/**
 * Returns an array of common actions and whether they are allowed for current user
 *
 * This should NOT be used in our own code, because it is suboptimal,
 * instead a direct, single call to Authorization service is preferred. It exists here
 * only for ease of use for REST API.
 *
 * Keys are 'read', 'update' and 'delete', resolved against GET, PUT and DELETE
 * respectively. PATCH is not consulted, so 'update' reflects the PUT verdict only.
 *
 * @param AbstractModel $object
 * @return array
 */
private function getPermissions(AbstractModel $object)
{
    $identity = $this->authentification->getIdentity();
    $resource = new \Application\Authorization\ModelResource($this->getResourceId($object), $object);

    // Each exposed action is checked with the HTTP method the ACL rules are keyed on.
    $actions = [
        'read' => Request::METHOD_GET,
        'update' => Request::METHOD_PUT,
        'delete' => Request::METHOD_DELETE,
    ];

    $permissions = [];
    foreach ($actions as $action => $httpMethod) {
        $permissions[$action] = $this->authorization->isAuthorized($identity, $resource, $httpMethod);
    }

    return $permissions;
}
/**
 * Registers the roles and the deny rules applied to REST resources.
 *
 * Only deny rules are registered here; the verdict for any role/resource/privilege
 * combination not listed below depends on how AclAuthorization is configured
 * (NOTE(review): confirm it is deny-by-default, otherwise unlisted resources are open).
 * Rules are registered in the same order as before, since later rules may take
 * precedence over earlier ones for the same role/resource/privilege.
 *
 * @param AclAuthorization $authorization
 */
public function __construct(AclAuthorization $authorization)
{
    $authorization->addRole('member');
    $authorization->addRole('admin');

    $hasNoRelation = new HasNoRelation();
    $lastRelation = new LastRelation();

    // Holds when at least one of HasNoRelation / LastRelation asserts.
    $hasNoRelationOrLastRelation = new AssertionAggregate();
    $hasNoRelationOrLastRelation->addAssertion($hasNoRelation);
    $hasNoRelationOrLastRelation->addAssertion($lastRelation);
    $hasNoRelationOrLastRelation->setMode(AssertionAggregate::MODE_AT_LEAST_ONE);

    $writePrivileges = [Request::METHOD_PUT, Request::METHOD_PATCH, Request::METHOD_DELETE];

    // Member writes on these entities are denied when HasNoRelation asserts.
    $relationGuardedEntities = [
        'Theodia\\V1\\Rest\\Calendar\\Controller::entity',
        'Theodia\\V1\\Rest\\Event\\Controller::entity',
        'Theodia\\V1\\Rest\\Place\\Controller::entity',
        'Theodia\\V1\\Rest\\User\\Controller::entity',
    ];
    foreach ($relationGuardedEntities as $entityResource) {
        $authorization->deny('member', $entityResource, $writePrivileges, $hasNoRelation);
    }

    // Member writes on these entities are denied unconditionally.
    $readOnlyEntities = [
        'Theodia\\V1\\Rest\\PlaceType\\Controller::entity',
        'Theodia\\V1\\Rest\\Rite\\Controller::entity',
        'Theodia\\V1\\Rest\\Tag\\Controller::entity',
    ];
    foreach ($readOnlyEntities as $entityResource) {
        $authorization->deny('member', $entityResource, $writePrivileges);
    }

    $userRelationEntities = [
        'Theodia\\V1\\Rest\\UserCalendar\\Controller::entity',
        'Theodia\\V1\\Rest\\UserPlace\\Controller::entity',
    ];

    // Member PUT/PATCH on user relations: denied when HasNoRelation asserts.
    $editPrivileges = [Request::METHOD_PUT, Request::METHOD_PATCH];
    foreach ($userRelationEntities as $entityResource) {
        $authorization->deny('member', $entityResource, $editPrivileges, $hasNoRelation);
    }

    // Member DELETE on user relations: denied when either assertion holds.
    foreach ($userRelationEntities as $entityResource) {
        $authorization->deny('member', $entityResource, [Request::METHOD_DELETE], $hasNoRelationOrLastRelation);
    }

    // Admin DELETE on user relations: denied only when LastRelation asserts.
    foreach ($userRelationEntities as $entityResource) {
        $authorization->deny('admin', $entityResource, [Request::METHOD_DELETE], $lastRelation);
    }

    // Member POST on user relation collections: denied when HasNoRelation asserts.
    $userRelationCollections = [
        'Theodia\\V1\\Rest\\UserCalendar\\Controller::collection',
        'Theodia\\V1\\Rest\\UserPlace\\Controller::collection',
    ];
    foreach ($userRelationCollections as $collectionResource) {
        $authorization->deny('member', $collectionResource, [Request::METHOD_POST], $hasNoRelation);
    }
}