PermissionResolver::lookup() - Code Metrics - Inspection of "EZP-26000: add unit tests for PermisionResolver::l..." - ezsystems/ezpublish-kernel - Measure and Improve Code Quality continuously with Scrutinizer

Completed

Push — impl-EZP-26000-permission-look... ( ee4870 )

unknown

created 2016-11-17 08:55 UTC

PermissionResolver::lookup() F

↳ Parent: PermissionResolver

Complexity

Conditions	21
Paths	1472

Size

Total Lines	149
Code Lines	70

Duplication

Lines	29
Ratio	19.46 %

Importance

Changes

Metric	Value
dl	29
loc	149
c	0
b	0
f	0
cc	21
eloc	70
nc	1472
nop	4
rs	2

How to fix Long Method Complexity

<?php

/**
 * @copyright Copyright (C) eZ Systems AS. All rights reserved.
 * @license For full copyright and license information view LICENSE file distributed with this source code.
 */
namespace eZ\Publish\Core\Repository\Permission;

use eZ\Publish\API\Repository\PermissionResolver as PermissionResolverInterface;
use eZ\Publish\API\Repository\Repository as RepositoryInterface;
use eZ\Publish\API\Repository\Values\User\Limitation;
use eZ\Publish\API\Repository\Values\User\UserReference as APIUserReference;
use eZ\Publish\API\Repository\Values\ValueObject;
use eZ\Publish\Core\Base\Exceptions\InvalidArgumentValue;
use eZ\Publish\Core\Repository\Helper\LimitationService;
use eZ\Publish\Core\Repository\Helper\RoleDomainMapper;
use eZ\Publish\API\Repository\Values\User\PermissionInfo;
use eZ\Publish\SPI\Limitation\Type as LimitationType;
use eZ\Publish\SPI\Persistence\User\Handler as UserHandler;
use Exception;

/**
 * Core implementation of PermissionResolver interface.
 */
class PermissionResolver implements PermissionResolverInterface
{
    /**
     * Counter for the current sudo nesting level {@see sudo()}.
     *
     * @var int
     */
    private $sudoNestingLevel = 0;

    /**
     * @var \eZ\Publish\Core\Repository\Helper\RoleDomainMapper
     */
    private $roleDomainMapper;

    /**
     * @var \eZ\Publish\Core\Repository\Helper\LimitationService
     */
    private $limitationService;

    /**
     * @var \eZ\Publish\SPI\Persistence\User\Handler
     */
    private $userHandler;

    /**
     * Currently logged in user reference for permission purposes.
     *
     * @var \eZ\Publish\API\Repository\Values\User\UserReference
     */
    private $currentUserRef;

    /**
     * @param \eZ\Publish\Core\Repository\Helper\RoleDomainMapper $roleDomainMapper
     * @param \eZ\Publish\Core\Repository\Helper\LimitationService $limitationService
     * @param \eZ\Publish\SPI\Persistence\User\Handler $userHandler
     * @param \eZ\Publish\API\Repository\Values\User\UserReference $userReference
     */
    public function __construct(
        RoleDomainMapper $roleDomainMapper,
        LimitationService $limitationService,
        UserHandler $userHandler,
        APIUserReference $userReference
    ) {
        $this->roleDomainMapper = $roleDomainMapper;
        $this->limitationService = $limitationService;
        $this->userHandler = $userHandler;
        $this->currentUserRef = $userReference;
    }

    public function getCurrentUserReference()
    {
        return $this->currentUserRef;
    }

    public function setCurrentUserReference(APIUserReference $userReference)
    {
        $id = $userReference->getUserId();
        if (!$id) {
            throw new InvalidArgumentValue('$user->getUserId()', $id);
        }

        $this->currentUserRef = $userReference;
    }

    public function hasAccess($module, $function, APIUserReference $userReference = null)
    {
        // Full access if sudo nesting level is set by {@see sudo()}
        if ($this->sudoNestingLevel > 0) {
            return true;
        }

        if ($userReference === null) {
            $userReference = $this->getCurrentUserReference();
        }

