/** * {@inheritDoc} */ public function getUser() { if (is_object($user = $this->token->getUser())) { return $user; } return null; }
public function vote(TokenInterface $token, $object, array $attributes) { if ($object instanceof ResourceCollection) { $granted = false; $user = null; if ($token->getUser() instanceof User) { $user = $token->getUser(); } if ($this->manager->hasTemporaryAccessOnSomeResources($user)) { foreach ($attributes as $attribute) { if ($this->supportsAttribute($attribute) && $this->supportsClass($object)) { foreach ($object->getResources() as $resource) { if ($this->manager->hasTemporaryAccess($resource, $user)) { $granted = true; break; } } } } } if ($granted) { return VoterInterface::ACCESS_GRANTED; } else { return VoterInterface::ACCESS_DENIED; } } return VoterInterface::ACCESS_ABSTAIN; }
/** * {@inheritdoc} */ public function vote(TokenInterface $token, $object, array $attributes) { if (!$token->getUser() instanceof User) { return VoterInterface::ACCESS_ABSTAIN; } return $token->getUser()->hasRole('ROLE_SUPER_ADMIN') ? VoterInterface::ACCESS_GRANTED : VoterInterface::ACCESS_ABSTAIN; }
/** * @param string $attribute * @param CourseLearningMaterialInterface $material * @param TokenInterface $token * @return bool */ protected function voteOnAttribute($attribute, $material, TokenInterface $token) { $user = $token->getUser(); if (!$user instanceof UserInterface) { return false; } $course = $material->getCourse(); if (!$course) { return false; } switch ($attribute) { case self::VIEW: $granted = $this->isViewGranted($course->getId(), $course->getSchool()->getId(), $user); // prevent access if associated LM is in draft, and the current user has no elevated privileges. if ($granted) { $granted = $this->userHasRole($token->getUser(), ['Faculty', 'Course Director', 'Developer']) || LearningMaterialStatusInterface::IN_DRAFT !== $material->getLearningMaterial()->getStatus()->getId(); } return $granted; break; case self::CREATE: case self::EDIT: case self::DELETE: // prevent any sort of write operation (create/edit/delete) if the parent course is locked or archived. if ($course->isLocked() || $course->isArchived()) { return false; } return $this->isWriteGranted($course->getId(), $course->getSchool()->getId(), $user); break; } return false; }
/** * @param Request $request * @param TokenInterface $token * * @return RedirectResponse|\Symfony\Component\HttpFoundation\Response */ public function onAuthenticationSuccess(Request $request, TokenInterface $token) { $token->getUser()->setLastlogin(new \DateTime()); $token->getUser()->save(); $log = new UserLog(); $log->setIpSource($request->getClientIp()); $token->getUser()->addUserLog($log); $token->getUser()->save(); /** @var SecurityContext $securityContext */ $securityContext = $this->container->get('security.context'); if ($securityContext->isGranted('ROLE_SUPER_ADMIN')) { return new RedirectResponse($this->container->get('router')->generate('sonata_admin_dashboard')); } if ($securityContext->isGranted('ROLE_ADMIN')) { return new RedirectResponse($this->container->get('router')->generate('pgs_admin_dashboard')); } if ($securityContext->isGranted('ROLE_OFFICE')) { return new RedirectResponse($this->container->get('router')->generate('pgs_office_dashboard')); } if ($securityContext->isGranted('ROLE_PRINCIPAL')) { return new RedirectResponse($this->container->get('router')->generate('pgs_principal_dashboard')); } if ($securityContext->isGranted('ROLE_SALES')) { return new RedirectResponse($this->container->get('router')->generate('pgs_sales_dashboard')); } if ($securityContext->isGranted('ROLE_USER')) { return new RedirectResponse($this->container->get('router')->generate('homepage')); } }
