Issues in AclHelper.php - New Issues - Inspection of "[NodeBundle] Allow duplicate with children (#2686..." - Kunstmaan/KunstmaanBundlesCMS - Measure and Improve Code Quality continuously with Scrutinizer

Completed

Push — master ( 06c1ce...67d37c )

by Jeroen

created 2020-06-12 09:11 UTC

AdminBundle/Helper/Security/Acl/AclHelper.php (1 issue)

Labels

Bug 1

Severity

Major 1

Jeroen Thora 1

Upgrade to new PHP Analysis Engine

These results are based on our legacy PHP analysis, consider migrating to our new PHP analysis engine instead. Learn more

<?php

namespace Kunstmaan\AdminBundle\Helper\Security\Acl;

use Doctrine\ORM\EntityManager;
use Doctrine\ORM\Mapping\QuoteStrategy;
use Doctrine\ORM\Query;
use Doctrine\ORM\Query\Parameter;
use Doctrine\ORM\Query\ResultSetMapping;
use Doctrine\ORM\QueryBuilder;
use InvalidArgumentException;
use Kunstmaan\AdminBundle\Helper\Security\Acl\Permission\MaskBuilder;
use Kunstmaan\AdminBundle\Helper\Security\Acl\Permission\PermissionDefinition;
use Symfony\Component\Security\Core\Authentication\Token\Storage\TokenStorageInterface;
use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
use Symfony\Component\Security\Core\Role\RoleHierarchyInterface;

/**
 * AclHelper is a helper class to help setting the permissions when querying using ORM
 *
 * @see https://gist.github.com/1363377
 */
class AclHelper
{
    /**
     * @var EntityManager
     */
    private $em = null;

    /**
     * @var TokenStorageInterface
     */
    private $tokenStorage = null;

    /**
     * @var QuoteStrategy
     */
    private $quoteStrategy = null;

    /**
     * @var RoleHierarchyInterface
     */
    private $roleHierarchy = null;

    /**
     * @var bool
     */
    private $permissionsEnabled;

    /**
     * Constructor.
     *
     * @param EntityManager          $em           The entity manager
     * @param TokenStorageInterface  $tokenStorage The security token storage
     * @param RoleHierarchyInterface $rh           The role hierarchies
     */
    public function __construct(EntityManager $em, TokenStorageInterface $tokenStorage, RoleHierarchyInterface $rh, $permissionsEnabled = true)
    {
        $this->em = $em;
        $this->tokenStorage = $tokenStorage;
        $this->quoteStrategy = $em->getConfiguration()->getQuoteStrategy();
        $this->roleHierarchy = $rh;
        $this->permissionsEnabled = $permissionsEnabled;
    }

    /**
     * Clone specified query with parameters.
     *
     * @param Query $query
     *
     * @return Query
     */
    protected function cloneQuery(Query $query)
    {
        $aclAppliedQuery = clone $query;
        $params = $query->getParameters();
        /* @var $param Parameter */
        foreach ($params as $param) {
            $aclAppliedQuery->setParameter($param->getName(), $param->getValue(), $param->getType());
        }

        return $aclAppliedQuery;
    }

    /**
     * Apply the ACL constraints to the specified query builder, using the permission definition
     *
     * @param QueryBuilder         $queryBuilder  The query builder
     * @param PermissionDefinition $permissionDef The permission definition
     *
     * @return Query
     */
    public function apply(QueryBuilder $queryBuilder, PermissionDefinition $permissionDef)
    {
        if (!$this->permissionsEnabled) {
            return $queryBuilder->getQuery();
        }

        $whereQueryParts = $queryBuilder->getDQLPart('where');
        if (empty($whereQueryParts)) {
            $queryBuilder->where('1 = 1'); // this will help in cases where no where query is specified
        }

        $query = $this->cloneQuery($queryBuilder->getQuery());

        $builder = new MaskBuilder();
        foreach ($permissionDef->getPermissions() as $permission) {
            $mask = \constant(\get_class($builder) . '::MASK_' . strtoupper($permission));
            $builder->add($mask);
        }
        $query->setHint('acl.mask', $builder->get());
        $query->setHint(Query::HINT_CUSTOM_OUTPUT_WALKER, 'Kunstmaan\AdminBundle\Helper\Security\Acl\AclWalker');

