protected function updateUserRole(AclManager $manager) { $sid = $manager->getSid($this->getRole(LoadRolesData::ROLE_ADMINISTRATOR)); $oid = $manager->getOid('entity:Oro\\Bundle\\EmailBundle\\Entity\\Email'); $maskBuilder = $manager->getMaskBuilder($oid)->add('VIEW_SYSTEM')->add('CREATE_SYSTEM')->add('EDIT_SYSTEM'); $manager->setPermission($sid, $oid, $maskBuilder->get()); }
protected function updateManagerRole(AclManager $manager) { $sid = $manager->getSid($this->getRole(LoadRolesData::ROLE_MANAGER)); // grant to manage own calendar events $oid = $manager->getOid('entity:Oro\\Bundle\\CalendarBundle\\Entity\\CalendarEvent'); $maskBuilder = $manager->getMaskBuilder($oid)->add('VIEW_SYSTEM')->add('CREATE_SYSTEM')->add('EDIT_SYSTEM')->add('DELETE_SYSTEM'); $manager->setPermission($sid, $oid, $maskBuilder->get()); }
protected function updateUserRole(AclManager $manager) { $roles = ['ROLE_ONLINE_SALES_REP', 'ROLE_MARKETING_MANAGER', 'ROLE_LEADS_DEVELOPMENT_REP']; foreach ($roles as $roleName) { $sid = $manager->getSid($this->getRole($roleName)); $oid = $manager->getOid('entity:Oro\\Bundle\\EmailBundle\\Entity\\EmailUser'); $maskBuilder = $manager->getMaskBuilder($oid)->add('VIEW_BASIC')->add('CREATE_BASIC')->add('EDIT_BASIC'); $manager->setPermission($sid, $oid, $maskBuilder->get()); } }
protected function updateUserRole(AclManager $manager) { $roles = [LoadRolesData::ROLE_USER, LoadRolesData::ROLE_MANAGER]; foreach ($roles as $roleName) { $sid = $manager->getSid($this->getRole($roleName)); $oid = $manager->getOid('entity:Oro\\Bundle\\EmailBundle\\Entity\\EmailUser'); $maskBuilder = $manager->getMaskBuilder($oid)->add('VIEW_BASIC')->add('CREATE_BASIC')->add('EDIT_BASIC'); $manager->setPermission($sid, $oid, $maskBuilder->get()); } }
/** * Load the ACL per role * * @param AclManager $manager * @param Role $role * * @see Oro\Bundle\SecurityBundle\DataFixtures\ORM\LoadAclRoles */ protected function loadAcls(AclManager $manager, Role $role) { $sid = $manager->getSid($role); foreach ($manager->getAllExtensions() as $extension) { $rootOid = $manager->getRootOid($extension->getExtensionKey()); foreach ($extension->getAllMaskBuilders() as $maskBuilder) { $fullAccessMask = $maskBuilder->hasConst('GROUP_SYSTEM') ? $maskBuilder->getConst('GROUP_SYSTEM') : $maskBuilder->getConst('GROUP_ALL'); $manager->setPermission($sid, $rootOid, $fullAccessMask, true); } } }
/** * Load the ACL per role * * @param Role $role */ protected function loadAcls(Role $role) { if (User::ROLE_ANONYMOUS === $role->getRole()) { return; } $sid = $this->aclManager->getSid($role); foreach ($this->aclManager->getAllExtensions() as $extension) { $rootOid = $this->aclManager->getRootOid($extension->getExtensionKey()); foreach ($extension->getAllMaskBuilders() as $maskBuilder) { $fullAccessMask = $maskBuilder->hasConst('GROUP_SYSTEM') ? $maskBuilder->getConst('GROUP_SYSTEM') : $maskBuilder->getConst('GROUP_ALL'); $this->aclManager->setPermission($sid, $rootOid, $fullAccessMask, true); } } }
