PermissionService - Code Metrics - Inspection of "EZP-26057: fix docblock param type" - ezsystems/ezpublish-kernel - Measure and Improve Code Quality continuously with Scrutinizer

Completed

Push — EZP-26057-permission-api ( dfd049...6b7828 )

unknown

created 2016-07-12 09:25 UTC

PermissionService B

↳ Parent: Project

Complexity

Total Complexity

Size/Duplication

Total Lines	290
Duplicated Lines	5.17 %

Coupling/Cohesion

Components	1
Dependencies	12

Importance

Changes	1
Bugs	0	Features	1

Metric	Value
dl	15
loc	290
c	1
b	0
f	1
rs	8.295
wmc	42
lcom	1
cbo	12

7 Methods

Rating	Name	Duplication	Size	Complexity
A	__construct()	0	17	1
A	getCurrentUser()	0	10	2
A	getCurrentUserReference()	0	4	1
C	hasAccess()	0	59	18
D	canUser()	0	84	14
A	sudo()	0	14	3
A	setCurrentUserReference()	15	15	3

How to fix Duplicated Code Complexity

Duplicated Code

Duplicate code is one of the most pungent code smells. A rule that is often used is to re-structure code once it is duplicated in three or more places.

Common duplication problems, and corresponding solutions are:

If you have the same expression in different places: Extract expression to a method
If you have the same method in different sub-classes: Extract method, and pull up field to the parent class
If you have the same code in unrelated classes: Consider extracting the code to a new class, and injecting that class

Complex Class

Tip: Before tackling complexity, make sure that you eliminate any duplication first. This often can reduce the size of classes significantly.

Complex classes like PermissionService often do a lot of different things. To break such a class down, we need to identify a cohesive component within that class. A common approach to find such a component is to look for fields/methods that share the same prefixes, or suffixes. You can also have a look at the cohesion graph to spot any un-connected, or weakly-connected components.

Once you have determined the fields that belong together, you can apply the Extract Class refactoring. If the component makes sense as a sub-class, Extract Subclass is also a candidate, and is often faster.

While breaking up the class, it is a good idea to analyze how other classes use PermissionService, and based on these observations, apply Extract Interface, too.

<?php

/**
 * @copyright Copyright (C) eZ Systems AS. All rights reserved.
 * @license For full copyright and license information view LICENSE file distributed with this source code.
 */
namespace eZ\Publish\Core\Repository;

use eZ\Publish\API\Repository\PermissionService as PermissionServiceInterface;
use eZ\Publish\API\Repository\Repository as RepositoryInterface;
use eZ\Publish\API\Repository\UserService as UserServiceInterface;
use eZ\Publish\API\Repository\Values\User\User;
use eZ\Publish\API\Repository\Values\User\Limitation;
use eZ\Publish\API\Repository\Values\User\UserReference as APIUserReference;
use eZ\Publish\API\Repository\Values\ValueObject;
use eZ\Publish\Core\Base\Exceptions\InvalidArgumentType;
use eZ\Publish\Core\Base\Exceptions\InvalidArgumentValue;
use eZ\Publish\Core\Repository\Helper\LimitationService;
use eZ\Publish\Core\Repository\Helper\RoleDomainMapper;
use eZ\Publish\Core\Repository\Values\User\UserReference;
use eZ\Publish\SPI\Limitation\Type as LimitationType;
use eZ\Publish\SPI\Persistence\User\Handler as UserHandler;
use Exception;

/**
 * Core implementation of PermissionsService interface.
 */
class PermissionService implements PermissionServiceInterface
{
    /**
     * Counter for the current sudo nesting level {@see sudo()}.
     *
     * @var int
     */
    private $sudoNestingLevel = 0;

    /**
     * @var \eZ\Publish\API\Repository\Repository
     */
    private $repository;

    /**
     * @var \eZ\Publish\API\Repository\UserService
     */
    private $userService;

