vendor/symfony/security-acl/Dbal/MutableAclProvider.php line 43

Open in your IDE?
  1. <?php
  3. /*
  4. * This file is part of the Symfony package.
  5. *
  6. * (c) Fabien Potencier <fabien@symfony.com>
  7. *
  8. * For the full copyright and license information, please view the LICENSE
  9. * file that was distributed with this source code.
  10. */
  12. namespace Symfony\Component\Security\Acl\Dbal;
  14. use Doctrine\DBAL\Connection;
  15. use Doctrine\Persistence\PropertyChangedListener;
  16. use Symfony\Component\Security\Acl\Domain\Acl;
  17. use Symfony\Component\Security\Acl\Domain\Entry;
  18. use Symfony\Component\Security\Acl\Domain\RoleSecurityIdentity;
  19. use Symfony\Component\Security\Acl\Domain\UserSecurityIdentity;
  20. use Symfony\Component\Security\Acl\Exception\AclAlreadyExistsException;
  21. use Symfony\Component\Security\Acl\Exception\ConcurrentModificationException;
  22. use Symfony\Component\Security\Acl\Model\AclCacheInterface;
  23. use Symfony\Component\Security\Acl\Model\AclInterface;
  24. use Symfony\Component\Security\Acl\Model\EntryInterface;
  25. use Symfony\Component\Security\Acl\Model\MutableAclInterface;
  26. use Symfony\Component\Security\Acl\Model\MutableAclProviderInterface;
  27. use Symfony\Component\Security\Acl\Model\ObjectIdentityInterface;
  28. use Symfony\Component\Security\Acl\Model\PermissionGrantingStrategyInterface;
  29. use Symfony\Component\Security\Acl\Model\SecurityIdentityInterface;
  31. /**
  32. * An implementation of the MutableAclProviderInterface using Doctrine DBAL.
  33. *
  34. * @author Johannes M. Schmitt <schmittjoh@gmail.com>
  35. */
  36. class MutableAclProvider extends AclProvider implements MutableAclProviderInterface, PropertyChangedListener
  37. {
  38. private $propertyChanges;
  40. /**
  41. * {@inheritdoc}
  42. */
  43. public function __construct(Connection $connection, PermissionGrantingStrategyInterface $permissionGrantingStrategy, array $options, AclCacheInterface $cache = null)
  44. {
  45. parent::__construct($connection, $permissionGrantingStrategy, $options, $cache);
  47. $this->propertyChanges = new \SplObjectStorage();
  48. }
  50. /**
  51. * {@inheritdoc}
  52. */
  53. public function createAcl(ObjectIdentityInterface $oid)
  54. {
  55. if (false !== $this->retrieveObjectIdentityPrimaryKey($oid)) {
  56. $objectName = method_exists($oid, '__toString') ? $oid : \get_class($oid);
  57. throw new AclAlreadyExistsException(sprintf('%s is already associated with an ACL.', $objectName));
  58. }
  60. $this->connection->beginTransaction();
  61. try {
  62. $this->createObjectIdentity($oid);
  64. $pk = $this->retrieveObjectIdentityPrimaryKey($oid);
  65. $this->connection->executeStatement($this->getInsertObjectIdentityRelationSql($pk, $pk));
  67. $this->connection->commit();
  68. } catch (\Exception $e) {
  69. $this->connection->rollBack();
  71. throw $e;
  72. }
  74. // re-read the ACL from the database to ensure proper caching, etc.
  75. return $this->findAcl($oid);
  76. }
  78. /**
  79. * {@inheritdoc}
  80. */
  81. public function deleteAcl(ObjectIdentityInterface $oid)
  82. {
  83. $this->connection->beginTransaction();
  84. try {
  85. foreach ($this->findChildren($oid, true) as $childOid) {
  86. $this->deleteAcl($childOid);
  87. }
  89. $oidPK = $this->retrieveObjectIdentityPrimaryKey($oid);
  91. $this->deleteAccessControlEntries($oidPK);
  92. $this->deleteObjectIdentityRelations($oidPK);
  93. $this->deleteObjectIdentity($oidPK);
  95. $this->connection->commit();
  96. } catch (\Exception $e) {
  97. $this->connection->rollBack();
  99. throw $e;
  100. }
  102. // evict the ACL from the in-memory identity map
  103. if (isset($this->loadedAcls[$oid->getType()][$oid->getIdentifier()])) {
  104. $this->propertyChanges->offsetUnset($this->loadedAcls[$oid->getType()][$oid->getIdentifier()]);
  105. unset($this->loadedAcls[$oid->getType()][$oid->getIdentifier()]);
  106. }
  108. // evict the ACL from any caches
  109. if (null !== $this->cache) {
  110. $this->cache->evictFromCacheByIdentity($oid);
  111. }
  112. }
  114. /**
  115. * Deletes the security identity from the database.
