/**
 * Grants the manager role its calendar permissions.
 *
 * Two ACEs are written for the SID resolved from the 'manager_role' reference:
 * system-level VIEW on CalendarConnection (viewing other users' calendars within
 * the same business unit) and system-level VIEW/CREATE/EDIT/DELETE on
 * CalendarEvent (managing own calendar events). Both masks are built at the
 * SYSTEM access level, i.e. the widest scope the mask builder offers.
 *
 * @param AclManager $manager
 */
protected function updateManagerRole(AclManager $manager)
{
    $managerSid = $manager->getSid($this->getReference('manager_role'));

    $grants = [
        // view other users' calendars within the same business unit
        'entity:Oro\\Bundle\\CalendarBundle\\Entity\\CalendarConnection' => ['VIEW_SYSTEM'],
        // manage own calendar events
        'entity:Oro\\Bundle\\CalendarBundle\\Entity\\CalendarEvent' => [
            'VIEW_SYSTEM',
            'CREATE_SYSTEM',
            'EDIT_SYSTEM',
            'DELETE_SYSTEM',
        ],
    ];

    foreach ($grants as $oidDescriptor => $permissions) {
        $oid = $manager->getOid($oidDescriptor);
        $builder = $manager->getMaskBuilder($oid);
        foreach ($permissions as $permission) {
            $builder = $builder->add($permission);
        }
        $manager->setPermission($managerSid, $oid, $builder->get());
    }
}
/**
 * Loads the ACL entries for a single role.
 *
 * The anonymous role is skipped and receives no ACEs here. Every other role
 * is granted, on each extension's root OID, the widest mask the extension's
 * mask builders define: GROUP_SYSTEM when present, otherwise GROUP_ALL. The
 * ACE is written as granting (last argument true).
 *
 * @param Role $role
 */
protected function loadAcls(Role $role)
{
    if ($role->getRole() === User::ROLE_ANONYMOUS) {
        return;
    }

    $aclManager = $this->aclManager;
    $roleSid = $aclManager->getSid($role);

    foreach ($aclManager->getAllExtensions() as $extension) {
        $rootOid = $aclManager->getRootOid($extension->getExtensionKey());

        foreach ($extension->getAllMaskBuilders() as $builder) {
            // prefer the SYSTEM group; fall back to GROUP_ALL for builders without it
            $widestGroup = $builder->hasConst('GROUP_SYSTEM') ? 'GROUP_SYSTEM' : 'GROUP_ALL';
            $aclManager->setPermission($roleSid, $rootOid, $builder->getConst($widestGroup), true);
        }
    }
}
/**
 * Grants system-level VIEW, CREATE and EDIT on the Email entity.
 *
 * Note that, despite the method name, the SID written here is resolved from
 * LoadRolesData::ROLE_ADMINISTRATOR rather than the plain user role.
 *
 * @param AclManager $manager
 */
protected function updateUserRole(AclManager $manager)
{
    $adminSid = $manager->getSid($this->getRole(LoadRolesData::ROLE_ADMINISTRATOR));
    $emailOid = $manager->getOid('entity:Oro\\Bundle\\EmailBundle\\Entity\\Email');

    $builder = $manager->getMaskBuilder($emailOid);
    foreach (['VIEW_SYSTEM', 'CREATE_SYSTEM', 'EDIT_SYSTEM'] as $permission) {
        $builder = $builder->add($permission);
    }

    $manager->setPermission($adminSid, $emailOid, $builder->get());
}
/**
 * Reconciles one existing ACE against the requested masks and the root masks.
 *
 * The outcome depends on which of the two similar-mask lookups succeed:
 *  - neither found: the existing ACE is left untouched;
 *  - only a requested mask found: the ACE is overwritten with it;
 *  - only a root mask found: the ACE is deleted when it merely repeats the
 *    root permissions (root mask adapted to $oid), otherwise kept;
 *  - both found: the ACE is deleted when the requested mask equals the adapted
 *    root mask, otherwise overwritten with the requested mask.
 *
 * @param SID                   $sid
 * @param OID                   $oid
 * @param int                   $existingMask
 * @param int[]                 $masks
 * @param int[]                 $rootMasks
 * @param AclExtensionInterface $extension
 * @return bool|int The matching requested mask, or false when none matched
 */
protected function updateExistingPermissions(
    SID $sid,
    OID $oid,
    $existingMask,
    $masks,
    $rootMasks,
    AclExtensionInterface $extension
) {
    $requestedMask = $this->findSimilarMask($masks, $existingMask, $extension);
    $rootMask = $this->findSimilarMask($rootMasks, $existingMask, $extension);

    if ($rootMask === false) {
        // no root counterpart: overwrite with the requested mask if there is one, else keep the ACE
        if ($requestedMask !== false) {
            $this->manager->setPermission($sid, $oid, $requestedMask);
        }

        return $requestedMask;
    }

    $rootEquivalent = $extension->adaptRootMask($rootMask, $oid);

    if ($requestedMask === false) {
        // only the root mask matched: an ACE that duplicates the root permissions is redundant
        if ($existingMask === $rootEquivalent) {
            $this->manager->deletePermission($sid, $oid, $existingMask);
        }

        return $requestedMask;
    }

    if ($requestedMask === $rootEquivalent) {
        // the requested permissions are already provided by the root ACE
        $this->manager->deletePermission($sid, $oid, $existingMask);
    } else {
        $this->manager->setPermission($sid, $oid, $requestedMask);
    }

    return $requestedMask;
}
/**
 * Grants the manager role system-level VIEW/CREATE/EDIT/DELETE on CalendarEvent
 * so it can manage its own calendar events.
 *
 * @param AclManager $manager
 */
protected function updateManagerRole(AclManager $manager)
{
    $managerSid = $manager->getSid($this->getRole(LoadRolesData::ROLE_MANAGER));
    $eventOid = $manager->getOid('entity:Oro\\Bundle\\CalendarBundle\\Entity\\CalendarEvent');

    $builder = $manager->getMaskBuilder($eventOid);
    foreach (['VIEW_SYSTEM', 'CREATE_SYSTEM', 'EDIT_SYSTEM', 'DELETE_SYSTEM'] as $permission) {
        $builder = $builder->add($permission);
    }

    $manager->setPermission($managerSid, $eventOid, $builder->get());
}
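/**
 * Grants basic-level VIEW, CREATE and EDIT on EmailUser to the sales and
 * marketing roles.
 *
 * The OID and the mask do not depend on the role, so they are resolved once
 * before the loop instead of once per role; only the SID changes per
 * iteration.
 *
 * @param AclManager $manager
 */
protected function updateUserRole(AclManager $manager)
{
    $roles = ['ROLE_ONLINE_SALES_REP', 'ROLE_MARKETING_MANAGER', 'ROLE_LEADS_DEVELOPMENT_REP'];

    // loop-invariant: same entity and same BASIC-level mask for every role
    $oid = $manager->getOid('entity:Oro\\Bundle\\EmailBundle\\Entity\\EmailUser');
    $mask = $manager->getMaskBuilder($oid)
        ->add('VIEW_BASIC')
        ->add('CREATE_BASIC')
        ->add('EDIT_BASIC')
        ->get();

    foreach ($roles as $roleName) {
        $sid = $manager->getSid($this->getRole($roleName));
        $manager->setPermission($sid, $oid, $mask);
    }
}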
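/**
 * Grants basic-level VIEW, CREATE and EDIT on EmailUser to the user and
 * manager roles.
 *
 * The OID and the mask do not depend on the role, so they are resolved once
 * before the loop instead of once per role; only the SID changes per
 * iteration.
 *
 * @param AclManager $manager
 */
protected function updateUserRole(AclManager $manager)
{
    $roles = [LoadRolesData::ROLE_USER, LoadRolesData::ROLE_MANAGER];

    // loop-invariant: same entity and same BASIC-level mask for every role
    $oid = $manager->getOid('entity:Oro\\Bundle\\EmailBundle\\Entity\\EmailUser');
    $mask = $manager->getMaskBuilder($oid)
        ->add('VIEW_BASIC')
        ->add('CREATE_BASIC')
        ->add('EDIT_BASIC')
        ->get();

    foreach ($roles as $roleName) {
        $sid = $manager->getSid($this->getRole($roleName));
        $manager->setPermission($sid, $oid, $mask);
    }
}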
/**
 * When no ACL exists for an entity-class OID, setPermission() still validates
 * the mask against the extension but never reaches the ACE provider.
 */
public function testSetPermissionForEntityClassNoAcl()
{
    $securityIdentity = $this->getMock('Symfony\\Component\\Security\\Acl\\Model\\SecurityIdentityInterface');
    $objectIdentity = new ObjectIdentity('entity', 'Acme\\Test');
    $requestedMask = 123;

    // the ACL lookup for this OID fails
    $this->aclProvider->expects($this->once())
        ->method('findAcl')
        ->with($this->identicalTo($objectIdentity))
        ->will($this->throwException(new AclNotFoundException()));

    // the mask is validated regardless ...
    $this->extension->expects($this->once())
        ->method('validateMask')
        ->with($this->equalTo($requestedMask), $this->identicalTo($objectIdentity));

    // ... but no ACE is written
    $this->aceProvider->expects($this->never())
        ->method('setPermission');

    $this->manager->setPermission($securityIdentity, $objectIdentity, $requestedMask, true, 'any');
}
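/**
 * Grants the buyer role basic-level VIEW/CREATE/EDIT/DELETE on the shopping
 * list entity, resolved under frontend ownership metadata.
 *
 * Nothing is written when ACL support is disabled. Provider emulation is
 * started before the OID and mask are built and is always stopped in a
 * finally block, so an exception thrown by the ACL manager cannot leave the
 * chain metadata provider emulating the frontend alias for later callers.
 *
 * @param ObjectManager $manager
 * @param AclManager    $aclManager
 */
protected function setBuyerShoppingListPermissions(ObjectManager $manager, AclManager $aclManager)
{
    $chainMetadataProvider = $this->container->get('oro_security.owner.metadata_provider.chain');
    $allowedAcls = ['VIEW_BASIC', 'CREATE_BASIC', 'EDIT_BASIC', 'DELETE_BASIC'];
    $role = $this->getBuyerRole($manager);

    if (!$aclManager->isAclEnabled()) {
        return;
    }

    $sid = $aclManager->getSid($role);
    $className = $this->container->getParameter('orob2b_shopping_list.entity.shopping_list.class');

    foreach ($aclManager->getAllExtensions() as $extension) {
        // only the entity extension is relevant for an entity-class OID
        if (!$extension instanceof EntityAclExtension) {
            continue;
        }

        $chainMetadataProvider->startProviderEmulation(FrontendOwnershipMetadataProvider::ALIAS);
        try {
            $oid = $aclManager->getOid('entity:' . $className);
            $builder = $aclManager->getMaskBuilder($oid);
            $builder->reset();
            foreach ($allowedAcls as $acl) {
                $builder->add($acl);
            }
            $aclManager->setPermission($sid, $oid, $builder->get());
        } finally {
            // restore the regular ownership metadata provider even on failure
            $chainMetadataProvider->stopProviderEmulation();
        }
    }
}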
/**
 * Loads the ACL entries for the plain user role.
 *
 * One granting ACE per mask builder is written on each extension's root OID.
 * Builders that expose GROUP_BASIC get MASK_VIEW_SYSTEM when they define it
 * (only the SYSTEM level is wired up so far), otherwise GROUP_BASIC; builders
 * without GROUP_BASIC get GROUP_NONE.
 *
 * @param AclManager $manager
 */
protected function loadUserRole(AclManager $manager)
{
    $userSid = $manager->getSid($this->getRole(LoadRolesData::ROLE_USER));

    foreach ($manager->getAllExtensions() as $extension) {
        $rootOid = $manager->getRootOid($extension->getExtensionKey());

        foreach ($extension->getAllMaskBuilders() as $builder) {
            if (!$builder->hasConst('GROUP_BASIC')) {
                $maskName = 'GROUP_NONE';
            } elseif ($builder->hasConst('MASK_VIEW_SYSTEM')) {
                // @todo only the SYSTEM level is supported for now; the BASIC-level
                // CREATE/EDIT/DELETE/ASSIGN/SHARE masks are intentionally not OR-ed in yet
                $maskName = 'MASK_VIEW_SYSTEM';
            } else {
                $maskName = 'GROUP_BASIC';
            }

            $manager->setPermission($userSid, $rootOid, $builder->getConst($maskName), true);
        }
    }
}
/**
 * Loads the ACL entries for a single role.
 *
 * On each extension's root OID the role is granted the widest mask the
 * extension's mask builders define: GROUP_SYSTEM when present, otherwise
 * GROUP_ALL. The ACE is written as granting (last argument true).
 *
 * @param AclManager $manager
 * @param Role       $role
 *
 * @see Oro\Bundle\SecurityBundle\DataFixtures\ORM\LoadAclRoles
 */
protected function loadAcls(AclManager $manager, Role $role)
{
    $roleSid = $manager->getSid($role);

    foreach ($manager->getAllExtensions() as $extension) {
        $rootOid = $manager->getRootOid($extension->getExtensionKey());

        foreach ($extension->getAllMaskBuilders() as $builder) {
            // prefer the SYSTEM group; fall back to GROUP_ALL for builders without it
            $widestGroup = $builder->hasConst('GROUP_SYSTEM') ? 'GROUP_SYSTEM' : 'GROUP_ALL';
            $manager->setPermission($roleSid, $rootOid, $builder->getConst($widestGroup), true);
        }
    }
}
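/**
 * Grants an account user role the given permissions on an entity class,
 * resolved under frontend ownership metadata.
 *
 * Nothing is written when ACL support is disabled. Provider emulation is
 * started before the OID and mask are built and is always stopped in a
 * finally block, so an exception thrown by the ACL manager cannot leave the
 * chain metadata provider emulating the frontend alias for later callers.
 *
 * @param AclManager      $aclManager
 * @param AccountUserRole $role
 * @param string          $className   Fully qualified entity class name
 * @param string[]        $allowedAcls Mask builder permission names, e.g. 'VIEW_BASIC'
 */
protected function setRolePermissions(AclManager $aclManager, AccountUserRole $role, $className, array $allowedAcls)
{
    /* @var $chainMetadataProvider ChainMetadataProvider */
    $chainMetadataProvider = $this->container->get('oro_security.owner.metadata_provider.chain');

    if (!$aclManager->isAclEnabled()) {
        return;
    }

    $sid = $aclManager->getSid($role);

    foreach ($aclManager->getAllExtensions() as $extension) {
        // only the entity extension is relevant for an entity-class OID
        if (!$extension instanceof EntityAclExtension) {
            continue;
        }

        $chainMetadataProvider->startProviderEmulation(FrontendOwnershipMetadataProvider::ALIAS);
        try {
            $oid = $aclManager->getOid('entity:' . $className);
            $builder = $aclManager->getMaskBuilder($oid);
            $builder->reset();
            foreach ($allowedAcls as $acl) {
                $builder->add($acl);
            }
            $aclManager->setPermission($sid, $oid, $builder->get());
        } finally {
            // restore the regular ownership metadata provider even on failure
            $chainMetadataProvider->stopProviderEmulation();
        }
    }
}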
/**
 * Grants a security identity the widest mask of every extension on its root OID.
 *
 * For each mask builder GROUP_SYSTEM is used when defined, otherwise
 * GROUP_ALL; the ACE is written as granting (last argument true).
 *
 * @param AclManager                $aclManager
 * @param SecurityIdentityInterface $sid
 */
protected function setPermissionGroup(AclManager $aclManager, SecurityIdentityInterface $sid)
{
    foreach ($aclManager->getAllExtensions() as $extension) {
        $rootOid = $aclManager->getRootOid($extension->getExtensionKey());

        foreach ($extension->getAllMaskBuilders() as $builder) {
            // prefer the SYSTEM group; fall back to GROUP_ALL for builders without it
            $widestGroup = $builder->hasConst('GROUP_SYSTEM') ? 'GROUP_SYSTEM' : 'GROUP_ALL';
            $aclManager->setPermission($sid, $rootOid, $builder->getConst($widestGroup), true);
        }
    }
}
/**
 * Grants a security identity the named mask group on one extension's root OID.
 *
 * Only the first mask builder of the extension that defines $group is used;
 * if none does, nothing is written.
 *
 * @param AclManager                $aclManager
 * @param AclExtensionInterface     $extension
 * @param SecurityIdentityInterface $sid
 * @param string                    $group Mask builder group constant name, e.g. 'GROUP_SYSTEM'
 */
protected function setPermissionGroup(
    AclManager $aclManager,
    AclExtensionInterface $extension,
    SecurityIdentityInterface $sid,
    $group
) {
    $rootOid = $aclManager->getRootOid($extension->getExtensionKey());

    foreach ($extension->getAllMaskBuilders() as $builder) {
        if (!$builder->hasConst($group)) {
            continue;
        }

        // first builder that knows the group wins
        $aclManager->setPermission($sid, $rootOid, $builder->getConst($group), true);

        return;
    }
}