mirror of
https://gitlab.com/Chill-Projet/chill-bundles.git
synced 2025-06-07 18:44:08 +00:00
336 lines
11 KiB
PHP
336 lines
11 KiB
PHP
<?php
|
|
|
|
declare(strict_types=1);
|
|
|
|
namespace Chill\MainBundle\Security\Authorization;
|
|
|
|
use Chill\MainBundle\Entity\User;
|
|
use Chill\MainBundle\Entity\Center;
|
|
use Chill\MainBundle\Entity\HasCenterInterface;
|
|
use Chill\MainBundle\Entity\HasScopeInterface;
|
|
use Chill\MainBundle\Repository\UserACLAwareRepository;
|
|
use Chill\MainBundle\Repository\UserACLAwareRepositoryInterface;
|
|
use Chill\MainBundle\Security\ParentRoleHelper;
|
|
use Chill\MainBundle\Security\Resolver\CenterResolverDispatcher;
|
|
use Chill\MainBundle\Security\Resolver\ScopeResolverDispatcher;
|
|
use Chill\MainBundle\Security\Resolver\ScopeResolverInterface;
|
|
use Psr\Log\LoggerInterface;
|
|
use Symfony\Component\DependencyInjection\ParameterBag\ParameterBagInterface;
|
|
use Symfony\Component\Security\Core\Role\RoleHierarchyInterface;
|
|
use Symfony\Component\Security\Core\Role\Role;
|
|
use Chill\MainBundle\Entity\Scope;
|
|
use Chill\MainBundle\Security\RoleProvider;
|
|
use Doctrine\ORM\EntityManagerInterface;
|
|
use Chill\MainBundle\Entity\GroupCenter;
|
|
use Chill\MainBundle\Entity\RoleScope;
|
|
use Symfony\Component\Security\Core\User\UserInterface;
|
|
|
|
/**
|
|
* Helper for authorizations.
|
|
*
|
|
* Provides methods for user and entities information.
|
|
*/
|
|
class AuthorizationHelper implements AuthorizationHelperInterface
|
|
{
|
|
private CenterResolverDispatcher $centerResolverDispatcher;
|
|
|
|
private ScopeResolverDispatcher $scopeResolverDispatcher;
|
|
|
|
private LoggerInterface $logger;
|
|
|
|
private UserACLAwareRepositoryInterface $userACLAwareRepository;
|
|
|
|
private ParentRoleHelper $parentRoleHelper;
|
|
|
|
public function __construct(
|
|
CenterResolverDispatcher $centerResolverDispatcher,
|
|
LoggerInterface $logger,
|
|
ScopeResolverDispatcher $scopeResolverDispatcher,
|
|
UserACLAwareRepositoryInterface $userACLAwareRepository,
|
|
ParentRoleHelper $parentRoleHelper
|
|
) {
|
|
$this->centerResolverDispatcher = $centerResolverDispatcher;
|
|
$this->logger = $logger;
|
|
$this->scopeResolverDispatcher = $scopeResolverDispatcher;
|
|
$this->userACLAwareRepository = $userACLAwareRepository;
|
|
$this->parentRoleHelper = $parentRoleHelper;
|
|
}
|
|
|
|
/**
|
|
* Determines if a user is active on this center
|
|
*
|
|
* @param Center|Center[] $center May be an array of center
|
|
*/
|
|
public function userCanReachCenter(User $user, $center): bool
|
|
{
|
|
if ($center instanceof \Traversable) {
|
|
foreach ($center as $c) {
|
|
if ($c->userCanReachCenter($user, $c)) {
|
|
return true;
|
|
}
|
|
}
|
|
return false;
|
|
}
|
|
|
|
if ($center instanceof Center) {
|
|
foreach ($user->getGroupCenters() as $groupCenter) {
|
|
if ($center->getId() === $groupCenter->getCenter()->getId()) {
|
|
return true;
|
|
}
|
|
}
|
|
|
|
return false;
|
|
}
|
|
|
|
throw new \UnexpectedValueException(
|
|
sprintf(
|
|
'The entity given is not an instance of %s, %s given',
|
|
Center::class,
|
|
get_class($center)
|
|
)
|
|
);
|
|
}
|
|
|
|
/**
|
|
* Determines if the user has access to the given entity.