    /**
     * @var \eZ\Publish\Core\Repository\Helper\RoleDomainMapper
     */
    private $roleDomainMapper;

    /**
     * @var \eZ\Publish\Core\Repository\Helper\LimitationService
     */
    private $limitationService;

    /**
     * @var \eZ\Publish\SPI\Persistence\User\Handler
     */
    private $userHandler;

    /**
     * Currently logged in user object if already loaded.
     *
     * @var \eZ\Publish\API\Repository\Values\User\User|null
     */
    private $currentUser;

    /**
     * Currently logged in user reference for permission purposes.
     *
     * @var \eZ\Publish\API\Repository\Values\User\UserReference
     */
    private $currentUserRef;

    /**
     * @param \eZ\Publish\API\Repository\Repository $repository
     * @param \eZ\Publish\API\Repository\UserService $userService
     * @param \eZ\Publish\Core\Repository\Helper\RoleDomainMapper $roleDomainMapper
     * @param \eZ\Publish\Core\Repository\Helper\LimitationService $limitationService
     * @param \eZ\Publish\SPI\Persistence\User\Handler $userHandler
     * @param \eZ\Publish\API\Repository\Values\User\UserReference $userReference
     * @param \eZ\Publish\API\Repository\Values\User\User $user
     */
    public function __construct(
        RepositoryInterface $repository,
        UserServiceInterface $userService,
        RoleDomainMapper $roleDomainMapper,
        LimitationService $limitationService,
        UserHandler $userHandler,
        APIUserReference $userReference,
        User $user = null
    ) {
        $this->repository = $repository;
        $this->userService = $userService;
        $this->roleDomainMapper = $roleDomainMapper;
        $this->limitationService = $limitationService;
        $this->userHandler = $userHandler;
        $this->currentUserRef = $userReference;
        $this->currentUser = $user;
    }

    public function getCurrentUser()
    {
        if ($this->currentUser === null) {
            $this->currentUser = $this->userService->loadUser(
                $this->currentUserRef->getUserId()
            );
        }

        return $this->currentUser;
    }

    public function getCurrentUserReference()
    {
        return $this->currentUserRef;
    }

    public function setCurrentUserReference(APIUserReference $user)
    {
        $id = $user->getUserId();
        if (!$id) {
            throw new InvalidArgumentValue('$user->getUserId()', $id);
        }

        if ($user instanceof User) {
            $this->currentUser = $user;
            $this->currentUserRef = new UserReference($id);
        } else {
            $this->currentUser = null;
            $this->currentUserRef = $user;
        }
    }

    public function hasAccess($module, $function, APIUserReference $user = null)
    {
        // Full access if sudo nesting level is set by {@see sudo()}
        if ($this->sudoNestingLevel > 0) {
            return true;
        }

        if ($user === null) {
            $user = $this->getCurrentUserReference();
        }

        // Uses SPI to avoid triggering permission checks in Role/User service
        $permissionSets = array();
        $spiRoleAssignments = $this->userHandler->loadRoleAssignmentsByGroupId($user->getUserId(), true);
        foreach ($spiRoleAssignments as $spiRoleAssignment) {
            $permissionSet = array('limitation' => null, 'policies' => array());

            $spiRole = $this->userHandler->loadRole($spiRoleAssignment->roleId);
            foreach ($spiRole->policies as $spiPolicy) {
                if ($spiPolicy->module === '*' && $spiRoleAssignment->limitationIdentifier === null) {
                    return true;
                }

                if ($spiPolicy->module !== $module && $spiPolicy->module !== '*') {
                    continue;
                }

                if ($spiPolicy->function === '*' && $spiRoleAssignment->limitationIdentifier === null) {
                    return true;
                }

                if ($spiPolicy->function !== $function && $spiPolicy->function !== '*') {
                    continue;
                }

                if ($spiPolicy->limitations === '*' && $spiRoleAssignment->limitationIdentifier === null) {
                    return true;
                }

