ファイル: AclVoter.php プロジェクト: nmallare/platform
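 /**
  * Checks the organization context of the object being voted on.
  *
  * A vote that was granted for an entity belonging to a different organization than the one
  * in the token's organization context is downgraded to ACCESS_DENIED. The check is applied
  * only when the triggered access level is below SYSTEM_LEVEL, or when it is SYSTEM_LEVEL but
  * the entity's owner type is USER or BUSINESS_UNIT (system-level access is not allowed for
  * those owner types), so records from another organization cannot be manipulated.
  *
  * @param int $result The vote computed so far (one of the VoterInterface ACCESS_* constants)
  * @return int The possibly downgraded vote
  */
 protected function checkOrganizationContext($result)
 {
     $object = $this->object;
     $token = $this->securityToken;

     // Only a granted vote on a real entity (not an ObjectIdentity), made through the entity
     // ACL extension by an organization-aware token, can be restricted by organization.
     if (!$token instanceof OrganizationContextTokenInterface
         || $result !== self::ACCESS_GRANTED
         || !$this->extension instanceof EntityAclExtension
         || !is_object($object)
         || $object instanceof ObjectIdentity
     ) {
         return $result;
     }

     $className = ClassUtils::getClass($object);
     if (!$this->configProvider->hasConfig($className)) {
         return $result;
     }
     $config = $this->configProvider->getConfig($className);

     $accessLevel = $this->extension->getAccessLevel($this->triggeredMask);
     // Strict comparison: a non-string owner_type value must not loosely match 'USER'/'BUSINESS_UNIT'.
     $isRestrictedOwnerType = in_array($config->get('owner_type'), ['USER', 'BUSINESS_UNIT'], true);
     $needsOrganizationCheck = $accessLevel < AccessLevel::SYSTEM_LEVEL
         || ($accessLevel === AccessLevel::SYSTEM_LEVEL && $isRestrictedOwnerType);
     if (!$needsOrganizationCheck || !$config->has('organization_field_name')) {
         return $result;
     }

     $accessor = PropertyAccess::createPropertyAccessor();
     /** @var Organization|null $objectOrganization */
     $objectOrganization = $accessor->getValue($object, $config->get('organization_field_name'));
     // NOTE(review): an entity whose organization field is empty is not restricted here
     // (the granted vote is kept) — confirm this is the intended behaviour.
     if ($objectOrganization && $objectOrganization->getId() !== $token->getOrganizationContext()->getId()) {
         return self::ACCESS_DENIED;
     }

     return $result;
 }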
 /**
  * {@inheritdoc}
  */
 public function setTriggeredMask($mask)
 {
     $observers = $this->oneShotIsGrantedObserver;
     if ($observers === null) {
         return;
     }
     // A single observer and a list of observers are handled the same way.
     if (!is_array($observers)) {
         $observers = [$observers];
     }
     // NOTE(review): the mask is only forwarded to the observers as an access level; it is not
     // stored on $this->triggeredMask, which checkOrganizationContext() appears to read —
     // confirm the caller keeps that property in sync.
     /** @var OneShotIsGrantedObserver $observer */
     foreach ($observers as $observer) {
         $observer->setAccessLevel($this->extension->getAccessLevel($mask));
     }
 }
ファイル: AclVoter.php プロジェクト: xamin123/platform
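 /**
  * Checks the organization context of the object being voted on.
  *
  * A vote that was granted for an entity belonging to a different organization than the one
  * in the token's organization context is downgraded to ACCESS_DENIED. The check is applied
  * only when the triggered access level is below SYSTEM_LEVEL, or when it is SYSTEM_LEVEL but
  * the entity's owner type is USER or BUSINESS_UNIT, so records from another organization
  * cannot be manipulated.
  *
  * @param int $result The vote computed so far (one of the VoterInterface ACCESS_* constants)
  * @return int The possibly downgraded vote
  */
 protected function checkOrganizationContext($result)
 {
     $object = $this->object;
     $token = $this->securityToken;

     // Only a granted vote on a real entity (not an ObjectIdentity), made through the entity
     // ACL extension by an organization-aware token, can be restricted by organization.
     if (!$token instanceof OrganizationContextTokenInterface
         || $result !== self::ACCESS_GRANTED
         || !$this->extension instanceof EntityAclExtension
         || !is_object($object)
         || $object instanceof ObjectIdentity
     ) {
         return $result;
     }

     $className = ClassUtils::getClass($object);
     if (!$this->configProvider->hasConfig($className)) {
         return $result;
     }
     $config = $this->configProvider->getConfig($className);

     $accessLevel = $this->extension->getAccessLevel($this->triggeredMask);
     // Strict comparison: a non-string owner_type value must not loosely match 'USER'/'BUSINESS_UNIT'.
     $isRestrictedOwnerType = in_array($config->get('owner_type'), ['USER', 'BUSINESS_UNIT'], true);
     $needsOrganizationCheck = $accessLevel < AccessLevel::SYSTEM_LEVEL
         || ($accessLevel === AccessLevel::SYSTEM_LEVEL && $isRestrictedOwnerType);
     if (!$needsOrganizationCheck || !$config->has('organization_field_name')) {
         return $result;
     }

     $accessor = PropertyAccess::createPropertyAccessor();
     /** @var Organization|null $objectOrganization */
     $objectOrganization = $accessor->getValue($object, $config->get('organization_field_name'));
     // NOTE(review): an entity whose organization field is empty is not restricted here
     // (the granted vote is kept) — confirm this is the intended behaviour.
     if ($objectOrganization && $objectOrganization->getId() !== $token->getOrganizationContext()->getId()) {
         return self::ACCESS_DENIED;
     }

     return $result;
 }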
 /**
  * Builds the AclPermission for the given permission, ACL mask and ACL privilege.
  *
  * The access level is resolved by the extension from the mask, scoped to the
  * permission and to the id of the privilege's identity.
  *
  * @param AclExtensionInterface $extension
  * @param string                $permission
  * @param string                $mask
  * @param AclPrivilege          $privilege
  * @return AclPermission
  */
 protected function getAclPermission(AclExtensionInterface $extension, $permission, $mask, AclPrivilege $privilege)
 {
     $identityId = $privilege->getIdentity()->getId();
     $accessLevel = $extension->getAccessLevel($mask, $permission, $identityId);

     return new AclPermission($permission, $accessLevel);
 }
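 /**
  * Adds permissions to the given $privilege based on the given ACEs.
  * The $permissions argument is used to filter privileges for the given permissions only.
  *
  * Denying ACEs are skipped (not supported). An ACE whose mask has no permission bits left
  * once the service bits are removed yields NONE_LEVEL for every requested permission the
  * privilege does not have yet; otherwise every permission encoded in the mask that is also
  * requested is added with the access level derived from the mask. A permission already
  * present on the privilege is never replaced, so the first ACE that provides it wins.
  *
  * @param AclPrivilege $privilege
  * @param string[] $permissions
  * @param EntryInterface[] $aces
  * @param AclExtensionInterface $extension
  * @param bool $itIsRootAcl Whether $aces belong to the root ACL; root masks are adapted to
  *                          the privilege's identity before being interpreted
  */
 protected function addAcesPermissions(AclPrivilege $privilege, array $permissions, array $aces, AclExtensionInterface $extension, $itIsRootAcl = false)
 {
     if (empty($aces)) {
         return;
     }
     foreach ($aces as $ace) {
         if (!$ace->isGranting()) {
             // denying ACE is not supported
             continue;
         }
         $mask = $ace->getMask();
         if ($itIsRootAcl) {
             $mask = $extension->adaptRootMask($mask, $privilege->getIdentity()->getId());
         }
         if ($extension->removeServiceBits($mask) === 0) {
             // No permission bits at all: every requested permission is explicitly "none".
             foreach ($permissions as $permission) {
                 if (!$privilege->hasPermission($permission)) {
                     $privilege->addPermission(new AclPermission($permission, AccessLevel::NONE_LEVEL));
                 }
             }
             continue;
         }
         foreach ($extension->getPermissions($mask) as $permission) {
             // Strict comparison so that only exact permission names pass the filter.
             if (!$privilege->hasPermission($permission) && in_array($permission, $permissions, true)) {
                 $privilege->addPermission(new AclPermission($permission, $extension->getAccessLevel($mask, $permission)));
             }
         }
     }
 }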