  116. * ACL entries have the CASCADE option on their foreign key so they will also get deleted.
  117. *
  118. * @throws \InvalidArgumentException
  119. */
  120. public function deleteSecurityIdentity(SecurityIdentityInterface $sid)
  121. {
  122. $this->connection->executeStatement($this->getDeleteSecurityIdentityIdSql($sid));
  123. }
  125. /**
  126. * {@inheritdoc}
  127. */
  128. public function findAcls(array $oids, array $sids = [])
  129. {
  130. $result = parent::findAcls($oids, $sids);
  132. foreach ($result as $oid) {
  133. $acl = $result->offsetGet($oid);
  135. if (false === $this->propertyChanges->contains($acl) && $acl instanceof MutableAclInterface) {
  136. $acl->addPropertyChangedListener($this);
  137. $this->propertyChanges->attach($acl, []);
  138. }
  140. $parentAcl = $acl->getParentAcl();
  141. while (null !== $parentAcl) {
  142. if (false === $this->propertyChanges->contains($parentAcl) && $acl instanceof MutableAclInterface) {
  143. $parentAcl->addPropertyChangedListener($this);
  144. $this->propertyChanges->attach($parentAcl, []);
  145. }
  147. $parentAcl = $parentAcl->getParentAcl();
  148. }
  149. }
  151. return $result;
  152. }
  154. /**
  155. * Implementation of PropertyChangedListener.
  156. *
  157. * This allows us to keep track of which values have been changed, so we don't
  158. * have to do a full introspection when ->updateAcl() is called.
  159. *
  160. * @param mixed $sender
  161. * @param string $propertyName
  162. * @param mixed $oldValue
  163. * @param mixed $newValue
  164. *
  165. * @return void
  166. *
  167. * @throws \InvalidArgumentException
  168. */
  169. public function propertyChanged($sender, $propertyName, $oldValue, $newValue)
  170. {
  171. if (!$sender instanceof MutableAclInterface && !$sender instanceof EntryInterface) {
  172. throw new \InvalidArgumentException('$sender must be an instance of MutableAclInterface, or EntryInterface.');
  173. }
  175. if ($sender instanceof EntryInterface) {
  176. if (null === $sender->getId()) {
  177. return;
  178. }
  180. $ace = $sender;
  181. $sender = $ace->getAcl();
  182. } else {
  183. $ace = null;
  184. }
  186. if (false === $this->propertyChanges->contains($sender)) {
  187. throw new \InvalidArgumentException('$sender is not being tracked by this provider.');
  188. }
  190. $propertyChanges = $this->propertyChanges->offsetGet($sender);
  191. if (null === $ace) {
  192. if (isset($propertyChanges[$propertyName])) {
  193. $oldValue = $propertyChanges[$propertyName][0];
  194. if ($oldValue === $newValue) {
  195. unset($propertyChanges[$propertyName]);
  196. } else {
  197. $propertyChanges[$propertyName] = [$oldValue, $newValue];
  198. }
  199. } else {
  200. $propertyChanges[$propertyName] = [$oldValue, $newValue];
  201. }
  202. } else {
  203. if (!isset($propertyChanges['aces'])) {
  204. $propertyChanges['aces'] = new \SplObjectStorage();
  205. }
  207. $acePropertyChanges = $propertyChanges['aces']->contains($ace) ? $propertyChanges['aces']->offsetGet($ace) : [];
  209. if (isset($acePropertyChanges[$propertyName])) {
  210. $oldValue = $acePropertyChanges[$propertyName][0];
  211. if ($oldValue === $newValue) {
  212. unset($acePropertyChanges[$propertyName]);
  213. } else {
  214. $acePropertyChanges[$propertyName] = [$oldValue, $newValue];
  215. }
  216. } else {
  217. $acePropertyChanges[$propertyName] = [$oldValue, $newValue];
  218. }
  220. if (\count($acePropertyChanges) > 0) {
  221. $propertyChanges['aces']->offsetSet($ace, $acePropertyChanges);
  222. } else {
  223. $propertyChanges['aces']->offsetUnset($ace);
  225. if (0 === \count($propertyChanges['aces'])) {
  226. unset($propertyChanges['aces']);
  227. }
  228. }
  229. }
  231. $this->propertyChanges->offsetSet($sender, $propertyChanges);
  232. }
  234. /**
  235. * {@inheritdoc}
  236. */
  237. public function updateAcl(MutableAclInterface $acl)
  238. {
  239. if (!$this->propertyChanges->contains($acl)) {
  240. throw new \InvalidArgumentException('$acl is not tracked by this provider.');
  241. }
  243. $propertyChanges = $this->propertyChanges->offsetGet($acl);
  244. // check if any changes were made to this ACL
  245. if (0 === \count($propertyChanges)) {
  246. return;
  247. }
  249. $sets = $sharedPropertyChanges = [];
  251. $this->connection->beginTransaction();
  252. try {
  253. if (isset($propertyChanges['entriesInheriting'])) {
  254. $sets[] = 'entries_inheriting = '.$this->connection->getDatabasePlatform()->convertBooleans($propertyChanges['entriesInheriting'][1]);
  255. }
  257. if (isset($propertyChanges['parentAcl'])) {
