/**
  * TODO
  * 
  * @param mixed $object
  * @param IPermission $permission
  * @param LoginContext $context
  * @return bool TRUE if the handler performed the permission check successfully, FALSE otherwise.
  * 
  * @throws EyeInvalidArgumentException
  * @throws EyeUnexpectedValueException
  * @throws EyeAccessControlException
  */
 public function checkPermission($object, IPermission $permission, LoginContext $context)
 {
     if (!$object instanceof Process) {
         throw new EyeInvalidArgumentException('$object must be a Process.');
     }
     $objectEyeosUser = null;
     try {
         $objectLoginContext = $object->getLoginContext();
         if ($objectLoginContext !== null) {
             $objectEyeosUser = $objectLoginContext->getEyeosUser();
         }
     } catch (EyeNullPointerException $e) {
     }
     // The process has no eyeos user associated to it: access granted
     if ($objectEyeosUser === null) {
         return true;
     }
     if (in_array('kill', $permission->getActions())) {
         foreach ($context->getSubject()->getPrincipals() as $principal) {
             if ($principal instanceof AbstractEyeosUser && $principal->getId() == $objectEyeosUser->getId()) {
                 return true;
             }
         }
         throw new EyeAccessControlException('Cannot kill process "' . $object->getName() . '"[' . $object->getPid() . '](' . $objectEyeosUser->getName() . ') as ' . $context->getEyeosUser()->getName() . ': not the owner.');
     }
     return true;
 }
 /**
  * TODO
  * 
  * @param mixed $object
  * @param IPermission $permission
  * @param LoginContext $context
  * @return bool TRUE if the handler performed the permission check successfully, FALSE otherwise.
  * 
  * @throws EyeInvalidArgumentException
  * @throws EyeUnexpectedValueException
  * @throws EyeAccessControlException
  */
 public function checkPermission($object, IPermission $permission, LoginContext $context)
 {
     if (!$object instanceof VirtualFileMetaData) {
         throw new EyeInvalidArgumentException('$object must be a VirtualFileMetaData.');
     }
     try {
         $eyeosUser = $context->getEyeosUser();
     } catch (EyeNullPointerException $e) {
         $this->failureException = new EyeHandlerFailureException('No eyeos user found in login context.');
         return false;
     }
     foreach ($permission->getActions() as $action) {
         if ($action == 'delete') {
             // DELETE metadata requires WRITE access to the file
             $fileObject = $permission->getRelatedObject();
             if ($fileObject === null) {
                 throw new EyeNullPointerException('$permission->getRelatedObject()');
             }
             $fileObject->checkWritePermission();
         } else {
             if ($action == 'write') {
                 // Retrieve old metadata (and original owner)
                 $oldMetaData = $permission->getOriginalMetaData();
                 if ($oldMetaData === null) {
                     throw new EyeNullPointerException('$permission->getOriginalMetaData()');
                 }
                 $ownerName = $oldMetaData->get(EyeosAbstractVirtualFile::METADATA_KEY_OWNER);
                 // Compare new and old meta
                 //				$updatedKeys = array_keys(array_diff($object->getAll(), $oldMetaData->getAll()));
                 // Updating the following value means that we have write access on the file
                 //				$publicKeys = array(EyeosAbstractVirtualFile::METADATA_KEY_MODIFICATIONTIME);
                 //				if ($updatedKeys == $publicKeys) {
                 $fileObject = $permission->getRelatedObject();
                 if ($fileObject === null) {
                     throw new EyeNullPointerException('$permission->getRelatedObject()');
                 }
                 $fileObject->checkWritePermission();
                 //				}
                 //				// Some more sensitive values have been updated: only the owner has this right
                 //				else if ($eyeosUser->getName() != $ownerName) {
                 //					throw new EyeAccessControlException('Only the owner of the file (' . $ownerName . ') can write metadata to it.');
                 //				}
             }
         }
     }
     return true;
 }
 /**
  * TODO
  * 
  * @param mixed $object
  * @param IPermission $permission
  * @param LoginContext $context
  * @return bool TRUE if the handler performed the permission check successfully, FALSE otherwise.
