public function authenticateToken(TokenInterface $token, UserProviderInterface $userProvider, $providerKey) { $secret = $token->getCredentials(); $userData = $this->session->getFlashBag()->get('arcanys_sso_auth.user_data'); if ($userData) { // TODO create mapping config in the future $username = reset($userData['uid']); $email = reset($userData['email']); $firstname = reset($userData['firstname']); $lastname = reset($userData['lastname']); $token = reset($userData['token']); $roles = $userData['rights']; if (!$roles) { $roles = ['ROLE_USER']; } } else { $this->saml2->login(); exit; } if (!$username) { throw new AuthenticationException("Failed to authenticate from SSO"); } $user = $userProvider->loadUserByUsername(['username' => $username, 'email' => $email, 'firstname' => $firstname, 'lastname' => $lastname, 'token' => $token, 'roles' => $roles]); return new PreAuthenticatedToken($user, $secret, $providerKey, $user->getRoles($roles)); }
/** * @var Ecedi\Donate\CoreBundle\Entity\User */ public function vote(TokenInterface $token, $object, array $attributes) { // check if the voter is used correct, only allow one attribute // this isn't a requirement, it's just one easy way for you to // design your voter if (1 !== count($attributes)) { throw new \InvalidArgumentException('Only one attribute is allowed for VIEW, EDIT or DELETE'); } // set the attribute to check against $attribute = $attributes[0]; // check if the given attribute is covered by this voter if (!$this->supportsAttribute($attribute)) { return VoterInterface::ACCESS_ABSTAIN; } // get current logged in user $currentUser = $token->getUser(); // make sure there is a user object (i.e. that the user is logged in) if (!$currentUser instanceof UserInterface) { return VoterInterface::ACCESS_DENIED; } switch ($attribute) { case self::LIST_USERS: if ($currentUser->hasRole('ROLE_ADMIN')) { return VoterInterface::ACCESS_GRANTED; } //others cannot view others break; case self::CREATE_USERS: if ($currentUser->hasRole('ROLE_ADMIN')) { return VoterInterface::ACCESS_GRANTED; } break; } return VoterInterface::ACCESS_DENIED; }
/** * {@inheritdoc} */ protected function onLoginSuccess(Request $request, Response $response, TokenInterface $token) { $user = $token->getUser(); $expires = time() + $this->options['lifetime']; $value = $this->generateCookieValue(get_class($user), $user->getUsername(), $expires, $user->getPassword()); $response->headers->setCookie(new Cookie($this->options['name'], $value, $expires, $this->options['path'], $this->options['domain'], $this->options['secure'], $this->options['httponly'])); }
function it_returns_locale_of_currently_logged_admin_user(TokenStorageInterface $tokenStorage, TokenInterface $token, AdminUserInterface $admin) { $admin->getLocaleCode()->willReturn('en_US'); $token->getUser()->willreturn($admin); $tokenStorage->getToken()->willReturn($token); $this->getLocaleCode()->shouldReturn('en_US'); }
public function vote(TokenInterface $token, $object, array $attributes) { // check if the voter is used correct, only allow one attribute // this isn't a requirement, it's just one easy way for you to // design your voter if (1 !== count($attributes)) { throw new \InvalidArgumentException('Only one attribute is allowed for TicketVoter'); } // set the attribute to check against $attribute = $attributes[0]; // check if the given attribute is covered by this voter if (!$this->supportsAttribute($attribute)) { return VoterInterface::ACCESS_ABSTAIN; } // get current logged in user $user = $token->getUser(); // make sure there is a user object (i.e. that the user is logged in) if (!$user instanceof Netizen) { return VoterInterface::ACCESS_DENIED; } if ($this->freeAccess || $this->hasFreeAccess($user)) { return VoterInterface::ACCESS_GRANTED; } if ($user->hasValidTicket()) { return VoterInterface::ACCESS_GRANTED; } // if everything else fails: return VoterInterface::ACCESS_DENIED; }
/** * {@inheritDoc} */ public function onAuthenticationSuccess(Request $request, TokenInterface $token) { $session = $request->getSession(); $user = $token->getUser(); $session->registerAccount($user, $request, $this); return parent::onAuthenticationSuccess($request, $token); }
