public function configureACL(OutputInterface $output, AclInterface $acl, MaskBuilder $builder, array $aclInformations = array())
{
foreach ($aclInformations as $name => $masks) {
foreach ($masks as $mask) {
$builder->add($mask);
}
$acl->insertClassAce(new RoleSecurityIdentity($name), $builder->get());
$output->writeln(sprintf(' - add role: %s, ACL: %s', $name, json_encode($masks)));
$builder->reset();
}
}
public function testGetPattern()
{
$builder = new MaskBuilder;
$this->assertEquals(MaskBuilder::ALL_OFF, $builder->getPattern());
$builder->add('view');
$this->assertEquals(str_repeat('.', 31).'V', $builder->getPattern());
$builder->add('owner');
$this->assertEquals(str_repeat('.', 24).'N......V', $builder->getPattern());
$builder->add('list');
$this->assertEquals(str_repeat('.', 19).'L....N......V', $builder->getPattern());
$builder->add(1 << 10);
$this->assertEquals(str_repeat('.', 19).'L.'.MaskBuilder::ON.'..N......V', $builder->getPattern());
}
public function createTskAcl(Contact $contact)
{
$aclProvider = $this->getContainer()->get('security.acl.provider');
$objectIdentity = ObjectIdentity::fromDomainObject($contact);
$orgIdentity = 'ROLE_ORG_' . $contact->getOrganization()->getId();
$orgSecurityIdentity = new RoleSecurityIdentity($orgIdentity);
$builder = new MaskBuilder();
$builder->add('VIEW');
$builder->add('EDIT');
$builder->add('CREATE');
$builder->add('MASTER');
try {
try {
$acl = $aclProvider->createAcl($objectIdentity);
$acl->insertObjectAce($orgSecurityIdentity, $builder->get());
foreach ($contact->getSchools() as $school) {
$schoolIdentity = 'ROLE_SCHOOL_' . $school->getId();
$schoolSecurityIdentity = new RoleSecurityIdentity($schoolIdentity);
$acl->insertObjectAce($schoolSecurityIdentity, $builder->get());
}
$aclProvider->updateAcl($acl);
} catch (AclAlreadyExistsException $e) {
// keep going ...
}
} catch (AclException $e) {
throw $e;
}
}
public function postPersist(LifecycleEventArgs $args)
{
$org = $this->session->get($this->orgSessionKey);
if (!$org) {
return false;
}
$entity = $args->getEntity();
$className = get_class($entity);
if ($className == 'TSK\\UserBundle\\Entity\\Contact') {
$org = $this->session->get($this->orgSessionKey);
$school = $this->session->get($this->schoolSessionKey);
$orgRole = sprintf('ROLE_TSK_ORG_%d', $org);
$schoolRole = sprintf('ROLE_TSK_SCHOOL_%d', $school);
$conn = $args->getEntityManager()->getConnection();
$builder = new MaskBuilder();
$builder->add('OWNER');
// $builder->add('EDIT');
// $builder->add('LIST');
// $builder->add('LIST');
$mask = $builder->get();
try {
$conn->beginTransaction();
$this->saveAcl($conn, $entity, $orgRole, $className, $mask, 0);
$this->saveAcl($conn, $entity, $schoolRole, $className, $mask, 1);
// $securityIdentityID = $this->createSecurityIdentity($conn, $schoolRole);
// $classID = $this->createClassEntry($conn, $className);
// $objectIdentityID = $this->createObjectIdentity($conn, $classID, $entity->getId());
// $this->createAclEntry($conn, $classID, $objectIdentityID, $securityIdentityID, $mask);
// $this->createObjectIdentityAncestor($conn, $objectIdentityID, $objectIdentityID);
$conn->commit();
} catch (\Exception $e) {
$conn->rollback();
throw $e;
}
}
}
/**
* savePermissionsForIdentity
*
* @param mixed $identity
* @param mixed $identityType
* @param mixed $permissions
* @access public
* @return void
*/
public function savePermissionsForIdentity($identity, $identityType, $permissions)
{
// delete all permissions for identity
switch (strtolower($identityType)) {
case 'users':
$securityIdentity = new UserSecurityIdentity($identity, 'TSK\\UserBundle\\Entity\\User');
break;
case 'roles':
$securityIdentity = new RoleSecurityIdentity($identity);
break;
default:
throw new \Exception("Invalid identity_type {$identity_type}");
break;
}
$aclProvider = $this->aclProvider;
foreach ($permissions as $idx => $perm) {
$objectIdentity = new ObjectIdentity($perm->getClassName(), $perm->getClassType());
$builder = new MaskBuilder();
$builder->add(0);
foreach ($perm->getBits() as $idx => $permission) {
if ($permission) {
$builder->add($permission);
}
}
try {
$acl = $aclProvider->findAcl($objectIdentity);
} catch (AclException $e) {
$acl = $aclProvider->createAcl($objectIdentity);
}
// If we already have Access Control Entries for this object AND user
// We do an update, otherwise insert.
$classAces = $acl->getClassAces();
$classAces = $acl->getObjectAces();
if (count($classAces)) {
$doClassUpdate = 0;
foreach ($classAces as $idx => $ca) {
if ($ca->getSecurityIdentity() instanceof UserSecurityIdentity && $ca->getSecurityIdentity()->getUsername() === $identity && $ca->getAcl()->getObjectIdentity()->getIdentifier() == $acl->getObjectIdentity()->getIdentifier()) {
$doClassUpdate = 1;
break;
}
if ($ca->getSecurityIdentity() instanceof RoleSecurityIdentity && $ca->getSecurityIdentity()->getRole() === $identity && $ca->getAcl()->getObjectIdentity()->getIdentifier() == $acl->getObjectIdentity()->getIdentifier()) {
$doClassUpdate = 1;
break;
}
}
if ($doClassUpdate) {
$acl->updateObjectAce($idx, $builder->get());
} else {
$acl->insertObjectAce($securityIdentity, $builder->get());
}
} else {
$acl->insertObjectAce($securityIdentity, $builder->get());
}
$aclProvider->updateAcl($acl);
}
}
