Exemplo n.º 1
 /**
  * Attaches the current user's permissions for a secured document to the serialized output.
  *
  * Nothing is added unless the document implements the security, locale and
  * webspace behaviors and the token storage holds a token whose user is a
  * UserInterface instance.
  *
  * @param ObjectEvent $event
  */
 public function onPostSerialize(ObjectEvent $event)
 {
     $document = $event->getObject();

     // The permission lookup needs getPermissions(), getLocale() and getWebspaceName().
     $isSecuredDocument = $document instanceof SecurityBehavior
         && $document instanceof LocaleBehavior
         && $document instanceof WebspaceBehavior;
     if (!$isSecuredDocument) {
         return;
     }

     // Without a token there is no user to resolve permissions for.
     if ($this->tokenStorage === null || $this->tokenStorage->getToken() === null) {
         return;
     }

     // Tokens whose user is not a UserInterface object are skipped as well.
     if (!$this->tokenStorage->getToken()->getUser() instanceof UserInterface) {
         return;
     }

     /** @var JsonSerializationVisitor $visitor */
     $visitor = $event->getVisitor();

     $locale = $document->getLocale();
     $securityContext = ContentAdmin::SECURITY_CONTEXT_PREFIX . $document->getWebspaceName();
     $documentPermissions = $document->getPermissions();
     $currentUser = $this->tokenStorage->getToken()->getUser();

     $visitor->addData(
         '_permissions',
         $this->accessControlManager->getUserPermissionByArray(
             $locale,
             $securityContext,
             $documentPermissions,
             $currentUser
         )
     );
 }
Exemplo n.º 2
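 /**
  * {@inheritdoc}
  *
  * Returns the current user's permissions keyed by security context, for every
  * context the admin pool reports. An empty array is returned when the token
  * storage holds no token.
  */
 public function getParameters()
 {
     // getToken() can return null (no authenticated user); calling getUser()
     // on it would abort the request with a fatal error.
     $token = $this->tokenStorage->getToken();
     if ($token === null) {
         // NOTE(review): consumers should treat a missing context as "unknown",
         // not as "granted" - confirm how the client reads this structure.
         return [];
     }

     // The user does not change between contexts, so resolve it once.
     $user = $token->getUser();

     $parameters = [];
     foreach ($this->adminPool->getSecurityContexts() as $sections) {
         foreach ($sections as $contexts) {
             // Only the context name (the key) is needed for the lookup.
             foreach ($contexts as $context => $permissionTypes) {
                 $parameters[$context] = $this->accessControlManager->getUserPermissions(
                     new SecurityCondition($context),
                     $user
                 );
             }
         }
     }

     return $parameters;
 }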
Exemplo n.º 3
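 /**
  * Adds the current user's permissions for a secured entity to the serialized output.
  *
  * Objects that are not a SecuredEntityInterface (after unwrapping an ApiWrapper)
  * are ignored, and nothing is added when the token storage holds no token.
  *
  * @param ObjectEvent $event
  */
 public function onPostSerialize(ObjectEvent $event)
 {
     $object = $event->getObject();
     // FIXME This should be removed, once all entities are restructured not using the ApiWrapper, possible BC break
     if ($object instanceof ApiWrapper) {
         $object = $object->getEntity();
     }
     if (!$object instanceof SecuredEntityInterface) {
         return;
     }

     // getToken() can return null (no authenticated user); calling getUser()
     // on it would abort serialization with a fatal error, so the permission
     // data is simply left out in that case.
     $token = $this->tokenStorage->getToken();
     if ($token === null) {
         return;
     }

     // The condition identifies the entity by security context, class and id.
     $securityCondition = new SecurityCondition(
         $object->getSecurityContext(),
         null,
         get_class($object),
         $object->getId()
     );

     $event->getVisitor()->addData(
         '_permissions',
         $this->accessControlManager->getUserPermissions($securityCondition, $token->getUser())
     );
 }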
Exemplo n.º 4
 /**
  * One explicitly denied attribute ('security') must deny the vote even though
  * another requested attribute ('view') is granted.
  */
 public function testNegativeVoteWithMultipleAttributes()
 {
     $condition = new SecurityCondition('sulu.security.roles', null);

     // The manager reports 'security' as explicitly denied for this user.
     $permissionMap = ['view' => true, 'add' => true, 'security' => false];
     $this->accessControlManager->getUserPermissions($condition, $this->user)->willReturn($permissionMap);

     $requestedAttributes = ['view', 'security'];
     $result = $this->voter->vote($this->token->reveal(), $condition, $requestedAttributes);

     $this->assertSame(VoterInterface::ACCESS_DENIED, $result);
 }
Exemplo n.º 5
 /**
  * {@inheritdoc}
  *
  * Abstains for objects this voter does not support. Otherwise denies as soon
  * as one requested attribute is present in the user's permissions with a
  * falsy value, and grants in every other case.
  */
 public function vote(TokenInterface $token, $object, array $attributes)
 {
     /** @var User $user */
     $user = $token->getUser();

     // Non-objects and unsupported classes are left to other voters.
     $isSupported = is_object($object) && $this->supportsClass(get_class($object));
     if (!$isSupported) {
         return VoterInterface::ACCESS_ABSTAIN;
     }

     $userPermissions = $this->accessControlManager->getUserPermissions($object, $user);

     // NOTE(review): an attribute that is absent from $userPermissions (or null)
     // is skipped rather than denied, and an empty $attributes list also ends in
     // ACCESS_GRANTED. Confirm this permissive default is intended; a stricter
     // voter would deny or abstain when an attribute cannot be resolved.
     foreach ($attributes as $attribute) {
         if (!isset($userPermissions[$attribute])) {
             continue;
         }
         if (!$userPermissions[$attribute]) {
             return VoterInterface::ACCESS_DENIED;
         }
     }

     return VoterInterface::ACCESS_GRANTED;
 }
Exemplo n.º 6
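 /**
  * Stores the permissions sent by the client for the object identified by "type" and "id".
  *
  * Reads "id", "type", "permissions" and "securityContext" from the request.
  * Permission values are normalized to booleans ('true' or true becomes true,
  * anything else false) before they are handed to the access control manager.
  * A RestException raised during validation is rendered as a 400 response.
  *
  * @param Request $request
  *
  * @return mixed The result of the view handler
  */
 public function postAction(Request $request)
 {
     try {
         $identifier = $request->get('id');
         $type = $request->get('type');
         $permissions = $request->get('permissions');
         $securityContext = $request->get('securityContext');
         if (!$identifier) {
             throw new MissingParameterException(static::class, 'id');
         }
         if (!$type) {
             // The request parameter is called "type"; the message previously named "class".
             throw new MissingParameterException(static::class, 'type');
         }
         if (!is_array($permissions)) {
             throw new RestException('The "permissions" must be passed as an array');
         }
         // NOTE(review): the SECURITY permission check runs only when the client
         // sends a "securityContext"; a request that omits it reaches
         // setPermissions() with no check visible in this method. Confirm that
         // access is enforced elsewhere, or derive the context server-side from $type.
         if ($securityContext) {
             $this->securityChecker->checkPermission($securityContext, PermissionTypes::SECURITY);
         }
         // transfer all permission strings to booleans
         // Built as a new array instead of iterating by reference, so no dangling
         // reference to the last element survives the loop.
         $normalized = [];
         foreach ($permissions as $key => $permissionLines) {
             // Request data is untrusted: a scalar entry would make the
             // per-line conversion fail with an error instead of a 400 response.
             if (!is_array($permissionLines)) {
                 throw new RestException('Each entry of "permissions" must be passed as an array');
             }
             $normalized[$key] = array_map(function ($permissionLine) {
                 return $permissionLine === 'true' || $permissionLine === true;
             }, $permissionLines);
         }
         $permissions = $normalized;
         $this->accessControlManager->setPermissions($type, $identifier, $permissions);
         return $this->viewHandler->handle(View::create(['id' => $identifier, 'type' => $type, 'permissions' => $permissions]));
     } catch (RestException $exc) {
         return $this->viewHandler->handle(View::create($exc->toArray(), 400));
     }
 }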
 /**
  * An entity wrapped in an ApiWrapper must be unwrapped, and the permissions
  * resolved for the inner entity must be added under '_permissions'.
  */
 public function testOnPostSerializeWithApiWrapper()
 {
     $wrapper = $this->prophesize(ApiWrapper::class);
     $securedEntity = $this->prophesize(SecuredEntityInterface::class);
     $securedEntity->getId()->willReturn(7);
     $securedEntity->getSecurityContext()->willReturn('sulu.example');
     $wrapper->getEntity()->willReturn($securedEntity);
     $this->objectEvent->getObject()->willReturn($wrapper);

     // The condition the subscriber is expected to build from the unwrapped entity.
     $entityClass = get_class($securedEntity->reveal());
     $expectedCondition = new SecurityCondition('sulu.example', null, $entityClass, 7);

     $resolvedPermissions = ['_permissions' => ['permission' => 'value']];
     $this->accessControlManager
         ->getUserPermissions($expectedCondition, $this->user->reveal())
         ->willReturn($resolvedPermissions);
     $this->visitor->addData('_permissions', $resolvedPermissions)->shouldBeCalled();

     $this->securedEntitySubscriber->onPostSerialize($this->objectEvent->reveal());
 }
Exemplo n.º 8
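 /**
  * Add data for serialization of content objects.
  *
  * Copies the content's data entries into the output, then adds the published
  * state, the redirect kind ('linked'), the localization type and - when a
  * security token is available - the current user's permissions.
  *
  * @param ObjectEvent $event
  */
 public function onPostSerialize(ObjectEvent $event)
 {
     /** @var Content $content */
     $content = $event->getObject();
     /** @var JsonSerializationVisitor $visitor */
     $visitor = $event->getVisitor();
     if (!$content instanceof Content) {
         return;
     }
     foreach ($content->getData() as $key => $value) {
         $visitor->addData($key, $value);
     }
     $visitor->addData('publishedState', WorkflowStage::PUBLISHED === $content->getWorkflowStage());
     // 'linked' is only emitted for external and internal redirects.
     if (RedirectType::EXTERNAL === $content->getNodeType()) {
         $visitor->addData('linked', 'external');
     } elseif (RedirectType::INTERNAL === $content->getNodeType()) {
         $visitor->addData('linked', 'internal');
     }
     if (null !== $content->getLocalizationType()) {
         $visitor->addData('type', $content->getLocalizationType()->toArray());
     }

     // getToken() can return null (no authenticated user); calling getUser()
     // on it would abort serialization with a fatal error, so the permission
     // data is left out instead.
     $token = $this->tokenStorage->getToken();
     if ($token === null) {
         return;
     }

     $visitor->addData(
         '_permissions',
         $this->accessControlManager->getUserPermissionByArray(
             $content->getLocale(),
             ContentAdmin::SECURITY_CONTEXT_PREFIX . $content->getWebspaceKey(),
             $content->getPermissions(),
             $token->getUser()
         )
     );
 }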
Exemplo n.º 9
 /**
  * {@inheritdoc}
  *
  * Builds the tree response for a node and its ancestors, optionally wrapped
  * in a synthetic webspace root node, and adds the current user's webspace
  * permissions when a token is available.
  */
 public function getNodesTree($uuid, $webspaceKey, $languageCode, $excludeGhosts = false, $excludeShadows = false, $appendWebspaceNode = false)
 {
     $nodes = $this->loadNodeAndAncestors($uuid, $webspaceKey, $languageCode, $excludeGhosts, $excludeShadows, true);

     // NOTE(review): $uuid, $webspaceKey and $languageCode are concatenated
     // into the hrefs below without URL encoding; if callers pass request
     // input through unvalidated, confirm the values cannot contain '&' or '#'.
     $ghostsQuery = $excludeGhosts === true ? '&exclude-ghosts=true' : '';
     $webspaceNodeQuery = $appendWebspaceNode === true ? '&webspace-node=true' : '';

     $embeddedNodes = $nodes;
     if ($appendWebspaceNode) {
         // Wrap the loaded nodes in a root entry representing the webspace itself.
         $webspace = $this->webspaceManager->getWebspaceCollection()->getWebspace($webspaceKey);
         $rootId = $this->sessionManager->getContentNode($webspace->getKey())->getIdentifier();
         $rootTitle = $webspace->getName();
         $childrenHref = $this->apiBasePath . '?depth=1&webspace=' . $webspaceKey . '&language=' . $languageCode . $ghostsQuery;

         $embeddedNodes = [
             [
                 'id' => $rootId,
                 'path' => '/',
                 'title' => $rootTitle,
                 'publishedState' => true,
                 'hasSub' => true,
                 '_embedded' => ['nodes' => $nodes],
                 '_links' => ['children' => ['href' => $childrenHref]],
             ],
         ];
     }
     $result = ['_embedded' => ['nodes' => $embeddedNodes]];

     // Permissions are only attached when a token storage and a token exist.
     $token = $this->tokenStorage ? $this->tokenStorage->getToken() : null;
     if ($token) {
         $webspaceCondition = new SecurityCondition('sulu.webspaces.' . $webspaceKey);
         $result['_permissions'] = $this->accessControlManager->getUserPermissions($webspaceCondition, $token->getUser());
     }

     // add api links
     $selfHref = $this->apiBasePath . '/tree?uuid=' . $uuid . '&webspace=' . $webspaceKey . '&language=' . $languageCode . $ghostsQuery . $webspaceNodeQuery;
     $result['_links'] = ['self' => ['href' => $selfHref]];

     return $result;
 }
Exemplo n.º 10
 /**
  * Invalid request data must never reach the access control manager.
  *
  * The controller's response is discarded; the only expectation is that
  * setPermissions() is not called for any of the provided data sets.
  *
  * @dataProvider provideWrongPermissionData
  */
 public function testPostActionWithWrongData($id, $class, $permissions)
 {
     // The data is passed as the Request's second constructor argument.
     $payload = ['id' => $id, 'type' => $class, 'permissions' => $permissions];
     $request = new Request([], $payload);

     $this->accessControlManager->setPermissions(Argument::cetera())->shouldNotBeCalled();

     $this->permissionController->postAction($request);
 }