Completed
Push — ezp30878_cant_add_image_with_p... ( e19ea7...263f1b )
by
unknown
20:16
created

PermissionResolver::getCurrentUserReference()   A

Complexity

Conditions 1
Paths 1

Size

Total Lines 4

Duplication

Lines 0
Ratio 0 %

Importance

Changes 0
Metric Value
cc 1
nc 1
nop 0
dl 0
loc 4
rs 10
c 0
b 0
f 0
1
<?php
2
3
/**
4
 * @copyright Copyright (C) eZ Systems AS. All rights reserved.
5
 * @license For full copyright and license information view LICENSE file distributed with this source code.
6
 */
7
namespace eZ\Publish\Core\Repository\Permission;
8
9
use eZ\Publish\API\Repository\PermissionResolver as PermissionResolverInterface;
10
use eZ\Publish\API\Repository\Repository as RepositoryInterface;
11
use eZ\Publish\API\Repository\Values\User\Limitation;
12
use eZ\Publish\API\Repository\Values\User\UserReference as APIUserReference;
13
use eZ\Publish\API\Repository\Values\ValueObject;
14
use eZ\Publish\Core\Base\Exceptions\InvalidArgumentValue;
15
use eZ\Publish\Core\Repository\Helper\LimitationService;
16
use eZ\Publish\Core\Repository\Helper\RoleDomainMapper;
17
use eZ\Publish\SPI\Limitation\Type as LimitationType;
18
use eZ\Publish\SPI\Persistence\User\Handler as UserHandler;
19
use Exception;
20
21
/**
22
 * Core implementation of PermissionResolver interface.
23
 */
24
class PermissionResolver implements PermissionResolverInterface
25
{
26
    /**
27
     * Counter for the current sudo nesting level {@see sudo()}.
28
     *
29
     * @var int
30
     */
31
    private $sudoNestingLevel = 0;
32
33
    /**
34
     * @var \eZ\Publish\Core\Repository\Helper\RoleDomainMapper
35
     */
36
    private $roleDomainMapper;
37
38
    /**
39
     * @var \eZ\Publish\Core\Repository\Helper\LimitationService
40
     */
41
    private $limitationService;
42
43
    /**
44
     * @var \eZ\Publish\SPI\Persistence\User\Handler
45
     */
46
    private $userHandler;
47
48
    /**
49
     * Currently logged in user reference for permission purposes.
50
     *
51
     * @var \eZ\Publish\API\Repository\Values\User\UserReference
52
     */
53
    private $currentUserRef;
54
55
    /**
56
     * @param \eZ\Publish\Core\Repository\Helper\RoleDomainMapper $roleDomainMapper
57
     * @param \eZ\Publish\Core\Repository\Helper\LimitationService $limitationService
58
     * @param \eZ\Publish\SPI\Persistence\User\Handler $userHandler
59
     * @param \eZ\Publish\API\Repository\Values\User\UserReference $userReference
60
     */
61
    public function __construct(
62
        RoleDomainMapper $roleDomainMapper,
63
        LimitationService $limitationService,
64
        UserHandler $userHandler,
65
        APIUserReference $userReference
66
    ) {
67
        $this->roleDomainMapper = $roleDomainMapper;
68
        $this->limitationService = $limitationService;
69
        $this->userHandler = $userHandler;
70
        $this->currentUserRef = $userReference;
71
    }
72
73
    public function getCurrentUserReference()
74
    {
75
        return $this->currentUserRef;
76
    }
77
78
    public function setCurrentUserReference(APIUserReference $userReference)
79
    {
80
        $id = $userReference->getUserId();
81
        if (!$id) {
82
            throw new InvalidArgumentValue('$user->getUserId()', $id);
83
        }
84
85
        $this->currentUserRef = $userReference;
86
    }
87
88
    public function hasAccess($module, $function, APIUserReference $userReference = null)
89
    {
90
        // Full access if sudo nesting level is set by {@see sudo()}
91
        if ($this->sudoNestingLevel > 0) {
92
            return true;
93
        }
94
95
        if ($userReference === null) {
96
            $userReference = $this->getCurrentUserReference();
97
        }
98
99
        // Uses SPI to avoid triggering permission checks in Role/User service
100
        $permissionSets = [];
101
        $spiRoleAssignments = $this->userHandler->loadRoleAssignmentsByGroupId($userReference->getUserId(), true);
102
        foreach ($spiRoleAssignments as $spiRoleAssignment) {
103
            $permissionSet = ['limitation' => null, 'policies' => []];
104
105
            $spiRole = $this->userHandler->loadRole($spiRoleAssignment->roleId);
106
            foreach ($spiRole->policies as $spiPolicy) {
107
                if ($spiPolicy->module === '*' && $spiRoleAssignment->limitationIdentifier === null) {
108
                    return true;
109
                }
110
111
                if ($spiPolicy->module !== $module && $spiPolicy->module !== '*') {
112
                    continue;
113
                }
114
115
                if ($spiPolicy->function === '*' && $spiRoleAssignment->limitationIdentifier === null) {
116
                    return true;
117
                }
118
119
                if ($spiPolicy->function !== $function && $spiPolicy->function !== '*') {
120
                    continue;
121
                }
122
123
                if ($spiPolicy->limitations === '*' && $spiRoleAssignment->limitationIdentifier === null) {
124
                    return true;
125
                }
126
127
                $permissionSet['policies'][] = $this->roleDomainMapper->buildDomainPolicyObject($spiPolicy);
128
            }
129
130
            if (!empty($permissionSet['policies'])) {
131
                if ($spiRoleAssignment->limitationIdentifier !== null) {
132
                    $permissionSet['limitation'] = $this->limitationService
133
                        ->getLimitationType($spiRoleAssignment->limitationIdentifier)
134
                        ->buildValue($spiRoleAssignment->values);
0 ignored issues
show
Bug introduced by
It seems like $spiRoleAssignment->values can also be of type null; however, eZ\Publish\SPI\Limitation\Type::buildValue() does only seem to accept array<integer,*>, maybe add an additional type check?

