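/**
 * Builds the user form.
 *
 * The "groups" choice list is restricted for non-admins: only groups whose
 * role is reachable from the current user's own roles (through the configured
 * security.role_hierarchy.roles) are offered, and ROLE_SYSTEM_ADMIN is never
 * offered. Because the list is produced by the entity type's query_builder,
 * Symfony validates submitted group ids against that same list, so the
 * restriction applies on submit and not only on display.
 *
 * The LDAP toggle is only added when the bundle config enables LDAP.
 *
 * @param FormBuilderInterface $builder the form builder
 * @param array                $options form options (not used here)
 */
public function buildForm(FormBuilderInterface $builder, array $options)
{
    $user = $builder->getData();
    $config = $this->container->getParameter('opit_opit_hrm_user');

    $builder->add('username', 'text', array('attr' => array('placeholder' => 'Username')));
    $builder->add('email', 'text', array('attr' => array('placeholder' => 'Email')));

    $builder->add('groups', 'entity', array(
        'class' => 'OpitOpitHrmUserBundle:Groups',
        'query_builder' => function (EntityRepository $er) {
            $securityContext = $this->container->get('security.context');
            $dq = $er->createQueryBuilder('g');

            if (!$securityContext->isGranted('ROLE_ADMIN')) {
                $roleHierarchy = new RoleHierarchy(
                    $this->container->getParameter('security.role_hierarchy.roles')
                );
                $reachable = $roleHierarchy->getReachableRoles(
                    $securityContext->getToken()->getRoles()
                );

                // Exclude ROLE_SYSTEM_ADMIN: by definition a system admin may
                // only assign roles lower than his highest role in the hierarchy.
                $allowedRoles = array();
                foreach ($reachable as $role) {
                    if ('ROLE_SYSTEM_ADMIN' !== $role->getRole()) {
                        $allowedRoles[] = $role->getRole();
                    }
                }

                if (array() === $allowedRoles) {
                    // "IN ()" is not valid; offer no groups at all instead.
                    $dq->where('1 = 0');
                } else {
                    $dq->where('g.role IN (:allowedRoles)');
                    $dq->setParameter(':allowedRoles', $allowedRoles);
                }
            }

            return $dq->orderBy('g.name', 'ASC');
        },
        'property' => 'name',
        'multiple' => true,
        'expanded' => true,
        'label_attr' => array('id' => 'idGroups'),
    ));

    $builder->add('isActive', 'choice', array(
        'choices' => $this->container->getParameter('opithrm_user_status'),
    ));

    // LDAP related inputs are only shown when LDAP is enabled in the config.
    if (isset($config['ldap']['enabled']) && true === $config['ldap']['enabled']) {
        $builder->add('ldapEnabled', 'choice', array(
            'choices' => array('No', 'Yes'),
            'multiple' => false,
            'expanded' => true,
            // Normalised to a plain boolean (index 0 = "No", 1 = "Yes").
            'data' => (bool) $user->isLdapEnabled(),
        ));
    }

    $builder->add('employee', new EmployeeType($this->container, $user->getEmployee()));
}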
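/**
 * Returns the vote for the given parameters.
 *
 * This method must return one of the following constants:
 * ACCESS_GRANTED, ACCESS_DENIED, or ACCESS_ABSTAIN.
 *
 * Decision rules, in order:
 *  - no real user on the token, or an unsupported object class: abstain;
 *  - no supported attribute at all: abstain;
 *  - a supported attribute and the user has ROLE_ADMIN: abstain (left to other voters);
 *  - a supported attribute reachable from one of the user's roles: grant;
 *  - otherwise: deny.
 *
 * NOTE(review): roles are read from the user object, not from the token, so
 * roles that exist only on the token (e.g. during impersonation) are not
 * considered here — confirm that this is intended.
 *
 * @param TokenInterface $token      A TokenInterface instance
 * @param object|null    $object     The object to secure
 * @param array          $attributes An array of attributes associated with the method being invoked
 *
 * @return int either ACCESS_GRANTED, ACCESS_ABSTAIN, or ACCESS_DENIED
 */
public function vote(TokenInterface $token, $object, array $attributes)
{
    $user = $token->getUser();
    if (!$user instanceof UserInterface) {
        return self::ACCESS_ABSTAIN;
    }

    if (!$object || !$this->supportsClass(get_class($object))) {
        return self::ACCESS_ABSTAIN;
    }

    // Abstain by default, in case none of the attributes is supported.
    $vote = self::ACCESS_ABSTAIN;

    foreach ($attributes as $attribute) {
        if (!$this->supportsAttribute($attribute)) {
            continue;
        }

        // From the first supported attribute on, the default is to deny:
        // access must be proven reachable below to be granted.
        $vote = self::ACCESS_DENIED;

        // ROLE_ADMIN is not decided by this voter.
        if ($user->hasRole('ROLE_ADMIN')) {
            return self::ACCESS_ABSTAIN;
        }

        // Assumes getRoles() returns role name strings (they are wrapped in Role).
        foreach ($user->getRoles() as $roleName) {
            $reachable = $this->roleHierarchy->getReachableRoles([new Role($roleName)]);
            foreach ($reachable as $node) {
                // Strict comparison: role names are strings, so no loose-equality surprises.
                if ($node->getRole() === $attribute) {
                    return self::ACCESS_GRANTED;
                }
            }
        }
    }

    return $vote;
}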
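/**
 * Stores the dependencies and initialises the parent with a hierarchy
 * produced by buildRolesTree().
 *
 * The hierarchy is not a constructor argument: it is built by
 * buildRolesTree(), which presumably reads $this->em (and possibly the
 * session), so the properties are assigned before it is called.
 *
 * @param EntityManager $em         entity manager the hierarchy is built from
 * @param mixed         $session    session object (optional; defaults to '')
 * @param string        $sessionKey session key (optional; defaults to '')
 */
public function __construct(EntityManager $em, $session = '', $sessionKey = '')
{
    $this->em = $em;
    $this->session = $session;
    $this->sessionKey = $sessionKey;

    parent::__construct($this->buildRolesTree());
}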
/**
 * Expands a user's roles through the role hierarchy.
 *
 * @param mixed $user object exposing getRoles(); assumed to return role name strings
 *
 * @return array the reachable Role objects, as returned by the role hierarchy
 */
private function getUserRolesArray($user)
{
    // Wrap every role name in a Role object (keys are preserved by array_map).
    $roleObjects = array_map(function ($name) {
        return new Role($name);
    }, $user->getRoles());

    return $this->roleHierarchy->getReachableRoles($roleObjects);
}
/**
 * Constructor.
 *
 * The given hierarchy maps a role to the roles it includes. It is inverted
 * here before being handed to the parent, so the parent's map is keyed by
 * the included role and lists every role that includes it.
 *
 * @param array $hierarchy An array defining the hierarchy
 */
public function __construct(array $hierarchy)
{
    $inverted = [];
    foreach ($hierarchy as $includer => $included) {
        foreach ($included as $member) {
            // Each included role remembers every role that lists it.
            $inverted[$member][] = $includer;
        }
    }

    // The parent builds its role map from the inverted hierarchy.
    parent::__construct($inverted);
}
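/**
 * Vote
 *
 * This function is automatically called by the framework
 *
 * You can call it manually within a Controller with an $object/$attributes as argument
 *
 * The default $attributes will be the roles required for the current URL
 *
 * Outcome: ROLE_BACKEND_ADMIN (reachable through the hierarchy) is always
 * granted. Otherwise only routes carrying a "sectionId" are decided, by the
 * section filter; any other route leaves the result untouched, so the voter
 * abstains unless a previous attribute was already denied.
 *
 * @param TokenInterface $token
 * @param object         $object
 * @param array          $attributes
 *
 * @return int
 */
public function vote(TokenInterface $token, $object, array $attributes)
{
    $result = VoterInterface::ACCESS_ABSTAIN;

    // Built once, on the first supported attribute: the reachable roles do
    // not depend on the attribute being voted on.
    $grantedRoles = null;

    foreach ($attributes as $attribute) {
        // Check if this Voter supports this Role
        if (!$this->supportsAttribute($attribute)) {
            continue;
        }

        if (null === $grantedRoles) {
            $roleHierarchy = new RoleHierarchy(
                $this->container->getParameter('security.role_hierarchy.roles')
            );
            $grantedRoles = $roleHierarchy->getReachableRoles($token->getRoles());
        }

        // ROLE_BACKEND_ADMIN has full access.
        // Can't use ->isGranted() here: it runs the voters again (infinite loop).
        foreach ($grantedRoles as $grantedRole) {
            if ('ROLE_BACKEND_ADMIN' === $grantedRole->getRole()) {
                return VoterInterface::ACCESS_GRANTED;
            }
        }

        // Match the current path. Sub-requests (_fragment) can be voted on
        // too and may not match any route; only ResourceNotFoundException is
        // swallowed, other router exceptions propagate.
        try {
            $route = $this->container->get('router')->match(
                $this->container->get('request')->getPathInfo()
            );
        } catch (ResourceNotFoundException $e) {
            continue;
        }

        // Only routes with a sectionId parameter are decided here.
        if (array_key_exists('sectionId', $route)) {
            if ($this->container->get('unifik_system.section_filter')->canAccess($route['sectionId'])) {
                return VoterInterface::ACCESS_GRANTED;
            }
            $result = VoterInterface::ACCESS_DENIED;
        }
    }

    return $result;
}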
/**
 * Checks that getReachableRoles() expands roles through the hierarchy and
 * keeps the expected order (assertEquals on indexed arrays is order-sensitive).
 */
public function testGetReachableRoles()
{
    $hierarchy = new RoleHierarchy(array(
        'ROLE_ADMIN' => array('ROLE_USER'),
        'ROLE_SUPER_ADMIN' => array('ROLE_ADMIN', 'ROLE_FOO'),
    ));

    $toRoles = function (array $names) {
        return array_map(function ($name) {
            return new Role($name);
        }, $names);
    };

    // Each case: roles given => reachable roles expected, in order.
    $cases = array(
        array(array('ROLE_USER'), array('ROLE_USER')),
        array(array('ROLE_FOO'), array('ROLE_FOO')),
        array(array('ROLE_ADMIN'), array('ROLE_ADMIN', 'ROLE_USER')),
        array(array('ROLE_FOO', 'ROLE_ADMIN'), array('ROLE_FOO', 'ROLE_ADMIN', 'ROLE_USER')),
        array(array('ROLE_SUPER_ADMIN'), array('ROLE_SUPER_ADMIN', 'ROLE_ADMIN', 'ROLE_FOO', 'ROLE_USER')),
    );

    foreach ($cases as $case) {
        list($given, $expected) = $case;
        $this->assertEquals($toRoles($expected), $hierarchy->getReachableRoles($toRoles($given)));
    }
}
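/**
 * Initialises the parent with a hierarchy produced by buildRolesTree().
 *
 * There is no hierarchy argument: the manager obtained from the Doctrine
 * registry is stored first, since buildRolesTree() presumably reads $this->em.
 *
 * @param Doctrine $doctrine Doctrine registry; its default manager is kept in $this->em
 */
public function __construct(Doctrine $doctrine)
{
    $this->em = $doctrine->getManager();

    parent::__construct($this->buildRolesTree());
}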
/**
 * Initialises the parent with the tree built by buildRolesTree() from the
 * static hierarchy.
 *
 * @param array                  $hierarchy the static role hierarchy handed to buildRolesTree()
 * @param EntityManagerInterface $em        entity manager, stored before the tree is built
 *                                          (buildRolesTree() presumably reads it)
 */
public function __construct(array $hierarchy, EntityManagerInterface $em)
{
    $this->em = $em;

    $tree = $this->buildRolesTree($hierarchy);
    parent::__construct($tree);
}
/**
 * Initialises the parent with the map produced by buildRolesTree().
 *
 * @param RoleManagerInterface $rm role manager, stored before the map is built
 *                                 (buildRolesTree() presumably reads $this->rm)
 */
public function __construct(RoleManagerInterface $rm)
{
    $this->rm = $rm;

    parent::__construct($this->buildRolesTree());
}
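/**
 * Initialises the parent with the group tree built from the static hierarchy.
 *
 * The object manager is stored before buildGroupTree() runs, since that
 * method presumably reads $this->objectManager.
 *
 * @param array         $staticHierarchy the statically configured role hierarchy
 * @param ObjectManager $objectManager   object manager used while building the tree
 */
public function __construct(array $staticHierarchy, ObjectManager $objectManager)
{
    $this->objectManager = $objectManager;

    parent::__construct($this->buildGroupTree($staticHierarchy));
}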