コード例 #1
 /**
  * Creates the ACE for a user.
  *
  * Builds a new ACL for the user's own object identity, inserts one
  * object-scope entry granting that same user MaskBuilder::MASK_OWNER, and
  * persists the result. When $this->aclProvider is falsy the method returns
  * early and no entry is written for the user.
  *
  * NOTE(review): createAcl() is called unconditionally; presumably it fails
  * when an ACL for this user already exists - confirm that callers invoke
  * this only once per user.
  *
  * @param UserInterface $user
  */
 public function createUserAce(UserInterface $user)
 {
     if (!$this->aclProvider) {
         return;
     }

     $userObjectIdentity = ObjectIdentity::fromDomainObject($user);
     $userAcl = $this->aclProvider->createAcl($userObjectIdentity);

     // The account is made owner of its own user object.
     $ownerIdentity = UserSecurityIdentity::fromAccount($user);
     $userAcl->insertObjectAce($ownerIdentity, MaskBuilder::MASK_OWNER);

     $this->aclProvider->updateAcl($userAcl);
 }
コード例 #2
 /**
  * Returns the ACL stored for the object identity, creating one if none exists.
  *
  * Only AclNotFoundException triggers the creation path; any other exception
  * raised by the provider propagates to the caller. Nothing is added to a
  * newly created ACL here and updateAcl() is not called, so the caller is
  * responsible for inserting entries and persisting them.
  *
  * @param ObjectIdentityInterface $objectIdentity
  *
  * @return AclInterface|MutableAclInterface
  */
 protected function findOrCreateAcl(ObjectIdentityInterface $objectIdentity)
 {
     try {
         $resolvedAcl = $this->aclProvider->findAcl($objectIdentity);
     } catch (AclNotFoundException $notFound) {
         $resolvedAcl = $this->aclProvider->createAcl($objectIdentity);
     }

     return $resolvedAcl;
 }
コード例 #3
 /**
  * Checks that setPermissions() creates and persists an ACL when none exists.
  *
  * The provider double throws AclNotFoundException on lookup, so the manager
  * is expected to call createAcl(), insert an object ACE and call updateAcl().
  *
  * @dataProvider provideObjectIdentifiers
  */
 public function testPermissionUpdateEvent($objectId, $objectType, $objectIdentifier)
 {
     // Lookup fails, which forces the creation path.
     $lookupIdentity = new ObjectIdentity($objectIdentifier, $objectType);
     $this->aclProvider
         ->findAcl($lookupIdentity)
         ->willThrow(AclNotFoundException::class);

     $creationIdentity = new ObjectIdentity($objectIdentifier, $objectType);
     $this->aclProvider
         ->createAcl($creationIdentity)
         ->willReturn($this->acl->reveal())
         ->shouldBeCalled();
     $this->aclProvider
         ->updateAcl($this->acl->reveal())
         ->shouldBeCalled();

     // The fresh ACL holds no entries, so an insert (not an update) is expected.
     $this->acl->getObjectAces()->willReturn([]);
     $this->acl->insertObjectAce(Argument::cetera())->shouldBeCalled();

     $permissionsByRole = [$this->securityIdentity->getRole() => ['view']];
     $this->accessControlManager->setPermissions($objectType, $objectId, $permissionsByRole);
 }
コード例 #4
ファイル: PostAcl.php プロジェクト: qushe-demon/ghost
 /**
  * {@inheritDoc}
  *
  * Creates the ACL for $this->oid, fills it through doInstallFallbackAcl()
  * and persists it. If the ACL already exists the method returns without
  * touching it, so existing entries are not refreshed by a second run.
  */
 public function installFallbackAcl()
 {
     try {
         $fallbackAcl = $this->aclProvider->createAcl($this->oid);
     } catch (AclAlreadyExistsException $alreadyInstalled) {
         // An ACL is already stored for this identity; leave it as it is.
         return;
     }

     $maskBuilder = new MaskBuilder();
     $this->doInstallFallbackAcl($fallbackAcl, $maskBuilder);

