881 lines
32 KiB
PHP
881 lines
32 KiB
PHP
<?php
|
|
|
|
/*
|
|
* This file is part of the Symfony package.
|
|
*
|
|
* (c) Fabien Potencier <fabien@symfony.com>
|
|
*
|
|
* For the full copyright and license information, please view the LICENSE
|
|
* file that was distributed with this source code.
|
|
*/
|
|
|
|
namespace Symfony\Component\Security\Acl\Dbal;
|
|
|
|
use Doctrine\Common\PropertyChangedListener;
|
|
use Doctrine\DBAL\Driver\Connection;
|
|
use Symfony\Component\Security\Acl\Domain\RoleSecurityIdentity;
|
|
use Symfony\Component\Security\Acl\Domain\UserSecurityIdentity;
|
|
use Symfony\Component\Security\Acl\Exception\AclAlreadyExistsException;
|
|
use Symfony\Component\Security\Acl\Exception\ConcurrentModificationException;
|
|
use Symfony\Component\Security\Acl\Model\AclCacheInterface;
|
|
use Symfony\Component\Security\Acl\Model\AclInterface;
|
|
use Symfony\Component\Security\Acl\Model\EntryInterface;
|
|
use Symfony\Component\Security\Acl\Model\MutableAclInterface;
|
|
use Symfony\Component\Security\Acl\Model\MutableAclProviderInterface;
|
|
use Symfony\Component\Security\Acl\Model\ObjectIdentityInterface;
|
|
use Symfony\Component\Security\Acl\Model\PermissionGrantingStrategyInterface;
|
|
use Symfony\Component\Security\Acl\Model\SecurityIdentityInterface;
|
|
|
|
/**
|
|
* An implementation of the MutableAclProviderInterface using Doctrine DBAL.
|
|
*
|
|
* @author Johannes M. Schmitt <schmittjoh@gmail.com>
|
|
*/
|
|
class MutableAclProvider extends AclProvider implements MutableAclProviderInterface, PropertyChangedListener
|
|
{
|
|
private $propertyChanges;
|
|
|
|
/**
|
|
* {@inheritDoc}
|
|
*/
|
|
public function __construct(Connection $connection, PermissionGrantingStrategyInterface $permissionGrantingStrategy, array $options, AclCacheInterface $cache = null)
|
|
{
|
|
parent::__construct($connection, $permissionGrantingStrategy, $options, $cache);
|
|
|
|
$this->propertyChanges = new \SplObjectStorage();
|
|
}
|
|
|
|
/**
|
|
* {@inheritDoc}
|
|
*/
|
|
public function createAcl(ObjectIdentityInterface $oid)
|
|
{
|
|
if (false !== $this->retrieveObjectIdentityPrimaryKey($oid)) {
|
|
throw new AclAlreadyExistsException(sprintf('%s is already associated with an ACL.', $oid));
|
|
}
|
|
|
|
$this->connection->beginTransaction();
|
|
try {
|
|
$this->createObjectIdentity($oid);
|
|
|
|
$pk = $this->retrieveObjectIdentityPrimaryKey($oid);
|
|
$this->connection->executeQuery($this->getInsertObjectIdentityRelationSql($pk, $pk));
|
|
|
|
$this->connection->commit();
|
|
} catch (\Exception $failed) {
|
|
$this->connection->rollBack();
|
|
|
|
throw $failed;
|
|
}
|
|
|
|
// re-read the ACL from the database to ensure proper caching, etc.