        // Uses SPI to avoid triggering permission checks in Role/User service
        $permissionSets = array();
        $spiRoleAssignments = $this->userHandler->loadRoleAssignmentsByGroupId($userReference->getUserId(), true);
        foreach ($spiRoleAssignments as $spiRoleAssignment) {
            $permissionSet = array('limitation' => null, 'policies' => array());

            $spiRole = $this->userHandler->loadRole($spiRoleAssignment->roleId);
            foreach ($spiRole->policies as $spiPolicy) {
                if ($spiPolicy->module === '*' && $spiRoleAssignment->limitationIdentifier === null) {
                    return true;
                }

                if ($spiPolicy->module !== $module && $spiPolicy->module !== '*') {
                    continue;
                }

                if ($spiPolicy->function === '*' && $spiRoleAssignment->limitationIdentifier === null) {
                    return true;
                }

                if ($spiPolicy->function !== $function && $spiPolicy->function !== '*') {
                    continue;
                }

                if ($spiPolicy->limitations === '*' && $spiRoleAssignment->limitationIdentifier === null) {
                    return true;
                }

                $permissionSet['policies'][] = $this->roleDomainMapper->buildDomainPolicyObject($spiPolicy);
            }

            if (!empty($permissionSet['policies'])) {
                if ($spiRoleAssignment->limitationIdentifier !== null) {
                    $permissionSet['limitation'] = $this->limitationService
                        ->getLimitationType($spiRoleAssignment->limitationIdentifier)
                        ->buildValue($spiRoleAssignment->values);
/**
 * @return array|string
 */
function returnsDifferentValues($x) {
    if ($x) {
        return 'foo';
    }

    return array();
}

$x = returnsDifferentValues($y);
if (is_array($x)) {
    // $x is an array.
}
                }

                $permissionSets[] = $permissionSet;
            }
        }

        if (!empty($permissionSets)) {
            return $permissionSets;
        }

        return false;// No policies matching $module and $function, or they contained limitations
    }

    public function canUser($module, $function, ValueObject $object, array $targets = [])
    {
        $permissionSets = $this->hasAccess($module, $function);
        if ($permissionSets === false || $permissionSets === true) {
            return $permissionSets;
        }

        if (empty($targets)) {
            $targets = null;
        }

        $currentUserRef = $this->getCurrentUserReference();
        foreach ($permissionSets as $permissionSet) {
$collection = json_decode($data, true);
if ( ! is_array($collection)) {
    throw new \RuntimeException('$collection must be an array.');
}

foreach ($collection as $item) { /** ... */ }
            /**
             * First deal with Role limitation if any.
             *
             * Here we accept ACCESS_GRANTED and ACCESS_ABSTAIN, the latter in cases where $object and $targets
             * are not supported by limitation.
             *
             * @var \eZ\Publish\API\Repository\Values\User\Limitation[]
             */
            if ($permissionSet['limitation'] instanceof Limitation) {
                $type = $this->limitationService->getLimitationType($permissionSet['limitation']->getIdentifier());
                $accessVote = $type->evaluate($permissionSet['limitation'], $currentUserRef, $object, $targets);

                if ($accessVote === LimitationType::ACCESS_DENIED) {
                    continue;
                }
            }

            /**
             * Loop over all policies.
             *
             * These are already filtered by hasAccess and given hasAccess did not return boolean
             * there must be some, so only return true if one of them says yes.
             *
             * @var \eZ\Publish\API\Repository\Values\User\Policy
             */
            foreach ($permissionSet['policies'] as $policy) {
                $limitations = $policy->getLimitations();

                /*
                 * Return true if policy gives full access (aka no limitations)
                 */
                if ($limitations === '*') {
                    return true;
                }

                /*
                 * Loop over limitations, all must return ACCESS_GRANTED for policy to pass.
                 * If limitations was empty array this means same as '*'
                 */
                $limitationsPass = true;
                foreach ($limitations as $limitation) {
                    $type = $this->limitationService->getLimitationType($limitation->getIdentifier());
                    $accessVote = $type->evaluate($limitation, $currentUserRef, $object, $targets);