                $permissionSet['policies'][] = $this->roleDomainMapper->buildDomainPolicyObject($spiPolicy);
            }

            if (!empty($permissionSet['policies'])) {
                if ($spiRoleAssignment->limitationIdentifier !== null) {
                    $permissionSet['limitation'] = $this->limitationService
                        ->getLimitationType($spiRoleAssignment->limitationIdentifier)
                        ->buildValue($spiRoleAssignment->values);
/**
 * @return array|string
 */
function returnsDifferentValues($x) {
    if ($x) {
        return 'foo';
    }

    return array();
}

$x = returnsDifferentValues($y);
if (is_array($x)) {
    // $x is an array.
}
                }

                $permissionSets[] = $permissionSet;
            }
        }

        if (!empty($permissionSets)) {
            return $permissionSets;
        }

        return false;// No policies matching $module and $function, or they contained limitations
    }

    public function canUser($module, $function, ValueObject $object, $targets = null)
    {
        $permissionSets = $this->hasAccess($module, $function);
        if ($permissionSets === false || $permissionSets === true) {
            return $permissionSets;
        }

        if ($targets instanceof ValueObject) {
            $targets = array($targets);
        } elseif ($targets !== null && !is_array($targets)) {
            throw new InvalidArgumentType(
                '$targets',
                'null|\\eZ\\Publish\\API\\Repository\\Values\\ValueObject|\\eZ\\Publish\\API\\Repository\\Values\\ValueObject[]',
                $targets
            );
        }

        $currentUserRef = $this->getCurrentUserReference();
        foreach ($permissionSets as $permissionSet) {
$collection = json_decode($data, true);
if ( ! is_array($collection)) {
    throw new \RuntimeException('$collection must be an array.');
}

foreach ($collection as $item) { /** ... */ }
            /**
             * First deal with Role limitation if any.
             *
             * Here we accept ACCESS_GRANTED and ACCESS_ABSTAIN, the latter in cases where $object and $targets
             * are not supported by limitation.
             *
             * @var \eZ\Publish\API\Repository\Values\User\Limitation[]
             */
            if ($permissionSet['limitation'] instanceof Limitation) {
                $type = $this->limitationService->getLimitationType($permissionSet['limitation']->getIdentifier());
                $accessVote = $type->evaluate($permissionSet['limitation'], $currentUserRef, $object, $targets);

                if ($accessVote === LimitationType::ACCESS_DENIED) {
                    continue;
                }
            }

            /**
             * Loop over all policies.
             *
             * These are already filtered by hasAccess and given hasAccess did not return boolean
             * there must be some, so only return true if one of them says yes.
             *
             * @var \eZ\Publish\API\Repository\Values\User\Policy
             */
            foreach ($permissionSet['policies'] as $policy) {
                $limitations = $policy->getLimitations();

                /*
                 * Return true if policy gives full access (aka no limitations)
                 */
                if ($limitations === '*') {
                    return true;
                }

                /*
                 * Loop over limitations, all must return ACCESS_GRANTED for policy to pass.
                 * If limitations was empty array this means same as '*'
                 */
                $limitationsPass = true;
                foreach ($limitations as $limitation) {
                    $type = $this->limitationService->getLimitationType($limitation->getIdentifier());
                    $accessVote = $type->evaluate($limitation, $currentUserRef, $object, $targets);

                    /*
                     * For policy limitation atm only support ACCESS_GRANTED
                     *
                     * Reasoning: Right now, use of a policy limitation not valid for a policy is per definition a
                     * BadState. To reach this you would have to configure the "policyMap" wrongly, like using
                     * Node (Location) limitation on state/assign. So in this case Role Limitations will return
                     * ACCESS_ABSTAIN (== no access here), and other limitations will throw InvalidArgument above,
                     * both cases forcing dev to investigate to find miss configuration. This might be relaxed in
                     * the future if valid use cases for ACCESS_ABSTAIN on policy limitations becomes known.
                     */
                    if ($accessVote !== LimitationType::ACCESS_GRANTED) {
                        $limitationsPass = false;
                        break;// Break to next policy, all limitations must pass
                    }
                }
                if ($limitationsPass) {
                    return true;
                }
            }
        }

