/**
* Check ACL based on acl_resource_id, route or uri.
*
* @param array $options
*/
protected function processAcl(array &$options = array())
{
if (isset($options['check_access']) && $options['check_access'] == false) {
$needCheck = false;
} else {
$needCheck = true;
}
$isAllowed = self::DEFAULT_ACL_POLICY;
if (array_key_exists(self::ACL_RESOURCE_ID_KEY, $options)) {
if (array_key_exists($options[self::ACL_RESOURCE_ID_KEY], $this->aclCache)) {
$isAllowed = $this->aclCache[$options[self::ACL_RESOURCE_ID_KEY]];
} else {
if ($needCheck) {
$isAllowed = $this->securityFacade->isGranted($options[self::ACL_RESOURCE_ID_KEY]);
}
$this->aclCache[$options[self::ACL_RESOURCE_ID_KEY]] = $isAllowed;
}
} else {
$routeInfo = $this->getRouteInfo($options);
if ($routeInfo) {
if (array_key_exists($routeInfo['key'], $this->aclCache)) {
$isAllowed = $this->aclCache[$routeInfo['key']];
} else {
if ($needCheck) {
$isAllowed = $this->securityFacade->isClassMethodGranted($routeInfo['controller'], $routeInfo['action']);
}
$this->aclCache[$routeInfo['key']] = $isAllowed;
}
}
}
$options['extras']['isAllowed'] = $isAllowed;
}
/**
* Checks if an access to a controller action is granted or not.
*
* This method is executed just before any controller action.
*
* @param FilterControllerEvent $event
* @throws AccessDeniedException
*/
public function onKernelController(FilterControllerEvent $event)
{
$controller = $event->getController();
/*
* $controller passed can be either a class or a Closure. This is not usual in Symfony2 but it may happen.
* If it is a class, it comes in array format
*/
if (is_array($controller)) {
list($object, $method) = $controller;
$className = ClassUtils::getClass($object);
$this->logger->debug(sprintf('Invoked controller "%s::%s". (%s)', $className, $method, $event->getRequestType() === HttpKernelInterface::MASTER_REQUEST ? 'MASTER_REQUEST' : 'SUB_REQUEST'));
if (!$this->securityFacade->isClassMethodGranted($className, $method)) {
if ($event->getRequestType() === HttpKernelInterface::MASTER_REQUEST) {
throw new AccessDeniedException(sprintf('Access denied to %s::%s.', $className, $method));
}
}
}
}
public function testIsClassMethodGrantedGrantingByMethodAndClassAcls()
{
$oid = new ObjectIdentity('1', 'TestType');
$annotation = $this->getMockBuilder('Oro\\Bundle\\SecurityBundle\\Annotation\\Acl')->disableOriginalConstructor()->getMock();
$annotation->expects($this->once())->method('getId')->will($this->returnValue('method_annotation'));
$annotation->expects($this->once())->method('getPermission')->will($this->returnValue('TEST_PERMISSION'));
$annotation->expects($this->once())->method('getIgnoreClassAcl')->will($this->returnValue(false));
$classOid = new ObjectIdentity('2', 'TestType');
$classAnnotation = $this->getMockBuilder('Oro\\Bundle\\SecurityBundle\\Annotation\\Acl')->disableOriginalConstructor()->getMock();
$classAnnotation->expects($this->once())->method('getId')->will($this->returnValue('class_annotation'));
$classAnnotation->expects($this->once())->method('getPermission')->will($this->returnValue('TEST_PERMISSION_CLASS'));
$this->annotationProvider->expects($this->at(0))->method('findAnnotation')->with('TestClass', 'TestMethod')->will($this->returnValue($annotation));
$this->annotationProvider->expects($this->at(1))->method('findAnnotation')->with('TestClass')->will($this->returnValue($classAnnotation));
$this->logger->expects($this->exactly(2))->method('debug');
$this->objectIdentityFactory->expects($this->at(0))->method('get')->with($this->identicalTo($annotation))->will($this->returnValue($oid));
$this->objectIdentityFactory->expects($this->at(1))->method('get')->with($this->identicalTo($classAnnotation))->will($this->returnValue($classOid));
$this->tokenStorage->expects($this->at(0))->method('isGranted')->with($this->equalTo('TEST_PERMISSION'), $this->identicalTo($oid))->will($this->returnValue(true));
$this->tokenStorage->expects($this->at(1))->method('isGranted')->with($this->equalTo('TEST_PERMISSION_CLASS'), $this->identicalTo($classOid))->will($this->returnValue(true));
$result = $this->facade->isClassMethodGranted('TestClass', 'TestMethod');
$this->assertTrue($result);
}
/**
* Check ACL based on acl_resource_id, route or uri.
*
* @param array $options
*
* @return void
*/
protected function processAcl(array &$options = array())
{
$isAllowed = self::DEFAULT_ACL_POLICY;
$options['extras']['isAllowed'] = self::DEFAULT_ACL_POLICY;
if (isset($options['check_access']) && $options['check_access'] === false) {
return;
}
if ($this->hideAllForNotLoggedInUsers && !$this->securityFacade->hasLoggedUser()) {
if (isset($options['extras']) && array_key_exists('showNonAuthorized', $options['extras']) && $options['extras']['showNonAuthorized']) {
return;
}
$isAllowed = false;
} elseif ($this->securityFacade->getToken() !== null) {
// don't check access if it's CLI
if (array_key_exists('extras', $options) && array_key_exists(self::ACL_POLICY_KEY, $options['extras'])) {
$isAllowed = $options['extras'][self::ACL_POLICY_KEY];
}
if (array_key_exists(self::ACL_RESOURCE_ID_KEY, $options)) {
if (array_key_exists($options[self::ACL_RESOURCE_ID_KEY], $this->aclCache)) {
$isAllowed = $this->aclCache[$options[self::ACL_RESOURCE_ID_KEY]];
} else {
$isAllowed = $this->securityFacade->isGranted($options[self::ACL_RESOURCE_ID_KEY]);
$this->aclCache[$options[self::ACL_RESOURCE_ID_KEY]] = $isAllowed;
}
} else {
$routeInfo = $this->getRouteInfo($options);
if ($routeInfo) {
if (array_key_exists($routeInfo['key'], $this->aclCache)) {
$isAllowed = $this->aclCache[$routeInfo['key']];
} else {
$isAllowed = $this->securityFacade->isClassMethodGranted($routeInfo['controller'], $routeInfo['action']);
$this->aclCache[$routeInfo['key']] = $isAllowed;
}
}
}
}
$options['extras']['isAllowed'] = $isAllowed;
}