If a method or function can return multiple different values and unless you are sure that you only can receive a single value in this context, we recommend to add an additional type check:

/**
 * @return array|string
 */
function returnsDifferentValues($x) {
    if ($x) {
        return 'foo';
    }

    return array();
}

$x = returnsDifferentValues($y);
if (is_array($x)) {
    // $x is an array.
}

If this a common case that PHP Analyzer should handle natively, please let us know by opening an issue.

Loading history...
135
                }
136
137
                $permissionSets[] = $permissionSet;
138
            }
139
        }
140
141
        if (!empty($permissionSets)) {
142
            return $permissionSets;
143
        }
144
145
        return false; // No policies matching $module and $function, or they contained limitations
146
    }
147
148
    public function canUser($module, $function, ValueObject $object, array $targets = [])
149
    {
150
        $permissionSets = $this->hasAccess($module, $function);
151
        if ($permissionSets === false || $permissionSets === true) {
152
            return $permissionSets;
153
        }
154
155
        if (empty($targets)) {
156
            $targets = null;
157
        }
158
159
        $currentUserRef = $this->getCurrentUserReference();
160
        foreach ($permissionSets as $permissionSet) {
0 ignored issues
show
Bug introduced by
The expression $permissionSets of type boolean|array is not guaranteed to be traversable. How about adding an additional type check?

There are different options of fixing this problem.

  1. If you want to be on the safe side, you can add an additional type-check:

    $collection = json_decode($data, true);
    if ( ! is_array($collection)) {
        throw new \RuntimeException('$collection must be an array.');
    }
    
    foreach ($collection as $item) { /** ... */ }
    
  2. If you are sure that the expression is traversable, you might want to add a doc comment cast to improve IDE auto-completion and static analysis:

    /** @var array $collection */
    $collection = json_decode($data, true);
    
    foreach ($collection as $item) { /** .. */ }
    
  3. Mark the issue as a false-positive: Just hover the remove button, in the top-right corner of this issue for more options.

Loading history...
161
            /**
162
             * First deal with Role limitation if any.
163
             *
164
             * Here we accept ACCESS_GRANTED and ACCESS_ABSTAIN, the latter in cases where $object and $targets
165
             * are not supported by limitation.
166
             *
167
             * @var \eZ\Publish\API\Repository\Values\User\Limitation[]
168
             */
169
            if ($permissionSet['limitation'] instanceof Limitation) {
170
                $type = $this->limitationService->getLimitationType($permissionSet['limitation']->getIdentifier());
171
                $accessVote = $type->evaluate($permissionSet['limitation'], $currentUserRef, $object, $targets);
0 ignored issues
show
Bug introduced by
It seems like $targets defined by parameter $targets on line 148 can also be of type array; however, eZ\Publish\SPI\Limitation\Type::evaluate() does only seem to accept null|array<integer,objec...ry\Values\ValueObject>>, maybe add an additional type check?

