<?php |
declare(strict_types=1); |
namespace Application\Acl; |
use Application\Acl\Assertion\CanUpdateCard; |
use Application\Acl\Assertion\IsCreator; |
use Application\Acl\Assertion\IsNotSuggestion; |
use Application\Acl\Assertion\IsOwnerOrResponsible; |
use Application\Acl\Assertion\IsSuggestion; |
use Application\Acl\Assertion\SameSite; |
use Application\Acl\Assertion\Visibility; |
use Application\Enum\CollectionVisibility; |
use Application\Model\AntiqueName; |
use Application\Model\Artist; |
use Application\Model\Card; |
use Application\Model\Change; |
use Application\Model\Collection; |
use Application\Model\Country; |
use Application\Model\Dating; |
use Application\Model\DocumentType; |
use Application\Model\Domain; |
use Application\Model\Export; |
use Application\Model\File; |
use Application\Model\Institution; |
use Application\Model\Material; |
use Application\Model\News; |
use Application\Model\Period; |
use Application\Model\Statistic; |
use Application\Model\Tag; |
use Application\Model\User; |
use Ecodev\Felix\Acl\Assertion\All; |
use Ecodev\Felix\Acl\Assertion\IsMyself; |
use Ecodev\Felix\Acl\Assertion\One; |
class Acl extends \Ecodev\Felix\Acl\Acl
{
    /**
     * Declares the role hierarchy, the protected model resources and every allow rule of the application.
     *
     * Roles form one inheritance chain anonymous → student → junior → senior → major, each role
     * inheriting everything granted to the previous one. The administrator role deliberately
     * inherits from anonymous only, so nothing granted to the student…major chain is implied for it:
     * every administrator privilege is listed explicitly in the last section.
     *
     * Reading this file is the fastest way to audit who may mutate what: any rule carrying an
     * assertion (SameSite, IsOwnerOrResponsible, …) is conditional and is evaluated per request by
     * that assertion; a rule without assertion is unconditional for the role.
     * Anything not granted here is not granted by this class at all (presumably denied by the
     * parent ACL's default — confirm in \Ecodev\Felix\Acl\Acl).
     */
    public function __construct()
    {
        parent::__construct();

        // Role hierarchy: [role, role it inherits from]. Order is kept so each parent exists before its child.
        $this->addRole(User::ROLE_ANONYMOUS);
        $roleHierarchy = [
            [User::ROLE_STUDENT, User::ROLE_ANONYMOUS],
            [User::ROLE_JUNIOR, User::ROLE_STUDENT],
            [User::ROLE_SENIOR, User::ROLE_JUNIOR],
            [User::ROLE_MAJOR, User::ROLE_SENIOR],
            // Administrator branches off anonymous directly, on purpose (see class docblock).
            [User::ROLE_ADMINISTRATOR, User::ROLE_ANONYMOUS],
        ];
        foreach ($roleHierarchy as [$role, $inheritedRole]) {
            $this->addRole($role, $inheritedRole);
        }

        // One ACL resource per model class that is subject to access control.
        $artist = $this->createModelResource(Artist::class);
        $card = $this->createModelResource(Card::class);
        $change = $this->createModelResource(Change::class);
        $collection = $this->createModelResource(Collection::class);
        $country = $this->createModelResource(Country::class);
        $dating = $this->createModelResource(Dating::class);
        $institution = $this->createModelResource(Institution::class);
        $tag = $this->createModelResource(Tag::class);
        $user = $this->createModelResource(User::class);
        $file = $this->createModelResource(File::class);
        $export = $this->createModelResource(Export::class);

        $documentType = $this->createModelResource(DocumentType::class);
        $domain = $this->createModelResource(Domain::class);
        $material = $this->createModelResource(Material::class);
        $antiqueName = $this->createModelResource(AntiqueName::class);
        $news = $this->createModelResource(News::class);
        $period = $this->createModelResource(Period::class);
        $statistic = $this->createModelResource(Statistic::class);

        // Anonymous: unconditional read on the public catalogue. Note that collection, change,
        // user and statistic are NOT in this list, so they are invisible to unauthenticated users.
        $publiclyReadable = [
            $artist,
            $card,
            $country,
            $dating,
            $institution,
            $tag,
            $documentType,
            $domain,
            $material,
            $antiqueName,
            $news,
            $period,
            $file,
        ];
        foreach ($publiclyReadable as $publicResource) {
            $this->allow(User::ROLE_ANONYMOUS, $publicResource, 'read');
        }
        // Exports may be both read and created without authentication.
        $this->allow(User::ROLE_ANONYMOUS, $export, ['read', 'create']);

