Esempio n. 1
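 /**
  * Builds the user form: account fields, group membership, status, the
  * optional LDAP switch and the embedded employee sub-form.
  *
  * Editors without ROLE_ADMIN only get the groups whose role is reachable
  * from their own token roles, and ROLE_SYSTEM_ADMIN is never offered to
  * them. Editors with ROLE_ADMIN get every group, unfiltered.
  *
  * @param FormBuilderInterface $builder The form builder; its data object must expose
  *                                      isLdapEnabled() and getEmployee()
  * @param array                $options An array of options (not read by this method)
  */
 public function buildForm(FormBuilderInterface $builder, array $options)
 {
     $dataArr = $builder->getData();
     $config = $this->container->getParameter('opit_opit_hrm_user');

     $builder->add('username', 'text', array('attr' => array('placeholder' => 'Username')));
     $builder->add('email', 'text', array('attr' => array('placeholder' => 'Email')));

     // Restricts which groups (and therefore which roles) the current editor may hand out.
     $groupsQuery = function (EntityRepository $er) {
         $securityContext = $this->container->get('security.context');
         $dq = $er->createQueryBuilder('g');
         if (!$securityContext->isGranted('ROLE_ADMIN')) {
             $roleHierarchy = new RoleHierarchy($this->container->getParameter('security.role_hierarchy.roles'));
             $roles = $roleHierarchy->getReachableRoles($securityContext->getToken()->getRoles());
             $allowedRoles = array();
             foreach ($roles as $role) {
                 $roleName = $role->getRole();
                 // ROLE_SYSTEM_ADMIN is dropped even when reachable, so a system admin cannot
                 // assign that role. Strict comparison: role names are matched as exact strings.
                 // NOTE(review): only this literal is excluded; every other role the editor
                 // holds stays assignable, i.e. at the editor's own level and not only below
                 // it -- confirm this matches the intended policy.
                 if ('ROLE_SYSTEM_ADMIN' !== $roleName) {
                     $allowedRoles[] = $roleName;
                 }
             }
             // The role list is bound as a query parameter, never concatenated into the DQL.
             // NOTE(review): if nothing remains the IN list is empty; confirm the Doctrine
             // version in use treats that as "no rows" rather than as a query error.
             $dq->where('g.role IN (:allowedRoles)');
             $dq->setParameter(':allowedRoles', $allowedRoles);
         }

         return $dq->orderBy('g.name', 'ASC');
     };

     $builder->add('groups', 'entity', array(
         'class' => 'OpitOpitHrmUserBundle:Groups',
         'query_builder' => $groupsQuery,
         'property' => 'name',
         'multiple' => true,
         'expanded' => true,
         'label_attr' => array('id' => 'idGroups'),
     ));
     $builder->add('isActive', 'choice', array('choices' => $this->container->getParameter('opithrm_user_status')));

     // Display ldap feature related form inputs only when the bundle config enables LDAP.
     if (isset($config['ldap']['enabled']) && true === $config['ldap']['enabled']) {
         $builder->add('ldapEnabled', 'choice', array(
             'choices' => array('No', 'Yes'),
             'multiple' => false,
             'expanded' => true,
             'data' => $dataArr->isLdapEnabled() || 0,
         ));
     }

     $builder->add('employee', new EmployeeType($this->container, $dataArr->getEmployee()));
 }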
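 /**
  * Returns the vote for the given parameters.
  *
  * This method must return one of the following constants:
  * ACCESS_GRANTED, ACCESS_DENIED, or ACCESS_ABSTAIN.
  *
  * Decision rules, in order:
  *  - abstain when the token carries no UserInterface user, when no object is given or
  *    when the object's class is not supported;
  *  - abstain when none of the attributes is supported;
  *  - abstain when the user has ROLE_ADMIN, so the outcome for admins is left to the
  *    other voters and the configured decision strategy;
  *  - grant when a supported attribute equals a role reachable from one of the user's roles;
  *  - deny otherwise.
  *
  * @param TokenInterface $token      A TokenInterface instance
  * @param object|null    $object     The object to secure
  * @param array          $attributes An array of attributes associated with the method being invoked
  *
  * @return int either ACCESS_GRANTED, ACCESS_ABSTAIN, or ACCESS_DENIED
  */
 public function vote(TokenInterface $token, $object, array $attributes)
 {
     $user = $token->getUser();
     if (!($user instanceof UserInterface)) {
         return self::ACCESS_ABSTAIN;
     }
     if (!$object || !$this->supportsClass(get_class($object))) {
         return self::ACCESS_ABSTAIN;
     }

     // abstain vote by default in case none of the attributes are supported
     $vote = self::ACCESS_ABSTAIN;
     foreach ($attributes as $attribute) {
         if (!$this->supportsAttribute($attribute)) {
             continue;
         }

         // as soon as at least one attribute is supported, default is to deny access
         $vote = self::ACCESS_DENIED;

         // NOTE(review): hasRole() is defined on the project's user class; whether it looks at
         // directly assigned roles only or at the hierarchy cannot be told from here -- confirm.
         if ($user->hasRole('ROLE_ADMIN')) {
             return self::ACCESS_ABSTAIN;
         }

         foreach ($user->getRoles() as $role) {
             $reachableRoles = $this->roleHierarchy->getReachableRoles([new Role($role)]);
             foreach ($reachableRoles as $node) {
                 // Strict comparison: an access decision must not depend on PHP's loose
                 // type juggling between the role name and the requested attribute.
                 if ($node->getRole() === $attribute) {
                     return self::ACCESS_GRANTED;
                 }
             }
         }
     }

     return $vote;
 }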
Esempio n. 3
 /**
  * Stores the collaborators, then hands the tree returned by buildRolesTree()
  * to the parent constructor.
  *
  * The hierarchy is not a constructor argument here: it is whatever
  * buildRolesTree() (defined outside this excerpt) returns.
  * NOTE(review): presumably that tree is loaded through the entity manager, which would make
  * write access to the role storage equivalent to changing effective privileges -- confirm.
  *
  * @param EntityManager $em         Entity manager kept on the instance
  * @param mixed         $session    Kept on the instance; defaults to an empty string
  * @param mixed         $sessionKey Kept on the instance; defaults to an empty string
  */
 public function __construct(EntityManager $em, $session = '', $sessionKey = '')
 {
     $this->em = $em;
     $this->session = $session;
     $this->sessionKey = $sessionKey;

     // All three properties are assigned before the tree is built, as in the original order.
     parent::__construct($this->buildRolesTree());
 }
 /**
  * Resolves every role reachable from the roles returned by the user's getRoles().
  *
  * Each entry of getRoles() is wrapped in a Role object before being passed to the
  * role hierarchy, so the entries are expected to be role names.
  *
  * @param object $user An object exposing getRoles()
  *
  * @return array The result of getReachableRoles() for the wrapped roles
  */
 private function getUserRolesArray($user)
 {
     $wrappedRoles = array_map(
         function ($roleName) {
             return new Role($roleName);
         },
         $user->getRoles()
     );

     return $this->roleHierarchy->getReachableRoles($wrappedRoles);
 }
Esempio n. 5
 /**
  * Constructor.
  *
  * Inverts the given hierarchy before delegating to the parent constructor: every
  * entry "main => [role, ...]" contributes "role => [main, ...]" to the inverted map.
  *
  * NOTE(review): with an inverted map the parent's lookups presumably resolve a role to
  * the roles that include it, not to the roles it grants; if so, results from this
  * instance must not feed access decisions -- confirm against the callers.
  *
  * @param array $hierarchy An array defining the hierarchy
  */
 public function __construct(array $hierarchy)
 {
     // Map every listed role back to the main roles that list it.
     $mainsByRole = [];
     foreach ($hierarchy as $mainRole => $listedRoles) {
         foreach ($listedRoles as $listedRole) {
             if (!isset($mainsByRole[$listedRole])) {
                 $mainsByRole[$listedRole] = [];
             }
             $mainsByRole[$listedRole][] = $mainRole;
         }
     }

     // The parent builds its role map from the inverted structure, unchanged algorithm.
     parent::__construct($mainsByRole);
 }
Esempio n. 6
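 /**
  * Vote
  *
  * This function is automatically called by the framework
  *
  * You can call it manually within a Controller with an $object/$attributes as argument
  *
  * The default $attributes will be the roles required for the current URL
  *
  * For each supported attribute the decision is:
  *  - granted when ROLE_BACKEND_ADMIN is reachable from the token's roles;
  *  - otherwise taken from the route matched for the current request path: when that
  *    route carries a "sectionId", the section filter grants or denies;
  *  - left unchanged when the path matches no route or the route has no "sectionId".
  *
  * Neither $object nor the value of a supported attribute takes part in the decision.
  *
  * @param TokenInterface $token
  * @param object         $object     Not read by this voter
  * @param array          $attributes
  *
  * @return int One of VoterInterface::ACCESS_GRANTED, ACCESS_DENIED or ACCESS_ABSTAIN
  */
 public function vote(TokenInterface $token, $object, array $attributes)
 {
     $result = VoterInterface::ACCESS_ABSTAIN;

     foreach ($attributes as $attribute) {
         // Check if this Voter supports this Role
         if (!$this->supportsAttribute($attribute)) {
             continue;
         }

         // Get the Role Hierarchy
         $roleHierarchy = new RoleHierarchy($this->container->getParameter('security.role_hierarchy.roles'));

         // Get all the granted roles from the Hierarchy
         $grantedRoles = $roleHierarchy->getReachableRoles($token->getRoles());

         // ROLE_BACKEND_ADMIN has full access
         // Can't use ->isGranted because this method uses the Voters = (infinite loop)!
         foreach ($grantedRoles as $grantedRole) {
             // Strict comparison: the bypass must only fire on the exact role name, never
             // on a value that merely compares equal under PHP's loose type juggling.
             if ($grantedRole->getRole() === 'ROLE_BACKEND_ADMIN') {
                 return VoterInterface::ACCESS_GRANTED;
             }
         }

         // Get the current route
         // Need to use a Try Catch because subrequests (_fragment) can be voted...
         // NOTE(review): only ResourceNotFoundException is handled; any other exception the
         // matcher raises propagates out of the voter -- confirm that is intended.
         try {
             $route = $this->container->get('router')->match($this->container->get('request')->getPathInfo());
         } catch (ResourceNotFoundException $e) {
             continue;
         }

         // If there is a sectionId parameter in the Route
         if (array_key_exists('sectionId', $route)) {
             // Check if the user can access this Section
             if ($this->container->get('unifik_system.section_filter')->canAccess($route['sectionId'])) {
                 return VoterInterface::ACCESS_GRANTED;
             }

             // Remember the denial, but keep looking at the remaining attributes.
             $result = VoterInterface::ACCESS_DENIED;
         }
     }

     return $result;
 }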
 /**
  * Pins getReachableRoles() for a two-level hierarchy: a role always reaches itself and the
  * roles listed under it, and never the role that lists it (ROLE_USER does not reach
  * ROLE_ADMIN, ROLE_ADMIN does not reach ROLE_SUPER_ADMIN).
  */
 public function testGetReachableRoles()
 {
     $hierarchy = new RoleHierarchy(array(
         'ROLE_ADMIN' => array('ROLE_USER'),
         'ROLE_SUPER_ADMIN' => array('ROLE_ADMIN', 'ROLE_FOO'),
     ));

     // Turns a list of role names into the equivalent list of Role objects.
     $toRoles = function (array $names) {
         return array_map(function ($name) {
             return new Role($name);
         }, $names);
     };

     // Each case: expected reachable role names, then the role names passed in.
     $cases = array(
         array(array('ROLE_USER'), array('ROLE_USER')),
         array(array('ROLE_FOO'), array('ROLE_FOO')),
         array(array('ROLE_ADMIN', 'ROLE_USER'), array('ROLE_ADMIN')),
         array(array('ROLE_FOO', 'ROLE_ADMIN', 'ROLE_USER'), array('ROLE_FOO', 'ROLE_ADMIN')),
         array(array('ROLE_SUPER_ADMIN', 'ROLE_ADMIN', 'ROLE_FOO', 'ROLE_USER'), array('ROLE_SUPER_ADMIN')),
     );

     foreach ($cases as $case) {
         list($expectedNames, $givenNames) = $case;
         $this->assertEquals($toRoles($expectedNames), $hierarchy->getReachableRoles($toRoles($givenNames)));
     }
 }
 /**
  * Takes the manager from the Doctrine registry, then hands the tree returned by
  * buildRolesTree() to the parent constructor.
  *
  * NOTE(review): buildRolesTree() is defined outside this excerpt; presumably it reads the
  * roles through the manager stored here, so the hierarchy is fixed when the instance is
  * built -- confirm how long the instance lives relative to role changes.
  *
  * @param Doctrine $doctrine Registry providing the manager via getManager()
  */
 public function __construct(Doctrine $doctrine)
 {
     $this->em = $doctrine->getManager();

     // The manager is assigned first; the tree is built afterwards, as in the original order.
     $rolesTree = $this->buildRolesTree();
     parent::__construct($rolesTree);
 }
 /**
  * Stores the entity manager, then hands the tree that buildRolesTree() derives from the
  * given hierarchy to the parent constructor.
  *
  * NOTE(review): buildRolesTree() is defined outside this excerpt; presumably it combines
  * the configured hierarchy with roles read through the entity manager -- confirm, since
  * stored roles would then extend what the static configuration grants.
  *
  * @param array                  $hierarchy Hierarchy passed on to buildRolesTree()
  * @param EntityManagerInterface $em        Entity manager kept on the instance
  */
 public function __construct(array $hierarchy, EntityManagerInterface $em)
 {
     $this->em = $em;

     // The manager is assigned before the tree is built, as in the original order.
     $rolesTree = $this->buildRolesTree($hierarchy);
     parent::__construct($rolesTree);
 }
Esempio n. 10
 /**
  * Stores the role manager, then hands the map returned by buildRolesTree() to the
  * parent constructor.
  *
  * NOTE(review): buildRolesTree() is defined outside this excerpt; presumably it derives
  * the map from the role manager stored here -- confirm.
  *
  * @param RoleManagerInterface $rm Role manager kept on the instance
  */
 public function __construct(RoleManagerInterface $rm)
 {
     $this->rm = $rm;

     // The role manager is assigned before the map is built, as in the original order.
     parent::__construct($this->buildRolesTree());
 }
Esempio n. 11
 /**
  * Stores the object manager, then hands the tree that buildGroupTree() derives from the
  * static hierarchy to the parent constructor.
  *
  * NOTE(review): buildGroupTree() is defined outside this excerpt; presumably it merges
  * group data read through the object manager into the static hierarchy -- confirm, since
  * stored groups would then extend what the static configuration grants.
  *
  * @param array         $staticHierarchy Hierarchy passed on to buildGroupTree()
  * @param ObjectManager $objectManager   Object manager kept on the instance
  */
 public function __construct(array $staticHierarchy, ObjectManager $objectManager)
 {
     $this->objectManager = $objectManager;

     // The object manager is assigned before the tree is built, as in the original order.
     $groupTree = $this->buildGroupTree($staticHierarchy);
     parent::__construct($groupTree);
 }