|
|
return $this->findAcl($oid);
|
|
}
|
|
|
|
/**
|
|
* {@inheritDoc}
|
|
*/
|
|
public function deleteAcl(ObjectIdentityInterface $oid)
|
|
{
|
|
$this->connection->beginTransaction();
|
|
try {
|
|
foreach ($this->findChildren($oid, true) as $childOid) {
|
|
$this->deleteAcl($childOid);
|
|
}
|
|
|
|
$oidPK = $this->retrieveObjectIdentityPrimaryKey($oid);
|
|
|
|
$this->deleteAccessControlEntries($oidPK);
|
|
$this->deleteObjectIdentityRelations($oidPK);
|
|
$this->deleteObjectIdentity($oidPK);
|
|
|
|
$this->connection->commit();
|
|
} catch (\Exception $failed) {
|
|
$this->connection->rollBack();
|
|
|
|
throw $failed;
|
|
}
|
|
|
|
// evict the ACL from the in-memory identity map
|
|
if (isset($this->loadedAcls[$oid->getType()][$oid->getIdentifier()])) {
|
|
$this->propertyChanges->offsetUnset($this->loadedAcls[$oid->getType()][$oid->getIdentifier()]);
|
|
unset($this->loadedAcls[$oid->getType()][$oid->getIdentifier()]);
|
|
}
|
|
|
|
// evict the ACL from any caches
|
|
if (null !== $this->cache) {
|
|
$this->cache->evictFromCacheByIdentity($oid);
|
|
}
|
|
}
|
|
|
|
/**
|
|
* {@inheritDoc}
|
|
*/
|
|
public function findAcls(array $oids, array $sids = array())
|
|
{
|
|
$result = parent::findAcls($oids, $sids);
|
|
|
|
foreach ($result as $oid) {
|
|
$acl = $result->offsetGet($oid);
|
|
|
|
if (false === $this->propertyChanges->contains($acl) && $acl instanceof MutableAclInterface) {
|
|
$acl->addPropertyChangedListener($this);
|
|
$this->propertyChanges->attach($acl, array());
|
|
}
|
|
|
|
$parentAcl = $acl->getParentAcl();
|
|
while (null !== $parentAcl) {
|
|
if (false === $this->propertyChanges->contains($parentAcl) && $acl instanceof MutableAclInterface) {
|
|
$parentAcl->addPropertyChangedListener($this);
|
|
$this->propertyChanges->attach($parentAcl, array());
|
|
}
|
|
|
|
$parentAcl = $parentAcl->getParentAcl();
|
|
}
|
|
}
|
|
|
|
return $result;
|
|
}
|
|
|
|
/**
|
|
* Implementation of PropertyChangedListener
|
|
*
|
|
* This allows us to keep track of which values have been changed, so we don't
|
|
* have to do a full introspection when ->updateAcl() is called.
|
|
*
|
|
* @param mixed $sender
|
|
* @param string $propertyName
|
|
* @param mixed $oldValue
|
|
* @param mixed $newValue
|
|
*/
|
|
public function propertyChanged($sender, $propertyName, $oldValue, $newValue)
|
|
{
|
|
if (!$sender instanceof MutableAclInterface && !$sender instanceof EntryInterface) {
|
|
throw new \InvalidArgumentException('$sender must be an instance of MutableAclInterface, or EntryInterface.');
|
|
}
|
|
|
|
if ($sender instanceof EntryInterface) {
|
|
if (null === $sender->getId()) {
|
|
return;
|
|
}
|
|
|
|
$ace = $sender;
|
|
$sender = $ace->getAcl();
|
|
} else {
|
|
$ace = null;
|
|
}
|
|
|
|
if (false === $this->propertyChanges->contains($sender)) {
|
|
throw new \InvalidArgumentException('$sender is not being tracked by this provider.');
|
|
}
|
|
|
|
$propertyChanges = $this->propertyChanges->offsetGet($sender);
|
|
if (null === $ace) {
|
|
if (isset($propertyChanges[$propertyName])) {
|
|
$oldValue = $propertyChanges[$propertyName][0];
|
|
