/** * Creates a ResourceNode * @param AbstractResource $resource * @param User $creator * @return ResourceNode */ public function addResourceNode(AbstractResource $resource, User $creator) { $resourceNode = new ResourceNode(); $resourceNode->setName($resource->getName())->setCreator($creator)->setTool($this->getTool()); $this->getEntityManager()->persist($resourceNode); $this->getEntityManager()->flush(); return $resourceNode; }
/** * @param string $attribute * @param ResourceNode $resourceNode * @param null $user * * @return bool */ protected function isGranted($attribute, $resourceNode, $user = null) { // Make sure there is a user object (i.e. that the user is logged in) if (!$user instanceof UserInterface) { return false; } // Checking admin roles $authChecker = $this->container->get('security.authorization_checker'); // Admins have access to everything if ($authChecker->isGranted('ROLE_ADMIN')) { // return true; } // Check if I'm the owner $creator = $resourceNode->getCreator(); if ($creator instanceof UserInterface && $user->getUsername() == $creator->getUsername()) { //return true; } // Checking possible links connected to this resource $request = $this->container->get('request_stack')->getCurrentRequest(); $courseCode = $request->get('course'); $sessionId = $request->get('session'); $links = $resourceNode->getLinks(); $linkFound = false; /** @var ResourceLink $link */ foreach ($links as $link) { $linkUser = $link->getUser(); $linkCourse = $link->getCourse(); $linkSession = $link->getSession(); $linkUserGroup = $link->getUserGroup(); // Check if resource was sent to the current user if ($linkUser instanceof UserInterface && $linkUser->getUsername() == $creator->getUsername()) { $linkFound = true; break; } // @todo Check if resource was sent to a usergroup // @todo Check if resource was sent to a group inside a course // Check if resource was sent to a course inside a session if ($linkSession instanceof Session && !empty($sessionId) && $linkCourse instanceof Course && !empty($courseCode)) { $session = $this->container->get('chamilo_core.manager.session')->find($sessionId); $course = $this->container->get('chamilo_core.manager.course')->findOneByCode($courseCode); if ($session instanceof Session && $course instanceof Course && $linkCourse->getCode() == $course->getCode() && $linkSession->getId() == $session->getId()) { $linkFound = true; break; } } // Check if resource was sent to a course if ($linkCourse instanceof Course && !empty($courseCode)) { $course = $this->container->get('chamilo_core.manager.course')->findOneByCode($courseCode); if ($course instanceof Course && $linkCourse->getCode() == $course->getCode()) { $linkFound = true; break; } } } // No link was found! if ($linkFound === false) { return false; } // Getting rights from the link $rightFromResourceLink = $link->getRights(); if ($rightFromResourceLink->count()) { // Taken rights from the link $rights = $rightFromResourceLink; } else { // Taken the rights from the default tool $rights = $link->getResourceNode()->getTool()->getToolResourceRights(); } // Asked mask $mask = new MaskBuilder(); $mask->add($attribute); $askedMask = $mask->get(); // Check all the right this link has. $roles = array(); foreach ($rights as $right) { $roles[$right->getMask()] = $right->getRole(); } // Setting zend simple ACL $acl = new Acl(); // Creating roles // @todo move this in a service $userRole = new Role('ROLE_USER'); $teacher = new Role(self::ROLE_CURRENT_COURSE_TEACHER); $student = new Role(self::ROLE_CURRENT_COURSE_STUDENT); $superAdmin = new Role('ROLE_SUPER_ADMIN'); $admin = new Role('ROLE_ADMIN'); // Adding roles to the ACL // User role $acl->addRole($userRole); // Adds role student $acl->addRole($student); // Adds teacher role, inherit student role $acl->addRole($teacher, $student); $acl->addRole($superAdmin); $acl->addRole($admin); // Adds a resource $resource = new Resource($link); $acl->addResource($resource); // Role and permissions settings // Students can view // Student can just view (read) $acl->allow($student, null, self::getReaderMask()); // Teacher can view/edit $acl->allow($teacher, null, array(self::getReaderMask(), self::getEditorMask())); // Admin can do everything $acl->allow($admin); $acl->allow($superAdmin); foreach ($user->getRoles() as $role) { if ($acl->isAllowed($role, $resource, $askedMask)) { dump('passed'); return true; } } dump('not allowed to ' . $attribute); return false; }