diff -r 000000000000 -r 7f95f8617b0b vendor/symfony/src/Symfony/Component/Security/Acl/Domain/PermissionGrantingStrategy.php --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/vendor/symfony/src/Symfony/Component/Security/Acl/Domain/PermissionGrantingStrategy.php Sat Sep 24 15:40:41 2011 +0200 @@ -0,0 +1,209 @@ + + * + * For the full copyright and license information, please view the LICENSE + * file that was distributed with this source code. + */ + +namespace Symfony\Component\Security\Acl\Domain; + +use Symfony\Component\Security\Acl\Exception\NoAceFoundException; +use Symfony\Component\Security\Acl\Exception\SidNotLoadedException; +use Symfony\Component\Security\Acl\Model\AclInterface; +use Symfony\Component\Security\Acl\Model\AuditLoggerInterface; +use Symfony\Component\Security\Acl\Model\EntryInterface; +use Symfony\Component\Security\Acl\Model\PermissionGrantingStrategyInterface; +use Symfony\Component\Security\Acl\Model\SecurityIdentityInterface; + +/** + * The permission granting strategy to apply to the access control list. + * + * @author Johannes M. Schmitt + */ +class PermissionGrantingStrategy implements PermissionGrantingStrategyInterface +{ + const EQUAL = 'equal'; + const ALL = 'all'; + const ANY = 'any'; + + private $auditLogger; + + /** + * Sets the audit logger + * + * @param AuditLoggerInterface $auditLogger + * @return void + */ + public function setAuditLogger(AuditLoggerInterface $auditLogger) + { + $this->auditLogger = $auditLogger; + } + + /** + * {@inheritDoc} + */ + public function isGranted(AclInterface $acl, array $masks, array $sids, $administrativeMode = false) + { + try { + try { + $aces = $acl->getObjectAces(); + + if (!$aces) { + throw new NoAceFoundException(); + } + + return $this->hasSufficientPermissions($acl, $aces, $masks, $sids, $administrativeMode); + } catch (NoAceFoundException $noObjectAce) { + $aces = $acl->getClassAces(); + + if (!$aces) { + throw $noObjectAce; + } + + return $this->hasSufficientPermissions($acl, $aces, $masks, $sids, $administrativeMode); + } + } catch (NoAceFoundException $noClassAce) { + if ($acl->isEntriesInheriting() && null !== $parentAcl = $acl->getParentAcl()) { + return $parentAcl->isGranted($masks, $sids, $administrativeMode); + } + + throw $noClassAce; + } + } + + /** + * {@inheritDoc} + */ + public function isFieldGranted(AclInterface $acl, $field, array $masks, array $sids, $administrativeMode = false) + { + try { + try { + $aces = $acl->getObjectFieldAces($field); + if (!$aces) { + throw new NoAceFoundException(); + } + + return $this->hasSufficientPermissions($acl, $aces, $masks, $sids, $administrativeMode); + } catch (NoAceFoundException $noObjectAces) { + $aces = $acl->getClassFieldAces($field); + if (!$aces) { + throw $noObjectAces; + } + + return $this->hasSufficientPermissions($acl, $aces, $masks, $sids, $administrativeMode); + } + } catch (NoAceFoundException $noClassAces) { + if ($acl->isEntriesInheriting() && null !== $parentAcl = $acl->getParentAcl()) { + return $parentAcl->isFieldGranted($field, $masks, $sids, $administrativeMode); + } + + throw $noClassAces; + } + } + + /** + * Makes an authorization decision. + * + * The order of ACEs, and SIDs is significant; the order of permission masks + * not so much. It is important to note that the more specific security + * identities should be at the beginning of the SIDs array in order for this + * strategy to produce intuitive authorization decisions. + * + * First, we will iterate over permissions, then over security identities. + * For each combination of permission, and identity we will test the + * available ACEs until we find one which is applicable. + * + * The first applicable ACE will make the ultimate decision for the + * permission/identity combination. If it is granting, this method will return + * true, if it is denying, the method will continue to check the next + * permission/identity combination. + * + * This process is repeated until either a granting ACE is found, or no + * permission/identity combinations are left. In the latter case, we will + * call this method on the parent ACL if it exists, and isEntriesInheriting + * is true. Otherwise, we will either throw an NoAceFoundException, or deny + * access finally. + * + * @param AclInterface $acl + * @param array $aces An array of ACE to check against + * @param array $masks An array of permission masks + * @param array $sids An array of SecurityIdentityInterface implementations + * @param Boolean $administrativeMode True turns off audit logging + * @return Boolean true, or false; either granting, or denying access respectively. + */ + private function hasSufficientPermissions(AclInterface $acl, array $aces, array $masks, array $sids, $administrativeMode) + { + $firstRejectedAce = null; + + foreach ($masks as $requiredMask) { + foreach ($sids as $sid) { + foreach ($aces as $ace) { + if ($sid->equals($ace->getSecurityIdentity()) && $this->isAceApplicable($requiredMask, $ace)) { + if ($ace->isGranting()) { + if (!$administrativeMode && null !== $this->auditLogger) { + $this->auditLogger->logIfNeeded(true, $ace); + } + + return true; + } + + if (null === $firstRejectedAce) { + $firstRejectedAce = $ace; + } + + break 2; + } + } + } + } + + if (null !== $firstRejectedAce) { + if (!$administrativeMode && null !== $this->auditLogger) { + $this->auditLogger->logIfNeeded(false, $firstRejectedAce); + } + + return false; + } + + throw new NoAceFoundException(); + } + + /** + * Determines whether the ACE is applicable to the given permission/security + * identity combination. + * + * Per default, we support three different comparison strategies. + * + * Strategy ALL: + * The ACE will be considered applicable when all the turned-on bits in the + * required mask are also turned-on in the ACE mask. + * + * Strategy ANY: + * The ACE will be considered applicable when any of the turned-on bits in + * the required mask is also turned-on the in the ACE mask. + * + * Strategy EQUAL: + * The ACE will be considered applicable when the bitmasks are equal. + * + * @param integer $requiredMask + * @param EntryInterface $ace + * @return Boolean + */ + private function isAceApplicable($requiredMask, EntryInterface $ace) + { + $strategy = $ace->getStrategy(); + if (self::ALL === $strategy) { + return $requiredMask === ($ace->getMask() & $requiredMask); + } else if (self::ANY === $strategy) { + return 0 !== ($ace->getMask() & $requiredMask); + } else if (self::EQUAL === $strategy) { + return $requiredMask === $ace->getMask(); + } + + throw new \RuntimeException(sprintf('The strategy "%s" is not supported.', $strategy)); + } +}