/**
 * Load the ACL for one role: grants the full-access mask (GROUP_SYSTEM, or
 * GROUP_ALL for builders without a SYSTEM group) on the root OID of every
 * ACL extension.
 *
 * The anonymous role is deliberately left untouched so that it never
 * receives root-level full access from this fixture.
 *
 * @param Role $role
 */
protected function loadAcls(Role $role)
{
    // Never provision full access for the anonymous role.
    if ($role->getRole() === User::ROLE_ANONYMOUS) {
        return;
    }

    $securityIdentity = $this->aclManager->getSid($role);

    foreach ($this->aclManager->getAllExtensions() as $aclExtension) {
        $rootObjectIdentity = $this->aclManager->getRootOid($aclExtension->getExtensionKey());

        foreach ($aclExtension->getAllMaskBuilders() as $builder) {
            // Prefer the SYSTEM group; fall back to GROUP_ALL when the builder has none.
            if ($builder->hasConst('GROUP_SYSTEM')) {
                $grantMask = $builder->getConst('GROUP_SYSTEM');
            } else {
                $grantMask = $builder->getConst('GROUP_ALL');
            }

            $this->aclManager->setPermission($securityIdentity, $rootObjectIdentity, $grantMask, true);
        }
    }
}
/**
 * Load the ACL for one role: grants the full-access mask (GROUP_SYSTEM, or
 * GROUP_ALL for builders without a SYSTEM group) on the root OID of every
 * ACL extension known to the given manager.
 *
 * @param AclManager $manager
 * @param Role $role
 *
 * @see Oro\Bundle\SecurityBundle\DataFixtures\ORM\LoadAclRoles
 */
protected function loadAcls(AclManager $manager, Role $role)
{
    $securityIdentity = $manager->getSid($role);

    foreach ($manager->getAllExtensions() as $aclExtension) {
        $rootObjectIdentity = $manager->getRootOid($aclExtension->getExtensionKey());

        foreach ($aclExtension->getAllMaskBuilders() as $builder) {
            // Prefer the SYSTEM group; fall back to GROUP_ALL when the builder has none.
            if ($builder->hasConst('GROUP_SYSTEM')) {
                $grantMask = $builder->getConst('GROUP_SYSTEM');
            } else {
                $grantMask = $builder->getConst('GROUP_ALL');
            }

            $manager->setPermission($securityIdentity, $rootObjectIdentity, $grantMask, true);
        }
    }
}
/**
 * Prepares the context array used by the savePrivileges() method.
 *
 * For each ACL extension the context entry (keyed by extension key) holds
 * the extension, its mask builders and the root-level masks. When $rootKeys
 * names the root privilege of the extension, the root masks are derived
 * from that privilege's permissions; otherwise they are rebuilt from the
 * granting ACEs stored on the extension's root OID (denying ACEs are not
 * supported and are skipped), and an empty mask is appended for every mask
 * builder whose service bits are not represented yet.
 *
 * @param array $context  filled in place
 * @param array $rootKeys extension key => key of the root privilege in $privileges
 * @param SID $sid
 * @param ArrayCollection|AclPrivilege[] $privileges
 */
protected function initSaveContext(array &$context, array $rootKeys, SID $sid, ArrayCollection $privileges)
{
    foreach ($this->manager->getAllExtensions() as $extension) {
        $extensionKey = $extension->getExtensionKey();

        /** @var MaskBuilder[] $builders */
        $builders = [];
        $this->prepareMaskBuilders($builders, $extension);

        $context[$extensionKey] = [
            'extension'    => $extension,
            'maskBuilders' => $builders,
        ];

        if (isset($rootKeys[$extensionKey])) {
            $rootPrivilege = $privileges[$rootKeys[$extensionKey]];
            $rootMasks = $this->getPermissionMasks($rootPrivilege->getPermissions(), $extension, $builders);
        } else {
            $rootMasks = [];
            $rootOid = $this->manager->getRootOid($extensionKey);
            foreach ($this->manager->getAces($sid, $rootOid) as $ace) {
                // Denying ACEs are not supported; only granting ones contribute a mask.
                if ($ace->isGranting()) {
                    $rootMasks[] = $ace->getMask();
                }
            }

            // Service bits already covered by the collected root masks.
            $knownServiceBits = array_map(
                function ($mask) use ($extension) {
                    return $extension->getServiceBits($mask);
                },
                $rootMasks
            );

            // Add an empty mask for every builder that is not represented yet.
            foreach ($extension->getAllMaskBuilders() as $builder) {
                $emptyMask = $builder->get();
                $serviceBits = $extension->getServiceBits($emptyMask);
                if (!in_array($serviceBits, $knownServiceBits, true)) {
                    $rootMasks[] = $emptyMask;
                    $knownServiceBits[] = $serviceBits;
                }
            }
        }

        $context[$extensionKey]['rootMasks'] = $rootMasks;
    }
}
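/**
 * Grants the buyer role the VIEW/CREATE/EDIT/DELETE basic-level permissions
 * on the shopping list entity, with the OID and mask resolved under frontend
 * ownership metadata emulation.
 *
 * Emulation is stopped in a finally block: if resolving the OID, building the
 * mask or storing the permission throws, the chain metadata provider is no
 * longer left in frontend mode for whatever the fixture does next.
 *
 * @param ObjectManager $manager
 * @param AclManager $aclManager
 */
protected function setBuyerShoppingListPermissions(ObjectManager $manager, AclManager $aclManager)
{
    $chainMetadataProvider = $this->container->get('oro_security.owner.metadata_provider.chain');
    $allowedAcls = ['VIEW_BASIC', 'CREATE_BASIC', 'EDIT_BASIC', 'DELETE_BASIC'];
    $role = $this->getBuyerRole($manager);

    if (!$aclManager->isAclEnabled()) {
        return;
    }

    $sid = $aclManager->getSid($role);
    $className = $this->container->getParameter('orob2b_shopping_list.entity.shopping_list.class');

    foreach ($aclManager->getAllExtensions() as $extension) {
        if (!$extension instanceof EntityAclExtension) {
            continue;
        }

        $chainMetadataProvider->startProviderEmulation(FrontendOwnershipMetadataProvider::ALIAS);
        try {
            $oid = $aclManager->getOid('entity:' . $className);
            $builder = $aclManager->getMaskBuilder($oid);
            // Start from the empty mask so an empty $allowedAcls grants nothing.
            $mask = $builder->reset()->get();
            foreach ($allowedAcls as $acl) {
                $mask = $builder->add($acl)->get();
            }
            $aclManager->setPermission($sid, $oid, $mask);
        } finally {
            // Always leave emulation, even when the block above throws.
            $chainMetadataProvider->stopProviderEmulation();
        }
    }
}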
/**
 * Grants the ROLE_USER role its default root-level masks on every ACL extension.
 *
 * For builders that expose a BASIC group the mask is MASK_VIEW_SYSTEM when
 * that constant exists, otherwise the whole GROUP_BASIC; builders without a
 * BASIC group get GROUP_NONE.
 *
 * @todo only the SYSTEM access level is provisioned for now; the BASIC
 *       create/edit/delete/assign/share masks are intentionally not OR-ed in yet.
 *
 * @param AclManager $manager
 */
protected function loadUserRole(AclManager $manager)
{
    $userRole = $this->getRole(LoadRolesData::ROLE_USER);
    $sid = $manager->getSid($userRole);

    foreach ($manager->getAllExtensions() as $extension) {
        $rootOid = $manager->getRootOid($extension->getExtensionKey());

        foreach ($extension->getAllMaskBuilders() as $builder) {
            if (!$builder->hasConst('GROUP_BASIC')) {
                $mask = $builder->getConst('GROUP_NONE');
            } elseif ($builder->hasConst('MASK_VIEW_SYSTEM')) {
                // Only the SYSTEM level is supported here (see the @todo above).
                $mask = $builder->getConst('MASK_VIEW_SYSTEM');
            } else {
                $mask = $builder->getConst('GROUP_BASIC');
            }

            $manager->setPermission($sid, $rootOid, $mask, true);
        }
    }
}
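/**
 * Grants the given account user role the listed permissions on one entity
 * class, with the OID and mask resolved under frontend ownership metadata
 * emulation.
 *
 * Emulation is stopped in a finally block: if resolving the OID, building the
 * mask or storing the permission throws, the chain metadata provider is no
 * longer left in frontend mode for whatever the fixture does next.
 *
 * @param AclManager $aclManager
 * @param AccountUserRole $role
 * @param string $className
 * @param array $allowedAcls permission names accepted by the mask builder's add(); an empty list grants nothing
 */
protected function setRolePermissions(AclManager $aclManager, AccountUserRole $role, $className, array $allowedAcls)
{
    /** @var ChainMetadataProvider $chainMetadataProvider */
    $chainMetadataProvider = $this->container->get('oro_security.owner.metadata_provider.chain');

    if (!$aclManager->isAclEnabled()) {
        return;
    }

    $sid = $aclManager->getSid($role);

    foreach ($aclManager->getAllExtensions() as $extension) {
        if (!$extension instanceof EntityAclExtension) {
            continue;
        }

        $chainMetadataProvider->startProviderEmulation(FrontendOwnershipMetadataProvider::ALIAS);
        try {
            $oid = $aclManager->getOid('entity:' . $className);
            $builder = $aclManager->getMaskBuilder($oid);
            // Start from the empty mask so an empty $allowedAcls grants nothing.
            $mask = $builder->reset()->get();
            foreach ($allowedAcls as $acl) {
                $mask = $builder->add($acl)->get();
            }
            $aclManager->setPermission($sid, $oid, $mask);
        } finally {
            // Always leave emulation, even when the block above throws.
            $chainMetadataProvider->stopProviderEmulation();
        }
    }
}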
/**
 * Grants the full-access mask (GROUP_SYSTEM, or GROUP_ALL for builders
 * without a SYSTEM group) on the root OID of every ACL extension to the
 * given security identity.
 *
 * @param AclManager $aclManager
 * @param SecurityIdentityInterface $sid
 */
protected function setPermissionGroup(AclManager $aclManager, SecurityIdentityInterface $sid)
{
    foreach ($aclManager->getAllExtensions() as $aclExtension) {
        $rootObjectIdentity = $aclManager->getRootOid($aclExtension->getExtensionKey());

        foreach ($aclExtension->getAllMaskBuilders() as $builder) {
            // Prefer the SYSTEM group; fall back to GROUP_ALL when the builder has none.
            if ($builder->hasConst('GROUP_SYSTEM')) {
                $grantMask = $builder->getConst('GROUP_SYSTEM');
            } else {
                $grantMask = $builder->getConst('GROUP_ALL');
            }

            $aclManager->setPermission($sid, $rootObjectIdentity, $grantMask, true);
        }
    }
}
/**
 * Creates the buyer role, registers it as a website default role and, when
 * ACL is enabled, applies the GROUP_NONE group to it on every ACL extension
 * via setPermissionGroup() (presumably a no-access baseline that later
 * fixtures open up explicitly).
 *
 * @param ObjectManager $manager
 * @param AclManager $aclManager
 * @return AccountUserRole
 */
protected function createBuyerRole(ObjectManager $manager, AclManager $aclManager)
{
    $buyerRole = $this->createEntity(self::BUYER, $this->defaultRoles[self::BUYER]);
    $this->setWebsiteDefaultRoles($manager, $buyerRole);

    if (!$aclManager->isAclEnabled()) {
        return $buyerRole;
    }

    $sid = $aclManager->getSid($buyerRole);
    foreach ($aclManager->getAllExtensions() as $extension) {
        $this->setPermissionGroup($aclManager, $extension, $sid, 'GROUP_NONE');
    }

    return $buyerRole;
}