  * 
  * @throws EyeInvalidArgumentException
  * @throws EyeUnexpectedValueException
  * @throws EyeAccessControlException
  */
 public function checkPermission($object, IPermission $permission, LoginContext $context)
 {
     if (!$object instanceof EyeWorkgroupFile && !$object instanceof EyeWorkgroupConfFile) {
         throw new EyeInvalidArgumentException('$object must be an EyeWorkgroupFile or EyeWorkgroupConfFile.');
     }
     try {
         $eyeosUser = $context->getEyeosUser();
     } catch (EyeNullPointerException $e) {
         $this->failureException = new EyeHandlerFailureException('No eyeos user found in login context.');
         return false;
     }
     $workgroup = $object->getWorkgroup();
     // The current user is the owner of the workgroup => access granted
     if ($workgroup->getOwnerId() == $eyeosUser->getId()) {
         return true;
     }
     // Retrieve the role of the current user inside the workgroup (if member)
     $assignation = UMManager::getInstance()->getNewUserWorkgroupAssignationInstance();
     $assignation->setUserId($eyeosUser->getId());
     $assignation->setWorkgroupId($workgroup->getId());
     $assignation = current(UMManager::getInstance()->getAllUserWorkgroupAssignations($assignation));
     if ($assignation === false || $assignation->getStatus() == WorkgroupConstants::STATUS_INVITED) {
         throw new EyeAccessControlException('Access denied to user ' . $eyeosUser->getName() . ' for file ' . $object->getPath() . ' (not member of the workgroup).');
     }
     $refPermissionActions = array();
     // Check access to a workgroup:// file
     if ($object instanceof EyeWorkgroupFile) {
         // The workgroup has its activity locked => write access denied
         if (in_array('write', $permission->getActions()) && $workgroup->getStatus() & AbstractEyeosWorkgroup::STATUS_ACTIVITY_LOCKED) {
             throw new EyeAccessControlException('Access denied to the specified file: the activity of the workgroup ' . $workgroup->getName() . ' is currently locked.');
         }
         switch ($assignation->getRole()) {
             case WorkgroupConstants::ROLE_ADMIN:
                 return true;
             case WorkgroupConstants::ROLE_EDITOR:
                 $refPermissionActions = array('read', 'write');
                 break;
             case WorkgroupConstants::ROLE_VIEWER:
                 $refPermissionActions = array('read');
                 break;
         }
     } elseif ($object instanceof EyeWorkgroupConfFile) {
         switch ($assignation->getRole()) {
             case WorkgroupConstants::ROLE_ADMIN:
                 return true;
             default:
                 $refPermissionActions = array('read');
                 break;
         }
     } else {
         $this->failureException = new EyeHandlerFailureException('Unknown $object class.');
         return false;
     }
     $refPermission = new VirtualFilePermission('', $refPermissionActions);
     if ($refPermission->implies($permission)) {
         return true;
     }
     throw new EyeAccessControlException('Access denied to user ' . $eyeosUser->getName() . ' for file ' . $object->getPath() . ' (insufficient permissions).');
 }
 /**
  * TODO
  * 
  * @param mixed $object
  * @param IPermission $permission
  * @param LoginContext $context
  * @return bool TRUE if the handler performed the permission check successfully, FALSE otherwise.
  * 
  * @throws EyeInvalidArgumentException
  * @throws EyeUnexpectedValueException
  * @throws EyeAccessControlException
  */
 public function checkPermission($object, IPermission $permission, LoginContext $context)
 {
     if (!$object instanceof EyeosPrincipalGroupAssignation) {
         throw new EyeInvalidArgumentException('$object must be a EyeosPrincipalGroupAssignation.');
     }
     try {
         $eyeosUser = $context->getEyeosUser();
     } catch (EyeNullPointerException $e) {
         $this->failureException = new EyeHandlerFailureException('No eyeos user found in login context.');
         return false;
     }
     try {
         $principal = UMManager::getInstance()->getPrincipalById($object->getPrincipalId());
     } catch (EyeNoSuchPrincipalException $e) {
         $actions = $permission->getActions();
         if (in_array('removefromgroup', $actions)) {
             // The principal we want to remove from the group is not found
             // => we can delete assignation safely, whoever we are
             return true;
         }
     }
     $group = UMManager::getInstance()->getPrincipalById($object->getGroupId());
     // Special processing for workgroup/master group assignations
     if ($principal instanceof IWorkgroup) {
         foreach ($permission->getActions() as $action) {
             switch ($action) {
                 case 'addtogroup':
                     if (!$context->getSubject()->getPrincipals()->contains($group)) {
                         throw new EyeAccessControlException('Cannot add workgroup "' . $principal->getName() . '" to group ' . $group->getName() . ': insufficient permissions.)');
                     }
                     break;
                 case 'removefromgroup':
                     if ($principal->getOwnerId() != $eyeosUser->getId()) {
                         throw new EyeAccessControlException('Cannot remove workgroup "' . $principal->getName() . '" from group ' . $group->getName() . ': insufficient permissions.)');
                     }
                     break;
             }
         }
         return true;
     }
     throw new EyeAccessControlException('Access denied to UM assignation (actions: ' . $permission->getActionsAsString() . ')');
 }
 /**
  * TODO
  * 
  * @param mixed $object
  * @param IPermission $permission
  * @param LoginContext $context
  * @return bool TRUE if the handler performed the permission check successfully, FALSE otherwise.
  * 
  * @throws EyeInvalidArgumentException
  * @throws EyeUnexpectedValueException
  * @throws EyeAccessControlException
  */
 public function checkPermission($object, IPermission $permission, LoginContext $context)
 {
     if (!$object instanceof PrincipalMetaData) {
         throw new EyeInvalidArgumentException('$object must be a PrincipalMetaData.');
     }
     if (!$permission instanceof MetaDataPermission) {
         throw new EyeInvalidArgumentException('$permission must be a MetaDataPermission.');
     }
     try {
         $eyeosUser = $context->getEyeosUser();
     } catch (EyeNullPointerException $e) {
         $this->failureException = new EyeHandlerFailureException('No eyeos user found in login context.');
         return false;
     }
     $reqActions = $permission->getActions();
     if (in_array('delete', $reqActions) || in_array('write', $reqActions)) {
         if ($eyeosUser != $permission->getRelatedObject()) {
             throw new EyeAccessControlException('Only the owner of the metadata can write or delete them.');
         }
     }
     return true;
 }
 /**
  * TODO
  * 
  * @param mixed $object
  * @param IPermission $permission
  * @param LoginContext $context
  * @return bool TRUE if the handler performed the permission check successfully, FALSE otherwise.