                    /*
                     * For policy limitation atm only support ACCESS_GRANTED
                     *
                     * Reasoning: Right now, use of a policy limitation not valid for a policy is per definition a
                     * BadState. To reach this you would have to configure the "policyMap" wrongly, like using
                     * Node (Location) limitation on state/assign. So in this case Role Limitations will return
                     * ACCESS_ABSTAIN (== no access here), and other limitations will throw InvalidArgument above,
                     * both cases forcing dev to investigate to find miss configuration. This might be relaxed in
                     * the future if valid use cases for ACCESS_ABSTAIN on policy limitations becomes known.
                     */
                    if ($accessVote !== LimitationType::ACCESS_GRANTED) {
                        $limitationsPass = false;
                        break;// Break to next policy, all limitations must pass
                    }
                }
                if ($limitationsPass) {
                    return true;
                }
            }
        }

        return false;// None of the limitation sets wanted to let you in, sorry!
    }

    /**
     * @internal For internal use only, do not depend on this method.
     *
     * Allows API execution to be performed with full access sand-boxed.
     *
     * The closure sandbox will do a catch all on exceptions and rethrow after
     * re-setting the sudo flag.
     *
     * Example use:
     *     $location = $repository->sudo(
     *         function ( Repository $repo ) use ( $locationId )
     *         {
     *             return $repo->getLocationService()->loadLocation( $locationId )
     *         }
     *     );
     *
     *
     * @param \Closure $callback
     * @param \eZ\Publish\API\Repository\Repository $outerRepository
     *
     * @throws \RuntimeException Thrown on recursive sudo() use.
     * @throws \Exception Re throws exceptions thrown inside $callback
     *
     * @return mixed
     */
    public function sudo(\Closure $callback, RepositoryInterface $outerRepository)
    {
        ++$this->sudoNestingLevel;
        try {
            $returnValue = $callback($outerRepository);
        } catch (Exception $e) {
            --$this->sudoNestingLevel;
            throw $e;
        }

        --$this->sudoNestingLevel;

        return $returnValue;
    }

    public function lookup(
        $module,
        $function,
        array $limitations = [],
        APIUserReference $userReference = null
    ) {
        $limitationSets = [];
        $permissionSets = $this->hasAccess($module, $function, $userReference);

        if ($permissionSets === true) {
            return new PermissionInfo(['access' => PermissionInfo::ACCESS_GRANTED]);
        }

        if ($permissionSets === false) {
            return new PermissionInfo(['access' => PermissionInfo::ACCESS_DENIED]);
        }

        /** @var \eZ\Publish\API\Repository\Values\User\Limitation[] $queryLimitationMap */
        $queryLimitationMap = [];
        foreach ($limitations as $limitation) {
            $queryLimitationMap[$limitation->getIdentifier()] = $limitation;
        }

        $setPasses = false;

        foreach ($permissionSets as $permissionSet) {
$collection = json_decode($data, true);
if ( ! is_array($collection)) {
    throw new \RuntimeException('$collection must be an array.');
}

foreach ($collection as $item) { /** ... */ }
            $roleLimitations = [];

            /**
             * First deal with Role limitation if any.
             *
             * Here we accept ACCESS_GRANTED and ACCESS_ABSTAIN, the latter in cases where $object and $targets
             * are not supported by limitation.
             *
             * @var \eZ\Publish\API\Repository\Values\User\Limitation[]
             */
            if ($permissionSet['limitation'] instanceof Limitation) {
                $limitation = $permissionSet['limitation'];
                $identifier = $limitation->getIdentifier();

                if (isset($queryLimitationMap[$identifier])) {

                    $value = reset($queryLimitationMap[$identifier]->limitationValues);
                    $type = $this->limitationService->getLimitationType($identifier);

                    // Try with next role permission set
                    if (!$type->evaluateSingle($limitation, $value)) {
                        continue;
                    }
                } else {
                    // todo How to decide if this is at all relevant for module/function?
                    // ACCESS_ABSTAIN is returned by evaluate().
                    // Maybe it could be modelled on the permission map instead?
                    $roleLimitations[] = $limitation;
                }
            }

            $policyLimitationSet = [];

            $policiesPass = false;

            /**
             * Loop over all policies.
             *
             * These are already filtered by hasAccess and given hasAccess did not return boolean
             * there must be some, so only return true if one of them says yes.
             *
             * @var \eZ\Publish\API\Repository\Values\User\Policy $policy
             */
            foreach ($permissionSet['policies'] as $policy) {
                $policyLimitations = [];