/** * Returns the vote for the given parameters. * * This method must return one of the following constants: * ACCESS_GRANTED, ACCESS_DENIED, or ACCESS_ABSTAIN. * * @param TokenInterface $token A TokenInterface instance * @param object $object The object to secure * @param array $attributes An array of attributes associated with the method being invoked * * @return integer either ACCESS_GRANTED, ACCESS_ABSTAIN, or ACCESS_DENIED */ public function vote(TokenInterface $token, $object, array $attributes) { $result = VoterInterface::ACCESS_ABSTAIN; if (!$this->supportsClass(get_class($object))) { return $result; } foreach ($attributes as $attribute) { if (!$this->supportsAttribute($attribute)) { continue; } $result = VoterInterface::ACCESS_DENIED; switch ($attribute) { case Product::PRODUCT_OWNER: if ($token->getUser() === $object->getUser()) { return VoterInterface::ACCESS_GRANTED; } break; case Product::PRODUCT_LIKE: #echo '<pre>'; var_dump($object->getLikers()); exit; if ($token->getUser() !== $object->getUser() && !$object->getLikers()->contains($token->getUser())) { return VoterInterface::ACCESS_GRANTED; } break; } } return $result; }
public function vote(TokenInterface $token, $object, array $attributes) { if (0 === strpos($attributes[0], 'ROLE_')) { if ($token->getUser() instanceof User && in_array('ROLE_SUPER_ADMIN', $token->getUser()->getRoles())) { return self::ACCESS_GRANTED; } } return self::ACCESS_ABSTAIN; }
/** * @param TokenInterface $token * * @return array */ public static function getAuthenticationResponse(TokenInterface $token) { $response = array('success' => false); if ($token->isAuthenticated() && $token->getUser() instanceof User) { /* @var User $user */ $user = $token->getUser(); $response = array('success' => true, 'profile' => self::userToArray($user)); } return $response; }
/** * Redirige une authentification OAuth réussie vers le formulaire de demande d'authorisation * @param Request $request * @param TokenInterface $token * @return RedirectResponse */ public function onAuthenticationSuccess(Request $request, TokenInterface $token) { if (!is_null($token->getUser()->getOauthClient())) { $client = $token->getUser()->getOauthClient(); $redirection = new RedirectResponse($this->router->generate('fos_oauth_server_authorize', array('client_id' => $client->getPublicId(), 'response_type' => 'code', 'redirect_uri' => $client->getRedirectUris()[0]))); } else { $redirection = new RedirectResponse('/'); } return $redirection; }
/** * Удалять могут: Пользователь-Владелец, Администратор */ private function canDelete(User $user, TokenInterface $token) { if (!$token->getUser() instanceof User) { return false; } if ($token->getUser() === $user) { return true; } return $this->decisionManager->decide($token, array('ROLE_ADMIN')); }
/** * {@inheritdoc} * @see user_logout() */ public function logout(Request $request, Response $response, TokenInterface $token) { $user = $token->getUser(); if (is_a($user, 'Bangpound\\Bundle\\DrupalBundle\\Security\\User\\User')) { /** @var \Bangpound\Bundle\DrupalBundle\Security\User\User $user */ $user = $token->getUser()->getDrupalUser(); watchdog('user', 'Session closed for %name.', array('%name' => $user->name)); module_invoke_all('user_logout', $user); $GLOBALS['user'] = drupal_anonymous_user(); } }
/** * @inheritdoc */ public function isGranted($attributes, $object = null) { if (!is_array($attributes)) { $attributes = [$attributes]; } if (null === $object) { $object = $this->token->getUser(); } $acceptedRoles = array_intersect($attributes, $object->getRoles()); return 0 !== count($acceptedRoles); }
/** * {@inheritdoc} */ public function vote(TokenInterface $token, $page, array $attributes) { foreach ($attributes as $attribute) { if ($this->supportsAttribute($attribute) && $this->supportsClass($page)) { $userClass = $this->userClass; if ($token->getUser() instanceof $userClass && $token->getUser()->hasRole('ROLE_VICTOIRE') || $page->getAuthor() === $token->getUser()) { return VoterInterface::ACCESS_GRANTED; } } } return VoterInterface::ACCESS_DENIED; }