        $rootEntity = $permissionDef->getEntity();
        $rootAlias = $permissionDef->getAlias();
        // If either alias or entity was not specified - use default from QueryBuilder
        if (empty($rootEntity) || empty($rootAlias)) {
            $rootEntities = $queryBuilder->getRootEntities();
            $rootAliases = $queryBuilder->getRootAliases();
            $rootEntity = $rootEntities[0];
            $rootAlias = $rootAliases[0];
        }
        $query->setHint('acl.root.entity', $rootEntity);
        $query->setHint('acl.extra.query', $this->getPermittedAclIdsSQLForUser($query));

        $classMeta = $this->em->getClassMetadata($rootEntity);
        $entityRootTableName = $this->quoteStrategy->getTableName(
            $classMeta,
            $this->em->getConnection()->getDatabasePlatform()
        );
        $query->setHint('acl.entityRootTableName', $entityRootTableName);
        $query->setHint('acl.entityRootTableDqlAlias', $rootAlias);

        return $query;
    }

    /**
     * This query works well with small offset, but if want to use it with large offsets please refer to the link on how to implement
     * http://www.scribd.com/doc/14683263/Efficient-Pagination-Using-MySQL
     * This will only check permissions on the first entity added in the from clause, it will not check permissions
     * By default the number of rows returned are 10 starting from 0
     *
     * @param Query $query
     *
     * @return string
     */
    private function getPermittedAclIdsSQLForUser(Query $query)
    {
        $aclConnection = $this->em->getConnection();
        $databasePrefix = is_file($aclConnection->getDatabase()) ? '' : $aclConnection->getDatabase().'.';
        $mask = $query->getHint('acl.mask');
        $rootEntity = '"' . str_replace('\\', '\\\\', $query->getHint('acl.root.entity')) . '"';

        /* @var $token TokenInterface */
        $token = $this->tokenStorage->getToken();
        $userRoles = array();
        $user = null;
        if (!\is_null($token)) {
            $user = $token->getUser();
            if (method_exists($this->roleHierarchy, 'getReachableRoleNames')) {
                $userRoles = $this->roleHierarchy->getReachableRoleNames($token->getRoleNames());
            } else {
                // Symfony 3.4 compatibility
                $userRoles = $this->roleHierarchy->getReachableRoles($token->getRoles());
            }
        }

        // Security context does not provide anonymous role automatically.
        $uR = array('"IS_AUTHENTICATED_ANONYMOUSLY"');

        foreach ($userRoles as $role) {
            // The reason we ignore this is because by default FOSUserBundle adds ROLE_USER for every user
            if (is_string($role)) {
                if ($role !== 'ROLE_USER') {
                    $uR[] = '"' . $role . '"';
                }
            } else {
                // Symfony 3.4 compatibility
                if ($role->getRole() !== 'ROLE_USER') {
                    $uR[] = '"' . $role->getRole() . '"';
                }
            }
        }
        $uR = array_unique($uR);
        $inString = implode(' OR s.identifier = ', $uR);

        if (\is_object($user)) {
            $inString .= ' OR s.identifier = "' . str_replace(
                '\\',
                '\\\\',
                \get_class($user)
            ) . '-' . $user->getUserName() . '"';
class A
{
    public function foo() { }
}

class B extends A
{
    public function bar() { }
}

/**
 * @param A|B $x
 */
function someFunction($x)
{
    $x->foo(); // This call is fine as the method exists in A and B.
    $x->bar(); // This method only exists in B and might cause an error.
}
        }

        $selectQuery = <<<SELECTQUERY
SELECT DISTINCT o.object_identifier as id FROM {$databasePrefix}acl_object_identities as o
INNER JOIN {$databasePrefix}acl_classes c ON c.id = o.class_id
LEFT JOIN {$databasePrefix}acl_entries e ON (
    e.class_id = o.class_id AND (e.object_identity_id = o.id
    OR {$aclConnection->getDatabasePlatform()->getIsNullExpression('e.object_identity_id')})
)
LEFT JOIN {$databasePrefix}acl_security_identities s ON (
s.id = e.security_identity_id
)
WHERE c.class_type = {$rootEntity}
AND (s.identifier = {$inString})
AND e.mask & {$mask} > 0
SELECTQUERY;

        return $selectQuery;
    }

    /**
     * Returns valid IDs for a specific entity with ACL restrictions for current user applied
     *
     * @param PermissionDefinition $permissionDef
     *
     * @throws InvalidArgumentException
     *
     * @return array
     */
    public function getAllowedEntityIds(PermissionDefinition $permissionDef)
    {
        $rootEntity = $permissionDef->getEntity();
        if (empty($rootEntity)) {
            throw new InvalidArgumentException('You have to provide an entity class name!');
        }
        $builder = new MaskBuilder();
        foreach ($permissionDef->getPermissions() as $permission) {
            $mask = \constant(\get_class($builder) . '::MASK_' . strtoupper($permission));
            $builder->add($mask);
        }

