public function __construct(AclAuthorization $authorization)
{
$authorization->addRole('member');
$authorization->addRole('admin');
$restrictedPrivileges = [Request::METHOD_PUT, Request::METHOD_PATCH, Request::METHOD_DELETE];
$hasNoRelation = new HasNoRelation();
$authorization->deny('member', 'Theodia\\V1\\Rest\\Calendar\\Controller::entity', $restrictedPrivileges, $hasNoRelation);
$authorization->deny('member', 'Theodia\\V1\\Rest\\Event\\Controller::entity', $restrictedPrivileges, $hasNoRelation);
$authorization->deny('member', 'Theodia\\V1\\Rest\\Place\\Controller::entity', $restrictedPrivileges, $hasNoRelation);
$authorization->deny('member', 'Theodia\\V1\\Rest\\User\\Controller::entity', $restrictedPrivileges, $hasNoRelation);
$authorization->deny('member', 'Theodia\\V1\\Rest\\PlaceType\\Controller::entity', $restrictedPrivileges);
$authorization->deny('member', 'Theodia\\V1\\Rest\\Rite\\Controller::entity', $restrictedPrivileges);
$authorization->deny('member', 'Theodia\\V1\\Rest\\Tag\\Controller::entity', $restrictedPrivileges);
$relationRestrictedPrivileges = [Request::METHOD_PUT, Request::METHOD_PATCH];
$lastRelation = new LastRelation();
$hasNoRelationOrLastRelation = new AssertionAggregate();
$hasNoRelationOrLastRelation->addAssertion($hasNoRelation);
$hasNoRelationOrLastRelation->addAssertion($lastRelation);
$hasNoRelationOrLastRelation->setMode(AssertionAggregate::MODE_AT_LEAST_ONE);
$authorization->deny('member', 'Theodia\\V1\\Rest\\UserCalendar\\Controller::entity', $relationRestrictedPrivileges, $hasNoRelation);
$authorization->deny('member', 'Theodia\\V1\\Rest\\UserPlace\\Controller::entity', $relationRestrictedPrivileges, $hasNoRelation);
$authorization->deny('member', 'Theodia\\V1\\Rest\\UserCalendar\\Controller::entity', [Request::METHOD_DELETE], $hasNoRelationOrLastRelation);
$authorization->deny('member', 'Theodia\\V1\\Rest\\UserPlace\\Controller::entity', [Request::METHOD_DELETE], $hasNoRelationOrLastRelation);
$authorization->deny('admin', 'Theodia\\V1\\Rest\\UserCalendar\\Controller::entity', [Request::METHOD_DELETE], $lastRelation);
$authorization->deny('admin', 'Theodia\\V1\\Rest\\UserPlace\\Controller::entity', [Request::METHOD_DELETE], $lastRelation);
$authorization->deny('member', 'Theodia\\V1\\Rest\\UserCalendar\\Controller::collection', [Request::METHOD_POST], $hasNoRelation);
$authorization->deny('member', 'Theodia\\V1\\Rest\\UserPlace\\Controller::collection', [Request::METHOD_POST], $hasNoRelation);
}
/**
* @description Initialise ACL for all modules/controllers/actions
* @param MvcEvent $e
*/
public function initAcl(MvcEvent $e, $config)
{
$app = $e->getApplication();
$eventManager = $app->getEventManager();
$serviceManager = $app->getServiceManager();
$aclService = $serviceManager->get('VcoZfAuthAcl\\Service\\AclServiceInterface');
$acl = $aclService->getAcl();
/* @var $acl Acl */
//deny everything by default
$acl->deny();
//add roles
$roles = $config['acl']['roles'];
if (count($roles) > 0) {
foreach ($roles as $roleName => $roleParent) {
if ($roleName == '') {
throw new \Exception('Role name can not be empty');
}
$role = new GenericRole($roleName);
$acl->addRole($role, $roleParent);
}
}
//add resources
$resources = $config['acl']['resources'];
if (count($resources) > 0) {
foreach ($resources as $moduleName => $moduleResources) {
$moduleName = strtolower($moduleName);
if (!$acl->hasResource($moduleName)) {
$acl->addResource(new GenericResource($moduleName));
}
if (count($moduleResources) > 0) {