        // Student: may contribute content on its own site; editing is restricted to suggestions
        // it owns or is responsible for, and collection/user mutations are bound to the same site.
        $this->allow(User::ROLE_STUDENT, $artist, 'create', new SameSite());
        $this->allow(User::ROLE_STUDENT, $card, 'create', new SameSite());
        $this->allow(User::ROLE_STUDENT, $card, ['update'], new All(new IsSuggestion(), new IsOwnerOrResponsible(), new SameSite()));
        // File mutations are delegated entirely to the card-level check.
        $this->allow(User::ROLE_STUDENT, $file, ['create', 'update', 'delete'], new CanUpdateCard());
        $this->allow(User::ROLE_STUDENT, $collection, 'read');
        // Changes are only readable by their owner/responsible, not by every student.
        $this->allow(User::ROLE_STUDENT, $change, 'read', new IsOwnerOrResponsible());
        $this->allow(User::ROLE_STUDENT, $change, 'create', new SameSite());
        $this->allow(User::ROLE_STUDENT, $collection, 'create', new SameSite());
        $this->allow(User::ROLE_STUDENT, $collection, ['update', 'delete', 'linkCard'], new All(new IsOwnerOrResponsible(), new SameSite()));
        $this->allow(User::ROLE_STUDENT, $institution, 'create', new SameSite());
        $this->allow(User::ROLE_STUDENT, $tag, 'create', new SameSite());
        $this->allow(User::ROLE_STUDENT, $user, 'read');
        // A student may only touch its own account, and only on its own site.
        $this->allow(User::ROLE_STUDENT, $user, ['update', 'delete'], new All(new IsMyself(), new SameSite()));

        // Junior: may update its own cards even when they are not suggestions,
        // and delete its own non-suggestion cards.
        $this->allow(User::ROLE_JUNIOR, $card, ['update'], new All(new IsOwnerOrResponsible(), new SameSite()));
        $this->allow(User::ROLE_JUNIOR, $card, ['delete'], new All(new IsNotSuggestion(), new IsOwnerOrResponsible(), new SameSite()));

        // Senior: card deletion no longer excludes suggestions.
        $this->allow(User::ROLE_SENIOR, $card, ['delete'], new All(new IsOwnerOrResponsible(), new SameSite()));

        // Major: collection deletion for owned collections, and linking cards to any same-site collection.
        $this->allow(User::ROLE_MAJOR, $collection, 'delete', new All(new IsOwnerOrResponsible(), new SameSite()));
        $this->allow(User::ROLE_MAJOR, $collection, ['linkCard'], new SameSite());

        // Administrator inherits only the anonymous read rules above and is granted
        // **almost** everything else explicitly. The pattern for most resources is an
        // unconditional 'read' plus all other privileges (null) restricted to the same site.
        $grantReadAndManageOnSameSite = function ($resource): void {
            $this->allow(User::ROLE_ADMINISTRATOR, $resource, 'read');
            $this->allow(User::ROLE_ADMINISTRATOR, $resource, null, new SameSite());
        };

        $this->allow(User::ROLE_ADMINISTRATOR, $artist, null, new SameSite());
        $grantReadAndManageOnSameSite($card);
        $this->allow(User::ROLE_ADMINISTRATOR, $change, null, new SameSite());
        $this->allow(User::ROLE_ADMINISTRATOR, $collection, 'create', new SameSite());
        // Collections: all privileges require the same site AND one of
        // owner/responsible, creator, or a Member/Administrator visibility.
        $this->allow(User::ROLE_ADMINISTRATOR, $collection, null, new All(new One(new IsOwnerOrResponsible(), new IsCreator(), new Visibility([CollectionVisibility::Member, CollectionVisibility::Administrator])), new SameSite()));
        foreach ([$institution, $tag, $user] as $managedResource) {
            $grantReadAndManageOnSameSite($managedResource);
        }
        // NOTE(review): this $news rule is declared a second time a few lines below (together with
        // its 'read'); the duplicate is redundant but kept as-is to preserve behaviour.
        $this->allow(User::ROLE_ADMINISTRATOR, $news, null, new SameSite());
        foreach ([$documentType, $domain, $material, $antiqueName, $news, $period] as $managedResource) {
            $grantReadAndManageOnSameSite($managedResource);
        }
        // Statistics are read-only even for administrators.
        $this->allow(User::ROLE_ADMINISTRATOR, $statistic, 'read');
        // Files: no blanket same-site rule; mutations go through the card-level check like for students.
        $this->allow(User::ROLE_ADMINISTRATOR, $file, 'read');
        $this->allow(User::ROLE_ADMINISTRATOR, $file, ['create', 'update', 'delete'], new CanUpdateCard());
    }
}