hdabo_sf: vendor/bundles/JMS/SecurityExtraBundle/Security/Authorization/AfterInvocation/AclAfterInvocationProvider.php@d672f7dd74dc (annotated)

0 7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	1	<?php
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	2
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	3	/*
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	4	* Copyright 2010 Johannes M. Schmitt <schmittjoh@gmail.com>
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	5	*
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	6	* Licensed under the Apache License, Version 2.0 (the "License");
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	7	* you may not use this file except in compliance with the License.
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	8	* You may obtain a copy of the License at
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	9	*
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	10	* http://www.apache.org/licenses/LICENSE-2.0
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	11	*
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	12	* Unless required by applicable law or agreed to in writing, software
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	13	* distributed under the License is distributed on an "AS IS" BASIS,
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	14	* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	15	* See the License for the specific language governing permissions and
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	16	* limitations under the License.
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	17	*/
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	18
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	19	namespace JMS\SecurityExtraBundle\Security\Authorization\AfterInvocation;
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	20
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	21	use Symfony\Component\HttpKernel\Log\LoggerInterface;
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	22	use Symfony\Component\Security\Acl\Exception\AclNotFoundException;
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	23	use Symfony\Component\Security\Acl\Exception\NoAceFoundException;
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	24	use Symfony\Component\Security\Acl\Model\SecurityIdentityRetrievalStrategyInterface;
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	25	use Symfony\Component\Security\Acl\Model\ObjectIdentityRetrievalStrategyInterface;
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	26	use Symfony\Component\Security\Acl\Model\AclProviderInterface;
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	27	use Symfony\Component\Security\Acl\Permission\PermissionMapInterface;
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	28	use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	29	use Symfony\Component\Security\Core\Exception\AccessDeniedException;
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	30
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	31	/**
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	32	* This after invocation provider filters returned objects based on ACLs.
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	33	*
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	34	* @author Johannes M. Schmitt <schmittjoh@gmail.com>
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	35	*/
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	36	class AclAfterInvocationProvider implements AfterInvocationProviderInterface
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	37	{
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	38	private $aclProvider;
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	39	private $oidRetrievalStrategy;
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	40	private $sidRetrievalStrategy;
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	41	private $permissionMap;
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	42	private $logger;
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	43
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	44	public function __construct(AclProviderInterface $aclProvider, ObjectIdentityRetrievalStrategyInterface $oidRetrievalStrategy, SecurityIdentityRetrievalStrategyInterface $sidRetrievalStrategy, PermissionMapInterface $permissionMap, LoggerInterface $logger = null)
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	45	{
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	46	$this->aclProvider = $aclProvider;
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	47	$this->oidRetrievalStrategy = $oidRetrievalStrategy;
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	48	$this->sidRetrievalStrategy = $sidRetrievalStrategy;
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	49	$this->permissionMap = $permissionMap;
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	50	$this->logger = $logger;
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	51	}
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	52
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	53	public function decide(TokenInterface $token, $secureObject, array $attributes, $returnedObject)
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	54	{
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	55	if (null === $returnedObject) {
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	56	if (null !== $this->logger) {
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	57	$this->logger->debug('Returned object was null, skipping security check.');
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	58	}
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	59
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	60	return null;
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	61	}
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	62
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	63	foreach ($attributes as $attribute) {
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	64	if (!$this->supportsAttribute($attribute)) {
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	65	continue;
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	66	}
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	67
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	68	if (null === $oid = $this->oidRetrievalStrategy->getObjectIdentity($returnedObject)) {
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	69	if (null !== $this->logger) {
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	70	$this->logger->debug('Returned object was no domain object, skipping security check.');
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	71	}
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	72
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	73	return $returnedObject;
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	74	}
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	75
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	76	$sids = $this->sidRetrievalStrategy->getSecurityIdentities($token);
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	77
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	78	try {
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	79	$acl = $this->aclProvider->findAcl($oid, $sids);
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	80	if ($acl->isGranted($this->permissionMap->getMasks($attribute, $returnedObject), $sids, false)) {
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	81	return $returnedObject;
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	82	}
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	83
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	84	if (null !== $this->logger) {
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	85	$this->logger->debug('Token has been denied access for returned object.');
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	86	}
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	87	} catch (AclNotFoundException $noAcl) {
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	88	throw new AccessDeniedException('No applicable ACL found for domain object.');
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	89	} catch (NoAceFoundException $noAce) {
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	90	if (null !== $this->logger) {
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	91	$this->logger->debug('No applicable ACE found for the given Token, denying access.');
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	92	}
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	93	}
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	94
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	95	throw new AccessDeniedException('ACL has denied access for attribute: '.$attribute);
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	96	}
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	97
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	98	// no attribute was supported
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	99	return $returnedObject;
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	100	}
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	101
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	102	public function supportsAttribute($attribute)
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	103	{
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	104	return $this->permissionMap->contains($attribute);
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	105	}
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	106
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	107	public function supportsClass($className)
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	108	{
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	109	return true;
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	110	}
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	111	}

author	cavaliet
	Mon, 07 Jul 2014 17:23:47 +0200
changeset 122	d672f7dd74dc
parent 0	7f95f8617b0b
permissions	-rwxr-xr-x