                $limitations = $policy->getLimitations();
                if ($limitations === '*') {
                    $limitations = [];
                }

                /** @var \eZ\Publish\API\Repository\Values\User\Limitation[] $limitations */
                foreach ($limitations as $limitation) {
                    $identifier = $limitation->getIdentifier();

                    if (isset($queryLimitationMap[$identifier])) {

                        $value = reset($queryLimitationMap[$identifier]->limitationValues);
                        $type = $this->limitationService->getLimitationType($identifier);

                        if ($type->evaluateSingle($limitation, $value)) {
                            // Continue evaluating
                            continue;
                        } else {
                            // Break to next policy, all limitations must either pass or record
                            break 2;
                        }
                    } else {
                        // Record limitation for return
                        $policyLimitations[] = $limitation;
                    }
                }

                $policiesPass = true;

                // Break if a policy allows access without limitation
                if (empty($policyLimitations)) {
                    $policyLimitationSet = [];
                    break;
                }

                // Else, add limitation to policy set
                $policyLimitationSet[] = $policyLimitations;
            }

            // Try with next role permission set
            if (!$policiesPass) {
                continue;
            }

            $setPasses = true;
            $setLimitations = [];

            foreach ($policyLimitationSet as $policyLimitations) {
                $setLimitations = array_merge($policyLimitations, $roleLimitations);
            }

            if (empty($setLimitations) && !empty($roleLimitations)) {
                $setLimitations = $roleLimitations;
            }

            // Break if a set allows access without limitation
            if (empty($setLimitations)) {
                $limitationSets = [];
                break;
            }

            $limitationSets = array_merge($limitationSets, [$setLimitations]);
        }

        $access = PermissionInfo::ACCESS_LIMITED;

        if (!$setPasses) {
            $access = PermissionInfo::ACCESS_DENIED;
        } else if (empty($limitationSets)) {
            $access = PermissionInfo::ACCESS_GRANTED;
        }

        return new PermissionInfo(
            [
                'access' => $access,
                'limitationSets' => $limitationSets,
            ]
        );
    }
}