  258. if (null === $propertyChanges['parentAcl'][1]) {
  259. $sets[] = 'parent_object_identity_id = NULL';
  260. } else {
  261. $sets[] = 'parent_object_identity_id = '.(int) $propertyChanges['parentAcl'][1]->getId();
  262. }
  264. $this->regenerateAncestorRelations($acl);
  265. $childAcls = $this->findAcls($this->findChildren($acl->getObjectIdentity(), false));
  266. foreach ($childAcls as $childOid) {
  267. $this->regenerateAncestorRelations($childAcls[$childOid]);
  268. }
  269. }
  271. // check properties for deleted, and created ACEs, and perform deletions
  272. // we need to perform deletions before updating existing ACEs, in order to
  273. // preserve uniqueness of the order field
  274. if (isset($propertyChanges['classAces'])) {
  275. $this->updateOldAceProperty('classAces', $propertyChanges['classAces']);
  276. }
  277. if (isset($propertyChanges['classFieldAces'])) {
  278. $this->updateOldFieldAceProperty('classFieldAces', $propertyChanges['classFieldAces']);
  279. }
  280. if (isset($propertyChanges['objectAces'])) {
  281. $this->updateOldAceProperty('objectAces', $propertyChanges['objectAces']);
  282. }
  283. if (isset($propertyChanges['objectFieldAces'])) {
  284. $this->updateOldFieldAceProperty('objectFieldAces', $propertyChanges['objectFieldAces']);
  285. }
  287. // this includes only updates of existing ACEs, but neither the creation, nor
  288. // the deletion of ACEs; these are tracked by changes to the ACL's respective
  289. // properties (classAces, classFieldAces, objectAces, objectFieldAces)
  290. if (isset($propertyChanges['aces'])) {
  291. $this->updateAces($propertyChanges['aces']);
  292. }
  294. // check properties for deleted, and created ACEs, and perform creations
  295. if (isset($propertyChanges['classAces'])) {
  296. $this->updateNewAceProperty('classAces', $propertyChanges['classAces']);
  297. $sharedPropertyChanges['classAces'] = $propertyChanges['classAces'];
  298. }
  299. if (isset($propertyChanges['classFieldAces'])) {
  300. $this->updateNewFieldAceProperty('classFieldAces', $propertyChanges['classFieldAces']);
  301. $sharedPropertyChanges['classFieldAces'] = $propertyChanges['classFieldAces'];
  302. }
  303. if (isset($propertyChanges['objectAces'])) {
  304. $this->updateNewAceProperty('objectAces', $propertyChanges['objectAces']);
  305. }
  306. if (isset($propertyChanges['objectFieldAces'])) {
  307. $this->updateNewFieldAceProperty('objectFieldAces', $propertyChanges['objectFieldAces']);
  308. }
  310. // if there have been changes to shared properties, we need to synchronize other
  311. // ACL instances for object identities of the same type that are already in-memory
  312. if (\count($sharedPropertyChanges) > 0) {
  313. $classAcesProperty = new \ReflectionProperty(Acl::class, 'classAces');
  314. $classAcesProperty->setAccessible(true);
  315. $classFieldAcesProperty = new \ReflectionProperty(Acl::class, 'classFieldAces');
  316. $classFieldAcesProperty->setAccessible(true);
  318. foreach ($this->loadedAcls[$acl->getObjectIdentity()->getType()] as $sameTypeAcl) {
  319. if (isset($sharedPropertyChanges['classAces'])) {
  320. if ($acl !== $sameTypeAcl && $classAcesProperty->getValue($sameTypeAcl) !== $sharedPropertyChanges['classAces'][0]) {
  321. throw new ConcurrentModificationException('The "classAces" property has been modified concurrently.');
  322. }
  324. $classAcesProperty->setValue($sameTypeAcl, $sharedPropertyChanges['classAces'][1]);
  325. }
  327. if (isset($sharedPropertyChanges['classFieldAces'])) {
  328. if ($acl !== $sameTypeAcl && $classFieldAcesProperty->getValue($sameTypeAcl) !== $sharedPropertyChanges['classFieldAces'][0]) {
  329. throw new ConcurrentModificationException('The "classFieldAces" property has been modified concurrently.');
  330. }
  332. $classFieldAcesProperty->setValue($sameTypeAcl, $sharedPropertyChanges['classFieldAces'][1]);
  333. }
  334. }
  335. }
  337. // persist any changes to the acl_object_identities table
  338. if (\count($sets) > 0) {
  339. $this->connection->executeStatement($this->getUpdateObjectIdentitySql($acl->getId(), $sets));
  340. }
  342. $this->connection->commit();
  343. } catch (\Exception $e) {
  344. $this->connection->rollBack();
  346. throw $e;
  347. }
  349. $this->propertyChanges->offsetSet($acl, []);
  351. if (null !== $this->cache) {
  352. if (\count($sharedPropertyChanges) > 0) {
  353. // FIXME: Currently, there is no easy way to clear the cache for ACLs
  354. // of a certain type. The problem here is that we need to make
  355. // sure to clear the cache of all child ACLs as well, and these
  356. // child ACLs might be of a different class type.
