/** * {@inheritDoc} */ public function equals(SecurityIdentityInterface $sid) { if (!$sid instanceof UserSecurityIdentity) { return false; } return $this->username === $sid->getUsername() && $this->class === $sid->getClass(); }
/** * {@inheritdoc} */ public function equals(SecurityIdentityInterface $sid) { if (!$sid instanceof JournalRoleSecurityIdentity) { return false; } return $this->role === $sid->getRole() && (int) $this->journal === (int) $sid->getJournal(); }
/** * {@inheritDoc} */ public function equals(SecurityIdentityInterface $sid) { if (!$sid instanceof RoleSecurityIdentity) { return false; } return $this->role === $sid->getRole(); }
/** * {@inheritdoc} */ public function equals(SecurityIdentityInterface $sid) { if (!$sid instanceof self) { return false; } return $this->id === $sid->getId() && $this->class === $sid->getClass(); }
/** * @param $entity * @param $mask * @param SecurityIdentityInterface $securityIdentity * @return $this */ public function revokeMask($entity, $mask, SecurityIdentityInterface $securityIdentity) { $acl = $this->getAcl($entity); $aces = $acl->getObjectAces(); foreach ($aces as $index => $ace) { if ($securityIdentity->equals($ace->getSecurityIdentity())) { $this->removeMask($index, $acl, $ace, $mask); } } $this->aclProvider->updateAcl($acl); return $this; }
/** * Deletes the given security identity. * * @param SID $sid */ public function deleteSid(SID $sid) { if ($this->isAclEnabled()) { if ($sid instanceof RoleSecurityIdentity) { /** * Marking removed Role as Disabled instead of delete, because straight deleting role identity breaks * ace indexes * TODO: Create a job to remove marked role identities and rebuild ace indexes */ $disabledSid = new RoleSecurityIdentity($sid->getRole() . uniqid(self::ROLE_DISABLED_FLAG)); $this->aclProvider->updateSecurityIdentity($disabledSid, $sid->getRole()); } else { $this->aclProvider->deleteSecurityIdentity($sid); } } }
/** * Transform a given ACL security identity into a SecurityIdentity model. * * If there is no model entry given, a new one will be created and saved to the database. * * @throws \InvalidArgumentException * * @param \Symfony\Component\Security\Acl\Model\SecurityIdentityInterface $aclIdentity * @param \PropelPDO $con * * @return \Propel\PropelBundle\Model\Acl\SecurityIdentity */ public static function fromAclIdentity(SecurityIdentityInterface $aclIdentity, \PropelPDO $con = null) { if ($aclIdentity instanceof UserSecurityIdentity) { $identifier = $aclIdentity->getClass() . '-' . $aclIdentity->getUsername(); $username = true; } elseif ($aclIdentity instanceof RoleSecurityIdentity) { $identifier = $aclIdentity->getRole(); $username = false; } else { throw new \InvalidArgumentException('The ACL identity must either be an instance of UserSecurityIdentity or RoleSecurityIdentity.'); } $obj = SecurityIdentityQuery::create()->filterByIdentifier($identifier)->filterByUsername($username)->findOneOrCreate($con); if ($obj->isNew()) { $obj->save($con); } return $obj; }
/** * Constructs the SQL for updating a security identity. * * @param SecurityIdentityInterface $sid * @param string $oldName * @throws \InvalidArgumentException * @return string */ protected function getUpdateSecurityIdentitySql(SecurityIdentityInterface $sid, $oldName) { if ($sid instanceof UserSecurityIdentity) { if ($sid->getUsername() == $oldName) { throw new \InvalidArgumentException('There are no changes.'); } $oldIdentifier = $sid->getClass() . '-' . $oldName; $newIdentifier = $sid->getClass() . '-' . $sid->getUsername(); $username = true; } elseif ($sid instanceof RoleSecurityIdentity) { if ($sid->getRole() == $oldName) { throw new \InvalidArgumentException('There are no changes.'); } $oldIdentifier = $oldName; $newIdentifier = $sid->getRole(); $username = false; } else { throw new \InvalidArgumentException('$sid must either be an instance of UserSecurityIdentity, or RoleSecurityIdentity.'); } return sprintf('UPDATE %s SET identifier = %s WHERE identifier = %s AND username = %s', $this->options['sid_table_name'], $this->connection->quote($newIdentifier), $this->connection->quote($oldIdentifier), $this->connection->getDatabasePlatform()->convertBooleans($username)); }
/** * Deletes all ACEs for the given security identity from the given ACL * * @param ACL $acl * @param string $type The ACE type. Can be one of AclManager::*_ACE constants * @param string|null $field The name of a field. * Set to null for class-based or object-based ACE * Set to not null class-field-based or object-field-based ACE * @param SID $sid * @return bool True if at least one permission was deleted */ public function deleteAllPermissions(ACL $acl, $type, $field, SID $sid) { $hasChanges = false; $aces = $this->getAces($acl, $type, $field); foreach ($aces as $index => $ace) { if ($sid->equals($ace->getSecurityIdentity())) { $this->deleteAce($acl, $type, $field, $index); $hasChanges = true; } } return $hasChanges; }