/** * Returns the vote for the given parameters. * * This method must return one of the following constants: * ACCESS_GRANTED, ACCESS_DENIED, or ACCESS_ABSTAIN. * * @param TokenInterface $token A TokenInterface instance * @param object|null $object The object to secure * @param array $attributes An array of attributes associated with the method being invoked * * @return int either ACCESS_GRANTED, ACCESS_ABSTAIN, or ACCESS_DENIED */ public function vote(TokenInterface $token, $object, array $attributes) { $class = get_class($object); if (!$this->supportsClass($class)) { return self::ACCESS_ABSTAIN; } $user = $token->getUser(); if ($user === 'anon.') { return self::ACCESS_ABSTAIN; } else { if (in_array('ADMINISTRATE_BLOG', $attributes) || in_array('SWITCH_ARTICLE_AUTHOR', $attributes)) { if ($user->hasRole('ROLE_BLOG_ADMIN')) { return self::ACCESS_GRANTED; } else { return self::ACCESS_DENIED; } } elseif (in_array('ADMINISTRATE_COMMENTS', $attributes)) { if ($user->hasRole('ROLE_BLOG_ADMIN') || $user->hasRole('ROLE_BLOG_EDITOR')) { return self::ACCESS_GRANTED; } else { return self::ACCESS_DENIED; } } return self::ACCESS_ABSTAIN; } }
/** * {@inheritDoc} */ public function vote(TokenInterface $token, $object, array $attributes) { if (!$object || !is_object($object)) { return self::ACCESS_ABSTAIN; } $objectClass = ClassUtils::getClass($object); if (!$this->supportsClass($objectClass)) { return self::ACCESS_ABSTAIN; } foreach ($attributes as $attribute) { if (!$this->supportsAttribute($attribute)) { return self::ACCESS_ABSTAIN; } } $object = $this->convertToSupportedObject($object, $objectClass); /** @var EmailUser[] $emailUsers */ $emailUsers = $object->getEmailUsers(); foreach ($attributes as $attribute) { foreach ($emailUsers as $emailUser) { if ($this->container->get('oro_security.security_facade')->isGranted($attribute, $emailUser)) { return self::ACCESS_GRANTED; } if ($mailbox = $emailUser->getMailboxOwner() !== null && $token instanceof UsernamePasswordOrganizationToken) { $repo = $this->container->get('doctrine')->getRepository('OroEmailBundle:Mailbox'); $mailboxes = $repo->findAvailableMailboxes($token->getUser(), $token->getOrganizationContext()); if (in_array($mailbox, $mailboxes)) { return self::ACCESS_GRANTED; } } } } return self::ACCESS_DENIED; }
public function vote(TokenInterface $token, $transition, array $attributes) { if (in_array('WORKFLOW_TRANSITION', $attributes)) { //check if the current user is allowed to use the transition $user = $token->getUser(); $userGroupsCol = $user->getGroups(); //make array of collection $userGroups = array(); foreach ($userGroupsCol as $userGroup) { $userGroups[] = $userGroup; } $transitionGroupsCol = $transition->getGroups(); //make array of collection $transitionGroups = array(); foreach ($transitionGroupsCol as $transitionGroup) { $transitionGroups[] = $transitionGroup; } foreach ($userGroups as $userGroup) { if (in_array($userGroup, $transitionGroups)) { return self::ACCESS_GRANTED; } } return self::ACCESS_DENIED; } return self::ACCESS_ABSTAIN; }
/** * @param string $attribute * @param CourseLearningMaterialInterface $material * @param TokenInterface $token * @return bool */ protected function voteOnAttribute($attribute, $material, TokenInterface $token) { $user = $token->getUser(); if (!$user instanceof UserInterface) { return false; } $course = $material->getCourse(); if (!$course) { return false; } switch ($attribute) { case self::VIEW: $granted = $this->isViewGranted($course->getId(), $course->getSchool()->getId(), $user); // prevent access if associated LM is in draft, and the current user has no elevated privileges. if ($granted) { $granted = $this->userHasRole($token->getUser(), ['Faculty', 'Course Director', 'Developer']) || LearningMaterialStatusInterface::IN_DRAFT !== $material->getLearningMaterial()->getStatus()->getId(); } return $granted; break; case self::CREATE: case self::EDIT: case self::DELETE: // prevent any sort of write operation (create/edit/delete) if the parent course is locked or archived. if ($course->isLocked() || $course->isArchived()) { return false; } return $this->isWriteGranted($course->getId(), $course->getSchool()->getId(), $user); break; } return false; }