/** * {@inheritdoc} */ public function authenticateToken(TokenInterface $token, UserProviderInterface $userProvider, $providerKey) { if (is_subclass_of($token->getUser(), $this->userClass)) { return new PreAuthenticatedToken($token->getUser(), $token->getCredentials(), $providerKey, $token->getUser()->getRoles()); } $ssoToken = $this->tokenRepository->find($token->getCredentials()); if (!$ssoToken) { throw new AuthenticationException(); } $user = $userProvider->loadUserByUsername($ssoToken->getUsername()); return new PreAuthenticatedToken($user, $token->getCredentials(), $providerKey, $user->getRoles()); }
public function setUp() { $this->user = $this->prophesize(UserInterface::class); $this->token = $this->prophesize(TokenInterface::class); $this->token->getUser()->willReturn($this->user); $this->accessControlManager = $this->prophesize(AccessControlManagerInterface::class); $this->tokenStorage = $this->prophesize(TokenStorageInterface::class); $this->tokenStorage->getToken()->willReturn($this->token->reveal()); $this->securedEntitySubscriber = new SecuredEntitySubscriber($this->accessControlManager->reveal(), $this->tokenStorage->reveal()); $this->visitor = $this->prophesize(GenericSerializationVisitor::class); $this->objectEvent = $this->prophesize(ObjectEvent::class); $this->objectEvent->getVisitor()->willReturn($this->visitor); }
public function authenticate(TokenInterface $token) { $user = $this->userProvider->loadUserByUsername($token->getUser(), $token->getCredentials()); $newToken = new UserToken($token->getUser(), $token->getCredentials(), "main", $user->getRoles()); $encoder = $this->encoder->getEncoder($user); // compute the encoded password $encodedPassword = $encoder->encodePassword($token->getCredentials(), $user->salt); $newToken = new UserToken($token->getUser(), $token->getCredentials(), "secured_area", $user->getRoles()); $username = $newToken->getUser(); if (empty($username) || $user->getPassword() != $encodedPassword) { throw new BadCredentialsException('Bad credentials :)'); } return $newToken; }
public function vote(TokenInterface $token, $object, array $attributes) { if (!$object || !$this->supportsClass(get_class($object))) { return self::ACCESS_ABSTAIN; } $user = ctype_digit($token->getUser()) ? $this->userRepository->find((int) $token->getUser()) : null; foreach ($attributes as $attribute) { $attribute = strtolower($attribute); if ($this->supportsAttribute($attribute)) { $isGranted = call_user_func([$this, 'isGranted'], $attribute, $object, $user); return $isGranted ? self::ACCESS_GRANTED : self::ACCESS_DENIED; } } return self::ACCESS_ABSTAIN; }
public function vote(TokenInterface $token, $object, array $attributes) { // check if the voter is used correct, only allow one attribute // this isn't a requirement, it's just one easy way for you to // design your voter if (1 !== count($attributes)) { throw new \InvalidArgumentException('Only one attribute is allowed for TicketVoter'); } // set the attribute to check against $attribute = $attributes[0]; // check if the given attribute is covered by this voter if (!$this->supportsAttribute($attribute)) { return VoterInterface::ACCESS_ABSTAIN; } // get current logged in user $user = $token->getUser(); // make sure there is a user object (i.e. that the user is logged in) if (!$user instanceof Netizen) { return VoterInterface::ACCESS_DENIED; } if ($this->freeAccess || $this->hasFreeAccess($user)) { return VoterInterface::ACCESS_GRANTED; } if ($user->hasValidTicket()) { return VoterInterface::ACCESS_GRANTED; } // if everything else fails: return VoterInterface::ACCESS_DENIED; }
function it_returns_locale_of_currently_logged_admin_user(TokenStorageInterface $tokenStorage, TokenInterface $token, AdminUserInterface $admin) { $admin->getLocaleCode()->willReturn('en_US'); $token->getUser()->willreturn($admin); $tokenStorage->getToken()->willReturn($token); $this->getLocaleCode()->shouldReturn('en_US'); }
public function vote(TokenInterface $token, $object, array $attributes) { $user = $token->getUser(); $type = ProjectGitAccess::WRITE_PERMISSION; foreach ($attributes as $attribute) { switch ($attribute) { case 'GIT_DELETE': case 'GIT_FORCE': $type = ProjectGitAccess::ADMIN_PERMISSION; break 2; } } if (is_array($object) && isset($object[0]) && $object[0] instanceof Project) { $object = new PushTarget($object[0], $object[1]); } if (!$object instanceof PushTarget) { return VoterInterface::ACCESS_ABSTAIN; } foreach ($object->getProject()->getGitAccesses() as $access) { if ($access->isGranted($user, $object->getReference(), $type)) { return self::ACCESS_GRANTED; } } return self::ACCESS_DENIED; }