/** * @param SecurityIdentityInterface $sid * * @return string */ protected function getFormattedName(SecurityIdentityInterface $sid) { if ($sid instanceof UserSecurityIdentity && $sid->getUsername()) { $user = $this->manager->getRepository('OroUserBundle:User')->findOneBy(['username' => $sid->getUsername()]); if ($user) { return $this->nameFormatter->format($user); } } elseif ($sid instanceof BusinessUnitSecurityIdentity) { $businessUnit = $this->manager->getRepository('OroOrganizationBundle:BusinessUnit')->find($sid->getId()); if ($businessUnit) { return $businessUnit->getName(); } } return ''; }
/** * Constructs the SQL for inserting a security identity. * * @param SecurityIdentityInterface $sid * * @throws \InvalidArgumentException * * @return string */ protected function getInsertSecurityIdentitySql(SecurityIdentityInterface $sid) { if ($sid instanceof UserSecurityIdentity) { $identifier = $sid->getClass() . '-' . $sid->getUsername(); $username = true; } elseif ($sid instanceof RoleSecurityIdentity) { $identifier = $sid->getRole(); $username = false; } elseif ($sid instanceof JournalRoleSecurityIdentity) { $identifier = $sid->getIdentifier(); $username = false; } else { throw new \InvalidArgumentException('$sid must either be an instance of UserSecurityIdentity, JournalRoleSecurityIdentity or RoleSecurityIdentity.'); } return sprintf('INSERT INTO %s (identifier, username) VALUES (%s, %s)', $this->options['sid_table_name'], $this->connection->quote($identifier), $this->connection->getDatabasePlatform()->convertBooleans($username)); }
/** * Create an array of the security identity for inserting in the document * * @param SecurityIdentityInterface $sid * @throws \InvalidArgumentException * @return array */ protected function getSecurityIdentityQuery(SecurityIdentityInterface $sid) { if ($sid instanceof UserSecurityIdentity) { return array('username' => $sid->getUsername(), 'class' => $sid->getClass()); } else { if ($sid instanceof RoleSecurityIdentity) { return array('role' => $sid->getRole()); } else { throw new \InvalidArgumentException('$sid must either be an instance of UserSecurityIdentity, or RoleSecurityIdentity.'); } } }
/** * Gets all ACEs associated with given ACL and the given security identity * * @param SID $sid * @param OID $oid * @param string $type The ACE type. Can be one of self::*_ACE constants * @param string|null $field The name of a field. * Set to null for class-based or object-based ACE * Set to not null class-field-based or object-field-based ACE * @return EntryInterface[] */ protected function doGetAces(SID $sid, OID $oid, $type, $field) { $acl = $this->getAcl($oid); if (!$acl) { return array(); } return array_filter($this->aceProvider->getAces($acl, $type, $field), function ($ace) use(&$sid) { /** @var EntryInterface $ace */ return $sid->equals($ace->getSecurityIdentity()); }); }
/** * Deletes all ACEs the given type and security identity from the list of ACEs associated with this item * * @param string $type The ACE type. Can be one of AclManager::*_ACE constants * @param string|null $field The name of a field. * Set to null for class-based or object-based ACE * Set to not null class-field-based or object-field-based ACE * @param SID $sid */ public function removeAces($type, $field, SID $sid) { if ($this->aces !== null) { $toRemoveKeys = []; foreach ($this->aces as $key => $val) { if ($sid->equals($val->getSecurityIdentity()) && $type === $val->getType() && $field === $val->getField()) { $toRemoveKeys[] = $key; break; } } if (!empty($toRemoveKeys)) { foreach ($toRemoveKeys as $key) { $this->aces->remove($key); } } } }
/** * Get Security Identifier and Username flag to create SQL queries * * @param SecurityIdentityInterface $sid * * @throws \InvalidArgumentException * * @return array */ protected function getSecurityIdentifier(SecurityIdentityInterface $sid) { if ($sid instanceof UserSecurityIdentity) { return [$sid->getClass() . '-' . $sid->getUsername(), true]; } elseif ($sid instanceof RoleSecurityIdentity) { return [$sid->getRole(), false]; } elseif ($sid instanceof BusinessUnitSecurityIdentity) { return [$sid->getClass() . '-' . $sid->getId(), false]; } else { throw new \InvalidArgumentException('$sid must either be an instance of UserSecurityIdentity or RoleSecurityIdentity' . ' or BusinessUnitSecurityIdentity.'); } }
