39 private $tempPermissions = [];
40 private $tempPermissionIndex = 0;
42 private static $logger = null;
59 if (self::$logger == null) {
76 public function authorize($resource, $context, $action, $login=null, $applyDefaultPolicy=true) {
79 $login = $this->session->getAuthUser();
81 if (self::$logger->isDebugEnabled()) {
82 self::$logger->debug("Checking authorization for: '$resource?$context?$action' and user '".$login."'");
86 $resourceStr = ($resource instanceof ObjectId) ? $resource->__toString() : $resource;
90 $resourceType = $resourceDesc['resourceType'];
91 $oid = $resourceDesc['oid'];
92 $type = $resourceDesc['type'];
93 $oidProperty = $resourceDesc['oidProperty'];
94 $typeProperty = $resourceDesc['typeProperty'];
95 if (self::$logger->isDebugEnabled()) {
96 self::$logger->debug("Resource type: ".$resourceType);
101 switch ($resourceType) {
102 case (self::RESOURCE_TYPE_ENTITY_INSTANCE_PROPERTY):
103 $authorized = $this->authorizeAction($oidProperty, $oidProperty, $context, $action, $login);
104 if ($authorized === null) {
105 $authorized = $this->authorizeAction($oidProperty, $typeProperty, $context, $action, $login);
106 if ($authorized === null) {
107 $authorized = $this->authorizeAction($oidProperty, $oid, $context, $action, $login);
108 if ($authorized === null) {
109 $authorized = $this->authorizeAction($oidProperty, $type, $context, $action, $login);
115 case (self::RESOURCE_TYPE_ENTITY_INSTANCE):
116 $authorized = $this->authorizeAction($oid, $oid, $context, $action, $login);
117 if ($authorized === null) {
118 $authorized = $this->authorizeAction($oid, $type, $context, $action, $login);
122 case (self::RESOURCE_TYPE_ENTITY_TYPE_PROPERTY):
123 $authorized = $this->authorizeAction($typeProperty, $typeProperty, $context, $action, $login);
124 if ($authorized === null) {
125 $authorized = $this->authorizeAction($typeProperty, $type, $context, $action, $login);
130 $authorized = $this->authorizeAction($resourceStr, $resourceStr, $context, $action, $login);
135 if ($authorized === null && $resourceType == self::RESOURCE_TYPE_ENTITY_INSTANCE) {
136 if (self::$logger->isDebugEnabled()) {
137 self::$logger->debug("Check parent objects");
139 $mapper = $this->persistenceFacade->getMapper($type);
140 $parentRelations = $mapper->getRelations('parent');
141 if (sizeof($parentRelations) > 0) {
145 $object = $this->persistenceFacade->load($oidObj);
148 if ($object != null) {
149 foreach ($parentRelations as $parentRelation) {
150 if ($parentRelation->getThisAggregationKind() == 'composite') {
151 $parentType = $parentRelation->getOtherType();
154 $parents = $object->getValue($parentRelation->getOtherRole());
157 if ($parents != null) {
158 if (!$parentRelation->isMultiValued()) {
159 $parents = [$parents];
161 foreach ($parents as $parent) {
162 $authorized = $this->authorize($parent->getOID(), $context, $action);
174 if ($authorized === null && $applyDefaultPolicy) {
177 if (self::$logger->isDebugEnabled()) {
178 self::$logger->debug("Result for $resource?$context?$action: ".(!$authorized ? "not " : "")."authorized");
196 $context, $action, $login) {
197 if (self::$logger->isDebugEnabled()) {
198 self::$logger->debug("Authorizing $requestedResource?$context?$action ".
199 "using permissions of $permissionResource?$context?$action");
205 if (self::$logger->isDebugEnabled()) {
206 self::$logger->debug("Has temporary permission");
212 $permissions = $this->getPermissions($permissionResource, $context, $action);
213 if (self::$logger->isDebugEnabled()) {
216 if ($permissions != null) {
218 $authorized = $this->matchRoles($requestedResource, $permissions, $login);
221 if (self::$logger->isDebugEnabled()) {
222 self::$logger->debug("Result: ".(is_bool($authorized) ? ((!$authorized ? "not " : "")."authorized") : "not defined"));
248 $resourceType = null;
252 $typeProperty = null;
253 $extensionRemoved = preg_replace('/\.[^\.]*?$/', '', $resource);
257 $type = $oidObj->getType();
261 $oid = $extensionRemoved;
262 $type = $oidObj->getType();
263 $oidProperty = $resource;
264 $typeProperty = $type.substr($resource, strlen($extensionRemoved));
266 elseif ($this->persistenceFacade->isKnownType($resource)) {
270 elseif ($this->persistenceFacade->isKnownType($extensionRemoved)) {
272 $type = $extensionRemoved;
273 $typeProperty = $resource;
280 'resourceType' => $resourceType,
283 'oidProperty' => $oidProperty,
284 'typeProperty' => $typeProperty
298 if (strlen($value) == 0) {
307 $roleValues = explode(" ", $value);
308 foreach ($roleValues as $roleValue) {
309 $roleValue = trim($roleValue);
311 preg_match('/^([+-]?)(.+)$/', $roleValue, $matches);
312 if (sizeof($matches) > 0) {
313 $prefix = $matches[1];
316 $result['default'] = $prefix == '-' ? false : true;
319 if ($prefix === '-') {
320 $result['deny'][] = $role;
324 $result['allow'][] = $role;
330 if (!isset($result['default'])) {