1		<?php
2
3		/**
4		* @copyright Copyright (C) eZ Systems AS. All rights reserved.
5		* @license For full copyright and license information view LICENSE file distributed with this source code.
6		*/
7		namespace eZ\Publish\Core\Repository\Permission;
8
9		use eZ\Publish\API\Repository\PermissionResolver as PermissionResolverInterface;
10		use eZ\Publish\API\Repository\Repository as RepositoryInterface;
11		use eZ\Publish\API\Repository\Values\User\Limitation;
12		use eZ\Publish\API\Repository\Values\User\UserReference as APIUserReference;
13		use eZ\Publish\API\Repository\Values\ValueObject;
14		use eZ\Publish\Core\Base\Exceptions\InvalidArgumentValue;
15		use eZ\Publish\Core\Repository\Helper\LimitationService;
16		use eZ\Publish\Core\Repository\Helper\RoleDomainMapper;
17		use eZ\Publish\API\Repository\Values\User\PermissionInfo;
18		use eZ\Publish\SPI\Limitation\Type as LimitationType;
19		use eZ\Publish\SPI\Persistence\User\Handler as UserHandler;
20		use Exception;
21
22		/**
23		* Core implementation of PermissionResolver interface.
24		*/
25		class PermissionResolver implements PermissionResolverInterface
26		{
27		/**
28		* Counter for the current sudo nesting level {@see sudo()}.
29		*
30		* @var int
31		*/
32		private $sudoNestingLevel = 0;
33
34		/**
35		* @var \eZ\Publish\Core\Repository\Helper\RoleDomainMapper
36		*/
37		private $roleDomainMapper;
38
39		/**
40		* @var \eZ\Publish\Core\Repository\Helper\LimitationService
41		*/
42		private $limitationService;
43
44		/**
45		* @var \eZ\Publish\SPI\Persistence\User\Handler
46		*/
47		private $userHandler;
48
49		/**
50		* Currently logged in user reference for permission purposes.
51		*
52		* @var \eZ\Publish\API\Repository\Values\User\UserReference
53		*/
54		private $currentUserRef;
55
56		/**
57		* @param \eZ\Publish\Core\Repository\Helper\RoleDomainMapper $roleDomainMapper
58		* @param \eZ\Publish\Core\Repository\Helper\LimitationService $limitationService
59		* @param \eZ\Publish\SPI\Persistence\User\Handler $userHandler
60		* @param \eZ\Publish\API\Repository\Values\User\UserReference $userReference
61		*/
62		public function __construct(
63		RoleDomainMapper $roleDomainMapper,
64		LimitationService $limitationService,
65		UserHandler $userHandler,
66		APIUserReference $userReference
67		) {
68		$this->roleDomainMapper = $roleDomainMapper;
69		$this->limitationService = $limitationService;
70		$this->userHandler = $userHandler;
71		$this->currentUserRef = $userReference;
72		}
73
74		public function getCurrentUserReference()
75		{
76		return $this->currentUserRef;
77		}
78
79		public function setCurrentUserReference(APIUserReference $userReference)
80		{
81		$id = $userReference->getUserId();
82		if (!$id) {
83		throw new InvalidArgumentValue('$user->getUserId()', $id);
84		}
85
86		$this->currentUserRef = $userReference;
87		}
88
89		public function hasAccess($module, $function, APIUserReference $userReference = null)
90		{
91		// Full access if sudo nesting level is set by {@see sudo()}
92		if ($this->sudoNestingLevel > 0) {
93		return true;
94		}
95
96		if ($userReference === null) {
97		$userReference = $this->getCurrentUserReference();
98		}
99
100		// Uses SPI to avoid triggering permission checks in Role/User service
101		$permissionSets = array();
102		$spiRoleAssignments = $this->userHandler->loadRoleAssignmentsByGroupId($userReference->getUserId(), true);
103		foreach ($spiRoleAssignments as $spiRoleAssignment) {
104		$permissionSet = array('limitation' => null, 'policies' => array());
105
106		$spiRole = $this->userHandler->loadRole($spiRoleAssignment->roleId);
107		foreach ($spiRole->policies as $spiPolicy) {
108		if ($spiPolicy->module === '*' && $spiRoleAssignment->limitationIdentifier === null) {
109		return true;
110		}
111
112		if ($spiPolicy->module !== $module && $spiPolicy->module !== '*') {
113		continue;
114		}
115
116		if ($spiPolicy->function === '*' && $spiRoleAssignment->limitationIdentifier === null) {
117		return true;
118		}
119
120		if ($spiPolicy->function !== $function && $spiPolicy->function !== '*') {
121		continue;
122		}
123
124		if ($spiPolicy->limitations === '*' && $spiRoleAssignment->limitationIdentifier === null) {
125		return true;
126		}
127
128		$permissionSet['policies'][] = $this->roleDomainMapper->buildDomainPolicyObject($spiPolicy);
129		}
130
131		if (!empty($permissionSet['policies'])) {
132		if ($spiRoleAssignment->limitationIdentifier !== null) {
133		$permissionSet['limitation'] = $this->limitationService
134		->getLimitationType($spiRoleAssignment->limitationIdentifier)
135		->buildValue($spiRoleAssignment->values);