  * 
  * @throws EyeInvalidArgumentException
  * @throws EyeUnexpectedValueException
  * @throws EyeAccessControlException
  */
 public function checkPermission($object, IPermission $permission, LoginContext $context)
 {
     if (!$object instanceof WorkgroupMetaData) {
         throw new EyeInvalidArgumentException('$object must be a PrincipalMetaData.');
     }
     if (!$permission instanceof MetaDataPermission) {
         throw new EyeInvalidArgumentException('$permission must be a MetaDataPermission.');
     }
     $reqActions = $permission->getActions();
     // WRITE and DELETE require special privileges (owner or admin)
     if (in_array('delete', $reqActions) || in_array('write', $reqActions)) {
         $workgroup = $permission->getRelatedObject();
         try {
             $eyeosUser = $context->getEyeosUser();
         } catch (EyeNullPointerException $e) {
             $this->failureException = new EyeHandlerFailureException('No eyeos user found in login context.');
             return false;
         }
         // The current user is not the owner, search for the assignation to find his role
         if ($workgroup->getOwnerId() != $eyeosUser->getId()) {
             // First of all, is the current user member of the workgroup?
             if (!$context->getSubject()->getPrincipals()->contains($workgroup)) {
                 throw new EyeAccessControlException('Access denied to the metadata of workgroup "' . $workgroup->getName() . '": not a member.');
             }
             $assignation = UMManager::getInstance()->getNewUserWorkgroupAssignationInstance();
             $assignation->setUserId($eyeosUser->getId());
             $assignation->setWorkgroupId($workgroup->getId());
             $assignation = current(UMManager::getInstance()->getAllUserWorkgroupAssignations($assignation));
             if ($assignation === false) {
                 throw new EyeUnexpectedValueException('Wrong assignation.');
             }
             if ($assignation->getRole() != WorkgroupConstants::ROLE_ADMIN) {
                 throw new EyeAccessControlException('Access denied: Only the owner or the admin of the workgroup can write or delete specified resource.');
             }
         }
     }
     return true;
 }
 /**
  * TODO
  * 
  * @param mixed $object
  * @param IPermission $permission
  * @param LoginContext $context
  * @return bool TRUE if the handler performed the permission check successfully, FALSE otherwise.
  * 
  * @throws EyeInvalidArgumentException
  * @throws EyeUnexpectedValueException
  * @throws EyeAccessControlException
  */
 public function checkPermission($object, IPermission $permission, LoginContext $context)
 {
     if (!$object instanceof VirtualFileMetaData) {
         throw new EyeInvalidArgumentException('$object must be a VirtualFileMetaData.');
     }
     // This handler is only for workgroup files, so check that we are dealing with metadata of that kind
     $fileObject = $permission->getRelatedObject();
     if ($fileObject === null || !$fileObject instanceof EyeWorkgroupFile) {
         $this->failureException = new EyeHandlerFailureException('Can only work with metadata of workgroup files.');
         return false;
     }
     try {
         $eyeosUser = $context->getEyeosUser();
     } catch (EyeNullPointerException $e) {
         $this->failureException = new EyeHandlerFailureException('No eyeos user found in login context.');
         return false;
     }
     $UM = UMManager::getInstance();
     $workgroup = $fileObject->getWorkgroup();
     // Retrieve current user / file's workgroup assignation
     $assignation = $UM->getNewUserWorkgroupAssignationInstance();
     $assignation->setUserId($eyeosUser->getId());
     $assignation->setWorkgroupId($workgroup->getId());
     $assignation = current($UM->getAllUserWorkgroupAssignations($assignation));
     // No assignation found => user is not member of the group
     if ($assignation === false) {
         throw new EyeAccessControlException('Only members of workgroup "' . $workgroup . '" can access workgroup files.');
     }
     // Owner and admins have *all* permissions
     if ($assignation->getRole() === WorkgroupConstants::ROLE_OWNER || $assignation->getRole() === WorkgroupConstants::ROLE_ADMIN || $assignation->getRole() === WorkgroupConstants::ROLE_EDITOR) {
         return true;
     }
     // Don't perform further checks. Default behaviour will be handled by EyeosFileMetaDataSecurityHandler
     // using UNIX-like permissions of files. We just needed a special processing for owner and admins.