|
|
*
|
|
* if the entity implements Chill\MainBundle\Entity\HasScopeInterface,
|
|
* the scope is taken into account.
|
|
*
|
|
* @param User $user
|
|
* @param mixed $entity the entity may also implement HasScopeInterface
|
|
* @param string|Role $attribute
|
|
* @return boolean true if the user has access
|
|
*/
|
|
public function userHasAccess(User $user, $entity, $attribute)
|
|
{
|
|
$center = $this->centerResolverDispatcher->resolveCenter($entity);
|
|
|
|
if (is_iterable($center)) {
|
|
foreach ($center as $c) {
|
|
if ($this->userHasAccessForCenter($user, $c, $entity, $attribute)) {
|
|
return true;
|
|
}
|
|
}
|
|
|
|
return false;
|
|
} elseif ($center instanceof Center) {
|
|
return $this->userHasAccessForCenter($user, $center, $entity, $attribute);
|
|
} elseif (NULL === $center) {
|
|
return false;
|
|
} else {
|
|
throw new \UnexpectedValueException("could not resolver a center");
|
|
}
|
|
}
|
|
|
|
private function userHasAccessForCenter(User $user, Center $center, $entity, $attribute): bool
|
|
{
|
|
if (!$this->userCanReachCenter($user, $center)) {
|
|
$this->logger->debug("user cannot reach center of entity", [
|
|
'center_name' => $center->getName(),
|
|
'user' => $user->getUsername()
|
|
]);
|
|
return false;
|
|
}
|
|
|
|
foreach ($user->getGroupCenters() as $groupCenter){
|
|
//filter on center
|
|
if ($groupCenter->getCenter() === $center) {
|
|
$permissionGroup = $groupCenter->getPermissionsGroup();
|
|
//iterate on roleScopes
|
|
foreach($permissionGroup->getRoleScopes() as $roleScope) {
|
|
//check that the role allow to reach the required role
|
|
if ($this->isRoleReached($attribute, $roleScope->getRole())) {
|
|
//if yes, we have a right on something...
|
|
// perform check on scope if necessary
|
|
if ($this->scopeResolverDispatcher->isConcerned($entity)) {
|
|
$scope = $this->scopeResolverDispatcher->resolveScope($entity);
|
|
|
|
if (NULL === $scope) {
|
|
return true;
|
|
}
|
|
|
|
if (is_iterable($scope)) {
|
|
foreach ($scope as $s) {
|
|
if ($s === $roleScope->getScope()) {
|
|
return true;
|
|
}
|
|
}
|
|
} else {
|
|
if ($scope === $roleScope->getScope()) {
|
|
return true;
|
|
}
|
|
}
|
|
} else {
|
|
return true;
|
|
}
|
|
}
|
|
}
|
|
}
|
|
}
|
|
|
|
$this->logger->debug("user can reach center entity, but not role", [
|
|
'username' => $user->getUsername(),
|
|
'center' => $center->getName()
|
|
]);
|
|
|
|
return false;
|
|
}
|
|
|
|
/**
|
|
* Get reachable Centers for the given user, role,
|
|
* and optionally Scope
|
|
*
|
|
* @return Center[]|array
|
|
*/
|
|
public function getReachableCenters(UserInterface $user, string $role, ?Scope $scope = null): array
|
|
{
|
|
if ($role instanceof Role) {
|
|
$role = $role->getRole();
|
|
}
|
|
$centers = array();
|
|
|
|
foreach ($user->getGroupCenters() as $groupCenter){
|
|
$permissionGroup = $groupCenter->getPermissionsGroup();
|
|
//iterate on roleScopes
|
|
foreach($permissionGroup->getRoleScopes() as $roleScope) {
|
|
//check that the role is in the reachable roles
|
|
if ($this->isRoleReached($role, $roleScope->getRole())) {
|
|
if ($scope === null) {
|
|
$centers[] = $groupCenter->getCenter();
|
|
break 1;
|
|
}
|
|
|
|
if ($scope->getId() == $roleScope->getScope()->getId()){
|
|
$centers[] = $groupCenter->getCenter();
|
|
break 1;
|
|
}
|
|
}
|
|
}
|
|
|
|
}
|
|
|
|
return $centers;
|
|
}
|
|
|
|
/**
|
|
* Filter an array of centers, return only center which are reachable
|
|
*
|
|
* @param User $user The user
