If no authenticated roles could be found the "Anonymous" role is returned.
The "Neos.Flow:Everybody" roles is always returned.
public getRoles ( ) : |
||
리턴 |
/** * Gets the SQL query part to add to a query. * * @param ClassMetaData $targetEntity Metadata object for the target entity to be filtered * @param string $targetTableAlias The target table alias used in the current query * @return string The constraint SQL if there is available, empty string otherwise */ public function addFilterConstraint(ClassMetadata $targetEntity, $targetTableAlias) { $this->initializeDependencies(); /* * TODO: Instead of checking for class account we could introduce some interface for white listing entities from entity security checks * Problem with checking the Account is, that this filter calls getRoles() on the security context while accounts are not * yet fully initialized. By this we get a half built account object that will end up in access denied exception, * as it has no roles (and other properties) set */ if ($this->securityContext->areAuthorizationChecksDisabled() || $targetEntity->getName() === Account::class) { return ''; } if (!$this->securityContext->isInitialized()) { if (!$this->securityContext->canBeInitialized()) { return ''; } $this->securityContext->initialize(); } // This is needed to include the current context of roles into query cache identifier $this->setParameter('__contextHash', $this->securityContext->getContextHash(), 'string'); $sqlConstraints = []; $grantedConstraints = []; $deniedConstraints = []; foreach ($this->securityContext->getRoles() as $role) { $entityPrivileges = $role->getPrivilegesByType(EntityPrivilegeInterface::class); /** @var EntityPrivilegeInterface $privilege */ foreach ($entityPrivileges as $privilege) { if (!$privilege->matchesEntityType($targetEntity->getName())) { continue; } $sqlConstraint = $privilege->getSqlConstraint($targetEntity, $targetTableAlias); if ($sqlConstraint === null) { continue; } $sqlConstraints[] = ' NOT (' . $sqlConstraint . ')'; if ($privilege->isGranted()) { $grantedConstraints[] = ' NOT (' . $sqlConstraint . ')'; } elseif ($privilege->isDenied()) { $deniedConstraints[] = ' NOT (' . $sqlConstraint . ')'; } } } $grantedConstraints = array_diff($grantedConstraints, $deniedConstraints); $effectiveConstraints = array_diff($sqlConstraints, $grantedConstraints); if (count($effectiveConstraints) > 0) { return ' (' . implode(') AND (', $effectiveConstraints) . ') '; } return ''; }
/** * Returns a string message, giving insights what happened during privilege evaluation. * * @param string $privilegeReasonMessage * @return string */ protected function renderDecisionReasonMessage($privilegeReasonMessage) { if (count($this->securityContext->getRoles()) === 0) { $rolesMessage = 'No authenticated roles'; } else { $rolesMessage = 'Authenticated roles: ' . implode(', ', array_keys($this->securityContext->getRoles())); } return sprintf('Access denied for method' . chr(10) . 'Method: %s::%s()' . chr(10) . chr(10) . '%s' . chr(10) . chr(10) . '%s', $this->joinPoint->getClassName(), $this->joinPoint->getMethodName(), $privilegeReasonMessage, $rolesMessage); }
/** * @param NodeInterface $node * @return string[] Array of granted node property names */ public function getDeniedNodePropertiesForEditing(NodeInterface $node) { $privilegeSubject = new PropertyAwareNodePrivilegeSubject($node); $deniedNodePropertyNames = array(); $grantedNodePropertyNames = array(); $abstainedNodePropertyNames = array(); foreach ($this->securityContext->getRoles() as $role) { /** @var EditNodePropertyPrivilege $editNodePropertyPrivilege */ foreach ($role->getPrivilegesByType(EditNodePropertyPrivilege::class) as $editNodePropertyPrivilege) { if (!$editNodePropertyPrivilege->matchesSubject($privilegeSubject)) { continue; } if ($editNodePropertyPrivilege->isGranted()) { $grantedNodePropertyNames = array_merge($grantedNodePropertyNames, $editNodePropertyPrivilege->getNodePropertyNames()); } elseif ($editNodePropertyPrivilege->isDenied()) { $deniedNodePropertyNames = array_merge($deniedNodePropertyNames, $editNodePropertyPrivilege->getNodePropertyNames()); } else { $abstainedNodePropertyNames = array_merge($abstainedNodePropertyNames, $editNodePropertyPrivilege->getNodePropertyNames()); } } } $implicitlyDeniedNodePropertyNames = array_diff($abstainedNodePropertyNames, $grantedNodePropertyNames); return array_merge($implicitlyDeniedNodePropertyNames, $deniedNodePropertyNames); }
/** * Returns TRUE if access is granted on the given privilege target in the current security context * * @param string $privilegeTargetIdentifier The identifier of the privilege target to decide on * @param array $privilegeParameters Optional array of privilege parameters (simple key => value array) * @return boolean TRUE if access is granted, FALSE otherwise */ public function isPrivilegeTargetGranted($privilegeTargetIdentifier, array $privilegeParameters = []) { return $this->isPrivilegeTargetGrantedForRoles($this->securityContext->getRoles(), $privilegeTargetIdentifier, $privilegeParameters); }