/**
* This is the default Policy voter, it votes for the access privilege for the given resource
*
* @param \TYPO3\FLOW3\Security\Context $securityContext The current securit context
* @param string $resource The resource to vote for
* @return integer One of: VOTE_GRANT, VOTE_ABSTAIN, VOTE_DENY
*/
public function voteForResource(\TYPO3\FLOW3\Security\Context $securityContext, $resource)
{
$accessGrants = 0;
$accessDenies = 0;
foreach ($securityContext->getRoles() as $role) {
try {
$privilege = $this->policyService->getPrivilegeForResource($role, $resource);
} catch (\TYPO3\FLOW3\Security\Exception\NoEntryInPolicyException $e) {
return self::VOTE_ABSTAIN;
}
if ($privilege === NULL) {
continue;
}
if ($privilege === \TYPO3\FLOW3\Security\Policy\PolicyService::PRIVILEGE_GRANT) {
$accessGrants++;
} elseif ($privilege === \TYPO3\FLOW3\Security\Policy\PolicyService::PRIVILEGE_DENY) {
$accessDenies++;
}
}
if ($accessDenies > 0) {
return self::VOTE_DENY;
}
if ($accessGrants > 0) {
return self::VOTE_GRANT;
}
return self::VOTE_ABSTAIN;
}
/**
* Checks, if the current policy allows the retrieval of the object fetched by getObjectDataByIdentifier()
*
* @FLOW3\Around("within(TYPO3\FLOW3\Persistence\PersistenceManagerInterface) && method(.*->getObjectByIdentifier()) && setting(TYPO3.FLOW3.security.enable)")
* @param \TYPO3\FLOW3\Aop\JoinPointInterface $joinPoint The current joinpoint
* @return array The object data of the original object, or NULL if access is not permitted
*/
public function checkAccessAfterFetchingAnObjectByIdentifier(\TYPO3\FLOW3\Aop\JoinPointInterface $joinPoint)
{
$result = $joinPoint->getAdviceChain()->proceed($joinPoint);
if ($this->securityContext->isInitialized() === FALSE) {
return $result;
}
$authenticatedRoles = $this->securityContext->getRoles();
if ($result instanceof \Doctrine\ORM\Proxy\Proxy) {
$entityType = get_parent_class($result);
} else {
$entityType = get_class($result);
}
if ($this->policyService->hasPolicyEntryForEntityType($entityType, $authenticatedRoles)) {
if ($this->policyService->isGeneralAccessForEntityTypeGranted($entityType, $authenticatedRoles) === FALSE) {
return NULL;
}
$policyConstraintsDefinition = $this->policyService->getResourcesConstraintsForEntityTypeAndRoles($entityType, $authenticatedRoles);
if ($this->checkConstraintDefinitionsOnResultObject($policyConstraintsDefinition, $result) === FALSE) {
return NULL;
}
}
return $result;
}
/**
* Returns the publish path and filename to be used to publish the specified persistent resource
*
* @FLOW3\Around("method(TYPO3\FLOW3\Resource\Publishing\FileSystemPublishingTarget->buildPersistentResourcePublishPathAndFilename()) && setting(TYPO3.FLOW3.security.enable)")
* @param \TYPO3\FLOW3\Aop\JoinPointInterface $joinPoint The current join point
* @return mixed Result of the target method
*/
public function rewritePersistentResourcePublishPathAndFilenameForPrivateResources(\TYPO3\FLOW3\Aop\JoinPointInterface $joinPoint)
{
$resource = $joinPoint->getMethodArgument('resource');
$configuration = $resource->getPublishingConfiguration();
$returnFilename = $joinPoint->getMethodArgument('returnFilename');
if ($configuration === NULL || $configuration instanceof \TYPO3\FLOW3\Security\Authorization\Resource\SecurityPublishingConfiguration === FALSE) {
return $joinPoint->getAdviceChain()->proceed($joinPoint);
}
$publishingPath = FALSE;
$allowedRoles = $configuration->getAllowedRoles();
if (count(array_intersect($allowedRoles, $this->securityContext->getRoles())) > 0) {
$publishingPath = \TYPO3\FLOW3\Utility\Files::concatenatePaths(array($joinPoint->getProxy()->getResourcesPublishingPath(), 'Persistent/', $this->session->getID())) . '/';
$filename = $resource->getResourcePointer()->getHash() . '.' . $resource->getFileExtension();
\TYPO3\FLOW3\Utility\Files::createDirectoryRecursively($publishingPath);
$this->accessRestrictionPublisher->publishAccessRestrictionsForPath($publishingPath);
if ($this->settings['resource']['publishing']['fileSystem']['mirrorMode'] === 'link') {
foreach ($allowedRoles as $role) {
$roleDirectory = \TYPO3\FLOW3\Utility\Files::concatenatePaths(array($this->environment->getPathToTemporaryDirectory(), 'PrivateResourcePublishing/', $role));
\TYPO3\FLOW3\Utility\Files::createDirectoryRecursively($roleDirectory);
if (file_exists($publishingPath . $role)) {
if (\TYPO3\FLOW3\Utility\Files::is_link(\TYPO3\FLOW3\Utility\Files::concatenatePaths(array($publishingPath, $role))) && realpath(\TYPO3\FLOW3\Utility\Files::concatenatePaths(array($publishingPath, $role))) === $roleDirectory) {
continue;
}
unlink($publishingPath . $role);
symlink($roleDirectory, \TYPO3\FLOW3\Utility\Files::concatenatePaths(array($publishingPath, $role)));
} else {
symlink($roleDirectory, \TYPO3\FLOW3\Utility\Files::concatenatePaths(array($publishingPath, $role)));
}
}
$publishingPath = \TYPO3\FLOW3\Utility\Files::concatenatePaths(array($publishingPath, $allowedRoles[0])) . '/';
}
if ($returnFilename === TRUE) {
$publishingPath = \TYPO3\FLOW3\Utility\Files::concatenatePaths(array($publishingPath, $filename));
}
}
return $publishingPath;
}