		0 ignored issues – show Bug introduced 2016-09-05 14:20 UTC by Report Bug Copy Issue Report It seems like `$spiRoleAssignment->values` can also be of type `null`; however, `eZ\Publish\SPI\Limitation\Type::buildValue()` does only seem to accept `array<integer,>`, maybe add an additional type check? If a method or function can return multiple different values and unless you are sure that you only can receive a single value in this context, we recommend to add an additional type check: /* * @return array\|string */ function returnsDifferentValues($x) { if ($x) { return 'foo'; } return array(); } $x = returnsDifferentValues($y); if (is_array($x)) { // $x is an array. } If this a common case that PHP Analyzer should handle natively, please let us know by opening an issue. Loading history...
136		}
137
138		$permissionSets[] = $permissionSet;
139		}
140		}
141
142		if (!empty($permissionSets)) {
143		return $permissionSets;
144		}
145
146		return false;// No policies matching $module and $function, or they contained limitations
147		}
148
149		public function canUser($module, $function, ValueObject $object, array $targets = [])
150		{
151		$permissionSets = $this->hasAccess($module, $function);
152		if ($permissionSets === false \|\| $permissionSets === true) {
153		return $permissionSets;
154		}
155
156		if (empty($targets)) {
157		$targets = null;
158		}
159
160		$currentUserRef = $this->getCurrentUserReference();
161		foreach ($permissionSets as $permissionSet) {
		0 ignored issues – show Bug introduced 2016-09-05 14:20 UTC by Report Bug Copy Issue Report The expression `$permissionSets` of type `boolean\|array` is not guaranteed to be traversable. How about adding an additional type check? There are different options of fixing this problem. If you want to be on the safe side, you can add an additional type-check: $collection = json_decode($data, true); if ( ! is_array($collection)) { throw new \RuntimeException('$collection must be an array.'); } foreach ($collection as $item) { /** ... / } If you are sure that the expression is traversable, you might want to add a doc comment cast* to improve IDE auto-completion and static analysis: /** @var array $collection / $collection = json_decode($data, true); foreach ($collection as $item) { /* .. / } Mark the issue as a false-positive*: Just hover the remove button, in the top-right corner of this issue for more options. Loading history...
162		/**
163		* First deal with Role limitation if any.
164		*
165		* Here we accept ACCESS_GRANTED and ACCESS_ABSTAIN, the latter in cases where $object and $targets
166		* are not supported by limitation.
167		*
168		* @var \eZ\Publish\API\Repository\Values\User\Limitation[]
169		*/
170		if ($permissionSet['limitation'] instanceof Limitation) {
171		$type = $this->limitationService->getLimitationType($permissionSet['limitation']->getIdentifier());
172		$accessVote = $type->evaluate($permissionSet['limitation'], $currentUserRef, $object, $targets);
		0 ignored issues – show Bug introduced 2016-09-05 14:20 UTC by Report Bug Copy Issue Report It seems like `$targets` defined by parameter `$targets` on line 149 can also be of type `array`; however, `eZ\Publish\SPI\Limitation\Type::evaluate()` does only seem to accept `null\|array<integer,objec...ry\Values\ValueObject>>`, maybe add an additional type check? This check looks at variables that have been passed in as parameters and are passed out again to other methods. If the outgoing method call has stricter type requirements than the method itself, an issue is raised. An additional type check may prevent trouble. Loading history...
173		if ($accessVote === LimitationType::ACCESS_DENIED) {
174		continue;
175		}
176		}
177
178		/**
179		* Loop over all policies.
180		*
181		* These are already filtered by hasAccess and given hasAccess did not return boolean
182		* there must be some, so only return true if one of them says yes.
183		*
184		* @var \eZ\Publish\API\Repository\Values\User\Policy
185		*/
186		foreach ($permissionSet['policies'] as $policy) {
187		$limitations = $policy->getLimitations();
188
189		/*
190		* Return true if policy gives full access (aka no limitations)
191		*/
192		if ($limitations === '*') {
193		return true;
194		}
195
196		/*
197		* Loop over limitations, all must return ACCESS_GRANTED for policy to pass.
198		* If limitations was empty array this means same as '*'
199		*/
200		$limitationsPass = true;
201		foreach ($limitations as $limitation) {
202		$type = $this->limitationService->getLimitationType($limitation->getIdentifier());
203		$accessVote = $type->evaluate($limitation, $currentUserRef, $object, $targets);