     $this->failureException = new EyeHandlerFailureException('User is not the owner nor an admin of workgroup "' . $workgroup . '".');
     return false;
 }
Exemplo n.º 8
0
 public function updateCollaboratorPermission(IShareable $object, AbstractEyeosPrincipal $collaborator, IPermission $permission)
 {
     try {
         if ($object->getId() === null) {
             throw new EyeNullPointerException('$object ID cannot be null.');
         }
         $handlerClassName = null;
         foreach (self::getAllShareableObjectsHandlers() as $handler) {
             if ($handler->checkType($object)) {
                 $handlerClassName = get_class($handler);
                 break;
             }
         }
         if ($handlerClassName === null) {
             throw new EyeHandlerNotFoundException('Unable to find a ShareableObjectHandler for object of class ' . get_class($object) . '.');
         }
         $owner = $object->getShareOwner();
         SecurityManager::getInstance()->checkPermission($object, new SharePermission(array('updatecollaborator'), $collaborator));
         //prepare query array
         $shareInfoQuery = array(self::SHAREINFO_KEY_OWNERID => $owner->getId(), self::SHAREINFO_KEY_SHAREABLEID => $object->getId(), self::SHAREINFO_KEY_COLLABORATORID => $collaborator->getId(), self::SHAREINFO_KEY_PERMISSIONACTIONS => $permission->getActionsAsString(), self::SHAREINFO_KEY_HANDLERCLASSNAME => $handlerClassName);
         $this->getProvider()->updateShareInfo($owner, $shareInfoQuery);
         // TODO: we could also add the ShareInfo object containing the old permission as a
         // "related source" of the event
         $event = new SharingEvent(new BasicShareInfo($owner, $object, $collaborator, $permission, $handlerClassName));
         foreach ($this->listeners as $listener) {
             $listener->collaboratorPermissionUpdated($event);
         }
     } catch (Exception $e) {
         self::$Logger->warn('Unable to update collaborator ' . $collaborator->getName() . ' permissions for object of class ' . get_class($object) . '.');
         if (self::$Logger->isDebugEnabled()) {
             self::$Logger->debug(ExceptionStackUtil::getStackTrace($e, false));
         }
         throw $e;
     }
 }
 /**
  * TODO
  *
  * @param mixed $object
  * @param IPermission $permission
  * @param LoginContext $context
  * @return bool TRUE if the handler performed the permission check successfully, FALSE otherwise.
  *
  * @throws EyeInvalidArgumentException
  * @throws EyeUnexpectedValueException
  * @throws EyeAccessControlException
  */
 public function checkPermission($object, IPermission $permission, LoginContext $context)
 {
     if (!$object instanceof IFile) {
         throw new EyeInvalidArgumentException('$object must be an IFile.');
     }
     if ($object instanceof EyeUserFile) {
         $name = $object->getName();
         if ($name == '.htaccess') {
             throw new EyeAccessControlException('You cannot access that kind of file (.HTACCESS).');
         }
         if ('' == $name) {
             throw new EyeAccessControlException('Empty filename not allowed');
         }
         if (strstr($name, '?')) {
             throw new EyeAccessControlException('Invalid character ? on filename');
         }
         if (strstr($name, '#')) {
             throw new EyeAccessControlException('Invalid character # on filename');
         }
         if (strstr($name, '&')) {
             throw new EyeAccessControlException('Invalid character & on filename');
         }
         if (strstr($name, '<')) {
             throw new EyeAccessControlException('Invalid character < on filename');
         }
         if (strstr($name, '>')) {
             throw new EyeAccessControlException('Invalid character > on filename');
         }
     }
     // If the target file does not exist or we are requesting a deletion permission,
     // we must check write permissions on the parent folder, to know whether the current
     // user is allowed or not to manipulate files within it.
     if (!$object->exists() || in_array('delete', $permission->getActions())) {
         $parentFolder = $object->getParentFile();
         if (!$parentFolder->equals($object)) {
             $parentFolder->checkWritePermission();
             return true;
         }
     }
     try {
         $eyeosUser = $context->getEyeosUser();
     } catch (EyeNullPointerException $e) {
         $this->failureException = new EyeHandlerFailureException('No eyeos user found in login context.');
         return false;
     }
     $objectPermissions = $object->getPermissions(true);
     if (!is_int($objectPermissions)) {
         $this->failureException = new EyeHandlerFailureException('"' . $objectPermissions . '" is not a valid octal UNIX permission for file ' . $object->getPath() . '.');
         return false;
     }
     try {
         $owner = UMManager::getInstance()->getUserByName($object->getOwner());
     } catch (EyeNoSuchUserException $e) {
         //This is a workaround: when the owner of a workgroup file not longer exist
         //we have to set a new owner for that file, otherwise we have an exception
         //when we try to access to load owner informations.