        $query = new Query($this->em);
        $query->setHint('acl.mask', $builder->get());
        $query->setHint('acl.root.entity', $rootEntity);
        $sql = $this->getPermittedAclIdsSQLForUser($query);

        $rsm = new ResultSetMapping();
        $rsm->addScalarResult('id', 'id');
        $nativeQuery = $this->em->createNativeQuery($sql, $rsm);

        $transform = function ($item) {
            return $item['id'];
        };
        $result = array_map($transform, $nativeQuery->getScalarResult());

        return $result;
    }

    /**
     * @return null|TokenStorageInterface
     */
    public function getTokenStorage()
    {
        return $this->tokenStorage;
    }
}


Push — master ( 06c1ce...67d37c )

AdminBundle/Helper/Security/Acl/AclHelper.php (1 issue)

Labels

Severity

Introduced By

Upgrade to new PHP Analysis Engine

Available Fixes

1			<?php
2
3			namespace Kunstmaan\AdminBundle\Helper\Security\Acl;
4
5			use Doctrine\ORM\EntityManager;
6			use Doctrine\ORM\Mapping\QuoteStrategy;
7			use Doctrine\ORM\Query;
8			use Doctrine\ORM\Query\Parameter;
9			use Doctrine\ORM\Query\ResultSetMapping;
10			use Doctrine\ORM\QueryBuilder;
11			use InvalidArgumentException;
12			use Kunstmaan\AdminBundle\Helper\Security\Acl\Permission\MaskBuilder;
13			use Kunstmaan\AdminBundle\Helper\Security\Acl\Permission\PermissionDefinition;
14			use Symfony\Component\Security\Core\Authentication\Token\Storage\TokenStorageInterface;
15			use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
16			use Symfony\Component\Security\Core\Role\RoleHierarchyInterface;
17
18			/**
19			* AclHelper is a helper class to help setting the permissions when querying using ORM
20			*
21			* @see https://gist.github.com/1363377
22			*/
23			class AclHelper
24			{
25			/**
26			* @var EntityManager
27			*/
28			private $em = null;
29
30			/**
31			* @var TokenStorageInterface
32			*/
33			private $tokenStorage = null;
34
35			/**
36			* @var QuoteStrategy
37			*/
38			private $quoteStrategy = null;
39
40			/**
41			* @var RoleHierarchyInterface
42			*/
43			private $roleHierarchy = null;
44
45			/**
46			* @var bool
47			*/
48			private $permissionsEnabled;
49
50			/**
51			* Constructor.
52			*
53			* @param EntityManager $em The entity manager
54			* @param TokenStorageInterface $tokenStorage The security token storage
55			* @param RoleHierarchyInterface $rh The role hierarchies
56			*/
57	5	View Code Duplication	public function __construct(EntityManager $em, TokenStorageInterface $tokenStorage, RoleHierarchyInterface $rh, $permissionsEnabled = true)
58			{
59	5		$this->em = $em;
60	5		$this->tokenStorage = $tokenStorage;
61	5		$this->quoteStrategy = $em->getConfiguration()->getQuoteStrategy();
62	5		$this->roleHierarchy = $rh;
63	5		$this->permissionsEnabled = $permissionsEnabled;
64	5		}
65
66			/**
67			* Clone specified query with parameters.
68			*
69			* @param Query $query
70			*
71			* @return Query
72			*/
73	2		protected function cloneQuery(Query $query)
74			{
75	2		$aclAppliedQuery = clone $query;
76	2		$params = $query->getParameters();
77			/* @var $param Parameter */
78	2		foreach ($params as $param) {
79	2		$aclAppliedQuery->setParameter($param->getName(), $param->getValue(), $param->getType());
80			}
81
82	2		return $aclAppliedQuery;
83			}
84
85			/**
86			* Apply the ACL constraints to the specified query builder, using the permission definition
87			*
88			* @param QueryBuilder $queryBuilder The query builder
89			* @param PermissionDefinition $permissionDef The permission definition
90			*
91			* @return Query
92			*/
93	2		public function apply(QueryBuilder $queryBuilder, PermissionDefinition $permissionDef)
94			{
