Author: Michaël Gallego (mic.gallego@gmail.com)
 /**
  * {@inheritDoc}
  */
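 public function isGranted(MvcEvent $event)
 {
     // Decides whether the matched controller/action may be dispatched. The lookup goes from the
     // most specific rule (controller + action) to the controller-wide rule stored at index 0,
     // and every permission listed in the selected rule must be granted.
     $routeMatch = $event->getRouteMatch();

     // Cast before lower-casing so a missing route parameter becomes '' instead of passing null
     // to strtolower(). NOTE(review): lookups are lower-cased here, so rule keys are presumably
     // stored lower-cased when the rules are set; verify against the setter.
     $controller = strtolower((string) $routeMatch->getParam('controller'));
     $action = strtolower((string) $routeMatch->getParam('action'));

     // No rule at all for this controller: the protection policy alone decides. Under
     // POLICY_ALLOW this is a fail-open default, so a controller without a rule is unprotected.
     if (!isset($this->rules[$controller])) {
         return $this->protectionPolicy === self::POLICY_ALLOW;
     }

     // Exact match (controller + action) first, then the controller-wide rule (index 0),
     // and finally the protection policy when neither exists.
     if (isset($this->rules[$controller][$action])) {
         $allowedPermissions = $this->rules[$controller][$action];
     } elseif (isset($this->rules[$controller][0])) {
         $allowedPermissions = $this->rules[$controller][0];
     } else {
         return $this->protectionPolicy === self::POLICY_ALLOW;
     }

     // An empty permission list is treated like "no rule": the protection policy decides.
     if (empty($allowedPermissions)) {
         return $this->protectionPolicy === self::POLICY_ALLOW;
     }

     // Strict comparison on purpose: with a loose in_array() a non-string entry such as true
     // (or 0 on PHP < 8) compares equal to '*' and would open the action to every caller.
     if (in_array('*', $allowedPermissions, true)) {
         return true;
     }

     // AND semantics: the first permission that is not granted denies the request.
     foreach ($allowedPermissions as $permission) {
         if (!$this->authorizationService->isGranted($permission)) {
             return false;
         }
     }

     return true;
 }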
 /**
  * {@inheritDoc}
  */
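 public function isGranted(MvcEvent $event)
 {
     // Decides whether the matched route may be dispatched. Rules are keyed by fnmatch() patterns
     // and carry either a plain list of permissions or an array with 'permissions' and 'condition'.
     $matchedRouteName = $event->getRouteMatch()->getMatchedRouteName();
     $allowedPermissions = null;

     // First matching pattern wins, in the order the rules are stored: a broad pattern placed
     // before a narrower one shadows it. FNM_PATHNAME is not set, so '*' in a pattern also
     // matches '/' inside the route name; matching is case-insensitive (FNM_CASEFOLD).
     foreach (array_keys($this->rules) as $routeRule) {
         if (fnmatch($routeRule, $matchedRouteName, FNM_CASEFOLD)) {
             $allowedPermissions = $this->rules[$routeRule];
             break;
         }
     }

     // No pattern matched: the protection policy alone decides (fail-open under POLICY_ALLOW).
     if (null === $allowedPermissions) {
         return $this->protectionPolicy === self::POLICY_ALLOW;
     }

     // Strict comparison on purpose: with a loose in_array() a non-string entry such as true
     // (or 0 on PHP < 8) compares equal to '*' and would open the route to every caller.
     // Only the top level of the rule is inspected; a '*' nested under 'permissions' is not a
     // wildcard and is handed to the authorization service like any other permission name.
     if (in_array('*', $allowedPermissions, true)) {
         return true;
     }

     $permissions = isset($allowedPermissions['permissions']) ? $allowedPermissions['permissions'] : $allowedPermissions;
     $condition = isset($allowedPermissions['condition']) ? $allowedPermissions['condition'] : GuardInterface::CONDITION_AND;

     if (GuardInterface::CONDITION_AND === $condition) {
         // NOTE(review): an empty permission list passes this loop untouched and grants access
         // regardless of the protection policy; confirm that an empty rule is meant to be open.
         foreach ($permissions as $permission) {
             if (!$this->authorizationService->isGranted($permission)) {
                 return false;
             }
         }

         return true;
     }

     if (GuardInterface::CONDITION_OR === $condition) {
         // One granted permission is enough; an empty list denies.
         foreach ($permissions as $permission) {
             if ($this->authorizationService->isGranted($permission)) {
                 return true;
             }
         }

         return false;
     }

     // Any other condition value is a configuration error and is rejected rather than guessed at.
     throw new InvalidArgumentException(sprintf('Condition must be either "AND" or "OR", %s given', is_object($condition) ? get_class($condition) : gettype($condition)));
 }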
Esempio n. 3
 /**
  *
  * @param MvcEvent $event
  * @return bool
  */
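 public function isGranted(MvcEvent $event)
 {
     // Decides whether an HTTP request to a REST resource may be dispatched. Rules are indexed
     // as [controller][group][HTTP method], where group is 'entity' or 'collection'.
     // NOTE(review): the three early "return true" exits below bypass the protection policy
     // entirely, so requests they cover must be protected by some other guard.
     $rules = $this->getRules();
     $routeMatch = $event->getRouteMatch();
     $request = $event->getRequest();

     // Non-HTTP requests are outside this guard's scope and are let through.
     if (!$request instanceof HttpRequest) {
         return true;
     }

     $method = $request->getMethod();
     $resource = $this->resourceResolver->buildResourceString($routeMatch, $request);

     // If no resource could be identified, it is considered as granted (this guard does not apply).
     if (!$resource) {
         return true;
     }

     // Pad to two elements so a resource string without '::' yields a null group instead of an
     // undefined-offset error; extra segments are ignored exactly as before.
     list($controller, $group) = array_pad(explode('::', $resource), 2, null);

     // If it's an RPC call and not a REST controller, it is considered as granted (this guard
     // does not apply). Strict comparison keeps the check to the two exact group names.
     if (!in_array($group, ['entity', 'collection'], true)) {
         return true;
     }

     // If no rules apply, it is considered as granted or not based on the protection policy.
     if (!isset($rules[$controller][$group][$method])) {
         return $this->getProtectionPolicy() === self::POLICY_ALLOW;
     }

     $actions = $rules[$controller][$group][$method];

     // A single permission name is handled like a one-element list.
     if (is_string($actions)) {
         $actions = [$actions];
     }

     if (is_array($actions)) {
         // AND semantics: the first permission that is not granted denies the request.
         // An empty list grants access, as it did before.
         foreach ($actions as $action) {
             if (!$this->authorizationService->isGranted($action)) {
                 return false;
             }
         }

         return true;
     }

     // Any other configured value is used as the decision itself after a boolean cast,
     // so a literal true in the rules opens the method to every caller.
     return (bool) $actions;
 }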
Esempio n. 4
 /**
  * {@inheritDoc}
  */
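 public function isGranted(MvcEvent $event)
 {
     // Decides whether the matched route may be dispatched. Rules are keyed by fnmatch() patterns
     // and each rule is a list of permissions that must all be granted.
     $matchedRouteName = $event->getRouteMatch()->getMatchedRouteName();
     $allowedPermissions = null;

     // First matching pattern wins, in the order the rules are stored: a broad pattern placed
     // before a narrower one shadows it. FNM_PATHNAME is not set, so '*' in a pattern also
     // matches '/' inside the route name; matching is case-insensitive (FNM_CASEFOLD).
     foreach (array_keys($this->rules) as $routeRule) {
         if (fnmatch($routeRule, $matchedRouteName, FNM_CASEFOLD)) {
             $allowedPermissions = $this->rules[$routeRule];
             break;
         }
     }

     // No pattern matched: the protection policy alone decides (fail-open under POLICY_ALLOW).
     if (null === $allowedPermissions) {
         return $this->protectionPolicy === self::POLICY_ALLOW;
     }

     // Strict comparison on purpose: with a loose in_array() a non-string entry such as true
     // (or 0 on PHP < 8) compares equal to '*' and would open the route to every caller.
     if (in_array('*', $allowedPermissions, true)) {
         return true;
     }

     // AND semantics: the first permission that is not granted denies the request.
     // NOTE(review): an empty permission list passes this loop untouched and grants access
     // regardless of the protection policy; confirm that an empty rule is meant to be open.
     foreach ($allowedPermissions as $permission) {
         if (!$this->authorizationService->isGranted($permission)) {
             return false;
         }
     }

     return true;
 }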
Esempio n. 5
 /**
  * Check against the given permission
  *
  * @param  string $permission
  * @param  mixed  $context
  * @return bool
  */
 public function __invoke($permission, $context = null)
 {
     // Pure delegation: permission and context are forwarded unchanged and the authorization
     // service's answer is returned as-is; no additional check happens at this layer.
     $granted = $this->authorizationService->isGranted($permission, $context);

     return $granted;
 }
 /**
  * @param string $action
  * @param mixed $context
  * @return boolean
  */
 public function isAllowed($action, $context = null)
 {
     // The action name is used directly as the permission name; the decision is taken entirely
     // by the RBAC service and returned without modification.
     $allowed = $this->rbacService->isGranted($action, $context);

     return $allowed;
 }
 /**
  * Check if the permission is granted to the current identity
  *
  * @param string $messageName
  * @param mixed  $context
  * @return bool
  */
 public function isGranted($messageName, $context = null)
 {
     // The message name is used directly as the permission name; the wrapped authorization
     // service takes the decision and its result is returned without modification.
     $granted = $this->zfcRbacAuthorizationService->isGranted($messageName, $context);

     return $granted;
 }