         if (get_class($object) == 'EyeWorkgroupFile') {
             $object->fixOwner();
             $owner = UMManager::getInstance()->getUserByName($object->getOwner());
         } else {
             throw $e;
         }
     }
     $group = UMManager::getInstance()->getGroupByName($object->getGroup());
     $accessGranted = false;
     $actionText = '';
     foreach ($permission->getActions() as $action) {
         if ($action == 'admin') {
             if ($eyeosUser->getName() != $object->getOwner()) {
                 throw new EyeAccessControlException('Only the owner ' . $object->getOwner() . ' has admin rights for file ' . $object->getPath() . '.');
             }
             continue;
         } else {
             if ($action == 'read') {
                 $ref = 0400;
                 $actionText = 'Read';
             } else {
                 if ($action == 'write') {
                     $ref = 0200;
                     $actionText = 'Write';
                 } else {
                     if ($action == 'execute') {
                         $ref = 0100;
                         $actionText = 'Execution';
                     } else {
                         // the given action is not supported by this handler
                         $this->failureException = new EyeHandlerFailureException('Unknown action received: ' . $action . '. Wrong configuration?');
                         return false;
                     }
                 }
             }
         }
         //owner
         if ($eyeosUser->getId() == $owner->getId()) {
             if ($ref & $objectPermissions) {
                 $accessGranted = true;
                 continue;
             } else {
                 throw new EyeAccessControlException($actionText . ' access denied to user ' . $eyeosUser->getName() . ' for file ' . $object->getPath() . ' (insufficient permissions).');
             }
         } else {
             $ref = $ref >> 3;
             //group
             if ($context->getSubject()->getPrincipals()->contains($group)) {
                 if ($ref & $objectPermissions) {
                     $accessGranted = true;
                     continue;
                 } else {
                     throw new EyeAccessControlException($actionText . ' access denied to user ' . $eyeosUser->getName() . ' for file ' . $object->getPath() . ' (insufficient permissions).');
                 }
             } else {
                 $ref = $ref >> 3;
                 //others
                 if ($ref & $objectPermissions) {
                     $accessGranted = true;
                     continue;
                 } else {
                     throw new EyeAccessControlException($actionText . ' access denied to user ' . $eyeosUser->getName() . ' for file ' . $object->getPath() . ' (insufficient permissions).');
                 }
             }
         }
     }
     if (self::$Logger->isInfoEnabled()) {
         self::$Logger->info('Access granted to user ' . $eyeosUser->getName() . ' for actions "' . $permission->getActionsAsString() . '" on file ' . $object->getPath() . '.');
     }
     return true;
 }
Exemplo n.º 10
0
 /**
  * @Description: Checa permissão das classes Allowpermission e AllowAnonimos
  */
 public function isPermission(IPermission $classePermission)
 {
     $permission = $classePermission->register();
     return $this->executeValidation($permission);
 }
Exemplo n.º 11
0
 /**
  * Checks if the specified permission's actions are "implied by" this object's actions.
  * @param Permission $permission
  * @return boolean
  */
 public function implies(IPermission $permission)
 {
     if ($this->name != $permission->getName()) {
         return false;
     }
     return parent::implies($permission);
 }
 /**
  * TODO
  * 
  * @param mixed $object
  * @param IPermission $permission
  * @param LoginContext $context
  * @return bool TRUE if the handler performed the permission check successfully, FALSE otherwise.
  * 
  * @throws EyeInvalidArgumentException
  * @throws EyeUnexpectedValueException
  * @throws EyeAccessControlException
  */
 public function checkPermission($object, IPermission $permission, LoginContext $context)
 {
     if (!$object instanceof IShareable) {
         throw new EyeInvalidArgumentException('$object must be an IShareable.');
     }
     if ($object->getId(false) === null) {
         $this->failureException = new EyeHandlerFailureException('$object has no ID and though is probably not currently shared.');
         return false;
     }
     try {
         $eyeosUser = $context->getEyeosUser();
     } catch (EyeNullPointerException $e) {
         $this->failureException = new EyeHandlerFailureException('No eyeos user found in login context.');
         return false;
     }
     // General sharing actions (addCollaborator, removeCollaborator, updateCollaborator)
     $actions = $permission->getActions();
     if (in_array('addcollaborator', $actions) || in_array('removecollaborator', $actions) || in_array('updatecollaborator', $actions)) {
         // currently, only the owner can perform those actions
         if ($eyeosUser->getId() != $object->getShareOwner()->getId()) {
             self::$Logger->info('Access denied to non-owner user ' . $eyeosUser->getName() . ' for actions "' . $permission->getActionsAsString() . '" on object ' . $object->getId() . '.');
             throw new EyeAccessControlException('Only the owner of the object can perform that kind of actions (' . $permission->getActionsAsString() . ').');
         }
         self::$Logger->debug('Access granted to owner ' . $eyeosUser->getName() . ' for actions "' . $permission->getActionsAsString() . '" on object ' . $object->getId() . '.');
         return true;
     }
     // Object-dependant sharing actions
     try {
         $shareInfos = SharingManager::getInstance()->getAllShareInfo($object);
     } catch (Exception $e) {
         $logger = Logger::getLogger('system.services.Security.ShareableObjectSecurityHandler');
         $logger->warn('Cannot retrieve shareinfo on object with ID: ' . $object->getId(false));
         if ($logger->isDebugEnabled()) {
             $logger->debug(ExceptionStackUtil::getStackTrace($e, false));
         } else {
             $logger->warn('Exception message: ' . $e->getMessage());
         }
         $this->failureException = new EyeHandlerFailureException('Cannot retrieve shareinfo on object with ID: ' . $object->getId(false) . ': ' . $e->getMessage());
         return false;
     }
     foreach ($shareInfos as $shareInfo) {
         $collaborator = $shareInfo->getCollaborator();
         //$collaborator is a group
         if ($collaborator instanceof IGroup) {
             // "is the subject in the current login context representative of the group collaborator?"