/** * Get valid UserApi for given token * * @param TokenInterface $token * @param PersistentCollection $secrets * @param User $user * * @return bool|UserApi */ protected function getValidUserApi(TokenInterface $token, PersistentCollection $secrets, User $user) { $currentIteration = 0; $nonce = $token->getAttribute('nonce'); $secretsCount = $secrets->count(); /** @var UserApi $userApi */ foreach ($secrets as $userApi) { $currentIteration++; $isSecretValid = $this->validateDigest($token->getAttribute('digest'), $nonce, $token->getAttribute('created'), $userApi->getApiKey(), $this->getSalt($user)); if ($isSecretValid && !$userApi->getUser()->getOrganizations()->contains($userApi->getOrganization())) { throw new BadCredentialsException('Wrong API key.'); } if ($isSecretValid && !$userApi->getOrganization()->isEnabled()) { throw new BadCredentialsException('Organization is not active.'); } // delete nonce from cache because user have another api keys if (!$isSecretValid && $secretsCount !== $currentIteration) { $this->getNonceCache()->delete($nonce); } if ($isSecretValid) { return $userApi; } } return false; }
function vote(TokenInterface $token, $node, array $attributes) { if (!$node instanceof Node) { return self::ACCESS_ABSTAIN; } if (!in_array($attributes[0], array_keys($this->roles))) { return self::ACCESS_ABSTAIN; } $user = $token->getUser(); $parent = $node->getParent(); if (!is_null($parent) && !$this->container->get('security.authorization_checker')->isGranted($attributes, $parent)) { return self::ACCESS_DENIED; } if (method_exists($node, 'getInherit') && $node->getInherit()) { return self::ACCESS_GRANTED; } if ($node->getOwner() == $user) { return self::ACCESS_GRANTED; } foreach ($node->getUsers() as $nodeUser) { if ($nodeUser->getUser() == $user && $this->roles[$nodeUser->getRole()] >= $this->roles[$attributes[0]]) { return self::ACCESS_GRANTED; } } foreach ($user->getAssocTeams() as $team) { foreach ($node->getTeams() as $nodeTeam) { if ($nodeTeam->getTeam() == $team->getTeam() && $this->roles[$nodeTeam->getRole()] >= $this->roles[$attributes[0]]) { return self::ACCESS_GRANTED; } } } return self::ACCESS_DENIED; }
protected function voteOnAttribute($attribute, $subject, TokenInterface $token) { $user = $token->getUser(); /** @var Estate */ $estate = $subject; if (!$user instanceof UserInterface) { return false; } switch ($attribute) { case self::VIEW: if ($this->decisionManager->decide($token, array('ROLE_ADMIN', 'ROLE_MANAGER'))) { return true; } break; case self::CREATE: if ($this->decisionManager->decide($token, array('ROLE_ADMIN', 'ROLE_MANAGER'))) { return true; } break; case self::EDIT: if ($user->getUsername() === $estate->getCreatedBy() || $this->decisionManager->decide($token, array('ROLE_ADMIN'))) { return true; } break; case self::REMOVE: if ($user->getUsername() === $estate->getCreatedBy() || $this->decisionManager->decide($token, array('ROLE_ADMIN'))) { return true; } break; } return false; }
/** * @param string $attribute * @param ObjectiveInterface $objective * @param TokenInterface $token * @return bool */ protected function voteOnAttribute($attribute, $objective, TokenInterface $token) { $user = $token->getUser(); if (!$user instanceof UserInterface) { return false; } switch ($attribute) { case self::VIEW: // Any authenticated user can see all objectives. return true; break; case self::CREATE: case self::EDIT: case self::DELETE: // Well...poop. // The rules for granting access hinge on the ownership context of the given objective. // Is this a course objective? or a program year object? perhaps a session objective? // No easy way of telling. // So really, this is three voters in one. // TODO: Clean this mess up. [ST 2015/08/05] if (!$objective->getCourses()->isEmpty()) { // got courses? if so, it's a course objective. return $this->isCreateEditDeleteGrantedForCourseObjective($objective, $user); } elseif (!$objective->getSessions()->isEmpty()) { // and so on.. return $this->isCreateEditDeleteGrantedForSessionObjective($objective, $user); } elseif (!$objective->getProgramYears()->isEmpty()) { // and so on .. return $this->isCreateEditDeleteGrantedForProgramYearObjective($objective, $user); } break; } return false; }
/** * @param TokenInterface $post * @param mixed $post * @param array $attributes * @return integer */ public function vote(TokenInterface $token, $post, array $attributes) { if (!$this->supportsClass(get_class($post))) { return VoterInterface::ACCESS_ABSTAIN; } if (1 !== count($attributes)) { throw new \InvalidArgumentException('Only one attribute is allowed for VIEW or EDIT'); } $attribute = $attributes[0]; if (!$this->supportsAttribute($attribute)) { return VoterInterface::ACCESS_ABSTAIN; } $user = $token->getUser(); if (!$user instanceof UserInterface) { return VoterInterface::ACCESS_DENIED; } switch ($attribute) { case self::VIEW: return VoterInterface::ACCESS_GRANTED; break; case self::EDIT: case self::DELETE: if ($user->getId() === $post->getOwner()->getId()) { return VoterInterface::ACCESS_GRANTED; } break; } return VoterInterface::ACCESS_DENIED; }
