/**
* {@inheritDoc}
*/
public function getUser()
{
if (is_object($user = $this->token->getUser())) {
return $user;
}
return null;
}
public function vote(TokenInterface $token, $object, array $attributes)
{
if ($object instanceof ResourceCollection) {
$granted = false;
$user = null;
if ($token->getUser() instanceof User) {
$user = $token->getUser();
}
if ($this->manager->hasTemporaryAccessOnSomeResources($user)) {
foreach ($attributes as $attribute) {
if ($this->supportsAttribute($attribute) && $this->supportsClass($object)) {
foreach ($object->getResources() as $resource) {
if ($this->manager->hasTemporaryAccess($resource, $user)) {
$granted = true;
break;
}
}
}
}
}
if ($granted) {
return VoterInterface::ACCESS_GRANTED;
} else {
return VoterInterface::ACCESS_DENIED;
}
}
return VoterInterface::ACCESS_ABSTAIN;
}
/**
* {@inheritdoc}
*/
public function vote(TokenInterface $token, $object, array $attributes)
{
if (!$token->getUser() instanceof User) {
return VoterInterface::ACCESS_ABSTAIN;
}
return $token->getUser()->hasRole('ROLE_SUPER_ADMIN') ? VoterInterface::ACCESS_GRANTED : VoterInterface::ACCESS_ABSTAIN;
}
/**
* @param string $attribute
* @param CourseLearningMaterialInterface $material
* @param TokenInterface $token
* @return bool
*/
protected function voteOnAttribute($attribute, $material, TokenInterface $token)
{
$user = $token->getUser();
if (!$user instanceof UserInterface) {
return false;
}
$course = $material->getCourse();
if (!$course) {
return false;
}
switch ($attribute) {
case self::VIEW:
$granted = $this->isViewGranted($course->getId(), $course->getSchool()->getId(), $user);
// prevent access if associated LM is in draft, and the current user has no elevated privileges.
if ($granted) {
$granted = $this->userHasRole($token->getUser(), ['Faculty', 'Course Director', 'Developer']) || LearningMaterialStatusInterface::IN_DRAFT !== $material->getLearningMaterial()->getStatus()->getId();
}
return $granted;
break;
case self::CREATE:
case self::EDIT:
case self::DELETE:
// prevent any sort of write operation (create/edit/delete) if the parent course is locked or archived.
if ($course->isLocked() || $course->isArchived()) {
return false;
}
return $this->isWriteGranted($course->getId(), $course->getSchool()->getId(), $user);
break;
}
return false;
}
/**
* @param Request $request
* @param TokenInterface $token
*
* @return RedirectResponse|\Symfony\Component\HttpFoundation\Response
*/
public function onAuthenticationSuccess(Request $request, TokenInterface $token)
{
$token->getUser()->setLastlogin(new \DateTime());
$token->getUser()->save();
$log = new UserLog();
$log->setIpSource($request->getClientIp());
$token->getUser()->addUserLog($log);
$token->getUser()->save();
/** @var SecurityContext $securityContext */
$securityContext = $this->container->get('security.context');
if ($securityContext->isGranted('ROLE_SUPER_ADMIN')) {
return new RedirectResponse($this->container->get('router')->generate('sonata_admin_dashboard'));
}
if ($securityContext->isGranted('ROLE_ADMIN')) {
return new RedirectResponse($this->container->get('router')->generate('pgs_admin_dashboard'));
}
if ($securityContext->isGranted('ROLE_OFFICE')) {
return new RedirectResponse($this->container->get('router')->generate('pgs_office_dashboard'));
}
if ($securityContext->isGranted('ROLE_PRINCIPAL')) {
return new RedirectResponse($this->container->get('router')->generate('pgs_principal_dashboard'));
}
if ($securityContext->isGranted('ROLE_SALES')) {
return new RedirectResponse($this->container->get('router')->generate('pgs_sales_dashboard'));
}
if ($securityContext->isGranted('ROLE_USER')) {
return new RedirectResponse($this->container->get('router')->generate('homepage'));
}
}
/**
* Returns the vote for the given parameters.
*
* This method must return one of the following constants:
* ACCESS_GRANTED, ACCESS_DENIED, or ACCESS_ABSTAIN.
