/** * {@inheritdoc} */ protected function executeAction($context) { $aclClass = $this->manager->getRepository('OroSecurityBundle:AclClass')->findOneBy(['classType' => $context->data->getClassName()]); $removeScopes = array_diff($context->old['security']['share_scopes'], $context->new['security']['share_scopes']); if (!$aclClass || empty($removeScopes)) { return; } $qb = $this->qbManager->getRemoveAceQueryBuilder($aclClass, $removeScopes); $qb->getQuery()->execute(); $this->aclCache->clearCache(); }
/** * @param AbstractRole $role */ protected function processPrivileges(AbstractRole $role) { $decodedPrivileges = json_decode($this->form->get('privileges')->getData(), true); $formPrivileges = []; foreach ($this->privilegeConfig as $fieldName => $config) { $privilegesArray = $decodedPrivileges[$fieldName]; $privileges = []; foreach ($privilegesArray as $privilege) { $aclPrivilege = new AclPrivilege(); foreach ($privilege['permissions'] as $name => $permission) { $aclPrivilege->addPermission(new AclPermission($permission['name'], $permission['accessLevel'])); } $aclPrivilegeIdentity = new AclPrivilegeIdentity($privilege['identity']['id'], $privilege['identity']['name']); $aclPrivilege->setIdentity($aclPrivilegeIdentity); $privileges[] = $aclPrivilege; } if ($config['fix_values']) { $this->fxPrivilegeValue($privileges, $config['default_value']); } $formPrivileges = array_merge($formPrivileges, $privileges); } array_walk($formPrivileges, function (AclPrivilege $privilege) { $privilege->setGroup($this->getAclGroup()); }); $this->privilegeRepository->savePrivileges($this->aclManager->getSid($role), new ArrayCollection($formPrivileges)); $this->aclCache->clearCache(); }
/** * Removes ACEs if share scope was removed from entity config * * @param PostFlushConfigEvent $event */ public function postFlushConfig(PostFlushConfigEvent $event) { $configManager = $event->getConfigManager(); foreach ($event->getModels() as $model) { /** @var EntityConfigModel $model */ if ($model instanceof EntityConfigModel) { $aclClass = $this->registry->getRepository('OroSecurityBundle:AclClass')->findOneBy(['classType' => $model->getClassName()]); if (!$aclClass) { continue; } $changeSet = $configManager->getConfigChangeSet($configManager->getProvider('security')->getConfig($model->getClassName())); $removeScopes = []; if ($changeSet) { $removeScopes = array_diff($changeSet['share_scopes'][0], $changeSet['share_scopes'][1]); } if (empty($removeScopes)) { continue; } $qb = $this->qbManager->getRemoveAceQueryBuilder($aclClass, $removeScopes); $qb->getQuery()->execute(); $this->aclCache->clearCache(); } } }
/** * @param object $object * * @return string * * @throws \Symfony\Component\Security\Acl\Exception\InvalidDomainObjectException */ public function getSharedWithName($object) { $oid = ObjectIdentity::fromDomainObject($object); /** @var Acl $acl */ $acl = $this->aclCache->getFromCacheByIdentity($oid); $name = ''; $objectAces = $acl->getObjectAces(); if ($acl && $objectAces) { usort($objectAces, [$this, 'compareEntries']); /** @var Entry $entry */ $entry = $objectAces[0]; $sid = $entry->getSecurityIdentity(); $name = $this->getFormattedName($sid); } return $name; }
/** * {@inheritdoc} */ public function findAcls(array $oids, array $sids = array()) { $result = new \SplObjectStorage(); $currentBatch = array(); $oidLookup = array(); for ($i = 0, $c = count($oids); $i < $c; $i++) { $oid = $oids[$i]; $oidLookupKey = $oid->getIdentifier() . $oid->getType(); $oidLookup[$oidLookupKey] = $oid; $aclFound = false; // check if result already contains an ACL if ($result->contains($oid)) { $aclFound = true; } // check if this ACL has already been hydrated if (!$aclFound && isset($this->loadedAcls[$oid->getType()][$oid->getIdentifier()])) { $acl = $this->loadedAcls[$oid->getType()][$oid->getIdentifier()]; if (!$acl->isSidLoaded($sids)) { // FIXME: we need to load ACEs for the missing SIDs. This is never // reached by the default implementation, since we do not // filter by SID throw new \RuntimeException('This is not supported by the default implementation.'); } else { $result->attach($oid, $acl); $aclFound = true; } } // check if we can locate the ACL in the cache if (!$aclFound && null !== $this->cache) { $acl = $this->cache->getFromCacheByIdentity($oid); if (null !== $acl) { if ($acl->isSidLoaded($sids)) { // check if any of the parents has been loaded since we need to // ensure that there is only ever one ACL per object identity $parentAcl = $acl->getParentAcl(); while (null !== $parentAcl) { $parentOid = $parentAcl->getObjectIdentity(); if (isset($this->loadedAcls[$parentOid->getType()][$parentOid->getIdentifier()])) { $acl->setParentAcl($this->loadedAcls[$parentOid->getType()][$parentOid->getIdentifier()]); break; } else { $this->loadedAcls[$parentOid->getType()][$parentOid->getIdentifier()] = $parentAcl; $this->updateAceIdentityMap($parentAcl); } $parentAcl = $parentAcl->getParentAcl(); } $this->loadedAcls[$oid->getType()][$oid->getIdentifier()] = $acl; $this->updateAceIdentityMap($acl); $result->attach($oid, $acl); $aclFound = true; } else { $this->cache->evictFromCacheByIdentity($oid); foreach ($this->findChildren($oid) as $childOid) { $this->cache->evictFromCacheByIdentity($childOid); } } } } // looks like we have to load the ACL from the database if (!$aclFound) { $currentBatch[] = $oid; } // Is it time to load the current batch? $currentBatchesCount = count($currentBatch); if ($currentBatchesCount > 0 && (self::MAX_BATCH_SIZE === $currentBatchesCount || $i + 1 === $c)) { try { $loadedBatch = $this->lookupObjectIdentities($currentBatch, $sids, $oidLookup); } catch (AclNotFoundException $aclNotFoundException) { if ($result->count()) { $partialResultException = new NotAllAclsFoundException('The provider could not find ACLs for all object identities.'); $partialResultException->setPartialResult($result); throw $partialResultException; } else { throw $aclNotFoundException; } } foreach ($loadedBatch as $loadedOid) { $loadedAcl = $loadedBatch->offsetGet($loadedOid); if (null !== $this->cache) { $this->cache->putInCache($loadedAcl); } if (isset($oidLookup[$loadedOid->getIdentifier() . $loadedOid->getType()])) { $result->attach($loadedOid, $loadedAcl); } } $currentBatch = array(); } } // check that we got ACLs for all the identities foreach ($oids as $oid) { if (!$result->contains($oid)) { if (1 === count($oids)) { $objectName = method_exists($oid, '__toString') ? $oid : get_class($oid); throw new AclNotFoundException(sprintf('No ACL found for %s.', $objectName)); } $partialResultException = new NotAllAclsFoundException('The provider could not find ACLs for all object identities.'); $partialResultException->setPartialResult($result); throw $partialResultException; } } return $result; }