protected function voteOnAttribute($attribute, $subject, TokenInterface $token) { $user = $token->getUser(); /** @var Comment */ $comment = $subject; // $subject must be a Comment instance, thanks to the supports method if (!$user instanceof UserInterface) { return false; } switch ($attribute) { case self::CREATE: // if the user is an admin, allow them to create new comments if ($this->decisionManager->decide($token, array('ROLE_ADMIN', 'ROLE_MODERATOR', 'ROLE_USER'))) { return true; } break; case self::EDIT: // if the user is the author of the comment or admin or moderator, allow them to edit the comments if ($comment->isAuthor($user) || $this->decisionManager->decide($token, array('ROLE_ADMIN')) && $comment->isAuthor($user) || $this->decisionManager->decide($token, array('ROLE_MODERATOR')) && $this->canYouDoIt($comment, $user)) { return true; } break; case self::REMOVE: // if the user is the author of the comment or admin or moderator, allow them to remove the posts in the some order if ($comment->isAuthor($user) || $this->decisionManager->decide($token, array('ROLE_ADMIN')) && $comment->isAuthor($user) || $this->decisionManager->decide($token, array('ROLE_MODERATOR')) && $this->canYouDoIt($comment, $user)) { return true; } break; } return false; }
/** * @return boolean */ public function supportsToken(TokenInterface $token, $providerKey) { if (!$token instanceof PreAuthenticatedToken) { return false; } return $token->getProviderKey() === $providerKey; }
protected function voteOnAttribute($attribute, $subject, TokenInterface $token) { $user = $token->getUser(); /** @var Post */ $post = $subject; // $subject must be a Post instance, thanks to the supports method if (!$user instanceof UserInterface) { return false; } switch ($attribute) { case self::CREATE: // if the user is an admin, allow them to create new posts if ($this->decisionManager->decide($token, array('ROLE_ADMIN'))) { return true; } break; case self::EDIT: // if the user is the author of the post, allow them to edit the posts if ($user->getEmail() === $post->getAuthorEmail() || $this->decisionManager->decide($token, array('ROLE_ADMIN'))) { return true; } break; case self::REMOVE: // if the user is the author of the post, allow them to edit the posts if ($user->getEmail() === $post->getAuthorEmail() || $this->decisionManager->decide($token, array('ROLE_ADMIN'))) { return true; } break; } return false; }
public function vote(TokenInterface $token, Location $object, array $attributes) { if (in_array('ROLE_LOCATION_MODERATOR', $token->getRoles())) { return VoterInterface::ACCESS_GRANTED; } return VoterInterface::ACCESS_ABSTAIN; }
/** * @param string $attribute * @param ProgramInterface $program * @param TokenInterface $token * @return bool */ protected function voteOnAttribute($attribute, $program, TokenInterface $token) { $user = $token->getUser(); if (!$user instanceof UserInterface) { return false; } switch ($attribute) { case self::VIEW: // do not enforce special views permissions on programs. return true; break; case self::CREATE: case self::EDIT: case self::DELETE: // the given user is granted CREATE, EDIT and DELETE permissions on the given program // when at least one of the following statements is true // 1. The user's primary school is the same as the program's owning school // and the user has at least one of 'Course Director' and 'Developer' role. // 2. The user has WRITE permissions on the program's owning school // and the user has at least one of 'Course Director' and 'Developer' role. // 3. The user has WRITE permissions on the program. return $this->userHasRole($user, ['Course Director', 'Developer']) && ($this->schoolsAreIdentical($program->getSchool(), $user->getSchool()) || $this->permissionManager->userHasWritePermissionToSchool($user, $program->getSchool()->getId())) || $this->permissionManager->userHasWritePermissionToProgram($user, $program); break; } return false; }
