vendor/symfony/security-acl/Voter/AclVoter.php line 30

Open in your IDE?
  1. <?php
  3. /*
  4.  * This file is part of the Symfony package.
  5.  *
  6.  * (c) Fabien Potencier <fabien@symfony.com>
  7.  *
  8.  * For the full copyright and license information, please view the LICENSE
  9.  * file that was distributed with this source code.
  10.  */
  12. namespace Symfony\Component\Security\Acl\Voter;
  14. use Psr\Log\LoggerInterface;
  15. use Symfony\Component\Security\Acl\Exception\NoAceFoundException;
  16. use Symfony\Component\Security\Acl\Exception\AclNotFoundException;
  17. use Symfony\Component\Security\Acl\Model\AclProviderInterface;
  18. use Symfony\Component\Security\Acl\Model\ObjectIdentityInterface;
  19. use Symfony\Component\Security\Acl\Permission\PermissionMapInterface;
  20. use Symfony\Component\Security\Acl\Model\SecurityIdentityRetrievalStrategyInterface;
  21. use Symfony\Component\Security\Acl\Model\ObjectIdentityRetrievalStrategyInterface;
  22. use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
  23. use Symfony\Component\Security\Core\Authorization\Voter\VoterInterface;
  25. /**
  26.  * This voter can be used as a base class for implementing your own permissions.
  27.  *
  28.  * @author Johannes M. Schmitt <schmittjoh@gmail.com>
  29.  */
  30. class AclVoter implements VoterInterface
  31. {
  32.     private $aclProvider;
  33.     private $permissionMap;
  34.     private $objectIdentityRetrievalStrategy;
  35.     private $securityIdentityRetrievalStrategy;
  36.     private $allowIfObjectIdentityUnavailable;
  37.     private $logger;
  39.     public function __construct(AclProviderInterface $aclProviderObjectIdentityRetrievalStrategyInterface $oidRetrievalStrategySecurityIdentityRetrievalStrategyInterface $sidRetrievalStrategyPermissionMapInterface $permissionMapLoggerInterface $logger null$allowIfObjectIdentityUnavailable true)
  40.     {
  41.         $this->aclProvider $aclProvider;
  42.         $this->permissionMap $permissionMap;
  43.         $this->objectIdentityRetrievalStrategy $oidRetrievalStrategy;
  44.         $this->securityIdentityRetrievalStrategy $sidRetrievalStrategy;
  45.         $this->logger $logger;
  46.         $this->allowIfObjectIdentityUnavailable $allowIfObjectIdentityUnavailable;
  47.     }
  49.     public function supportsAttribute($attribute)
  50.     {
  51.         return is_string($attribute) && $this->permissionMap->contains($attribute);
  52.     }
  54.     public function vote(TokenInterface $token$object, array $attributes)
  55.     {
  56.         foreach ($attributes as $attribute) {
  57.             if (!$this->supportsAttribute($attribute)) {
  58.                 continue;
  59.             }
  61.             if (null === $masks $this->permissionMap->getMasks($attribute$object)) {
  62.                 continue;
  63.             }
  65.             if (null === $object) {
  66.                 if (null !== $this->logger) {
  67.                     $this->logger->debug(sprintf('Object identity unavailable. Voting to %s.'$this->allowIfObjectIdentityUnavailable 'grant access' 'abstain'));
  68.                 }
  70.                 return $this->allowIfObjectIdentityUnavailable self::ACCESS_GRANTED self::ACCESS_ABSTAIN;
  71.             } elseif ($object instanceof FieldVote) {
  72.                 $field $object->getField();
  73.                 $object $object->getDomainObject();
  74.             } else {
  75.                 $field null;
  76.             }
  78.             if ($object instanceof ObjectIdentityInterface) {
  79.                 $oid $object;
  80.             } elseif (null === $oid $this->objectIdentityRetrievalStrategy->getObjectIdentity($object)) {
  81.                 if (null !== $this->logger) {
  82.                     $this->logger->debug(sprintf('Object identity unavailable. Voting to %s.'$this->allowIfObjectIdentityUnavailable 'grant access' 'abstain'));
  83.                 }
  85.                 return $this->allowIfObjectIdentityUnavailable self::ACCESS_GRANTED self::ACCESS_ABSTAIN;
  86.             }
  88.             if (!$this->supportsClass($oid->getType())) {
  89.                 return self::ACCESS_ABSTAIN;
  90.             }
  92.             $sids $this->securityIdentityRetrievalStrategy->getSecurityIdentities($token);
  94.             try {
  95.                 $acl $this->aclProvider->findAcl($oid$sids);
  97.                 if (null === $field && $acl->isGranted($masks$sidsfalse)) {
  98.                     if (null !== $this->logger) {
  99.                         $this->logger->debug('ACL found, permission granted. Voting to grant access.');
  100.                     }
  102.                     return self::ACCESS_GRANTED;
  103.                 } elseif (null !== $field && $acl->isFieldGranted($field$masks$sidsfalse)) {
  104.                     if (null !== $this->logger) {
  105.                         $this->logger->debug('ACL found, permission granted. Voting to grant access.');
  106.                     }
  108.                     return self::ACCESS_GRANTED;
  109.                 }
  111.                 if (null !== $this->logger) {
  112.                     $this->logger->debug('ACL found, insufficient permissions. Voting to deny access.');
  113.                 }
  115.                 return self::ACCESS_DENIED;
  116.             } catch (AclNotFoundException $e) {
  117.                 if (null !== $this->logger) {
  118.                     $this->logger->debug('No ACL found for the object identity. Voting to deny access.');
  119.                 }
  121.                 return self::ACCESS_DENIED;
  122.             } catch (NoAceFoundException $e) {
  123.                 if (null !== $this->logger) {
  124.                     $this->logger->debug('ACL found, no ACE applicable. Voting to deny access.');
  125.                 }
  127.                 return self::ACCESS_DENIED;
  128.             }
  129.         }
  131.         // no attribute was supported
  132.         return self::ACCESS_ABSTAIN;
  133.     }
  135.     /**
  136.      * You can override this method when writing a voter for a specific domain
  137.      * class.
  138.      *
  139.      * @param string $class The class name
  140.      *
  141.      * @return bool
  142.      */
  143.     public function supportsClass($class)
  144.     {
  145.         return true;
  146.     }
  147. }