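/**
 * Adds one class-level ACE per configured role to $acl.
 *
 * $aclInformations maps a role name to a list of masks (whatever
 * MaskBuilder::add() accepts: permission names or integer bits). For each
 * role the masks are accumulated in the shared $builder, inserted on $acl
 * as a single class ACE under a RoleSecurityIdentity, and echoed to $output.
 * The builder is reset after every role so bits never carry over.
 *
 * Nothing here persists the ACL — no provider/updateAcl() call is made —
 * so the caller is presumably responsible for that.
 *
 * @param OutputInterface $output          console output for progress lines
 * @param AclInterface    $acl             ACL that receives the class ACEs
 * @param MaskBuilder     $builder         reused for every role; reset after each
 * @param array           $aclInformations role name => list of masks
 *
 * @return void
 */
public function configureACL(OutputInterface $output, AclInterface $acl, MaskBuilder $builder, array $aclInformations = [])
{
    foreach ($aclInformations as $role => $masks) {
        foreach ($masks as $mask) {
            $builder->add($mask);
        }

        $acl->insertClassAce(new RoleSecurityIdentity($role), $builder->get());
        $output->writeln(sprintf(' - add role: %s, ACL: %s', $role, json_encode($masks)));

        // Start the next role from an empty mask instead of the union so far.
        $builder->reset();
    }
}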
/**
 * getPattern() renders the mask as a 32-character string: a fresh builder
 * yields MaskBuilder::ALL_OFF, each named permission that is added flips its
 * bit to the permission's letter, and a bit with no name shows MaskBuilder::ON.
 * Bit 0 is the right-most character.
 */
public function testGetPattern()
{
    $builder = new MaskBuilder;

    // Nothing added yet: every bit off.
    $this->assertEquals(MaskBuilder::ALL_OFF, $builder->getPattern());

    // Cumulative: each step adds to the same builder and checks the full pattern.
    $steps = [
        ['view',  str_repeat('.', 31).'V'],
        ['owner', str_repeat('.', 24).'N......V'],
        ['list',  str_repeat('.', 19).'L....N......V'],
        [1 << 10, str_repeat('.', 19).'L.'.MaskBuilder::ON.'..N......V'],
    ];

    foreach ($steps as $step) {
        list($mask, $expected) = $step;
        $builder->add($mask);
        $this->assertEquals(
            $expected,
            $builder->getPattern(),
            sprintf('pattern after adding %s', var_export($mask, true))
        );
    }
}
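/**
 * Creates the object-level ACL for a contact.
 *
 * Grants VIEW, EDIT, CREATE and MASTER on the contact to the organization
 * role (ROLE_ORG_<orgId>) and to one role per attached school
 * (ROLE_SCHOOL_<schoolId>). MASTER is a broad grant — in Symfony's basic
 * permission map it also covers managing the object's permissions.
 *
 * When an ACL already exists for this object the AclAlreadyExistsException
 * is swallowed and NO ACEs are added; the existing ACL is left untouched.
 * Any other AclException propagates (the previous outer try/catch only
 * rethrew it, so it was dropped without changing behavior).
 *
 * @param Contact $contact presumably already persisted — ObjectIdentity::fromDomainObject
 *                         needs its identifier; confirm against callers
 *
 * @return void
 *
 * @throws AclException on any ACL failure other than "already exists"
 */
public function createTskAcl(Contact $contact)
{
    $aclProvider = $this->getContainer()->get('security.acl.provider');
    $objectIdentity = ObjectIdentity::fromDomainObject($contact);

    $orgSecurityIdentity = new RoleSecurityIdentity(
        'ROLE_ORG_' . $contact->getOrganization()->getId()
    );

    $builder = new MaskBuilder();
    $builder->add('VIEW');
    $builder->add('EDIT');
    $builder->add('CREATE');
    $builder->add('MASTER');
    // Every grantee receives the same mask, so build it once.
    $mask = $builder->get();

    try {
        $acl = $aclProvider->createAcl($objectIdentity);
        $acl->insertObjectAce($orgSecurityIdentity, $mask);

        foreach ($contact->getSchools() as $school) {
            $schoolSecurityIdentity = new RoleSecurityIdentity('ROLE_SCHOOL_' . $school->getId());
            $acl->insertObjectAce($schoolSecurityIdentity, $mask);
        }

        $aclProvider->updateAcl($acl);
    } catch (AclAlreadyExistsException $e) {
        // keep going ... an ACL already exists for this object; nothing is added to it.
    }
}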
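/**
 * Doctrine postPersist listener: grants OWNER ACEs on newly persisted contacts.
 *
 * Acts only when an organization is present in the session and the entity's
 * class is exactly TSK\UserBundle\Entity\Contact (get_class comparison, so a
 * subclass or proxy instance is ignored). Two roles are derived from session
 * state — ROLE_TSK_ORG_<org> and ROLE_TSK_SCHOOL_<school> — and each gets the
 * OWNER mask via saveAcl() inside one DB transaction, rolled back on failure
 * before the exception is rethrown.
 *
 * @param LifecycleEventArgs $args Doctrine lifecycle event (entity + entity manager)
 *
 * @return bool|void false when no organization is in the session; nothing otherwise
 *
 * @throws \Exception whatever saveAcl()/the connection throws, after rollback
 */
public function postPersist(LifecycleEventArgs $args)
{
    $org = $this->session->get($this->orgSessionKey);
    // Truthiness check: a missing key and an organization id of 0/'0' both bail out here.
    if (!$org) {
        return false;
    }

    $entity = $args->getEntity();
    $className = get_class($entity);
    if ($className !== 'TSK\\UserBundle\\Entity\\Contact') {
        return;
    }

    $school = $this->session->get($this->schoolSessionKey);
    // %d casts whatever the session holds, so role names always end in an integer.
    $orgRole = sprintf('ROLE_TSK_ORG_%d', $org);
    $schoolRole = sprintf('ROLE_TSK_SCHOOL_%d', $school);

    $builder = new MaskBuilder();
    $builder->add('OWNER');
    $mask = $builder->get();

    $conn = $args->getEntityManager()->getConnection();
    try {
        $conn->beginTransaction();
        // Same OWNER mask for both roles; the trailing 0/1 is interpreted by
        // saveAcl() (not shown) — presumably an ACE ordinal, confirm there.
        $this->saveAcl($conn, $entity, $orgRole, $className, $mask, 0);
        $this->saveAcl($conn, $entity, $schoolRole, $className, $mask, 1);
        $conn->commit();
    } catch (\Exception $e) {
        $conn->rollback();
        throw $e;
    }
}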
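/**
 * Replaces the object-level permissions of one identity on a set of objects.
 *
 * For each entry of $permissions the target ObjectIdentity is built from the
 * permission's class name / class type, the truthy entries of getBits() are
 * OR-ed into a mask, and the ACL is loaded (or created when findAcl() throws).
 * If that ACL already holds an object ACE for this identity the ACE's mask is
 * replaced, otherwise a new ACE is inserted; the ACL is then persisted.
 *
 * Because an existing ACE is overwritten rather than merged, passing no truthy
 * bits leaves the identity with a zero mask on that object.
 *
 * Fixes relative to the previous version: the error message interpolated the
 * undefined $identity_type; class ACEs were read and immediately discarded;
 * the ACE lookup matched user and role identities on the raw string regardless
 * of $identityType, so a role whose name equals some username could update the
 * wrong ACE. Matching now uses the identity's equals() (for users this also
 * compares the user class, so ACEs created elsewhere with another class string
 * are treated as a different identity — confirm that is acceptable).
 *
 * @param mixed    $identity     username (for 'users') or role name (for 'roles')
 * @param string   $identityType 'users' or 'roles', case-insensitive
 * @param iterable $permissions  objects exposing getClassName(), getClassType(), getBits()
 *
 * @return void
 *
 * @throws \InvalidArgumentException for an unknown $identityType
 */
public function savePermissionsForIdentity($identity, $identityType, $permissions)
{
    switch (strtolower($identityType)) {
        case 'users':
            $securityIdentity = new UserSecurityIdentity($identity, 'TSK\\UserBundle\\Entity\\User');
            break;
        case 'roles':
            $securityIdentity = new RoleSecurityIdentity($identity);
            break;
        default:
            throw new \InvalidArgumentException("Invalid identity_type {$identityType}");
    }

    $aclProvider = $this->aclProvider;

    foreach ($permissions as $perm) {
        $objectIdentity = new ObjectIdentity($perm->getClassName(), $perm->getClassType());

        $builder = new MaskBuilder();
        foreach ($perm->getBits() as $bit) {
            // Falsy entries (0, '', null) never reach MaskBuilder::add(), as before.
            if ($bit) {
                $builder->add($bit);
            }
        }
        $mask = $builder->get();

        try {
            $acl = $aclProvider->findAcl($objectIdentity);
        } catch (AclException $e) {
            $acl = $aclProvider->createAcl($objectIdentity);
        }

        // updateObjectAce() takes the ACE's index within getObjectAces(); find
        // the first ACE whose security identity is the one being saved.
        $aceIndex = null;
        foreach ($acl->getObjectAces() as $index => $ace) {
            if ($securityIdentity->equals($ace->getSecurityIdentity())) {
                $aceIndex = $index;
                break;
            }
        }

        if ($aceIndex === null) {
            $acl->insertObjectAce($securityIdentity, $mask);
        } else {
            $acl->updateObjectAce($aceIndex, $mask);
        }

        $aclProvider->updateAcl($acl);
    }
}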