示例#1
0
 /**
  * Gets permissions of the given user
  *
  * @param User          $user
  * @param Criteria|null $filters
  *
  * @return array
  */
 public function getUserPermissions(User $user, Criteria $filters = null)
 {
     $entityAclExtension = $this->aclSelector->select($user);
     $resources = array_map(function (AclClassInfo $class) use($entityAclExtension) {
         return ['type' => $entityAclExtension->getExtensionKey(), 'resource' => $class->getClassName()];
     }, $entityAclExtension->getClasses());
     if ($filters) {
         $collection = new ArrayCollection($resources);
         $resources = $collection->matching($filters)->toArray();
     }
     $result = [];
     $originalToken = $this->impersonateUser($user);
     try {
         foreach ($resources as $resource) {
             $oid = new ObjectIdentity($resource['type'], $resource['resource']);
             $permissions = [];
             foreach ($entityAclExtension->getAllowedPermissions($oid) as $permission) {
                 if ($this->securityContext->isGranted($permission, $oid)) {
                     $permissions[] = $permission;
                 }
             }
             $result[] = array_merge($resource, ['permissions' => $permissions]);
         }
         $this->undoImpersonation($originalToken);
     } catch (\Exception $e) {
         $this->undoImpersonation($originalToken);
         throw $e;
     }
     return $result;
 }
示例#2
0
 /**
  * {@inheritDoc}
  */
 public function contains($permission)
 {
     foreach ($this->extensionSelector->all() as $extension) {
         if ($extension->hasMasks(empty($permission) ? $extension->getDefaultPermission() : $permission)) {
             return true;
         }
     }
     return false;
 }
示例#3
0
 /**
  * @param  OwnershipMetadataProvider $metadataProvider
  * @param  OwnerTree                 $ownerTree
  * @return AclExtensionSelector
  */
 public function createAclExtensionSelector(OwnershipMetadataProvider $metadataProvider = null, OwnerTree $ownerTree = null)
 {
     $idAccessor = new ObjectIdAccessor();
     $selector = new AclExtensionSelector($idAccessor);
     $actionMetadataProvider = $this->testCase->getMockBuilder('Oro\\Bundle\\SecurityBundle\\Metadata\\ActionMetadataProvider')->disableOriginalConstructor()->getMock();
     $actionMetadataProvider->expects($this->testCase->any())->method('isKnownAction')->will($this->testCase->returnValue(true));
     $selector->addAclExtension(new ActionAclExtension($actionMetadataProvider));
     $selector->addAclExtension($this->createEntityAclExtension($metadataProvider, $ownerTree, $idAccessor));
     return $selector;
 }
示例#4
0
 /**
  * Constructs an ObjectIdentity for the given domain object or based on the given descriptor.
  *
  * The descriptor is a string in the following format: "ExtensionKey:Class"
  *
  * Examples:
  *     get($object)
  *     get('Entity:AcmeBundle\SomeClass')
  *     get('Entity:AcmeBundle:SomeEntity')
  *     get('Action:Some Action')
  *
  * @param mixed $val An domain object, object identity descriptor (id:type) or ACL annotation
  * @return ObjectIdentity
  * @throws InvalidDomainObjectException
  */
 public function get($val)
 {
     try {
         $result = $this->extensionSelector->select($val)->getObjectIdentity($val);
         if ($result === null) {
             $objInfo = is_object($val) ? get_class($val) : (string) $val;
             throw new \InvalidArgumentException(sprintf('Cannot create ObjectIdentity for: %s.', $objInfo));
         }
     } catch (\InvalidArgumentException $ex) {
         throw new InvalidDomainObjectException($ex->getMessage(), 0, $ex);
     }
     return $result;
 }
示例#5
0
 /**
  * {@inheritdoc}
  */
 public function vote(TokenInterface $token, $object, array $attributes)
 {
     $this->securityToken = $token;
     $this->object = $object instanceof FieldVote ? $object->getDomainObject() : $object;
     list($this->object, $group) = $this->separateAclGroupFromObject($this->object);
     try {
         $this->extension = $this->extensionSelector->select($this->object);
     } catch (InvalidDomainObjectException $e) {
         return self::ACCESS_ABSTAIN;
     }
     // replace empty permissions with default ones
     $attributesCount = count($attributes);
     for ($i = 0; $i < $attributesCount; $i++) {
         if (empty($attributes[$i])) {
             $attributes[$i] = $this->extension->getDefaultPermission();
         }
     }
     //check acl group
     $result = $this->checkAclGroup($group);
     if ($result !== self::ACCESS_DENIED) {
         $result = parent::vote($token, $this->object, $attributes);
         //check organization context
         $result = $this->checkOrganizationContext($result);
     }
     $this->extension = null;
     $this->object = null;
     $this->securityToken = null;
     $this->triggeredMask = null;
     if ($this->oneShotIsGrantedObserver) {
         $this->oneShotIsGrantedObserver = null;
     }
     return $result;
 }
示例#6
0
 /**
  * {@inheritdoc}
  */
 public function vote(TokenInterface $token, $object, array $attributes)
 {
     $this->securityToken = $token;
     $this->object = $object instanceof FieldVote ? $object->getDomainObject() : $object;
     $this->extension = $this->extensionSelector->select($object);
     // replace empty permissions with default ones
     for ($i = 0; $i < count($attributes); $i++) {
         if (empty($attributes[$i])) {
             $attributes[$i] = $this->extension->getDefaultPermission();
         }
     }
     $result = parent::vote($token, $object, $attributes);
     $this->extension = null;
     $this->object = null;
     $this->securityToken = null;
     return $result;
 }
示例#7
0
 /**
  * Updates or creates ACE with the given attributes
  *
  * @param SID $sid
  * @param OID $oid
  * @param bool $replace If true the mask and strategy of the existing ACE should be replaced with the given ones
  * @param string $type The ACE type. Can be one of self::*_ACE constants
  * @param string|null $field The name of a field.
  *                           Set to null for class-based or object-based ACE
  *                           Set to not null class-field-based or object-field-based ACE
  * @param int $mask
  * @param bool $granting
  * @param string|null $strategy If null the strategy should not be changed for existing ACE
  *                              or the appropriate strategy should be  selected automatically for new ACE
  *                                  ALL strategy is used for $granting = true
  *                                  ANY strategy is used for $granting = false
  * @throws InvalidAclMaskException
  */
 protected function doSetPermission(SID $sid, OID $oid, $replace, $type, $field, $mask, $granting, $strategy = null)
 {
     $acl = $this->getAcl($oid, true);
     $key = $this->getKey($oid);
     if ($this->items[$key]->getState() !== BatchItem::STATE_DELETE) {
         $extension = $this->extensionSelector->select($oid);
         $extension->validateMask($mask, $oid);
         if ($acl === null && $this->items[$key]->getState() === BatchItem::STATE_CREATE) {
             $this->items[$key]->addAce($type, $field, $sid, $granting, $mask, $strategy);
         } else {
             $hasChanges = $this->aceProvider->setPermission($acl, $extension, $replace, $type, $field, $sid, $granting, $mask, $strategy);
             if ($hasChanges) {
                 $this->items[$key]->setState(BatchItem::STATE_UPDATE);
             }
         }
     }
 }
示例#8
0
 public function getAclExtension()
 {
     return $this->extensionSelector->select($this->object);
 }
示例#9
0
 /**
  * @param  string      $permission
  * @param  mixed       $object
  * @return MaskBuilder
  */
 private function getMaskBuilder($permission, $object)
 {
     return $this->selector->select($object)->getMaskBuilder($permission);
 }