/**
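  * Authorizes the requested actions on the metadata of a virtual file: "delete" and
  * "write" are both granted only if the related file object passes its own
  * write-permission check. Other actions are not restricted by this handler.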
  * 
  * @param mixed $object
  * @param IPermission $permission
  * @param LoginContext $context
  * @return bool TRUE if the handler performed the permission check successfully, FALSE otherwise.
  * 
  * @throws EyeInvalidArgumentException
  * @throws EyeUnexpectedValueException
  * @throws EyeAccessControlException
  */
 public function checkPermission($object, IPermission $permission, LoginContext $context)
 {
     // Authorization handler for file metadata: DELETE and WRITE on the metadata are
     // both mapped onto the write permission of the file the metadata belongs to.
     if (!($object instanceof VirtualFileMetaData)) {
         throw new EyeInvalidArgumentException('$object must be a VirtualFileMetaData.');
     }

     // Without an eyeos user in the login context this handler cannot decide: it
     // records the reason and reports failure (FALSE) instead of throwing.
     try {
         $currentUser = $context->getEyeosUser();
     } catch (EyeNullPointerException $e) {
         $this->failureException = new EyeHandlerFailureException('No eyeos user found in login context.');
         return false;
     }

     foreach ($permission->getActions() as $requestedAction) {
         // Loose comparison, as in the original; presumably actions are plain strings.
         $isDelete = $requestedAction == 'delete';
         if (!$isDelete && $requestedAction != 'write') {
             // Any other action is not restricted by this handler.
             continue;
         }

         if (!$isDelete) {
             // WRITE needs the previous metadata (it carries the original owner).
             $previousMetaData = $permission->getOriginalMetaData();
             if ($previousMetaData === null) {
                 throw new EyeNullPointerException('$permission->getOriginalMetaData()');
             }
             $originalOwner = $previousMetaData->get(EyeosAbstractVirtualFile::METADATA_KEY_OWNER);
             // NOTE(review): $originalOwner is read but never used. The rule that consumed
             // it is disabled; it limited changes to keys other than the modification time
             // to the owner of the file:
             //   $updatedKeys = array_keys(array_diff($object->getAll(), $previousMetaData->getAll()));
             //   $publicKeys = array(EyeosAbstractVirtualFile::METADATA_KEY_MODIFICATIONTIME);
             //   if ($updatedKeys == $publicKeys) { <file write check below> }
             //   else if ($currentUser->getName() != $originalOwner) {
             //       throw new EyeAccessControlException('Only the owner of the file (' . $originalOwner . ') can write metadata to it.');
             //   }
             // As written, this handler accepts a rewrite of any metadata key (the owner
             // key included) from anyone who passes the file write check; confirm that
             // this is intended.
         }

         // DELETE and WRITE of metadata both require WRITE access to the file itself.
         $relatedFile = $permission->getRelatedObject();
         if ($relatedFile === null) {
             throw new EyeNullPointerException('$permission->getRelatedObject()');
         }
         // Presumably throws when access is denied (its return value is not inspected).
         $relatedFile->checkWritePermission();
     }

     return true;
 }
 /**
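  * Authorizes the requested actions on the metadata of a principal: "write" and
  * "delete" are allowed only when the logged-in eyeos user equals the permission's
  * related object. Other actions are not restricted by this handler.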
  * 
  * @param mixed $object
  * @param IPermission $permission
  * @param LoginContext $context
  * @return bool TRUE if the handler performed the permission check successfully, FALSE otherwise.
  * 
  * @throws EyeInvalidArgumentException
  * @throws EyeUnexpectedValueException
  * @throws EyeAccessControlException
  */
 public function checkPermission($object, IPermission $permission, LoginContext $context)
 {
     // Authorization handler for principal metadata: only the principal the metadata
     // relates to may WRITE or DELETE it.
     if (!($object instanceof PrincipalMetaData)) {
         throw new EyeInvalidArgumentException('$object must be a PrincipalMetaData.');
     }
     if (!($permission instanceof MetaDataPermission)) {
         throw new EyeInvalidArgumentException('$permission must be a MetaDataPermission.');
     }

     // Without an eyeos user in the login context this handler cannot decide: it
     // records the reason and reports failure (FALSE) instead of throwing.
     try {
         $currentUser = $context->getEyeosUser();
     } catch (EyeNullPointerException $e) {
         $this->failureException = new EyeHandlerFailureException('No eyeos user found in login context.');
         return false;
     }

     // Non-strict in_array(), as in the original; presumably actions are plain strings.
     $requested = $permission->getActions();
     $modifiesMetaData = in_array('delete', $requested) || in_array('write', $requested);
     if (!$modifiesMetaData) {
         // Nothing else is restricted by this handler.
         return true;
     }

     // "!=" on two objects compares class and property values, not identity, so a
     // separate instance describing the same user is accepted as the owner. A NULL
     // related object never equals the user and is therefore denied.
     if ($currentUser != $permission->getRelatedObject()) {
         throw new EyeAccessControlException('Only the owner of the metadata can write or delete them.');
     }

     return true;
 }
 /**
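  * Authorizes the requested actions on the metadata of a workgroup: "write" and
  * "delete" are allowed only for the workgroup owner or for a member whose role in
  * the workgroup is admin. Other actions are not restricted by this handler.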
  * 
  * @param mixed $object
  * @param IPermission $permission
  * @param LoginContext $context
  * @return bool TRUE if the handler performed the permission check successfully, FALSE otherwise.
  * 
  * @throws EyeInvalidArgumentException
  * @throws EyeUnexpectedValueException
  * @throws EyeAccessControlException
  */
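 public function checkPermission($object, IPermission $permission, LoginContext $context)
 {
     // Authorization handler for workgroup metadata: WRITE and DELETE are reserved to
     // the workgroup owner and to members whose assignation carries the admin role.
     if (!$object instanceof WorkgroupMetaData) {
         // The message names the type that is actually checked (it used to say
         // PrincipalMetaData, which misleads whoever reads the log).
         throw new EyeInvalidArgumentException('$object must be a WorkgroupMetaData.');
     }
     if (!$permission instanceof MetaDataPermission) {
         throw new EyeInvalidArgumentException('$permission must be a MetaDataPermission.');
     }
     $reqActions = $permission->getActions();
     // WRITE and DELETE require special privileges (owner or admin)
     if (in_array('delete', $reqActions) || in_array('write', $reqActions)) {
         $workgroup = $permission->getRelatedObject();
         // Without an eyeos user in the login context this handler cannot decide: it
         // records the reason and reports failure (FALSE) instead of throwing.
         try {
             $eyeosUser = $context->getEyeosUser();
         } catch (EyeNullPointerException $e) {
             $this->failureException = new EyeHandlerFailureException('No eyeos user found in login context.');
             return false;
         }
         // A permission without related workgroup cannot be evaluated. Raise an explicit
         // exception instead of failing on a method call on NULL in the middle of the
         // authorization decision.
         if ($workgroup === null) {
             throw new EyeNullPointerException('$permission->getRelatedObject()');
         }
         // The current user is not the owner, search for the assignation to find his role
         if ($workgroup->getOwnerId() != $eyeosUser->getId()) {
             // First of all, is the current user member of the workgroup?
             if (!$context->getSubject()->getPrincipals()->contains($workgroup)) {
                 throw new EyeAccessControlException('Access denied to the metadata of workgroup "' . $workgroup->getName() . '": not a member.');
             }
             // Look up the user/workgroup assignation by filling a template with both ids.
             $assignation = UMManager::getInstance()->getNewUserWorkgroupAssignationInstance();
             $assignation->setUserId($eyeosUser->getId());
             $assignation->setWorkgroupId($workgroup->getId());
             // current() yields FALSE when the result array is empty.
             $assignation = current(UMManager::getInstance()->getAllUserWorkgroupAssignations($assignation));
             if ($assignation === false) {
                 // The user is listed as a member but has no assignation record.
                 throw new EyeUnexpectedValueException('Wrong assignation.');
             }
             // Loose comparison kept as is: the type returned by getRole() is not visible here.
             if ($assignation->getRole() != WorkgroupConstants::ROLE_ADMIN) {
                 throw new EyeAccessControlException('Access denied: Only the owner or the admin of the workgroup can write or delete specified resource.');
             }
         }
     }
     return true;
 }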
 /**
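  * Authorizes access to the metadata of a workgroup file from the current user's role
  * in the file's workgroup: non-members are rejected, the owner, admin and editor
  * roles are accepted, and any other role is left to the default handler (FALSE).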
  * 
  * @param mixed $object
  * @param IPermission $permission
  * @param LoginContext $context
  * @return bool TRUE if the handler performed the permission check successfully, FALSE otherwise.
  * 
  * @throws EyeInvalidArgumentException
  * @throws EyeUnexpectedValueException
  * @throws EyeAccessControlException
  */
 public function checkPermission($object, IPermission $permission, LoginContext $context)
 {
     // Authorization handler for metadata of workgroup files. The decision depends only
     // on the user's role in the file's workgroup; the requested actions are not read.
     if (!($object instanceof VirtualFileMetaData)) {
         throw new EyeInvalidArgumentException('$object must be a VirtualFileMetaData.');
     }

     // Only metadata attached to a workgroup file is handled here (NULL fails the
     // instanceof test as well); anything else is reported as a handler failure.
     $workgroupFile = $permission->getRelatedObject();
     if (!($workgroupFile instanceof EyeWorkgroupFile)) {
         $this->failureException = new EyeHandlerFailureException('Can only work with metadata of workgroup files.');
         return false;
     }

     // Without an eyeos user in the login context this handler cannot decide.
     try {
         $currentUser = $context->getEyeosUser();
     } catch (EyeNullPointerException $e) {
         $this->failureException = new EyeHandlerFailureException('No eyeos user found in login context.');
         return false;
     }

     // Look up the assignation linking the current user to the file's workgroup.
     $userManager = UMManager::getInstance();
     $workgroup = $workgroupFile->getWorkgroup();
     $template = $userManager->getNewUserWorkgroupAssignationInstance();
     $template->setUserId($currentUser->getId());
     $template->setWorkgroupId($workgroup->getId());
     $membership = current($userManager->getAllUserWorkgroupAssignations($template));

     // current() yields FALSE on an empty result: the user is not a member of the group.
     // NOTE(review): $workgroup is concatenated as a string here and below, so these
     // messages rely on the workgroup object being convertible to string; confirm.
     if ($membership === false) {
         throw new EyeAccessControlException('Only members of workgroup "' . $workgroup . '" can access workgroup files.');
     }

     // Owner, admin and editor roles are granted every permission on the metadata.
     // NOTE(review): the failure message below mentions only owner and admin although
     // ROLE_EDITOR is accepted too; confirm which of the two is intended.
     $privilegedRoles = array(
         WorkgroupConstants::ROLE_OWNER,
         WorkgroupConstants::ROLE_ADMIN,
         WorkgroupConstants::ROLE_EDITOR,
     );
     if (in_array($membership->getRole(), $privilegedRoles, true)) {
         return true;
     }

     // No further checks for other roles: the default behaviour is handled by
     // EyeosFileMetaDataSecurityHandler using the UNIX-like permissions of files.
     $this->failureException = new EyeHandlerFailureException('User is not the owner nor an admin of workgroup "' . $workgroup . '".');
     return false;
 }