/
RequestAuthorizationChecker.php
76 lines (67 loc) · 2.74 KB
/
RequestAuthorizationChecker.php
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
<?php
namespace Oro\Bundle\SecurityBundle\Authorization;
use Oro\Bundle\EntityBundle\ORM\EntityClassResolver;
use Oro\Bundle\SecurityBundle\Attribute\Acl as AclAttribute;
use Oro\Bundle\SecurityBundle\Metadata\AclAttributeProvider;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\Security\Core\Authorization\AuthorizationCheckerInterface;
/**
* Provides a set of methods to simplify checking access in controllers.
*/
class RequestAuthorizationChecker
{
private AuthorizationCheckerInterface $authorizationChecker;
private EntityClassResolver $entityClassResolver;
private AclAttributeProvider $attributeProvider;
public function __construct(
AuthorizationCheckerInterface $authorizationChecker,
EntityClassResolver $entityClassResolver,
AclAttributeProvider $attributeProvider
) {
$this->authorizationChecker = $authorizationChecker;
$this->entityClassResolver = $entityClassResolver;
$this->attributeProvider = $attributeProvider;
}
/**
* Checks if an access to the given object is granted for a controller action
* which was taken from the given request object.
*
* @param Request $request
* @param mixed $object
*
* @return int -1 if no access, 0 if can't decide, 1 if access is granted
*/
public function isRequestObjectIsGranted(Request $request, mixed $object): int
{
$aclAttribute = $this->getRequestAcl($request, true);
if ($aclAttribute) {
$class = $aclAttribute->getClass();
$permission = $aclAttribute->getPermission();
if ($permission && $class && is_a($object, $class)) {
return $this->authorizationChecker->isGranted($permission, $object) ? 1 : -1;
}
}
return 0;
}
/**
* Gets ACL attribute for a controller action which was taken from the given request object.
*/
public function getRequestAcl(Request $request, bool $convertClassName = false): ?AclAttribute
{
$controller = $request->attributes->get('_controller');
if (str_contains($controller, '::')) {
[$controllerClass, $controllerMethod] = explode('::', $controller);
} else {
$controllerClass = $controller;
$controllerMethod = '__invoke';
}
$attribute = $this->attributeProvider->findAttribute($controllerClass, $controllerMethod);
if ($convertClassName && null !== $attribute) {
$entityClass = $attribute->getClass();
if ($entityClass && $this->entityClassResolver->isEntity($entityClass)) {
$attribute->setClass($this->entityClassResolver->getEntityClass($entityClass));
}
}
return $attribute;
}
}