add acl on report search
This commit is contained in:
parent
f14255c0fc
commit
a16a097550
@ -8,6 +8,8 @@ services:
|
|||||||
class: Chill\ReportBundle\Search\ReportSearch
|
class: Chill\ReportBundle\Search\ReportSearch
|
||||||
arguments:
|
arguments:
|
||||||
- '@doctrine.orm.entity_manager'
|
- '@doctrine.orm.entity_manager'
|
||||||
|
- '@chill.main.security.authorization.helper'
|
||||||
|
- '@security.token_storage'
|
||||||
calls:
|
calls:
|
||||||
- [setContainer, ["@service_container"]]
|
- [setContainer, ["@service_container"]]
|
||||||
tags:
|
tags:
|
||||||
|
@ -24,6 +24,11 @@ use Chill\MainBundle\Search\AbstractSearch;
|
|||||||
use Doctrine\ORM\EntityManagerInterface;
|
use Doctrine\ORM\EntityManagerInterface;
|
||||||
use Symfony\Component\DependencyInjection\ContainerAwareInterface;
|
use Symfony\Component\DependencyInjection\ContainerAwareInterface;
|
||||||
use Chill\MainBundle\Search\ParsingException;
|
use Chill\MainBundle\Search\ParsingException;
|
||||||
|
use Doctrine\ORM\QueryBuilder;
|
||||||
|
use Chill\MainBundle\Security\Authorization\AuthorizationHelper;
|
||||||
|
use Symfony\Component\Security\Core\Authentication\Token\Storage\TokenStorageInterface;
|
||||||
|
use Symfony\Component\Security\Core\Role\Role;
|
||||||
|
use Chill\MainBundle\Entity\Scope;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Search amongst reports
|
* Search amongst reports
|
||||||
@ -39,9 +44,28 @@ class ReportSearch extends AbstractSearch implements ContainerAwareInterface
|
|||||||
*/
|
*/
|
||||||
private $em;
|
private $em;
|
||||||
|
|
||||||
public function __construct(EntityManagerInterface $em)
|
/**
|
||||||
|
*
|
||||||
|
* @var AuthorizationHelper
|
||||||
|
*/
|
||||||
|
private $helper;
|
||||||
|
|
||||||
|
/**
|
||||||
|
*
|
||||||
|
* @var \Chill\MainBundle\Entity\User
|
||||||
|
*/
|
||||||
|
private $user;
|
||||||
|
|
||||||
|
public function __construct(EntityManagerInterface $em,
|
||||||
|
AuthorizationHelper $helper, TokenStorageInterface $tokenStorage)
|
||||||
{
|
{
|
||||||
$this->em = $em;
|
$this->em = $em;
|
||||||
|
$this->helper = $helper;
|
||||||
|
|
||||||
|
if(! $tokenStorage->getToken()->getUser() instanceof \Chill\MainBundle\Entity\User) {
|
||||||
|
throw new \RuntimeException('an user must be associated with token');
|
||||||
|
}
|
||||||
|
$this->user = $tokenStorage->getToken()->getUser();
|
||||||
}
|
}
|
||||||
|
|
||||||
public function getOrder()
|
public function getOrder()
|
||||||
@ -120,8 +144,39 @@ class ReportSearch extends AbstractSearch implements ContainerAwareInterface
|
|||||||
;
|
;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
$query->andWhere($this->addACL($query));
|
||||||
|
|
||||||
return $query;
|
return $query;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
private function addACL(QueryBuilder $qb)
|
||||||
|
{
|
||||||
|
//adding join
|
||||||
|
$qb->join('r.person', 'p');
|
||||||
|
|
||||||
|
$role = new Role('CHILL_REPORT_SEE');
|
||||||
|
$reachableCenters = $this->helper->getReachableCenters($this->user, $role);
|
||||||
|
|
||||||
|
$whereElement = $qb->expr()->orX();
|
||||||
|
$i = 0;
|
||||||
|
foreach ($reachableCenters as $center) {
|
||||||
|
$reachableScopesId = array_map(
|
||||||
|
function (Scope $scope) { return $scope->getId(); },
|
||||||
|
$this->helper->getReachableScopes($this->user, $role, $center)
|
||||||
|
);
|
||||||
|
$whereElement->add(
|
||||||
|
$qb->expr()->andX(
|
||||||
|
$qb->expr()->eq('p.center', ':center_'.$i),
|
||||||
|
$qb->expr()->in('r.scope', ':reachable_scopes_'.$i)
|
||||||
|
)
|
||||||
|
)
|
||||||
|
;
|
||||||
|
$qb->setParameter('center_'.$i, $center);
|
||||||
|
$qb->setParameter('reachable_scopes_'.$i, $reachableScopesId);
|
||||||
|
}
|
||||||
|
|
||||||
|
return $whereElement;
|
||||||
|
}
|
||||||
|
|
||||||
public function supports($domain)
|
public function supports($domain)
|
||||||
{
|
{
|
||||||
|
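Review bot: `addACL()` fails open when the user has no reachable centre for `CHILL_REPORT_SEE`: the `foreach` then adds nothing to `$whereElement`, and, if I remember Doctrine's `Expr\Base::add()` correctly, an empty composite handed to `andWhere()` is silently discarded, so the query runs with no ACL restriction at all and returns every report. Return a never-true predicate in that case, e.g. just before `return $whereElement;` add `if (0 === $whereElement->count()) { return $qb->expr()->eq('1', '0'); }`, and likewise `continue` past a centre whose `$reachableScopesId` is empty, since `IN (:reachable_scopes_N)` bound to an empty array does not produce valid SQL. Separately, the constructor calls `$tokenStorage->getToken()->getUser()` without checking that `getToken()` returned a token, so in any context where no token is set yet (a console command, or the service being instantiated before authentication) it dies on a null dereference instead of reaching the intended `RuntimeException`; resolving the user lazily inside `addACL()`, or at least `$token = $tokenStorage->getToken(); if (null === $token || ! $token->getUser() instanceof \Chill\MainBundle\Entity\User) {`, avoids both. The method that calls `addACL()` begins outside its hunk, and the constructor point applies to the `@ -39,9 +44,28` hunk above.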
@ -90,17 +90,38 @@ class ReportSearchTest extends WebTestCase
|
|||||||
$this->assertGreaterThan(0, $crawler->filter('.error')->count());
|
$this->assertGreaterThan(0, $crawler->filter('.error')->count());
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Test that the user do not see unauthorized results
|
||||||
|
*
|
||||||
|
* We test for that that :
|
||||||
|
* - we do not see any unauthorized scope mention
|
||||||
|
*/
|
||||||
|
public function testUsersDoNotSeeUnauthorizedResults()
|
||||||
|
{
|
||||||
|
$clientSocial = $this->getAuthenticatedClient();
|
||||||
|
$clientAdministrative = $this->getAuthenticatedClient('center a_administrative');
|
||||||
|
|
||||||
|
$params = array('q' => '@report date:2015-01-05');
|
||||||
|
|
||||||
|
$crawlerSocial = $clientSocial->request('GET', '/fr/search', $params);
|
||||||
|
$crawlerAdministrative = $clientAdministrative->request('GET', '/fr/search', $params);
|
||||||
|
|
||||||
|
|
||||||
|
$this->assertNotContains('social', $crawlerAdministrative->filter('.content')
|
||||||
|
->text());
|
||||||
|
$this->assertNotContains('administrative', $crawlerAdministrative->filter('.content')
|
||||||
|
->text());
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
/**
|
/**
|
||||||
*
|
*
|
||||||
* @return \Symfony\Component\BrowserKit\Client
|
* @return \Symfony\Component\BrowserKit\Client
|
||||||
*/
|
*/
|
||||||
private function getAuthenticatedClient()
|
private function getAuthenticatedClient($username = 'center a_social')
|
||||||
{
|
{
|
||||||
return static::createClient(array(), array(
|
return static::createClient(array(), array(
|
||||||
'PHP_AUTH_USER' => 'center a_social',
|
'PHP_AUTH_USER' => $username,
|
||||||
'PHP_AUTH_PW' => 'password',
|
'PHP_AUTH_PW' => 'password',
|
||||||
));
|
));
|
||||||
}
|
}
|
||||||
|
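Review bot: The second assertion in `testUsersDoNotSeeUnauthorizedResults` checks `$crawlerAdministrative` for the string `'administrative'`, which looks like a copy-paste slip — `$crawlerSocial` is requested but never asserted on, and the docblock's intent is that each user misses the other's scope, so the line should presumably read `$this->assertNotContains('administrative', $crawlerSocial->filter('.content')->text());`. As written the test also passes on an empty result page (for instance if the ACL hid everything, or no fixture report exists for `2015-01-05`), so it does not show that authorised results are still returned; a positive check such as `$this->assertContains('social', $crawlerSocial->filter('.content')->text());` would close that gap, provided the `center a_social` fixture has a report on that date. On `getAuthenticatedClient()`, the docblock should document the new parameter, e.g. `@param string $username the fixture user to authenticate as (defaults to 'center a_social')`.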