/**
 * Flags the datagrid datasource as exempt from the ACL check when none of the root
 * entities of the query declares an owner.
 *
 * Only the frontend part of the application is affected: when the logged user is a
 * backend User the event is left untouched. Only the range variable declarations of
 * the FROM clause are inspected; entities brought in by JOINs are not examined here.
 *
 * @param OrmResultBefore $event
 */
public function onResultBefore(OrmResultBefore $event)
{
    // backend users are out of scope for this listener
    if ($this->securityFacade->getLoggedUser() instanceof User) {
        return;
    }

    $config = $event->getDatagrid()->getConfig();

    /** @var Subselect|SelectStatement $select */
    $select = $event->getQuery()->getAST();
    $fromClause = $select instanceof SelectStatement
        ? $select->fromClause
        : $select->subselectFromClause;

    // a single owned root entity is enough to keep the ACL check in place
    $ownedEntityFound = false;
    /** @var IdentificationVariableDeclaration $declaration */
    foreach ($fromClause->identificationVariableDeclarations as $declaration) {
        $entityName = $declaration->rangeVariableDeclaration->abstractSchemaName;
        if ($this->metadataProvider->getMetadata($entityName)->hasOwner()) {
            $ownedEntityFound = true;
            break;
        }
    }

    if (!$ownedEntityFound) {
        $config->offsetSetByPath(Builder::DATASOURCE_SKIP_ACL_CHECK, true);
    }
}
/**
 * Gets organization of the given entity
 *
 * The organization is read from the entity's global owner field as named by its
 * ownership metadata; an entity whose metadata declares no such field yields null.
 *
 * @param mixed $object
 * @return mixed The value of the global owner field, or null if the entity has none
 * @throws InvalidEntityException If entity is not an object
 * @throws \InvalidArgumentException If owner property path is not defined
 */
public function getOrganization($object)
{
    if (!is_object($object)) {
        throw new InvalidEntityException('$object must be an object.');
    }

    // proxies are resolved to the real entity class before looking up metadata
    $realClass = ClassUtils::getRealClass($object);
    $organizationField = $this->metadataProvider->getMetadata($realClass)->getGlobalOwnerFieldName();

    return $organizationField
        ? $this->getValue($object, $organizationField)
        : null;
}
/**
 * Gets organization of the given entity
 *
 * The organization is read through a property accessor from the entity's global
 * owner field as named by its ownership metadata; an entity whose metadata declares
 * no such field yields null.
 *
 * @param mixed $object
 * @return object|null
 * @throws InvalidEntityException If entity is not an object
 */
public function getOrganization($object)
{
    if (!is_object($object)) {
        throw new InvalidEntityException('$object must be an object.');
    }

    // proxies are resolved to the real entity class before looking up metadata
    $realClass = ClassUtils::getRealClass($object);
    $organizationField = $this->metadataProvider->getMetadata($realClass)->getGlobalOwnerFieldName();
    if (!$organizationField) {
        return null;
    }

    return PropertyAccess::createPropertyAccessor()->getValue($object, $organizationField);
}
/**
 * Get data for query acl access level check
 *
 * Two distinct "no condition" results are possible and must not be confused by
 * callers: an empty array means no ACL restriction applies (no voter configured,
 * no logged user id, or the entity is not protected), whereas null means the
 * requested permission was denied.
 *
 * @param string $entityClassName
 * @param mixed  $permissions ACL permission to check, defaults to 'VIEW'
 *
 * @return null|array Empty array when the entity is fully accessible, null when
 *                    access is denied, otherwise the constraint data built by
 *                    buildConstraintIfAccessIsGranted() for the granted access level
 */
public function getAclConditionData($entityClassName, $permissions = 'VIEW')
{
    $aclApplies = $this->aclVoter !== null
        && $this->getUserId()
        && $this->entityMetadataProvider->isProtectedEntity($entityClassName);
    if (!$aclApplies) {
        return [];
    }

    // the observer captures the access level decided by the voter for this single check
    $observer = new OneShotIsGrantedObserver();
    $this->aclVoter->addOneShotIsGrantedObserver($observer);

    $isGranted = $this->getSecurityContext()->isGranted($permissions, 'entity:' . $entityClassName);
    if (!$isGranted) {
        return null;
    }

    return $this->buildConstraintIfAccessIsGranted(
        $entityClassName,
        $observer->getAccessLevel(),
        $this->metadataProvider->getMetadata($entityClassName)
    );
}
/**
 * Get data for query acl access level check
 *
 * @param string $entityClassName
 * @param mixed  $permissions ACL permission to check, defaults to 'VIEW'
 *
 * @return array Empty array when the entity is fully accessible (no voter configured,
 *               no logged user id, or the entity is not protected); the access-denied
 *               condition from getAccessDeniedCondition() when the permission is refused;
 *               otherwise the constraint data built by buildConstraintIfAccessIsGranted().
 *               Array structure:
 *               0 - owner field name
 *               1 - owner values
 *               2 - owner association type
 *               3 - organization field name
 *               4 - organization values
 *               5 - should owners be checked
 *                   (for example, in case of Organization ownership type, owners should not be checked)
 */
public function getAclConditionData($entityClassName, $permissions = 'VIEW')
{
    $aclApplies = $this->aclVoter !== null
        && $this->getUserId()
        && $this->entityMetadataProvider->isProtectedEntity($entityClassName);
    if (!$aclApplies) {
        // nothing restricts this entity for the current user
        return [];
    }

    // the observer captures the access level decided by the voter for this single check
    $observer = new OneShotIsGrantedObserver();
    $this->aclVoter->addOneShotIsGrantedObserver($observer);

    // when an ACL group is active the identity is checked as "<group>@<class>"
    $groupedEntityClassName = $entityClassName;
    $group = $this->aclGroupProvider ? $this->aclGroupProvider->getGroup() : null;
    if ($group) {
        $groupedEntityClassName = sprintf('%s@%s', $group, $entityClassName);
    }

    $isGranted = $this->getSecurityContext()->isGranted(
        $permissions,
        new ObjectIdentity('entity', $groupedEntityClassName)
    );

    return $isGranted
        ? $this->buildConstraintIfAccessIsGranted(
            $entityClassName,
            $observer->getAccessLevel(),
            $this->metadataProvider->getMetadata($entityClassName)
        )
        : $this->getAccessDeniedCondition();
}
/**
 * Gets metadata for the given object
 *
 * The object is first resolved to a class name via getObjectClassName() and the
 * ownership metadata is then looked up by that class name.
 *
 * @param mixed $object
 *
 * @return OwnershipMetadataInterface
 */
protected function getMetadata($object)
{
    $className = $this->getObjectClassName($object);

    return $this->metadataProvider->getMetadata($className);
}