  357. $this->cache->clearCache();
  358. } else {
  359. // if there are no shared property changes, it's sufficient to just delete
  360. // the cache for this ACL
  361. $this->cache->evictFromCacheByIdentity($acl->getObjectIdentity());
  363. foreach ($this->findChildren($acl->getObjectIdentity()) as $childOid) {
  364. $this->cache->evictFromCacheByIdentity($childOid);
  365. }
  366. }
  367. }
  368. }
  370. /**
  371. * Updates a user security identity when the user's username changes.
  372. *
  373. * @param string $oldUsername
  374. */
  375. public function updateUserSecurityIdentity(UserSecurityIdentity $usid, $oldUsername)
  376. {
  377. $this->connection->executeStatement($this->getUpdateUserSecurityIdentitySql($usid, $oldUsername));
  378. }
  380. /**
  381. * Constructs the SQL for deleting access control entries.
  382. *
  383. * @param int $oidPK
  384. *
  385. * @return string
  386. */
  387. protected function getDeleteAccessControlEntriesSql($oidPK)
  388. {
  389. return sprintf(
  390. 'DELETE FROM %s WHERE object_identity_id = %d',
  391. $this->options['entry_table_name'],
  392. $oidPK
  393. );
  394. }
  396. /**
  397. * Constructs the SQL for deleting a specific ACE.
  398. *
  399. * @param int $acePK
  400. *
  401. * @return string
  402. */
  403. protected function getDeleteAccessControlEntrySql($acePK)
  404. {
  405. return sprintf(
  406. 'DELETE FROM %s WHERE id = %d',
  407. $this->options['entry_table_name'],
  408. $acePK
  409. );
  410. }
  412. /**
  413. * Constructs the SQL for deleting an object identity.
  414. *
  415. * @param int $pk
  416. *
  417. * @return string
  418. */
  419. protected function getDeleteObjectIdentitySql($pk)
  420. {
  421. return sprintf(
  422. 'DELETE FROM %s WHERE id = %d',
  423. $this->options['oid_table_name'],
  424. $pk
  425. );
  426. }
  428. /**
  429. * Constructs the SQL for deleting relation entries.
  430. *
  431. * @param int $pk
  432. *
  433. * @return string
  434. */
  435. protected function getDeleteObjectIdentityRelationsSql($pk)
  436. {
  437. return sprintf(
  438. 'DELETE FROM %s WHERE object_identity_id = %d',
  439. $this->options['oid_ancestors_table_name'],
  440. $pk
  441. );
  442. }
  444. /**
  445. * Constructs the SQL for inserting an ACE.
  446. *
  447. * @param int $classId
  448. * @param int|null $objectIdentityId
  449. * @param string|null $field
  450. * @param int $aceOrder
  451. * @param int $securityIdentityId
  452. * @param string $strategy
  453. * @param int $mask
  454. * @param bool $granting
  455. * @param bool $auditSuccess
  456. * @param bool $auditFailure
  457. *
  458. * @return string
  459. */
  460. protected function getInsertAccessControlEntrySql($classId, $objectIdentityId, $field, $aceOrder, $securityIdentityId, $strategy, $mask, $granting, $auditSuccess, $auditFailure)
  461. {
  462. $query = <<<QUERY
  463. INSERT INTO %s (
  464. class_id,
  465. object_identity_id,
  466. field_name,
  467. ace_order,
  468. security_identity_id,
  469. mask,
  470. granting,
  471. granting_strategy,
  472. audit_success,
  473. audit_failure
  474. )
  475. VALUES (%d, %s, %s, %d, %d, %d, %s, %s, %s, %s)
  476. QUERY;
  478. return sprintf(
  479. $query,
  480. $this->options['entry_table_name'],
  481. $classId,
  482. null === $objectIdentityId ? 'NULL' : (int) $objectIdentityId,
  483. null === $field ? 'NULL' : $this->connection->quote($field),
  484. $aceOrder,
  485. $securityIdentityId,
  486. $mask,
  487. $this->connection->getDatabasePlatform()->convertBooleans($granting),
  488. $this->connection->quote($strategy),
  489. $this->connection->getDatabasePlatform()->convertBooleans($auditSuccess),
  490. $this->connection->getDatabasePlatform()->convertBooleans($auditFailure)
  491. );
  492. }
  494. /**
  495. * Constructs the SQL for inserting a new class type.