if ($oldValue === $newValue) {
|
|
unset($propertyChanges[$propertyName]);
|
|
} else {
|
|
$propertyChanges[$propertyName] = array($oldValue, $newValue);
|
|
}
|
|
} else {
|
|
$propertyChanges[$propertyName] = array($oldValue, $newValue);
|
|
}
|
|
} else {
|
|
if (!isset($propertyChanges['aces'])) {
|
|
$propertyChanges['aces'] = new \SplObjectStorage();
|
|
}
|
|
|
|
$acePropertyChanges = $propertyChanges['aces']->contains($ace)? $propertyChanges['aces']->offsetGet($ace) : array();
|
|
|
|
if (isset($acePropertyChanges[$propertyName])) {
|
|
$oldValue = $acePropertyChanges[$propertyName][0];
|
|
if ($oldValue === $newValue) {
|
|
unset($acePropertyChanges[$propertyName]);
|
|
} else {
|
|
$acePropertyChanges[$propertyName] = array($oldValue, $newValue);
|
|
}
|
|
} else {
|
|
$acePropertyChanges[$propertyName] = array($oldValue, $newValue);
|
|
}
|
|
|
|
if (count($acePropertyChanges) > 0) {
|
|
$propertyChanges['aces']->offsetSet($ace, $acePropertyChanges);
|
|
} else {
|
|
$propertyChanges['aces']->offsetUnset($ace);
|
|
|
|
if (0 === count($propertyChanges['aces'])) {
|
|
unset($propertyChanges['aces']);
|
|
}
|
|
}
|
|
}
|
|
|
|
$this->propertyChanges->offsetSet($sender, $propertyChanges);
|
|
}
|
|
|
|
/**
|
|
* {@inheritDoc}
|
|
*/
|
|
public function updateAcl(MutableAclInterface $acl)
|
|
{
|
|
if (!$this->propertyChanges->contains($acl)) {
|
|
throw new \InvalidArgumentException('$acl is not tracked by this provider.');
|
|
}
|
|
|
|
$propertyChanges = $this->propertyChanges->offsetGet($acl);
|
|
// check if any changes were made to this ACL
|
|
if (0 === count($propertyChanges)) {
|
|
return;
|
|
}
|
|
|
|
$sets = $sharedPropertyChanges = array();
|
|
|
|
$this->connection->beginTransaction();
|
|
try {
|
|
if (isset($propertyChanges['entriesInheriting'])) {
|
|
$sets[] = 'entries_inheriting = '.$this->connection->getDatabasePlatform()->convertBooleans($propertyChanges['entriesInheriting'][1]);
|
|
}
|
|
|
|
if (isset($propertyChanges['parentAcl'])) {
|
|
if (null === $propertyChanges['parentAcl'][1]) {
|
|
$sets[] = 'parent_object_identity_id = NULL';
|
|
} else {
|
|
$sets[] = 'parent_object_identity_id = '.intval($propertyChanges['parentAcl'][1]->getId());
|
|
}
|
|
|
|
$this->regenerateAncestorRelations($acl);
|
|
$childAcls = $this->findAcls($this->findChildren($acl->getObjectIdentity(), false));
|
|
foreach ($childAcls as $childOid) {
|
|
$this->regenerateAncestorRelations($childAcls[$childOid]);
|
|
}
|
|
}
|
|
|
|
// this includes only updates of existing ACEs, but neither the creation, nor
|
|
// the deletion of ACEs; these are tracked by changes to the ACL's respective
|
|
// properties (classAces, classFieldAces, objectAces, objectFieldAces)
|
|
if (isset($propertyChanges['aces'])) {
|
|
$this->updateAces($propertyChanges['aces']);
|
|
}
|
|
|
|
// check properties for deleted, and created ACEs
|
|
if (isset($propertyChanges['classAces'])) {
|
|
$this->updateAceProperty('classAces', $propertyChanges['classAces']);
|
|
$sharedPropertyChanges['classAces'] = $propertyChanges['classAces'];
|
|
}
|
|
if (isset($propertyChanges['classFieldAces'])) {
