/** * @param ACLRequest $aclRequest * * @return bool */ public function check(ACLRequest $aclRequest) { $objectKey = Objects::normalizeObjectKey($aclRequest->getObjectKey()); $targetType = $aclRequest->getTargetType(); $targetId = $aclRequest->getTargetId(); $pk = $aclRequest->getPrimaryKey(); $field = $aclRequest->getField(); $pk = $this->objects->normalizePkString($objectKey, $pk); if (ACL::TARGET_TYPE_USER === $targetType && null === $targetId) { //0 means guest $targetId = $this->pageStack->getUser() ? $this->pageStack->getUser()->getId() : 0; } $user = $this->pageStack->getUser(); if ($user) { $groupIds = $user->getGroupIds(); if (false !== strpos(',' . $groupIds . ',', ',1,')) { //user is in the admin group, so he has always access. return true; } } if (ACL::TARGET_TYPE_USER === $targetType && 1 === $targetId) { //user admin has always access return true; } if (ACL::TARGET_TYPE_GROUP === $targetType && 1 === $targetId) { //group admin has always access return true; } if (0 === $targetId) { //guests do always have no access return false; } if (ACL::TARGET_TYPE_GROUP === $targetType && !$targetId) { throw new \InvalidArgumentException('For type TARGET_TYPE_GROUP a targetId is required.'); } $cacheKey = null; if ($pk && $this->getCaching()) { $pkString = $this->objects->getObjectUrlId($objectKey, $pk); $cacheKey = md5($targetType . '.' . $targetId . '.' . $objectKey . '/' . $pkString . '/' . json_encode($field)); $cached = $this->cacher->getDistributedCache('core/acl/' . $cacheKey); if (null !== $cached) { return $cached; } } $rules = self::getRules($objectKey, $aclRequest->getMode(), $targetType, $targetId); if (count($rules) === 0) { //no rules found, so we have no access return false; } $access = null; $currentObjectPk = $pk; $definition = $this->objects->getDefinition($objectKey); $not_found = true; //starts directly as if we were in the parent checking. $parent_acl = $aclRequest->isAsParent(); $fCount = null; $fKey = null; $fValue = null; $fIsArray = is_array($field); if ($fIsArray) { $fCount = count($field); $fKey = key($field); $fValue = current($field); if (is_int($fKey)) { $fKey = $fValue; $fValue = null; } } $depth = 0; $match = false; $originObjectItemPk = $currentObjectPk; while ($not_found) { $currentObjectPkString = null; if ($currentObjectPk) { $currentObjectPkString = $this->objects->getObjectUrlId($objectKey, $currentObjectPk); } $depth++; if ($depth > 50) { $not_found = false; break; } foreach ($rules as $aclRule) { if ($parent_acl && !$aclRule['sub']) { //as soon we enter the parent_acl mode we only take acl rules into consideration //that are also valid for children (sub=true) continue; } $match = false; /* * CUSTOM CONSTRAINT */ if ($aclRule['constraint_type'] === ACL::CONSTRAINT_CONDITION) { $objectItem = null; if ($originObjectItemPk === $currentObjectPk && null !== $aclRequest->getPrimaryObjectItem()) { $objectItem = $aclRequest->getPrimaryObjectItem(); } else { if ($originObjectItemPk) { $objectItem = $this->objects->get($objectKey, $currentObjectPk); } } if ($objectItem && $this->conditionOperator->satisfy($aclRule['constraint_code'], $objectItem, $objectKey)) { $match = true; } /* * EXACT */ } else { if ($aclRule['constraint_type'] === ACL::CONSTRAINT_EXACT) { if ($currentObjectPk && $aclRule['constraint_code'] === $currentObjectPkString) { $match = true; } /** * ALL */ } else { $match = true; } } if (!