/**
 * Check that the role is not already assigned to the given group and strip
 * limitation values that an existing assignment already carries.
 *
 * Assignments to other roles are ignored. An existing assignment of the same
 * role without limitations always conflicts; one with the same limitation
 * identifier conflicts only if it already covers every requested value.
 *
 * @param mixed $contentId
 * @param SPIRole $spiRole
 * @param array|null $limitation Limitation identifier => list of values, or null for an unlimited assignment
 *
 * @return array[]|null Filtered version of $limitation (values already assigned are removed)
 *
 * @throws \eZ\Publish\Core\Base\Exceptions\InvalidArgumentException If assignment already exists
 */
protected function checkAssignmentAndFilterLimitationValues($contentId, SPIRole $spiRole, array $limitation = null)
{
    $existingAssignments = $this->userHandler->loadRoleAssignmentsByGroupId($contentId);

    foreach ($existingAssignments as $existing) {
        if ($existing->roleId !== $spiRole->id) {
            // Assignment belongs to a different role; not relevant here.
            continue;
        }

        $identifier = $existing->limitationIdentifier;
        if ($identifier === null) {
            // An unlimited assignment of this role already exists; nothing new can be added.
            throw new InvalidArgumentException('$role', "Role '{$spiRole->id}' already assigned without limitations");
        }

        if ($limitation === null || !isset($limitation[$identifier])) {
            // Either we assign without limitations, or with a different limitation type;
            // neither is checked against this limited assignment.
            continue;
        }

        $remaining = array_diff($limitation[$identifier], $existing->values);
        if (empty($remaining)) {
            // Every requested value is already covered by the existing assignment.
            throw new InvalidArgumentException('$role', "Role '{$spiRole->id}' already assigned with same '{$identifier}' value");
        }

        // Keep only the values not yet present on the existing assignment.
        $limitation[$identifier] = $remaining;
    }

    return $limitation;
}
/**
 * Check whether a user may use the given module/function.
 *
 * Returns true for unconditional access, false for no access, or an array of
 * permission sets when access depends on limitations. Each permission set is
 * an array with a 'limitation' key (null, or a limitation value built from the
 * role assignment) and a 'policies' key (domain policy objects matching the
 * module/function). A non-empty array is truthy, so callers must compare the
 * result with `=== true` to test for unconditional access.
 *
 * @param string $module
 * @param string $function
 * @param APIUserReference|null $userReference Defaults to the current user
 *
 * @return bool|array
 */
public function hasAccess($module, $function, APIUserReference $userReference = null)
{
    // Full access if sudo nesting level is set by {@see sudo()}
    if ($this->sudoNestingLevel > 0) {
        return true;
    }

    if ($userReference === null) {
        $userReference = $this->getCurrentUserReference();
    }

    // Uses SPI to avoid triggering permission checks in Role/User service
    $permissionSets = array();
    // NOTE(review): the second argument presumably includes assignments inherited
    // through the user's groups — confirm against the handler's signature.
    $spiRoleAssignments = $this->userHandler->loadRoleAssignmentsByGroupId($userReference->getUserId(), true);
    foreach ($spiRoleAssignments as $spiRoleAssignment) {
        $permissionSet = array('limitation' => null, 'policies' => array());

        $spiRole = $this->userHandler->loadRole($spiRoleAssignment->roleId);
        foreach ($spiRole->policies as $spiPolicy) {
            // A wildcard policy grants full access only when the assignment itself
            // carries no limitation; a limited assignment falls through and its
            // wildcard policies are collected below instead.
            if ($spiPolicy->module === '*' && $spiRoleAssignment->limitationIdentifier === null) {
                return true;
            }

            if ($spiPolicy->module !== $module && $spiPolicy->module !== '*') {
                continue;
            }

            if ($spiPolicy->function === '*' && $spiRoleAssignment->limitationIdentifier === null) {
                return true;
            }

            if ($spiPolicy->function !== $function && $spiPolicy->function !== '*') {
                continue;
            }

            // Policy without limitations on an unlimited assignment: unconditional access.
            if ($spiPolicy->limitations === '*' && $spiRoleAssignment->limitationIdentifier === null) {
                return true;
            }

            // Remaining policies match module/function but may carry limitations;
            // they are returned for the caller to evaluate.
            $permissionSet['policies'][] = $this->roleDomainMapper->buildDomainPolicyObject($spiPolicy);
        }

        if (!empty($permissionSet['policies'])) {
            // Attach the assignment-level limitation (if any) so the caller can apply it.
            if ($spiRoleAssignment->limitationIdentifier !== null) {
                $permissionSet['limitation'] = $this->limitationService->getLimitationType($spiRoleAssignment->limitationIdentifier)->buildValue($spiRoleAssignment->values);
            }

