/** * @ApiDoc( * section="ACL Management", * description="Saves the given rules" * ) * * @Rest\RequestParam(name="targetId", requirements=".+", strict=true, description="Target id") * @Rest\RequestParam(name="targetType", requirements=".+", strict=true, description="Target type") * @Rest\RequestParam(name="rules", strict=false, description="ACL rules array") * * @Rest\Post("/user/acl") * * @param int $targetId * @param int $targetType * @param array $rules * * @return bool */ public function saveAcl($targetId, $targetType, $rules = null) { $targetId += 0; $targetType += 0; AclQuery::create()->filterByTargetId($targetId)->filterByTargetType($targetType)->delete(); if (0 < count($rules)) { $i = 1; if (is_array($rules)) { foreach ($rules as $rule) { $ruleObject = new Acl(); $ruleObject->setPrio($i); $ruleObject->setTargetType($targetType); $ruleObject->setTargetId($targetId); $ruleObject->setTargetId($targetId); $ruleObject->setObject(Objects::normalizeObjectKey(@$rule['object'])); $ruleObject->setSub(filter_var(@$rule['sub'], FILTER_VALIDATE_BOOLEAN)); $ruleObject->setAccess(filter_var(@$rule['access'], FILTER_VALIDATE_BOOLEAN)); $ruleObject->setFields(@$rule['fields']); $ruleObject->setConstraintType(@$rule['constraintType']); $ruleObject->setConstraintCode(@$rule['constraintCode']); $ruleObject->setMode(@$rule['mode'] + 0); $ruleObject->save(); $i++; } } } $this->cacher->invalidateCache('core/acl'); return true; }
public function setObject($mode, $objectKey, $constraintType, $constraintCode, $withSub = false, $targetType, $targetId, $access, $fields = null) { $objectKey = Objects::normalizeObjectKey($objectKey); $acl = new AclObject(); $acl->setMode($mode); $acl->setTargetType($targetType); $acl->setTargetId($targetId); $acl->setSub($withSub); $acl->setAccess($access); if ($fields) { $acl->setFields(json_encode($fields)); } $acl->setObject($objectKey); $acl->setConstraintCode(is_array($constraintCode) ? json_encode($constraintCode) : $constraintCode); $acl->setConstraintType($constraintType); $query = new \Jarves\Model\AclQuery(); $query->select('Prio'); $query->filterByObject($objectKey); $query->filterByMode($mode); $query->orderByPrio(Criteria::DESC); $highestPrio = (int) $query->findOne(); $acl->setPrio($highestPrio + 1); $this->cache[$objectKey . '_' . $mode] = null; $acl->save(); return $acl; }
public function testNestedSubPermission() { $this->getACL()->setCaching(false); $this->getACL()->removeObjectRules('jarves/node'); $tokenStorage = $this->getTokenStorage(); $token = new UsernamePasswordToken(UserQuery::create()->findOneByUsername('test'), null, "main"); $tokenStorage->setToken($token); $user = $this->getPageStack()->getUser(); $this->assertEquals('test', $user->getUsername()); $domain = DomainQuery::create()->findOne(); $root = NodeQuery::create()->findRoot($domain->getId()); $subNode = new Node(); $subNode->setTitle('TestNode tree'); $subNode->insertAsFirstChildOf($root); $subNode->save(); $subNode2 = new Node(); $subNode2->setTitle('TestNode sub'); $subNode2->insertAsFirstChildOf($subNode); $subNode2->save(); //make access for all $rule = new Acl(); $rule->setAccess(true); $rule->setObject('jarves/node'); $rule->setTargetType(\Jarves\ACL::TARGET_TYPE_USER); $rule->setTargetId($user->getId()); $rule->setMode(\Jarves\ACL::MODE_ALL); $rule->setConstraintType(\Jarves\ACL::CONSTRAINT_ALL); $rule->setPrio(2); $rule->save(); //revoke access for all children of `TestNode tree` $rule2 = new Acl(); $rule2->setAccess(false); $rule2->setObject('jarves/node'); $rule2->setTargetType(\Jarves\ACL::TARGET_TYPE_USER); $rule2->setTargetId($user->getId()); $rule2->setMode(\Jarves\ACL::MODE_ALL); $rule2->setConstraintType(\Jarves\ACL::CONSTRAINT_CONDITION); $rule2->setConstraintCode(json_encode(['title', '=', 'TestNode tree'])); $rule2->setPrio(3); $rule2->setSub(true); $rule2->save(); $this->getCacher()->invalidateCache('core'); $node1RequestListing = ACLRequest::create('jarves/node', $subNode->getId())->onlyListingMode(); $node2RequestListing = ACLRequest::create('jarves/node', $subNode2->getId())->onlyListingMode(); $this->assertFalse($this->getACL()->check($node1RequestListing)); $this->assertFalse($this->getACL()->check($node2RequestListing)); $items = $this->getObjects()->getBranch('jarves/node', $subNode->getId(), null, 1, null, ['permissionCheck' => true]); $this->assertNull($items, 'rule2 revokes the access to all elements'); $item = $this->getObjects()->get('jarves/node', $subNode2->getId(), ['permissionCheck' => true]); $this->assertNull($item); // Deactivate sub $rule2->setSub(false); $rule2->save(); $this->assertFalse($this->getACL()->check($node1RequestListing)); $this->assertTrue($this->getACL()->check($node2RequestListing)); $items = $this->getObjects()->getBranch('jarves/node', $subNode->getId(), null, 1, null, ['permissionCheck' => true]); $this->assertEquals('TestNode sub', $items[0]['title'], 'We got TestNode sub'); $item = $this->getObjects()->get('jarves/node', $subNode2->getId(), ['permissionCheck' => true]); $this->assertEquals('TestNode sub', $item['title'], 'We got TestNode sub'); // Activate access $rule2->setAccess(true); $rule2->save(); $this->assertTrue($this->getACL()->check($node1RequestListing)); $this->assertTrue($this->getACL()->check($node2RequestListing)); $items = $this->getObjects()->getBranch('jarves/node', $subNode->getId(), null, 1, null, ['permissionCheck' => true]); $this->assertEquals('TestNode sub', $items[0]['title'], 'We got TestNode sub'); $subNode->delete(); $subNode2->delete(); $rule->delete(); $rule2->delete(); $this->getACL()->setCaching(true); }