예제 #1
 /**
  * Validates that the assignment does not already exist and filters the limitation values against existing assignments.
  *
  * @param mixed $contentId
  * @param SPIRole $spiRole
  * @param array|null $limitation
  *
  * @return array[]|null Filtered version of $limitation
  *
  * @throws \eZ\Publish\Core\Base\Exceptions\InvalidArgumentException If assignment already exists
  */
 protected function checkAssignmentAndFilterLimitationValues($contentId, SPIRole $spiRole, array $limitation = null)
 {
     // Only assignments loaded for $contentId itself are compared; no second
     // argument is passed to the handler here.
     foreach ($this->userHandler->loadRoleAssignmentsByGroupId($contentId) as $existing) {
         // Assignments of other roles are irrelevant for the duplicate check.
         if ($existing->roleId !== $spiRole->id) {
             continue;
         }

         $identifier = $existing->limitationIdentifier;

         // The role is already assigned without any limitation: reject, whatever
         // the new assignment would look like.
         if ($identifier === null) {
             throw new InvalidArgumentException('$role', "Role '{$spiRole->id}' already assigned without limitations");
         }

         // Nothing to filter when the new assignment is unlimited, or when it
         // does not use the limitation identifier of the existing assignment.
         if ($limitation === null || !isset($limitation[$identifier])) {
             continue;
         }

         // Keep only the values that are not assigned yet; if none remain, the
         // requested assignment is a duplicate for this identifier.
         $remaining = array_diff($limitation[$identifier], $existing->values);
         if (count($remaining) === 0) {
             throw new InvalidArgumentException('$role', "Role '{$spiRole->id}' already assigned with same '{$identifier}' value");
         }

         // Later iterations (and the caller) see the reduced value list.
         $limitation[$identifier] = $remaining;
     }

     return $limitation;
 }
 /**
  * Checks whether a user may use $function of $module.
  *
  * The result is tri-state and must be compared strictly by callers:
  *  - true:  unrestricted access (sudo nesting is active, or a wildcard policy
  *           matched through a role assignment that carries no limitation),
  *  - false: no policy matched,
  *  - array: permission sets (keys 'limitation' and 'policies') that still
  *           have to be evaluated by the caller.
  * A loose truthiness test would treat the array case like full access.
  *
  * @param string $module
  * @param string $function
  * @param APIUserReference|null $userReference Falls back to the current user reference when null
  *
  * @return bool|array
  */
 public function hasAccess($module, $function, APIUserReference $userReference = null)
 {
     // While sudo nesting is active (see {@see sudo()}) every check resolves to full access.
     if ($this->sudoNestingLevel > 0) {
         return true;
     }

     $userReference = $userReference === null ? $this->getCurrentUserReference() : $userReference;

     // Goes through the SPI handler so that no permission checks of the
     // Role/User service are triggered while resolving permissions.
     // NOTE(review): the second argument (true) presumably requests inherited
     // assignments as well; confirm against the handler.
     $grants = array();
     $assignments = $this->userHandler->loadRoleAssignmentsByGroupId($userReference->getUserId(), true);
     foreach ($assignments as $assignment) {
         // Wildcard policies only short-circuit to true for assignments without a role limitation.
         $unlimited = $assignment->limitationIdentifier === null;
         $matching = array();

         foreach ($this->userHandler->loadRole($assignment->roleId)->policies as $policy) {
             $anyModule = $policy->module === '*';
             if ($anyModule && $unlimited) {
                 return true;
             }
             if (!$anyModule && $policy->module !== $module) {
                 continue;
             }

             $anyFunction = $policy->function === '*';
             if ($anyFunction && $unlimited) {
                 return true;
             }
             if (!$anyFunction && $policy->function !== $function) {
                 continue;
             }

             if ($unlimited && $policy->limitations === '*') {
                 return true;
             }

             // The policy matches but is limited (by itself or by the assignment): collect it.
             $matching[] = $this->roleDomainMapper->buildDomainPolicyObject($policy);
         }

         if (empty($matching)) {
             continue;
         }

         $grants[] = array(
             'limitation' => $unlimited
                 ? null
                 : $this->limitationService->getLimitationType($assignment->limitationIdentifier)->buildValue($assignment->values),
             'policies' => $matching,
         );
     }

     // false means that no policy matched $module and $function in any assignment.
     return empty($grants) ? false : $grants;
 }
 /**
  * Returns the roles assigned to the given user group
  *
  * @throws \eZ\Publish\API\Repository\Exceptions\UnauthorizedException if the authenticated user is not allowed to read a role
  *
  * @param \eZ\Publish\API\Repository\Values\User\UserGroup $userGroup
  *
  * @return \eZ\Publish\API\Repository\Values\User\UserGroupRoleAssignment[]
  */
 public function getRoleAssignmentsForUserGroup(UserGroup $userGroup)
 {
     // Strict comparison on purpose: only boolean true is accepted, so any
     // other result of hasAccess() (false or a non-boolean value) is denied.
     $mayReadRoles = $this->repository->hasAccess('role', 'read');
     if ($mayReadRoles !== true) {
         throw new UnauthorizedException('role', 'read');
     }

