/**
* @param ResourceInterface|null $resource
* @return $this
*/
public function setResourceId(ResourceInterface $resource = null)
{
if ($resource) {
$this->resourceId = $resource->getResourceId();
}
return $this;
}
public function assert(Acl $acl, RoleInterface $role = null, ResourceInterface $resource = null, $privilege = null)
{
if (!$role instanceof UserInterface || !$resource instanceof JobInterface || 'edit' != $privilege) {
return false;
}
return $resource->getPermissions()->isGranted($role->getId(), Permissions::PERMISSION_CHANGE);
}
public function assert(Acl $acl, RoleInterface $role = null, ResourceInterface $resource = null, $privilege = null)
{
if (!$resource instanceof User) {
return false;
}
return $acl->isAdminRole($resource->getRole());
}
public function assert(Acl $acl, RoleInterface $role = null, ResourceInterface $resource = null, $privilege = null)
{
if (!$role instanceof UserInterface || !$resource instanceof FileInterface) {
return false;
}
$privilege = $privilege ?: PermissionsInterface::PERMISSION_VIEW;
return $resource->getPermissions()->isGranted($role, $privilege);
}
/**
* Checks permissions based on resources' permissions.
*
* {@inheritDoc}
*
* @see \Zend\Permissions\Acl\Assertion\AssertionInterface::assert()
*/
public function assert(Acl $acl, RoleInterface $role = null, ResourceInterface $resource = null, $privilege = null)
{
if (!$role instanceof UserInterface || !$resource instanceof ApplicationInterface) {
return false;
}
/* @var $resource ApplicationInterface */
$permission = 'read' == $privilege ? PermissionsInterface::PERMISSION_VIEW : PermissionsInterface::PERMISSION_CHANGE;
return $resource->getPermissions()->isGranted($role, $permission);
}
public function assert(Acl $acl, RoleInterface $role = null, ResourceInterface $resource = null, $privilege = null)
{
if ($resource instanceof Site) {
$site = $resource;
} elseif ($resource instanceof SitePage) {
$site = $resource->getSite();
} else {
return false;
}
return $site->isPublic();
}
public function assert(\Zend\Permissions\Acl\Acl $acl, \Zend\Permissions\Acl\Role\RoleInterface $role = null, \Zend\Permissions\Acl\Resource\ResourceInterface $resource = null, $privilege = null)
{
$model = $resource->getModel();
if ($model instanceof \Application\Model\Relation\UserCalendar) {
$collection = $model->getCalendar()->getUserCalendars();
} elseif ($model instanceof \Application\Model\Relation\UserPlace) {
$collection = $model->getPlace()->getUserPlaces();
} else {
throw new \InvalidArgumentException('The resource being checked is not a supported relation. Either implement the relation support, or modify ACL rules.');
}
return count($collection) === 1;
}
public function assert(\Zend\Permissions\Acl\Acl $acl, \Zend\Permissions\Acl\Role\RoleInterface $role = null, \Zend\Permissions\Acl\Resource\ResourceInterface $resource = null, $privilege = null)
{
$model = $resource->getModel();
if (!$model instanceof \Application\Authorization\HasRelationToUsersInterface) {
throw new \InvalidArgumentException('The resource being checked must implement HasRelationToUsersInterface. Either implement the interface, or modify ACL rules.');
}
// If we found the user in relations, that means there is a relation, so return false (duh!)
foreach ($model->getUsers() as $user) {
if ($user === $role->getUser()) {
return false;
}
}
return true;
}
/**
* Returns true if and only if the assertion conditions are met
*
* This method is passed the ACL, Role, Resource, and privilege to which the authorization query applies. If the
* $role, $resource, or $privilege parameters are null, it means that the query applies to all Roles, Resources, or
* privileges, respectively.
*
* @param Acl $acl
* @param RoleInterface $role
* @param ResourceInterface $resource
* @param string $privilege
* @return bool
*/
public function assert(Acl $acl, RoleInterface $role = null, ResourceInterface $resource = null, $privilege = null)
{
if (!$role instanceof User) {
return false;
}
if (!$resource instanceof OrganResourceInterface) {
return false;
}
$member = $role->getMember();
$organ = $resource->getResourceOrgan();
foreach ($member->getOrganInstallations() as $organInstall) {
if ($organInstall->getOrgan()->getId() === $organ->getId() && $this->isCurrentMember($organInstall)) {
return true;
}
}
return false;
}
public function assert(Acl $acl, RoleInterface $role = null, ResourceInterface $resource = null, $privilege = null)
{
if ($resource instanceof Site) {
$site = $resource;
} elseif ($resource instanceof SitePage) {
$site = $resource->getSite();
} else {
// Not a recognized resource.
return false;
}
$criteria = Criteria::create()->where(Criteria::expr()->eq('user', $role));
$sitePermission = $site->getSitePermissions()->matching($criteria)->first();
if (!$sitePermission) {
// This user has no site permission
return false;
}
$userRoleNumber = $this->getRoleNumber($sitePermission->getRole());
return $userRoleNumber <= $this->roleNumber;
}
/**
* Checks permissions based on resources' permissions.