/** * Returns the vote for the given parameters. * * This method must return one of the following constants: * ACCESS_GRANTED, ACCESS_DENIED, or ACCESS_ABSTAIN. * * @param TokenInterface $token A TokenInterface instance * @param object|null $object The object to secure * @param array $attributes An array of attributes associated with the method being invoked * * @return int either ACCESS_GRANTED, ACCESS_ABSTAIN, or ACCESS_DENIED */ public function vote(TokenInterface $token, $object, array $attributes) { $class = get_class($object); if (!$this->supportsClass($class)) { return self::ACCESS_ABSTAIN; } $user = $token->getUser(); if ($user === 'anon.') { return self::ACCESS_ABSTAIN; } else { if (in_array('ADMINISTRATE_BLOG', $attributes) || in_array('SWITCH_ARTICLE_AUTHOR', $attributes)) { if ($user->hasRole('ROLE_BLOG_ADMIN')) { return self::ACCESS_GRANTED; } else { return self::ACCESS_DENIED; } } elseif (in_array('ADMINISTRATE_COMMENTS', $attributes)) { if ($user->hasRole('ROLE_BLOG_ADMIN') || $user->hasRole('ROLE_BLOG_EDITOR')) { return self::ACCESS_GRANTED; } else { return self::ACCESS_DENIED; } } return self::ACCESS_ABSTAIN; } }
/** * {@inheritdoc} */ protected function onLoginSuccess(Request $request, Response $response, TokenInterface $token) { $series = base64_encode(random_bytes(64)); $tokenValue = base64_encode(random_bytes(64)); $this->tokenProvider->createNewToken(new PersistentToken(get_class($user = $token->getUser()), $user->getUsername(), $series, $tokenValue, new \DateTime())); $response->headers->setCookie(new Cookie($this->options['name'], $this->encodeCookie(array($series, $tokenValue)), time() + $this->options['lifetime'], $this->options['path'], $this->options['domain'], $this->options['secure'], $this->options['httponly'])); }
/** * @var Ecedi\Donate\CoreBundle\Entity\User */ public function vote(TokenInterface $token, $object, array $attributes) { // check if the voter is used correct, only allow one attribute // this isn't a requirement, it's just one easy way for you to // design your voter if (1 !== count($attributes)) { throw new \InvalidArgumentException('Only one attribute is allowed for VIEW, EDIT or DELETE'); } // set the attribute to check against $attribute = $attributes[0]; // check if the given attribute is covered by this voter if (!$this->supportsAttribute($attribute)) { return VoterInterface::ACCESS_ABSTAIN; } // get current logged in user $currentUser = $token->getUser(); // make sure there is a user object (i.e. that the user is logged in) if (!$currentUser instanceof UserInterface) { return VoterInterface::ACCESS_DENIED; } switch ($attribute) { case self::LIST_USERS: if ($currentUser->hasRole('ROLE_ADMIN')) { return VoterInterface::ACCESS_GRANTED; } //others cannot view others break; case self::CREATE_USERS: if ($currentUser->hasRole('ROLE_ADMIN')) { return VoterInterface::ACCESS_GRANTED; } break; } return VoterInterface::ACCESS_DENIED; }
/** * @param TokenInterface $token * @param mixed $object * @param array $attributes * * @return int */ public function vote(TokenInterface $token, $object, array $attributes) { if (!is_object($object)) { return self::ACCESS_ABSTAIN; } if (!in_array(get_class($object), $this->classes)) { return self::ACCESS_ABSTAIN; } if (!in_array($attributes[0], array_keys($this->roles))) { return self::ACCESS_ABSTAIN; } /** * @var User $user */ $user = $token->getUser(); foreach ($this->roles[$attributes[0]] as $role => $func) { if (!$user->hasRole($role)) { continue; } if ($func === true || method_exists($this, $func) && call_user_func([$this, $func], $user, $object)) { return self::ACCESS_GRANTED; } } return self::ACCESS_DENIED; }