|
|
$this->updateFieldAceProperty('classFieldAces', $propertyChanges['classFieldAces']);
|
|
$sharedPropertyChanges['classFieldAces'] = $propertyChanges['classFieldAces'];
|
|
}
|
|
if (isset($propertyChanges['objectAces'])) {
|
|
$this->updateAceProperty('objectAces', $propertyChanges['objectAces']);
|
|
}
|
|
if (isset($propertyChanges['objectFieldAces'])) {
|
|
$this->updateFieldAceProperty('objectFieldAces', $propertyChanges['objectFieldAces']);
|
|
}
|
|
|
|
// if there have been changes to shared properties, we need to synchronize other
|
|
// ACL instances for object identities of the same type that are already in-memory
|
|
if (count($sharedPropertyChanges) > 0) {
|
|
$classAcesProperty = new \ReflectionProperty('Symfony\Component\Security\Acl\Domain\Acl', 'classAces');
|
|
$classAcesProperty->setAccessible(true);
|
|
$classFieldAcesProperty = new \ReflectionProperty('Symfony\Component\Security\Acl\Domain\Acl', 'classFieldAces');
|
|
$classFieldAcesProperty->setAccessible(true);
|
|
|
|
foreach ($this->loadedAcls[$acl->getObjectIdentity()->getType()] as $sameTypeAcl) {
|
|
if (isset($sharedPropertyChanges['classAces'])) {
|
|
if ($acl !== $sameTypeAcl && $classAcesProperty->getValue($sameTypeAcl) !== $sharedPropertyChanges['classAces'][0]) {
|
|
throw new ConcurrentModificationException('The "classAces" property has been modified concurrently.');
|
|
}
|
|
|
|
$classAcesProperty->setValue($sameTypeAcl, $sharedPropertyChanges['classAces'][1]);
|
|
}
|
|
|
|
if (isset($sharedPropertyChanges['classFieldAces'])) {
|
|
if ($acl !== $sameTypeAcl && $classFieldAcesProperty->getValue($sameTypeAcl) !== $sharedPropertyChanges['classFieldAces'][0]) {
|
|
throw new ConcurrentModificationException('The "classFieldAces" property has been modified concurrently.');
|
|
}
|
|
|
|
$classFieldAcesProperty->setValue($sameTypeAcl, $sharedPropertyChanges['classFieldAces'][1]);
|
|
}
|
|
}
|
|
}
|
|
|
|
// persist any changes to the acl_object_identities table
|
|
if (count($sets) > 0) {
|
|
$this->connection->executeQuery($this->getUpdateObjectIdentitySql($acl->getId(), $sets));
|
|
}
|
|
|
|
$this->connection->commit();
|
|
} catch (\Exception $failed) {
|
|
$this->connection->rollBack();
|
|
|
|
throw $failed;
|
|
}
|
|
|
|
$this->propertyChanges->offsetSet($acl, array());
|
|
|
|
if (null !== $this->cache) {
|
|
if (count($sharedPropertyChanges) > 0) {
|
|
// FIXME: Currently, there is no easy way to clear the cache for ACLs
|
|
// of a certain type. The problem here is that we need to make
|
|
// sure to clear the cache of all child ACLs as well, and these
|
|
// child ACLs might be of a different class type.
|
|
$this->cache->clearCache();
|
|
} else {
|
|
// if there are no shared property changes, it's sufficient to just delete
|
|
// the cache for this ACL
|
|
$this->cache->evictFromCacheByIdentity($acl->getObjectIdentity());
|
|
|
|
foreach ($this->findChildren($acl->getObjectIdentity()) as $childOid) {
|
|
$this->cache->evictFromCacheByIdentity($childOid);
|
|
}
|
|
}
|
|
}
|
|
}
|
|
|
|
/**
|
|
* Constructs the SQL for deleting access control entries.