  496. *
  497. * @param string $classType
  498. *
  499. * @return string
  500. */
  501. protected function getInsertClassSql($classType)
  502. {
  503. return sprintf(
  504. 'INSERT INTO %s (class_type) VALUES (%s)',
  505. $this->options['class_table_name'],
  506. $this->connection->quote($classType)
  507. );
  508. }
  510. /**
  511. * Constructs the SQL for inserting a relation entry.
  512. *
  513. * @param int $objectIdentityId
  514. * @param int $ancestorId
  515. *
  516. * @return string
  517. */
  518. protected function getInsertObjectIdentityRelationSql($objectIdentityId, $ancestorId)
  519. {
  520. return sprintf(
  521. 'INSERT INTO %s (object_identity_id, ancestor_id) VALUES (%d, %d)',
  522. $this->options['oid_ancestors_table_name'],
  523. $objectIdentityId,
  524. $ancestorId
  525. );
  526. }
  528. /**
  529. * Constructs the SQL for inserting an object identity.
  530. *
  531. * @param string $identifier
  532. * @param int $classId
  533. * @param bool $entriesInheriting
  534. *
  535. * @return string
  536. */
  537. protected function getInsertObjectIdentitySql($identifier, $classId, $entriesInheriting)
  538. {
  539. $query = <<<QUERY
  540. INSERT INTO %s (class_id, object_identifier, entries_inheriting)
  541. VALUES (%d, %s, %s)
  542. QUERY;
  544. return sprintf(
  545. $query,
  546. $this->options['oid_table_name'],
  547. $classId,
  548. $this->connection->quote($identifier),
  549. $this->connection->getDatabasePlatform()->convertBooleans($entriesInheriting)
  550. );
  551. }
  553. /**
  554. * Constructs the SQL for inserting a security identity.
  555. *
  556. * @return string
  557. *
  558. * @throws \InvalidArgumentException
  559. */
  560. protected function getInsertSecurityIdentitySql(SecurityIdentityInterface $sid)
  561. {
  562. if ($sid instanceof UserSecurityIdentity) {
  563. $identifier = $sid->getClass().'-'.$sid->getUsername();
  564. $username = true;
  565. } elseif ($sid instanceof RoleSecurityIdentity) {
  566. $identifier = $sid->getRole();
  567. $username = false;
  568. } else {
  569. throw new \InvalidArgumentException('$sid must either be an instance of UserSecurityIdentity, or RoleSecurityIdentity.');
  570. }
  572. return sprintf(
  573. 'INSERT INTO %s (identifier, username) VALUES (%s, %s)',
  574. $this->options['sid_table_name'],
  575. $this->connection->quote($identifier),
  576. $this->connection->getDatabasePlatform()->convertBooleans($username)
  577. );
  578. }
  580. /**
  581. * Constructs the SQL for selecting an ACE.
  582. *
  583. * @param int $classId
  584. * @param int|null $oid
  585. * @param string|null $field
  586. * @param int $order
  587. *
  588. * @return string
  589. */
  590. protected function getSelectAccessControlEntryIdSql($classId, $oid, $field, $order)
  591. {
  592. return sprintf(
  593. 'SELECT id FROM %s WHERE class_id = %d AND object_identity_id %s AND field_name %s AND ace_order = %d',
  594. $this->options['entry_table_name'],
  595. $classId,
  596. null === $oid
  597. ? 'IS NULL'
  598. : '= '.(int) $oid,
  599. null === $field
  600. ? 'IS NULL'
  601. : '= '.$this->connection->quote($field),
  602. $order
  603. );
  604. }
  606. /**
  607. * Constructs the SQL for selecting the primary key associated with
  608. * the passed class type.
  609. *
  610. * @param string $classType
  611. *
  612. * @return string
  613. */
  614. protected function getSelectClassIdSql($classType)
  615. {
  616. return sprintf(
  617. 'SELECT id FROM %s WHERE class_type = %s',
  618. $this->options['class_table_name'],
  619. $this->connection->quote($classType)
  620. );
  621. }
  623. /**
  624. * Constructs the SQL for selecting the primary key of a security identity.