             if (in_array($collaborator, $context->getSubject()->getPrincipals())) {
                 if ($shareInfo->getPermissions()->implies($permission)) {
                     return true;
                 } else {
                     throw new EyeAccessControlException('$object permission actions (' . $shareInfo->getPermissions()->getActionsAsString() . ') ' . 'do not imply requested permission (' . $permission->getActionsAsString() . ') for collaborator ' . $eyeosUser->getName() . '');
                 }
             }
         } else {
             if ($shareInfo->getCollaborator()->getId() == $eyeosUser->getId()) {
                 if ($shareInfo->getPermissions()->implies($permission)) {
                     return true;
                 } else {
                     throw new EyeAccessControlException('$object permission actions (' . $shareInfo->getPermissions()->getActionsAsString() . ') ' . 'do not imply requested permission (' . $permission->getActionsAsString() . ') for collaborator ' . $eyeosUser->getName() . '');
                 }
             }
         }
     }
     // No matching collaborator found => this module is not applicable to the current check => set it as FAILED
     $this->failureException = new EyeHandlerFailureException('No matching collaborator found for object with ID ' . $object->getId(false) . '.');
     return false;
 }
 /**
  * TODO
  * 
  * @param mixed $object
  * @param IPermission $permission
  * @param LoginContext $context
  * @return bool TRUE if the handler performed the permission check successfully, FALSE otherwise.
  * 
  * @throws EyeInvalidArgumentException
  * @throws EyeAccessControlException
  */
 public function checkPermission($object, IPermission $permission, LoginContext $context)
 {
     if (!$object instanceof AbstractEyeosWorkgroup && !$object instanceof EyeosUserWorkgroupAssignation) {
         throw new EyeInvalidArgumentException('$object must be an AbstractEyeosWorkgroup or an EyeosUserWorkgroupAssignation.');
     }
     // $object is a Workgroup => check for actions: Create, Update, Delete
     if ($object instanceof AbstractEyeosWorkgroup) {
         $wgManagersGroups = UMManager::getInstance()->getGroupByName('wg-managers');
         // The user must be member of the system group "wg-managers"
         if (!$context->getSubject()->getPrincipals()->contains($wgManagersGroups)) {
             throw new EyeAccessControlException('The specified action requires privileges of group "wg-managers".');
         }
         // Update or Delete? Must be owner
         if (in_array('update', $permission->getActions()) || in_array('delete', $permission->getActions())) {
             try {
                 $eyeosUser = $context->getEyeosUser();
             } catch (EyeNullPointerException $e) {
                 $this->failureException = new EyeHandlerFailureException('No eyeos user found in login context.');
                 return false;
             }
             if ($object->getOwnerId() != $eyeosUser->getId()) {
                 throw new EyeAccessControlException('Only the owner of the workgroup can perform the requested action(s): ' . $permission->getActionsAsString() . '.');
             }
         }
         return true;
     } else {
         try {
             $eyeosUser = $context->getEyeosUser();
         } catch (EyeNullPointerException $e) {
             $this->failureException = new EyeHandlerFailureException('No eyeos user found in login context.');
             return false;
         }
         try {
             $workgroup = UMManager::getInstance()->getWorkgroupById($object->getWorkgroupId());
         } catch (EyeNoSuchWorkgroupException $e) {
             throw new EyeAccessControlException('Unknown workgroup with ID "' . $object->getWorkgroupId() . '".', 0, $e);
         }
         // Retrieve the role of the current user in the workgroup
         $currentUserAssignation = UMManager::getInstance()->getNewUserWorkgroupAssignationInstance();
         $currentUserAssignation->setUserId($eyeosUser->getId());
         $currentUserAssignation->setWorkgroupId($object->getWorkgroupId());
         $currentUserAssignation = current(UMManager::getInstance()->getAllUserWorkgroupAssignations($currentUserAssignation));
         foreach ($permission->getActions() as $action) {
             // Add to workgroup
             if ($action == 'addtoworkgroup') {
                 // If the workgroup's privacy mode is OPEN
                 if ($workgroup->getPrivacyMode() === WorkgroupConstants::PRIVACY_OPEN) {
                     // If the current user is the one joining the workgroup
                     if ($eyeosUser->getId() == $object->getUserId()) {
                         // Check for illegal role
                         if ($object->getRole() === WorkgroupConstants::ROLE_OWNER && $workgroup->getOwnerId() != $object->getUserId() || $object->getRole() === WorkgroupConstants::ROLE_ADMIN) {
                             throw new EyeAccessControlException('Access denied to non-member of workgroup "' . $workgroup->getName() . '": cannot join a workgroup as owner or admin.');
                         }
                         return true;
                     } else {
                         // If the current user is not a member, exit here
                         if ($currentUserAssignation === false) {
                             throw new EyeAccessControlException('Access denied to non-member of workgroup "' . $workgroup->getName() . '" for action(s): ' . $permission->getActionsAsString() . '.');
                         }
                         // If the current user is the owner or an admin, he has the right to INVITE
                         if ($currentUserAssignation->getRole() !== WorkgroupConstants::ROLE_OWNER && $currentUserAssignation->getRole() !== WorkgroupConstants::ROLE_ADMIN) {
                             throw new EyeAccessControlException('Access denied to non-admin of workgroup "' . $workgroup->getName() . '" for action(s): ' . $permission->getActionsAsString() . '.');
                         }
