/**
 * Decides on a resource.
 *
 * The outcome can be forced through $this->overrideDecision: FALSE always denies,
 * TRUE always grants, and any other value defers to the parent implementation.
 *
 * @param string $resource The resource to decide on
 * @return void
 * @throws \TYPO3\Flow\Security\Exception\AccessDeniedException If access is not granted
 */
public function decideOnResource($resource) {
	$forcedDecision = $this->overrideDecision;
	if ($forcedDecision === TRUE) {
		// Forced grant: nothing left to check
		return;
	}
	if ($forcedDecision === FALSE) {
		// Forced denial, regardless of the configured policy
		throw new \TYPO3\Flow\Security\Exception\AccessDeniedException('Access denied (override)', 1291652709);
	}
	// No override set: use the regular decision
	parent::decideOnResource($resource);
}
/**
 * Shows the effective policy rules currently active in the system
 *
 * The roles are taken from the exceeding command line arguments and expanded
 * with their parent roles via the policy service. A DummyContext holding that
 * role set is handed to a fresh AccessDecisionVoterManager, and every
 * "Class->method" entry of the "acls" policy cache is evaluated through
 * decideOnJoinPoint() unless one of its resources carries a runtime evaluation.
 * The result is printed per class and method; nothing is returned.
 *
 * @param boolean $grantsOnly Only list methods effectively granted to the given roles
 * @return void
 */
public function showEffectivePolicyCommand($grantsOnly = FALSE) {
	$roles = array();
	// Role identifiers are the positional arguments beyond the declared ones
	$roleIdentifiers = $this->request->getExceedingArguments();
	if (empty($roleIdentifiers) === TRUE) {
		$this->outputLine('Please specify at leas one role, to calculate the effective privileges for!');
		// NOTE(review): assumes quit() ends the command; otherwise the code below runs with no roles
		$this->quit(1);
	}
	foreach ($roleIdentifiers as $roleIdentifier) {
		// Unknown role identifiers are skipped silently; only the count check below reports them
		if ($this->policyService->hasRole($roleIdentifier)) {
			$currentRole = $this->policyService->getRole($roleIdentifier);
			$roles[$roleIdentifier] = $currentRole;
			// Parent roles become part of the effective role set (first occurrence wins)
			foreach ($this->policyService->getAllParentRoles($currentRole) as $parentRoleIdentifier => $parentRole) {
				if (!isset($roles[$parentRoleIdentifier])) {
					$roles[$parentRoleIdentifier] = $parentRole;
				}
			}
		}
	}
	if (count($roles) === 0) {
		$this->outputLine('The specified role(s) do not exist.');
		$this->quit(1);
	}
	$this->outputLine(PHP_EOL . 'The following roles will be used for calculating the effective privileges (retrieved from the configured roles hierarchy):' . PHP_EOL);
	foreach ($roles as $roleIdentifier => $role) {
		$this->outputLine($roleIdentifier);
	}
	// Decisions are made against a throw-away security context that holds exactly the collected roles
	$dummySecurityContext = new DummyContext();
	$dummySecurityContext->setRoles($roles);
	$accessDecisionManager = new AccessDecisionVoterManager($this->objectManager, $dummySecurityContext);
	if ($this->policyCache->has('acls')) {
		$classes = array();
		$acls = $this->policyCache->get('acls');
		foreach ($acls as $classAndMethodName => $aclEntry) {
			// Only "Class->method" keys are handled; any other key is skipped
			if (strpos($classAndMethodName, '->') === FALSE) {
				continue;
			}
			list($className, $methodName) = explode('->', $classAndMethodName);
			// The cached names are presumably lower-cased: the object manager restores the
			// class name and reflection restores the method name (the first match wins)
			$className = $this->objectManager->getCaseSensitiveObjectName($className);
			$reflectionClass = new \ReflectionClass($className);
			foreach ($reflectionClass->getMethods() as $casSensitiveMethodName) {
				if ($methodName === strtolower($casSensitiveMethodName->getName())) {
					$methodName = $casSensitiveMethodName->getName();
					break;
				}
			}
			$runtimeEvaluationsInPlace = FALSE;
			foreach ($aclEntry as $role => $resources) {
				// NOTE(review): loose in_array() compares the role identifier string with the Role
				// objects stored as values — presumably relying on their string conversion. The
				// identifiers are the keys of $roles, so isset($roles[$role]) would check that directly.
				if (in_array($role, $roles) === FALSE) {
					continue;
				}
				if (!isset($classes[$className])) {
					$classes[$className] = array();
				}
				if (!isset($classes[$className][$methodName])) {
					$classes[$className][$methodName] = array();
					$classes[$className][$methodName]['resources'] = array();
				}
				foreach ($resources as $resourceName => $privilege) {
					$classes[$className][$methodName]['resources'][$resourceName] = $privilege;
					// A resource with a runtime evaluation cannot be decided statically (see below)
					if ($privilege['runtimeEvaluationsClosureCode'] !== FALSE) {
						$runtimeEvaluationsInPlace = TRUE;
					}
				}
			}
			if ($runtimeEvaluationsInPlace === FALSE) {
				// Ask the voter manager with a synthetic join point (no proxy, no arguments):
				// a denial surfaces as AccessDeniedException, no exception counts as granted.
				// Note that the entry is created here even when none of the given roles
				// appears in the ACL entry, which is why the printing below tolerates a
				// missing 'resources' key.
				try {
					$accessDecisionManager->decideOnJoinPoint(new JoinPoint(NULL, $className, $methodName, array()));
				} catch (AccessDeniedException $e) {
					$classes[$className][$methodName]['effectivePrivilege'] = $e->getMessage();
				}
				if (!isset($classes[$className][$methodName]['effectivePrivilege'])) {
					$classes[$className][$methodName]['effectivePrivilege'] = 'Access granted';
				}
			} else {
				$classes[$className][$methodName]['effectivePrivilege'] = 'Could not be calculated. 
Runtime evaluations in place!';
			}
		}
		foreach ($classes as $className => $methods) {
			$classNamePrinted = FALSE;
			foreach ($methods as $methodName => $resources) {
				// With $grantsOnly, methods whose effective privilege is not a grant are dropped entirely
				if ($grantsOnly === TRUE && $resources['effectivePrivilege'] !== 'Access granted') {
					continue;
				}
				// The class header is printed lazily so a fully filtered class produces no output
				if ($classNamePrinted === FALSE) {
					$this->outputLine(PHP_EOL . PHP_EOL . ' <b>' . $className . '</b>');
					$classNamePrinted = TRUE;
				}
				$this->outputLine(PHP_EOL . ' ' . $methodName);
				if (isset($resources['resources']) === TRUE && is_array($resources['resources']) === TRUE) {
					foreach ($resources['resources'] as $resourceName => $privilege) {
						// Per-resource vote of the ACL entry; unknown privilege values print nothing
						switch ($privilege['privilege']) {
							case PolicyService::PRIVILEGE_GRANT:
								$this->outputLine(' Resource "<i>' . $resourceName . '</i>": Access granted');
								break;
							case PolicyService::PRIVILEGE_DENY:
								$this->outputLine(' Resource "<i>' . $resourceName . '</i>": Access denied');
								break;
							case PolicyService::PRIVILEGE_ABSTAIN:
								$this->outputLine(' Resource "<i>' . $resourceName . '</i>": Vote abstained (no acl entry for given roles)');
								break;
						}
					}
				}
				$this->outputLine(' <b>Effective privilege for given roles: ' . $resources['effectivePrivilege'] . '</b>');
			}
		}
	} else {
		$this->outputLine('Could not find any policy entries, please warmup caches...');
	}
}