/**
 * Hands the identifier of the current account to the event emitting service,
 * so that emitted events can be attributed to that account.
 *
 * Nothing is set when the security context cannot be initialized or when it
 * holds no account.
 *
 * NOTE(review): on those two paths the identifier on the event emitting service
 * is left untouched - confirm that events recorded without an account are
 * attributed the way the audit trail expects.
 *
 * @return void
 */
protected function initializeAccountIdentifier()
{
    // Do not force the security context into existence.
    if (!$this->securityContext->canBeInitialized()) {
        return;
    }

    $currentAccount = $this->securityContext->getAccount();
    if ($currentAccount === null) {
        return;
    }

    $this->eventEmittingService->setCurrentAccountIdentifier(
        $currentAccount->getAccountIdentifier()
    );
}
/**
 * Tells whether the current security context holds the given role.
 *
 * The literal identifier 'Neos.Flow:Everybody' is always reported as held,
 * without consulting the security context. Any other identifier is delegated
 * to the security context's hasRole(); how that call resolves inherited roles
 * is not visible here.
 *
 * The check fails closed: if the security context cannot be initialized, every
 * role other than 'Neos.Flow:Everybody' is reported as not held.
 *
 * @param string $roleIdentifier The string representation of the role to search for
 * @return bool The 'Neos.Flow:Everybody' shortcut or the security context's answer; false if the context cannot be initialized
 */
public function hasRole($roleIdentifier)
{
    if ($roleIdentifier === 'Neos.Flow:Everybody') {
        return true;
    }

    if (!$this->securityContext->canBeInitialized()) {
        return false;
    }

    return $this->securityContext->hasRole($roleIdentifier);
}
/**
 * Builds the SQL fragment that restricts a query on the target entity according
 * to the entity privileges of the roles in the current security context.
 *
 * Every matching privilege contributes its SQL constraint wrapped as
 * " NOT (<constraint>)". A wrapped constraint is dropped from the result only if
 * some role grants it and no role denies it; constraints that are denied, or
 * neither granted nor denied, stay in the filter. Constraints are compared by
 * their SQL string, so identical fragments coming from different roles count as
 * the same constraint.
 *
 * An empty string (no filtering at all) is returned when authorization checks
 * are disabled, when the target entity is the Account class, when the security
 * context is neither initialized nor initializable, or when no constraint
 * remains.
 *
 * @param ClassMetadata $targetEntity Metadata object for the target entity to be filtered
 * @param string $targetTableAlias The target table alias used in the current query
 * @return string The constraint SQL if any applies, empty string otherwise
 */
public function addFilterConstraint(ClassMetadata $targetEntity, $targetTableAlias)
{
    $this->initializeDependencies();

    /*
     * TODO: Instead of checking for the Account class, an interface could be introduced to exempt entities
     * from entity security checks. The problem with checking the Account is that this filter calls getRoles()
     * on the security context while accounts are not yet fully initialized. That yields a half-built account
     * object that ends in an access denied exception, because it has no roles (and other properties) set.
     */
    $checksDisabled = $this->securityContext->areAuthorizationChecksDisabled();
    if ($checksDisabled || $targetEntity->getName() === Account::class) {
        return '';
    }

    // Without a usable security context there are no roles to evaluate, so the
    // query is left unfiltered.
    $contextReady = $this->securityContext->isInitialized();
    if (!$contextReady && !$this->securityContext->canBeInitialized()) {
        return '';
    }
    if (!$contextReady) {
        $this->securityContext->initialize();
    }

    // The context hash becomes part of the query cache identifier, so that the
    // current set of roles is reflected in it.
    $this->setParameter('__contextHash', $this->securityContext->getContextHash(), 'string');

    $allExclusions = [];
    $grantedExclusions = [];
    $deniedExclusions = [];

    foreach ($this->securityContext->getRoles() as $role) {
        /** @var EntityPrivilegeInterface $entityPrivilege */
        foreach ($role->getPrivilegesByType(EntityPrivilegeInterface::class) as $entityPrivilege) {
            if (!$entityPrivilege->matchesEntityType($targetEntity->getName())) {
                continue;
            }

            // NOTE(review): the fragment is concatenated into the query verbatim and
            // nothing is escaped in this method - confirm getSqlConstraint() never
            // embeds unescaped request data.
            $constraintSql = $entityPrivilege->getSqlConstraint($targetEntity, $targetTableAlias);
            if ($constraintSql === null) {
                continue;
            }

            $exclusion = ' NOT (' . $constraintSql . ')';
            $allExclusions[] = $exclusion;

            if ($entityPrivilege->isGranted()) {
                $grantedExclusions[] = $exclusion;
            } elseif ($entityPrivilege->isDenied()) {
                $deniedExclusions[] = $exclusion;
            }
        }
    }

    // A deny from any role overrides a grant for the same constraint.
    $liftedExclusions = array_diff($grantedExclusions, $deniedExclusions);
    // Whatever is not lifted by a grant stays in force.
    $remainingExclusions = array_diff($allExclusions, $liftedExclusions);

    if (count($remainingExclusions) === 0) {
        return '';
    }

    return ' (' . implode(') AND (', $remainingExclusions) . ') ';
}
/**
 * Tells if this node may be accessed according to the current security context.
 *
 * A node without access restrictions is always accessible. A restricted node is
 * accessible as soon as the security context reports one of the node's access
 * roles as held.
 *
 * NOTE(review): when the security context cannot be initialized, a restricted
 * node is reported as accessible (fail-open). Confirm that every caller reaching
 * this path without a security context is trusted to see restricted nodes.
 *
 * @return bool
 */
public function isAccessible()
{
    // Unrestricted nodes, and any node when no security context is available,
    // are treated as accessible.
    if ($this->hasAccessRestrictions() === false || $this->securityContext->canBeInitialized() === false) {
        return true;
    }

    // Holding any single one of the access roles is sufficient.
    foreach ($this->accessRoles as $requiredRole) {
        if ($this->securityContext->hasRole($requiredRole)) {
            return true;
        }
    }

    return false;
}
/**
 * Returns the user belonging to the account held by the security context, if any.
 *
 * Null is returned when the security context cannot be initialized or holds no
 * account; callers must treat null as "nobody is logged in" and not dereference
 * the result unchecked.
 *
 * NOTE(review): the user is looked up by account identifier alone. If account
 * identifiers are not unique across authentication providers, confirm that
 * getUser() resolves the same account that is actually authenticated.
 *
 * @return User|null The currently logged in user, or null
 * @api
 */
public function getCurrentUser()
{
    if ($this->securityContext->canBeInitialized() !== true) {
        return null;
    }

    $authenticatedAccount = $this->securityContext->getAccount();
    if ($authenticatedAccount === null) {
        return null;
    }

    return $this->getUser($authenticatedAccount->getAccountIdentifier());
}