$match && $aclRule['sub'] && $currentObjectPk) { // we need to check if a parent matches this $acl as we have sub=true $parentItem = $this->objects->normalizePkString($objectKey, $currentObjectPk); $parentCondition = Condition::create($aclRule['constraint_code']); $parentOptions['fields'] = $this->conditionOperator->extractFields($parentCondition); while ($parentItem = $this->objects->getParent($objectKey, $this->objects->getObjectPk($objectKey, $parentItem), $parentOptions)) { if ($aclRule['constraint_type'] === ACL::CONSTRAINT_CONDITION && $this->conditionOperator->satisfy($parentCondition, $parentItem)) { $match = true; break; } else { if ($aclRule['constraint_type'] === ACL::CONSTRAINT_EXACT && $aclRule['constraint_code'] === $this->objects->getObjectUrlId($objectKey, $parentItem)) { $match = true; break; } } } } if ($match) { //match, check all $field $field2Key = $field; if ($field) { if ($fIsArray && $fCount === 1) { if (is_string($fKey) && is_array($aclRule['fields'][$fKey])) { //this field has limits if (($field2Acl = $aclRule['fields'][$fKey]) !== null) { if (is_array($field2Acl[0])) { //complex field rule, $field2Acl = ([{access: no, condition: [['id', '>', 2], ..]}, {}, ..]) foreach ($field2Acl as $fRule) { $satisfy = false; if (($f = $definition->getField($fKey)) && $f->getType() === 'object') { $uri = $f->getObject() . '/' . $fValue; $uriObject = $this->objects->getFromUrl($uri); $satisfy = $this->conditionOperator->satisfy($fRule['condition'], $uriObject); } else { if (null !== $fValue) { $satisfy = $this->conditionOperator->satisfy($fRule['condition'], $field); } } if ($satisfy) { return $fRule['access'] === 1 ? true : false; } } //if no field rules fits, we consider the whole rule if ($aclRule['access'] !== 2) { return $aclRule['access'] === 1 ? true : false; } } else { //simple field rule $field2Acl = ({"value1": yes, "value2": no} if ($field2Acl[$fKey] !== null) { return $field2Acl[$fKey] === 1 ? true : false; } else { //current($field) is not exactly defined in $field2Acl, so we set $access to $acl['access'] // //if access = 2 then wo do not know it, cause 2 means 'inherited', so maybe //a other rule has more detailed rule if ($aclRule['access'] !== 2) { $access = $aclRule['access'] === 1 ? true : false; break; } } } } } else { //this field has only true or false $field2Key = $fKey; } } if (!is_array($field2Key)) { if ($aclRule['fields'] && ($field2Acl = $aclRule['fields'][$field2Key]) !== null && !is_array($aclRule['fields'][$field2Key])) { $access = $field2Acl === 1 ? true : false; break; } else { //$field is not exactly defined, so we set $access to $acl['access'] //and maybe a rule with the same code has the field defined // if access = 2 then this rule is only for exactly define fields if ($aclRule['access'] !== 2) { $access = $aclRule['access'] === 1 ? true : false; break; } } } } else { $access = $aclRule['access'] === 1 ? true : false; break; } } } //foreach if (null === $access && $definition->isNested() && $pk) { //$access has not defined yet (no rule matched yet). Check if nested and $pk is given //load its root and check again if (null === ($currentObjectPk = $this->objects->getParentPk($objectKey, $currentObjectPk))) { $access = $aclRequest->isRootHasAccess() ? true : $access; break; } $parent_acl = true; } else { break; } } $access = (bool) $access; if ($pk && $this->getCaching()) { $this->cacher->setDistributedCache('core/acl/' . $cacheKey, $access); } return $access; }
/** * * array( * 'items' => $items, * 'count' => $maxItems, * 'pages' => $maxPages * ); * * @param array $filter * @param integer $limit * @param integer $offset * @param string $query * @param string $fields * @param array $orderBy * * @param bool $withAcl * @param array $primaryKeys * * @return array * @throws ObjectNotFoundException * @throws \Exception */ public function getItems($filter = null, $limit = null, $offset = null, $query = '', $fields = null, $orderBy = [], $withAcl = false, array $primaryKeys = []) { $options = array(); $storageController = $this->objects->getStorageController($this->getObject()); $options['offset'] = $offset; $options['limit'] = $limit ? $limit : $this->defaultLimit; $condition = $this->getCondition(); if ($extraCondition = $this->getCustomListingCondition()) { $condition->mergeAnd($extraCondition); } $options['order'] = $orderBy ?: $this->getOrder(); $options['fields'] = $this->getItemsSelection($fields); $options['permissionCheck'] = $this->getPermissionCheck(); $aclRequest = ACLRequest::create($this->getObject())->onlyListingMode(); if ($this->getPermissionCheck() && !