissement = $subject;

    if ($attribute === self::CREATE) {
        // creation is reserved to admins
        return $this->decisionManager->decide($token, ['ROLE_ADMIN']);
    }

    if ($attribute === self::EDIT) {
        // same bloc as the lotissement → may edit
        return $user->getBloc() === $lotissement->getBloc();
    }

    return false;
}
/**
 * {@inheritDoc}
 *
 * A lone VIEW attribute is granted outright when the security.context service
 * exists, holds a token, and grants the bypassing role. Otherwise the stored
 * token — or a blank AnonymousToken when nobody is logged in — is passed to
 * the access decision manager.
 */
public function isGranted($attributes, $object = null)
{
    $attributes = is_array($attributes) ? $attributes : [$attributes];

    $viewOnly = count($attributes) === 1 && self::VIEW_ATTRIBUTE === reset($attributes);
    if ($viewOnly && $this->container->has('security.context')) {
        $securityContext = $this->container->get('security.context');
        if (null !== $securityContext->getToken() && $securityContext->isGranted($this->bypassingRole)) {
            return true;
        }
    }

    $token = $this->getToken();
    // not logged in, just check with a dummy token
    if (null === $token) {
        $token = new AnonymousToken('', '');
    }

    return $this->accessDecisionManager->decide($token, $attributes, $object);
}
/**
 * {@inheritDoc}
 *
 * Resolves the token storage / authorization checker pair from the container
 * (falling back to the single security.context service for Symfony <2.6),
 * grants a lone VIEW attribute outright when a token is present and the
 * bypassing role is held, and otherwise defers to the access decision manager
 * with the stored token or a blank AnonymousToken.
 */
public function isGranted($attributes, $object = null)
{
    $attributes = is_array($attributes) ? $attributes : [$attributes];

    $tokenStorage = null;
    $authorizationChecker = null;
    if ($this->container->has('security.token_storage')) {
        $tokenStorage = $this->container->get('security.token_storage');
        $authorizationChecker = $this->container->get('security.authorization_checker');
    } elseif ($this->container->has('security.context')) {
        // to be BC with Symfony <2.6: one service plays both roles
        $tokenStorage = $this->container->get('security.context');
        $authorizationChecker = $tokenStorage;
    }

    $viewOnly = count($attributes) === 1 && self::VIEW_ATTRIBUTE === reset($attributes);
    if ($viewOnly
        && null !== $tokenStorage
        && null !== $tokenStorage->getToken()
        && $authorizationChecker->isGranted($this->bypassingRole)
    ) {
        return true;
    }

    $token = $this->getToken();
    // not logged in, just check with a dummy token
    if (null === $token) {
        $token = new AnonymousToken('', '');
    }

    return $this->accessDecisionManager->decide($token, $attributes, $object);
}
/**
 * {@inheritDoc}
 *
 * The user is wrapped in a throwaway UsernamePasswordToken carrying the
 * user's own roles (credentials and provider key are the placeholder 'none')
 * so the decision manager can vote on the requested roles for that user.
 */
public function isGrantedRoles(array $roles, UserInterface $user)
{
    $probeToken = new UsernamePasswordToken($user, 'none', 'none', $user->getRoles());

    return $this->decisionManager->decide($probeToken, $roles);
}
/**
 * Asks the access decision manager whether the token satisfies the given roles.
 *
 * @param TokenInterface $token
 * @param array          $roles role names (attributes) to decide on
 *
 * @return bool
 */
protected function isGranted(TokenInterface $token, array $roles) : bool
{
    $granted = $this->decisionManager->decide($token, $roles);

    return $granted;
}
/**
 * {@inheritdoc}
 *
 * Builds a token for the given user and an object-level (OID_TYPE_OBJECT)
 * secured identity — optionally narrowed to one field — and lets the access
 * decision manager decide the attributes against it.
 */
public function userIsGrantedOnObject($user, $attributes, $object, $field = null)
{
    $token = $this->getUserToken($user);
    $securedObject = $this->getObjectToSecure(AclIdentifierInterface::OID_TYPE_OBJECT, $object, $field);

    return $this->accessDecisionManager->decide($token, (array) $attributes, $securedObject);
}