*
* {@inheritDoc}
*
* @see \Zend\Permissions\Acl\Assertion\AssertionInterface::assert()
*/
public function assert(Acl $acl, RoleInterface $role = null, ResourceInterface $resource = null, $privilege = null)
{
if (!$role instanceof UserInterface || !$resource instanceof ApplicationInterface) {
return false;
}
/* @var $resource ApplicationInterface|DraftableEntityInterface */
$permissions = $resource->getPermissions();
/* If application is a draft, only the associated user may view and edit.
* As an anonymous user is not saved with the entity, we need to check the 'change' permission.
*/
if ($resource->isDraft()) {
return $role === $resource->getUser() || $permissions->isGranted($role, PermissionsInterface::PERMISSION_CHANGE);
}
if (ApplicationInterface::PERMISSION_SUBSEQUENT_ATTACHMENT_UPLOAD == $privilege) {
// only applicant is allowed to upload subsequent attachments
return $permissions->isAssigned($role) && $permissions->isGranted($role, PermissionsInterface::PERMISSION_VIEW);
}
$permission = 'read' == $privilege ? PermissionsInterface::PERMISSION_VIEW : PermissionsInterface::PERMISSION_CHANGE;
return $permissions->isGranted($role, $permission);
}
/**
* Returns true, if the user has write access to the job granted from the organization.
*
* @param RoleInterface $role This must be a UserInterface instance
* @param ResourceInterface $resource This must be a JobInterface instance
*
* @return bool
*/
protected function checkOrganizationPermissions($role, $resource)
{
/* @var $resource \Jobs\Entity\JobInterface */
/* @var $role \Auth\Entity\UserInterface */
$organization = $resource->getOrganization();
if (!$organization) {
return false;
}
if ($organization->isHiringOrganization()) {
$organization = $organization->getParent();
}
$orgUser = $organization->getUser();
if ($orgUser && $role->getId() == $orgUser->getId()) {
return true;
}
$employees = $organization->getEmployees();
foreach ($employees as $emp) {
/* @var $emp \Organizations\Entity\EmployeeInterface */
if ($emp->getUser()->getId() == $role->getId() && $emp->getPermissions()->isAllowed(EmployeePermissionsInterface::JOBS_CHANGE)) {
return true;
}
}
return false;
}
/**
* @param \Phpro\SmartCrud\Event\CrudEvent $event
* @param \BjyAuthorize\Service\Authorize $authorizeService
* @param \Zend\Permissions\Acl\Resource\ResourceInterface $resource
*/
protected function mockEvent($authorizeService, $event, $resource)
{
$authorizeService->isAllowed(Argument::cetera())->willReturn(true);
$this->mockListenerFactory($authorizeService->getWrappedObject());
$event->getEntity()->willReturn($resource->getWrappedObject());
}
/**
* Returns true if and only if the assertion conditions are met
*
* This method is passed the ACL, Role, Resource, and privilege to which the authorization query applies. If the
* $role, $resource, or $privilege parameters are null, it means that the query applies to all Roles, Resources, or
* privileges, respectively.
*
* @param Acl $acl
* @param RoleInterface $role
* @param ResourceInterface $resource
* @param string $privilege
*
* @return bool
*/
public function assert(Acl $acl, RoleInterface $role = null, ResourceInterface $resource = null, $privilege = null)
{
/* @var ResourceInterface|Cv $resource */
return $role instanceof UserInterface && $resource instanceof CvInterface && 'view' == $privilege && ($resource->getPermissions()->isGranted($role, PermissionsInterface::PERMISSION_VIEW) || Status::PUBLIC_TO_ALL == (string) $resource->getStatus());
}
/**
* Checks write Access on attachments
*
* @param RoleInterface $role
* @param ResourceInterface $resource
* @return boolean
*/
protected function assertWrite($role, $resource)
{
$job = $resource->getJob();
return $job && $role->getId() == $job->getUser()->getId();
}
/**
* Returns true if and only if the assertion conditions are met
*
* This method is passed the ACL, Role, Resource, and privilege to which the authorization query applies. If the
* $role, $resource, or $privilege parameters are null, it means that the query applies to all Roles, Resources, or
* privileges, respectively.
*
* @param Acl $acl
* @param RoleInterface $role
* @param ResourceInterface $resource
* @param string $privilege
* @return bool
*/
public function assert(Acl $acl, RoleInterface $role = null, ResourceInterface $resource = null, $privilege = null)
{
if ($this->inWhitelist($role->getRoleId(), $resource->getResourceId(), $privilege)) {
return false;
}
$rows = $this->getRolesAndResources($role->getRoleId(), $resource->getResourceId());
foreach ($rows as $row) {
$methods = explode(',', $row['methods']);
if (!in_array($privilege, $methods)) {
return false;
}
}
return true;
}
public function removeResource(ResourceInterface $resource)
{
unset($this->resources[$resource->getResourceId()]);
return $this;
}
public function assert(Acl $acl, RoleInterface $role = null, ResourceInterface $resource = null, $privilege = null)
{
return 'edit' == $privilege && $role instanceof UserInterface && $resource instanceof OrganizationInterface && $resource->getPermissions()->isGranted($role, PermissionsInterface::PERMISSION_CHANGE);
}