/** * @param AbstractRole $role */ protected function processPrivileges(AbstractRole $role) { $decodedPrivileges = json_decode($this->form->get('privileges')->getData(), true); $formPrivileges = []; foreach ($this->privilegeConfig as $fieldName => $config) { $privilegesArray = $decodedPrivileges[$fieldName]; $privileges = []; foreach ($privilegesArray as $privilege) { $aclPrivilege = new AclPrivilege(); foreach ($privilege['permissions'] as $name => $permission) { $aclPrivilege->addPermission(new AclPermission($permission['name'], $permission['accessLevel'])); } $aclPrivilegeIdentity = new AclPrivilegeIdentity($privilege['identity']['id'], $privilege['identity']['name']); $aclPrivilege->setIdentity($aclPrivilegeIdentity); $privileges[] = $aclPrivilege; } if ($config['fix_values']) { $this->fxPrivilegeValue($privileges, $config['default_value']); } $formPrivileges = array_merge($formPrivileges, $privileges); } array_walk($formPrivileges, function (AclPrivilege $privilege) { $privilege->setGroup($this->getAclGroup()); }); $this->privilegeRepository->savePrivileges($this->aclManager->getSid($role), new ArrayCollection($formPrivileges)); $this->aclCache->clearCache(); }
/** * Gets all ACEs associated with given ACL and the given security identity * * @param SID $sid * @param AclInterface $acl * @param string $type The ACE type. Can be one of AclManager::*_ACE constants * @param string|null $field The name of a field. * Set to null for class-based or object-based ACE * Set to not null class-field-based or object-field-based ACE * @return EntryInterface[] */ protected function getAces(SID $sid, AclInterface $acl, $type, $field) { return array_filter($this->manager->getAceProvider()->getAces($acl, $type, $field), function ($ace) use(&$sid) { /** @var EntryInterface $ace */ return $sid->equals($ace->getSecurityIdentity()); }); }
/** * @param Role $role */ protected function processPrivileges(Role $role) { $formPrivileges = array(); foreach ($this->privilegeConfig as $fieldName => $config) { $privileges = $this->form->get($fieldName)->getData(); $formPrivileges = array_merge($formPrivileges, $privileges); } $this->aclManager->getPrivilegeRepository()->savePrivileges($this->aclManager->getSid($role), new ArrayCollection($formPrivileges)); }
protected function updateManagerRole(AclManager $manager) { $sid = $manager->getSid($this->getReference('manager_role')); // grant to view other user's calendar for the same business unit $oid = $manager->getOid('entity:Oro\\Bundle\\CalendarBundle\\Entity\\CalendarConnection'); $maskBuilder = $manager->getMaskBuilder($oid)->add('VIEW_SYSTEM'); $manager->setPermission($sid, $oid, $maskBuilder->get()); // grant to manage own calendar events $oid = $manager->getOid('entity:Oro\\Bundle\\CalendarBundle\\Entity\\CalendarEvent'); $maskBuilder = $manager->getMaskBuilder($oid)->add('VIEW_SYSTEM')->add('CREATE_SYSTEM')->add('EDIT_SYSTEM')->add('DELETE_SYSTEM'); $manager->setPermission($sid, $oid, $maskBuilder->get()); }
/** * @param Role $role */ protected function processPrivileges(Role $role) { $formPrivileges = array(); foreach ($this->privilegeConfig as $fieldName => $config) { $privileges = $this->form->get($fieldName)->getData(); if ($config['fix_values']) { $this->fxPrivilegeValue($privileges, $config['default_value']); } $formPrivileges = array_merge($formPrivileges, $privileges); } $this->privilegeRepository->savePrivileges($this->aclManager->getSid($role), new ArrayCollection($formPrivileges)); }