/** * Gets all ACEs associated with given ACL and the given security identity * * @param SID $sid * @param AclInterface $acl * @param string $type The ACE type. Can be one of AclManager::*_ACE constants * @param string|null $field The name of a field. * Set to null for class-based or object-based ACE * Set to not null class-field-based or object-field-based ACE * @return EntryInterface[] */ protected function getAces(SID $sid, AclInterface $acl, $type, $field) { return array_filter($this->manager->getAceProvider()->getAces($acl, $type, $field), function ($ace) use(&$sid) { /** @var EntryInterface $ace */ return $sid->equals($ace->getSecurityIdentity()); }); }
/** * Constructs sql restriction based on sid specified as array and fills list * of used sql params to be bind in prepared statement * * @param SecurityIdentityInterface $sid sid * @param array &$valuesForBind list of params to be bind * * @return string */ private function getSidSqlRestriction(SecurityIdentityInterface $sid, &$valuesForBind) { if ($sid instanceof UserSecurityIdentity) { $identifier = $sid->getClass() . '-' . $sid->getUsername(); $isUsername = true; } elseif ($sid instanceof RoleSecurityIdentity) { $identifier = $sid->getRole(); $isUsername = false; } else { throw new InvalidArgumentException('$sid must either be an instance of UserSecurityIdentity, or RoleSecurityIdentity.'); } $sidSqlRestriction = sprintf("INNER JOIN %s s ON e.security_identity_id = s.id AND s.identifier = :identifier AND s.username = :username", $this->options['sid_table_name']); $valuesForBind['identifier'] = ['value' => $identifier, 'type' => PDO::PARAM_STR]; $valuesForBind['username'] = ['value' => $isUsername, 'type' => PDO::PARAM_BOOL]; return $sidSqlRestriction; }
/** * @param SecurityIdentityInterface $sid * * @return mixed */ protected function getSecurityIdentityId(SecurityIdentityInterface $sid) { if ($sid instanceof UserSecurityIdentity) { $identifier = $sid->getClass() . '-' . $sid->getUsername(); $username = true; } elseif ($sid instanceof RoleSecurityIdentity) { //skip Role SID because we didn't share records for Role return null; } elseif ($sid instanceof BusinessUnitSecurityIdentity) { $identifier = $sid->getClass() . '-' . $sid->getId(); $username = false; } else { throw new \InvalidArgumentException('$sid must either be an instance of UserSecurityIdentity or RoleSecurityIdentity ' . 'or BusinessUnitSecurityIdentity.'); } return $this->getObjectManager()->getRepository('OroSecurityBundle:AclSecurityIdentity')->findOneBy(['identifier' => $identifier, 'username' => $username]); }
/** * Constructs the SQL for selecting the primary key of a security identity. * * @param SecurityIdentityInterface $sid * @throws \InvalidArgumentException * @return string */ protected function getSelectSecurityIdentityIdSql(SecurityIdentityInterface $sid) { if ($sid instanceof UserSecurityIdentity) { $identifier = $sid->getClass() . '-' . $sid->getUsername(); $username = true; } elseif ($sid instanceof RoleSecurityIdentity) { $identifier = $sid->getRole(); $username = false; } else { throw new \InvalidArgumentException('$sid must either be an instance of UserSecurityIdentity, or RoleSecurityIdentity.'); } return sprintf('SELECT id FROM %s WHERE identifier = %s AND username = %s', $this->options['sid_table_name'], $this->connection->quote($identifier), $this->connection->getDatabasePlatform()->convertBooleans($username)); }
/** * @param ObjectIdentityInterface $objectIdentity * @param SecurityIdentityInterface $securityIdentity * @param string|string[] $permissions * @param string $type * @param null|string $field */ protected function revoke(ObjectIdentityInterface $objectIdentity, SecurityIdentityInterface $securityIdentity, $permissions, $type, $field = null) { if (null === ($acl = $this->findAcl($objectIdentity))) { return; } $index = false; $oldMask = 0; /** @var Entry $ace */ foreach ($acl->{$this->resolveAceMethod('get', $type, $field)}($field) as $k => $ace) { if ($securityIdentity->equals($ace->getSecurityIdentity())) { $index = $k; $oldMask = $ace->getMask(); continue; } } if (false !== $index) { $maskBuilder = $this->permissionMap->getMaskBuilder(); $maskBuilder->set($oldMask); foreach ((array) $permissions as $permission) { $maskBuilder->remove($permission); } if (null === $field) { $acl->{$this->resolveAceMethod('update', $type)}($index, $maskBuilder->get()); } else { $acl->{$this->resolveAceMethod('update', $type, $field)}($index, $field, $maskBuilder->get()); } } $this->aclProvider->updateAcl($acl); }