*
* @param TokenInterface $token A TokenInterface instance
* @param object $object The object to secure
* @param array $attributes An array of attributes associated with the method being invoked
*
* @return integer either ACCESS_GRANTED, ACCESS_ABSTAIN, or ACCESS_DENIED
*/
public function vote(TokenInterface $token, $object, array $attributes)
{
$result = VoterInterface::ACCESS_ABSTAIN;
if (!$this->supportsClass(get_class($object))) {
return $result;
}
foreach ($attributes as $attribute) {
if (!$this->supportsAttribute($attribute)) {
continue;
}
$result = VoterInterface::ACCESS_DENIED;
switch ($attribute) {
case Product::PRODUCT_OWNER:
if ($token->getUser() === $object->getUser()) {
return VoterInterface::ACCESS_GRANTED;
}
break;
case Product::PRODUCT_LIKE:
#echo '<pre>'; var_dump($object->getLikers()); exit;
if ($token->getUser() !== $object->getUser() && !$object->getLikers()->contains($token->getUser())) {
return VoterInterface::ACCESS_GRANTED;
}
break;
}
}
return $result;
}
public function vote(TokenInterface $token, $object, array $attributes)
{
if (0 === strpos($attributes[0], 'ROLE_')) {
if ($token->getUser() instanceof User && in_array('ROLE_SUPER_ADMIN', $token->getUser()->getRoles())) {
return self::ACCESS_GRANTED;
}
}
return self::ACCESS_ABSTAIN;
}
/**
* @param TokenInterface $token
*
* @return array
*/
public static function getAuthenticationResponse(TokenInterface $token)
{
$response = array('success' => false);
if ($token->isAuthenticated() && $token->getUser() instanceof User) {
/* @var User $user */
$user = $token->getUser();
$response = array('success' => true, 'profile' => self::userToArray($user));
}
return $response;
}
/**
* Redirige une authentification OAuth réussie vers le formulaire de demande d'authorisation
* @param Request $request
* @param TokenInterface $token
* @return RedirectResponse
*/
public function onAuthenticationSuccess(Request $request, TokenInterface $token)
{
if (!is_null($token->getUser()->getOauthClient())) {
$client = $token->getUser()->getOauthClient();
$redirection = new RedirectResponse($this->router->generate('fos_oauth_server_authorize', array('client_id' => $client->getPublicId(), 'response_type' => 'code', 'redirect_uri' => $client->getRedirectUris()[0])));
} else {
$redirection = new RedirectResponse('/');
}
return $redirection;
}
/**
* Удалять могут: Пользователь-Владелец, Администратор
*/
private function canDelete(User $user, TokenInterface $token)
{
if (!$token->getUser() instanceof User) {
return false;
}
if ($token->getUser() === $user) {
return true;
}
return $this->decisionManager->decide($token, array('ROLE_ADMIN'));
}
/**
* {@inheritdoc}
* @see user_logout()
*/
public function logout(Request $request, Response $response, TokenInterface $token)
{
$user = $token->getUser();
if (is_a($user, 'Bangpound\\Bundle\\DrupalBundle\\Security\\User\\User')) {
/** @var \Bangpound\Bundle\DrupalBundle\Security\User\User $user */
$user = $token->getUser()->getDrupalUser();
watchdog('user', 'Session closed for %name.', array('%name' => $user->name));
module_invoke_all('user_logout', $user);
$GLOBALS['user'] = drupal_anonymous_user();
}
}
/**
* @inheritdoc
*/
public function isGranted($attributes, $object = null)
{
if (!is_array($attributes)) {
$attributes = [$attributes];
}
if (null === $object) {
$object = $this->token->getUser();
}
$acceptedRoles = array_intersect($attributes, $object->getRoles());
return 0 !== count($acceptedRoles);
}
/**
* {@inheritdoc}
*/
public function vote(TokenInterface $token, $page, array $attributes)
{
foreach ($attributes as $attribute) {
if ($this->supportsAttribute($attribute) && $this->supportsClass($page)) {
$userClass = $this->userClass;
if ($token->getUser() instanceof $userClass && $token->getUser()->hasRole('ROLE_VICTOIRE') || $page->getAuthor() === $token->getUser()) {
return VoterInterface::ACCESS_GRANTED;
}
}
}
return VoterInterface::ACCESS_DENIED;
}
/**
* {@inheritdoc}
*/
public function authenticateToken(TokenInterface $token, UserProviderInterface $userProvider, $providerKey)
{
if (is_subclass_of($token->getUser(), $this->userClass)) {
return new PreAuthenticatedToken($token->getUser(), $token->getCredentials(), $providerKey, $token->getUser()->getRoles());
}
$ssoToken = $this->tokenRepository->find($token->getCredentials());