     // Map every SPI assignment of the group to its domain object.
     $assignments = array();
     foreach ($this->userHandler->loadRoleAssignmentsByGroupId($userGroup->id) as $spiAssignment) {
         $assignments[] = $this->buildDomainUserGroupRoleAssignmentObject($spiAssignment, $userGroup);
     }

     return $assignments;
 }
예제 #4
 /**
  * Loads the users of a user group
  *
  * @throws \eZ\Publish\API\Repository\Exceptions\UnauthorizedException if the authenticated user is not allowed to read the users or user group
  *
  * @param \eZ\Publish\API\Repository\Values\User\UserGroup $userGroup
  * @param int $offset
  * @param int $limit
  *
  * @return \eZ\Publish\API\Repository\Values\User\User[]
  */
 public function loadUsersOfUserGroup(APIUserGroup $userGroup, $offset = 0, $limit = -1)
 {
     // The group is reloaded through loadUserGroup() rather than trusting the object passed in.
     $contentInfo = $this->loadUserGroup($userGroup->id)->getVersionInfo()->getContentInfo();
     $mainLocationId = $contentInfo->mainLocationId;

     // A group without a main location has no children to search for.
     if ($mainLocationId === null) {
         return array();
     }

     $groupLocation = $this->repository->getLocationService()->loadLocation($mainLocationId);

     // Users are content items of the configured user class placed directly below the group location.
     $query = new Query();
     $query->filter = new CriterionLogicalAnd(
         array(
             new CriterionContentTypeId($this->settings['userClassID']),
             new CriterionParentLocationId($groupLocation->id),
         )
     );

     // Non-positive offsets become 0; limits below 1 are passed on as null.
     // NOTE(review): with the default $limit of -1 the query limit is null,
     // presumably meaning "unbounded"; confirm the result size is acceptable
     // for large groups.
     $query->offset = $offset > 0 ? (int) $offset : 0;
     $query->limit = $limit >= 1 ? (int) $limit : null;
     $query->sortClauses = array(
         $this->getSortClauseBySortField($groupLocation->sortField, $groupLocation->sortOrder),
     );

     $hits = $this->repository->getSearchService()->findContent($query, array())->searchHits;

     $users = array();
     foreach ($hits as $hit) {
         $content = $hit->valueObject;
         $users[] = $this->buildDomainUserObject($this->userHandler->load($content->id), $content);
     }

     return $users;
 }
예제 #5
 /**
  * Loads the users of a user group.
  *
  * @throws \eZ\Publish\API\Repository\Exceptions\UnauthorizedException if the authenticated user is not allowed to read the users or user group
  *
  * @param \eZ\Publish\API\Repository\Values\User\UserGroup $userGroup
  * @param int $offset the start offset for paging
  * @param int $limit the number of users returned
  *
  * @return \eZ\Publish\API\Repository\Values\User\User[]
  */
 public function loadUsersOfUserGroup(APIUserGroup $userGroup, $offset = 0, $limit = 25)
 {
     // The group is reloaded through loadUserGroup() rather than trusting the object passed in.
     $contentInfo = $this->loadUserGroup($userGroup->id)->getVersionInfo()->getContentInfo();

     // A group without a main location has no children to search for.
     if ($contentInfo->mainLocationId === null) {
         return array();
     }

     $groupLocation = $this->repository->getLocationService()->loadLocation($contentInfo->mainLocationId);

     // Users are locations of the configured user class placed directly below the group location.
     $query = new LocationQuery();
     $query->filter = new CriterionLogicalAnd(
         array(
             new CriterionContentTypeId($this->settings['userClassID']),
             new CriterionParentLocationId($groupLocation->id),
         )
     );

     // $offset and $limit are handed to the query as given: no cast and no range check here.
     $query->offset = $offset;
     $query->limit = $limit;
     // Only the hits are used below, so the total count is switched off.
     $query->performCount = false;
     $query->sortClauses = $groupLocation->getSortClauses();

     $users = array();
     foreach ($this->repository->getSearchService()->findLocations($query)->searchHits as $hit) {
         $userContentId = $hit->valueObject->contentInfo->id;

         // NOTE(review): internalLoadContent() looks like a loader that skips
         // per-content permission checks, so what a caller may see here
         // presumably rests on loadUserGroup() and on findLocations() filtering
         // by permission; confirm.
         $users[] = $this->buildDomainUserObject(
             $this->userHandler->load($userContentId),
             $this->repository->getContentService()->internalLoadContent($userContentId)
         );
     }

     return $users;
 }