vendor/symfony/security-acl/Voter/AclVoter.php line 54

Open in your IDE?
  1. <?php
  3. /*
  4.  * This file is part of the Symfony package.
  5.  *
  6.  * (c) Fabien Potencier <fabien@symfony.com>
  7.  *
  8.  * For the full copyright and license information, please view the LICENSE
  9.  * file that was distributed with this source code.
  10.  */
  12. namespace Symfony\Component\Security\Acl\Voter;
  14. use Psr\Log\LoggerInterface;
  15. use Symfony\Component\Security\Acl\Exception\AclNotFoundException;
  16. use Symfony\Component\Security\Acl\Exception\NoAceFoundException;
  17. use Symfony\Component\Security\Acl\Model\AclProviderInterface;
  18. use Symfony\Component\Security\Acl\Model\ObjectIdentityInterface;
  19. use Symfony\Component\Security\Acl\Model\ObjectIdentityRetrievalStrategyInterface;
  20. use Symfony\Component\Security\Acl\Model\SecurityIdentityRetrievalStrategyInterface;
  21. use Symfony\Component\Security\Acl\Permission\PermissionMapInterface;
  22. use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
  23. use Symfony\Component\Security\Core\Authorization\Voter\VoterInterface;
  25. if (class_exists(\Symfony\Component\Security\Core\Security::class)) {
  26.     /**
  27.      * @internal
  28.      */
  29.     trait AclVoterTrait
  30.     {
  31.         public function vote(TokenInterface $token$subject, array $attributes)
  32.         {
  33.             return $this->doVote($token$subject$attributes);
  34.         }
  35.     }
  36. } else {
  37.     /**
  38.      * @internal
  39.      */
  40.     trait AclVoterTrait
  41.     {
  42.         public function vote(TokenInterface $tokenmixed $subject, array $attributes): int
  43.         {
  44.             return $this->doVote($token$subject$attributes);
  45.         }
  46.     }
  47. }
  49. /**
  50.  * This voter can be used as a base class for implementing your own permissions.
  51.  *
  52.  * @author Johannes M. Schmitt <schmittjoh@gmail.com>
  53.  */
  54. class AclVoter implements VoterInterface
  55. {
  56.     use AclVoterTrait;
  58.     private $aclProvider;
  59.     private $permissionMap;
  60.     private $objectIdentityRetrievalStrategy;
  61.     private $securityIdentityRetrievalStrategy;
  62.     private $allowIfObjectIdentityUnavailable;
  63.     private $logger;
  65.     public function __construct(AclProviderInterface $aclProviderObjectIdentityRetrievalStrategyInterface $oidRetrievalStrategySecurityIdentityRetrievalStrategyInterface $sidRetrievalStrategyPermissionMapInterface $permissionMapLoggerInterface $logger null$allowIfObjectIdentityUnavailable true)
  66.     {
  67.         $this->aclProvider $aclProvider;
  68.         $this->permissionMap $permissionMap;
  69.         $this->objectIdentityRetrievalStrategy $oidRetrievalStrategy;
  70.         $this->securityIdentityRetrievalStrategy $sidRetrievalStrategy;
  71.         $this->logger $logger;
  72.         $this->allowIfObjectIdentityUnavailable $allowIfObjectIdentityUnavailable;
  73.     }
  75.     public function supportsAttribute($attribute)
  76.     {
  77.         return \is_string($attribute) && $this->permissionMap->contains($attribute);
  78.     }
  80.     private function doVote(TokenInterface $token$subject, array $attributes): int
  81.     {
  82.         foreach ($attributes as $attribute) {
  83.             if (!$this->supportsAttribute($attribute)) {
  84.                 continue;
  85.             }
  87.             if (null === $masks $this->permissionMap->getMasks($attribute$subject)) {
  88.                 continue;
  89.             }
  91.             if (null === $subject) {
  92.                 if (null !== $this->logger) {
  93.                     $this->logger->debug(sprintf('Object identity unavailable. Voting to %s.'$this->allowIfObjectIdentityUnavailable 'grant access' 'abstain'));
  94.                 }
  96.                 return $this->allowIfObjectIdentityUnavailable self::ACCESS_GRANTED self::ACCESS_ABSTAIN;
  97.             } elseif ($subject instanceof FieldVote) {
  98.                 $field $subject->getField();
  99.                 $subject $subject->getDomainObject();
  100.             } else {
  101.                 $field null;
  102.             }
  104.             if ($subject instanceof ObjectIdentityInterface) {
  105.                 $oid $subject;
  106.             } elseif (null === $oid $this->objectIdentityRetrievalStrategy->getObjectIdentity($subject)) {
  107.                 if (null !== $this->logger) {
  108.                     $this->logger->debug(sprintf('Object identity unavailable. Voting to %s.'$this->allowIfObjectIdentityUnavailable 'grant access' 'abstain'));
  109.                 }
  111.                 return $this->allowIfObjectIdentityUnavailable self::ACCESS_GRANTED self::ACCESS_ABSTAIN;
  112.             }
  114.             if (!$this->supportsClass($oid->getType())) {
  115.                 return self::ACCESS_ABSTAIN;
  116.             }
  118.             $sids $this->securityIdentityRetrievalStrategy->getSecurityIdentities($token);
  120.             try {
  121.                 $acl $this->aclProvider->findAcl($oid$sids);
  123.                 if (null === $field && $acl->isGranted($masks$sidsfalse)) {
  124.                     if (null !== $this->logger) {
  125.                         $this->logger->debug('ACL found, permission granted. Voting to grant access.');
  126.                     }
  128.                     return self::ACCESS_GRANTED;
  129.                 } elseif (null !== $field && $acl->isFieldGranted($field$masks$sidsfalse)) {
  130.                     if (null !== $this->logger) {
  131.                         $this->logger->debug('ACL found, permission granted. Voting to grant access.');
  132.                     }
  134.                     return self::ACCESS_GRANTED;
  135.                 }
  137.                 if (null !== $this->logger) {
  138.                     $this->logger->debug('ACL found, insufficient permissions. Voting to deny access.');
  139.                 }
  141.                 return self::ACCESS_DENIED;
  142.             } catch (AclNotFoundException $e) {
  143.                 if (null !== $this->logger) {
  144.                     $this->logger->debug('No ACL found for the object identity. Voting to deny access.');
  145.                 }
  147.                 return self::ACCESS_DENIED;
  148.             } catch (NoAceFoundException $e) {
  149.                 if (null !== $this->logger) {
  150.                     $this->logger->debug('ACL found, no ACE applicable. Voting to deny access.');
  151.                 }
  153.                 return self::ACCESS_DENIED;
  154.             }
  155.         }
  157.         // no attribute was supported
  158.         return self::ACCESS_ABSTAIN;
  159.     }
  161.     /**
  162.      * You can override this method when writing a voter for a specific domain
  163.      * class.
  164.      *
  165.      * @param string $class The class name
  166.      *
  167.      * @return bool
  168.      */
  169.     public function supportsClass($class)
  170.     {
  171.         return true;
  172.     }
  173. }