                         if ($object->getStatus() !== WorkgroupConstants::STATUS_INVITED) {
                             throw new EyeAccessControlException('Access denied to admin of workgroup "' . $workgroup->getName() . '": can only invite a member into the workgroup.');
                         }
                         return true;
                     }
                 } else {
                     if ($workgroup->getPrivacyMode() === WorkgroupConstants::PRIVACY_ONREQUEST) {
                         // If the current user is the one joining the workgroup
                         if ($eyeosUser->getId() == $object->getUserId()) {
                             // Check for illegal role
                             if ($object->getRole() === WorkgroupConstants::ROLE_OWNER && $workgroup->getOwnerId() != $object->getUserId() || $object->getRole() === WorkgroupConstants::ROLE_ADMIN) {
                                 throw new EyeAccessControlException('Access denied to non-member of workgroup "' . $workgroup->getName() . '": cannot apply for membership of workgroup ' . $workgroup->getName() . ' as owner or admin.');
                             }
                             // The status must be PENDING
                             if ($workgroup->getOwnerId() != $object->getUserId() && $object->getStatus() !== WorkgroupConstants::STATUS_PENDING) {
                                 throw new EyeAccessControlException('Access denied to non-member of workgroup "' . $workgroup->getName() . '": can only apply for membership of workgroup ' . $workgroup->getName() . '.');
                             }
                             return true;
                         } else {
                             // If the current user is not a member, exit here
                             if ($currentUserAssignation === false) {
                                 throw new EyeAccessControlException('Access denied to non-member of workgroup "' . $workgroup->getName() . '" for action(s): ' . $permission->getActionsAsString() . '.');
                             }
                             // If the current user is the owner or an admin, he has the right to INVITE
                             if ($currentUserAssignation->getRole() !== WorkgroupConstants::ROLE_OWNER && $currentUserAssignation->getRole() !== WorkgroupConstants::ROLE_ADMIN) {
                                 throw new EyeAccessControlException('Access denied to non-admin of workgroup "' . $workgroup->getName() . '" for action(s): ' . $permission->getActionsAsString() . '.');
                             }
                             if ($object->getStatus() !== WorkgroupConstants::STATUS_INVITED) {
                                 throw new EyeAccessControlException('Access denied to admin of workgroup "' . $workgroup->getName() . '": can only invite a member into the workgroup.');
                             }
                             return true;
                         }
                     } else {
                         if ($workgroup->getPrivacyMode() === WorkgroupConstants::PRIVACY_ONINVITATION) {
                             // If the current user is the one joining the workgroup
                             if ($eyeosUser->getId() == $object->getUserId()) {
                                 // If the owner joins his workgroup (at creation), access granted
                                 if ($eyeosUser->getId() == $workgroup->getOwnerId()) {
                                     return true;
                                 }
                                 throw new EyeAccessControlException('Access denied to non-member of workgroup "' . $workgroup->getName() . '": cannot apply for membership of workgroup ' . $workgroup->getName() . ', access is on invitation only.');
                             } else {
                                 // If the current user is not a member, exit here
                                 if ($currentUserAssignation === false) {
                                     throw new EyeAccessControlException('Access denied to non-member of workgroup "' . $workgroup->getName() . '" for action(s): ' . $permission->getActionsAsString() . '.');
                                 }
                                 // If the current user is the owner or an admin, he has the right to INVITE
                                 if ($currentUserAssignation->getRole() !== WorkgroupConstants::ROLE_OWNER && $currentUserAssignation->getRole() !== WorkgroupConstants::ROLE_ADMIN) {
                                     throw new EyeAccessControlException('Access denied to non-admin of workgroup "' . $workgroup->getName() . '" for action(s): ' . $permission->getActionsAsString() . '.');
                                 }
                                 if ($object->getStatus() !== WorkgroupConstants::STATUS_INVITED) {
                                     throw new EyeAccessControlException('Access denied to admin of workgroup "' . $workgroup->getName() . '": can only invite a member into the workgroup.');
                                 }
                                 return true;
                             }
                         }
                     }
                 }
             } else {
                 if ($action == 'removefromworkgroup') {
                     // If the current user is the one leaving the workgroup
                     if ($eyeosUser->getId() == $object->getUserId()) {
                         return true;
                     }
                     // if the user is not a member, exit here
                     if ($currentUserAssignation === false) {
                         throw new EyeAccessControlException('Access denied to non-member of workgroup "' . $workgroup->getName() . '" for action(s): ' . $permission->getActionsAsString() . '.');
                     }
                     if ($currentUserAssignation->getRole() !== WorkgroupConstants::ROLE_OWNER && $currentUserAssignation->getRole() !== WorkgroupConstants::ROLE_ADMIN) {
