diff --git a/src/Janus/ServiceRegistry/Security/Authorization/Voter/SspVoter.php b/src/Janus/ServiceRegistry/Security/Authorization/Voter/SspVoter.php
index c0000715..bdda6c1e 100644
--- a/src/Janus/ServiceRegistry/Security/Authorization/Voter/SspVoter.php
+++ b/src/Janus/ServiceRegistry/Security/Authorization/Voter/SspVoter.php
@@ -6,6 +6,7 @@
 use Janus\ServiceRegistry\Bundle\CoreBundle\DependencyInjection\ConfigProxy;
 use Janus\ServiceRegistry\Entity\Connection\Revision;
 use Janus\ServiceRegistry\Entity\User;
+use sspmod_janus_Entity;
 use Symfony\Component\Security\Core\Authorization\Voter\VoterInterface;
 use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
 use Symfony\Component\Security\Core\Role\Role;
@@ -78,7 +79,7 @@ public function supportsClass($class)
 * ACCESS_GRANTED, ACCESS_DENIED, or ACCESS_ABSTAIN.
 *
 * @param TokenInterface $token A TokenInterface instance
- * @param \sspmod_janus_Entity $object The object to secure
+ * @param sspmod_janus_Entity $object The object to secure
 * @param array $attributes An array of attributes associated with the method being invoked
 *
 * @return integer either ACCESS_GRANTED, ACCESS_ABSTAIN, or ACCESS_DENIED
@@ -106,7 +107,7 @@ public function vote(TokenInterface $token, $object, array $attributes)
 /**
 * @param \stdClass $object
- * @return \sspmod_janus_Entity
+ * @return sspmod_janus_Entity
 * @throws \RuntimeException
 */
 protected function getEntityForObject($object)
@@ -121,7 +122,7 @@ protected function getEntityForObject($object)
 return null;
 }
- if ($object instanceof \sspmod_janus_Entity) {
+ if ($object instanceof sspmod_janus_Entity) {
 return $object;
 }
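Review bot: The `@return sspmod_janus_Entity` tag in getEntityForObject's docblock (the third hunk) still describes a non-null return, while the fourth hunk shows a `return null;` path inside the same method; the tag should read `@return sspmod_janus_Entity|null` so callers know they must handle the null before passing the result to getEntityControllerForEntity, whose parameter is typed non-nullable. The body of getEntityForObject starts and ends outside these hunks, so any further return paths cannot be checked here.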
@@ -137,11 +138,11 @@ protected function getEntityForObject($object)
 /**
 * @param User $user
 * @param string $right
- * @param \sspmod_janus_Entity $entity
+ * @param sspmod_janus_Entity $entity
 * @param string $entityWorkflowState
 * @return bool
 */
- protected function voteAttribute(User $user, $right, \sspmod_janus_Entity $entity = null, $entityWorkflowState = null)
+ protected function voteAttribute(User $user, $right, sspmod_janus_Entity $entity = null, $entityWorkflowState = null)
 {
 // 'normalize' to all lowercase without whitespace
 $right = strtolower(str_replace(' ', '', $right));
@@ -156,15 +157,10 @@ protected function voteAttribute(User $user, $right, \sspmod_janus_Entity $entit
 return $this->voteAttribute($user, static::RIGHT_ALL_ENTITIES);
 }
- if ($entity && isset($this->access[$right][static::CONFIG_WORKFLOW_STATES][$entityWorkflowState])) {
- $allowedRoles = $this->access[$right][static::CONFIG_WORKFLOW_STATES][$entityWorkflowState];
- } elseif (isset($this->access[$right][static::CONFIG_WORKFLOW_STATES][static::CONFIG_WORKFLOW_STATE_ALL])) {
- $allowedRoles = $this->access[$right][static::CONFIG_WORKFLOW_STATES][static::CONFIG_WORKFLOW_STATE_ALL];
- } else if (isset($this->access[$right][static::CONFIG_DEFAULT_PERMISSION])) {
- // Return default permission for element
- return (bool) $this->access[$right][static::CONFIG_DEFAULT_PERMISSION];
- } else {
- return false;
+ $allowedRoles = $this->getAllowedRoles($right, $entity, $entityWorkflowState);
+
+ if (!$allowedRoles) {
+ return $this->getDefaultVote($right);
 }
 $roles = $user->getRoles();
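Review bot: In the refactored voteAttribute, `if (!$allowedRoles)` sends an explicitly configured but empty role list for a workflow state to getDefaultVote, whereas the replaced `isset(...)` chain only fell through when no workflow-state entry existed at all; an empty array is a configured value, and "no role may do this" should be decided by the role comparison that follows, not by the per-right default, which may be a grant. getAllowedRoles is documented as returning `string[]|null`, so test for the absence marker instead: `if ($allowedRoles === null) {`. The role comparison after `$roles = $user->getRoles();` and the rest of voteAttribute lie outside the hunk, so I cannot confirm here how an empty list was previously resolved.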
@@ -197,10 +193,10 @@ protected function voteAttribute(User $user, $right, \sspmod_janus_Entity $entit
 }
 /**
- * @param \sspmod_janus_Entity $entity
+ * @param sspmod_janus_Entity $entity
 * @return \sspmod_janus_EntityController
 */
- protected function getEntityControllerForEntity(\sspmod_janus_Entity $entity)
+ protected function getEntityControllerForEntity(sspmod_janus_Entity $entity)
 {
 if (!isset($this->entityControllers[$entity->getId()])) {
 $controller = new \sspmod_janus_EntityController($this->configuration);
@@ -225,4 +221,37 @@ protected function getEntityControllerForEntityId($entityId)
 return $this->entityControllers[$entityId];
 }
+
+ /**
+ * Check if the given right only belongs to users with specific roles.
+ *
+ * @param string $right
+ * @param sspmod_janus_Entity $entity
+ * @param string|null $entityWorkflowState
+ * @return string[]|null
+ */
+ private function getAllowedRoles($right, sspmod_janus_Entity $entity = null, $entityWorkflowState = null)
+ {
+ // If we have an entity and it is at a specific workflow state, check if we have a specific right for that.
+ if ($entity && isset($this->access[$right][static::CONFIG_WORKFLOW_STATES][$entityWorkflowState])) {
+ return $this->access[$right][static::CONFIG_WORKFLOW_STATES][$entityWorkflowState];
+ }
+
+ // Otherwise check if we have the right for all workflow states.
+ if (isset($this->access[$right][static::CONFIG_WORKFLOW_STATES][static::CONFIG_WORKFLOW_STATE_ALL])) {
+ return $this->access[$right][static::CONFIG_WORKFLOW_STATES][static::CONFIG_WORKFLOW_STATE_ALL];
+ }
+
+ return null;
+ }
+
+ private function getDefaultVote($right)
+ {
+ if (!isset($this->access[$right][static::CONFIG_DEFAULT_PERMISSION])) {
+ // Return default permission for element
+ return (bool) $this->access[$right][static::CONFIG_DEFAULT_PERMISSION];
+ }
+
+ return false;
+ }
 }
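Review bot: getDefaultVote inverts the branch it replaces: the removed code returned the configured value only when `isset($this->access[$right][static::CONFIG_DEFAULT_PERMISSION])` held, but the new method casts and returns the value when the key is *not* set (an undefined index, so always false after the cast, plus a notice) and returns `false` when it is set, so a configured default permission is never honoured and every fallback vote silently becomes a deny. Drop the negation: `if (isset($this->access[$right][static::CONFIG_DEFAULT_PERMISSION])) {`. getDefaultVote also lacks the docblock its sibling getAllowedRoles has; add `@param string $right` and `@return bool` above it, stating that it yields the per-right default used when no role list applies.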