public function testProcessPrivileges() { $request = new Request(); $request->setMethod('POST'); $role = new AccountUserRole('TEST'); $roleSecurityIdentity = new RoleSecurityIdentity($role); $appendForm = $this->getMock('Symfony\\Component\\Form\\FormInterface'); $appendForm->expects($this->once())->method('getData')->willReturn([]); $removeForm = $this->getMock('Symfony\\Component\\Form\\FormInterface'); $removeForm->expects($this->once())->method('getData')->willReturn([]); $firstEntityPrivilege = $this->createPrivilege('entity', 'entity:FirstClass', 'VIEW'); $secondEntityPrivilege = $this->createPrivilege('entity', 'entity:SecondClass', 'VIEW'); $entityForm = $this->getMock('Symfony\\Component\\Form\\FormInterface'); $entityForm->expects($this->once())->method('getData')->willReturn([$firstEntityPrivilege, $secondEntityPrivilege]); $actionPrivilege = $this->createPrivilege('action', 'action', 'random_action'); $actionForm = $this->getMock('Symfony\\Component\\Form\\FormInterface'); $actionForm->expects($this->once())->method('getData')->willReturn([$actionPrivilege]); $form = $this->getMock('Symfony\\Component\\Form\\FormInterface'); $form->expects($this->once())->method('submit')->with($request); $form->expects($this->once())->method('isValid')->willReturn(true); $form->expects($this->any())->method('get')->willReturnMap([['appendUsers', $appendForm], ['removeUsers', $removeForm], ['entity', $entityForm], ['action', $actionForm]]); $this->formFactory->expects($this->once())->method('create')->willReturn($form); $objectManager = $this->getMock('Doctrine\\Common\\Persistence\\ObjectManager'); $this->managerRegistry->expects($this->any())->method('getManagerForClass')->with(get_class($role))->willReturn($objectManager); $expectedFirstEntityPrivilege = $this->createPrivilege('entity', 'entity:FirstClass', 'VIEW'); $expectedFirstEntityPrivilege->setGroup(AccountUser::SECURITY_GROUP); $expectedSecondEntityPrivilege = $this->createPrivilege('entity', 'entity:SecondClass', 'VIEW'); $expectedSecondEntityPrivilege->setGroup(AccountUser::SECURITY_GROUP); $expectedActionPrivilege = $this->createPrivilege('action', 'action', 'random_action'); $expectedActionPrivilege->setGroup(AccountUser::SECURITY_GROUP); $this->privilegeRepository->expects($this->once())->method('savePrivileges')->with($roleSecurityIdentity, new ArrayCollection([$expectedFirstEntityPrivilege, $expectedSecondEntityPrivilege, $expectedActionPrivilege])); $this->aclManager->expects($this->any())->method('getSid')->with($role)->willReturn($roleSecurityIdentity); $this->chainMetadataProvider->expects($this->once())->method('startProviderEmulation')->with(FrontendOwnershipMetadataProvider::ALIAS); $this->chainMetadataProvider->expects($this->once())->method('stopProviderEmulation'); $handler = new AccountUserRoleHandler($this->formFactory, $this->privilegeConfig); $handler->setManagerRegistry($this->managerRegistry); $handler->setAclPrivilegeRepository($this->privilegeRepository); $handler->setAclManager($this->aclManager); $handler->setChainMetadataProvider($this->chainMetadataProvider); $handler->setRequest($request); $handler->createForm($role); $handler->process($role); }
public function testFlush() { $oid1 = new ObjectIdentity('Acme\\Test1', 'entity'); $oid2 = new ObjectIdentity('Acme\\Test2', 'entity'); $oid3 = new ObjectIdentity('Acme\\Test3', 'entity'); $oid4 = new ObjectIdentity('Acme\\Test4', 'entity'); $newItemSid = $this->getMock('Symfony\\Component\\Security\\Acl\\Model\\SecurityIdentityInterface'); $newItem = new BatchItem($oid2, BatchItem::STATE_CREATE); $newItem->addAce(AclManager::OBJECT_ACE, 'TestField', $newItemSid, true, 123, 'all', true); $updateItemAcl = $this->getMock('Symfony\\Component\\Security\\Acl\\Model\\MutableAclInterface'); $deleteItemAcl = $this->getMock('Symfony\\Component\\Security\\Acl\\Model\\MutableAclInterface'); $this->setItems(array(new