|
|
*
|
|
* @param integer $oidPK
|
|
* @return string
|
|
*/
|
|
protected function getDeleteAccessControlEntriesSql($oidPK)
|
|
{
|
|
return sprintf(
|
|
'DELETE FROM %s WHERE object_identity_id = %d',
|
|
$this->options['entry_table_name'],
|
|
$oidPK
|
|
);
|
|
}
|
|
|
|
/**
|
|
* Constructs the SQL for deleting a specific ACE.
|
|
*
|
|
* @param integer $acePK
|
|
* @return string
|
|
*/
|
|
protected function getDeleteAccessControlEntrySql($acePK)
|
|
{
|
|
return sprintf(
|
|
'DELETE FROM %s WHERE id = %d',
|
|
$this->options['entry_table_name'],
|
|
$acePK
|
|
);
|
|
}
|
|
|
|
/**
|
|
* Constructs the SQL for deleting an object identity.
|
|
*
|
|
* @param integer $pk
|
|
* @return string
|
|
*/
|
|
protected function getDeleteObjectIdentitySql($pk)
|
|
{
|
|
return sprintf(
|
|
'DELETE FROM %s WHERE id = %d',
|
|
$this->options['oid_table_name'],
|
|
$pk
|
|
);
|
|
}
|
|
|
|
/**
|
|
* Constructs the SQL for deleting relation entries.
|
|
*
|
|
* @param integer $pk
|
|
* @return string
|
|
*/
|
|
protected function getDeleteObjectIdentityRelationsSql($pk)
|
|
{
|
|
return sprintf(
|
|
'DELETE FROM %s WHERE object_identity_id = %d',
|
|
$this->options['oid_ancestors_table_name'],
|
|
$pk
|
|
);
|
|
}
|
|
|
|
/**
|
|
* Constructs the SQL for inserting an ACE.
|
|
*
|
|
* @param integer $classId
|
|
* @param integer|null $objectIdentityId
|
|
* @param string|null $field
|
|
* @param integer $aceOrder
|
|
* @param integer $securityIdentityId
|
|
* @param string $strategy
|
|
* @param integer $mask
|
|
* @param Boolean $granting
|
|
* @param Boolean $auditSuccess
|
|
* @param Boolean $auditFailure
|
|
* @return string
|
|
*/
|
|
protected function getInsertAccessControlEntrySql($classId, $objectIdentityId, $field, $aceOrder, $securityIdentityId, $strategy, $mask, $granting, $auditSuccess, $auditFailure)
|
|
{
|
|
$query = <<<QUERY
|
|
INSERT INTO %s (
|
|
class_id,
|
|
object_identity_id,
|
|
field_name,
|
|
ace_order,
|
|
security_identity_id,
|
|
mask,
|
|
granting,
|
|
granting_strategy,
|
|
audit_success,
|
|
audit_failure
|
|
)
|
|
VALUES (%d, %s, %s, %d, %d, %d, %s, %s, %s, %s)
|
|
QUERY;
|
|
|
|
return sprintf(
|
|
$query,
|
|
$this->options['entry_table_name'],
|
|
$classId,
|
|
null === $objectIdentityId? 'NULL' : intval($objectIdentityId),
|
|
null === $field? 'NULL' : $this->connection->quote($field),
|
|
$aceOrder,
|
|
$securityIdentityId,
|
|
$mask,
|
|
$this->connection->getDatabasePlatform()->convertBooleans($granting),
|
|
$this->connection->quote($strategy),
|
|
$this->connection->getDatabasePlatform()->convertBooleans($auditSuccess),
|
|
$this->connection->getDatabasePlatform()->convertBooleans($auditFailure)
|
|
);
|
|
}
|
|
|
|
/**
|
|
* Constructs the SQL for inserting a new class type.
