private function initRoles() { if (!$this->policyService->hasRole('DLigo.Animaltool:Admin')) { $this->policyService->createRole('DLigo.Animaltool:Admin'); } if (!$this->policyService->hasRole('DLigo.Animaltool:Catcher')) { $this->policyService->createRole('DLigo.Animaltool:Catcher'); } if (!$this->policyService->hasRole('DLigo.Animaltool:Doctor')) { $this->policyService->createRole('DLigo.Animaltool:Doctor'); } }
/** * Initializes the roles field by fetching the role objects referenced by the roleIdentifiers * * @return void */ protected function initializeRoles() { if ($this->roles !== null) { return; } $this->roles = []; foreach ($this->roleIdentifiers as $key => $roleIdentifier) { // check for and clean up roles no longer available if ($this->policyService->hasRole($roleIdentifier)) { $this->roles[$roleIdentifier] = $this->policyService->getRole($roleIdentifier); } else { unset($this->roleIdentifiers[$key]); } } }
/** * @test */ public function hasRoleReturnsTrueIfTheSpecifiedRoleIsConfigured() { $this->mockPolicyConfiguration = ['roles' => ['Some.Package:SomeRole' => []]]; $this->assertTrue($this->policyService->hasRole('Some.Package:SomeRole')); }
/** * Replaces a role identifier not containing a "." into fully qualified role identifier from the TYPO3.Neos namespace. * * @param string $roleIdentifier * @return string * @throws NoSuchRoleException */ protected function normalizeRoleIdentifier($roleIdentifier) { if (strpos($roleIdentifier, ':') === false) { $roleIdentifier = 'TYPO3.Neos:' . $roleIdentifier; } if (!$this->policyService->hasRole($roleIdentifier)) { throw new NoSuchRoleException(sprintf('The role %s does not exist.', $roleIdentifier), 1422540184); } return $roleIdentifier; }
/** * Shows the effective policy rules currently active in the system * * @param boolean $grantsOnly Only list methods effectively granted to the given roles * @return void */ public function showEffectivePolicyCommand($grantsOnly = FALSE) { $roles = array(); $roleIdentifiers = $this->request->getExceedingArguments(); if (empty($roleIdentifiers) === TRUE) { $this->outputLine('Please specify at leas one role, to calculate the effective privileges for!'); $this->quit(1); } foreach ($roleIdentifiers as $roleIdentifier) { if ($this->policyService->hasRole($roleIdentifier)) { $currentRole = $this->policyService->getRole($roleIdentifier); $roles[$roleIdentifier] = $currentRole; foreach ($this->policyService->getAllParentRoles($currentRole) as $parentRoleIdentifier => $parentRole) { if (!isset($roles[$parentRoleIdentifier])) { $roles[$parentRoleIdentifier] = $parentRole; } } } } if (count($roles) === 0) { $this->outputLine('The specified role(s) do not exist.'); $this->quit(1); } $this->outputLine(PHP_EOL . 'The following roles will be used for calculating the effective privileges (retrieved from the configured roles hierarchy):' . PHP_EOL); foreach ($roles as $roleIdentifier => $role) { $this->outputLine($roleIdentifier); } $dummySecurityContext = new DummyContext(); $dummySecurityContext->setRoles($roles); $accessDecisionManager = new AccessDecisionVoterManager($this->objectManager, $dummySecurityContext); if ($this->policyCache->has('acls')) { $classes = array(); $acls = $this->policyCache->get('acls'); foreach ($acls as $classAndMethodName => $aclEntry) { if (strpos($classAndMethodName, '->') === FALSE) { continue; } list($className, $methodName) = explode('->', $classAndMethodName); $className = $this->objectManager->getCaseSensitiveObjectName($className); $reflectionClass = new \ReflectionClass($className); foreach ($reflectionClass->getMethods() as $casSensitiveMethodName) { if ($methodName === strtolower($casSensitiveMethodName->getName())) { $methodName = $casSensitiveMethodName->getName(); break; } } $runtimeEvaluationsInPlace = FALSE; foreach ($aclEntry as $role => $resources) { if (in_array($role, $roles) === FALSE) { continue; } if (!isset($classes[$className])) { $classes[$className] = array(); } if (!isset($classes[$className][$methodName])) { $classes[$className][$methodName] = array(); $classes[$className][$methodName]['resources'] = array(); } foreach ($resources as $resourceName => $privilege) { $classes[$className][$methodName]['resources'][$resourceName] = $privilege; if ($privilege['runtimeEvaluationsClosureCode'] !== FALSE) { $runtimeEvaluationsInPlace = TRUE; } } } if ($runtimeEvaluationsInPlace === FALSE) { try { $accessDecisionManager->decideOnJoinPoint(new JoinPoint(NULL, $className, $methodName, array())); } catch (AccessDeniedException $e) { $classes[$className][$methodName]['effectivePrivilege'] = $e->getMessage(); } if (!isset($classes[$className][$methodName]['effectivePrivilege'])) { $classes[$className][$methodName]['effectivePrivilege'] = 'Access granted'; } } else { $classes[$className][$methodName]['effectivePrivilege'] = 'Could not be calculated. Runtime evaluations in place!'; } } foreach ($classes as $className => $methods) { $classNamePrinted = FALSE; foreach ($methods as $methodName => $resources) { if ($grantsOnly === TRUE && $resources['effectivePrivilege'] !== 'Access granted') { continue; } if ($classNamePrinted === FALSE) { $this->outputLine(PHP_EOL . PHP_EOL . ' <b>' . $className . '</b>'); $classNamePrinted = TRUE; } $this->outputLine(PHP_EOL . ' ' . $methodName); if (isset($resources['resources']) === TRUE && is_array($resources['resources']) === TRUE) { foreach ($resources['resources'] as $resourceName => $privilege) { switch ($privilege['privilege']) { case PolicyService::PRIVILEGE_GRANT: $this->outputLine(' Resource "<i>' . $resourceName . '</i>": Access granted'); break; case PolicyService::PRIVILEGE_DENY: $this->outputLine(' Resource "<i>' . $resourceName . '</i>": Access denied'); break; case PolicyService::PRIVILEGE_ABSTAIN: $this->outputLine(' Resource "<i>' . $resourceName . '</i>": Vote abstained (no acl entry for given roles)'); break; } } } $this->outputLine(' <b>Effective privilege for given roles: ' . $resources['effectivePrivilege'] . '</b>'); } } } else { $this->outputLine('Could not find any policy entries, please warmup caches...'); } }