if (!$ssoToken) {
throw new AuthenticationException();
}
$user = $userProvider->loadUserByUsername($ssoToken->getUsername());
return new PreAuthenticatedToken($user, $token->getCredentials(), $providerKey, $user->getRoles());
}
public function setUp()
{
$this->user = $this->prophesize(UserInterface::class);
$this->token = $this->prophesize(TokenInterface::class);
$this->token->getUser()->willReturn($this->user);
$this->accessControlManager = $this->prophesize(AccessControlManagerInterface::class);
$this->tokenStorage = $this->prophesize(TokenStorageInterface::class);
$this->tokenStorage->getToken()->willReturn($this->token->reveal());
$this->securedEntitySubscriber = new SecuredEntitySubscriber($this->accessControlManager->reveal(), $this->tokenStorage->reveal());
$this->visitor = $this->prophesize(GenericSerializationVisitor::class);
$this->objectEvent = $this->prophesize(ObjectEvent::class);
$this->objectEvent->getVisitor()->willReturn($this->visitor);
}
public function authenticate(TokenInterface $token)
{
$user = $this->userProvider->loadUserByUsername($token->getUser(), $token->getCredentials());
$newToken = new UserToken($token->getUser(), $token->getCredentials(), "main", $user->getRoles());
$encoder = $this->encoder->getEncoder($user);
// compute the encoded password
$encodedPassword = $encoder->encodePassword($token->getCredentials(), $user->salt);
$newToken = new UserToken($token->getUser(), $token->getCredentials(), "secured_area", $user->getRoles());
$username = $newToken->getUser();
if (empty($username) || $user->getPassword() != $encodedPassword) {
throw new BadCredentialsException('Bad credentials :)');
}
return $newToken;
}
public function vote(TokenInterface $token, $object, array $attributes)
{
if (!$object || !$this->supportsClass(get_class($object))) {
return self::ACCESS_ABSTAIN;
}
$user = ctype_digit($token->getUser()) ? $this->userRepository->find((int) $token->getUser()) : null;
foreach ($attributes as $attribute) {
$attribute = strtolower($attribute);
if ($this->supportsAttribute($attribute)) {
$isGranted = call_user_func([$this, 'isGranted'], $attribute, $object, $user);
return $isGranted ? self::ACCESS_GRANTED : self::ACCESS_DENIED;
}
}
return self::ACCESS_ABSTAIN;
}
public function vote(TokenInterface $token, $object, array $attributes)
{
// check if the voter is used correct, only allow one attribute
// this isn't a requirement, it's just one easy way for you to
// design your voter
if (1 !== count($attributes)) {
throw new \InvalidArgumentException('Only one attribute is allowed for TicketVoter');
}
// set the attribute to check against
$attribute = $attributes[0];
// check if the given attribute is covered by this voter
if (!$this->supportsAttribute($attribute)) {
return VoterInterface::ACCESS_ABSTAIN;
}
// get current logged in user
$user = $token->getUser();
// make sure there is a user object (i.e. that the user is logged in)
if (!$user instanceof Netizen) {
return VoterInterface::ACCESS_DENIED;
}
if ($this->freeAccess || $this->hasFreeAccess($user)) {
return VoterInterface::ACCESS_GRANTED;
}
if ($user->hasValidTicket()) {
return VoterInterface::ACCESS_GRANTED;
}
// if everything else fails:
return VoterInterface::ACCESS_DENIED;
}
function it_returns_locale_of_currently_logged_admin_user(TokenStorageInterface $tokenStorage, TokenInterface $token, AdminUserInterface $admin)
{
$admin->getLocaleCode()->willReturn('en_US');
$token->getUser()->willreturn($admin);
$tokenStorage->getToken()->willReturn($token);
$this->getLocaleCode()->shouldReturn('en_US');
}
public function vote(TokenInterface $token, $object, array $attributes)
{
$user = $token->getUser();
$type = ProjectGitAccess::WRITE_PERMISSION;
foreach ($attributes as $attribute) {
switch ($attribute) {
case 'GIT_DELETE':
case 'GIT_FORCE':
$type = ProjectGitAccess::ADMIN_PERMISSION;
break 2;
}
}
if (is_array($object) && isset($object[0]) && $object[0] instanceof Project) {
$object = new PushTarget($object[0], $object[1]);
}
if (!$object instanceof PushTarget) {
return VoterInterface::ACCESS_ABSTAIN;
}
foreach ($object->getProject()->getGitAccesses() as $access) {
if ($access->isGranted($user, $object->getReference(), $type)) {
return self::ACCESS_GRANTED;
}
}
return self::ACCESS_DENIED;
}
/**
* Returns the vote for the given parameters.
