add acl on report search

2025-06-14 14:24:24 +00:00 · 2015-06-30 00:19:10 +02:00 · 2015-06-30 00:19:10 +02:00 · a16a097550
commit a16a097550
parent f14255c0fc
3 changed files with 82 additions and 4 deletions
--- a/Resources/config/services.yml
+++ b/Resources/config/services.yml
@ -8,6 +8,8 @@ services:
        class: Chill\ReportBundle\Search\ReportSearch
        arguments:
            - '@doctrine.orm.entity_manager'
+            - '@chill.main.security.authorization.helper'
+            - '@security.token_storage'
        calls:
            - [setContainer, ["@service_container"]]
        tags:
--- a/Search/ReportSearch.php
+++ b/Search/ReportSearch.php
@ -24,6 +24,11 @@ use Chill\MainBundle\Search\AbstractSearch;
 use Doctrine\ORM\EntityManagerInterface;
 use Symfony\Component\DependencyInjection\ContainerAwareInterface;
 use Chill\MainBundle\Search\ParsingException;
+use Doctrine\ORM\QueryBuilder;
+use Chill\MainBundle\Security\Authorization\AuthorizationHelper;
+use Symfony\Component\Security\Core\Authentication\Token\Storage\TokenStorageInterface;
+use Symfony\Component\Security\Core\Role\Role;
+use Chill\MainBundle\Entity\Scope;

 /**
 * Search amongst reports
@ -39,9 +44,28 @@ class ReportSearch extends AbstractSearch implements ContainerAwareInterface
     */
    private $em;
    
-    public function __construct(EntityManagerInterface $em)
+    /**
+     *
+     * @var AuthorizationHelper
+     */
+    private $helper;
+    
+    /**
+     *
+     * @var \Chill\MainBundle\Entity\User
+     */
+    private $user;
+    
+    public function __construct(EntityManagerInterface $em,
+        AuthorizationHelper $helper, TokenStorageInterface $tokenStorage)
    {
        $this->em = $em;
+        $this->helper = $helper;
+        
+        if(! $tokenStorage->getToken()->getUser() instanceof \Chill\MainBundle\Entity\User) {
+            throw new \RuntimeException('an user must be associated with token');
+        }
+        $this->user = $tokenStorage->getToken()->getUser();
    }

    public function getOrder()
@ -120,9 +144,40 @@ class ReportSearch extends AbstractSearch implements ContainerAwareInterface
                    ;
        }
        
+        $query->andWhere($this->addACL($query));
+        
        return $query;
    }
    
+    private function addACL(QueryBuilder $qb)
+    {
+        //adding join
+        $qb->join('r.person', 'p');
+        
+        $role = new Role('CHILL_REPORT_SEE');
+        $reachableCenters = $this->helper->getReachableCenters($this->user, $role);
+        
+        $whereElement = $qb->expr()->orX();
+        $i = 0;
+        foreach ($reachableCenters as $center) {
+            $reachableScopesId = array_map(
+                    function (Scope $scope) { return $scope->getId(); },
+                    $this->helper->getReachableScopes($this->user, $role, $center)
+                    );
+            $whereElement->add(
+                    $qb->expr()->andX(
+                        $qb->expr()->eq('p.center', ':center_'.$i),
+                        $qb->expr()->in('r.scope', ':reachable_scopes_'.$i)
+                    )
+                )
+                ;
+            $qb->setParameter('center_'.$i, $center);
+            $qb->setParameter('reachable_scopes_'.$i, $reachableScopesId);
+        }
+        
+        return $whereElement;
+    }
+
    public function supports($domain)
    {
        return $domain === 'report';
--- a/Tests/Search/ReportSearchTest.php
+++ b/Tests/Search/ReportSearchTest.php
@ -90,17 +90,38 @@ class ReportSearchTest extends WebTestCase
        $this->assertGreaterThan(0, $crawler->filter('.error')->count());
    }
    
+    /**
+     * Test that the user do not see unauthorized results
+     * 
+     * We test for that that : 
+     * - we do not see any unauthorized scope mention
+     */
+    public function testUsersDoNotSeeUnauthorizedResults()
+    {
+        $clientSocial = $this->getAuthenticatedClient();
+        $clientAdministrative = $this->getAuthenticatedClient('center a_administrative');
        
+        $params = array('q' => '@report date:2015-01-05');
+        
+        $crawlerSocial = $clientSocial->request('GET', '/fr/search', $params);
+        $crawlerAdministrative = $clientAdministrative->request('GET', '/fr/search', $params);
+        
+        
+        $this->assertNotContains('social', $crawlerAdministrative->filter('.content')
+                ->text());
+        $this->assertNotContains('administrative', $crawlerAdministrative->filter('.content')
+                ->text());
+    }
    
    
    /**
     * 
     * @return \Symfony\Component\BrowserKit\Client
     */
-    private function getAuthenticatedClient()
+    private function getAuthenticatedClient($username = 'center a_social')
    {
        return static::createClient(array(), array(
-           'PHP_AUTH_USER' => 'center a_social',
+           'PHP_AUTH_USER' => $username,
           'PHP_AUTH_PW'   => 'password',
        ));
    }