vendor/symfony/security-acl/Voter/AclVoter.php line 65

Open in your IDE?
  1. <?php
  3. /*
  4. * This file is part of the Symfony package.
  5. *
  6. * (c) Fabien Potencier <fabien@symfony.com>
  7. *
  8. * For the full copyright and license information, please view the LICENSE
  9. * file that was distributed with this source code.
  10. */
  12. namespace Symfony\Component\Security\Acl\Voter;
  14. use Psr\Log\LoggerInterface;
  15. use Symfony\Component\Security\Acl\Exception\AclNotFoundException;
  16. use Symfony\Component\Security\Acl\Exception\NoAceFoundException;
  17. use Symfony\Component\Security\Acl\Model\AclProviderInterface;
  18. use Symfony\Component\Security\Acl\Model\ObjectIdentityInterface;
  19. use Symfony\Component\Security\Acl\Model\ObjectIdentityRetrievalStrategyInterface;
  20. use Symfony\Component\Security\Acl\Model\SecurityIdentityRetrievalStrategyInterface;
  21. use Symfony\Component\Security\Acl\Permission\PermissionMapInterface;
  22. use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
  23. use Symfony\Component\Security\Core\Authorization\Voter\VoterInterface;
  25. if (class_exists(\Symfony\Component\Security\Core\Security::class)) {
  26. /**
  27. * @internal
  28. */
  29. trait AclVoterTrait
  30. {
  31. public function vote(TokenInterface $token, $subject, array $attributes)
  32. {
  33. return $this->doVote($token, $subject, $attributes);
  34. }
  35. }
  36. } else {
  37. /**
  38. * @internal
  39. */
  40. trait AclVoterTrait
  41. {
  42. public function vote(TokenInterface $token, mixed $subject, array $attributes): int
  43. {
  44. return $this->doVote($token, $subject, $attributes);
  45. }
  46. }
  47. }
  49. /**
  50. * This voter can be used as a base class for implementing your own permissions.
  51. *
  52. * @author Johannes M. Schmitt <schmittjoh@gmail.com>
  53. */
  54. class AclVoter implements VoterInterface
  55. {
  56. use AclVoterTrait;
  58. private $aclProvider;
  59. private $permissionMap;
  60. private $objectIdentityRetrievalStrategy;
  61. private $securityIdentityRetrievalStrategy;
  62. private $allowIfObjectIdentityUnavailable;
  63. private $logger;
  65. public function __construct(AclProviderInterface $aclProvider, ObjectIdentityRetrievalStrategyInterface $oidRetrievalStrategy, SecurityIdentityRetrievalStrategyInterface $sidRetrievalStrategy, PermissionMapInterface $permissionMap, LoggerInterface $logger = null, $allowIfObjectIdentityUnavailable = true)
  66. {
  67. $this->aclProvider = $aclProvider;
  68. $this->permissionMap = $permissionMap;
  69. $this->objectIdentityRetrievalStrategy = $oidRetrievalStrategy;
  70. $this->securityIdentityRetrievalStrategy = $sidRetrievalStrategy;
  71. $this->logger = $logger;
  72. $this->allowIfObjectIdentityUnavailable = $allowIfObjectIdentityUnavailable;
  73. }
  75. public function supportsAttribute($attribute)
  76. {
  77. return \is_string($attribute) && $this->permissionMap->contains($attribute);
  78. }
  80. private function doVote(TokenInterface $token, $subject, array $attributes): int
  81. {
  82. foreach ($attributes as $attribute) {
  83. if (!$this->supportsAttribute($attribute)) {
  84. continue;
  85. }
  87. if (null === $masks = $this->permissionMap->getMasks($attribute, $subject)) {
  88. continue;
  89. }
  91. if (null === $subject) {
  92. if (null !== $this->logger) {
  93. $this->logger->debug(sprintf('Object identity unavailable. Voting to %s.', $this->allowIfObjectIdentityUnavailable ? 'grant access' : 'abstain'));
  94. }
  96. return $this->allowIfObjectIdentityUnavailable ? self::ACCESS_GRANTED : self::ACCESS_ABSTAIN;
  97. } elseif ($subject instanceof FieldVote) {
  98. $field = $subject->getField();
  99. $subject = $subject->getDomainObject();
  100. } else {
  101. $field = null;
  102. }
  104. if ($subject instanceof ObjectIdentityInterface) {
  105. $oid = $subject;
  106. } elseif (null === $oid = $this->objectIdentityRetrievalStrategy->getObjectIdentity($subject)) {
  107. if (null !== $this->logger) {
  108. $this->logger->debug(sprintf('Object identity unavailable. Voting to %s.', $this->allowIfObjectIdentityUnavailable ? 'grant access' : 'abstain'));
  109. }
  111. return $this->allowIfObjectIdentityUnavailable ? self::ACCESS_GRANTED : self::ACCESS_ABSTAIN;
  112. }
  114. if (!$this->supportsClass($oid->getType())) {
  115. return self::ACCESS_ABSTAIN;
  116. }
  118. $sids = $this->securityIdentityRetrievalStrategy->getSecurityIdentities($token);
  120. try {
  121. $acl = $this->aclProvider->findAcl($oid, $sids);
  123. if (null === $field && $acl->isGranted($masks, $sids, false)) {
  124. if (null !== $this->logger) {
  125. $this->logger->debug('ACL found, permission granted. Voting to grant access.');
  126. }
  128. return self::ACCESS_GRANTED;
  129. } elseif (null !== $field && $acl->isFieldGranted($field, $masks, $sids, false)) {
  130. if (null !== $this->logger) {
  131. $this->logger->debug('ACL found, permission granted. Voting to grant access.');
  132. }
  134. return self::ACCESS_GRANTED;
  135. }
  137. if (null !== $this->logger) {
  138. $this->logger->debug('ACL found, insufficient permissions. Voting to deny access.');
  139. }
  141. return self::ACCESS_DENIED;
  142. } catch (AclNotFoundException $e) {
  143. if (null !== $this->logger) {
  144. $this->logger->debug('No ACL found for the object identity. Voting to deny access.');
  145. }
  147. return self::ACCESS_DENIED;
  148. } catch (NoAceFoundException $e) {
  149. if (null !== $this->logger) {
  150. $this->logger->debug('ACL found, no ACE applicable. Voting to deny access.');
  151. }
  153. return self::ACCESS_DENIED;
  154. }
  155. }
  157. // no attribute was supported
  158. return self::ACCESS_ABSTAIN;
  159. }
  161. /**
  162. * You can override this method when writing a voter for a specific domain
  163. * class.
  164. *
  165. * @param string $class The class name
  166. *
  167. * @return bool
  168. */
  169. public function supportsClass($class)
  170. {
  171. return true;
  172. }
  173. }