$this->acl->check($aclRequest)) { return null; } if ($limit = $this->getObjectDefinition()->getLimitDataSets()) { $condition->mergeAnd($limit); } if ($this->getMultiLanguage() && $this->getLanguage()) { if ($this->getObjectDefinition()->getNestedRootAsObject() && ($rootObjectKey = $this->getObjectDefinition()->getNestedRootObject())) { $rootObjects = $this->objects->getList($rootObjectKey, null, ['lang' => $this->getLanguage(), 'fields' => 'id']); $langConditions = new Condition(); foreach ($rootObjects as $item) { $langConditions->addOr(['domain', '=', $item['id']]); } $condition->addAnd($langConditions); } else { //does the object have a lang field? if ($this->objectDefinition->hasField('lang') && !isset($filter['lang'])) { $filter['lang'] = $this->getLanguage(); } } } if ($query) { if ($queryCondition = $this->getQueryCondition($query, $options['fields'])) { $condition->mergeAnd($queryCondition); } } if ($primaryKeys) { $primaryKeyCondition = Condition::create(); foreach ($primaryKeys as $pk) { $primaryKeyConditionItem = Condition::create(); foreach ($this->getObjectDefinition()->getPrimaryKeyNames() as $primaryKeyName) { if (!isset($pk[$primaryKeyName])) { throw new \LogicException(sprintf('Field %s not found in primaryKey parameter (%s)', $primaryKeyName, json_encode($pk))); } $primaryKeyConditionItem->addAnd([$primaryKeyName, '=', $pk[$primaryKeyName]]); } $primaryKeyCondition->mergeOr($primaryKeyConditionItem); } $condition->mergeAndBegin($primaryKeyCondition); } if ($this->getPermissionCheck() && ($aclCondition = $this->acl->getListingCondition($this->getObject()))) { $condition->mergeAndBegin($aclCondition); } $items = $storageController->getItems($filter, $condition, $options); if ($withAcl && is_array($items)) { foreach ($items as &$item) { if ($item) { $this->prepareRow($item); } } } return $items ?: null; }
public function testExtractFields() { $condition = Condition::create(['title', '=', 'test title']); $fields = $this->getConditionOperator()->extractFields($condition); $this->assertEquals(['title'], $fields); }
/** * @param Condition|array $condition * @param array $objectItem * @param string $objectKey * * @return bool|null */ public function satisfy($condition, $objectItem, $objectKey = null) { if (is_array($condition)) { $condition = Condition::create($condition, $this->jarves); } $complied = null; $lastOperator = 'and'; $rules = $condition->getRules(); if (!$rules) { return null; } /* * [ * ['id', '=', 5], * 'or', * ['id', '=', 6] * ] * * [ * Condition, * 'and', * [Condition] * ] * * */ foreach ($rules as $conditionRule) { if (is_string($conditionRule)) { $lastOperator = strtolower($conditionRule); continue; } $res = false; if (is_array($conditionRule) && is_string($conditionRule[0]) && is_string($conditionRule[1])) { $res = $this->checkRule($objectItem, $conditionRule, $objectKey); } else { if ($conditionRule instanceof Condition) { $res = $this->satisfy($conditionRule, $objectItem, $objectKey); } else { if (is_array($conditionRule)) { //group $res = $this->satisfy(Condition::create($conditionRule, $this->jarves), $objectItem, $objectKey); } } } if (is_null($complied)) { $complied = $res; } else { if ($lastOperator == 'and') { $complied = $complied && $res; } if ($lastOperator == 'and not') { $complied = $complied && !$res; } if ($lastOperator == 'or') { $complied = $complied || $res; } } } return $complied === null ? true : ($complied ? true : false); }