                         throw new EyeAccessControlException('Access denied to non-admin of workgroup "' . $workgroup->getName() . '" for action(s): ' . $permission->getActionsAsString() . '.');
                     }
                     return true;
                 } else {
                     if ($action == 'update') {
                         // if the user is not a member, exit here
                         if ($currentUserAssignation === false) {
                             throw new EyeAccessControlException('Access denied to non-member of workgroup "' . $workgroup->getName() . '" for action(s): ' . $permission->getActionsAsString() . '.');
                         }
                         // Current user is the one from the assignation $object,
                         // and the transition is from "invited" to "member" => access granted
                         if ($eyeosUser->getId() == $currentUserAssignation->getUserId() && $currentUserAssignation->getStatus() === WorkgroupConstants::STATUS_INVITED && $object->getStatus() === WorkgroupConstants::STATUS_MEMBER) {
                             return true;
                         } else {
                             if ($currentUserAssignation->getRole() !== WorkgroupConstants::ROLE_OWNER && $currentUserAssignation->getRole() !== WorkgroupConstants::ROLE_ADMIN) {
                                 throw new EyeAccessControlException('Access denied to non-admin of workgroup "' . $workgroup->getName() . '" for action(s): ' . $permission->getActionsAsString() . '.');
                             }
                             return true;
                         }
                     } else {
                         // Unknown action
                         $this->failureException = new EyeHandlerFailureException('Unknown action specified: ' . $action);
                         return false;
                     }
                 }
             }
         }
     }
 }
 /**
  * TODO
  * 
  * @param mixed $object
  * @param IPermission $permission
  * @param LoginContext $context
  * @return bool TRUE if the handler performed the permission check successfully, FALSE otherwise.
  * 
  * @throws EyeInvalidArgumentException
  * @throws EyeUnexpectedValueException
  * @throws EyeAccessControlException
  */
 public function checkPermission($object, IPermission $permission, LoginContext $context)
 {
     if (!$object instanceof EyeosApplicationDescriptor) {
         throw new EyeInvalidArgumentException('$object must be an EyeosApplicationDescriptor.');
     }
     try {
         $eyeosUser = $context->getEyeosUser();
     } catch (EyeNullPointerException $e) {
         $this->failureException = new EyeHandlerFailureException('No eyeos user found in login context.');
         return false;
     }
     $meta = $object->getMeta();
     if ($meta === null) {
         throw new EyeNullPointerException('$meta cannot be null.');
     }
     $sysParams = $meta->get('eyeos.application.systemParameters');
     // Extract owner, group and permissions from application's metadata
     try {
         $owner = UMManager::getInstance()->getUserByName($sysParams['owner']);
     } catch (EyeNoSuchPrincipalException $e) {
         $this->failureException = new EyeHandlerFailureException('Unknown owner "' . $owner . '".');
         return false;
     }
     try {
         $group = UMManager::getInstance()->getGroupByName($sysParams['group']);
     } catch (EyeNoSuchPrincipalException $e) {
         $this->failureException = new EyeHandlerFailureException('Unknown group "' . $group . '".');
         return false;
     }
     try {
         $perms = AdvancedPathLib::permsToOctal($sysParams['permissions']);
     } catch (Exception $e) {
         $this->failureException = new EyeHandlerFailureException('"' . $perms . '" is not a valid octal UNIX permission for application ' . $object->getName() . '.');
         return false;
     }
     // Loop on actions (but here we currently know the action "execute" only)
     $accessGranted = false;
     $actionText = '';
     foreach ($permission->getActions() as $action) {
         if ($action == 'execute') {
             $ref = 0100;
             $actionText = 'Execution';
         } else {
             // the given action is not supported by this handler
             $this->failureException = new EyeHandlerFailureException('Unknown action received: ' . $action . '.');
             return false;
         }
         //owner
         if ($eyeosUser->getId() == $owner->getId()) {
             if ($ref & $perms) {
                 $accessGranted = true;
                 continue;
             } else {
                 throw new EyeAccessControlException($actionText . ' access denied to user ' . $eyeosUser->getName() . ' for application ' . $object->getName() . ' (insufficient permissions).');
             }
         } else {
             $ref = $ref >> 3;
             //group
             if ($context->getSubject()->getPrincipals()->contains($group)) {
                 if ($ref & $perms) {
                     $accessGranted = true;
                     continue;
                 } else {
                     throw new EyeAccessControlException($actionText . ' access denied to user ' . $eyeosUser->getName() . ' for application ' . $object->getName() . ' (insufficient permissions).');
                 }
             } else {
                 $ref = $ref >> 3;
                 //others
                 if ($ref & $perms) {
                     $accessGranted = true;
                     continue;
                 } else {
                     throw new EyeAccessControlException($actionText . ' access denied to user ' . $eyeosUser->getName() . ' for application ' . $object->getName() . ' (insufficient permissions).');
                 }
             }
         }
     }
     if (self::$Logger->isInfoEnabled()) {
         self::$Logger->info('Access granted to user ' . $eyeosUser->getName() . ' for actions "' . $permission->getActionsAsString() . '" on application ' . $object->getName() . '.');
     }
     return true;
 }