public function vote(TokenInterface $token, $object, array $attributes) { $user = $token->getUser(); $type = ProjectGitAccess::WRITE_PERMISSION; foreach ($attributes as $attribute) { switch ($attribute) { case 'GIT_DELETE': case 'GIT_FORCE': $type = ProjectGitAccess::ADMIN_PERMISSION; break 2; } } if (is_array($object) && isset($object[0]) && $object[0] instanceof Project) { $object = new PushTarget($object[0], $object[1]); } if (!$object instanceof PushTarget) { return VoterInterface::ACCESS_ABSTAIN; } foreach ($object->getProject()->getGitAccesses() as $access) { if ($access->isGranted($user, $object->getReference(), $type)) { return self::ACCESS_GRANTED; } } return self::ACCESS_DENIED; }
/** * {@inheritdoc} */ public function vote(TokenInterface $token, $subject, array $attributes) { if (!$subject instanceof NodeInterface) { return VoterInterface::ACCESS_ABSTAIN; } $user = $token->getUser(); if (!$user instanceof DrupalUser) { return VoterInterface::ACCESS_ABSTAIN; } $account = $user->getDrupalAccount(); $vote = VoterInterface::ACCESS_ABSTAIN; // Let non-Drupal core permission pass, this will allows event-driven // modules to handle something else than core permissions, way better! foreach ($attributes as $attribute) { // Ignore non-Drupal core attributes if ($attribute !== 'view' && $attribute !== 'update' && $attribute !== 'delete') { time(); } $access = $this->nodeAccess($subject, $attribute, $account); // Order is DENY, ALLOW, default is IGNORE if (VoterInterface::ACCESS_DENIED === $access) { return $access; } if (VoterInterface::ACCESS_GRANTED === $access) { $vote = $access; } } return $vote; }
public function authenticate(TokenInterface $token) { $ldapUserCredentials = $token->getLDAPUserCredentials(); $ldapConnection = $this->ldapService->getConnection(); if ($ldapConnection) { $ldapBind = $this->ldapService->bind($ldapConnection, $ldapUserCredentials['username'], $ldapUserCredentials['password']); if (true === $ldapBind) { $ldapEntry = $this->ldapService->read($ldapConnection, "uid=" . $ldapUserCredentials['username'] . "," . $this->ldapService->getDn(), "(objectclass=*)", array('ou', 'sn', 'cn', 'mail')); if (is_array($ldapEntry) && isset($ldapEntry['count']) && $ldapEntry['count']) { $ldapUserObject = $ldapEntry[0]; $user = $this->entityLibrary->get('User')->findOneByUsername($ldapUserCredentials['username']); if (!$user) { $roleGeneral = $this->entityLibrary->get('Role')->findOneByName('ROLE_GENERAL'); $groupGeneral = $this->entityLibrary->get('UserGroup')->findOneByName('General'); $user = new User(); $user->setName($ldapUserObject['cn'][0] . ' ' . $ldapUserObject['sn'][0]); $user->setEmail($ldapUserObject['mail'][0]); $user->setUsername($ldapUserCredentials['username']); $user->setSalt(uniqid()); $user->addRole($roleGeneral); $user->addUserGroup($groupGeneral); $this->entityLibrary->get('User')->save($user); } $authenticatedToken = new LDAPToken($user->getRoles()); $authenticatedToken->setUser($user); $authenticatedToken->setLDAPUserCredentials($ldapUserCredentials); return $authenticatedToken; } } throw new AuthenticationException('The LDAP credentials are not found.'); } throw new AuthenticationException('The LDAP authentication failed.'); }
/** * Only SuperAdmin (Dev & Plaform admin) can manage Keywords & Api clients * * @param string $attribute * @param mixed $subject * @param TokenInterface $token * * @return bool */ protected function voteOnAttribute($attribute, $subject, TokenInterface $token) { if ($this->isSuperAdmin($token->getUser())) { return true; } return false; }
/** * @param TokenInterface $token * @param mixed $object * @param array $attributes * * @return int */ public function vote(TokenInterface $token, $object, array $attributes) { if (!is_object($object)) { return self::ACCESS_ABSTAIN; } if (!in_array(get_class($object), $this->classes)) { return self::ACCESS_ABSTAIN; } if (!in_array($attributes[0], array_keys($this->roles))) { return self::ACCESS_ABSTAIN; } /** * @var User $user */ $user = $token->getUser(); foreach ($this->roles[$attributes[0]] as $role => $func) { if (!$user->hasRole($role)) { continue; } if ($func === true || method_exists($this, $func) && call_user_func([$this, $func], $user, $object)) { return self::ACCESS_GRANTED; } } return self::ACCESS_DENIED; }