     $this->aclProvider->updateAcl($fallbackAcl);
 }
コード例 #5
 /**
  * Checks that setPermissions() creates the ACL and dispatches the update event.
  *
  * The provider double throws AclNotFoundException on lookup, so the manager
  * is expected to call createAcl(), insert an object ACE, call updateAcl() and
  * dispatch 'sulu.security.permission.update' with a PermissionUpdateEvent.
  *
  * @dataProvider provideObjectIdentifiers
  */
 public function testPermissionUpdateEvent($objectId, $objectType, $locale, $objectIdentifier)
 {
     // Lookup fails, which forces the creation path.
     $lookupIdentity = new ObjectIdentity($objectIdentifier, $objectType);
     $this->aclProvider
         ->findAcl($lookupIdentity)
         ->willThrow(AclNotFoundException::class);

     $creationIdentity = new ObjectIdentity($objectIdentifier, $objectType);
     $this->aclProvider
         ->createAcl($creationIdentity)
         ->willReturn($this->acl->reveal())
         ->shouldBeCalled();
     $this->aclProvider
         ->updateAcl($this->acl->reveal())
         ->shouldBeCalled();

     // The fresh ACL holds no entries, so an insert (not an update) is expected.
     $this->acl->getObjectAces()->willReturn([]);
     $this->acl->insertObjectAce(Argument::cetera())->shouldBeCalled();

     $expectedEvent = new PermissionUpdateEvent($objectType, $objectIdentifier, $this->securityIdentity, ['view']);
     $this->eventDispatcher
         ->dispatch('sulu.security.permission.update', $expectedEvent)
         ->shouldBeCalled();

     $this->accessControlManager->setPermissions($objectType, $objectId, $this->securityIdentity, ['view'], $locale);
 }
コード例 #6
 /**
  * Installs default Acl entries for the Comment class.
  *
  * This needs to be re-run whenever the Comment class changes or is subclassed.
  *
  * The ACL is keyed on a class-scope identity ('class', $this->commentClass).
  * If an ACL already exists for that identity the method returns without
  * changing it, so a re-run does not modify an ACL that is already stored.
  *
  * @return void
  */
 public function installFallbackAcl()
 {
     $classIdentity = new ObjectIdentity('class', $this->commentClass);

     try {
         $fallbackAcl = $this->aclProvider->createAcl($classIdentity);
     } catch (AclAlreadyExistsException $alreadyInstalled) {
         // An ACL is already stored for this class; leave it as it is.
         return;
     }

     $maskBuilder = new MaskBuilder();
     $this->doInstallFallbackAcl($fallbackAcl, $maskBuilder);

     $this->aclProvider->updateAcl($fallbackAcl);
 }
コード例 #7
 /**
  * Returns the ACL for an object, trying to create it first.
  *
  * The object identity comes from getNoProxyIdentityObject(). Creation is
  * attempted before lookup; when createAcl() throws, the ACL is looked up
  * with findAcl() instead.
  *
  * NOTE(review): the catch covers every \Exception, not only the
  * "ACL already exists" case, so an unrelated provider failure during
  * creation is hidden and only surfaces if findAcl() fails as well.
  * Consider narrowing the catch once the expected exception type is confirmed.
  *
  * @param mixed $object The object passed on to getNoProxyIdentityObject()
  * @return \Symfony\Component\Security\Acl\Domain\Acl
  */
 protected function getAcl($object)
 {
     $identity = $this->getNoProxyIdentityObject($object);

     try {
         return $this->aclProvider->createAcl($identity);
     } catch (\Exception $creationFailure) {
         // Creation failed for whatever reason; fall back to the stored ACL.
         return $this->aclProvider->findAcl($identity);
     }
 }
コード例 #8
 /**
  * Sets the permission for a single security identity.
  *
  * Loads the ACL for the object (creating it when it is not found), then
  * passes the converted mask to updateObjectAce() for every object ACE whose
  * security identity equals the given role. If no entry matched, a new entry
  * is inserted at index 0 with the 'any' strategy. The ACL is persisted in
  * both cases.
  *
  * This method performs no authorization check of its own; callers decide
  * who is allowed to change permissions.
  *
  * @param string $type The type of the object to protect
  * @param string $identifier The identifier of the object to protect
  * @param string $securityIdentity The security identity for which the permissions are set
  * @param array $permissions The permissions to set
  */
 private function setPermission($type, $identifier, $securityIdentity, $permissions)
 {
     $objectIdentity = new ObjectIdentity($identifier, $type);
     $roleIdentity = new RoleSecurityIdentity($securityIdentity);

     try {
         $acl = $this->aclProvider->findAcl($objectIdentity);
     } catch (AclNotFoundException $notFound) {
         $acl = $this->aclProvider->createAcl($objectIdentity);
     }