331 $result['default'] = false;
348 if (isset($permissions['allow'])) {
349 foreach ($permissions['allow'] as $role) {
353 if (isset($permissions['deny'])) {
354 foreach ($permissions['deny'] as $role) {
358 return trim($result);
371 protected function matchRoles($resource, $permissions, $login) {
372 if (self::$logger->isDebugEnabled()) {
373 self::$logger->debug("Matching roles for ".$login);
375 $user = $this->principalFactory->getUser($login, true);
377 foreach (['allow' => true, 'deny' => false] as $key => $result) {
378 if (isset($permissions[$key])) {
379 foreach ($permissions[$key] as $role) {
380 if ($this->matchRole($user, $role, $resource)) {
381 if (self::$logger->isDebugEnabled()) {
382 self::$logger->debug($key." because of role ".$role);
390 if (self::$logger->isDebugEnabled()) {
391 self::$logger->debug("Check default ".$permissions['default']);
393 return (isset($permissions['default']) ? $permissions['default'] : false);
404 $isDynamicRole = isset($this->dynamicRoles[$role]);
405 return (($isDynamicRole && $this->dynamicRoles[$role]->match($user, $resource) === true)
406 || (!$isDynamicRole && $user->hasRole($role)));
413 $this->tempPermissionIndex++;
415 if (self::$logger->isDebugEnabled()) {
416 self::$logger->debug("Adding temporary permission for '$actionKey'");
418 $handle = $actionKey.'#'.$this->tempPermissionIndex;
419 $this->tempPermissions[$handle] = $actionKey;
427 if (self::$logger->isDebugEnabled()) {
428 self::$logger->debug("Removing temporary permission for '$handle'");
430 unset($this->tempPermissions[$handle]);
437 if (sizeof($this->tempPermissions) == 0) {
442 $permissions = array_flip($this->tempPermissions);
444 if (!isset($permissions[$actionKey])) {
448 switch ($resourceDesc['resourceType']) {
450 $typeResource = $resourceDesc['type'];
453 $typeResource = $resourceDesc['typeProperty'];
456 $typeResource = null;
459 if ($typeResource != null) {
463 return isset($permissions[$actionKey]);
470 $this->tempPermissions = [];
Session is the interface for session implementations and defines access to session variables.
getPermissions($resource, $context, $action)
Permission management.
static getDump($variable, $strlen=100, $width=25, $depth=10, $i=0, &$objects=[])
Get the dump of a variable as string.
setPrincipalFactory(PrincipalFactory $principalFactory)
Set the principal factory instance.
const PERMISSION_MODIFIER_ALLOW
const RESOURCE_TYPE_ENTITY_TYPE
__construct(PersistenceFacade $persistenceFacade, Session $session, array $dynamicRoles=[])
Constructor.
const RESOURCE_TYPE_OTHER
addTempPermission($resource, $context, $action)
StringUtil provides support for string manipulation.
ObjectId is the unique identifier of an object.
hasRole($roleName)
Check for a certain role in the user roles.
static parse($oid)
Parse a serialized object id string into an ObjectId instance.
const RESOURCE_TYPE_ENTITY_INSTANCE
matchRoles($resource, $permissions, $login)
Matches the roles of the user and the roles in the given permissions.
static createKey($resource, $context, $action)
Create an action key from the given values.
PersistenceFacade defines the interface for PersistenceFacade implementations.
deserializePermissions($value)
Parse a permissions string and return an associative array with the keys 'default', 'allow' and 'deny'.
static getLogger($name)
Get the logger with the given name.
const RESOURCE_TYPE_ENTITY_TYPE_PROPERTY
hasTempPermission($resource, $context, $action)
An action key is a combination of a resource, context and action that is represented as a string.
parseResource($resource)
Get the resource type and parameters (as applicable) from a resource.
authorize($resource, $context, $action, $login=null, $applyDefaultPolicy=true)
PrincipalFactory implementations are used to retrieve User and Role instances.
AbstractPermissionManager is the base class for concrete PermissionManager implementations.
PermissionManager implementations are used to handle all authorization requests.
LogManager is used to retrieve Logger instances.
removeTempPermission($handle)
PersistenceAction values are used to define actions on PersistentObject instances.
matchRole(User $user, $role, $resource)
Check if a user matches the role for a resource.
authorizeAction($requestedResource, $permissionResource, $context, $action, $login)
Authorize a resource, context, action triple by using the permissions set on another resource (e.g. the permissions of the entity type when an entity instance is requested).
User is the interface for users.
const RESOURCE_TYPE_ENTITY_INSTANCE_PROPERTY
getDefaultPolicy($login)
Get the default policy that is used if no permission is set up for a requested action.
serializePermissions($permissions)
Convert an associative permissions array with keys 'default', 'allow', 'deny' into a string.
const PERMISSION_MODIFIER_DENY