|
|
*
|
|
* @param string $classType
|
|
* @return string
|
|
*/
|
|
protected function getInsertClassSql($classType)
|
|
{
|
|
return sprintf(
|
|
'INSERT INTO %s (class_type) VALUES (%s)',
|
|
$this->options['class_table_name'],
|
|
$this->connection->quote($classType)
|
|
);
|
|
}
|
|
|
|
/**
|
|
* Constructs the SQL for inserting a relation entry.
|
|
*
|
|
* @param integer $objectIdentityId
|
|
* @param integer $ancestorId
|
|
* @return string
|
|
*/
|
|
protected function getInsertObjectIdentityRelationSql($objectIdentityId, $ancestorId)
|
|
{
|
|
return sprintf(
|
|
'INSERT INTO %s (object_identity_id, ancestor_id) VALUES (%d, %d)',
|
|
$this->options['oid_ancestors_table_name'],
|
|
$objectIdentityId,
|
|
$ancestorId
|
|
);
|
|
}
|
|
|
|
/**
|
|
* Constructs the SQL for inserting an object identity.
|
|
*
|
|
* @param string $identifier
|
|
* @param integer $classId
|
|
* @param Boolean $entriesInheriting
|
|
* @return string
|
|
*/
|
|
protected function getInsertObjectIdentitySql($identifier, $classId, $entriesInheriting)
|
|
{
|
|
$query = <<<QUERY
|
|
INSERT INTO %s (class_id, object_identifier, entries_inheriting)
|
|
VALUES (%d, %s, %s)
|
|
QUERY;
|
|
|
|
return sprintf(
|
|
$query,
|
|
$this->options['oid_table_name'],
|
|
$classId,
|
|
$this->connection->quote($identifier),
|
|
$this->connection->getDatabasePlatform()->convertBooleans($entriesInheriting)
|
|
);
|
|
}
|
|
|
|
/**
|
|
* Constructs the SQL for inserting a security identity.
|
|
*
|
|
* @param SecurityIdentityInterface $sid
|
|
* @throws \InvalidArgumentException
|
|
* @return string
|
|
*/
|
|
protected function getInsertSecurityIdentitySql(SecurityIdentityInterface $sid)
|
|
{
|
|
if ($sid instanceof UserSecurityIdentity) {
|
|
$identifier = $sid->getClass().'-'.$sid->getUsername();
|
|
$username = true;
|
|
} elseif ($sid instanceof RoleSecurityIdentity) {
|
|
$identifier = $sid->getRole();
|
|
$username = false;
|
|
} else {
|
|
throw new \InvalidArgumentException('$sid must either be an instance of UserSecurityIdentity, or RoleSecurityIdentity.');
|
|
}
|
|
|
|
return sprintf(
|
|
'INSERT INTO %s (identifier, username) VALUES (%s, %s)',
|
|
$this->options['sid_table_name'],
|
|
$this->connection->quote($identifier),
|
|
$this->connection->getDatabasePlatform()->convertBooleans($username)
|
|
);
|
|
}
|
|
|
|
/**
|
|
* Constructs the SQL for selecting an ACE.
|
|
*
|
|
* @param integer $classId
|
|
* @param integer $oid
|
|
* @param string $field
|
|
* @param integer $order
|
|
* @return string
|
|
*/
|
|
protected function getSelectAccessControlEntryIdSql($classId, $oid, $field, $order)
|
|
{
|
|
return sprintf(
|
|
'SELECT id FROM %s WHERE class_id = %d AND %s AND %s AND ace_order = %d',
|
|
$this->options['entry_table_name'],
|
|
$classId,
|
|
null === $oid ?
|
|
$this->connection->getDatabasePlatform()->getIsNullExpression('object_identity_id')
|
|
: 'object_identity_id = '.intval($oid),
|
|
null === $field ?
|
|
$this->connection->getDatabasePlatform()->getIsNullExpression('field_name')
|
|
: 'field_name = '.$this->connection->quote($field),
|
|
$order
|
|
);
|
|
}
|
|
|
|
/**
|
|
* Constructs the SQL for selecting the primary key associated with
|
|
* the passed class type.