95	2		if (!$this->permissionsEnabled) {
96			return $queryBuilder->getQuery();
97			}
98
99	2		$whereQueryParts = $queryBuilder->getDQLPart('where');
100	2		if (empty($whereQueryParts)) {
101	2		$queryBuilder->where('1 = 1'); // this will help in cases where no where query is specified
102			}
103
104	2		$query = $this->cloneQuery($queryBuilder->getQuery());
105
106	2		$builder = new MaskBuilder();
107	2	View Code Duplication	foreach ($permissionDef->getPermissions() as $permission) {
108	2		$mask = \constant(\get_class($builder) . '::MASK_' . strtoupper($permission));
109	2		$builder->add($mask);
110			}
111	2		$query->setHint('acl.mask', $builder->get());
112	2		$query->setHint(Query::HINT_CUSTOM_OUTPUT_WALKER, 'Kunstmaan\AdminBundle\Helper\Security\Acl\AclWalker');
113
114	2		$rootEntity = $permissionDef->getEntity();
115	2		$rootAlias = $permissionDef->getAlias();
116			// If either alias or entity was not specified - use default from QueryBuilder
117	2		if (empty($rootEntity) \|\| empty($rootAlias)) {
118	2		$rootEntities = $queryBuilder->getRootEntities();
119	2		$rootAliases = $queryBuilder->getRootAliases();
120	2		$rootEntity = $rootEntities[0];
121	2		$rootAlias = $rootAliases[0];
122			}
123	2		$query->setHint('acl.root.entity', $rootEntity);
124	2		$query->setHint('acl.extra.query', $this->getPermittedAclIdsSQLForUser($query));
125
126	2		$classMeta = $this->em->getClassMetadata($rootEntity);
127	2		$entityRootTableName = $this->quoteStrategy->getTableName(
128	2		$classMeta,
129	2		$this->em->getConnection()->getDatabasePlatform()
130			);
131	2		$query->setHint('acl.entityRootTableName', $entityRootTableName);
132	2		$query->setHint('acl.entityRootTableDqlAlias', $rootAlias);
133
134	2		return $query;
135			}
136
137			/**
138			* This query works well with small offset, but if want to use it with large offsets please refer to the link on how to implement
139			* http://www.scribd.com/doc/14683263/Efficient-Pagination-Using-MySQL
140			* This will only check permissions on the first entity added in the from clause, it will not check permissions
141			* By default the number of rows returned are 10 starting from 0
142			*
143			* @param Query $query
144			*
145			* @return string
146			*/
147	3		private function getPermittedAclIdsSQLForUser(Query $query)
148			{
149	3		$aclConnection = $this->em->getConnection();
150	3		$databasePrefix = is_file($aclConnection->getDatabase()) ? '' : $aclConnection->getDatabase().'.';
151	3		$mask = $query->getHint('acl.mask');
152	3		$rootEntity = '"' . str_replace('\\', '\\\\', $query->getHint('acl.root.entity')) . '"';
153
154			/* @var $token TokenInterface */
155	3		$token = $this->tokenStorage->getToken();
156	3		$userRoles = array();
157	3		$user = null;
158	3	View Code Duplication	if (!\is_null($token)) {
159	3		$user = $token->getUser();
160	3		if (method_exists($this->roleHierarchy, 'getReachableRoleNames')) {
161	3		$userRoles = $this->roleHierarchy->getReachableRoleNames($token->getRoleNames());
162			} else {
163			// Symfony 3.4 compatibility
164			$userRoles = $this->roleHierarchy->getReachableRoles($token->getRoles());
165			}
166			}
167
168			// Security context does not provide anonymous role automatically.
169	3		$uR = array('"IS_AUTHENTICATED_ANONYMOUSLY"');
170
171	3	View Code Duplication	foreach ($userRoles as $role) {
172			// The reason we ignore this is because by default FOSUserBundle adds ROLE_USER for every user
173	3		if (is_string($role)) {
174	3		if ($role !== 'ROLE_USER') {
175	3		$uR[] = '"' . $role . '"';
176			}
177			} else {
178			// Symfony 3.4 compatibility
179			if ($role->getRole() !== 'ROLE_USER') {
180			$uR[] = '"' . $role->getRole() . '"';
181			}
182			}