*
* This method must return one of the following constants:
* ACCESS_GRANTED, ACCESS_DENIED, or ACCESS_ABSTAIN.
*
* @param TokenInterface $token A TokenInterface instance
* @param object|null $object The object to secure
* @param array $attributes An array of attributes associated with the method being invoked
*
* @return int either ACCESS_GRANTED, ACCESS_ABSTAIN, or ACCESS_DENIED
*/
public function vote(TokenInterface $token, $object, array $attributes)
{
$class = get_class($object);
if (!$this->supportsClass($class)) {
return self::ACCESS_ABSTAIN;
}
$user = $token->getUser();
if ($user === 'anon.') {
return self::ACCESS_ABSTAIN;
} else {
if (in_array('ADMINISTRATE_BLOG', $attributes) || in_array('SWITCH_ARTICLE_AUTHOR', $attributes)) {
if ($user->hasRole('ROLE_BLOG_ADMIN')) {
return self::ACCESS_GRANTED;
} else {
return self::ACCESS_DENIED;
}
} elseif (in_array('ADMINISTRATE_COMMENTS', $attributes)) {
if ($user->hasRole('ROLE_BLOG_ADMIN') || $user->hasRole('ROLE_BLOG_EDITOR')) {
return self::ACCESS_GRANTED;
} else {
return self::ACCESS_DENIED;
}
}
return self::ACCESS_ABSTAIN;
}
}
/**
* {@inheritdoc}
*/
protected function onLoginSuccess(Request $request, Response $response, TokenInterface $token)
{
$series = base64_encode(random_bytes(64));
$tokenValue = base64_encode(random_bytes(64));
$this->tokenProvider->createNewToken(new PersistentToken(get_class($user = $token->getUser()), $user->getUsername(), $series, $tokenValue, new \DateTime()));
$response->headers->setCookie(new Cookie($this->options['name'], $this->encodeCookie(array($series, $tokenValue)), time() + $this->options['lifetime'], $this->options['path'], $this->options['domain'], $this->options['secure'], $this->options['httponly']));
}
/**
* @var Ecedi\Donate\CoreBundle\Entity\User
*/
public function vote(TokenInterface $token, $object, array $attributes)
{
// check if the voter is used correct, only allow one attribute
// this isn't a requirement, it's just one easy way for you to
// design your voter
if (1 !== count($attributes)) {
throw new \InvalidArgumentException('Only one attribute is allowed for VIEW, EDIT or DELETE');
}
// set the attribute to check against
$attribute = $attributes[0];
// check if the given attribute is covered by this voter
if (!$this->supportsAttribute($attribute)) {
return VoterInterface::ACCESS_ABSTAIN;
}
// get current logged in user
$currentUser = $token->getUser();
// make sure there is a user object (i.e. that the user is logged in)
if (!$currentUser instanceof UserInterface) {
return VoterInterface::ACCESS_DENIED;
}
switch ($attribute) {
case self::LIST_USERS:
if ($currentUser->hasRole('ROLE_ADMIN')) {
return VoterInterface::ACCESS_GRANTED;
}
//others cannot view others
break;
case self::CREATE_USERS:
if ($currentUser->hasRole('ROLE_ADMIN')) {
return VoterInterface::ACCESS_GRANTED;
}
break;
}
return VoterInterface::ACCESS_DENIED;
}
/**
* @param TokenInterface $token
* @param mixed $object
* @param array $attributes
*
* @return int
*/
public function vote(TokenInterface $token, $object, array $attributes)
{
if (!is_object($object)) {
return self::ACCESS_ABSTAIN;
}
if (!in_array(get_class($object), $this->classes)) {
return self::ACCESS_ABSTAIN;
}
if (!in_array($attributes[0], array_keys($this->roles))) {
return self::ACCESS_ABSTAIN;
}
/**
* @var User $user
*/
$user = $token->getUser();
foreach ($this->roles[$attributes[0]] as $role => $func) {
if (!$user->hasRole($role)) {
continue;
}
if ($func === true || method_exists($this, $func) && call_user_func([$this, $func], $user, $object)) {
return self::ACCESS_GRANTED;
}
}
return self::ACCESS_DENIED;
}
public function onAuthenticationSuccess(Request $request, TokenInterface $token)
{
$apiKey = $token->getUser()->getApiKey();
$userId = $token->getUser()->getId();
$userName = $token->getUser()->getUsername();
$email = $token->getUser()->getEmail();
$data['authToken'] = $apiKey;
$data['userid'] = $userId;
$data['username'] = $userName;
$data['email'] = $email;
$data = json_encode($data, JSON_FORCE_OBJECT);
$response = new Response(null, Response::HTTP_OK);
$response->setContent($data);
$response->headers->set('Content-Type', 'application/json');
return $response;
}
/**
* @param string $attribute
* @param InstructorGroupInterface $group
* @param TokenInterface $token
* @return bool
*/
protected function voteOnAttribute($attribute, $group, TokenInterface $token)
{
$user = $token->getUser();
if (!$user instanceof UserInterface) {
return false;
}
switch ($attribute) {
case self::VIEW:
// unlike instructor details, instructor groups
// should be visible to any authenticated user in the system.