  625. *
  626. * @return string
  627. *
  628. * @throws \InvalidArgumentException
  629. */
  630. protected function getSelectSecurityIdentityIdSql(SecurityIdentityInterface $sid)
  631. {
  632. if ($sid instanceof UserSecurityIdentity) {
  633. $identifier = $sid->getClass().'-'.$sid->getUsername();
  634. $username = true;
  635. } elseif ($sid instanceof RoleSecurityIdentity) {
  636. $identifier = $sid->getRole();
  637. $username = false;
  638. } else {
  639. throw new \InvalidArgumentException('$sid must either be an instance of UserSecurityIdentity, or RoleSecurityIdentity.');
  640. }
  642. return sprintf(
  643. 'SELECT id FROM %s WHERE identifier = %s AND username = %s',
  644. $this->options['sid_table_name'],
  645. $this->connection->quote($identifier),
  646. $this->connection->getDatabasePlatform()->convertBooleans($username)
  647. );
  648. }
  650. /**
  651. * Constructs the SQL to delete a security identity.
  652. *
  653. * @return string
  654. *
  655. * @throws \InvalidArgumentException
  656. */
  657. protected function getDeleteSecurityIdentityIdSql(SecurityIdentityInterface $sid)
  658. {
  659. $select = $this->getSelectSecurityIdentityIdSql($sid);
  660. $delete = preg_replace('/^SELECT id FROM/', 'DELETE FROM', $select);
  662. return $delete;
  663. }
  665. /**
  666. * Constructs the SQL for updating an object identity.
  667. *
  668. * @param int $pk
  669. *
  670. * @return string
  671. *
  672. * @throws \InvalidArgumentException
  673. */
  674. protected function getUpdateObjectIdentitySql($pk, array $changes)
  675. {
  676. if (0 === \count($changes)) {
  677. throw new \InvalidArgumentException('There are no changes.');
  678. }
  680. return sprintf(
  681. 'UPDATE %s SET %s WHERE id = %d',
  682. $this->options['oid_table_name'],
  683. implode(', ', $changes),
  684. $pk
  685. );
  686. }
  688. /**
  689. * Constructs the SQL for updating a user security identity.
  690. *
  691. * @param string $oldUsername
  692. *
  693. * @return string
  694. */
  695. protected function getUpdateUserSecurityIdentitySql(UserSecurityIdentity $usid, $oldUsername)
  696. {
  697. if ($usid->getUsername() == $oldUsername) {
  698. throw new \InvalidArgumentException('There are no changes.');
  699. }
  701. $oldIdentifier = $usid->getClass().'-'.$oldUsername;
  702. $newIdentifier = $usid->getClass().'-'.$usid->getUsername();
  704. return sprintf(
  705. 'UPDATE %s SET identifier = %s WHERE identifier = %s AND username = %s',
  706. $this->options['sid_table_name'],
  707. $this->connection->quote($newIdentifier),
  708. $this->connection->quote($oldIdentifier),
  709. $this->connection->getDatabasePlatform()->convertBooleans(true)
  710. );
  711. }
  713. /**
  714. * Constructs the SQL for updating an ACE.
  715. *
  716. * @param int $pk
  717. *
  718. * @return string
  719. *
  720. * @throws \InvalidArgumentException
  721. */
  722. protected function getUpdateAccessControlEntrySql($pk, array $sets)
  723. {
  724. if (0 === \count($sets)) {
  725. throw new \InvalidArgumentException('There are no changes.');
  726. }
  728. return sprintf(
  729. 'UPDATE %s SET %s WHERE id = %d',
  730. $this->options['entry_table_name'],
  731. implode(', ', $sets),
  732. $pk
  733. );
  734. }
  736. /**
  737. * Creates the ACL for the passed object identity.
  738. */
  739. private function createObjectIdentity(ObjectIdentityInterface $oid)
  740. {
  741. $classId = $this->createOrRetrieveClassId($oid->getType());
  743. $this->connection->executeStatement($this->getInsertObjectIdentitySql($oid->getIdentifier(), $classId, true));
  744. }
  746. /**
  747. * Returns the primary key for the passed class type.
  748. *
  749. * If the type does not yet exist in the database, it will be created.
  750. *
  751. * @param string $classType
  752. *
  753. * @return int
  754. */
  755. private function createOrRetrieveClassId($classType)
  756. {
  757. if (false !== $id = $this->connection->executeQuery($this->getSelectClassIdSql($classType))->fetchOne()) {
  758. return $id;
  759. }
  761. $this->connection->executeStatement($this->getInsertClassSql($classType));
  763. return $this->connection->executeQuery($this->getSelectClassIdSql($classType))->fetchOne();
  764. }
  766. /**
  767. * Returns the primary key for the passed security identity.
  768. *
  769. * If the security identity does not yet exist in the database, it will be
  770. * created.
  771. *
  772. * @return int
  773. */
  774. private function createOrRetrieveSecurityIdentityId(SecurityIdentityInterface $sid)
  775. {
  776. if (false !== $id = $this->connection->executeQuery($this->getSelectSecurityIdentityIdSql($sid))->fetchOne()) {
  777. return $id;
  778. }
  780. $this->connection->executeStatement($this->getInsertSecurityIdentitySql($sid));
  782. return $this->connection->executeQuery($this->getSelectSecurityIdentityIdSql($sid))->fetchOne();
  783. }
  785. /**
  786. * Deletes all ACEs for the given object identity primary key.