            $permissionSets[] = $permissionSet;
        }
    }

    if (!empty($permissionSets)) {
        return $permissionSets;
    }

    return false; // No policies matching $module and $function, or they contained limitations
}
/**
 * Returns the roles assigned to the given user group.
 *
 * Access is only granted when hasAccess() returns exactly true; a limited
 * 'role'/'read' policy (returned as an array) is treated as no access here.
 *
 * @throws \eZ\Publish\API\Repository\Exceptions\UnauthorizedException if the authenticated user is not allowed to read a role
 *
 * @param \eZ\Publish\API\Repository\Values\User\UserGroup $userGroup
 *
 * @return \eZ\Publish\API\Repository\Values\User\UserGroupRoleAssignment[]
 */
public function getRoleAssignmentsForUserGroup(UserGroup $userGroup)
{
    if ($this->repository->hasAccess('role', 'read') !== true) {
        throw new UnauthorizedException('role', 'read');
    }

    $assignments = array();
    foreach ($this->userHandler->loadRoleAssignmentsByGroupId($userGroup->id) as $spiAssignment) {
        $assignments[] = $this->buildDomainUserGroupRoleAssignmentObject($spiAssignment, $userGroup);
    }

    return $assignments;
}
/**
 * Loads the users of a user group.
 *
 * Users are found by searching for content of the configured user class
 * directly below the group's main location, sorted like that location.
 * A group without a main location yields an empty list.
 *
 * @throws \eZ\Publish\API\Repository\Exceptions\UnauthorizedException if the authenticated user is not allowed to read the users or user group
 *
 * @param \eZ\Publish\API\Repository\Values\User\UserGroup $userGroup
 * @param int $offset Negative values are clamped to 0
 * @param int $limit Values below 1 mean no limit
 *
 * @return \eZ\Publish\API\Repository\Values\User\User[]
 */
public function loadUsersOfUserGroup(APIUserGroup $userGroup, $offset = 0, $limit = -1)
{
    $group = $this->loadUserGroup($userGroup->id);
    $mainLocationId = $group->getVersionInfo()->getContentInfo()->mainLocationId;
    if ($mainLocationId === null) {
        return array();
    }

    $groupLocation = $this->repository->getLocationService()->loadLocation($mainLocationId);

    $query = new Query();
    $query->filter = new CriterionLogicalAnd(array(
        new CriterionContentTypeId($this->settings['userClassID']),
        new CriterionParentLocationId($groupLocation->id),
    ));
    // Normalise paging: no negative offsets, and a null limit for "unbounded".
    $query->offset = $offset > 0 ? (int) $offset : 0;
    $query->limit = $limit >= 1 ? (int) $limit : null;
    $query->sortClauses = array(
        $this->getSortClauseBySortField($groupLocation->sortField, $groupLocation->sortOrder),
    );

    $hits = $this->repository->getSearchService()->findContent($query, array())->searchHits;

    $users = array();
    foreach ($hits as $hit) {
        $users[] = $this->buildDomainUserObject(
            $this->userHandler->load($hit->valueObject->id),
            $hit->valueObject
        );
    }

    return $users;
}
/**
 * Loads the users of a user group.
 *
 * Users are found with a location search for content of the configured user
 * class directly below the group's main location, using that location's own
 * sort clauses. A group without a main location yields an empty list.
 * $offset and $limit are passed to the query as given, without clamping.
 *
 * @throws \eZ\Publish\API\Repository\Exceptions\UnauthorizedException if the authenticated user is not allowed to read the users or user group
 *
 * @param \eZ\Publish\API\Repository\Values\User\UserGroup $userGroup
 * @param int $offset the start offset for paging
 * @param int $limit the number of users returned
 *
 * @return \eZ\Publish\API\Repository\Values\User\User[]
 */
public function loadUsersOfUserGroup(APIUserGroup $userGroup, $offset = 0, $limit = 25)
{
    $group = $this->loadUserGroup($userGroup->id);
    $mainLocationId = $group->getVersionInfo()->getContentInfo()->mainLocationId;
    if ($mainLocationId === null) {
        return array();
    }

    $groupLocation = $this->repository->getLocationService()->loadLocation($mainLocationId);

    $query = new LocationQuery();
    $query->filter = new CriterionLogicalAnd(array(
        new CriterionContentTypeId($this->settings['userClassID']),
        new CriterionParentLocationId($groupLocation->id),
    ));
    $query->offset = $offset;
    $query->limit = $limit;
    // The total count is not needed for building the list, so skip it.
    $query->performCount = false;
    $query->sortClauses = $groupLocation->getSortClauses();

    $hits = $this->repository->getSearchService()->findLocations($query)->searchHits;
    $contentService = $this->repository->getContentService();

    $users = array();
    foreach ($hits as $hit) {
        $contentId = $hit->valueObject->contentInfo->id;
        $users[] = $this->buildDomainUserObject(
            $this->userHandler->load($contentId),
            $contentService->internalLoadContent($contentId)
        );
    }

    return $users;
}