/** * Returns the vote for the given parameters. * * This method must return one of the following constants: * ACCESS_GRANTED, ACCESS_DENIED, or ACCESS_ABSTAIN. * * @param TokenInterface $token A TokenInterface instance * @param object|null $object The object to secure * @param array $attributes An array of attributes associated with the method being invoked * * @return int either ACCESS_GRANTED, ACCESS_ABSTAIN, or ACCESS_DENIED */ public function vote(TokenInterface $token, $object, array $attributes) { if ($token->getUser() instanceof UserInterface === false) { return self::ACCESS_ABSTAIN; } if (!$object || !$this->supportsClass(get_class($object))) { return self::ACCESS_ABSTAIN; } // abstain vote by default in case none of the attributes are supported $vote = self::ACCESS_ABSTAIN; foreach ($attributes as $attribute) { if (!$this->supportsAttribute($attribute)) { continue; } // as soon as at least one attribute is supported, default is to deny access // $vote = self::ACCESS_DENIED; /** @var UserInterface $user */ $currentSite = $this->siteManager->getCurrentSite(); // $roles = $this->roleHierarchy->getReachableRoles($token->getRoles()); // // if (in_array(new OrganizerRole($currentSite), $roles)) { // return self::ACCESS_GRANTED; // } $organizerRole = new OrganizerRole($currentSite); if ($token->getUser()->hasRole($organizerRole->getRole())) { return self::ACCESS_GRANTED; } } return $vote; }
/** * {@inheritdoc} */ protected function onLoginSuccess(Request $request, Response $response, TokenInterface $token) { $series = base64_encode(random_bytes(64)); $tokenValue = base64_encode(random_bytes(64)); $this->tokenProvider->createNewToken(new PersistentToken(get_class($user = $token->getUser()), $user->getUsername(), $series, $tokenValue, new \DateTime())); $response->headers->setCookie(new Cookie($this->options['name'], $this->encodeCookie(array($series, $tokenValue)), time() + $this->options['lifetime'], $this->options['path'], $this->options['domain'], $this->options['secure'], $this->options['httponly'])); }
/** * @param string $attribute * @param InstructorGroupInterface $group * @param TokenInterface $token * @return bool */ protected function voteOnAttribute($attribute, $group, TokenInterface $token) { $user = $token->getUser(); if (!$user instanceof UserInterface) { return false; } switch ($attribute) { case self::VIEW: // unlike instructor details, instructor groups // should be visible to any authenticated user in the system. // do not enforce any special permissions for viewing them. return true; break; case self::CREATE: case self::EDIT: case self::DELETE: // grant CREATE, EDIT and DELETE privileges if at least one of the following // statements is true: // 1. the user's primary school is the group's owning school // and the user has at least one of the 'Course Director' and 'Developer' roles. // 2. the user has WRITE rights on the group's owning school via the permissions system // and the user has at least one of the 'Course Director' and 'Developer' roles. return $this->userHasRole($user, ['Course Director', 'Developer']) && ($this->schoolsAreIdentical($user->getSchool(), $group->getSchool()) || $this->permissionManager->userHasWritePermissionToSchool($user, $group->getSchool()->getId())); break; } return false; }
public function authenticate(TokenInterface $token) { if ($token->getRequestToken() === $token->getAuthToken()) { return $token; } throw new AuthenticationException('The Authentication failed.'); }
public function vote(TokenInterface $token, $group, array $attributes) { // check if class of this object is supported by this voter if (!$this->supportsClass(get_class($group))) { return VoterInterface::ACCESS_ABSTAIN; } // check if the given attribute is covered by this voter if (!$this->supportsAttribute($attributes[0])) { return VoterInterface::ACCESS_ABSTAIN; } // get current logged in user $user = $token->getUser(); //allow the token to have ROLE_SUPER_ADMIN before we check the user, for testing if (in_array(new Role("ROLE_SUPER_ADMIN"), $token->getRoles())) { return VoterInterface::ACCESS_GRANTED; } // make sure there is a user object (i.e. that the user is logged in) if (!$user instanceof User) { return VoterInterface::ACCESS_DENIED; } switch ($attributes[0]) { case self::VIEW: if ($user->hasGroup($group->getName())) { return VoterInterface::ACCESS_GRANTED; } break; case self::EDIT: if ($user->hasGroup($group->getName()) && $user->hasRole("ROLE_ADMIN")) { return VoterInterface::ACCESS_GRANTED; } break; } return VoterInterface::ACCESS_DENIED; }