		0 ignored issues – show Bug introduced 2016-09-05 14:20 UTC by Report Bug Copy Issue Report It seems like `$targets` defined by parameter `$targets` on line 149 can also be of type `array`; however, `eZ\Publish\SPI\Limitation\Type::evaluate()` does only seem to accept `null\|array<integer,objec...ry\Values\ValueObject>>`, maybe add an additional type check? This check looks at variables that have been passed in as parameters and are passed out again to other methods. If the outgoing method call has stricter type requirements than the method itself, an issue is raised. An additional type check may prevent trouble. Loading history...
204		/*
205		* For policy limitation atm only support ACCESS_GRANTED
206		*
207		* Reasoning: Right now, use of a policy limitation not valid for a policy is per definition a
208		* BadState. To reach this you would have to configure the "policyMap" wrongly, like using
209		* Node (Location) limitation on state/assign. So in this case Role Limitations will return
210		* ACCESS_ABSTAIN (== no access here), and other limitations will throw InvalidArgument above,
211		* both cases forcing dev to investigate to find miss configuration. This might be relaxed in
212		* the future if valid use cases for ACCESS_ABSTAIN on policy limitations becomes known.
213		*/
214		if ($accessVote !== LimitationType::ACCESS_GRANTED) {
215		$limitationsPass = false;
216		break;// Break to next policy, all limitations must pass
217		}
218		}
219		if ($limitationsPass) {
220		return true;
221		}
222		}
223		}
224
225		return false;// None of the limitation sets wanted to let you in, sorry!
226		}
227
228		/**
229		* @internal For internal use only, do not depend on this method.
230		*
231		* Allows API execution to be performed with full access sand-boxed.
232		*
233		* The closure sandbox will do a catch all on exceptions and rethrow after
234		* re-setting the sudo flag.
235		*
236		* Example use:
237		* $location = $repository->sudo(
238		* function ( Repository $repo ) use ( $locationId )
239		* {
240		* return $repo->getLocationService()->loadLocation( $locationId )
241		* }
242		* );
243		*
244		*
245		* @param \Closure $callback
246		* @param \eZ\Publish\API\Repository\Repository $outerRepository
247		*
248		* @throws \RuntimeException Thrown on recursive sudo() use.
249		* @throws \Exception Re throws exceptions thrown inside $callback
250		*
251		* @return mixed
252		*/
253		public function sudo(\Closure $callback, RepositoryInterface $outerRepository)
254		{
255		++$this->sudoNestingLevel;
256		try {
257		$returnValue = $callback($outerRepository);
258		} catch (Exception $e) {
259		--$this->sudoNestingLevel;
260		throw $e;
261		}
262
263		--$this->sudoNestingLevel;
264
265		return $returnValue;
266		}
267
268		public function lookup(
269		$module,
270		$function,
271		array $limitations = [],
272		APIUserReference $userReference = null
273		) {
274		$limitationSets = [];
275		$permissionSets = $this->hasAccess($module, $function, $userReference);
276
277		if ($permissionSets === true) {
278		return new PermissionInfo(['access' => PermissionInfo::ACCESS_GRANTED]);
279		}
280
281		if ($permissionSets === false) {
282		return new PermissionInfo(['access' => PermissionInfo::ACCESS_DENIED]);
283		}
284
285		/** @var \eZ\Publish\API\Repository\Values\User\Limitation[] $queryLimitationMap */
286		$queryLimitationMap = [];
287		foreach ($limitations as $limitation) {
288		$queryLimitationMap[$limitation->getIdentifier()] = $limitation;
289		}
290
291		$setPasses = false;
292
293		foreach ($permissionSets as $permissionSet) {
		0 ignored issues – show Bug introduced 2016-11-17 09:10 UTC by Report Bug Copy Issue Report The expression `$permissionSets` of type `boolean\|array` is not guaranteed to be traversable. How about adding an additional type check? There are different options of fixing this problem. If you want to be on the safe side, you can add an additional type-check: $collection = json_decode($data, true); if ( ! is_array($collection)) { throw new \RuntimeException('$collection must be an array.'); } foreach ($collection as $item) { /** ... / } If you are sure that the expression is traversable, you might want to add a doc comment cast* to improve IDE auto-completion and static analysis: /** @var array $collection / $collection = json_decode($data, true); foreach ($collection as $item) { /* .. / } Mark the issue as a false-positive*: Just hover the remove button, in the top-right corner of this issue for more options. Loading history...
294		$roleLimitations = [];
295
296		/**
297		* First deal with Role limitation if any.
298		*
299		* Here we accept ACCESS_GRANTED and ACCESS_ABSTAIN, the latter in cases where $object and $targets
