/** * Assigns a role to the given user. * * @throws \eZ\Publish\API\Repository\Exceptions\UnauthorizedException if the authenticated user is not allowed to assign a role * @throws \eZ\Publish\API\Repository\Exceptions\LimitationValidationException if $roleLimitation is not valid * @throws \eZ\Publish\API\Repository\Exceptions\InvalidArgumentException If assignment already exists * * @param \eZ\Publish\API\Repository\Values\User\Role $role * @param \eZ\Publish\API\Repository\Values\User\User $user * @param \eZ\Publish\API\Repository\Values\User\Limitation\RoleLimitation $roleLimitation an optional role limitation (which is either a subtree limitation or section limitation) */ public function assignRoleToUser(APIRole $role, User $user, RoleLimitation $roleLimitation = null) { if ($this->repository->canUser('role', 'assign', $user, $role) !== true) { throw new UnauthorizedException('role', 'assign'); } if ($roleLimitation === null) { $limitation = null; } else { $limitationValidationErrors = $this->limitationService->validateLimitation($roleLimitation); if (!empty($limitationValidationErrors)) { throw new LimitationValidationException($limitationValidationErrors); } $limitation = array($roleLimitation->getIdentifier() => $roleLimitation->limitationValues); } // Check if objects exists $spiRole = $this->userHandler->loadRole($role->id); $spiUser = $this->userHandler->load($user->id); $limitation = $this->checkAssignmentAndFilterLimitationValues($spiUser->id, $spiRole, $limitation); $this->repository->beginTransaction(); try { $this->userHandler->assignRole($spiUser->id, $spiRole->id, $limitation); $this->repository->commit(); } catch (Exception $e) { $this->repository->rollback(); throw $e; } }
/** * Loads a role for the given id * * @throws \eZ\Publish\API\Repository\Exceptions\UnauthorizedException if the authenticated user is not allowed to read this role * @throws \eZ\Publish\API\Repository\Exceptions\NotFoundException if a role with the given id was not found * * @param mixed $id * * @return \eZ\Publish\API\Repository\Values\User\Role */ public function loadRole($id) { if ($this->repository->hasAccess('role', 'read') !== true) { throw new UnauthorizedException('role', 'read'); } $spiRole = $this->userHandler->loadRole($id); return $this->buildDomainRoleObject($spiRole); }
public function hasAccess($module, $function, APIUserReference $userReference = null) { // Full access if sudo nesting level is set by {@see sudo()} if ($this->sudoNestingLevel > 0) { return true; } if ($userReference === null) { $userReference = $this->getCurrentUserReference(); } // Uses SPI to avoid triggering permission checks in Role/User service $permissionSets = array(); $spiRoleAssignments = $this->userHandler->loadRoleAssignmentsByGroupId($userReference->getUserId(), true); foreach ($spiRoleAssignments as $spiRoleAssignment) { $permissionSet = array('limitation' => null, 'policies' => array()); $spiRole = $this->userHandler->loadRole($spiRoleAssignment->roleId); foreach ($spiRole->policies as $spiPolicy) { if ($spiPolicy->module === '*' && $spiRoleAssignment->limitationIdentifier === null) { return true; } if ($spiPolicy->module !== $module && $spiPolicy->module !== '*') { continue; } if ($spiPolicy->function === '*' && $spiRoleAssignment->limitationIdentifier === null) { return true; } if ($spiPolicy->function !== $function && $spiPolicy->function !== '*') { continue; } if ($spiPolicy->limitations === '*' && $spiRoleAssignment->limitationIdentifier === null) { return true; } $permissionSet['policies'][] = $this->roleDomainMapper->buildDomainPolicyObject($spiPolicy); } if (!empty($permissionSet['policies'])) { if ($spiRoleAssignment->limitationIdentifier !== null) { $permissionSet['limitation'] = $this->limitationService->getLimitationType($spiRoleAssignment->limitationIdentifier)->buildValue($spiRoleAssignment->values); } $permissionSets[] = $permissionSet; } } if (!empty($permissionSets)) { return $permissionSets; } return false; // No policies matching $module and $function, or they contained limitations }