BatchItem($oid1, BatchItem::STATE_NONE), $newItem, new BatchItem($oid3, BatchItem::STATE_UPDATE, $updateItemAcl), new BatchItem($oid4, BatchItem::STATE_DELETE, $deleteItemAcl))); $this->aclProvider->expects($this->once())->method('beginTransaction'); $this->aclProvider->expects($this->once())->method('commit'); $acl = $this->getMock('Symfony\\Component\\Security\\Acl\\Model\\MutableAclInterface'); $this->aclProvider->expects($this->once())->method('createAcl')->with($this->identicalTo($oid2))->will($this->returnValue($acl)); $this->aceProvider->expects($this->once())->method('setPermission')->with($this->identicalTo($acl), $this->identicalTo($this->extension), $this->equalTo(true), $this->equalTo(AclManager::OBJECT_ACE), $this->equalTo('TestField'), $this->identicalTo($newItemSid), $this->equalTo(true), $this->equalTo(123), $this->equalTo('all'))->will($this->returnValue(true)); $this->aclProvider->expects($this->exactly(2))->method('updateAcl'); $this->aclProvider->expects($this->once())->method('deleteAcl')->with($this->identicalTo($oid4)); $this->manager->flush(); }
/** * @param ObjectIdentity $oid * @param string $class * @param int $requiredMask * @return bool * * @see \Oro\Bundle\SecurityBundle\Acl\Domain\PermissionGrantingStrategy::isAceApplicable * @SuppressWarnings(PHPMD.CyclomaticComplexity) * @SuppressWarnings(PHPMD.NPathComplexity) */ private function isGrantedOidMask(ObjectIdentity $oid, $class, $requiredMask) { if (null === ($loggedUser = $this->getLoggedUser())) { return false; } $extension = $this->aclManager->getExtensionSelector()->select($oid); foreach ($loggedUser->getRoles() as $role) { $sid = $this->aclManager->getSid($role); $aces = $this->aclManager->getAces($sid, $oid); if (!$aces && $oid->getType() !== ObjectIdentityFactory::ROOT_IDENTITY_TYPE) { $rootOid = $this->aclManager->getRootOid($oid); return $this->isGrantedOidMask($rootOid, $class, EntityMaskBuilder::GROUP_SYSTEM); } foreach ($aces as $ace) { if ($ace->getAcl()->getObjectIdentity()->getIdentifier() !== $extension->getExtensionKey()) { continue; } $aceMask = $ace->getMask(); if ($oid->getType() === ObjectIdentityFactory::ROOT_IDENTITY_TYPE) { $aceMask = $extension->adaptRootMask($aceMask, new $class()); } if ($extension->getServiceBits($requiredMask) !== $extension->getServiceBits($aceMask)) { continue; } $requiredMask = $extension->removeServiceBits($requiredMask); $aceMask = $extension->removeServiceBits($aceMask); $strategy = $ace->getStrategy(); if (PermissionGrantingStrategy::ALL === $strategy) { return $requiredMask === ($aceMask & $requiredMask); } elseif (PermissionGrantingStrategy::ANY === $strategy) { return 0 !== ($aceMask & $requiredMask); } elseif (PermissionGrantingStrategy::EQUAL === $strategy) { return $requiredMask === $aceMask; } } } return false; }
/** * @param ObjectManager $manager * @param AclManager $aclManager */ protected function setBuyerShoppingListPermissions(ObjectManager $manager, AclManager $aclManager) { $chainMetadataProvider = $this->container->get('oro_security.owner.metadata_provider.chain'); $allowedAcls = ['VIEW_BASIC', 'CREATE_BASIC', 'EDIT_BASIC', 'DELETE_BASIC']; $role = $this->getBuyerRole($manager); if ($aclManager->isAclEnabled()) { $sid = $aclManager->getSid($role); $className = $this->container->getParameter('orob2b_shopping_list.entity.shopping_list.class'); foreach ($aclManager->getAllExtensions() as $extension) { if ($extension instanceof EntityAclExtension) { $chainMetadataProvider->startProviderEmulation(FrontendOwnershipMetadataProvider::ALIAS); $oid = $aclManager->getOid('entity:' . $className); $builder = $aclManager->getMaskBuilder($oid); $mask = $builder->reset()->get(); foreach ($allowedAcls as $acl) { $mask = $builder->add($acl)->get(); } $aclManager->setPermission($sid, $oid, $mask); $chainMetadataProvider->stopProviderEmulation(); } } } }