public function onAuthenticationSuccess(Request $request, TokenInterface $token) { $apiKey = $token->getUser()->getApiKey(); $userId = $token->getUser()->getId(); $userName = $token->getUser()->getUsername(); $email = $token->getUser()->getEmail(); $data['authToken'] = $apiKey; $data['userid'] = $userId; $data['username'] = $userName; $data['email'] = $email; $data = json_encode($data, JSON_FORCE_OBJECT); $response = new Response(null, Response::HTTP_OK); $response->setContent($data); $response->headers->set('Content-Type', 'application/json'); return $response; }
/** * @param string $attribute * @param InstructorGroupInterface $group * @param TokenInterface $token * @return bool */ protected function voteOnAttribute($attribute, $group, TokenInterface $token) { $user = $token->getUser(); if (!$user instanceof UserInterface) { return false; } switch ($attribute) { case self::VIEW: // unlike instructor details, instructor groups // should be visible to any authenticated user in the system. // do not enforce any special permissions for viewing them. return true; break; case self::CREATE: case self::EDIT: case self::DELETE: // grant CREATE, EDIT and DELETE privileges if at least one of the following // statements is true: // 1. the user's primary school is the group's owning school // and the user has at least one of the 'Course Director' and 'Developer' roles. // 2. the user has WRITE rights on the group's owning school via the permissions system // and the user has at least one of the 'Course Director' and 'Developer' roles. return $this->userHasRole($user, ['Course Director', 'Developer']) && ($this->schoolsAreIdentical($user->getSchool(), $group->getSchool()) || $this->permissionManager->userHasWritePermissionToSchool($user, $group->getSchool()->getId())); break; } return false; }
/** * {@inheritdoc} */ public function vote(TokenInterface $token, $object, array $attributes) { if (!$this->supportsClass(get_class($object))) { return self::ACCESS_ABSTAIN; } foreach ($attributes as $attribute) { if ($this->supportsAttribute($attribute) && $object instanceof UserInterface && $token->getUser() instanceof UserInterface) { if ($object->isSuperAdmin() && !$token->getUser()->isSuperAdmin()) { // deny a non super admin user to edit or delete a super admin user return self::ACCESS_DENIED; } } } // leave the permission voting to the AclVoter that is using the default permission map return self::ACCESS_ABSTAIN; }
/** * @param TokenInterface $post * @param mixed $post * @param array $attributes * @return integer */ public function vote(TokenInterface $token, $post, array $attributes) { if (!$this->supportsClass(get_class($post))) { return VoterInterface::ACCESS_ABSTAIN; } if (1 !== count($attributes)) { throw new \InvalidArgumentException('Only one attribute is allowed for VIEW or EDIT'); } $attribute = $attributes[0]; if (!$this->supportsAttribute($attribute)) { return VoterInterface::ACCESS_ABSTAIN; } $user = $token->getUser(); if (!$user instanceof UserInterface) { return VoterInterface::ACCESS_DENIED; } switch ($attribute) { case self::VIEW: return VoterInterface::ACCESS_GRANTED; break; case self::EDIT: case self::DELETE: if ($user->getId() === $post->getOwner()->getId()) { return VoterInterface::ACCESS_GRANTED; } break; } return VoterInterface::ACCESS_DENIED; }
/** * {@inheritdoc} */ protected function onLoginSuccess(Request $request, Response $response, TokenInterface $token) { $user = $token->getUser(); $expires = time() + $this->options['lifetime']; $value = $this->generateCookieValue(get_class($user), $user->getUsername(), $expires, $user->getPassword()); $response->headers->setCookie(new Cookie($this->options['name'], $value, $expires, $this->options['path'], $this->options['domain'], $this->options['secure'], $this->options['httponly'])); }
/** * {@inheritDoc} */ public function onAuthenticationSuccess(Request $request, TokenInterface $token) { $session = $request->getSession(); $user = $token->getUser(); $session->registerAccount($user, $request, $this); return parent::onAuthenticationSuccess($request, $token); }