/** * Performs some checks if logging was requested. * * @param bool $granted * @param EntryInterface $ace */ public function logIfNeeded($granted, EntryInterface $ace) { if (!$ace instanceof AuditableEntryInterface) { return; } if ($granted && $ace->isAuditSuccess()) { $this->doLog($granted, $ace); } elseif (!$granted && $ace->isAuditFailure()) { $this->doLog($granted, $ace); } }
/** * Transform a given ACL entry into a Entry model. * * The entry will not be persisted! * * @param \Symfony\Component\Security\Acl\Model\EntryInterface $aclEntry * * @return \Propel\Bundle\PropelBundle\Model\Acl\Entry */ public static function fromAclEntry(EntryInterface $aclEntry) { $entry = new self(); // Already persisted before? if ($aclEntry->getId()) { $entry->setId($aclEntry->getId()); } $entry->setMask($aclEntry->getMask())->setGranting($aclEntry->isGranting())->setGrantingStrategy($aclEntry->getStrategy())->setSecurityIdentity(SecurityIdentity::fromAclIdentity($aclEntry->getSecurityIdentity())); if ($aclEntry instanceof FieldEntryInterface) { $entry->setFieldName($aclEntry->getField()); } if ($aclEntry instanceof AuditableEntryInterface) { $entry->setAuditFailure($aclEntry->isAuditFailure())->setAuditSuccess($aclEntry->isAuditSuccess()); } return $entry; }
/** * Determines whether the ACE is applicable to the given permission/security * identity combination. * * Per default, we support three different comparison strategies. * * Strategy ALL: * The ACE will be considered applicable when all the turned-on bits in the * required mask are also turned-on in the ACE mask. * * Strategy ANY: * The ACE will be considered applicable when any of the turned-on bits in * the required mask is also turned-on the in the ACE mask. * * Strategy EQUAL: * The ACE will be considered applicable when the bitmasks are equal. * * @param integer $requiredMask * @param EntryInterface $ace * @return Boolean */ protected function isAceApplicable($requiredMask, EntryInterface $ace) { $strategy = $ace->getStrategy(); if (self::ALL === $strategy) { return $requiredMask === ($ace->getMask() & $requiredMask); } else { if (self::ANY === $strategy) { return 0 !== ($ace->getMask() & $requiredMask); } else { if (self::EQUAL === $strategy) { return $requiredMask === $ace->getMask(); } } } throw new \RuntimeException(sprintf('The strategy "%s" is not supported.', $strategy)); }
/** * Retrieve the persisted model for the given ACE. * * If none is given, null is returned. * * @param \Symfony\Component\Security\Acl\Model\EntryInterface $ace * * @return \Propel\Bundle\PropelBundle\Model\Acl\Entry|null */ protected function getPersistedAce(EntryInterface $ace, ObjectIdentity $objectIdentity, $object = false) { if (null !== $ace->getId() and null !== ($entry = EntryQuery::create()->findPk($ace->getId(), $this->connection))) { $entry->reload(true, $this->connection); return $entry; } /* * The id is not set, but there may be an ACE in the database. * * This happens if the ACL has created new ACEs, but was not reloaded. * We try to retrieve one by the unique key. */ $ukQuery = EntryQuery::create()->filterByAclClass($objectIdentity->getAclClass($this->connection))->filterBySecurityIdentity(SecurityIdentity::fromAclIdentity($ace->getSecurityIdentity(), $this->connection)); if (true === $object) { $ukQuery->filterByObjectIdentity($objectIdentity); } else { $ukQuery->filterByObjectIdentityId(null, Criteria::ISNULL); } if ($ace instanceof FieldEntryInterface) { $ukQuery->filterByFieldName($ace->getField()); } else { $ukQuery->filterByFieldName(null, Criteria::ISNULL); } return $ukQuery->findOne($this->connection); }
/** * Determines whether the ACE is applicable to the given permission/security identity combination. * * Strategy ALL: * The ACE will be considered applicable when all the turned-on bits in the * required mask are also turned-on in the ACE mask. * * Strategy ANY: * The ACE will be considered applicable when any of the turned-on bits in * the required mask is also turned-on the in the ACE mask. * * Strategy EQUAL: * The ACE will be considered applicable when the bitmasks are equal. * * @param integer $requiredMask * @param EntryInterface $ace * @param AclInterface $acl * @throws \RuntimeException if the ACE strategy is not supported * @return bool */ protected function isAceApplicable($requiredMask, EntryInterface $ace, AclInterface $acl) { $extension = $this->getContext()->getAclExtension(); $aceMask = $ace->getMask(); if ($acl->getObjectIdentity()->getType() === ObjectIdentityFactory::ROOT_IDENTITY_TYPE) { if ($acl->getObjectIdentity()->getIdentifier() !== $extension->getExtensionKey()) { return false; } $aceMask = $extension->adaptRootMask($aceMask, $this->getContext()->getObject()); } if ($extension->getServiceBits($requiredMask) !== $extension->getServiceBits($aceMask)) { return false; } $requiredMask = $extension->removeServiceBits($requiredMask); $aceMask = $extension->removeServiceBits($aceMask); $strategy = $ace->getStrategy(); switch ($strategy) { case self::ALL: return $requiredMask === ($aceMask & $requiredMask); case self::ANY: return 0 !== ($aceMask & $requiredMask); case self::EQUAL: return $requiredMask === $aceMask; default: throw new \RuntimeException(sprintf('The strategy "%s" is not supported.', $strategy)); } }
/** * Determines whether the ACE is applicable to the given permission/security * identity combination. * * Per default, we support three different comparison strategies. * * Strategy ALL: * The ACE will be considered applicable when all the turned-on bits in the * required mask are also turned-on in the ACE mask. * * Strategy ANY: * The ACE will be considered applicable when any of the turned-on bits in * the required mask is also turned-on the in the ACE mask. * * Strategy EQUAL: * The ACE will be considered applicable when the bitmasks are equal. * * @param SecurityIdentityInterface $sid * @param EntryInterface $ace * @param int $requiredMask * @return Boolean */ protected function isAceApplicable($requiredMask, SecurityIdentityInterface $sid, EntryInterface $ace) { if (false === $ace->getSecurityIdentity()->equals($sid)) { return false; } $strategy = $ace->getStrategy(); if (self::ALL === $strategy) { return $requiredMask === ($ace->getMask() & $requiredMask); } else { if (self::ANY === $strategy) { return 0 !== ($ace->getMask() & $requiredMask); } else { if (self::EQUAL === $strategy) { return $requiredMask === $ace->getMask(); } else { throw new \RuntimeException(sprintf('The strategy "%s" is not supported.', $strategy)); } } } }
/** * Resolve ACE itentity to User or Role * * @param EntryInterface $ace * @return mixed */ protected function resolveIdentity(EntryInterface $ace) { $securityIdentity = $ace->getSecurityIdentity(); if ($securityIdentity instanceof UserSecurityIdentity) { $userProvider = $this->userProvider; try { return $userProvider->loadUserByUsername($securityIdentity->getUsername()); } catch (UsernameNotFoundException $e) { } } elseif ($securityIdentity instanceof RoleSecurityIdentity) { return $securityIdentity->getRole(); } return null; }