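/**
 * Check ACL based on acl_resource_id, route or uri.
 *
 * Writes the decision into $options['extras']['isAllowed'].
 *
 * When $options['check_access'] is explicitly boolean false no check is
 * performed and the result is self::DEFAULT_ACL_POLICY. That result is NOT
 * written to $this->aclCache: previously a "skip check" call stored the
 * default policy under the resource/route key, so a later call for the same
 * key that *did* require a check read the unchecked value from the cache.
 *
 * @param array $options menu item options, modified in place
 *
 * @return void
 */
protected function processAcl(array &$options = array())
{
    // Strict comparison on purpose: only an explicit `false` disables the
    // check. The former loose `== false` also matched 0, '', '0' and [].
    if (isset($options['check_access']) && $options['check_access'] === false) {
        $options['extras']['isAllowed'] = self::DEFAULT_ACL_POLICY;

        return;
    }

    $isAllowed = self::DEFAULT_ACL_POLICY;

    if (array_key_exists(self::ACL_RESOURCE_ID_KEY, $options)) {
        $resourceId = $options[self::ACL_RESOURCE_ID_KEY];
        if (array_key_exists($resourceId, $this->aclCache)) {
            $isAllowed = $this->aclCache[$resourceId];
        } else {
            $isAllowed = $this->securityFacade->isGranted($resourceId);
            // Only real decisions are cached.
            $this->aclCache[$resourceId] = $isAllowed;
        }
    } else {
        $routeInfo = $this->getRouteInfo($options);
        if ($routeInfo) {
            $cacheKey = $routeInfo['key'];
            if (array_key_exists($cacheKey, $this->aclCache)) {
                $isAllowed = $this->aclCache[$cacheKey];
            } else {
                $isAllowed = $this->securityFacade->isClassMethodGranted(
                    $routeInfo['controller'],
                    $routeInfo['action']
                );
                // Only real decisions are cached.
                $this->aclCache[$cacheKey] = $isAllowed;
            }
        }
    }

    $options['extras']['isAllowed'] = $isAllowed;
}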
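/**
 * Checks if an access to a controller action is granted or not.
 *
 * This method is executed just before any controller action.
 *
 * Only array-form controllers ([object, method]) are checked here. Closure
 * controllers and invokable objects are passed through untouched.
 * NOTE(review): confirm those controller types are covered by another check.
 *
 * A denied sub-request is not enforced (only a master request throws); it is
 * logged so that the decision is visible instead of being silently dropped.
 *
 * @param FilterControllerEvent $event
 * @throws AccessDeniedException when access is denied on a master request
 */
public function onKernelController(FilterControllerEvent $event)
{
    $controller = $event->getController();

    /*
     * $controller passed can be either a class or a Closure. This is not usual in Symfony2 but it may happen.
     * If it is a class, it comes in array format
     */
    if (!is_array($controller)) {
        return;
    }

    list($object, $method) = $controller;
    $className = ClassUtils::getClass($object);
    $isMasterRequest = $event->getRequestType() === HttpKernelInterface::MASTER_REQUEST;

    $this->logger->debug(sprintf(
        'Invoked controller "%s::%s". (%s)',
        $className,
        $method,
        $isMasterRequest ? 'MASTER_REQUEST' : 'SUB_REQUEST'
    ));

    if ($this->securityFacade->isClassMethodGranted($className, $method)) {
        return;
    }

    if ($isMasterRequest) {
        throw new AccessDeniedException(sprintf('Access denied to %s::%s.', $className, $method));
    }

    // Sub-request denials are deliberately not enforced; leave a trace.
    $this->logger->debug(sprintf('Access denied to %s::%s (SUB_REQUEST, not enforced).', $className, $method));
}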
/**
 * Both the method-level and the class-level ACL annotations grant their
 * permission, so isClassMethodGranted() must return true.
 *
 * The ordering expectations use $this->at(), which counts calls per mock;
 * the indexes below are per collaborator, not global.
 */
public function testIsClassMethodGrantedGrantingByMethodAndClassAcls()
{
    $methodOid = new ObjectIdentity('1', 'TestType');
    $classOid = new ObjectIdentity('2', 'TestType');

    // Method-level annotation: does not ignore the class-level ACL.
    $methodAnnotation = $this->getMockBuilder('Oro\\Bundle\\SecurityBundle\\Annotation\\Acl')
        ->disableOriginalConstructor()
        ->getMock();
    $methodAnnotation->expects($this->once())
        ->method('getId')
        ->willReturn('method_annotation');
    $methodAnnotation->expects($this->once())
        ->method('getPermission')
        ->willReturn('TEST_PERMISSION');
    $methodAnnotation->expects($this->once())
        ->method('getIgnoreClassAcl')
        ->willReturn(false);

    // Class-level annotation.
    $classAnnotation = $this->getMockBuilder('Oro\\Bundle\\SecurityBundle\\Annotation\\Acl')
        ->disableOriginalConstructor()
        ->getMock();
    $classAnnotation->expects($this->once())
        ->method('getId')
        ->willReturn('class_annotation');
    $classAnnotation->expects($this->once())
        ->method('getPermission')
        ->willReturn('TEST_PERMISSION_CLASS');

    // Lookup order: method annotation first, then class annotation.
    $this->annotationProvider->expects($this->at(0))
        ->method('findAnnotation')
        ->with('TestClass', 'TestMethod')
        ->willReturn($methodAnnotation);
    $this->annotationProvider->expects($this->at(1))
        ->method('findAnnotation')
        ->with('TestClass')
        ->willReturn($classAnnotation);

    $this->logger->expects($this->exactly(2))
        ->method('debug');

    $this->objectIdentityFactory->expects($this->at(0))
        ->method('get')
        ->with($this->identicalTo($methodAnnotation))
        ->willReturn($methodOid);
    $this->objectIdentityFactory->expects($this->at(1))
        ->method('get')
        ->with($this->identicalTo($classAnnotation))
        ->willReturn($classOid);

    // Both permission checks grant access.
    $this->tokenStorage->expects($this->at(0))
        ->method('isGranted')
        ->with($this->equalTo('TEST_PERMISSION'), $this->identicalTo($methodOid))
        ->willReturn(true);
    $this->tokenStorage->expects($this->at(1))
        ->method('isGranted')
        ->with($this->equalTo('TEST_PERMISSION_CLASS'), $this->identicalTo($classOid))
        ->willReturn(true);

    $this->assertTrue($this->facade->isClassMethodGranted('TestClass', 'TestMethod'));
}
/**
 * Check ACL based on acl_resource_id, route or uri.
 *
 * The decision is written into $options['extras']['isAllowed']; it starts
 * as self::DEFAULT_ACL_POLICY and is only changed by an actual check. An
 * explicit `check_access === false` skips every check. Decisions for a
 * resource id or route key are memoised in $this->aclCache for the
 * lifetime of this object.
 *
 * @param array $options
 *
 * @return void
 */
protected function processAcl(array &$options = array())
{
    $options['extras']['isAllowed'] = self::DEFAULT_ACL_POLICY;

    if (isset($options['check_access']) && $options['check_access'] === false) {
        return;
    }

    $isAllowed = self::DEFAULT_ACL_POLICY;

    if ($this->hideAllForNotLoggedInUsers && !$this->securityFacade->hasLoggedUser()) {
        $showNonAuthorized = isset($options['extras'])
            && array_key_exists('showNonAuthorized', $options['extras'])
            && $options['extras']['showNonAuthorized'];
        if ($showNonAuthorized) {
            return;
        }
        $isAllowed = false;
    } elseif ($this->securityFacade->getToken() !== null) {
        // No token means CLI: nothing is checked there and the default policy stands.
        if (array_key_exists('extras', $options) && array_key_exists(self::ACL_POLICY_KEY, $options['extras'])) {
            $isAllowed = $options['extras'][self::ACL_POLICY_KEY];
        }

        if (array_key_exists(self::ACL_RESOURCE_ID_KEY, $options)) {
            $resourceId = $options[self::ACL_RESOURCE_ID_KEY];
            $isAllowed = $this->aclCacheGetOrCompute(
                $resourceId,
                function () use ($resourceId) {
                    return $this->securityFacade->isGranted($resourceId);
                }
            );
        } else {
            $routeInfo = $this->getRouteInfo($options);
            if ($routeInfo) {
                $isAllowed = $this->aclCacheGetOrCompute(
                    $routeInfo['key'],
                    function () use ($routeInfo) {
                        return $this->securityFacade->isClassMethodGranted(
                            $routeInfo['controller'],
                            $routeInfo['action']
                        );
                    }
                );
            }
        }
    }

    $options['extras']['isAllowed'] = $isAllowed;
}

/**
 * Returns the memoised ACL decision for $cacheKey, running $check and
 * storing its result on a cache miss.
 *
 * @param string|int $cacheKey resource id or route key
 * @param callable   $check    produces the decision on a miss
 *
 * @return mixed the decision as returned by $check
 */
private function aclCacheGetOrCompute($cacheKey, $check)
{
    if (!array_key_exists($cacheKey, $this->aclCache)) {
        $this->aclCache[$cacheKey] = $check();
    }

    return $this->aclCache[$cacheKey];
}