/** * Check organization. If user try to access entity what was created in organization this user do not have access - * deny access * * @param int $result * @return int */ protected function checkOrganizationContext($result) { $object = $this->object; $token = $this->securityToken; if ($token instanceof OrganizationContextTokenInterface && $result === self::ACCESS_GRANTED && $this->extension instanceof EntityAclExtension && is_object($object) && !$object instanceof ObjectIdentity) { $className = ClassUtils::getClass($object); if ($this->configProvider->hasConfig($className)) { $config = $this->configProvider->getConfig($className); $accessLevel = $this->extension->getAccessLevel($this->triggeredMask); // we need to check organization in case if Access level is not system, // or then access level and owner type of test object is User or Business Unit (in this owner types we // do not allow to use System access level) // (do not allow to manipulate records from another organization) if ($accessLevel < AccessLevel::SYSTEM_LEVEL || $accessLevel === AccessLevel::SYSTEM_LEVEL && in_array($config->get('owner_type'), ['USER', 'BUSINESS_UNIT'])) { if ($config->has('organization_field_name')) { $accessor = PropertyAccess::createPropertyAccessor(); /** @var Organization $objectOrganization */ $objectOrganization = $accessor->getValue($object, $config->get('organization_field_name')); if ($objectOrganization && $objectOrganization->getId() !== $token->getOrganizationContext()->getId()) { $result = self::ACCESS_DENIED; } } } } } return $result; }
/** * {@inheritdoc} */ public function setTriggeredMask($mask) { if ($this->oneShotIsGrantedObserver !== null) { if (is_array($this->oneShotIsGrantedObserver)) { /** @var OneShotIsGrantedObserver $observer */ foreach ($this->oneShotIsGrantedObserver as $observer) { $observer->setAccessLevel($this->extension->getAccessLevel($mask)); } } else { $this->oneShotIsGrantedObserver->setAccessLevel($this->extension->getAccessLevel($mask)); } } }
/** * @param int $result * @return int */ protected function checkOrganizationContext($result) { $object = $this->object; $token = $this->securityToken; if ($token instanceof OrganizationContextTokenInterface && $result === self::ACCESS_GRANTED && $this->extension instanceof EntityAclExtension && is_object($object) && !$object instanceof ObjectIdentity) { $className = ClassUtils::getClass($object); if ($this->configProvider->hasConfig($className)) { $config = $this->configProvider->getConfig($className); $accessLevel = $this->extension->getAccessLevel($this->triggeredMask); if ($accessLevel < AccessLevel::SYSTEM_LEVEL || $accessLevel === AccessLevel::SYSTEM_LEVEL && in_array($config->get('owner_type'), ['USER', 'BUSINESS_UNIT'])) { if ($config->has('organization_field_name')) { $accessor = PropertyAccess::createPropertyAccessor(); /** @var Organization $objectOrganization */ $objectOrganization = $accessor->getValue($object, $config->get('organization_field_name')); if ($objectOrganization && $objectOrganization->getId() !== $token->getOrganizationContext()->getId()) { $result = self::ACCESS_DENIED; } } } } } return $result; }
/** * Return AclPermission object for given permission, ACL mask and ACL privilege * * @param AclExtensionInterface $extension * @param string $permission * @param string $mask * @param AclPrivilege $privilege * @return AclPermission */ protected function getAclPermission(AclExtensionInterface $extension, $permission, $mask, AclPrivilege $privilege) { return new AclPermission($permission, $extension->getAccessLevel($mask, $permission, $privilege->getIdentity()->getId())); }
/** * Adds permissions to the given $privilege based on the given ACEs. * The $permissions argument is used to filter privileges for the given permissions only. * * @param AclPrivilege $privilege * @param string[] $permissions * @param EntryInterface[] $aces * @param AclExtensionInterface $extension * @param bool $itIsRootAcl */ protected function addAcesPermissions(AclPrivilege $privilege, array $permissions, array $aces, AclExtensionInterface $extension, $itIsRootAcl = false) { if (empty($aces)) { return; } foreach ($aces as $ace) { if (!$ace->isGranting()) { // denying ACE is not supported continue; } $mask = $ace->getMask(); if ($itIsRootAcl) { $mask = $extension->adaptRootMask($mask, $privilege->getIdentity()->getId()); } if ($extension->removeServiceBits($mask) === 0) { foreach ($permissions as $permission) { if (!$privilege->hasPermission($permission)) { $privilege->addPermission(new AclPermission($permission, AccessLevel::NONE_LEVEL)); } } } else { foreach ($extension->getPermissions($mask) as $permission) { if (!$privilege->hasPermission($permission) && in_array($permission, $permissions)) { $privilege->addPermission(new AclPermission($permission, $extension->getAccessLevel($mask, $permission))); } } } } }