300		* are not supported by limitation.
301		*
302		* @var \eZ\Publish\API\Repository\Values\User\Limitation[]
303		*/
304		if ($permissionSet['limitation'] instanceof Limitation) {
305		$limitation = $permissionSet['limitation'];
306		$identifier = $limitation->getIdentifier();
307
308	View Code Duplication	if (isset($queryLimitationMap[$identifier])) {
		0 ignored issues – show Duplication introduced 2016-11-17 09:10 UTC by Report Bug Copy Issue Report This code seems to be duplicated across your project. Duplicated code is one of the most pungent code smells. If you need to duplicate the same code in three or more different places, we strongly encourage you to look into extracting the code into a single class or operation. You can also find more detailed suggestions in the “Code” section of your repository. Loading history...
309		$value = reset($queryLimitationMap[$identifier]->limitationValues);
310		$type = $this->limitationService->getLimitationType($identifier);
311
312		// Try with next role permission set
313		if (!$type->evaluateSingle($limitation, $value)) {
314		continue;
315		}
316		} else {
317		// todo How to decide if this is at all relevant for module/function?
318		// ACCESS_ABSTAIN is returned by evaluate().
319		// Maybe it could be modelled on the permission map instead?
320		$roleLimitations[] = $limitation;
321		}
322		}
323
324		$policyLimitationSet = [];
325
326		$policiesPass = false;
327
328		/**
329		* Loop over all policies.
330		*
331		* These are already filtered by hasAccess and given hasAccess did not return boolean
332		* there must be some, so only return true if one of them says yes.
333		*
334		* @var \eZ\Publish\API\Repository\Values\User\Policy $policy
335		*/
336		foreach ($permissionSet['policies'] as $policy) {
337		$policyLimitations = [];
338
339		$limitations = $policy->getLimitations();
340		if ($limitations === '*') {
341		$limitations = [];
342		}
343
344		/** @var \eZ\Publish\API\Repository\Values\User\Limitation[] $limitations */
345		foreach ($limitations as $limitation) {
346		$identifier = $limitation->getIdentifier();
347
348	View Code Duplication	if (isset($queryLimitationMap[$identifier])) {
		0 ignored issues – show Duplication introduced 2016-11-17 09:10 UTC by Report Bug Copy Issue Report This code seems to be duplicated across your project. Duplicated code is one of the most pungent code smells. If you need to duplicate the same code in three or more different places, we strongly encourage you to look into extracting the code into a single class or operation. You can also find more detailed suggestions in the “Code” section of your repository. Loading history...
349		$value = reset($queryLimitationMap[$identifier]->limitationValues);
350		$type = $this->limitationService->getLimitationType($identifier);
351
352		if ($type->evaluateSingle($limitation, $value)) {
353		// Continue evaluating
354		continue;
355		} else {
356		// Break to next policy, all limitations must either pass or record
357		break 2;
358		}
359		} else {
360		// Record limitation for return
361		$policyLimitations[] = $limitation;
362		}
363		}
364
365		$policiesPass = true;
366
367		// Break if a policy allows access without limitation
368		if (empty($policyLimitations)) {
369		$policyLimitationSet = [];
370		break;
371		}
372
373		// Else, add limitation to policy set
374		$policyLimitationSet[] = $policyLimitations;
375		}
376
377		// Try with next role permission set
378		if (!$policiesPass) {
379		continue;
380		}
381
382		$setPasses = true;
383		$setLimitations = [];
384
385		foreach ($policyLimitationSet as $policyLimitations) {
386		$setLimitations = array_merge($policyLimitations, $roleLimitations);
387		}
388
389		if (empty($setLimitations) && !empty($roleLimitations)) {
390		$setLimitations = $roleLimitations;
391		}
392
393		// Break if a set allows access without limitation
394		if (empty($setLimitations)) {
395		$limitationSets = [];
396		break;
397		}
398
399		$limitationSets = array_merge($limitationSets, [$setLimitations]);
400		}
401
402		$access = PermissionInfo::ACCESS_LIMITED;
403
404		if (!$setPasses) {
405		$access = PermissionInfo::ACCESS_DENIED;
406		} else if (empty($limitationSets)) {
407		$access = PermissionInfo::ACCESS_GRANTED;
408		}
409
410		return new PermissionInfo(
411		[
412		'access' => $access,
413		'limitationSets' => $limitationSets,
414		]
415		);
416		}
417		}
418

ezsystems / ezpublish-kernel

Push — impl-EZP-26000-permission-look... ( ee4870 )

PermissionResolver::lookup() F

Complexity

Size

Duplication

Importance

How to fix Long Method Complexity

Long Method

Duplication Side-by-Side

Filter issues like