/**
 * Decides whether the role's organization is the parent of the organization
 * that owns the resource.
 *
 * Zend_Acl hands over the ACL, role, resource and privilege of the
 * authorization query. A null $role or $resource stands for "all roles" or
 * "all resources"; this assertion needs concrete objects and denies otherwise.
 *
 * Security notes for reviewers:
 *  - PreBillModel resources are allowed for every UserModel role, with no
 *    organization comparison (see the TODO in the body).
 *  - ReportModel resources without a non-empty 'orgId' parameter are allowed
 *    for every UserModel role.
 *
 * @param Zend_Acl $acl
 * @param Zend_Acl_Role_Interface $role
 * @param Zend_Acl_Resource_Interface $resource
 * @param string|null $privilege not read by this assertion
 * @return bool
 * @throws Exception when the role is not a UserModel or the resource type is not handled
 */
public function assert(Zend_Acl $acl, Zend_Acl_Role_Interface $role = null, Zend_Acl_Resource_Interface $resource = null, $privilege = null)
{
    // Without a concrete role and resource there is nothing to compare: deny.
    if (null === $role || null === $resource) {
        return false;
    }

    // Only user roles carry an organization id.
    if (!$role instanceof UserModel) {
        throw new Exception('Role must be an instance of UserModel');
    }

    $roleOrgId = $role->getOrganizationId();

    // The type checks below are evaluated in this order; the first match decides.
    if ($resource instanceof OrgModelAbstract) {
        return $roleOrgId === $resource->getParentId();
    }

    if ($resource instanceof Model\PreBillModel) {
        // TODO: we need serviceProviderId from ericsson. Until then no ownership
        // check is made here; the intended comparison is
        //   $orgId === $resource->getServiceProvider()->getId()
        // NOTE(review): every authenticated user role passes for pre-bills.
        return true;
    }

    if ($resource instanceof UserModel) {
        try {
            $userOrg = $resource->getOrganization();
            if (null === $userOrg) {
                $message = "User (" . $resource->getId() . ") organization ("
                    . $resource->getOrganizationId() . ") doesn't exist";
                App::log()->err($message);

                return false;
            }

            return $roleOrgId === $userOrg->getParentId();
        } catch (Exception $lookupFailure) {
            // Any failure while resolving the organization denies access.
            return false;
        }
    }

    if ($resource instanceof Model\CommercialGroupModel) {
        // customerId is one of service provider customers?
        // TODO aggregatorId case?
        $customerOrg = OrgService::getInstance()->load($resource->getCustomerId());

        return $customerOrg && $roleOrgId === $customerOrg->getParentId();
    }

    if ($resource instanceof Model\ReportModel) {
        $reportParams = $resource->getParams();

        // A report that is not scoped to an organization is allowed as-is.
        if (empty($reportParams['orgId'])) {
            return true;
        }

        $reportOrg = OrgService::getInstance()->load($reportParams['orgId']);

        return $reportOrg && $roleOrgId === $reportOrg->getParentId();
    }

    throw new Exception('Resource must be an instance of OrgModelAbstract or UserModel');
}
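/**
 * Decides whether the resource is the role itself or is owned by it.
 *
 * Zend_Acl hands over the ACL, role, resource and privilege of the
 * authorization query. A null $role or $resource stands for "all roles" or
 * "all resources"; this assertion needs concrete objects and denies otherwise.
 *
 * Handled resources:
 *  - WatcherModel: the watcher's owner must equal the role's id, or the
 *    role's apiId when the role is an API-authenticated CurrentUserModel.
 *  - UserConfigModel: its userId must equal the role's id.
 *  - UserModel: its id must equal the role's id.
 *
 * @param Zend_Acl $acl
 * @param Zend_Acl_Role_Interface $role
 * @param Zend_Acl_Resource_Interface $resource
 * @param string|null $privilege not read by this assertion
 * @return bool
 * @throws Exception when the role is not a UserModel or the resource type is not handled
 */
public function assert(Zend_Acl $acl, Zend_Acl_Role_Interface $role = null, Zend_Acl_Resource_Interface $resource = null, $privilege = null)
{
    // Without a concrete role and resource there is nothing to compare: deny.
    if (null === $role || null === $resource) {
        return false;
    }

    // Only user roles can own the resources handled here.
    if (!$role instanceof UserModel) {
        throw new Exception('Role must be an instance of UserModel');
    }

    if ($resource instanceof WatcherModel) {
        if ($role instanceof \Application\Model\CurrentUserModel && $role->isApiAuthUser()) {
            $apiId = $role->apiId;
            $owner = $resource->owner;

            // The original used a loose `==` here, so type juggling could make
            // two different identifiers compare equal (null against '', or
            // numeric strings such as '1e3' against '1000'). An ownership
            // check has to fail closed: reject missing or non-identifier
            // values, then compare the textual form strictly.
            // NOTE(review): assumes apiId and owner are ints or strings; confirm.
            if ((!is_int($apiId) && !is_string($apiId)) || (!is_int($owner) && !is_string($owner))) {
                return false;
            }
            if ('' === $apiId || '' === $owner) {
                return false;
            }

            return (string) $apiId === (string) $owner;
        }

        return $role->id === $resource->owner;
    }

    if ($resource instanceof UserConfigModel) {
        return $role->id === $resource->userId;
    }

    if (!$resource instanceof UserModel) {
        throw new Exception('Resource must be an instance of UserModel');
    }

    return $role->getId() === $resource->getId();
}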
/**
 * Decides whether the resource belongs to the role's own organization.
 *
 * Zend_Acl hands over the ACL, role, resource and privilege of the
 * authorization query. A null $role or $resource stands for "all roles" or
 * "all resources"; this assertion needs concrete objects and denies otherwise.
 *
 * Security notes for reviewers:
 *  - For tariff plan, restriction and service pack resources, a role whose
 *    organization type is the customer type is allowed without comparing any
 *    id on the resource (see the comment in the body).
 *  - ReportModel resources without a non-empty 'orgId' parameter are allowed
 *    for every UserModel role.
 *
 * @param Zend_Acl $acl
 * @param Zend_Acl_Role_Interface $role
 * @param Zend_Acl_Resource_Interface $resource
 * @param string|null $privilege not read by this assertion
 * @return bool
 * @throws Exception when the role is not a UserModel or the resource type is not handled
 */
public function assert(Zend_Acl $acl, Zend_Acl_Role_Interface $role = null, Zend_Acl_Resource_Interface $resource = null, $privilege = null)
{
    // Without a concrete role and resource there is nothing to compare: deny.
    if (null === $role || null === $resource) {
        return false;
    }

    // Only user roles carry an organization id.
    if (!$role instanceof UserModel) {
        throw new Exception('Role must be an instance of UserModel');
    }

    $roleOrgId = $role->getOrganizationId();

    // The type checks below are evaluated in this order; the first match decides.
    if ($resource instanceof OrgModelAbstract) {
        return $roleOrgId === $resource->getId();
    }

    if ($resource instanceof UserModel || $resource instanceof TemplateModel) {
        return $roleOrgId === $resource->getOrganizationId();
    }

    if ($resource instanceof Async\Model\AsyncResponse) {
        // The response may carry either the raw or the cleaned organization id.
        $cleanedOrgId = \Application\Model\Mapper\OrganizationMapper::cleanOrgId($roleOrgId);

        return $roleOrgId === $resource->getOrganizationId()
            || $cleanedOrgId === $resource->getOrganizationId();
    }

    if ($resource instanceof Model\TariffPlanLifeCycleModel
        || $resource instanceof Model\TariffPlanServicesModel
        || $resource instanceof Model\RestrictionModel
        || $resource instanceof Model\ServicePackModel
    ) {
        $roleOrgType = Model\Mapper\OrganizationMapper::getTypeByOrgId($roleOrgId);

        switch ($roleOrgType) {
            case Model\Organization\OrgServiceProviderModel::ORG_TYPE:
                return $roleOrgId === $resource->getServiceProviderId();

            case Model\Organization\OrgCustomerModel::ORG_TYPE:
                /*
                 * There is no way to know if only one ServicePack is assigned to a customer,
                 * only retrieving all servicePacks assigned. It is too much slow. In Ericsson we trust.
                 *
                 * (An earlier approach listed every service pack and looked for the
                 * resource's id among them; it was dropped for that reason.)
                 * NOTE(review): no ownership comparison is made here for customer
                 * organizations; confirm that the backend enforces it.
                 */
                return true;

            default:
                return false;
        }
    }

    if ($resource instanceof Model\SupplServicesModel) {
        return $roleOrgId === $resource->getServiceProviderId()
            || $roleOrgId === $resource->getCustomerId();
    }

    if ($resource instanceof Model\CommercialGroupModel
        || $resource instanceof Model\SupervisionGroupModel
    ) {
        return $roleOrgId === $resource->getCustomerId();
    }

    if ($resource instanceof SimModel) {
        /** @var $resource \Application\Model\SimModel */
        // Any organization in the SIM's ownership chain may access it.
        return $roleOrgId === $resource->getMasterId()
            || $roleOrgId === $resource->getServiceProviderCommercialId()
            || $roleOrgId === $resource->getServiceProviderEnablerId()
            || $roleOrgId === $resource->getAggregatorId()
            || $roleOrgId === $resource->getCustomerId()
            || $roleOrgId === $resource->getEndUserId();
    }

    if ($resource instanceof Model\ReportModel) {
        $reportParams = $resource->getParams();

        // A report that is not scoped to an organization is allowed as-is.
        if (empty($reportParams['orgId'])) {
            return true;
        }

        return $roleOrgId === $reportParams['orgId'];
    }

    throw new Exception('Resource must be an instance of OrgModelAbstract, UserModel or SimModel');
}