|
|
* @param array $centers a list of centers which are going to be filtered
|
|
* @param string|Center $role
|
|
*/
|
|
public function filterReachableCenters(User $user, array $centers, $role): array
|
|
{
|
|
$results = [];
|
|
|
|
if ($role instanceof Role) {
|
|
$role = $role->getRole();
|
|
}
|
|
|
|
foreach ($centers as $center) {
|
|
if ($this->userCanReachCenter($user, $center)) {
|
|
$results[] = $center;
|
|
}
|
|
}
|
|
|
|
return $results;
|
|
}
|
|
|
|
/**
|
|
* Return all reachable scope for a given user, center and role
|
|
*
|
|
* @deprecated Use getReachableCircles
|
|
*
|
|
* @param Center|Center[] $center
|
|
* @return Scope[]|array
|
|
*/
|
|
public function getReachableScopes(UserInterface $user, string $role, $center): array
|
|
{
|
|
if ($role instanceof Role) {
|
|
$role = $role->getRole();
|
|
}
|
|
|
|
return $this->getReachableCircles($user, $role, $center);
|
|
}
|
|
|
|
/**
|
|
* Return all reachable circle for a given user, center and role
|
|
*
|
|
* @param string|Role $role
|
|
* @param Center|Center[] $center
|
|
* @return Scope[]
|
|
*/
|
|
public function getReachableCircles(UserInterface $user, $role, $center)
|
|
{
|
|
$scopes = [];
|
|
|
|
if (is_iterable($center)) {
|
|
foreach ($center as $c) {
|
|
$scopes = \array_merge($scopes, $this->getReachableCircles($user, $role, $c));
|
|
}
|
|
|
|
return $scopes;
|
|
}
|
|
|
|
if ($role instanceof Role) {
|
|
$role = $role->getRole();
|
|
}
|
|
|
|
foreach ($user->getGroupCenters() as $groupCenter){
|
|
if ($center->getId() === $groupCenter->getCenter()->getId()) {
|
|
//iterate on permissionGroup
|
|
$permissionGroup = $groupCenter->getPermissionsGroup();
|
|
//iterate on roleScopes
|
|
foreach($permissionGroup->getRoleScopes() as $roleScope) {
|
|
//check that the role is in the reachable roles
|
|
if ($this->isRoleReached($role, $roleScope->getRole())) {
|
|
$scopes[] = $roleScope->getScope();
|
|
}
|
|
}
|
|
}
|
|
}
|
|
|
|
return $scopes;
|
|
}
|
|
|
|
/**
|
|
*
|
|
* @deprecated use UserACLAwareRepositoryInterface::findUsersByReachedACL instead
|
|
* @param Center|Center[]|array $center
|
|
* @param Scope|Scope[]|array|null $scope
|
|
* @param bool $onlyActive true if get only active users
|
|
* @return User[]
|
|
*/
|
|
public function findUsersReaching(string $role, $center, $scope = null, bool $onlyEnabled = true): array
|
|
{
|
|
return $this->userACLAwareRepository
|
|
->findUsersByReachedACL($role, $center, $scope, $onlyEnabled);
|
|
}
|
|
|
|
/**
|
|
* Test if a parent role may give access to a given child role
|
|
*
|
|
* @param string $childRole The role we want to test if he is reachable
|
|
* @param string $parentRole The role which should give access to $childRole
|
|
* @return boolean true if the child role is granted by parent role
|
|
*/
|
|
private function isRoleReached(string $childRole, string $parentRole)
|
|
{
|
|
return $this->parentRoleHelper->isRoleReached($childRole, $parentRole);
|
|
}
|
|
|
|
/**
|
|
* Return all the role which give access to the given role. Only the role
|
|
* which are registered into Chill are taken into account.
|
|
*
|
|
* @param string $role
|
|
* @return string[] the role which give access to the given $role
|
|
*/
|
|
public function getParentRoles(string $role): array
|
|
{
|
|
trigger_deprecation('Chill\MainBundle', '2.0', 'use ParentRoleHelper::getParentRoles instead');
|
|
return $this->parentRoleHelper->getParentRoles($role);
|
|
}
|
|
}
|