        return false;// None of the limitation sets wanted to let you in, sorry!
    }

    /**
     * Allows API execution to be performed with full access sand-boxed.
     *
     * The closure sandbox will do a catch all on exceptions and rethrow after
     * re-setting the sudo flag.
     *
     * Example use:
     *     $location = $repository->sudo(
     *         function ( Repository $repo ) use ( $locationId )
     *         {
     *             return $repo->getLocationService()->loadLocation( $locationId )
     *         }
     *     );
     *
     *
     * @param \Closure $callback
     * @param \eZ\Publish\API\Repository\Repository $outerRepository
     *
     * @throws \RuntimeException Thrown on recursive sudo() use.
     * @throws \Exception Re throws exceptions thrown inside $callback
     *
     * @return mixed
     */
    public function sudo(\Closure $callback, RepositoryInterface $outerRepository = null)
    {
        ++$this->sudoNestingLevel;
        try {
            $returnValue = $callback($outerRepository !== null ? $outerRepository : $this->repository);
        } catch (Exception $e) {
            --$this->sudoNestingLevel;
            throw $e;
        }

        --$this->sudoNestingLevel;

        return $returnValue;
    }
}


1		<?php
2
3		/**
4		* @copyright Copyright (C) eZ Systems AS. All rights reserved.
5		* @license For full copyright and license information view LICENSE file distributed with this source code.
6		*/
7		namespace eZ\Publish\Core\Repository;
8
9		use eZ\Publish\API\Repository\PermissionService as PermissionServiceInterface;
10		use eZ\Publish\API\Repository\Repository as RepositoryInterface;
11		use eZ\Publish\API\Repository\UserService as UserServiceInterface;
12		use eZ\Publish\API\Repository\Values\User\User;
13		use eZ\Publish\API\Repository\Values\User\Limitation;
14		use eZ\Publish\API\Repository\Values\User\UserReference as APIUserReference;
15		use eZ\Publish\API\Repository\Values\ValueObject;
16		use eZ\Publish\Core\Base\Exceptions\InvalidArgumentType;
17		use eZ\Publish\Core\Base\Exceptions\InvalidArgumentValue;
18		use eZ\Publish\Core\Repository\Helper\LimitationService;
19		use eZ\Publish\Core\Repository\Helper\RoleDomainMapper;
20		use eZ\Publish\Core\Repository\Values\User\UserReference;
21		use eZ\Publish\SPI\Limitation\Type as LimitationType;
22		use eZ\Publish\SPI\Persistence\User\Handler as UserHandler;
23		use Exception;
24
25		/**
26		* Core implementation of PermissionsService interface.
27		*/
28		class PermissionService implements PermissionServiceInterface
29		{
30		/**
31		* Counter for the current sudo nesting level {@see sudo()}.
32		*
33		* @var int
34		*/
35		private $sudoNestingLevel = 0;
36
37		/**
38		* @var \eZ\Publish\API\Repository\Repository
39		*/
40		private $repository;
41
42		/**
43		* @var \eZ\Publish\API\Repository\UserService
44		*/
45		private $userService;
46
47		/**
48		* @var \eZ\Publish\Core\Repository\Helper\RoleDomainMapper
49		*/
50		private $roleDomainMapper;
51
52		/**
53		* @var \eZ\Publish\Core\Repository\Helper\LimitationService
54		*/
55		private $limitationService;
56
57		/**
58		* @var \eZ\Publish\SPI\Persistence\User\Handler
59		*/
60		private $userHandler;
61
62		/**
63		* Currently logged in user object if already loaded.
64		*
65		* @var \eZ\Publish\API\Repository\Values\User\User\|null
66		*/
67		private $currentUser;
68
69		/**
70		* Currently logged in user reference for permission purposes.
71		*
72		* @var \eZ\Publish\API\Repository\Values\User\UserReference
73		*/
74		private $currentUserRef;
75
76		/**
77		* @param \eZ\Publish\API\Repository\Repository $repository
78		* @param \eZ\Publish\API\Repository\UserService $userService
