/**
* Add ACL check to API get list query criteria
*
* @param GetListBefore $event
*/
public function onGetListBefore(GetListBefore $event)
{
$acl = $this->securityFacade->getRequestAcl($this->request, true);
if ($acl && $event->getClassName() === $acl->getClass()) {
$event->setCriteria($this->aclHelper->applyAclToCriteria($event->getClassName(), $event->getCriteria(), $acl->getPermission()));
}
}
/**
* Stores the object in the request.
*
* @param Request $request
* @param ConfigurationInterface $configuration
* @return bool
* @throws AccessDeniedException When User doesn't have permission to the object
*/
public function apply(Request $request, ConfigurationInterface $configuration)
{
$request->attributes->set('_oro_access_checked', false);
$isSet = parent::apply($request, $configuration);
if ($this->securityFacade && $isSet) {
$object = $request->attributes->get($configuration->getName());
if ($object) {
$granted = $this->securityFacade->isRequestObjectIsGranted($request, $object);
if ($granted === -1) {
$acl = $this->securityFacade->getRequestAcl($request);
throw new AccessDeniedException('You do not get ' . $acl->getPermission() . ' permission for this object');
} elseif ($granted === 1) {
$request->attributes->set('_oro_access_checked', true);
}
}
}
return $isSet;
}
public function testGeWrongRequestAcl()
{
$request = new Request();
$request->attributes->add(['_controller' => 'wrong controller']);
$this->annotationProvider->expects($this->never())->method('findAnnotation');
$this->classResolver->expects($this->never())->method('isEntity');
$this->classResolver->expects($this->never())->method('getEntityClass');
$this->assertNull($this->facade->getRequestAcl($request, true));
}
