/**
 * Load the ACL per role: grants a full-access mask on every ACL extension's root OID.
 *
 * The anonymous role is skipped. For every other role, each mask builder of each
 * extension contributes GROUP_SYSTEM when the builder defines it, GROUP_ALL otherwise.
 *
 * @param Role $role
 */
protected function loadAcls(Role $role)
{
    if ($role->getRole() === User::ROLE_ANONYMOUS) {
        return;
    }

    $securityIdentity = $this->aclManager->getSid($role);

    foreach ($this->aclManager->getAllExtensions() as $aclExtension) {
        $rootIdentity = $this->aclManager->getRootOid($aclExtension->getExtensionKey());

        foreach ($aclExtension->getAllMaskBuilders() as $builder) {
            if ($builder->hasConst('GROUP_SYSTEM')) {
                $mask = $builder->getConst('GROUP_SYSTEM');
            } else {
                $mask = $builder->getConst('GROUP_ALL');
            }

            // The trailing boolean is forwarded as-is; its meaning is defined by AclManager::setPermission.
            $this->aclManager->setPermission($securityIdentity, $rootIdentity, $mask, true);
        }
    }
}
/**
 * Grants system-level VIEW, CREATE and EDIT on the Email entity to the administrator role.
 *
 * @param AclManager $manager
 */
protected function updateUserRole(AclManager $manager)
{
    $administratorRole = $this->getRole(LoadRolesData::ROLE_ADMINISTRATOR);
    $sid = $manager->getSid($administratorRole);
    $emailOid = $manager->getOid('entity:Oro\\Bundle\\EmailBundle\\Entity\\Email');

    $builder = $manager->getMaskBuilder($emailOid);
    foreach (['VIEW_SYSTEM', 'CREATE_SYSTEM', 'EDIT_SYSTEM'] as $permission) {
        $builder = $builder->add($permission);
    }

    $manager->setPermission($sid, $emailOid, $builder->get());
}
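/**
 * Persists the privileges submitted in the form's "privileges" field for the given role.
 *
 * The field carries a JSON document keyed by privilege-config field name; each entry is a
 * list of privileges with an `identity` (`id`, `name`) and a `permissions` map whose values
 * carry `name` and `accessLevel`. Every privilege is tagged with this form's ACL group, the
 * whole set is saved through the privilege repository, and the ACL cache is cleared.
 *
 * An empty submission (null or '') is treated as "no privileges", exactly as before. A
 * non-empty payload that does not decode to an array now fails with an exception instead
 * of silently saving an empty privilege set for the role.
 *
 * @param AbstractRole $role
 *
 * @throws \InvalidArgumentException when the submitted JSON cannot be decoded to an array,
 *                                   or a configured field does not hold a list
 */
protected function processPrivileges(AbstractRole $role)
{
    $rawPrivileges = $this->form->get('privileges')->getData();
    if (null === $rawPrivileges || '' === $rawPrivileges) {
        $decodedPrivileges = [];
    } else {
        $decodedPrivileges = json_decode($rawPrivileges, true);
        // Fail closed: the save below replaces what is stored for the role, so a corrupt
        // payload must not be interpreted as "remove every privilege".
        if (!is_array($decodedPrivileges)) {
            throw new \InvalidArgumentException(
                sprintf('Submitted privileges must decode to a JSON array or object (json_decode error %d)', json_last_error())
            );
        }
    }

    $formPrivileges = [];
    foreach ($this->privilegeConfig as $fieldName => $config) {
        // A field absent from the payload contributes no privileges (same outcome as before, without warnings).
        $privilegesArray = isset($decodedPrivileges[$fieldName]) ? $decodedPrivileges[$fieldName] : [];
        if (!is_array($privilegesArray)) {
            throw new \InvalidArgumentException(sprintf('Privileges for field "%s" must be a list', $fieldName));
        }

        $privileges = [];
        foreach ($privilegesArray as $privilege) {
            $aclPrivilege = new AclPrivilege();
            foreach ($privilege['permissions'] as $permission) {
                $aclPrivilege->addPermission(new AclPermission($permission['name'], $permission['accessLevel']));
            }
            $aclPrivilege->setIdentity(
                new AclPrivilegeIdentity($privilege['identity']['id'], $privilege['identity']['name'])
            );
            $privileges[] = $aclPrivilege;
        }

        if ($config['fix_values']) {
            // Called for its effect on $privileges; the return value is not used.
            $this->fxPrivilegeValue($privileges, $config['default_value']);
        }

        $formPrivileges = array_merge($formPrivileges, $privileges);
    }

    foreach ($formPrivileges as $formPrivilege) {
        $formPrivilege->setGroup($this->getAclGroup());
    }

    $this->privilegeRepository->savePrivileges(
        $this->aclManager->getSid($role),
        new ArrayCollection($formPrivileges)
    );
    $this->aclCache->clearCache();
}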
/**
 * Grants the manager role system-level VIEW, CREATE, EDIT and DELETE on CalendarEvent
 * (grant to manage own calendar events).
 *
 * @param AclManager $manager
 */
protected function updateManagerRole(AclManager $manager)
{
    $managerRole = $this->getRole(LoadRolesData::ROLE_MANAGER);
    $sid = $manager->getSid($managerRole);

    $eventOid = $manager->getOid('entity:Oro\\Bundle\\CalendarBundle\\Entity\\CalendarEvent');
    $builder = $manager->getMaskBuilder($eventOid);
    foreach (['VIEW_SYSTEM', 'CREATE_SYSTEM', 'EDIT_SYSTEM', 'DELETE_SYSTEM'] as $permission) {
        $builder = $builder->add($permission);
    }

    $manager->setPermission($sid, $eventOid, $builder->get());
}
/**
 * Collects the privileges submitted for each configured form field and saves them
 * for the given role through the ACL manager's privilege repository.
 *
 * @param Role $role
 */
protected function processPrivileges(Role $role)
{
    $collected = [];
    foreach (array_keys($this->privilegeConfig) as $fieldName) {
        $submitted = $this->form->get($fieldName)->getData();
        $collected = array_merge($collected, $submitted);
    }

    $repository = $this->aclManager->getPrivilegeRepository();
    $sid = $this->aclManager->getSid($role);
    $repository->savePrivileges($sid, new ArrayCollection($collected));
}
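/**
 * Grants basic-level VIEW, CREATE and EDIT on EmailUser to the online sales rep,
 * marketing manager and leads development rep roles.
 *
 * @param AclManager $manager
 */
protected function updateUserRole(AclManager $manager)
{
    $roles = ['ROLE_ONLINE_SALES_REP', 'ROLE_MARKETING_MANAGER', 'ROLE_LEADS_DEVELOPMENT_REP'];
    $permissions = ['VIEW_BASIC', 'CREATE_BASIC', 'EDIT_BASIC'];

    // The target OID does not depend on the role, so it is resolved once rather than per role.
    $oid = $manager->getOid('entity:Oro\\Bundle\\EmailBundle\\Entity\\EmailUser');

    foreach ($roles as $roleName) {
        $sid = $manager->getSid($this->getRole($roleName));

        // The builder is still requested per role, as before, in case the manager hands out shared state.
        $maskBuilder = $manager->getMaskBuilder($oid);
        foreach ($permissions as $permission) {
            $maskBuilder = $maskBuilder->add($permission);
        }

        $manager->setPermission($sid, $oid, $maskBuilder->get());
    }
}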
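/**
 * Grants basic-level VIEW, CREATE and EDIT on EmailUser to the user and manager roles.
 *
 * @param AclManager $manager
 */
protected function updateUserRole(AclManager $manager)
{
    $roles = [LoadRolesData::ROLE_USER, LoadRolesData::ROLE_MANAGER];
    $permissions = ['VIEW_BASIC', 'CREATE_BASIC', 'EDIT_BASIC'];

    // The target OID does not depend on the role, so it is resolved once rather than per role.
    $oid = $manager->getOid('entity:Oro\\Bundle\\EmailBundle\\Entity\\EmailUser');

    foreach ($roles as $roleName) {
        $sid = $manager->getSid($this->getRole($roleName));

        // The builder is still requested per role, as before, in case the manager hands out shared state.
        $maskBuilder = $manager->getMaskBuilder($oid);
        foreach ($permissions as $permission) {
            $maskBuilder = $maskBuilder->add($permission);
        }

        $manager->setPermission($sid, $oid, $maskBuilder->get());
    }
}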
/**
 * Load the ACL per role: grants a full-access mask on every ACL extension's root OID.
 *
 * Each mask builder of each extension contributes GROUP_SYSTEM when the builder
 * defines it, GROUP_ALL otherwise.
 *
 * @param AclManager $manager
 * @param Role $role
 *
 * @see Oro\Bundle\SecurityBundle\DataFixtures\ORM\LoadAclRoles
 */
protected function loadAcls(AclManager $manager, Role $role)
{
    $securityIdentity = $manager->getSid($role);

    foreach ($manager->getAllExtensions() as $aclExtension) {
        $rootIdentity = $manager->getRootOid($aclExtension->getExtensionKey());

        foreach ($aclExtension->getAllMaskBuilders() as $builder) {
            $constName = $builder->hasConst('GROUP_SYSTEM') ? 'GROUP_SYSTEM' : 'GROUP_ALL';
            $mask = $builder->getConst($constName);

            // The trailing boolean is forwarded as-is; its meaning is defined by AclManager::setPermission.
            $manager->setPermission($securityIdentity, $rootIdentity, $mask, true);
        }
    }
}
/**
 * Collects the privileges submitted for each configured form field, applies
 * fxPrivilegeValue with the configured default_value to fields flagged fix_values,
 * and saves the result for the given role.
 *
 * @param Role $role
 */
protected function processPrivileges(Role $role)
{
    $collected = [];
    foreach ($this->privilegeConfig as $fieldName => $fieldConfig) {
        $submitted = $this->form->get($fieldName)->getData();

        if ($fieldConfig['fix_values']) {
            // Called for its effect on $submitted; the return value is not used.
            $this->fxPrivilegeValue($submitted, $fieldConfig['default_value']);
        }

        $collected = array_merge($collected, $submitted);
    }

    $sid = $this->aclManager->getSid($role);
    $this->privilegeRepository->savePrivileges($sid, new ArrayCollection($collected));
}
/**
 * Grants the manager role system-level calendar permissions: VIEW on CalendarConnection
 * and VIEW/CREATE/EDIT/DELETE on CalendarEvent.
 *
 * @param AclManager $manager
 */
protected function updateManagerRole(AclManager $manager)
{
    $sid = $manager->getSid($this->getReference('manager_role'));

    // Grants are applied in this order; the key is the OID descriptor, the value the permissions to add.
    $grants = [
        // grant to view other user's calendar for the same business unit
        'entity:Oro\\Bundle\\CalendarBundle\\Entity\\CalendarConnection' => ['VIEW_SYSTEM'],
        // grant to manage own calendar events
        'entity:Oro\\Bundle\\CalendarBundle\\Entity\\CalendarEvent' => [
            'VIEW_SYSTEM',
            'CREATE_SYSTEM',
            'EDIT_SYSTEM',
            'DELETE_SYSTEM',
        ],
    ];

    foreach ($grants as $descriptor => $permissions) {
        $oid = $manager->getOid($descriptor);
        $builder = $manager->getMaskBuilder($oid);
        foreach ($permissions as $permission) {
            $builder = $builder->add($permission);
        }
        $manager->setPermission($sid, $oid, $builder->get());
    }
}
/**
 * Checks whether the logged-in user's roles grant $requiredMask on $oid.
 *
 * Walks the user's roles and loads the ACEs for (sid, oid). When an OID has no ACEs and is
 * not the root identity, the check is retried on the root OID with GROUP_SYSTEM. The first
 * ACE of the selected extension whose service bits match the required mask decides the
 * outcome according to its granting strategy (ALL / ANY / EQUAL).
 *
 * @param ObjectIdentity $oid
 * @param string $class        class name; instantiated to adapt root-level ACE masks
 * @param int $requiredMask
 * @return bool
 *
 * @see \Oro\Bundle\SecurityBundle\Acl\Domain\PermissionGrantingStrategy::isAceApplicable
 * @SuppressWarnings(PHPMD.CyclomaticComplexity)
 * @SuppressWarnings(PHPMD.NPathComplexity)
 */
private function isGrantedOidMask(ObjectIdentity $oid, $class, $requiredMask)
{
    // No authenticated user: nothing is granted.
    if (null === ($loggedUser = $this->getLoggedUser())) {
        return false;
    }
    $extension = $this->aclManager->getExtensionSelector()->select($oid);
    foreach ($loggedUser->getRoles() as $role) {
        $sid = $this->aclManager->getSid($role);
        $aces = $this->aclManager->getAces($sid, $oid);
        if (!$aces && $oid->getType() !== ObjectIdentityFactory::ROOT_IDENTITY_TYPE) {
            // NOTE(review): this returns for the first role that has no ACEs on $oid, so the
            // remaining roles of the same user are never consulted for this OID — confirm intended.
            $rootOid = $this->aclManager->getRootOid($oid);
            return $this->isGrantedOidMask($rootOid, $class, EntityMaskBuilder::GROUP_SYSTEM);
        }
        foreach ($aces as $ace) {
            // Only ACEs belonging to the extension selected for this OID are considered.
            if ($ace->getAcl()->getObjectIdentity()->getIdentifier() !== $extension->getExtensionKey()) {
                continue;
            }
            $aceMask = $ace->getMask();
            if ($oid->getType() === ObjectIdentityFactory::ROOT_IDENTITY_TYPE) {
                // NOTE(review): $class is instantiated dynamically here; it must come from trusted
                // configuration rather than request input — verify at the callers.
                $aceMask = $extension->adaptRootMask($aceMask, new $class());
            }
            if ($extension->getServiceBits($requiredMask) !== $extension->getServiceBits($aceMask)) {
                continue;
            }
            // NOTE(review): $requiredMask is overwritten with its service bits stripped. If none of
            // the strategies below matches and the loop moves on, the next ACE's service-bit
            // comparison sees the stripped value — check whether that fall-through can occur.
            $requiredMask = $extension->removeServiceBits($requiredMask);
            $aceMask = $extension->removeServiceBits($aceMask);
            $strategy = $ace->getStrategy();
            if (PermissionGrantingStrategy::ALL === $strategy) {
                // every required bit must be present in the ACE
                return $requiredMask === ($aceMask & $requiredMask);
            } elseif (PermissionGrantingStrategy::ANY === $strategy) {
                // at least one required bit must be present
                return 0 !== ($aceMask & $requiredMask);
            } elseif (PermissionGrantingStrategy::EQUAL === $strategy) {
                // masks must be identical
                return $requiredMask === $aceMask;
            }
        }
    }
    return false;
}
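/**
 * Grants the buyer role basic-level VIEW, CREATE, EDIT and DELETE on the shopping list entity.
 *
 * Nothing is written when ACLs are disabled. For each EntityAclExtension the ownership
 * metadata provider chain is put into frontend emulation for the duration of the OID and
 * mask resolution and the permission write, and is always taken out of emulation
 * afterwards — also when one of those calls throws.
 *
 * @param ObjectManager $manager
 * @param AclManager $aclManager
 */
protected function setBuyerShoppingListPermissions(ObjectManager $manager, AclManager $aclManager)
{
    $chainMetadataProvider = $this->container->get('oro_security.owner.metadata_provider.chain');
    $allowedAcls = ['VIEW_BASIC', 'CREATE_BASIC', 'EDIT_BASIC', 'DELETE_BASIC'];
    $role = $this->getBuyerRole($manager);

    if (!$aclManager->isAclEnabled()) {
        return;
    }

    $sid = $aclManager->getSid($role);
    $className = $this->container->getParameter('orob2b_shopping_list.entity.shopping_list.class');

    foreach ($aclManager->getAllExtensions() as $extension) {
        if (!$extension instanceof EntityAclExtension) {
            continue;
        }

        $chainMetadataProvider->startProviderEmulation(FrontendOwnershipMetadataProvider::ALIAS);
        try {
            $oid = $aclManager->getOid('entity:' . $className);
            $builder = $aclManager->getMaskBuilder($oid);
            // Start from an empty mask; relies on add() accumulating on the same builder,
            // so the last get() holds the union of all allowed permissions.
            $mask = $builder->reset()->get();
            foreach ($allowedAcls as $acl) {
                $mask = $builder->add($acl)->get();
            }
            $aclManager->setPermission($sid, $oid, $mask);
        } finally {
            // Leave emulation even if resolving the OID or writing the ACE throws, so the
            // frontend ownership provider is not left active for whatever runs next.
            $chainMetadataProvider->stopProviderEmulation();
        }
    }
}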
/**
 * Grants the default user role its baseline mask on every ACL extension's root OID.
 *
 * Builders that define GROUP_BASIC receive MASK_VIEW_SYSTEM when they define it and
 * GROUP_BASIC otherwise; builders without GROUP_BASIC receive GROUP_NONE.
 *
 * @param AclManager $manager
 */
protected function loadUserRole(AclManager $manager)
{
    $userRole = $this->getRole(LoadRolesData::ROLE_USER);
    $sid = $manager->getSid($userRole);

    foreach ($manager->getAllExtensions() as $aclExtension) {
        $rootIdentity = $manager->getRootOid($aclExtension->getExtensionKey());

        foreach ($aclExtension->getAllMaskBuilders() as $builder) {
            if (!$builder->hasConst('GROUP_BASIC')) {
                $mask = $builder->getConst('GROUP_NONE');
            } elseif ($builder->hasConst('MASK_VIEW_SYSTEM')) {
                /* @todo now only SYSTEM level is supported
                   | MASK_CREATE_BASIC | MASK_EDIT_BASIC | MASK_DELETE_BASIC
                   | MASK_ASSIGN_BASIC | MASK_SHARE_BASIC */
                $mask = $builder->getConst('MASK_VIEW_SYSTEM');
            } else {
                $mask = $builder->getConst('GROUP_BASIC');
            }

            // The trailing boolean is forwarded as-is; its meaning is defined by AclManager::setPermission.
            $manager->setPermission($sid, $rootIdentity, $mask, true);
        }
    }
}
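/**
 * Grants the given account user role the listed permissions on $className.
 *
 * Nothing is written when ACLs are disabled. For each EntityAclExtension the ownership
 * metadata provider chain is put into frontend emulation for the duration of the OID and
 * mask resolution and the permission write, and is always taken out of emulation
 * afterwards — also when one of those calls throws.
 *
 * @param AclManager $aclManager
 * @param AccountUserRole $role
 * @param string $className   entity class the permissions apply to (used as "entity:<class>" OID)
 * @param array $allowedAcls  permission names accepted by the mask builder's add()
 */
protected function setRolePermissions(AclManager $aclManager, AccountUserRole $role, $className, array $allowedAcls)
{
    /* @var $chainMetadataProvider ChainMetadataProvider */
    $chainMetadataProvider = $this->container->get('oro_security.owner.metadata_provider.chain');

    if (!$aclManager->isAclEnabled()) {
        return;
    }

    $sid = $aclManager->getSid($role);

    foreach ($aclManager->getAllExtensions() as $extension) {
        if (!$extension instanceof EntityAclExtension) {
            continue;
        }

        $chainMetadataProvider->startProviderEmulation(FrontendOwnershipMetadataProvider::ALIAS);
        try {
            $oid = $aclManager->getOid('entity:' . $className);
            $builder = $aclManager->getMaskBuilder($oid);
            // Start from an empty mask; relies on add() accumulating on the same builder,
            // so the last get() holds the union of all allowed permissions (empty mask when none).
            $mask = $builder->reset()->get();
            foreach ($allowedAcls as $acl) {
                $mask = $builder->add($acl)->get();
            }
            $aclManager->setPermission($sid, $oid, $mask);
        } finally {
            // Leave emulation even if resolving the OID or writing the ACE throws, so the
            // frontend ownership provider is not left active for whatever runs next.
            $chainMetadataProvider->stopProviderEmulation();
        }
    }
}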
/**
 * Creates the buyer role, registers it as a website default role and, when ACLs are
 * enabled, sets GROUP_NONE for it on every ACL extension.
 *
 * @param ObjectManager $manager
 * @param AclManager $aclManager
 * @return AccountUserRole
 */
protected function createBuyerRole(ObjectManager $manager, AclManager $aclManager)
{
    $buyerRole = $this->createEntity(self::BUYER, $this->defaultRoles[self::BUYER]);
    $this->setWebsiteDefaultRoles($manager, $buyerRole);

    if (!$aclManager->isAclEnabled()) {
        return $buyerRole;
    }

    $sid = $aclManager->getSid($buyerRole);
    foreach ($aclManager->getAllExtensions() as $aclExtension) {
        $this->setPermissionGroup($aclManager, $aclExtension, $sid, 'GROUP_NONE');
    }

    return $buyerRole;
}