1 | <?php |
||||
2 | |||||
3 | /* |
||||
4 | * This file is part of the API Platform project. |
||||
5 | * |
||||
6 | * (c) Kévin Dunglas <[email protected]> |
||||
7 | * |
||||
8 | * For the full copyright and license information, please view the LICENSE |
||||
9 | * file that was distributed with this source code. |
||||
10 | */ |
||||
11 | |||||
12 | declare(strict_types=1); |
||||
13 | |||||
14 | namespace ApiPlatform\Core\Security; |
||||
15 | |||||
16 | use Symfony\Component\ExpressionLanguage\ExpressionLanguage; |
||||
17 | use Symfony\Component\Security\Core\Authentication\AuthenticationTrustResolverInterface; |
||||
18 | use Symfony\Component\Security\Core\Authentication\Token\Storage\TokenStorageInterface; |
||||
19 | use Symfony\Component\Security\Core\Authentication\Token\TokenInterface; |
||||
20 | use Symfony\Component\Security\Core\Authorization\AuthorizationCheckerInterface; |
||||
21 | use Symfony\Component\Security\Core\Role\Role; |
||||
22 | use Symfony\Component\Security\Core\Role\RoleHierarchyInterface; |
||||
23 | |||||
24 | /** |
||||
25 | * Checks if the logged user has sufficient permissions to access the given resource. |
||||
26 | * |
||||
27 | * @author Kévin Dunglas <[email protected]> |
||||
28 | */ |
||||
29 | final class ResourceAccessChecker implements ResourceAccessCheckerInterface |
||||
30 | { |
||||
31 | private $expressionLanguage; |
||||
32 | private $authenticationTrustResolver; |
||||
33 | private $roleHierarchy; |
||||
34 | private $tokenStorage; |
||||
35 | private $authorizationChecker; |
||||
36 | |||||
37 | public function __construct(ExpressionLanguage $expressionLanguage = null, AuthenticationTrustResolverInterface $authenticationTrustResolver = null, RoleHierarchyInterface $roleHierarchy = null, TokenStorageInterface $tokenStorage = null, AuthorizationCheckerInterface $authorizationChecker = null) |
||||
38 | { |
||||
39 | $this->expressionLanguage = $expressionLanguage; |
||||
40 | $this->authenticationTrustResolver = $authenticationTrustResolver; |
||||
41 | $this->roleHierarchy = $roleHierarchy; |
||||
42 | $this->tokenStorage = $tokenStorage; |
||||
43 | $this->authorizationChecker = $authorizationChecker; |
||||
44 | } |
||||
45 | |||||
46 | public function isGranted(string $resourceClass, string $expression, array $extraVariables = []): bool |
||||
47 | { |
||||
48 | if (null === $this->tokenStorage || null === $this->authenticationTrustResolver) { |
||||
49 | throw new \LogicException('The "symfony/security" library must be installed to use the "security" attribute.'); |
||||
50 | } |
||||
51 | if (null === $token = $this->tokenStorage->getToken()) { |
||||
52 | throw new \LogicException('The current token must be set to use the "security" attribute (is the URL behind a firewall?).'); |
||||
53 | } |
||||
54 | if (null === $this->expressionLanguage) { |
||||
55 | throw new \LogicException('The "symfony/expression-language" library must be installed to use the "security".'); |
||||
56 | } |
||||
57 | |||||
58 | return (bool) $this->expressionLanguage->evaluate($expression, array_merge($extraVariables, $this->getVariables($token))); |
||||
59 | } |
||||
60 | |||||
61 | /** |
||||
62 | * @copyright Fabien Potencier <[email protected]> |
||||
63 | * |
||||
64 | * @see https://github.com/symfony/symfony/blob/master/src/Symfony/Component/Security/Core/Authorization/Voter/ExpressionVoter.php |
||||
65 | */ |
||||
66 | private function getVariables(TokenInterface $token): array |
||||
67 | { |
||||
68 | return [ |
||||
69 | 'token' => $token, |
||||
70 | 'user' => $token->getUser(), |
||||
71 | 'roles' => $this->getEffectiveRoles($token), |
||||
72 | 'trust_resolver' => $this->authenticationTrustResolver, |
||||
73 | // needed for the is_granted expression function |
||||
74 | 'auth_checker' => $this->authorizationChecker, |
||||
75 | ]; |
||||
76 | } |
||||
77 | |||||
78 | /** |
||||
79 | * @return string[] |
||||
80 | */ |
||||
81 | private function getEffectiveRoles(TokenInterface $token): array |
||||
82 | { |
||||
83 | if (null === $this->roleHierarchy) { |
||||
84 | return method_exists($token, 'getRoleNames') ? $token->getRoleNames() : array_map('strval', $token->getRoles()); |
||||
0 ignored issues
–
show
|
|||||
85 | } |
||||
86 | |||||
87 | if (method_exists($this->roleHierarchy, 'getReachableRoleNames')) { |
||||
88 | return $this->roleHierarchy->getReachableRoleNames($token->getRoleNames()); |
||||
89 | } |
||||
90 | |||||
91 | return array_map(function (Role $role): string { |
||||
92 | return $role->getRole(); |
||||
93 | }, $this->roleHierarchy->getReachableRoles($token->getRoles())); |
||||
0 ignored issues
–
show
The function
Symfony\Component\Securi...enInterface::getRoles() has been deprecated: since Symfony 4.3, use the getRoleNames() method instead
(
Ignorable by Annotation
)
If this is a false-positive, you can also ignore this issue in your code via the
This function has been deprecated. The supplier of the function has supplied an explanatory message. The explanatory message should give you some clue as to whether and when the function will be removed and what other function to use instead.
Loading history...
|
|||||
94 | } |
||||
95 | } |
||||
96 |
This function has been deprecated. The supplier of the function has supplied an explanatory message.
The explanatory message should give you some clue as to whether and when the function will be removed and what other function to use instead.