예제 #1
 /**
  * Builds the AclPermission for a single permission name of a privilege.
  *
  * The access level is resolved by the ACL extension from the mask, the
  * permission name and the id of the privilege's identity.
  *
  * @param AclExtensionInterface $extension  extension asked for the access level
  * @param string                $permission permission name
  * @param string                $mask       ACL mask handed to the extension
  * @param AclPrivilege          $privilege  privilege whose identity id is passed to the extension
  * @return AclPermission
  */
 protected function getAclPermission(AclExtensionInterface $extension, $permission, $mask, AclPrivilege $privilege)
 {
     $identityId = $privilege->getIdentity()->getId();
     $accessLevel = $extension->getAccessLevel($mask, $permission, $identityId);

     return new AclPermission($permission, $accessLevel);
 }
예제 #2
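 /**
  * Rebuilds the role's ACL privileges from the submitted "privileges" form field,
  * saves them for the SID the ACL manager returns for $role, and clears the ACL cache.
  *
  * The field holds a JSON document keyed by the field names of $this->privilegeConfig.
  * Because it arrives with the submitted form, its structure is checked before anything
  * is saved: a payload that does not decode to an array, or an entry with the wrong
  * shape, is rejected instead of being persisted as an empty or partial privilege set.
  *
  * @param AbstractRole $role role whose privileges are replaced
  *
  * @throws \InvalidArgumentException when the submitted payload is malformed
  */
 protected function processPrivileges(AbstractRole $role)
 {
     $decodedPrivileges = json_decode($this->form->get('privileges')->getData(), true);
     if (!is_array($decodedPrivileges)) {
         // json_decode() yields null on invalid JSON; fail before the repository is touched.
         throw new \InvalidArgumentException('The submitted privileges are not a valid JSON document.');
     }

     $formPrivileges = [];
     foreach ($this->privilegeConfig as $fieldName => $config) {
         // A field that was not submitted contributes no privileges.
         $privilegesArray = isset($decodedPrivileges[$fieldName]) ? $decodedPrivileges[$fieldName] : [];
         if (!is_array($privilegesArray)) {
             throw new \InvalidArgumentException(sprintf('Privileges for "%s" must be a list.', $fieldName));
         }

         $privileges = [];
         foreach ($privilegesArray as $privilege) {
             if (!is_array($privilege)
                 || !isset($privilege['identity']['id'])
                 || !isset($privilege['permissions'])
                 || !is_array($privilege['permissions'])
             ) {
                 throw new \InvalidArgumentException(
                     sprintf('A privilege entry for "%s" lacks an identity id or a permission list.', $fieldName)
                 );
             }

             $aclPrivilege = new AclPrivilege();
             foreach ($privilege['permissions'] as $permission) {
                 if (!is_array($permission)
                     || !isset($permission['name'])
                     || !array_key_exists('accessLevel', $permission)
                 ) {
                     throw new \InvalidArgumentException(
                         sprintf('A permission entry for "%s" lacks a name or an access level.', $fieldName)
                     );
                 }
                 // NOTE(review): name and accessLevel are taken from the client payload as-is.
                 // Whether savePrivileges() restricts them to values the submitting user may
                 // grant is not visible from this method; confirm before relying on it.
                 $aclPrivilege->addPermission(new AclPermission($permission['name'], $permission['accessLevel']));
             }

             $identityName = isset($privilege['identity']['name']) ? $privilege['identity']['name'] : null;
             $aclPrivilege->setIdentity(new AclPrivilegeIdentity($privilege['identity']['id'], $identityName));
             $privileges[] = $aclPrivilege;
         }

         if ($config['fix_values']) {
             $this->fxPrivilegeValue($privileges, $config['default_value']);
         }
         $formPrivileges = array_merge($formPrivileges, $privileges);
     }

     foreach ($formPrivileges as $formPrivilege) {
         $formPrivilege->setGroup($this->getAclGroup());
     }

     $this->privilegeRepository->savePrivileges($this->aclManager->getSid($role), new ArrayCollection($formPrivileges));
     // Cached ACL data would otherwise keep reflecting the previous privileges.
     $this->aclCache->clearCache();
 }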
 /**
  * Creates an AclPrivilege for the given identity id and fills it with permissions.
  *
  * @param  string       $id          id given to the privilege's AclPrivilegeIdentity
  * @param  array        $permissions map of permission name => access level
  * @return AclPrivilege
  */
 public static function getPrivilege($id, array $permissions)
 {
     $identity = new AclPrivilegeIdentity($id);

     $result = new AclPrivilege();
     $result->setIdentity($identity);

     // One AclPermission per entry, in the order the map was given.
     foreach ($permissions as $permissionName => $level) {
         $aclPermission = new AclPermission($permissionName, $level);
         $result->addPermission($aclPermission);
     }

     return $result;
 }
예제 #4
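 /**
  * Gives the BUYER account-user role the same access level for VIEW, CREATE, EDIT,
  * DELETE and ASSIGN on the RFP Request entity.
  *
  * The frontend ownership metadata provider is emulated while the privileges are
  * looked up and saved. The emulation is stopped in a finally block so that a failure
  * in between does not leave it active for whatever runs next.
  *
  * @param int $level access level applied to every permission
  */
 protected function setRolePermissions($level)
 {
     $chainMetadataProvider = $this->getContainer()->get('oro_security.owner.metadata_provider.chain');
     $chainMetadataProvider->startProviderEmulation(FrontendOwnershipMetadataProvider::ALIAS);

     try {
         $role = $this->getContainer()
             ->get('doctrine')
             ->getManagerForClass('OroB2BCustomerBundle:AccountUserRole')
             ->getRepository('OroB2BCustomerBundle:AccountUserRole')
             ->findOneBy(['role' => LoadAccountUsersData::BUYER]);

         $aclPrivilege = new AclPrivilege();
         $aclPrivilege->setIdentity(
             new AclPrivilegeIdentity(
                 'entity:OroB2B\\Bundle\\RFPBundle\\Entity\\Request',
                 'orob2b.rfp.request.entity_label'
             )
         );

         foreach (['VIEW', 'CREATE', 'EDIT', 'DELETE', 'ASSIGN'] as $permissionName) {
             $aclPrivilege->addPermission(new AclPermission($permissionName, $level));
         }

         $this->getContainer()->get('oro_security.acl.privilege_repository')->savePrivileges(
             $this->getContainer()->get('oro_security.acl.manager')->getSid($role),
             new ArrayCollection([$aclPrivilege])
         );
     } finally {
         $chainMetadataProvider->stopProviderEmulation();
     }
 }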
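 /**
  * Adds permissions to the given $privilege based on the given ACEs.
  * The $permissions argument is used to filter privileges for the given permissions only.
  *
  * Only granting ACEs are considered. A permission already present on the privilege is
  * never overwritten, so the first ACE that yields a permission decides its access level.
  * An ACE whose mask is 0 after removeServiceBits() adds every requested permission that
  * is still missing with AccessLevel::NONE_LEVEL.
  *
  * @param AclPrivilege $privilege
  * @param string[] $permissions permission names that may be added
  * @param EntryInterface[] $aces
  * @param AclExtensionInterface $extension
  * @param bool $itIsRootAcl when true, each mask is first passed through adaptRootMask()
  */
 protected function addAcesPermissions(AclPrivilege $privilege, array $permissions, array $aces, AclExtensionInterface $extension, $itIsRootAcl = false)
 {
     foreach ($aces as $ace) {
         if (!$ace->isGranting()) {
             // denying ACE is not supported
             continue;
         }

         $mask = $ace->getMask();
         if ($itIsRootAcl) {
             $mask = $extension->adaptRootMask($mask, $privilege->getIdentity()->getId());
         }

         if ($extension->removeServiceBits($mask) === 0) {
             foreach ($permissions as $permission) {
                 if (!$privilege->hasPermission($permission)) {
                     $privilege->addPermission(new AclPermission($permission, AccessLevel::NONE_LEVEL));
                 }
             }
             continue;
         }

         foreach ($extension->getPermissions($mask) as $permission) {
             // Strict comparison keeps the allow-list filter exact; a loose in_array() can
             // match values of different types. Assumes getPermissions() returns string
             // names like $permissions does (TODO confirm against the extension).
             if (!$privilege->hasPermission($permission) && in_array($permission, $permissions, true)) {
                 $privilege->addPermission(new AclPermission($permission, $extension->getAccessLevel($mask, $permission)));
             }
         }
     }
 }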
 /**
  * Creates an AclPrivilege carrying the given extension key and identity.
  *
  * @param string $extensionKey key set on the privilege via setExtensionKey()
  * @param string $id           identity id
  * @param string $name         identity name
  * @return AclPrivilege
  */
 protected function createPrivilege($extensionKey, $id, $name)
 {
     $result = new AclPrivilege();
     $result->setExtensionKey($extensionKey);

     $identity = new AclPrivilegeIdentity($id, $name);
     $result->setIdentity($identity);

     return $result;
 }
예제 #7
 /**
  * Saves a VIEW permission with the given access level for $this->role on the
  * object described by $identity.
  *
  * @param int $level access level of the VIEW permission
  * @param AclPrivilegeIdentity $identity identity the privilege is created for
  */
 protected function setRolePermissions($level, AclPrivilegeIdentity $identity)
 {
     $privilege = new AclPrivilege();
     $privilege->setIdentity($identity);
     // VIEW is the only permission this helper sets.
     $privilege->addPermission(new AclPermission('VIEW', $level));

     $repository = $this->getContainer()->get('oro_security.acl.privilege_repository');
     $sid = $this->getContainer()->get('oro_security.acl.manager')->getSid($this->role);

     $repository->savePrivileges($sid, new ArrayCollection([$privilege]));
 }
예제 #8
 /**
  * Checks that AclPrivilege reports its permissions correctly when empty,
  * after one permission is added, and after that permission is removed again.
  */
 public function testPermissions()
 {
     $privilege = new AclPrivilege();

     // A new privilege holds no permissions.
     $this->assertFalse($privilege->hasPermissions());
     $this->assertFalse($privilege->hasPermission('VIEW'));
     $this->assertEquals(0, $privilege->getPermissionCount());

     // After adding VIEW, only VIEW is reported.
     $viewPermission = new AclPermission('VIEW', AccessLevel::BASIC_LEVEL);
     $privilege->addPermission($viewPermission);
     $this->assertTrue($privilege->hasPermissions());
     $this->assertTrue($privilege->hasPermission('VIEW'));
     $this->assertFalse($privilege->hasPermission('Another'));
     $this->assertEquals(1, $privilege->getPermissionCount());

     // Removing it leaves the privilege empty again.
     $privilege->removePermission($viewPermission);
     $this->assertFalse($privilege->hasPermissions());
     $this->assertFalse($privilege->hasPermission('VIEW'));
     $this->assertEquals(0, $privilege->getPermissionCount());
 }