/**
 * Creates the owner ACE for a user.
 *
 * Does nothing when no ACL provider is configured. Otherwise a fresh ACL is
 * created for the user's object identity, the user itself is granted the
 * OWNER mask on it, and the ACL is persisted through the provider.
 *
 * @param UserInterface $user
 */
public function createUserAce(UserInterface $user)
{
    // ACL support is optional: without a provider there is nothing to persist.
    if (!$this->aclProvider) {
        return;
    }

    $objectIdentity = ObjectIdentity::fromDomainObject($user);
    $securityIdentity = UserSecurityIdentity::fromAccount($user);

    $acl = $this->aclProvider->createAcl($objectIdentity);
    $acl->insertObjectAce($securityIdentity, MaskBuilder::MASK_OWNER);
    $this->aclProvider->updateAcl($acl);
}
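/**
 * Revokes ACEs granted to an identity on an object.
 *
 * Every ACE of the requested type whose security identity matches $identity
 * is removed; when $mask is given, only ACEs carrying exactly that mask are
 * removed. The ACL is persisted afterwards, even if nothing matched.
 *
 * @param object   $object   The domain object whose ACL is modified
 * @param mixed    $identity Resolved through getSecurityIdentity()
 * @param int|null $mask     Restrict removal to ACEs with this exact mask
 * @param string   $type     self::TYPE_OBJECT or 'class'
 */
public function revoke($object, $identity, $mask = null, $type = self::TYPE_OBJECT)
{
    $acl = $this->getAcl($object);
    $securityIdentity = $this->getSecurityIdentity($identity);

    // Indexes must come from the same list they are deleted from: class ACE
    // deletions index the class ACE list, not the object ACE list.
    $aces = 'class' === $type ? $acl->getClassAces() : $acl->getObjectAces();

    // Deleting an ACE reindexes the remaining entries, so walk the snapshot
    // from the highest index down to keep every later index valid.
    foreach (array_reverse($aces, true) as $index => $ace) {
        if (!$securityIdentity->equals($ace->getSecurityIdentity())) {
            continue;
        }
        if (null !== $mask && (int) $mask !== $ace->getMask()) {
            continue;
        }

        if ('class' === $type) {
            $acl->deleteClassAce($index);
        } elseif ('object' === $type) {
            $acl->deleteObjectAce($index);
        }
    }

    $this->aclProvider->updateAcl($acl);
}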
/**
 * Removes permissions from the ACE that $securityIdentity holds on $objectIdentity.
 *
 * Silently returns when no ACL exists for the object identity. The ACE list
 * to search is chosen dynamically via resolveAceMethod() from $type and
 * $field; when several ACEs belong to the same security identity the loop
 * does not stop, so the last matching entry is the one updated. The mask of
 * that entry is rebuilt with each permission in $permissions removed, then
 * written back through the matching "update" method. The ACL is persisted
 * even when no entry matched.
 *
 * @param ObjectIdentityInterface   $objectIdentity
 * @param SecurityIdentityInterface $securityIdentity
 * @param string|string[]           $permissions      Permission name(s) to remove
 * @param string                    $type             ACE type passed to resolveAceMethod()
 * @param null|string               $field            Field name for field-scoped ACEs
 */
protected function revoke(ObjectIdentityInterface $objectIdentity, SecurityIdentityInterface $securityIdentity, $permissions, $type, $field = null)
{
    if (null === ($acl = $this->findAcl($objectIdentity))) {
        return;
    }

    $index = false;
    $oldMask = 0;
    // $field is handed to the getter even when it is null.
    /** @var Entry $ace */
    foreach ($acl->{$this->resolveAceMethod('get', $type, $field)}($field) as $k => $ace) {
        if ($securityIdentity->equals($ace->getSecurityIdentity())) {
            // Last match wins: no break, so later matches overwrite earlier ones.
            $index = $k;
            $oldMask = $ace->getMask();
            continue;
        }
    }

    if (false !== $index) {
        $maskBuilder = $this->permissionMap->getMaskBuilder();
        $maskBuilder->set($oldMask);
        foreach ((array) $permissions as $permission) {
            $maskBuilder->remove($permission);
        }

        // Field-scoped updates take the field name as an extra argument.
        if (null === $field) {
            $acl->{$this->resolveAceMethod('update', $type)}($index, $maskBuilder->get());
        } else {
            $acl->{$this->resolveAceMethod('update', $type, $field)}($index, $field, $maskBuilder->get());
        }
    }

    $this->aclProvider->updateAcl($acl);
}
/**
 * Setting permissions on an object without an ACL creates, fills and persists one.
 *
 * @dataProvider provideObjectIdentifiers
 */
public function testPermissionUpdateEvent($objectId, $objectType, $objectIdentifier)
{
    $objectIdentity = new ObjectIdentity($objectIdentifier, $objectType);
    $acl = $this->acl->reveal();

    // No ACL exists yet, so the manager has to create one and persist it.
    $this->aclProvider->findAcl($objectIdentity)->willThrow(AclNotFoundException::class);
    $this->aclProvider->createAcl($objectIdentity)->willReturn($acl)->shouldBeCalled();
    $this->aclProvider->updateAcl($acl)->shouldBeCalled();

    // The new ACL carries no ACEs, so a new entry must be inserted.
    $this->acl->getObjectAces()->willReturn([]);
    $this->acl->insertObjectAce(Argument::cetera())->shouldBeCalled();

    $this->accessControlManager->setPermissions(
        $objectType,
        $objectId,
        [$this->securityIdentity->getRole() => ['view']]
    );
}
/**
 * {@inheritDoc}
 *
 * Creates the ACL for the configured object identity and fills it with the
 * fallback entries; an already existing ACL is left exactly as it is.
 */
public function installFallbackAcl()
{
    try {
        $acl = $this->aclProvider->createAcl($this->oid);
    } catch (AclAlreadyExistsException $alreadyInstalled) {
        // The provider already holds an ACL for this identity: nothing to do.
        return;
    }

    $this->doInstallFallbackAcl($acl, new MaskBuilder());
    $this->aclProvider->updateAcl($acl);
}
/**
 * Setting permissions on an object without an ACL creates, fills and persists
 * one and announces the change through the event dispatcher.
 *
 * @dataProvider provideObjectIdentifiers
 */
public function testPermissionUpdateEvent($objectId, $objectType, $locale, $objectIdentifier)
{
    $objectIdentity = new ObjectIdentity($objectIdentifier, $objectType);
    $acl = $this->acl->reveal();

    // No ACL exists yet, so the manager has to create one and persist it.
    $this->aclProvider->findAcl($objectIdentity)->willThrow(AclNotFoundException::class);
    $this->aclProvider->createAcl($objectIdentity)->willReturn($acl)->shouldBeCalled();
    $this->aclProvider->updateAcl($acl)->shouldBeCalled();

    // The new ACL carries no ACEs, so a new entry must be inserted.
    $this->acl->getObjectAces()->willReturn([]);
    $this->acl->insertObjectAce(Argument::cetera())->shouldBeCalled();

    $expectedEvent = new PermissionUpdateEvent($objectType, $objectIdentifier, $this->securityIdentity, ['view']);
    $this->eventDispatcher->dispatch('sulu.security.permission.update', $expectedEvent)->shouldBeCalled();

    $this->accessControlManager->setPermissions($objectType, $objectId, $this->securityIdentity, ['view'], $locale);
}
/**
 * Installs default Acl entries for the Comment class.
 *
 * This needs to be re-run whenever the Comment class changes or is subclassed.
 * The class-level ACL is created, populated with the fallback entries and
 * persisted; if it already exists nothing is changed.
 *
 * @return void
 */
public function installFallbackAcl()
{
    $classIdentity = new ObjectIdentity('class', $this->commentClass);

    try {
        $acl = $this->aclProvider->createAcl($classIdentity);
    } catch (AclAlreadyExistsException $alreadyInstalled) {
        // The class-level ACL is already in place; leave it untouched.
        return;
    }

    $this->doInstallFallbackAcl($acl, new MaskBuilder());
    $this->aclProvider->updateAcl($acl);
}
/**
 * Apply the specified ACL changeset.
 *
 * The changeset is keyed by role; each role maps a change type (self::ADD or
 * self::DELETE) to the permissions to add to or remove from that role's
 * object ACE. A missing ACE is inserted, an existing one is updated, and the
 * ACL is persisted at the end.
 *
 * @param AbstractEntity $entity    The entity
 * @param array          $changeset The changeset
 * @param bool           $recursive The recursive
 */
public function applyAclChangeset(AbstractEntity $entity, $changeset, $recursive = true)
{
    if ($recursive) {
        // NOTE(review): an entity without getChildren() returns here before its
        // own ACL is touched, so a leaf entity is skipped entirely when
        // $recursive is true — confirm this is intended.
        if (!method_exists($entity, 'getChildren')) {
            return;
        }

        // Children first; the recursive call relies on the default $recursive.
        /** @noinspection PhpUndefinedMethodInspection */
        foreach ($entity->getChildren() as $childEntity) {
            $this->applyAclChangeset($childEntity, $changeset);
        }
    }

    // Load the node's ACL, creating an empty one when none exists yet.
    $objectIdentity = $this->oidRetrievalStrategy->getObjectIdentity($entity);
    try {
        /* @var $acl MutableAclInterface */
        $acl = $this->aclProvider->findAcl($objectIdentity);
    } catch (AclNotFoundException $notFound) {
        /* @var $acl MutableAclInterface */
        $acl = $this->aclProvider->createAcl($objectIdentity);
    }

    foreach ($changeset as $role => $roleChanges) {
        $aceIndex = $this->getObjectAceIndex($acl, $role);
        // Start from the role's current mask, or from nothing if it has no ACE.
        $newMask = false !== $aceIndex ? $this->getMaskAtIndex($acl, $aceIndex) : 0;

        foreach ($roleChanges as $changeType => $permissions) {
            $delta = new MaskBuilder();
            foreach ($permissions as $permission) {
                $delta->add($permission);
            }

            switch ($changeType) {
                case self::ADD:
                    $newMask |= $delta->get();
                    break;
                case self::DELETE:
                    $newMask &= ~$delta->get();
                    break;
            }
        }

        if (false !== $aceIndex) {
            $acl->updateObjectAce($aceIndex, $newMask);
        } else {
            $acl->insertObjectAce(new RoleSecurityIdentity($role), $newMask);
        }
    }

    $this->aclProvider->updateAcl($acl);
}
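/**
 * {@inheritdoc}
 *
 * Stores $permissions for the role $securityIdentity on the ACL of the object
 * identified by ($type, $identifier). Every existing object ACE for that role
 * is updated; when none exists a new granting ACE is inserted. The ACL is
 * created on demand, persisted, and a permission update event is dispatched
 * afterwards.
 */
public function setPermissions($type, $identifier, $securityIdentity, $permissions)
{
    $oid = new ObjectIdentity($identifier, $type);
    $sid = new RoleSecurityIdentity($securityIdentity);

    try {
        $acl = $this->aclProvider->findAcl($oid);
    } catch (AclNotFoundException $exc) {
        $acl = $this->aclProvider->createAcl($oid);
    }

    // The mask does not depend on the ACE being visited: convert once rather
    // than once per matching ACE.
    $mask = $this->maskConverter->convertPermissionsToNumber($permissions);

    $updated = false;
    foreach ($acl->getObjectAces() as $id => $ace) {
        /** @var EntryInterface $ace */
        if ($ace->getSecurityIdentity()->equals($sid)) {
            $acl->updateObjectAce($id, $mask);
            $updated = true;
        }
    }

    if (!$updated) {
        // index 0, granting ACE, strategy 'any'
        $acl->insertObjectAce($sid, $mask, 0, true, 'any');
    }

    $this->aclProvider->updateAcl($acl);
    $this->eventDispatcher->dispatch(
        SecurityEvents::PERMISSION_UPDATE,
        new PermissionUpdateEvent($type, $identifier, $securityIdentity, $permissions)
    );
}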
/**
 * {@inheritdoc}
 *
 * Delegates persistence of the ACL straight to the wrapped ACL provider.
 */
public function updateAcl(AclInterface $acl)
{
    $provider = $this->aclProvider;
    $provider->updateAcl($acl);
}