コード例 #1
0
 /**
  * Builds the API UserGroupRoleAssignment object from provided SPI RoleAssignment object.
  *
  * @param \eZ\Publish\SPI\Persistence\User\RoleAssignment $spiRoleAssignment
  * @param \eZ\Publish\API\Repository\Values\User\UserGroup $userGroup
  * @param \eZ\Publish\API\Repository\Values\User\Role $role
  *
  * @return \eZ\Publish\API\Repository\Values\User\UserGroupRoleAssignment
  */
 public function buildDomainUserGroupRoleAssignmentObject(SPIRoleAssignment $spiRoleAssignment, UserGroup $userGroup, APIRole $role)
 {
     $limitation = null;
     if (!empty($spiRoleAssignment->limitationIdentifier)) {
         $limitation = $this->limitationService->getLimitationType($spiRoleAssignment->limitationIdentifier)->buildValue($spiRoleAssignment->values);
     }
     return new UserGroupRoleAssignment(array('limitation' => $limitation, 'role' => $role, 'userGroup' => $userGroup));
 }
コード例 #2
0
ファイル: RoleService.php プロジェクト: Pixy/ezpublish-kernel
 /**
  * Validates Policy context: Limitations on a module and function.
  *
  * @throws \eZ\Publish\Core\Base\Exceptions\InvalidArgumentException If the same limitation is repeated or if
  *                                                                   limitation is not allowed on module/function
  *
  * @param string $module
  * @param string $function
  * @param \eZ\Publish\API\Repository\Values\User\Limitation[] $limitations
  *
  * @return \eZ\Publish\Core\FieldType\ValidationError[][]
  */
 protected function validatePolicy($module, $function, array $limitations)
 {
     if ($module !== '*' && $function !== '*' && !empty($limitations)) {
         $limitationSet = array();
         foreach ($limitations as $limitation) {
             if (isset($limitationSet[$limitation->getIdentifier()])) {
                 throw new InvalidArgumentException('limitations', "'{$limitation->getIdentifier()}' was found several times among the limitations");
             }
             if (!isset($this->settings['policyMap'][$module][$function][$limitation->getIdentifier()])) {
                 throw new InvalidArgumentException('policy', "The limitation '{$limitation->getIdentifier()}' is not applicable on '{$module}/{$function}'");
             }
             $limitationSet[$limitation->getIdentifier()] = true;
         }
     }
     return $this->limitationService->validateLimitations($limitations);
 }
コード例 #3
0
 /**
  * Get content-read Permission criteria if needed and return false if no access at all.
  *
  * @uses \eZ\Publish\API\Repository\PermissionResolver::hasAccess()
  *
  * @throws \RuntimeException If empty array of limitations are provided from hasAccess()
  *
  * @param string $module
  * @param string $function
  *
  * @return bool|\eZ\Publish\API\Repository\Values\Content\Query\Criterion
  */
 public function getPermissionsCriterion($module = 'content', $function = 'read')
 {
     $permissionSets = $this->permissionResolver->hasAccess($module, $function);
     if ($permissionSets === false || $permissionSets === true) {
         return $permissionSets;
     }
     if (empty($permissionSets)) {
         throw new RuntimeException("Got an empty array of limitations from hasAccess( '{$module}', '{$function}' )");
     }
     /*
      * RoleAssignment is a OR condition, so is policy, while limitations is a AND condition
      *
      * If RoleAssignment has limitation then policy OR conditions are wrapped in a AND condition with the
      * role limitation, otherwise it will be merged into RoleAssignment's OR condition.
      */
     $currentUserRef = $this->permissionResolver->getCurrentUserReference();
     $roleAssignmentOrCriteria = array();
     foreach ($permissionSets as $permissionSet) {
         // $permissionSet is a RoleAssignment, but in the form of role limitation & role policies hash
         $policyOrCriteria = array();
         /**
          * @var \eZ\Publish\API\Repository\Values\User\Policy
          */
         foreach ($permissionSet['policies'] as $policy) {
             $limitations = $policy->getLimitations();
             if ($limitations === '*' || empty($limitations)) {
                 // Given policy gives full access, optimize away all role policies (but not role limitation if any)
                 // This should be optimized on create/update of Roles, however we keep this here for bc with older data
                 $policyOrCriteria = [];
                 break;
             }
             $limitationsAndCriteria = array();
             foreach ($limitations as $limitation) {
                 $type = $this->limitationService->getLimitationType($limitation->getIdentifier());
                 $limitationsAndCriteria[] = $type->getCriterion($limitation, $currentUserRef);
             }
             $policyOrCriteria[] = isset($limitationsAndCriteria[1]) ? new LogicalAnd($limitationsAndCriteria) : $limitationsAndCriteria[0];
         }
         /**
          * Apply role limitations if there is one.
