/**
  * Check ACL based on acl_resource_id, route or uri.
  *
  * @param array $options
  */
 protected function processAcl(array &$options = array())
 {
     if (isset($options['check_access']) && $options['check_access'] == false) {
         $needCheck = false;
     } else {
         $needCheck = true;
     }
     $isAllowed = self::DEFAULT_ACL_POLICY;
     if (array_key_exists(self::ACL_RESOURCE_ID_KEY, $options)) {
         if (array_key_exists($options[self::ACL_RESOURCE_ID_KEY], $this->aclCache)) {
             $isAllowed = $this->aclCache[$options[self::ACL_RESOURCE_ID_KEY]];
         } else {
             if ($needCheck) {
                 $isAllowed = $this->securityFacade->isGranted($options[self::ACL_RESOURCE_ID_KEY]);
             }
             $this->aclCache[$options[self::ACL_RESOURCE_ID_KEY]] = $isAllowed;
         }
     } else {
         $routeInfo = $this->getRouteInfo($options);
         if ($routeInfo) {
             if (array_key_exists($routeInfo['key'], $this->aclCache)) {
                 $isAllowed = $this->aclCache[$routeInfo['key']];
             } else {
                 if ($needCheck) {
                     $isAllowed = $this->securityFacade->isClassMethodGranted($routeInfo['controller'], $routeInfo['action']);
                 }
                 $this->aclCache[$routeInfo['key']] = $isAllowed;
             }
         }
     }
     $options['extras']['isAllowed'] = $isAllowed;
 }
 /**
  * Checks if an access to a controller action is granted or not.
  *
  * This method is executed just before any controller action.
  *
  * @param  FilterControllerEvent $event
  * @throws AccessDeniedException
  */
 public function onKernelController(FilterControllerEvent $event)
 {
     $controller = $event->getController();
     /*
      * $controller passed can be either a class or a Closure. This is not usual in Symfony2 but it may happen.
      * If it is a class, it comes in array format
      */
     if (is_array($controller)) {
         list($object, $method) = $controller;
         $className = ClassUtils::getClass($object);
         $this->logger->debug(sprintf('Invoked controller "%s::%s". (%s)', $className, $method, $event->getRequestType() === HttpKernelInterface::MASTER_REQUEST ? 'MASTER_REQUEST' : 'SUB_REQUEST'));
         if (!$this->securityFacade->isClassMethodGranted($className, $method)) {
             if ($event->getRequestType() === HttpKernelInterface::MASTER_REQUEST) {
                 throw new AccessDeniedException(sprintf('Access denied to %s::%s.', $className, $method));
             }
         }
     }
 }
 public function testIsClassMethodGrantedGrantingByMethodAndClassAcls()
 {
     $oid = new ObjectIdentity('1', 'TestType');
     $annotation = $this->getMockBuilder('Oro\\Bundle\\SecurityBundle\\Annotation\\Acl')->disableOriginalConstructor()->getMock();
     $annotation->expects($this->once())->method('getId')->will($this->returnValue('method_annotation'));
     $annotation->expects($this->once())->method('getPermission')->will($this->returnValue('TEST_PERMISSION'));
     $annotation->expects($this->once())->method('getIgnoreClassAcl')->will($this->returnValue(false));
     $classOid = new ObjectIdentity('2', 'TestType');
     $classAnnotation = $this->getMockBuilder('Oro\\Bundle\\SecurityBundle\\Annotation\\Acl')->disableOriginalConstructor()->getMock();
     $classAnnotation->expects($this->once())->method('getId')->will($this->returnValue('class_annotation'));
     $classAnnotation->expects($this->once())->method('getPermission')->will($this->returnValue('TEST_PERMISSION_CLASS'));
     $this->annotationProvider->expects($this->at(0))->method('findAnnotation')->with('TestClass', 'TestMethod')->will($this->returnValue($annotation));
     $this->annotationProvider->expects($this->at(1))->method('findAnnotation')->with('TestClass')->will($this->returnValue($classAnnotation));
     $this->logger->expects($this->exactly(2))->method('debug');
     $this->objectIdentityFactory->expects($this->at(0))->method('get')->with($this->identicalTo($annotation))->will($this->returnValue($oid));
     $this->objectIdentityFactory->expects($this->at(1))->method('get')->with($this->identicalTo($classAnnotation))->will($this->returnValue($classOid));
     $this->tokenStorage->expects($this->at(0))->method('isGranted')->with($this->equalTo('TEST_PERMISSION'), $this->identicalTo($oid))->will($this->returnValue(true));
     $this->tokenStorage->expects($this->at(1))->method('isGranted')->with($this->equalTo('TEST_PERMISSION_CLASS'), $this->identicalTo($classOid))->will($this->returnValue(true));
     $result = $this->facade->isClassMethodGranted('TestClass', 'TestMethod');
     $this->assertTrue($result);
 }
 /**
  * Check ACL based on acl_resource_id, route or uri.
  *
  * @param array $options
  *
  * @return void
  */
 protected function processAcl(array &$options = array())
 {
     $isAllowed = self::DEFAULT_ACL_POLICY;
     $options['extras']['isAllowed'] = self::DEFAULT_ACL_POLICY;
     if (isset($options['check_access']) && $options['check_access'] === false) {
         return;
     }
     if ($this->hideAllForNotLoggedInUsers && !$this->securityFacade->hasLoggedUser()) {
         if (isset($options['extras']) && array_key_exists('showNonAuthorized', $options['extras']) && $options['extras']['showNonAuthorized']) {
             return;
         }
         $isAllowed = false;
     } elseif ($this->securityFacade->getToken() !== null) {
         // don't check access if it's CLI
         if (array_key_exists('extras', $options) && array_key_exists(self::ACL_POLICY_KEY, $options['extras'])) {
             $isAllowed = $options['extras'][self::ACL_POLICY_KEY];
         }
         if (array_key_exists(self::ACL_RESOURCE_ID_KEY, $options)) {
             if (array_key_exists($options[self::ACL_RESOURCE_ID_KEY], $this->aclCache)) {
                 $isAllowed = $this->aclCache[$options[self::ACL_RESOURCE_ID_KEY]];
             } else {
                 $isAllowed = $this->securityFacade->isGranted($options[self::ACL_RESOURCE_ID_KEY]);
                 $this->aclCache[$options[self::ACL_RESOURCE_ID_KEY]] = $isAllowed;
             }
         } else {
             $routeInfo = $this->getRouteInfo($options);
             if ($routeInfo) {
                 if (array_key_exists($routeInfo['key'], $this->aclCache)) {
                     $isAllowed = $this->aclCache[$routeInfo['key']];
                 } else {
                     $isAllowed = $this->securityFacade->isClassMethodGranted($routeInfo['controller'], $routeInfo['action']);
                     $this->aclCache[$routeInfo['key']] = $isAllowed;
                 }
             }
         }
     }
     $options['extras']['isAllowed'] = $isAllowed;
 }