If no authenticated roles could be found the "Anonymous" role is returned.
The "Neos.Flow:Everybody" roles is always returned.
|
public getRoles ( ) : |
||
| return | ||
/**
* Gets the SQL query part to add to a query.
*
* @param ClassMetaData $targetEntity Metadata object for the target entity to be filtered
* @param string $targetTableAlias The target table alias used in the current query
* @return string The constraint SQL if there is available, empty string otherwise
*/
public function addFilterConstraint(ClassMetadata $targetEntity, $targetTableAlias)
{
$this->initializeDependencies();
/*
* TODO: Instead of checking for class account we could introduce some interface for white listing entities from entity security checks
* Problem with checking the Account is, that this filter calls getRoles() on the security context while accounts are not
* yet fully initialized. By this we get a half built account object that will end up in access denied exception,
* as it has no roles (and other properties) set
*/
if ($this->securityContext->areAuthorizationChecksDisabled() || $targetEntity->getName() === Account::class) {
return '';
}
if (!$this->securityContext->isInitialized()) {
if (!$this->securityContext->canBeInitialized()) {
return '';
}
$this->securityContext->initialize();
}
// This is needed to include the current context of roles into query cache identifier
$this->setParameter('__contextHash', $this->securityContext->getContextHash(), 'string');
$sqlConstraints = [];
$grantedConstraints = [];
$deniedConstraints = [];
foreach ($this->securityContext->getRoles() as $role) {
$entityPrivileges = $role->getPrivilegesByType(EntityPrivilegeInterface::class);
/** @var EntityPrivilegeInterface $privilege */
foreach ($entityPrivileges as $privilege) {
if (!$privilege->matchesEntityType($targetEntity->getName())) {
continue;
}
$sqlConstraint = $privilege->getSqlConstraint($targetEntity, $targetTableAlias);
if ($sqlConstraint === null) {
continue;
}
$sqlConstraints[] = ' NOT (' . $sqlConstraint . ')';
if ($privilege->isGranted()) {
$grantedConstraints[] = ' NOT (' . $sqlConstraint . ')';
} elseif ($privilege->isDenied()) {
$deniedConstraints[] = ' NOT (' . $sqlConstraint . ')';
}
}
}
$grantedConstraints = array_diff($grantedConstraints, $deniedConstraints);
$effectiveConstraints = array_diff($sqlConstraints, $grantedConstraints);
if (count($effectiveConstraints) > 0) {
return ' (' . implode(') AND (', $effectiveConstraints) . ') ';
}
return '';
}
/**
* Returns a string message, giving insights what happened during privilege evaluation.
*
* @param string $privilegeReasonMessage
* @return string
*/
protected function renderDecisionReasonMessage($privilegeReasonMessage)
{
if (count($this->securityContext->getRoles()) === 0) {
$rolesMessage = 'No authenticated roles';
} else {
$rolesMessage = 'Authenticated roles: ' . implode(', ', array_keys($this->securityContext->getRoles()));
}
return sprintf('Access denied for method' . chr(10) . 'Method: %s::%s()' . chr(10) . chr(10) . '%s' . chr(10) . chr(10) . '%s', $this->joinPoint->getClassName(), $this->joinPoint->getMethodName(), $privilegeReasonMessage, $rolesMessage);
}
/**
* @param NodeInterface $node
* @return string[] Array of granted node property names
*/
public function getDeniedNodePropertiesForEditing(NodeInterface $node)
{
$privilegeSubject = new PropertyAwareNodePrivilegeSubject($node);
$deniedNodePropertyNames = array();
$grantedNodePropertyNames = array();
$abstainedNodePropertyNames = array();
foreach ($this->securityContext->getRoles() as $role) {
/** @var EditNodePropertyPrivilege $editNodePropertyPrivilege */
foreach ($role->getPrivilegesByType(EditNodePropertyPrivilege::class) as $editNodePropertyPrivilege) {
if (!$editNodePropertyPrivilege->matchesSubject($privilegeSubject)) {
continue;
}
if ($editNodePropertyPrivilege->isGranted()) {
$grantedNodePropertyNames = array_merge($grantedNodePropertyNames, $editNodePropertyPrivilege->getNodePropertyNames());
} elseif ($editNodePropertyPrivilege->isDenied()) {
$deniedNodePropertyNames = array_merge($deniedNodePropertyNames, $editNodePropertyPrivilege->getNodePropertyNames());
} else {
$abstainedNodePropertyNames = array_merge($abstainedNodePropertyNames, $editNodePropertyPrivilege->getNodePropertyNames());
}
}
}
$implicitlyDeniedNodePropertyNames = array_diff($abstainedNodePropertyNames, $grantedNodePropertyNames);
return array_merge($implicitlyDeniedNodePropertyNames, $deniedNodePropertyNames);
}
/**
* Returns TRUE if access is granted on the given privilege target in the current security context
*
* @param string $privilegeTargetIdentifier The identifier of the privilege target to decide on
* @param array $privilegeParameters Optional array of privilege parameters (simple key => value array)
* @return boolean TRUE if access is granted, FALSE otherwise
*/
public function isPrivilegeTargetGranted($privilegeTargetIdentifier, array $privilegeParameters = [])
{
return $this->isPrivilegeTargetGrantedForRoles($this->securityContext->getRoles(), $privilegeTargetIdentifier, $privilegeParameters);
}