  787. *
  788. * @param int $oidPK
  789. */
  790. private function deleteAccessControlEntries($oidPK)
  791. {
  792. $this->connection->executeStatement($this->getDeleteAccessControlEntriesSql($oidPK));
  793. }
  795. /**
  796. * Deletes the object identity from the database.
  797. *
  798. * @param int $pk
  799. */
  800. private function deleteObjectIdentity($pk)
  801. {
  802. $this->connection->executeStatement($this->getDeleteObjectIdentitySql($pk));
  803. }
  805. /**
  806. * Deletes all entries from the relations table from the database.
  807. *
  808. * @param int $pk
  809. */
  810. private function deleteObjectIdentityRelations($pk)
  811. {
  812. $this->connection->executeStatement($this->getDeleteObjectIdentityRelationsSql($pk));
  813. }
  815. /**
  816. * This regenerates the ancestor table which is used for fast read access.
  817. */
  818. private function regenerateAncestorRelations(AclInterface $acl)
  819. {
  820. $pk = $acl->getId();
  821. $this->connection->executeStatement($this->getDeleteObjectIdentityRelationsSql($pk));
  822. $this->connection->executeStatement($this->getInsertObjectIdentityRelationSql($pk, $pk));
  824. $parentAcl = $acl->getParentAcl();
  825. while (null !== $parentAcl) {
  826. $this->connection->executeStatement($this->getInsertObjectIdentityRelationSql($pk, $parentAcl->getId()));
  828. $parentAcl = $parentAcl->getParentAcl();
  829. }
  830. }
  832. /**
  833. * This processes new entries changes on an ACE related property (classFieldAces, or objectFieldAces).
  834. *
  835. * @param string $name
  836. */
  837. private function updateNewFieldAceProperty($name, array $changes)
  838. {
  839. $sids = new \SplObjectStorage();
  840. $classIds = new \SplObjectStorage();
  841. foreach ($changes[1] as $field => $new) {
  842. for ($i = 0, $c = \count($new); $i < $c; ++$i) {
  843. $ace = $new[$i];
  845. if (null === $ace->getId()) {
  846. if ($sids->contains($ace->getSecurityIdentity())) {
  847. $sid = $sids->offsetGet($ace->getSecurityIdentity());
  848. } else {
  849. $sid = $this->createOrRetrieveSecurityIdentityId($ace->getSecurityIdentity());
  850. }
  852. $oid = $ace->getAcl()->getObjectIdentity();
  853. if ($classIds->contains($oid)) {
  854. $classId = $classIds->offsetGet($oid);
  855. } else {
  856. $classId = $this->createOrRetrieveClassId($oid->getType());
  857. }
  859. $objectIdentityId = 'classFieldAces' === $name ? null : $ace->getAcl()->getId();
  861. $this->connection->executeStatement($this->getInsertAccessControlEntrySql($classId, $objectIdentityId, $field, $i, $sid, $ace->getStrategy(), $ace->getMask(), $ace->isGranting(), $ace->isAuditSuccess(), $ace->isAuditFailure()));
  862. $aceId = $this->connection->executeQuery($this->getSelectAccessControlEntryIdSql($classId, $objectIdentityId, $field, $i))->fetchOne();
  863. $this->loadedAces[$aceId] = $ace;
  865. $aceIdProperty = new \ReflectionProperty(Entry::class, 'id');
  866. $aceIdProperty->setAccessible(true);
  867. $aceIdProperty->setValue($ace, (int) $aceId);
  868. }
  869. }
  870. }
  871. }
  873. /**
  874. * This processes old entries changes on an ACE related property (classFieldAces, or objectFieldAces).
  875. *
  876. * @param string $name
  877. */
  878. private function updateOldFieldAceProperty($name, array $changes)
  879. {
  880. $currentIds = [];
  881. foreach ($changes[1] as $field => $new) {
  882. for ($i = 0, $c = \count($new); $i < $c; ++$i) {
  883. $ace = $new[$i];
  885. if (null !== $ace->getId()) {
  886. $currentIds[$ace->getId()] = true;
  887. }
  888. }
  889. }
  891. foreach ($changes[0] as $old) {
  892. for ($i = 0, $c = \count($old); $i < $c; ++$i) {
  893. $ace = $old[$i];
  895. if (!isset($currentIds[$ace->getId()])) {
  896. $this->connection->executeStatement($this->getDeleteAccessControlEntrySql($ace->getId()));
  897. unset($this->loadedAces[$ace->getId()]);
  898. }
  899. }
  900. }
  901. }
  903. /**
  904. * This processes new entries changes on an ACE related property (classAces, or objectAces).
