/**
 * Returns the current user's roles, expanded through the role hierarchy when one is configured.
 *
 * Without a hierarchy the raw roles from the user object are returned unchanged.
 *
 * @return mixed the user's roles, or the hierarchy's reachable-role set when a hierarchy is set
 */
private function extractRoles()
{
    $directRoles = $this->user->getRoles();

    return $this->roleHierarchy
        ? $this->roleHierarchy->getReachableRoles($directRoles)
        : $directRoles;
}
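/**
 * Checks that the current user may exercise $privilege on $resource.
 *
 * A user in ROOT_ROLE passes unconditionally. Otherwise the resource must be
 * known to the ACL and the user must hold at least one role that the ACL knows
 * and that is allowed the privilege on that resource; roles the ACL does not
 * know are skipped rather than queried.
 *
 * @param string $resource
 * @param string $privilege
 * @return bool true when access is granted (the method never returns otherwise)
 * @throws \AclException with code 403 when no role grants access
 */
public function check($resource, $privilege)
{
    if ($this->user->isInRole(static::ROOT_ROLE)) {
        return true;
    }

    // An unknown resource can never be granted, whatever roles the user holds.
    if ($this->acl->hasResource($resource)) {
        foreach ($this->user->getRoles() as $role) {
            // hasRole() first: querying the ACL about a role it does not know is
            // presumably an error rather than a denial — keep the guard.
            if ($this->acl->hasRole($role) && $this->acl->isAllowed($role, $resource, $privilege)) {
                return true;
            }
        }
    }

    throw new \AclException("Unauthorized access to resource '{$resource}' privilege '{$privilege}' :(", 403);
}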
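/**
 * Around advice for methods annotated with @Secured: the target runs only when
 * the current user is logged in and holds at least one of the roles listed in
 * the annotation; otherwise the target method is never invoked.
 *
 * @Around("methodAnnotatedWith(Klimesf\Secured\Secured)")
 * @param AroundMethod $m
 * @return mixed the target method's return value
 * @throws AuthenticationException when the user is anonymous or holds none of the required roles
 */
public function process(AroundMethod $m)
{
    $secured = $this->getAnnotation($m);

    if ($this->user->isLoggedIn()) {
        $userRoles = $this->user->getRoles();
        foreach ($secured->roles as $role) {
            // Strict comparison: a role grants access only on an exact match, never
            // through type juggling. Assumes role names are strings on both sides — confirm.
            if (in_array($role, $userRoles, true)) {
                return $m->proceed();
            }
        }
    }

    $parentClass = $m->getTargetObjectReflection()->parentClass->name;
    $methodName = $m->getTargetReflection()->name;
    throw new AuthenticationException("User is not allowed to call " . $parentClass . '::' . $methodName . "().");
}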
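/**
 * Enforces the access schema declared for a method: a user whitelist, a role
 * list, or an ACL resource/privilege pair.
 *
 * The rules for $element are read from the schema reader and only the first
 * non-empty rule kind is evaluated, in the order users, roles, resource. A
 * method with no rule at all is allowed for everyone (no exception is thrown).
 *
 * @param \Nette\Reflection\Method $element
 * @return void
 * @throws ForbiddenRequestException when the current user fails the applicable rule
 */
protected function checkMethod(Method $element)
{
    $class = $element->class;
    $name = $element->name;
    $schema = $this->reader->getSchema($class);
    $rules = isset($schema[$name]) ? $schema[$name] : array();

    // users: explicit whitelist of user ids
    if (isset($rules['users']) && count($rules['users']) > 0) {
        $users = $rules['users'];
        // Non-strict on purpose: the id may come as int from the identity and as
        // string from the schema — TODO confirm the types and tighten if they agree.
        if (in_array($this->user->getId(), $users)) {
            return;
        }
        throw new ForbiddenRequestException(sprintf('Access denied for your username: \'%s\'. Require: \'%s\'', $this->user->getId(), implode(', ', $users)));
    }

    // roles: any overlap between the user's roles and the required ones suffices
    if (isset($rules['roles']) && count($rules['roles']) > 0) {
        $userRoles = $this->user->getRoles();
        $roles = $rules['roles'];
        if (count(array_intersect($userRoles, $roles)) !== 0) {
            return;
        }
        throw new ForbiddenRequestException("Access denied for your roles: '" . implode(', ', $userRoles) . "'. Require one of: '" . implode(', ', $roles) . "'");
    }

    // resource: delegate to the user's ACL
    if (isset($rules['resource']) && $rules['resource']) {
        // 'privilege' is optional in the schema; read it without raising an undefined-index notice.
        $privilege = isset($rules['privilege']) ? $rules['privilege'] : null;
        if ($this->user->isAllowed($rules['resource'], $privilege)) {
            return;
        }
        throw new ForbiddenRequestException(sprintf('Access denied for resource: \'%s\' and privilege: \'%s\'', $rules['resource'], $privilege));
    }
}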
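/**
 * Builds a User from the Nette session user: identity id, first role,
 * e-mail and name are copied over.
 *
 * @param \Nette\Security\User $user
 * @return User
 * @throws \RuntimeException when the session carries no identity (nobody is logged in)
 */
public static function loadFromSession(\Nette\Security\User $user)
{
    $identity = $user->getIdentity();
    if ($identity === null) {
        // Fail loudly rather than build a User with a null id from a missing identity.
        throw new \RuntimeException('Cannot load user from session: no identity is available.');
    }
    $roles = $user->getRoles();

    $instance = new User();
    $instance->setId($identity->id);
    // Only the first role is carried over; the User model appears to hold a single role — confirm.
    $instance->setRole(isset($roles[0]) ? $roles[0] : null);
    $instance->setEmail($identity->email);
    $instance->setFirstName($identity->firstName);
    $instance->setLastName($identity->lastName);

    return $instance;
}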
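/**
 * Tells whether $user holds $role directly or through a role that inherits from it.
 *
 * One qualifying role is enough. A user with no roles at all gets false: an
 * authorization check must fail closed, not vacuously succeed.
 *
 * @param string $role
 * @param Nette\Security\User $user
 * @return bool
 */
public function isAtLeastInRole($role, Nette\Security\User $user)
{
    foreach ($user->getRoles() as $userRole) {
        if ($userRole === $role || $this->acl->roleInheritsFrom($userRole, $role)) {
            return TRUE;
        }
    }

    return FALSE;
}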
/**
 * Creates the user edit form: login, password pair, role select, active flag
 * and a hidden user id. When $this->rsuserID is set the form is pre-filled
 * from the stored user entity; otherwise a password is required (new user).
 *
 * @return \Nette\Application\UI\Form
 */
protected function createComponentForm()
{
    $form = new Form();
    $form->addText("login", "Přihlašovací jméno:")->setAttribute("autocomplete", "off")->setRequired("Prosím zadejte přihlašovací jméno.");
    $form->addPassword("password1", "Heslo:")->setAttribute("class", "form-control")->setAttribute("autocomplete", "off");
    $form->addPassword("password2", "Heslo pro kontrolu:")->setAttribute("class", "form-control")->setAttribute("autocomplete", "off");

    // The root role is never offered. A non-root editor additionally gets their own
    // roles filtered out — presumably so they cannot assign a role at their own level;
    // how the database layer renders "NOT(?)" with an array argument is not visible here — confirm.
    $roles = $this->roleRepository->read()->where("name != ?", "root");
    if (!$this->user->isInRole("root")) {
        $roles->where("name NOT(?)", $this->user->getRoles());
    }
    $roles = $roles->fetchPairs("aclRoleID", "name");

    $form->addSelect("role", "Oprávnění:", $roles)->setAttribute("class", "form-control");
    $form->addCheckbox("active", "Aktivní");
    $form->addButton("cancel", "Storno")->setHtmlId("cancel");
    $form->addSubmit("sender", "Uložit změny")->setHtmlId("sender");
    // NOTE(review): a hidden field is client-editable; the Submit handler (outside this
    // block) should not rely on it alone to decide which user may be modified.
    $form->addHidden("userID");
    $form['password2']->addRule(Form::EQUAL, 'Hesla se neshodují', $form['password1']);

    if ($this->rsuserID) {
        // Edit mode: pre-fill from the stored entity; the login is fixed once created.
        $userEntity = $this->userRepository->get($this->rsuserID);
        if ($userEntity) {
            $form['login']->setValue($userEntity->login);
            $form['login']->setAttribute("readonly");
            $form['userID']->setValue($this->rsuserID);
            $form['active']->setValue($userEntity->getActive());
            // Editing oneself: the role cannot be changed.
            if ($userEntity->getUserID() == $this->user->getId()) {
                $form['role']->setDisabled();
            }
            // The current role is pre-selected only for other, non-root users
            // (note the loose == above vs. strict !== here — the id types are not visible; confirm).
            if ($userEntity->getLogin() != "root" && $userEntity->getUserID() !== $this->user->getId()) {
                $form['role']->setValue($userEntity->aclRoleID);
            }
        }
    } else {
        // Create mode: a password must be supplied.
        $form['password1']->setRequired("Prosím zadejte heslo.");
    }

    $form->onSuccess[] = callback($this, "Submit");
    $form->onError[] = callback($this, "FormError");

    return $form;
}
/**
 * Resolves, and memoises per user and permission, whether $user holds $permission.
 *
 * Decision order, first match wins: a falsy $secured allows everything; the
 * 'admin' role allows everything; a permission absent from $source is denied;
 * an anonymous user is denied; a permission entity flagged "all" is allowed;
 * otherwise the user needs one of the roles attached to the entity. The result
 * is stored in $cache[$user->id][$permission] so later calls for the same pair
 * skip the lookup.
 *
 * @param mixed $secured whether access control is in force at all (truthy check)
 * @param array $source permission entities keyed by permission name; only read here
 * @param array $cache per-user decision cache, updated in place
 * @param User $user
 * @param string $permission
 * @return bool
 */
private function baseIsAllowed(&$secured, &$source, &$cache, User $user, $permission)
{
    if (!$secured) {
        return TRUE;
    }

    $userId = $user->id;
    if (!isset($cache[$userId])) {
        $cache[$userId] = array();
    }

    if (!isset($cache[$userId][$permission])) {
        $allowed = FALSE;
        if ($user->isInRole('admin')) {
            $allowed = TRUE;
        } elseif (isset($source[$permission])) {
            $permissionEntity = $source[$permission];
            if (!$user->isLoggedIn()) {
                $allowed = FALSE;
            } elseif ($permissionEntity->getAll()) {
                $allowed = TRUE;
            } else {
                // One matching role on the entity is enough.
                foreach ($user->getRoles() as $role) {
                    if (isset($permissionEntity->roles[$role])) {
                        $allowed = TRUE;
                        break;
                    }
                }
            }
        }
        $cache[$userId][$permission] = $allowed;
    }

    return $cache[$userId][$permission];
}
/**
 * Proxies to the wrapped user's roles.
 *
 * @return array
 */
public function getRoles() : array
{
    $roles = $this->user->getRoles();

    return $roles;
}