79		* @param \eZ\Publish\Core\Repository\Helper\RoleDomainMapper $roleDomainMapper
80		* @param \eZ\Publish\Core\Repository\Helper\LimitationService $limitationService
81		* @param \eZ\Publish\SPI\Persistence\User\Handler $userHandler
82		* @param \eZ\Publish\API\Repository\Values\User\UserReference $userReference
83		* @param \eZ\Publish\API\Repository\Values\User\User $user
84		*/
85		public function __construct(
86		RepositoryInterface $repository,
87		UserServiceInterface $userService,
88		RoleDomainMapper $roleDomainMapper,
89		LimitationService $limitationService,
90		UserHandler $userHandler,
91		APIUserReference $userReference,
92		User $user = null
93		) {
94		$this->repository = $repository;
95		$this->userService = $userService;
96		$this->roleDomainMapper = $roleDomainMapper;
97		$this->limitationService = $limitationService;
98		$this->userHandler = $userHandler;
99		$this->currentUserRef = $userReference;
100		$this->currentUser = $user;
101		}
102
103		public function getCurrentUser()
104		{
105		if ($this->currentUser === null) {
106		$this->currentUser = $this->userService->loadUser(
107		$this->currentUserRef->getUserId()
108		);
109		}
110
111		return $this->currentUser;
112		}
113
114		public function getCurrentUserReference()
115		{
116		return $this->currentUserRef;
117		}
118
119	View Code Duplication	public function setCurrentUserReference(APIUserReference $user)
120		{
121		$id = $user->getUserId();
122		if (!$id) {
123		throw new InvalidArgumentValue('$user->getUserId()', $id);
124		}
125
126		if ($user instanceof User) {
127		$this->currentUser = $user;
128		$this->currentUserRef = new UserReference($id);
129		} else {
130		$this->currentUser = null;
131		$this->currentUserRef = $user;
132		}
133		}
134
135		public function hasAccess($module, $function, APIUserReference $user = null)
136		{
137		// Full access if sudo nesting level is set by {@see sudo()}
138		if ($this->sudoNestingLevel > 0) {
139		return true;
140		}
141
142		if ($user === null) {
143		$user = $this->getCurrentUserReference();
144		}
145
146		// Uses SPI to avoid triggering permission checks in Role/User service
147		$permissionSets = array();
148		$spiRoleAssignments = $this->userHandler->loadRoleAssignmentsByGroupId($user->getUserId(), true);
149		foreach ($spiRoleAssignments as $spiRoleAssignment) {
150		$permissionSet = array('limitation' => null, 'policies' => array());
151
152		$spiRole = $this->userHandler->loadRole($spiRoleAssignment->roleId);
153		foreach ($spiRole->policies as $spiPolicy) {
154		if ($spiPolicy->module === '*' && $spiRoleAssignment->limitationIdentifier === null) {
155		return true;
156		}
157
158		if ($spiPolicy->module !== $module && $spiPolicy->module !== '*') {
159		continue;
160		}
161
162		if ($spiPolicy->function === '*' && $spiRoleAssignment->limitationIdentifier === null) {
163		return true;
164		}
165
166		if ($spiPolicy->function !== $function && $spiPolicy->function !== '*') {
167		continue;
168		}
169
170		if ($spiPolicy->limitations === '*' && $spiRoleAssignment->limitationIdentifier === null) {
171		return true;
172		}
173
174		$permissionSet['policies'][] = $this->roleDomainMapper->buildDomainPolicyObject($spiPolicy);
175		}
176
177		if (!empty($permissionSet['policies'])) {
178		if ($spiRoleAssignment->limitationIdentifier !== null) {
179		$permissionSet['limitation'] = $this->limitationService
180		->getLimitationType($spiRoleAssignment->limitationIdentifier)
181		->buildValue($spiRoleAssignment->values);