|
|
*
|
|
* @param string $classType
|
|
* @return string
|
|
*/
|
|
protected function getSelectClassIdSql($classType)
|
|
{
|
|
return sprintf(
|
|
'SELECT id FROM %s WHERE class_type = %s',
|
|
$this->options['class_table_name'],
|
|
$this->connection->quote($classType)
|
|
);
|
|
}
|
|
|
|
/**
|
|
* Constructs the SQL for selecting the primary key of a security identity.
|
|
*
|
|
* @param SecurityIdentityInterface $sid
|
|
* @throws \InvalidArgumentException
|
|
* @return string
|
|
*/
|
|
protected function getSelectSecurityIdentityIdSql(SecurityIdentityInterface $sid)
|
|
{
|
|
if ($sid instanceof UserSecurityIdentity) {
|
|
$identifier = $sid->getClass().'-'.$sid->getUsername();
|
|
$username = true;
|
|
} elseif ($sid instanceof RoleSecurityIdentity) {
|
|
$identifier = $sid->getRole();
|
|
$username = false;
|
|
} else {
|
|
throw new \InvalidArgumentException('$sid must either be an instance of UserSecurityIdentity, or RoleSecurityIdentity.');
|
|
}
|
|
|
|
return sprintf(
|
|
'SELECT id FROM %s WHERE identifier = %s AND username = %s',
|
|
$this->options['sid_table_name'],
|
|
$this->connection->quote($identifier),
|
|
$this->connection->getDatabasePlatform()->convertBooleans($username)
|
|
);
|
|
}
|
|
|
|
/**
|
|
* Constructs the SQL for updating an object identity.
|
|
*
|
|
* @param integer $pk
|
|
* @param array $changes
|
|
* @throws \InvalidArgumentException
|
|
* @return string
|
|
*/
|
|
protected function getUpdateObjectIdentitySql($pk, array $changes)
|
|
{
|
|
if (0 === count($changes)) {
|
|
throw new \InvalidArgumentException('There are no changes.');
|
|
}
|
|
|
|
return sprintf(
|
|
'UPDATE %s SET %s WHERE id = %d',
|
|
$this->options['oid_table_name'],
|
|
implode(', ', $changes),
|
|
$pk
|
|
);
|
|
}
|
|
|
|
/**
|
|
* Constructs the SQL for updating an ACE.
|
|
*
|
|
* @param integer $pk
|
|
* @param array $sets
|
|
* @throws \InvalidArgumentException
|
|
* @return string
|
|
*/
|
|
protected function getUpdateAccessControlEntrySql($pk, array $sets)
|
|
{
|
|
if (0 === count($sets)) {
|
|
throw new \InvalidArgumentException('There are no changes.');
|
|
}
|
|
|
|
return sprintf(
|
|
'UPDATE %s SET %s WHERE id = %d',
|
|
$this->options['entry_table_name'],
|
|
implode(', ', $sets),
|
|
$pk
|
|
);
|
|
}
|
|
|
|
/**
|
|
* Creates the ACL for the passed object identity
|
|
*
|
|
* @param ObjectIdentityInterface $oid
|
|
*/
|
|
private function createObjectIdentity(ObjectIdentityInterface $oid)
|
|
{
|
|
$classId = $this->createOrRetrieveClassId($oid->getType());
|
|
|
|
$this->connection->executeQuery($this->getInsertObjectIdentitySql($oid->getIdentifier(), $classId, true));
|
|
}
|
|
|
|
/**
|
|
* Returns the primary key for the passed class type.
|
|
*
|
|
* If the type does not yet exist in the database, it will be created.
