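/**
 * Given a SecurableItem, add and remove permissions based on what the provided
 * ExplicitReadWriteModelPermissions indicates should be done.
 *
 * Sets @see SecurableItem->setTreatCurrentUserAsOwnerForPermissions to true for the duration of the edit so
 * the current user can effectively add permissions even if the current user is no longer the owner. Because
 * that flag is an elevation of the current user's rights on this item, it is restored to false on EVERY exit
 * path, including when an unsupported permitable or a failing save() throws; the original only reset it on the
 * normal return paths, leaving the item "owned" by the current user for the rest of the request if an exception
 * escaped. The workflow-on-save flag is restored the same way.
 *
 * Supported permitables are Group and User only; anything else is rejected before any permission is
 * modified. Read-only grants/revocations use Permission::READ, read-write ones use
 * Permission::READ_WRITE_CHANGE_PERMISSIONS_CHANGE_OWNER.
 *
 * @param SecurableItem $securableItem  must already be persisted (id > 0)
 * @param ExplicitReadWriteModelPermissions $explicitReadWriteModelPermissions
 * @return boolean  the result of save() when any permission changed, otherwise true (nothing to persist)
 * @throws NotSupportedException  when a permitable is neither a Group nor a User
 */
public static function resolveExplicitReadWriteModelPermissions(SecurableItem $securableItem, ExplicitReadWriteModelPermissions $explicitReadWriteModelPermissions)
{
    assert('$securableItem->id > 0');
    // Elevate: treat the current user as owner so the edits below pass the item's own permission checks.
    $securableItem->setTreatCurrentUserAsOwnerForPermissions(true);
    $setBackToProcess  = false;
    try
    {
        $saveSecurableItem = false;
        if ($explicitReadWriteModelPermissions->getReadOnlyPermitablesCount() > 0)
        {
            $saveSecurableItem = true;
            foreach ($explicitReadWriteModelPermissions->getReadOnlyPermitables() as $permitable)
            {
                self::applyExplicitPermissionChange($securableItem, $permitable, Permission::READ, true);
            }
        }
        if ($explicitReadWriteModelPermissions->getReadWritePermitablesCount() > 0)
        {
            $saveSecurableItem = true;
            foreach ($explicitReadWriteModelPermissions->getReadWritePermitables() as $permitable)
            {
                self::applyExplicitPermissionChange($securableItem, $permitable,
                                                    Permission::READ_WRITE_CHANGE_PERMISSIONS_CHANGE_OWNER, true);
            }
        }
        if ($explicitReadWriteModelPermissions->getReadOnlyPermitablesToRemoveCount() > 0)
        {
            $saveSecurableItem = true;
            foreach ($explicitReadWriteModelPermissions->getReadOnlyPermitablesToRemove() as $permitable)
            {
                self::applyExplicitPermissionChange($securableItem, $permitable, Permission::READ, false);
            }
        }
        if ($explicitReadWriteModelPermissions->getReadWritePermitablesToRemoveCount() > 0)
        {
            $saveSecurableItem = true;
            foreach ($explicitReadWriteModelPermissions->getReadWritePermitablesToRemove() as $permitable)
            {
                self::applyExplicitPermissionChange($securableItem, $permitable,
                                                    Permission::READ_WRITE_CHANGE_PERMISSIONS_CHANGE_OWNER, false);
            }
        }
        if (!$saveSecurableItem)
        {
            // Nothing was granted or revoked; there is nothing to persist.
            $saved = true;
        }
        else
        {
            // Workflow is suppressed around this save (presumably so a permissions-only save does not fire
            // workflow rules as if it were a data change -- confirm) and re-enabled afterwards.
            if ($securableItem->shouldProcessWorkflowOnSave())
            {
                $securableItem->setDoNotProcessWorkflowOnSave();
                $setBackToProcess = true;
            }
            $saved = $securableItem->save();
        }
    }
    catch (\Exception $e)
    {
        // Drop the ownership elevation (and restore workflow processing) before letting the failure propagate.
        self::restoreStateAfterPermissionEdit($securableItem, $setBackToProcess);
        throw $e;
    }
    self::restoreStateAfterPermissionEdit($securableItem, $setBackToProcess);
    return $saved;
}

/**
 * Grants or revokes one permission for one permitable and keeps the read-permission optimization tables in
 * step. The permitable type is validated BEFORE the item is touched so an unsupported type never leaves a
 * half-applied change on the model.
 *
 * @param SecurableItem $securableItem
 * @param mixed $permitable  Group or User
 * @param int $permission  a Permission::* constant
 * @param boolean $grant  true to add the permission, false to remove it
 * @throws NotSupportedException  when $permitable is neither a Group nor a User
 */
private static function applyExplicitPermissionChange(SecurableItem $securableItem, $permitable, $permission, $grant)
{
    $isGroup = $permitable instanceof Group;
    $isUser  = $permitable instanceof User;
    if (!$isGroup && !$isUser)
    {
        throw new NotSupportedException();
    }
    if ($grant)
    {
        $securableItem->addPermissions($permitable, $permission);
        if ($isGroup)
        {
            ReadPermissionsOptimizationUtil::securableItemGivenPermissionsForGroup($securableItem, $permitable);
        }
        else
        {
            ReadPermissionsOptimizationUtil::securableItemGivenPermissionsForUser($securableItem, $permitable);
        }
    }
    else
    {
        // Removal targets the ALLOW entry only, as in the original; DENY entries are not touched here.
        $securableItem->removePermissions($permitable, $permission, Permission::ALLOW);
        if ($isGroup)
        {
            ReadPermissionsOptimizationUtil::securableItemLostPermissionsForGroup($securableItem, $permitable);
        }
        else
        {
            ReadPermissionsOptimizationUtil::securableItemLostPermissionsForUser($securableItem, $permitable);
        }
    }
}

/**
 * Undoes the temporary state set up for a permission edit: re-enables workflow processing if this call
 * disabled it, then clears the "treat current user as owner" elevation. Order matches the original code.
 *
 * @param SecurableItem $securableItem
 * @param boolean $setBackToProcess  whether workflow processing was switched off by the caller
 */
private static function restoreStateAfterPermissionEdit(SecurableItem $securableItem, $setBackToProcess)
{
    if ($setBackToProcess)
    {
        $securableItem->setProcessWorkflowOnSave();
    }
    $securableItem->setTreatCurrentUserAsOwnerForPermissions(false);
}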