          *
          * @var \eZ\Publish\API\Repository\Values\User\Limitation[]
          */
         if ($permissionSet['limitation'] instanceof Limitation) {
             // We need to match both the limitation AND *one* of the policies, aka; roleLimit AND policies(OR)
             $type = $this->limitationService->getLimitationType($permissionSet['limitation']->getIdentifier());
             if (!empty($policyOrCriteria)) {
                 $roleAssignmentOrCriteria[] = new LogicalAnd(array($type->getCriterion($permissionSet['limitation'], $currentUserRef), isset($policyOrCriteria[1]) ? new LogicalOr($policyOrCriteria) : $policyOrCriteria[0]));
             } else {
                 $roleAssignmentOrCriteria[] = $type->getCriterion($permissionSet['limitation'], $currentUserRef);
             }
         } elseif (!empty($policyOrCriteria)) {
             // Otherwise merge $policyOrCriteria into $roleAssignmentOrCriteria
             // There is no role limitation, so any of the policies can globally match in the returned OR criteria
             $roleAssignmentOrCriteria = empty($roleAssignmentOrCriteria) ? $policyOrCriteria : array_merge($roleAssignmentOrCriteria, $policyOrCriteria);
         }
     }
     if (empty($roleAssignmentOrCriteria)) {
         return false;
     }
     return isset($roleAssignmentOrCriteria[1]) ? new LogicalOr($roleAssignmentOrCriteria) : $roleAssignmentOrCriteria[0];
 }
コード例 #4
0
 public function canUser($module, $function, ValueObject $object, array $targets = [])
 {
     $permissionSets = $this->hasAccess($module, $function);
     if ($permissionSets === false || $permissionSets === true) {
         return $permissionSets;
     }
     if (empty($targets)) {
         $targets = null;
     }
     $currentUserRef = $this->getCurrentUserReference();
     foreach ($permissionSets as $permissionSet) {
         /**
          * First deal with Role limitation if any.
          *
          * Here we accept ACCESS_GRANTED and ACCESS_ABSTAIN, the latter in cases where $object and $targets
          * are not supported by limitation.
          *
          * @var \eZ\Publish\API\Repository\Values\User\Limitation[]
          */
         if ($permissionSet['limitation'] instanceof Limitation) {
             $type = $this->limitationService->getLimitationType($permissionSet['limitation']->getIdentifier());
             $accessVote = $type->evaluate($permissionSet['limitation'], $currentUserRef, $object, $targets);
             if ($accessVote === LimitationType::ACCESS_DENIED) {
                 continue;
             }
         }
         /**
          * Loop over all policies.
          *
          * These are already filtered by hasAccess and given hasAccess did not return boolean
          * there must be some, so only return true if one of them says yes.
          *
          * @var \eZ\Publish\API\Repository\Values\User\Policy
          */
         foreach ($permissionSet['policies'] as $policy) {
             $limitations = $policy->getLimitations();
             /*
              * Return true if policy gives full access (aka no limitations)
              */
             if ($limitations === '*') {
                 return true;
             }
             /*
              * Loop over limitations, all must return ACCESS_GRANTED for policy to pass.
              * If limitations was empty array this means same as '*'
              */
             $limitationsPass = true;
             foreach ($limitations as $limitation) {
                 $type = $this->limitationService->getLimitationType($limitation->getIdentifier());
                 $accessVote = $type->evaluate($limitation, $currentUserRef, $object, $targets);
                 /*
                  * For policy limitation atm only support ACCESS_GRANTED
                  *
                  * Reasoning: Right now, use of a policy limitation not valid for a policy is per definition a
                  * BadState. To reach this you would have to configure the "policyMap" wrongly, like using
                  * Node (Location) limitation on state/assign. So in this case Role Limitations will return
                  * ACCESS_ABSTAIN (== no access here), and other limitations will throw InvalidArgument above,
                  * both cases forcing dev to investigate to find miss configuration. This might be relaxed in
                  * the future if valid use cases for ACCESS_ABSTAIN on policy limitations becomes known.
                  */
                 if ($accessVote !== LimitationType::ACCESS_GRANTED) {
                     $limitationsPass = false;
                     break;
                     // Break to next policy, all limitations must pass
                 }
             }
             if ($limitationsPass) {
                 return true;
             }
         }
     }
     return false;
     // None of the limitation sets wanted to let you in, sorry!
 }