  905. *
  906. * @param string $name
  907. */
  908. private function updateNewAceProperty($name, array $changes)
  909. {
  910. [$old, $new] = $changes;
  912. $sids = new \SplObjectStorage();
  913. $classIds = new \SplObjectStorage();
  914. for ($i = 0, $c = \count($new); $i < $c; ++$i) {
  915. $ace = $new[$i];
  917. if (null === $ace->getId()) {
  918. if ($sids->contains($ace->getSecurityIdentity())) {
  919. $sid = $sids->offsetGet($ace->getSecurityIdentity());
  920. } else {
  921. $sid = $this->createOrRetrieveSecurityIdentityId($ace->getSecurityIdentity());
  922. }
  924. $oid = $ace->getAcl()->getObjectIdentity();
  925. if ($classIds->contains($oid)) {
  926. $classId = $classIds->offsetGet($oid);
  927. } else {
  928. $classId = $this->createOrRetrieveClassId($oid->getType());
  929. }
  931. $objectIdentityId = 'classAces' === $name ? null : $ace->getAcl()->getId();
  933. $this->connection->executeStatement($this->getInsertAccessControlEntrySql($classId, $objectIdentityId, null, $i, $sid, $ace->getStrategy(), $ace->getMask(), $ace->isGranting(), $ace->isAuditSuccess(), $ace->isAuditFailure()));
  934. $aceId = $this->connection->executeQuery($this->getSelectAccessControlEntryIdSql($classId, $objectIdentityId, null, $i))->fetchOne();
  935. $this->loadedAces[$aceId] = $ace;
  937. $aceIdProperty = new \ReflectionProperty($ace, 'id');
  938. $aceIdProperty->setAccessible(true);
  939. $aceIdProperty->setValue($ace, (int) $aceId);
  940. }
  941. }
  942. }
  944. /**
  945. * This processes old entries changes on an ACE related property (classAces, or objectAces).
  946. *
  947. * @param string $name
  948. */
  949. private function updateOldAceProperty($name, array $changes)
  950. {
  951. [$old, $new] = $changes;
  952. $currentIds = [];
  954. for ($i = 0, $c = \count($new); $i < $c; ++$i) {
  955. $ace = $new[$i];
  957. if (null !== $ace->getId()) {
  958. $currentIds[$ace->getId()] = true;
  959. }
  960. }
  962. for ($i = 0, $c = \count($old); $i < $c; ++$i) {
  963. $ace = $old[$i];
  965. if (!isset($currentIds[$ace->getId()])) {
  966. $this->connection->executeStatement($this->getDeleteAccessControlEntrySql($ace->getId()));
  967. unset($this->loadedAces[$ace->getId()]);
  968. }
  969. }
  970. }
  972. /**
  973. * Persists the changes which were made to ACEs to the database.
  974. */
  975. private function updateAces(\SplObjectStorage $aces)
  976. {
  977. foreach ($aces as $ace) {
  978. $this->updateAce($aces, $ace);
  979. }
  980. }
  982. private function updateAce(\SplObjectStorage $aces, $ace)
  983. {
  984. $propertyChanges = $aces->offsetGet($ace);
  985. $sets = [];
  987. if (isset($propertyChanges['aceOrder'])
  988. && $propertyChanges['aceOrder'][1] > $propertyChanges['aceOrder'][0]
  989. && $propertyChanges == $aces->offsetGet($ace)) {
  990. $aces->next();
  991. if ($aces->valid()) {
  992. $this->updateAce($aces, $aces->current());
  993. }
  994. }
  996. if (isset($propertyChanges['mask'])) {
  997. $sets[] = sprintf('mask = %d', $propertyChanges['mask'][1]);
  998. }
  999. if (isset($propertyChanges['strategy'])) {
  1000. $sets[] = sprintf('granting_strategy = %s', $this->connection->quote($propertyChanges['strategy']));
  1001. }
  1002. if (isset($propertyChanges['aceOrder'])) {
  1003. $sets[] = sprintf('ace_order = %d', $propertyChanges['aceOrder'][1]);
  1004. }
  1005. if (isset($propertyChanges['auditSuccess'])) {
  1006. $sets[] = sprintf('audit_success = %s', $this->connection->getDatabasePlatform()->convertBooleans($propertyChanges['auditSuccess'][1]));
  1007. }
  1008. if (isset($propertyChanges['auditFailure'])) {
  1009. $sets[] = sprintf('audit_failure = %s', $this->connection->getDatabasePlatform()->convertBooleans($propertyChanges['auditFailure'][1]));
  1010. }
  1012. $this->connection->executeStatement($this->getUpdateAccessControlEntrySql($ace->getId(), $sets));
  1013. }
  1014. }