183			}
184	3		$uR = array_unique($uR);
185	3		$inString = implode(' OR s.identifier = ', $uR);
186
187	3	View Code Duplication	if (\is_object($user)) {
188	2		$inString .= ' OR s.identifier = "' . str_replace(
189	2		'\\',
190	2		'\\\\',
191	2		\get_class($user)
192	2		) . '-' . $user->getUserName() . '"';
			0 ignored issues – show Bug introduced 2020-06-11 21:21 UTC by Report Bug Copy Issue Report Show Similar Issues like this The method `getUserName` does only exist in `Symfony\Component\Security\Core\User\UserInterface`, but not in `Stringable`. It seems like the method you are trying to call exists only in some of the possible types. Let’s take a look at an example: class A { public function foo() { } } class B extends A { public function bar() { } } /** * @param A\|B $x / function someFunction($x) { $x->foo(); // This call is fine as the method exists in A and B. $x->bar(); // This method only exists in B and might cause an error. } Available Fixes Add an additional type-check: /* * @param A\|B $x / function someFunction($x) { $x->foo(); if ($x instanceof B) { $x->bar(); } } Only allow a single type to be passed if the variable comes from a parameter: function someFunction(B $x) { /* ... */ } Loading history...
193			}
194
195			$selectQuery = <<<SELECTQUERY
196	3		SELECT DISTINCT o.object_identifier as id FROM {$databasePrefix}acl_object_identities as o
197	3		INNER JOIN {$databasePrefix}acl_classes c ON c.id = o.class_id
198	3		LEFT JOIN {$databasePrefix}acl_entries e ON (
199			e.class_id = o.class_id AND (e.object_identity_id = o.id
200	3		OR {$aclConnection->getDatabasePlatform()->getIsNullExpression('e.object_identity_id')})
201			)
202	3		LEFT JOIN {$databasePrefix}acl_security_identities s ON (
203			s.id = e.security_identity_id
204			)
205	3		WHERE c.class_type = {$rootEntity}
206	3		AND (s.identifier = {$inString})
207	3		AND e.mask & {$mask} > 0
208			SELECTQUERY;
209
210	3		return $selectQuery;
211			}
212
213			/**
214			* Returns valid IDs for a specific entity with ACL restrictions for current user applied
215			*
216			* @param PermissionDefinition $permissionDef
217			*
218			* @throws InvalidArgumentException
219			*
220			* @return array
221			*/
222	2		public function getAllowedEntityIds(PermissionDefinition $permissionDef)
223			{
224	2		$rootEntity = $permissionDef->getEntity();
225	2		if (empty($rootEntity)) {
226	1		throw new InvalidArgumentException('You have to provide an entity class name!');
227			}
228	1		$builder = new MaskBuilder();
229	1	View Code Duplication	foreach ($permissionDef->getPermissions() as $permission) {
230	1		$mask = \constant(\get_class($builder) . '::MASK_' . strtoupper($permission));
231	1		$builder->add($mask);
232			}
233
234	1		$query = new Query($this->em);
235	1		$query->setHint('acl.mask', $builder->get());
236	1		$query->setHint('acl.root.entity', $rootEntity);
237	1		$sql = $this->getPermittedAclIdsSQLForUser($query);
238
239	1		$rsm = new ResultSetMapping();
240	1		$rsm->addScalarResult('id', 'id');
241	1		$nativeQuery = $this->em->createNativeQuery($sql, $rsm);
242
243			$transform = function ($item) {
244	1		return $item['id'];
245	1		};
246	1		$result = array_map($transform, $nativeQuery->getScalarResult());
247
248	1		return $result;
249			}
250
251			/**
252			* @return null\|TokenStorageInterface
253			*/
254	1		public function getTokenStorage()
255			{
256	1		return $this->tokenStorage;
257			}
258			}
259

Kunstmaan / KunstmaanBundlesCMS

Push — master ( 06c1ce...67d37c )

AdminBundle/Helper/Security/Acl/AclHelper.php (1 issue)

Labels

Severity

Introduced By

Upgrade to new PHP Analysis Engine

Available Fixes

Duplication Side-by-Side

Filter issues like