hdabo_sf: vendor/symfony/src/Symfony/Component/Security/Acl/Voter/AclVoter.php@6b24cd6b51c5 (annotated)

0 7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	1	<?php
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	2
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	3	/*
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	4	* This file is part of the Symfony package.
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	5	*
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	6	* (c) Fabien Potencier <fabien@symfony.com>
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	7	*
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	8	* For the full copyright and license information, please view the LICENSE
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	9	* file that was distributed with this source code.
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	10	*/
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	11
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	12	namespace Symfony\Component\Security\Acl\Voter;
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	13
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	14	use Symfony\Component\HttpKernel\Log\LoggerInterface;
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	15	use Symfony\Component\Security\Acl\Domain\ObjectIdentity;
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	16	use Symfony\Component\Security\Acl\Domain\RoleSecurityIdentity;
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	17	use Symfony\Component\Security\Acl\Domain\UserSecurityIdentity;
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	18	use Symfony\Component\Security\Acl\Exception\NoAceFoundException;
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	19	use Symfony\Component\Security\Acl\Exception\AclNotFoundException;
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	20	use Symfony\Component\Security\Acl\Model\AclProviderInterface;
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	21	use Symfony\Component\Security\Acl\Model\ObjectIdentityInterface;
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	22	use Symfony\Component\Security\Acl\Permission\PermissionMapInterface;
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	23	use Symfony\Component\Security\Acl\Model\SecurityIdentityRetrievalStrategyInterface;
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	24	use Symfony\Component\Security\Acl\Model\ObjectIdentityRetrievalStrategyInterface;
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	25	use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	26	use Symfony\Component\Security\Core\Authorization\Voter\VoterInterface;
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	27	use Symfony\Component\Security\Core\Role\RoleHierarchyInterface;
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	28
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	29	/**
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	30	* This voter can be used as a base class for implementing your own permissions.
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	31	*
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	32	* @author Johannes M. Schmitt <schmittjoh@gmail.com>
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	33	*/
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	34	class AclVoter implements VoterInterface
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	35	{
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	36	private $aclProvider;
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	37	private $permissionMap;
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	38	private $objectIdentityRetrievalStrategy;
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	39	private $securityIdentityRetrievalStrategy;
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	40	private $allowIfObjectIdentityUnavailable;
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	41	private $logger;
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	42
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	43	public function __construct(AclProviderInterface $aclProvider, ObjectIdentityRetrievalStrategyInterface $oidRetrievalStrategy, SecurityIdentityRetrievalStrategyInterface $sidRetrievalStrategy, PermissionMapInterface $permissionMap, LoggerInterface $logger = null, $allowIfObjectIdentityUnavailable = true)
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	44	{
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	45	$this->aclProvider = $aclProvider;
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	46	$this->permissionMap = $permissionMap;
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	47	$this->objectIdentityRetrievalStrategy = $oidRetrievalStrategy;
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	48	$this->securityIdentityRetrievalStrategy = $sidRetrievalStrategy;
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	49	$this->logger = $logger;
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	50	$this->allowIfObjectIdentityUnavailable = $allowIfObjectIdentityUnavailable;
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	51	}
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	52
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	53	public function supportsAttribute($attribute)
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	54	{
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	55	return $this->permissionMap->contains($attribute);
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	56	}
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	57
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	58	public function vote(TokenInterface $token, $object, array $attributes)
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	59	{
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	60	foreach ($attributes as $attribute) {
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	61	if (null === $masks = $this->permissionMap->getMasks($attribute, $object)) {
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	62	continue;
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	63	}
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	64
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	65	if (null === $object) {
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	66	if (null !== $this->logger) {
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	67	$this->logger->debug(sprintf('Object identity unavailable. Voting to %s', $this->allowIfObjectIdentityUnavailable? 'grant access' : 'abstain'));
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	68	}
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	69
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	70	return $this->allowIfObjectIdentityUnavailable ? self::ACCESS_GRANTED : self::ACCESS_ABSTAIN;
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	71	} else if ($object instanceof FieldVote) {
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	72	$field = $object->getField();
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	73	$object = $object->getDomainObject();
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	74	} else {
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	75	$field = null;
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	76	}
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	77
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	78	if ($object instanceof ObjectIdentityInterface) {
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	79	$oid = $object;
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	80	} else if (null === $oid = $this->objectIdentityRetrievalStrategy->getObjectIdentity($object)) {
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	81	if (null !== $this->logger) {
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	82	$this->logger->debug(sprintf('Object identity unavailable. Voting to %s', $this->allowIfObjectIdentityUnavailable? 'grant access' : 'abstain'));
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	83	}
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	84
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	85	return $this->allowIfObjectIdentityUnavailable ? self::ACCESS_GRANTED : self::ACCESS_ABSTAIN;
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	86	}
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	87
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	88	if (!$this->supportsClass($oid->getType())) {
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	89	return self::ACCESS_ABSTAIN;
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	90	}
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	91
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	92	$sids = $this->securityIdentityRetrievalStrategy->getSecurityIdentities($token);
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	93
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	94	try {
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	95	$acl = $this->aclProvider->findAcl($oid, $sids);
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	96
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	97	if (null === $field && $acl->isGranted($masks, $sids, false)) {
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	98	if (null !== $this->logger) {
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	99	$this->logger->debug('ACL found, permission granted. Voting to grant access');
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	100	}
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	101
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	102	return self::ACCESS_GRANTED;
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	103	} else if (null !== $field && $acl->isFieldGranted($field, $masks, $sids, false)) {
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	104	if (null !== $this->logger) {
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	105	$this->logger->debug('ACL found, permission granted. Voting to grant access');
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	106	}
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	107
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	108	return self::ACCESS_GRANTED;
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	109	}
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	110
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	111	if (null !== $this->logger) {
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	112	$this->logger->debug('ACL found, insufficient permissions. Voting to deny access.');
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	113	}
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	114
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	115	return self::ACCESS_DENIED;
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	116	} catch (AclNotFoundException $noAcl) {
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	117	if (null !== $this->logger) {
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	118	$this->logger->debug('No ACL found for the object identity. Voting to deny access.');
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	119	}
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	120
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	121	return self::ACCESS_DENIED;
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	122	} catch (NoAceFoundException $noAce) {
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	123	if (null !== $this->logger) {
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	124	$this->logger->debug('ACL found, no ACE applicable. Voting to deny access.');
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	125	}
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	126
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	127	return self::ACCESS_DENIED;
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	128	}
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	129	}
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	130
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	131	// no attribute was supported
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	132	return self::ACCESS_ABSTAIN;
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	133	}
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	134
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	135	/**
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	136	* You can override this method when writing a voter for a specific domain
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	137	* class.
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	138	*
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	139	* @param string $class The class name
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	140	*
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	141	* @return Boolean
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	142	*/
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	143	public function supportsClass($class)
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	144	{
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	145	return true;
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	146	}
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	147	}

author	cavaliet
	Fri, 28 Oct 2011 14:57:11 +0200
changeset 23	6b24cd6b51c5
parent 0	7f95f8617b0b
permissions	-rwxr-xr-x