/**
 * Add ACL check to API get list query criteria
 *
 * The ACL is resolved from the current request; when none is resolved, or
 * when it targets a different class than the event, the criteria are left
 * untouched.
 *
 * @param GetListBefore $event
 */
public function onGetListBefore(GetListBefore $event)
{
    $acl = $this->securityFacade->getRequestAcl($this->request, true);
    if (!$acl) {
        return;
    }
    if ($event->getClassName() !== $acl->getClass()) {
        return;
    }

    $restricted = $this->aclHelper->applyAclToCriteria(
        $event->getClassName(),
        $event->getCriteria(),
        $acl->getPermission()
    );
    $event->setCriteria($restricted);
}
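/**
 * Stores the object in the request.
 *
 * After the parent converter has stored the object, the security facade is
 * asked whether the request's ACL grants access to it. The
 * "_oro_access_checked" request attribute records whether that check
 * explicitly passed, so downstream code can distinguish a granted object
 * from one that was never checked.
 *
 * @param Request $request
 * @param ConfigurationInterface $configuration
 * @return bool
 * @throws AccessDeniedException When User doesn't have permission to the object
 */
public function apply(Request $request, ConfigurationInterface $configuration)
{
    // Reset first so a value left by an earlier converter never survives this call.
    $request->attributes->set('_oro_access_checked', false);
    $isSet = parent::apply($request, $configuration);

    if (!$this->securityFacade || !$isSet) {
        return $isSet;
    }

    $object = $request->attributes->get($configuration->getName());
    if (!$object) {
        return $isSet;
    }

    // -1 means explicitly denied, 1 explicitly granted; any other value leaves
    // the "_oro_access_checked" flag false.
    $granted = $this->securityFacade->isRequestObjectIsGranted($request, $object);
    if ($granted === -1) {
        // getRequestAcl() may return null (other callers guard for it), so the
        // permission name is only read when an ACL was actually resolved; a
        // denied request must surface as AccessDeniedException, not a fatal
        // error on a null ACL.
        $acl = $this->securityFacade->getRequestAcl($request);
        $permission = $acl ? $acl->getPermission() : 'the required';
        throw new AccessDeniedException('You do not get ' . $permission . ' permission for this object');
    }
    if ($granted === 1) {
        $request->attributes->set('_oro_access_checked', true);
    }

    return $isSet;
}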
/**
 * A request whose "_controller" attribute does not resolve to an annotated
 * controller yields no ACL, and neither the annotation provider nor the
 * class resolver may be consulted on the way.
 */
public function testGeWrongRequestAcl()
{
    $request = new Request([], [], ['_controller' => 'wrong controller']);

    $this->annotationProvider->expects($this->never())->method('findAnnotation');
    foreach (['isEntity', 'getEntityClass'] as $resolverMethod) {
        $this->classResolver->expects($this->never())->method($resolverMethod);
    }

    $this->assertNull($this->facade->getRequestAcl($request, true));
}