// do not enforce any special permissions for viewing them.
return true;
break;
case self::CREATE:
case self::EDIT:
case self::DELETE:
// grant CREATE, EDIT and DELETE privileges if at least one of the following
// statements is true:
// 1. the user's primary school is the group's owning school
// and the user has at least one of the 'Course Director' and 'Developer' roles.
// 2. the user has WRITE rights on the group's owning school via the permissions system
// and the user has at least one of the 'Course Director' and 'Developer' roles.
return $this->userHasRole($user, ['Course Director', 'Developer']) && ($this->schoolsAreIdentical($user->getSchool(), $group->getSchool()) || $this->permissionManager->userHasWritePermissionToSchool($user, $group->getSchool()->getId()));
break;
}
return false;
}
/**
* {@inheritdoc}
*/
public function vote(TokenInterface $token, $object, array $attributes)
{
if (!$this->supportsClass(get_class($object))) {
return self::ACCESS_ABSTAIN;
}
foreach ($attributes as $attribute) {
if ($this->supportsAttribute($attribute) && $object instanceof UserInterface && $token->getUser() instanceof UserInterface) {
if ($object->isSuperAdmin() && !$token->getUser()->isSuperAdmin()) {
// deny a non super admin user to edit or delete a super admin user
return self::ACCESS_DENIED;
}
}
}
// leave the permission voting to the AclVoter that is using the default permission map
return self::ACCESS_ABSTAIN;
}
/**
* @param TokenInterface $post
* @param mixed $post
* @param array $attributes
* @return integer
*/
public function vote(TokenInterface $token, $post, array $attributes)
{
if (!$this->supportsClass(get_class($post))) {
return VoterInterface::ACCESS_ABSTAIN;
}
if (1 !== count($attributes)) {
throw new \InvalidArgumentException('Only one attribute is allowed for VIEW or EDIT');
}
$attribute = $attributes[0];
if (!$this->supportsAttribute($attribute)) {
return VoterInterface::ACCESS_ABSTAIN;
}
$user = $token->getUser();
if (!$user instanceof UserInterface) {
return VoterInterface::ACCESS_DENIED;
}
switch ($attribute) {
case self::VIEW:
return VoterInterface::ACCESS_GRANTED;
break;
case self::EDIT:
case self::DELETE:
if ($user->getId() === $post->getOwner()->getId()) {
return VoterInterface::ACCESS_GRANTED;
}
break;
}
return VoterInterface::ACCESS_DENIED;
}
/**
* {@inheritdoc}
*/
protected function onLoginSuccess(Request $request, Response $response, TokenInterface $token)
{
$user = $token->getUser();
$expires = time() + $this->options['lifetime'];
$value = $this->generateCookieValue(get_class($user), $user->getUsername(), $expires, $user->getPassword());
$response->headers->setCookie(new Cookie($this->options['name'], $value, $expires, $this->options['path'], $this->options['domain'], $this->options['secure'], $this->options['httponly']));
}
/**
* {@inheritDoc}
*/
public function onAuthenticationSuccess(Request $request, TokenInterface $token)
{
$session = $request->getSession();
$user = $token->getUser();
$session->registerAccount($user, $request, $this);
return parent::onAuthenticationSuccess($request, $token);
}
