/**
* {@inheritdoc}
*/
protected function executeAction($context)
{
$aclClass = $this->manager->getRepository('OroSecurityBundle:AclClass')->findOneBy(['classType' => $context->data->getClassName()]);
$removeScopes = array_diff($context->old['security']['share_scopes'], $context->new['security']['share_scopes']);
if (!$aclClass || empty($removeScopes)) {
return;
}
$qb = $this->qbManager->getRemoveAceQueryBuilder($aclClass, $removeScopes);
$qb->getQuery()->execute();
$this->aclCache->clearCache();
}
/**
* @param AbstractRole $role
*/
protected function processPrivileges(AbstractRole $role)
{
$decodedPrivileges = json_decode($this->form->get('privileges')->getData(), true);
$formPrivileges = [];
foreach ($this->privilegeConfig as $fieldName => $config) {
$privilegesArray = $decodedPrivileges[$fieldName];
$privileges = [];
foreach ($privilegesArray as $privilege) {
$aclPrivilege = new AclPrivilege();
foreach ($privilege['permissions'] as $name => $permission) {
$aclPrivilege->addPermission(new AclPermission($permission['name'], $permission['accessLevel']));
}
$aclPrivilegeIdentity = new AclPrivilegeIdentity($privilege['identity']['id'], $privilege['identity']['name']);
$aclPrivilege->setIdentity($aclPrivilegeIdentity);
$privileges[] = $aclPrivilege;
}
if ($config['fix_values']) {
$this->fxPrivilegeValue($privileges, $config['default_value']);
}
$formPrivileges = array_merge($formPrivileges, $privileges);
}
array_walk($formPrivileges, function (AclPrivilege $privilege) {
$privilege->setGroup($this->getAclGroup());
});
$this->privilegeRepository->savePrivileges($this->aclManager->getSid($role), new ArrayCollection($formPrivileges));
$this->aclCache->clearCache();
}
/**
* Removes ACEs if share scope was removed from entity config
*
* @param PostFlushConfigEvent $event
*/
public function postFlushConfig(PostFlushConfigEvent $event)
{
$configManager = $event->getConfigManager();
foreach ($event->getModels() as $model) {
/** @var EntityConfigModel $model */
if ($model instanceof EntityConfigModel) {
$aclClass = $this->registry->getRepository('OroSecurityBundle:AclClass')->findOneBy(['classType' => $model->getClassName()]);
if (!$aclClass) {
continue;
}
$changeSet = $configManager->getConfigChangeSet($configManager->getProvider('security')->getConfig($model->getClassName()));
$removeScopes = [];
if ($changeSet) {
$removeScopes = array_diff($changeSet['share_scopes'][0], $changeSet['share_scopes'][1]);
}
if (empty($removeScopes)) {
continue;
}
$qb = $this->qbManager->getRemoveAceQueryBuilder($aclClass, $removeScopes);
$qb->getQuery()->execute();
$this->aclCache->clearCache();
}
}
}
/**
* @param object $object
*
* @return string
*
* @throws \Symfony\Component\Security\Acl\Exception\InvalidDomainObjectException
*/
public function getSharedWithName($object)
{
$oid = ObjectIdentity::fromDomainObject($object);
/** @var Acl $acl */
$acl = $this->aclCache->getFromCacheByIdentity($oid);
$name = '';
$objectAces = $acl->getObjectAces();
if ($acl && $objectAces) {
usort($objectAces, [$this, 'compareEntries']);
/** @var Entry $entry */
$entry = $objectAces[0];
$sid = $entry->getSecurityIdentity();
$name = $this->getFormattedName($sid);
}
return $name;
}
/**
* {@inheritdoc}
*/
public function findAcls(array $oids, array $sids = array())
{
$result = new \SplObjectStorage();
$currentBatch = array();
$oidLookup = array();
for ($i = 0, $c = count($oids); $i < $c; $i++) {
$oid = $oids[$i];
$oidLookupKey = $oid->getIdentifier() . $oid->getType();
$oidLookup[$oidLookupKey] = $oid;
$aclFound = false;
// check if result already contains an ACL
if ($result->contains($oid)) {
$aclFound = true;
}
// check if this ACL has already been hydrated
if (!$aclFound && isset($this->loadedAcls[$oid->getType()][$oid->getIdentifier()])) {
$acl = $this->loadedAcls[$oid->getType()][$oid->getIdentifier()];
if (!$acl->isSidLoaded($sids)) {
// FIXME: we need to load ACEs for the missing SIDs. This is never
// reached by the default implementation, since we do not
// filter by SID
throw new \RuntimeException('This is not supported by the default implementation.');
} else {
$result->attach($oid, $acl);
$aclFound = true;
}
}
// check if we can locate the ACL in the cache
if (!$aclFound && null !== $this->cache) {
$acl = $this->cache->getFromCacheByIdentity($oid);
if (null !== $acl) {
if ($acl->isSidLoaded($sids)) {
// check if any of the parents has been loaded since we need to
// ensure that there is only ever one ACL per object identity
$parentAcl = $acl->getParentAcl();
while (null !== $parentAcl) {
$parentOid = $parentAcl->getObjectIdentity();
if (isset($this->loadedAcls[$parentOid->getType()][$parentOid->getIdentifier()])) {
$acl->setParentAcl($this->loadedAcls[$parentOid->getType()][$parentOid->getIdentifier()]);
break;
} else {
$this->loadedAcls[$parentOid->getType()][$parentOid->getIdentifier()] = $parentAcl;
$this->updateAceIdentityMap($parentAcl);
}
$parentAcl = $parentAcl->getParentAcl();
}
$this->loadedAcls[$oid->getType()][$oid->getIdentifier()] = $acl;
$this->updateAceIdentityMap($acl);
$result->attach($oid, $acl);
$aclFound = true;
} else {
$this->cache->evictFromCacheByIdentity($oid);
foreach ($this->findChildren($oid) as $childOid) {
$this->cache->evictFromCacheByIdentity($childOid);
}
}
}
}
// looks like we have to load the ACL from the database
if (!$aclFound) {
$currentBatch[] = $oid;
}
// Is it time to load the current batch?
$currentBatchesCount = count($currentBatch);
if ($currentBatchesCount > 0 && (self::MAX_BATCH_SIZE === $currentBatchesCount || $i + 1 === $c)) {
try {
$loadedBatch = $this->lookupObjectIdentities($currentBatch, $sids, $oidLookup);
} catch (AclNotFoundException $aclNotFoundException) {
if ($result->count()) {
$partialResultException = new NotAllAclsFoundException('The provider could not find ACLs for all object identities.');
$partialResultException->setPartialResult($result);
throw $partialResultException;
} else {
throw $aclNotFoundException;
}
}
foreach ($loadedBatch as $loadedOid) {
$loadedAcl = $loadedBatch->offsetGet($loadedOid);
if (null !== $this->cache) {
$this->cache->putInCache($loadedAcl);
}
if (isset($oidLookup[$loadedOid->getIdentifier() . $loadedOid->getType()])) {
$result->attach($loadedOid, $loadedAcl);
}
}
$currentBatch = array();
}
}
// check that we got ACLs for all the identities
foreach ($oids as $oid) {
if (!$result->contains($oid)) {
if (1 === count($oids)) {
$objectName = method_exists($oid, '__toString') ? $oid : get_class($oid);
throw new AclNotFoundException(sprintf('No ACL found for %s.', $objectName));
}
$partialResultException = new NotAllAclsFoundException('The provider could not find ACLs for all object identities.');
$partialResultException->setPartialResult($result);
throw $partialResultException;
}
}
return $result;
}