		0 ignored issues – show Bug introduced 2016-07-11 13:25 UTC by Report Bug Copy Issue Report It seems like `$spiRoleAssignment->values` can also be of type `null`; however, `eZ\Publish\SPI\Limitation\Type::buildValue()` does only seem to accept `array<integer,>`, maybe add an additional type check? If a method or function can return multiple different values and unless you are sure that you only can receive a single value in this context, we recommend to add an additional type check: /* * @return array\|string */ function returnsDifferentValues($x) { if ($x) { return 'foo'; } return array(); } $x = returnsDifferentValues($y); if (is_array($x)) { // $x is an array. } If this a common case that PHP Analyzer should handle natively, please let us know by opening an issue. Loading history...
182		}
183
184		$permissionSets[] = $permissionSet;
185		}
186		}
187
188		if (!empty($permissionSets)) {
189		return $permissionSets;
190		}
191
192		return false;// No policies matching $module and $function, or they contained limitations
193		}
194
195		public function canUser($module, $function, ValueObject $object, $targets = null)
196		{
197		$permissionSets = $this->hasAccess($module, $function);
198		if ($permissionSets === false \|\| $permissionSets === true) {
199		return $permissionSets;
200		}
201
202		if ($targets instanceof ValueObject) {
203		$targets = array($targets);
204		} elseif ($targets !== null && !is_array($targets)) {
205		throw new InvalidArgumentType(
206		'$targets',
207		'null\|\\eZ\\Publish\\API\\Repository\\Values\\ValueObject\|\\eZ\\Publish\\API\\Repository\\Values\\ValueObject[]',
208		$targets
209		);
210		}
211
212		$currentUserRef = $this->getCurrentUserReference();
213		foreach ($permissionSets as $permissionSet) {
		0 ignored issues – show Bug introduced 2016-07-11 13:25 UTC by Report Bug Copy Issue Report The expression `$permissionSets` of type `boolean\|array` is not guaranteed to be traversable. How about adding an additional type check? There are different options of fixing this problem. If you want to be on the safe side, you can add an additional type-check: $collection = json_decode($data, true); if ( ! is_array($collection)) { throw new \RuntimeException('$collection must be an array.'); } foreach ($collection as $item) { /** ... / } If you are sure that the expression is traversable, you might want to add a doc comment cast* to improve IDE auto-completion and static analysis: /** @var array $collection / $collection = json_decode($data, true); foreach ($collection as $item) { /* .. / } Mark the issue as a false-positive*: Just hover the remove button, in the top-right corner of this issue for more options. Loading history...
214		/**
215		* First deal with Role limitation if any.
216		*
217		* Here we accept ACCESS_GRANTED and ACCESS_ABSTAIN, the latter in cases where $object and $targets
218		* are not supported by limitation.
219		*
220		* @var \eZ\Publish\API\Repository\Values\User\Limitation[]
221		*/
222		if ($permissionSet['limitation'] instanceof Limitation) {
223		$type = $this->limitationService->getLimitationType($permissionSet['limitation']->getIdentifier());
224		$accessVote = $type->evaluate($permissionSet['limitation'], $currentUserRef, $object, $targets);
		0 ignored issues – show Bug introduced 2016-07-11 13:25 UTC by Report Bug Copy Issue Report It seems like `$targets` defined by parameter `$targets` on line 195 can also be of type `array`; however, `eZ\Publish\SPI\Limitation\Type::evaluate()` does only seem to accept `null\|array<integer,objec...ry\Values\ValueObject>>`, maybe add an additional type check? This check looks at variables that have been passed in as parameters and are passed out again to other methods. If the outgoing method call has stricter type requirements than the method itself, an issue is raised. An additional type check may prevent trouble. Loading history...
225		if ($accessVote === LimitationType::ACCESS_DENIED) {
226		continue;
227		}