foreach ($moduleResources as $moduleResource) {
$moduleResource = strtolower($moduleResource);
if (!$acl->hasResource($moduleResource)) {
$acl->addResource(new GenericResource($moduleResource), $moduleName);
}
}
}
}
}
//allows
$allows = $config['acl']['allow'];
if (count($allows) > 0) {
foreach ($allows as $allow) {
$assertionsConfig = $allow['assertions'];
$assertion = null;
if (is_array($assertionsConfig) && count($assertionsConfig) > 0) {
$assertion = new AssertionAggregate();
foreach ($assertionsConfig as $assertClassName) {
$assertion->addAssertion(new $assertClassName());
}
} else {
if (is_string($assertionsConfig) && !empty($assertionsConfig)) {
$assertion = new $assertionsConfig();
}
}
$acl->allow($allow['roles'], $allow['resources'], $allow['privileges'], $assertion);
}
}
//denials
$denials = $config['acl']['deny'];
if (count($denials) > 0) {
foreach ($denials as $denial) {
$assertionsConfig = $denial['assertions'];
$assertion = null;
if (is_array($assertionsConfig) && count($assertionsConfig) > 0) {
$assertion = new AssertionAggregate();
foreach ($assertionsConfig as $assertClassName) {
$assertion->addAssertion(new $assertClassName());
}
} else {
if (is_string($assertionsConfig) && !empty($assertionsConfig)) {
$assertion = new $assertionsConfig();
}
}
$acl->deny($denial['roles'], $denial['resources'], $denial['privileges'], $assertion);
}
}
}
/**
* @param string|array|AssertionInterface $assertion
* @return null|AssertionInterface
*/
protected function normalizeAssertion($assertion)
{
if (!$assertion) {
return;
}
if ($assertion instanceof AssertionInterface) {
return $assertion;
}
$assertion = (array) $assertion;
if (count($assertion) > 1) {
$assertionAggregate = new AssertionAggregate();
foreach ($ruleData['assertion'] as $plugin) {
if (is_string($plugin) && $this->assertionPluginManager->has($plugin)) {
$plugin = $this->assertionPluginManager->get($plugin);
}
if ($plugin instanceof AssertionInterface) {
$assertionAggregate->addAssertion($plugin);
}
}
return $assertionAggregate;
}
$assertion = reset($assertion);
if (!$assertion instanceof AssertionInterface) {
if (is_string($assertion) && $this->assertionPluginManager->has($assertion)) {
$assertion = $this->assertionPluginManager->get($assertion);
} else {
$assertion = null;
}
}
return $assertion;
}
/**
* Add rules for "site_admin" role.
*
* @param Acl $acl
*/
protected function addRulesForSiteAdmin(Acl $acl)
{
$acl->allow('site_admin');
$acl->deny('site_admin', ['Omeka\\Module\\Manager', 'Omeka\\Controller\\Admin\\Module'], ['activate', 'deactivate', 'install', 'uninstall', 'upgrade', 'configure']);
$acl->deny('site_admin', 'Omeka\\Controller\\Admin\\Vocabulary', ['import']);
$acl->deny('site_admin', 'Omeka\\Controller\\Admin\\Setting');
$acl->deny('site_admin', 'Omeka\\Api\\Adapter\\VocabularyAdapter', ['create', 'update', 'delete']);
$acl->deny('site_admin', 'Omeka\\Entity\\Media', ['create', 'update', 'delete']);
$acl->deny('site_admin', 'Omeka\\Entity\\User', 'change-role-admin');
$acl->deny('site_admin', 'Omeka\\Entity\\User', ['change-role', 'activate-user', 'delete'], new IsSelfAssertion());
// Site admins should not be able to edit other admin users but should
// be able to edit themselves
$denyEdit = new AssertionAggregate();
$denyEdit->addAssertions([new UserIsAdminAssertion(), new AssertionNegation(new IsSelfAssertion())]);
$acl->deny('site_admin', 'Omeka\\Entity\\User', ['update', 'delete', 'change-password', 'edit-keys'], $denyEdit);
}