This check looks at variables that have been passed in as parameters and are passed out again to other methods.

If the outgoing method call has stricter type requirements than the method itself, an issue is raised.

An additional type check may prevent trouble.

Loading history...
172
                if ($accessVote === LimitationType::ACCESS_DENIED) {
173
                    continue;
174
                }
175
            }
176
177
            /**
178
             * Loop over all policies.
179
             *
180
             * These are already filtered by hasAccess and given hasAccess did not return boolean
181
             * there must be some, so only return true if one of them says yes.
182
             *
183
             * @var \eZ\Publish\API\Repository\Values\User\Policy
184
             */
185
            foreach ($permissionSet['policies'] as $policy) {
186
                $limitations = $policy->getLimitations();
187
188
                /*
189
                 * Return true if policy gives full access (aka no limitations)
190
                 */
191
                if ($limitations === '*') {
192
                    return true;
193
                }
194
195
                /*
196
                 * Loop over limitations, all must return ACCESS_GRANTED for policy to pass.
197
                 * If limitations was empty array this means same as '*'
198
                 */
199
                $limitationsPass = true;
200
                foreach ($limitations as $limitation) {
201
                    $type = $this->limitationService->getLimitationType($limitation->getIdentifier());
202
                    $accessVote = $type->evaluate($limitation, $currentUserRef, $object, $targets);
0 ignored issues
show
Bug introduced by
It seems like $targets defined by parameter $targets on line 148 can also be of type array; however, eZ\Publish\SPI\Limitation\Type::evaluate() does only seem to accept null|array<integer,objec...ry\Values\ValueObject>>, maybe add an additional type check?

This check looks at variables that have been passed in as parameters and are passed out again to other methods.

If the outgoing method call has stricter type requirements than the method itself, an issue is raised.

An additional type check may prevent trouble.

Loading history...
203
                    /*
204
                     * For policy limitation atm only support ACCESS_GRANTED
205
                     *
206
                     * Reasoning: Right now, use of a policy limitation not valid for a policy is per definition a
207
                     * BadState. To reach this you would have to configure the "policyMap" wrongly, like using
208
                     * Node (Location) limitation on state/assign. So in this case Role Limitations will return
209
                     * ACCESS_ABSTAIN (== no access here), and other limitations will throw InvalidArgument above,
210
                     * both cases forcing dev to investigate to find miss configuration. This might be relaxed in
211
                     * the future if valid use cases for ACCESS_ABSTAIN on policy limitations becomes known.
212
                     */
213
                    if ($accessVote !== LimitationType::ACCESS_GRANTED) {
214
                        $limitationsPass = false;
215
                        break; // Break to next policy, all limitations must pass
216
                    }
217
                }
218
                if ($limitationsPass) {
219
                    return true;
220
                }
221
            }
222
        }
223
224
        return false; // None of the limitation sets wanted to let you in, sorry!
225
    }
226
227
    /**
228
     * @internal For internal use only, do not depend on this method.
229
     *
230
     * Allows API execution to be performed with full access sand-boxed.
231
     *
232
     * The closure sandbox will do a catch all on exceptions and rethrow after
233
     * re-setting the sudo flag.
234
     *
235
     * Example use:
236
     *     $location = $repository->sudo(
237
     *         function ( Repository $repo ) use ( $locationId )
238
     *         {
239
     *             return $repo->getLocationService()->loadLocation( $locationId )
240
     *         }
241
     *     );
242
     *
243
     *
244
     * @param \Closure $callback
245
     * @param \eZ\Publish\API\Repository\Repository $outerRepository
246
     *
247
     * @throws \RuntimeException Thrown on recursive sudo() use.
248
     * @throws \Exception Re throws exceptions thrown inside $callback
249
     *
250
     * @return mixed
251
     */
252 View Code Duplication
    public function sudo(\Closure $callback, RepositoryInterface $outerRepository)
253
    {
254
        ++$this->sudoNestingLevel;
255
        try {
256
            $returnValue = $callback($outerRepository);
257
        } catch (Exception $e) {
258
            --$this->sudoNestingLevel;
259
            throw $e;
260
        }
261
262
        --$this->sudoNestingLevel;
263
264
        return $returnValue;
265
    }
266
}
267