228		}
229
230		/**
231		* Loop over all policies.
232		*
233		* These are already filtered by hasAccess and given hasAccess did not return boolean
234		* there must be some, so only return true if one of them says yes.
235		*
236		* @var \eZ\Publish\API\Repository\Values\User\Policy
237		*/
238		foreach ($permissionSet['policies'] as $policy) {
239		$limitations = $policy->getLimitations();
240
241		/*
242		* Return true if policy gives full access (aka no limitations)
243		*/
244		if ($limitations === '*') {
245		return true;
246		}
247
248		/*
249		* Loop over limitations, all must return ACCESS_GRANTED for policy to pass.
250		* If limitations was empty array this means same as '*'
251		*/
252		$limitationsPass = true;
253		foreach ($limitations as $limitation) {
254		$type = $this->limitationService->getLimitationType($limitation->getIdentifier());
255		$accessVote = $type->evaluate($limitation, $currentUserRef, $object, $targets);
		0 ignored issues – show Bug introduced 2016-07-11 13:25 UTC by Report Bug Copy Issue Report It seems like `$targets` defined by parameter `$targets` on line 195 can also be of type `array`; however, `eZ\Publish\SPI\Limitation\Type::evaluate()` does only seem to accept `null\|array<integer,objec...ry\Values\ValueObject>>`, maybe add an additional type check? This check looks at variables that have been passed in as parameters and are passed out again to other methods. If the outgoing method call has stricter type requirements than the method itself, an issue is raised. An additional type check may prevent trouble. Loading history...
256		/*
257		* For policy limitation atm only support ACCESS_GRANTED
258		*
259		* Reasoning: Right now, use of a policy limitation not valid for a policy is per definition a
260		* BadState. To reach this you would have to configure the "policyMap" wrongly, like using
261		* Node (Location) limitation on state/assign. So in this case Role Limitations will return
262		* ACCESS_ABSTAIN (== no access here), and other limitations will throw InvalidArgument above,
263		* both cases forcing dev to investigate to find miss configuration. This might be relaxed in
264		* the future if valid use cases for ACCESS_ABSTAIN on policy limitations becomes known.
265		*/
266		if ($accessVote !== LimitationType::ACCESS_GRANTED) {
267		$limitationsPass = false;
268		break;// Break to next policy, all limitations must pass
269		}
270		}
271		if ($limitationsPass) {
272		return true;
273		}
274		}
275		}
276
277		return false;// None of the limitation sets wanted to let you in, sorry!
278		}
279
280		/**
281		* Allows API execution to be performed with full access sand-boxed.
282		*
283		* The closure sandbox will do a catch all on exceptions and rethrow after
284		* re-setting the sudo flag.
285		*
286		* Example use:
287		* $location = $repository->sudo(
288		* function ( Repository $repo ) use ( $locationId )
289		* {
290		* return $repo->getLocationService()->loadLocation( $locationId )
291		* }
292		* );
293		*
294		*
295		* @param \Closure $callback
296		* @param \eZ\Publish\API\Repository\Repository $outerRepository
297		*
298		* @throws \RuntimeException Thrown on recursive sudo() use.
299		* @throws \Exception Re throws exceptions thrown inside $callback
300		*
301		* @return mixed
302		*/
303		public function sudo(\Closure $callback, RepositoryInterface $outerRepository = null)
304		{
305		++$this->sudoNestingLevel;
306		try {
307		$returnValue = $callback($outerRepository !== null ? $outerRepository : $this->repository);
308		} catch (Exception $e) {
309		--$this->sudoNestingLevel;
310		throw $e;
311		}
312
313		--$this->sudoNestingLevel;
314
315		return $returnValue;
316		}
317		}
318

ezsystems / ezpublish-kernel