/** * @param AclManager $aclManager * @param AclExtensionInterface $extension * @param SecurityIdentityInterface $sid * @param string $group */ protected function setPermissionGroup(AclManager $aclManager, AclExtensionInterface $extension, SecurityIdentityInterface $sid, $group) { $rootOid = $aclManager->getRootOid($extension->getExtensionKey()); foreach ($extension->getAllMaskBuilders() as $maskBuilder) { if ($maskBuilder->hasConst($group)) { $mask = $maskBuilder->getConst($group); $aclManager->setPermission($sid, $rootOid, $mask, true); break; } } }
/** * @param AclManager $aclManager * @param SecurityIdentityInterface $sid */ protected function setPermissionGroup(AclManager $aclManager, SecurityIdentityInterface $sid) { foreach ($aclManager->getAllExtensions() as $extension) { $rootOid = $aclManager->getRootOid($extension->getExtensionKey()); foreach ($extension->getAllMaskBuilders() as $maskBuilder) { $fullAccessMask = $maskBuilder->hasConst('GROUP_SYSTEM') ? $maskBuilder->getConst('GROUP_SYSTEM') : $maskBuilder->getConst('GROUP_ALL'); $aclManager->setPermission($sid, $rootOid, $fullAccessMask, true); } } }
/** * @param AclManager $aclManager * @param AccountUserRole $role * @param string $className * @param array $allowedAcls */ protected function setRolePermissions(AclManager $aclManager, AccountUserRole $role, $className, array $allowedAcls) { /* @var $chainMetadataProvider ChainMetadataProvider */ $chainMetadataProvider = $this->container->get('oro_security.owner.metadata_provider.chain'); if ($aclManager->isAclEnabled()) { $sid = $aclManager->getSid($role); foreach ($aclManager->getAllExtensions() as $extension) { if ($extension instanceof EntityAclExtension) { $chainMetadataProvider->startProviderEmulation(FrontendOwnershipMetadataProvider::ALIAS); $oid = $aclManager->getOid('entity:' . $className); $builder = $aclManager->getMaskBuilder($oid); $mask = $builder->reset()->get(); foreach ($allowedAcls as $acl) { $mask = $builder->add($acl)->get(); } $aclManager->setPermission($sid, $oid, $mask); $chainMetadataProvider->stopProviderEmulation(); } } } }
protected function loadUserRole(AclManager $manager) { $sid = $manager->getSid($this->getRole(LoadRolesData::ROLE_USER)); foreach ($manager->getAllExtensions() as $extension) { $rootOid = $manager->getRootOid($extension->getExtensionKey()); foreach ($extension->getAllMaskBuilders() as $maskBuilder) { if ($maskBuilder->hasConst('GROUP_BASIC')) { if ($maskBuilder->hasConst('MASK_VIEW_SYSTEM')) { $mask = $maskBuilder->getConst('MASK_VIEW_SYSTEM'); /* @todo now only SYSTEM level is supported | $maskBuilder->getConst('MASK_CREATE_BASIC') | $maskBuilder->getConst('MASK_EDIT_BASIC') | $maskBuilder->getConst('MASK_DELETE_BASIC') | $maskBuilder->getConst('MASK_ASSIGN_BASIC') | $maskBuilder->getConst('MASK_SHARE_BASIC'); */ } else { $mask = $maskBuilder->getConst('GROUP_BASIC'); } } else { $mask = $maskBuilder->getConst('GROUP_NONE'); } $manager->setPermission($sid, $rootOid, $mask, true); } } }