     $matchedEntries = 0;
     foreach ($acl->getObjectAces() as $aceIndex => $entry) {
         /** @var EntryInterface $entry */
         if (!$entry->getSecurityIdentity()->equals($roleIdentity)) {
             continue;
         }

         $acl->updateObjectAce($aceIndex, $this->maskConverter->convertPermissionsToNumber($permissions));
         ++$matchedEntries;
     }

     // No existing entry for this role: add one instead.
     if (0 === $matchedEntries) {
         $acl->insertObjectAce(
             $roleIdentity,
             $this->maskConverter->convertPermissionsToNumber($permissions),
             0,
             true,
             'any'
         );
     }

     $this->aclProvider->updateAcl($acl);
 }
コード例 #9
 /**
  * Apply the specified ACL changeset.
  *
  * With $recursive enabled the changeset is first applied to every child
  * returned by getChildren() (each child call recurses again, because the
  * third argument is left at its default), and then to the entity itself.
  *
  * The changeset is iterated as role => [type => permissions]. For each role
  * the current mask (0 when the role has no entry yet) gets the listed
  * permissions OR-ed in for self::ADD and cleared for self::DELETE. Change
  * types other than these two leave the mask untouched.
  *
  * NOTE(review): when $recursive is true and the entity has no getChildren()
  * method, the method returns before the entity's own ACL is touched, so the
  * changeset (including any DELETE) is silently not applied to it. Confirm
  * this is intended for entities that have no children.
  *
  * @param AbstractEntity $entity    The entity
  * @param array          $changeset The changeset
  * @param bool           $recursive Whether to apply the changeset to children first
  */
 public function applyAclChangeset(AbstractEntity $entity, $changeset, $recursive = true)
 {
     if ($recursive && !method_exists($entity, 'getChildren')) {
         return;
     }

     if ($recursive) {
         // Children first, each of them recursing into its own subtree.
         /** @noinspection PhpUndefinedMethodInspection */
         foreach ($entity->getChildren() as $childEntity) {
             $this->applyAclChangeset($childEntity, $changeset);
         }
     }

     // Load the entity's own ACL, creating it when none is stored yet.
     $entityIdentity = $this->oidRetrievalStrategy->getObjectIdentity($entity);
     try {
         /* @var $acl MutableAclInterface */
         $acl = $this->aclProvider->findAcl($entityIdentity);
     } catch (AclNotFoundException $notFound) {
         /* @var $acl MutableAclInterface */
         $acl = $this->aclProvider->createAcl($entityIdentity);
     }

     foreach ($changeset as $role => $roleChanges) {
         // false means the role has no object ACE yet.
         $aceIndex = $this->getObjectAceIndex($acl, $role);
         $mask = false !== $aceIndex ? $this->getMaskAtIndex($acl, $aceIndex) : 0;

         foreach ($roleChanges as $changeType => $permissions) {
             $delta = new MaskBuilder();
             foreach ($permissions as $permission) {
                 $delta->add($permission);
             }

             switch ($changeType) {
                 case self::ADD:
                     $mask |= $delta->get();
                     break;
                 case self::DELETE:
                     $mask &= ~$delta->get();
                     break;
             }
         }

         if (false === $aceIndex) {
             $acl->insertObjectAce(new RoleSecurityIdentity($role), $mask);
         } else {
             $acl->updateObjectAce($aceIndex, $mask);
         }
     }

     $this->aclProvider->updateAcl($acl);
 }
コード例 #10
 /**
  * {@inheritdoc}
  *
  * Delegates directly to the wrapped ACL provider; any exception raised by
  * the provider propagates unchanged.
  */
 public function createAcl(ObjectIdentityInterface $objectIdentity)
 {
     $createdAcl = $this->aclProvider->createAcl($objectIdentity);

     return $createdAcl;
 }