/**
 * The accessor must return the very object stored in the entity's organization
 * field when the ownership metadata names that field ('organization').
 */
public function testGetOrganization()
{
    $provider = new OwnershipMetadataProviderStub($this);
    $ownerAccessor = new EntityOwnerAccessor($provider);

    // any object will do as the organization value; identity is what is asserted
    $organization = new \stdClass();
    $entity = new TestEntity(1, null, $organization);
    $provider->setMetadata(
        get_class($entity),
        new OwnershipMetadata(null, null, null, 'organization')
    );

    $actual = $ownerAccessor->getOrganization($entity);
    $this->assertSame($organization, $actual);
}
/**
 * Organization-context check: an entity created in an organization other than the
 * one the current token is acting in must not be reachable. This applies to every
 * entity with an ownership organization field (USER, BUSINESS_UNIT and ORGANIZATION
 * ownership types).
 *
 * Caveats a caller should know:
 *  - an entity whose organization value is empty is NOT denied here (there is
 *    nothing to compare against);
 *  - ids are compared with !==, so an id type mismatch (e.g. int vs string)
 *    reads as "different organization" and denies — fail-closed;
 *  - only InvalidEntityException is swallowed; the token is expected to carry
 *    an organization context (getOrganizationContext() is dereferenced without a
 *    null check).
 *
 * @param mixed                             $object        entity being accessed
 * @param OrganizationContextTokenInterface $securityToken token of the current user
 * @return bool true when access must be denied because of an organization mismatch
 */
protected function isAccessDeniedByOrganizationContext($object, OrganizationContextTokenInterface $securityToken)
{
    try {
        $entityOrganization = $this->entityOwnerAccessor->getOrganization($object);
        if (!$entityOrganization) {
            // no organization on the entity: this check cannot deny
            return false;
        }

        $entityOrganizationId = $entityOrganization->getId();
        $contextOrganizationId = $securityToken->getOrganizationContext()->getId();

        return $entityOrganizationId !== $contextOrganizationId;
    } catch (InvalidEntityException $e) {
        // the entity has no organization field (NONE ownership type): nothing to check
        return false;
    }
}
/**
 * Post-filter an already computed ACL decision against the organization context.
 *
 * Only a GRANTED result can be downgraded, and only when the current token carries
 * an organization context, the extension is the entity ACL extension and the
 * protected object is a real entity instance (not an ObjectIdentity). If the entity's
 * organization differs from the token's current organization the result becomes
 * ACCESS_DENIED; otherwise $result is returned untouched.
 *
 * Caveats:
 *  - an entity with an empty organization value is not downgraded;
 *  - the token's organization context is dereferenced without a null check;
 *  - only InvalidEntityException (entity without an organization field) is swallowed.
 *
 * @param int $result ACL decision computed so far (one of the ACCESS_* constants)
 * @return int the possibly downgraded decision
 */
protected function checkOrganizationContext($result)
{
    $object = $this->object;
    $token = $this->securityToken;

    $isApplicable = $result === self::ACCESS_GRANTED
        && $token instanceof OrganizationContextTokenInterface
        && $this->extension instanceof EntityAclExtension
        && is_object($object)
        && !$object instanceof ObjectIdentity;
    if (!$isApplicable) {
        return $result;
    }

    try {
        $entityOrganization = $this->entityOwnerAccessor->getOrganization($object);
        if ($entityOrganization
            && $entityOrganization->getId() !== $token->getOrganizationContext()->getId()
        ) {
            // entity lives in another organization than the one the token acts in
            return self::ACCESS_DENIED;
        }
    } catch (InvalidEntityException $e) {
        // entity has no organization field (NONE ownership type): leave the decision as is
    }

    return $result;
}
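/**
 * {@inheritdoc}
 *
 * Decides whether $domainObject is associated with an organization $user belongs
 * to. With $organization given, the candidate set is just that organization (and
 * the user must be a member of it); otherwise it is every organization of the user.
 *
 * Resolution order, first match wins:
 *  1. $domainObject is an organization   -> its id must be in the candidate set;
 *  2. $domainObject is a business unit   -> its organization id must be in the set;
 *  3. $domainObject is the very same user -> the user must have a (non-null) organization;
 *  4. otherwise the entity's ownership metadata is consulted: no owner -> false;
 *     organization-owned -> owner id checked against the candidate set;
 *     any other ownership -> the entity's organization checked against the set.
 *
 * Caveats for reviewers:
 *  - the in_array() calls are loose (non-strict) comparisons; they are kept that way
 *    because the id types returned by the tree and by getObjectId() are not visible
 *    here — NOTE(review): consider strict=true once both sides are known to be ints;
 *  - "$organizationId ?" is a truthiness test, so an organization id of 0 or ''
 *    behaves as if no organization had been passed.
 *
 * @param object      $user         the user to test (validated by validateUserObject)
 * @param object      $domainObject the entity to test (validated by validateObject)
 * @param object|null $organization optional organization to restrict the check to
 * @return bool
 *
 * @SuppressWarnings(PHPMD.NPathComplexity)
 */
public function isAssociatedWithOrganization($user, $domainObject, $organization = null)
{
    $tree = $this->treeProvider->getTree();
    $this->validateUserObject($user);
    $this->validateObject($domainObject);

    $organizationId = null;
    if ($organization) {
        $organizationId = $this->getOrganizationId($organization);
    }

    $userOrganizationIds = $tree->getUserOrganizationIds($this->getObjectId($user));
    // fail closed: a user with no organizations, or a requested organization the
    // user is not a member of, can never be associated (parentheses make the
    // && / || precedence explicit; behavior is unchanged)
    if (empty($userOrganizationIds)
        || ($organizationId && !in_array($organizationId, $userOrganizationIds))
    ) {
        return false;
    }
    $allowedOrganizationIds = $organizationId ? [$organizationId] : $userOrganizationIds;

    if ($this->isOrganization($domainObject)) {
        return in_array($this->getObjectId($domainObject), $allowedOrganizationIds);
    }

    if ($this->isBusinessUnit($domainObject)) {
        return in_array(
            $tree->getBusinessUnitOrganizationId($this->getObjectId($domainObject)),
            $allowedOrganizationIds
        );
    }

    if ($this->isUser($domainObject)) {
        $userId = $this->getObjectId($user);
        $objId = $this->getObjectId($domainObject);
        if ($userId === $objId) {
            // both lookups use the same id, so this effectively requires the user
            // to have a non-null organization in the tree
            $userOrganizationId = $tree->getUserOrganizationId($userId);
            $objOrganizationId = $tree->getUserOrganizationId($objId);

            return $userOrganizationId !== null && $userOrganizationId === $objOrganizationId;
        }
        // a different user falls through to the generic owner-based check below
    }

    $metadata = $this->getObjectMetadata($domainObject);
    if (!$metadata->hasOwner()) {
        return false;
    }

    $ownerId = $this->getObjectIdIgnoreNull($this->getOwner($domainObject));
    if ($metadata->isOrganizationOwned()) {
        // the owner is itself the organization
        return $organizationId ? $ownerId === $organizationId : in_array($ownerId, $userOrganizationIds);
    }

    // user- or business-unit-owned: compare the entity's organization field
    // (the unreachable trailing "return false;" of the original was removed)
    return in_array(
        $this->getObjectId($this->entityOwnerAccessor->getOrganization($domainObject)),
        $allowedOrganizationIds
    );
}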