/**
 * Grants the broadest available mask on every extension's root OID to the given role.
 *
 * Anonymous users are deliberately left without any ACE: the method returns early for
 * User::ROLE_ANONYMOUS. For every other role, each mask builder of each ACL extension
 * contributes either GROUP_SYSTEM (when the builder defines it) or GROUP_ALL, and that
 * mask is granted on the extension's root object identity.
 *
 * @param Role $role
 */
protected function loadAcls(Role $role)
{
    if (User::ROLE_ANONYMOUS === $role->getRole()) {
        return;
    }

    $securityIdentity = $this->aclManager->getSid($role);
    foreach ($this->aclManager->getAllExtensions() as $aclExtension) {
        $rootIdentity = $this->aclManager->getRootOid($aclExtension->getExtensionKey());
        foreach ($aclExtension->getAllMaskBuilders() as $builder) {
            // GROUP_SYSTEM is the widest access level a builder can offer;
            // builders without a system-level group fall back to GROUP_ALL.
            $groupName = $builder->hasConst('GROUP_SYSTEM') ? 'GROUP_SYSTEM' : 'GROUP_ALL';
            $this->aclManager->setPermission(
                $securityIdentity,
                $rootIdentity,
                $builder->getConst($groupName),
                true
            );
        }
    }
}
/**
 * Prepares the per-extension context consumed by savePrivileges().
 *
 * For every ACL extension the context receives the extension object, its prepared
 * mask builders and the list of root masks. Root masks come from the root privilege
 * when $rootKeys names one for the extension; otherwise they are read from the
 * granting ACEs currently stored for $sid on the extension's root OID (denying ACEs
 * are skipped), and an empty mask is appended for every mask builder whose service
 * bits are not yet represented, so each permission group is covered.
 *
 * @param array $context
 * @param array $rootKeys
 * @param SID $sid
 * @param ArrayCollection|AclPrivilege[] $privileges
 */
protected function initSaveContext(array &$context, array $rootKeys, SID $sid, ArrayCollection $privileges)
{
    foreach ($this->manager->getAllExtensions() as $extension) {
        $key = $extension->getExtensionKey();

        /** @var MaskBuilder[] $builders */
        $builders = [];
        $this->prepareMaskBuilders($builders, $extension);

        $context[$key] = [
            'extension'    => $extension,
            'maskBuilders' => $builders,
        ];

        if (isset($rootKeys[$key])) {
            $rootPrivilege = $privileges[$rootKeys[$key]];
            $context[$key]['rootMasks'] = $this->getPermissionMasks(
                $rootPrivilege->getPermissions(),
                $extension,
                $builders
            );
            continue;
        }

        // no root privilege supplied: start from the ACEs already stored on the root OID
        $rootMasks = [];
        $rootOid = $this->manager->getRootOid($key);
        foreach ($this->manager->getAces($sid, $rootOid) as $ace) {
            // denying ACE is not supported
            if ($ace->isGranting()) {
                $rootMasks[] = $ace->getMask();
            }
        }

        // every builder whose service bits are not represented yet gets an empty mask
        foreach ($extension->getAllMaskBuilders() as $builder) {
            $emptyMask = $builder->get();
            $represented = false;
            foreach ($rootMasks as $existingMask) {
                if ($extension->getServiceBits($emptyMask) === $extension->getServiceBits($existingMask)) {
                    $represented = true;
                    break;
                }
            }
            if (!$represented) {
                $rootMasks[] = $emptyMask;
            }
        }

        $context[$key]['rootMasks'] = $rootMasks;
    }
}
/**
 * Checks whether the logged-in user holds $requiredMask on $oid under one of his roles.
 *
 * Mirrors the ACE applicability rules of PermissionGrantingStrategy::isAceApplicable:
 * for each role, only ACEs that belong to the extension selected for $oid and carry
 * the same service bits as $requiredMask are considered; masks of root-level ACEs are
 * first adapted to $class. The first such ACE decides the outcome according to its
 * strategy (ALL: every required bit present, ANY: at least one, EQUAL: masks identical);
 * later roles are not consulted once an applicable ACE has been found.
 *
 * A non-root OID that has no ACE at all for the role falls back to the root OID, where
 * EntityMaskBuilder::GROUP_SYSTEM is checked instead of $requiredMask.
 * Without an applicable ACE for any role the result is false.
 *
 * @param ObjectIdentity $oid
 * @param string $class
 * @param int $requiredMask
 * @return bool
 *
 * @see \Oro\Bundle\SecurityBundle\Acl\Domain\PermissionGrantingStrategy::isAceApplicable
 * @SuppressWarnings(PHPMD.CyclomaticComplexity)
 * @SuppressWarnings(PHPMD.NPathComplexity)
 */
private function isGrantedOidMask(ObjectIdentity $oid, $class, $requiredMask)
{
    $loggedUser = $this->getLoggedUser();
    if (null === $loggedUser) {
        return false;
    }

    $isRootOid = ObjectIdentityFactory::ROOT_IDENTITY_TYPE === $oid->getType();
    $extension = $this->aclManager->getExtensionSelector()->select($oid);
    $extensionKey = $extension->getExtensionKey();

    foreach ($loggedUser->getRoles() as $role) {
        $sid = $this->aclManager->getSid($role);
        $aces = $this->aclManager->getAces($sid, $oid);

        // nothing stored for this role on the object itself: defer to the root OID
        if (!$aces && !$isRootOid) {
            return $this->isGrantedOidMask(
                $this->aclManager->getRootOid($oid),
                $class,
                EntityMaskBuilder::GROUP_SYSTEM
            );
        }

        foreach ($aces as $ace) {
            // ACEs of other ACL extensions are irrelevant for this OID
            if ($extensionKey !== $ace->getAcl()->getObjectIdentity()->getIdentifier()) {
                continue;
            }

            $aceMask = $ace->getMask();
            if ($isRootOid) {
                $aceMask = $extension->adaptRootMask($aceMask, new $class());
            }

            // only ACEs from the same permission group (service bits) are applicable
            if ($extension->getServiceBits($aceMask) !== $extension->getServiceBits($requiredMask)) {
                continue;
            }

            $requiredMask = $extension->removeServiceBits($requiredMask);
            $aceMask = $extension->removeServiceBits($aceMask);

            $strategy = $ace->getStrategy();
            if (PermissionGrantingStrategy::ALL === $strategy) {
                return ($aceMask & $requiredMask) === $requiredMask;
            }
            if (PermissionGrantingStrategy::ANY === $strategy) {
                return ($aceMask & $requiredMask) !== 0;
            }
            if (PermissionGrantingStrategy::EQUAL === $strategy) {
                return $aceMask === $requiredMask;
            }
        }
    }

    return false;
}
/**
 * Grants the default user role (LoadRolesData::ROLE_USER) its baseline permissions
 * on every extension's root OID.
 *
 * Per mask builder: builders that define GROUP_BASIC receive MASK_VIEW_SYSTEM when
 * the builder has it (otherwise GROUP_BASIC itself); builders without GROUP_BASIC
 * receive GROUP_NONE.
 *
 * @todo only SYSTEM level is supported for now; the BASIC-level create/edit/delete/
 *       assign/share masks are meant to be OR-ed into MASK_VIEW_SYSTEM later.
 *
 * @param AclManager $manager
 */
protected function loadUserRole(AclManager $manager)
{
    $userSid = $manager->getSid($this->getRole(LoadRolesData::ROLE_USER));
    foreach ($manager->getAllExtensions() as $extension) {
        $rootOid = $manager->getRootOid($extension->getExtensionKey());
        foreach ($extension->getAllMaskBuilders() as $builder) {
            if (!$builder->hasConst('GROUP_BASIC')) {
                $constName = 'GROUP_NONE';
            } elseif ($builder->hasConst('MASK_VIEW_SYSTEM')) {
                $constName = 'MASK_VIEW_SYSTEM';
            } else {
                $constName = 'GROUP_BASIC';
            }
            $manager->setPermission($userSid, $rootOid, $builder->getConst($constName), true);
        }
    }
}
/**
 * Grants the broadest available mask on every extension's root OID to the given role.
 *
 * Each mask builder of each ACL extension contributes GROUP_SYSTEM when it defines
 * that constant and GROUP_ALL otherwise; the resulting mask is granted to the role's
 * security identity on the extension's root object identity. Unlike the variant in
 * LoadAclRoles, no role is excluded here.
 *
 * @param AclManager $manager
 * @param Role $role
 *
 * @see Oro\Bundle\SecurityBundle\DataFixtures\ORM\LoadAclRoles
 */
protected function loadAcls(AclManager $manager, Role $role)
{
    $securityIdentity = $manager->getSid($role);
    foreach ($manager->getAllExtensions() as $aclExtension) {
        $rootIdentity = $manager->getRootOid($aclExtension->getExtensionKey());
        foreach ($aclExtension->getAllMaskBuilders() as $builder) {
            // prefer the system-level group; GROUP_ALL is the fallback for builders without it
            $groupName = $builder->hasConst('GROUP_SYSTEM') ? 'GROUP_SYSTEM' : 'GROUP_ALL';
            $manager->setPermission($securityIdentity, $rootIdentity, $builder->getConst($groupName), true);
        }
    }
}
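/**
 * getRootOid() must delegate to ObjectIdentityFactory::root() with the extension key
 * and hand back the very instance the factory produced (identity, not mere equality).
 */
public function testGetRootOid()
{
    $oid = new ObjectIdentity('test', 'test');
    $this->objectIdentityFactory->expects($this->once())
        ->method('root')
        ->with($this->equalTo('test'))
        ->will($this->returnValue($oid));

    // assertSame checks identity and reports both operands on failure,
    // unlike assertTrue() on a bare === comparison.
    $this->assertSame($oid, $this->manager->getRootOid('test'));
}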
/**
 * Grants the broadest available mask on every extension's root OID to $sid.
 *
 * For each mask builder of each ACL extension the granted mask is GROUP_SYSTEM when
 * the builder defines it and GROUP_ALL otherwise.
 *
 * @param AclManager $aclManager
 * @param SecurityIdentityInterface $sid
 */
protected function setPermissionGroup(AclManager $aclManager, SecurityIdentityInterface $sid)
{
    foreach ($aclManager->getAllExtensions() as $aclExtension) {
        $rootIdentity = $aclManager->getRootOid($aclExtension->getExtensionKey());
        foreach ($aclExtension->getAllMaskBuilders() as $builder) {
            // system-level group when available, otherwise the "all" group
            $groupName = $builder->hasConst('GROUP_SYSTEM') ? 'GROUP_SYSTEM' : 'GROUP_ALL';
            $aclManager->setPermission($sid, $rootIdentity, $builder->getConst($groupName), true);
        }
    }
}
/**
 * Grants the mask named by $group on the extension's root OID to $sid.
 *
 * Only the first mask builder of $extension that defines the constant $group is used;
 * once its mask has been granted the remaining builders are not visited. When no
 * builder defines $group, nothing is granted and no error is raised.
 *
 * @param AclManager $aclManager
 * @param AclExtensionInterface $extension
 * @param SecurityIdentityInterface $sid
 * @param string $group
 */
protected function setPermissionGroup(AclManager $aclManager, AclExtensionInterface $extension, SecurityIdentityInterface $sid, $group)
{
    $rootIdentity = $aclManager->getRootOid($extension->getExtensionKey());
    foreach ($extension->getAllMaskBuilders() as $builder) {
        if (!$builder->hasConst($group)) {
            continue;
        }
        $aclManager->setPermission($sid, $rootIdentity, $builder->getConst($group), true);
        // the first builder that knows the group wins
        break;
    }
}