|
|
*
|
|
* @param string $classType
|
|
* @return integer
|
|
*/
|
|
private function createOrRetrieveClassId($classType)
|
|
{
|
|
if (false !== $id = $this->connection->executeQuery($this->getSelectClassIdSql($classType))->fetchColumn()) {
|
|
return $id;
|
|
}
|
|
|
|
$this->connection->executeQuery($this->getInsertClassSql($classType));
|
|
|
|
return $this->connection->executeQuery($this->getSelectClassIdSql($classType))->fetchColumn();
|
|
}
|
|
|
|
/**
|
|
* Returns the primary key for the passed security identity.
|
|
*
|
|
* If the security identity does not yet exist in the database, it will be
|
|
* created.
|
|
*
|
|
* @param SecurityIdentityInterface $sid
|
|
* @return integer
|
|
*/
|
|
private function createOrRetrieveSecurityIdentityId(SecurityIdentityInterface $sid)
|
|
{
|
|
if (false !== $id = $this->connection->executeQuery($this->getSelectSecurityIdentityIdSql($sid))->fetchColumn()) {
|
|
return $id;
|
|
}
|
|
|
|
$this->connection->executeQuery($this->getInsertSecurityIdentitySql($sid));
|
|
|
|
return $this->connection->executeQuery($this->getSelectSecurityIdentityIdSql($sid))->fetchColumn();
|
|
}
|
|
|
|
/**
|
|
* Deletes all ACEs for the given object identity primary key.
|
|
*
|
|
* @param integer $oidPK
|
|
*/
|
|
private function deleteAccessControlEntries($oidPK)
|
|
{
|
|
$this->connection->executeQuery($this->getDeleteAccessControlEntriesSql($oidPK));
|
|
}
|
|
|
|
/**
|
|
* Deletes the object identity from the database.
|
|
*
|
|
* @param integer $pk
|
|
*/
|
|
private function deleteObjectIdentity($pk)
|
|
{
|
|
$this->connection->executeQuery($this->getDeleteObjectIdentitySql($pk));
|
|
}
|
|
|
|
/**
|
|
* Deletes all entries from the relations table from the database.
|
|
*
|
|
* @param integer $pk
|
|
*/
|
|
private function deleteObjectIdentityRelations($pk)
|
|
{
|
|
$this->connection->executeQuery($this->getDeleteObjectIdentityRelationsSql($pk));
|
|
}
|
|
|
|
/**
|
|
* This regenerates the ancestor table which is used for fast read access.
|
|
*
|
|
* @param AclInterface $acl
|
|
*/
|
|
private function regenerateAncestorRelations(AclInterface $acl)
|
|
{
|
|
$pk = $acl->getId();
|
|
$this->connection->executeQuery($this->getDeleteObjectIdentityRelationsSql($pk));
|
|
$this->connection->executeQuery($this->getInsertObjectIdentityRelationSql($pk, $pk));
|
|
|
|
$parentAcl = $acl->getParentAcl();
|
|
while (null !== $parentAcl) {
|
|
$this->connection->executeQuery($this->getInsertObjectIdentityRelationSql($pk, $parentAcl->getId()));
|
|
|
|
$parentAcl = $parentAcl->getParentAcl();
|
|
}
|
|
}
|
|
|
|
/**
|
|
* This processes changes on an ACE related property (classFieldAces, or objectFieldAces).
|
|
*
|
|
* @param string $name
|
|
* @param array $changes
|
|
*/
|
|
private function updateFieldAceProperty($name, array $changes)
|
|
{
|
|
$sids = new \SplObjectStorage();
|
|
$classIds = new \SplObjectStorage();
|
|
$currentIds = array();
|
|
foreach ($changes[1] as $field => $new) {
|
|
for ($i=0,$c=count($new); $i<$c; $i++) {
|
|
$ace = $new[$i];
|
|
|
|
if (null === $ace->getId()) {
|
|
if ($sids->contains($ace->getSecurityIdentity())) {
|
|
$sid = $sids->offsetGet($ace->getSecurityIdentity());
|
|
} else {
|
|
$sid = $this->createOrRetrieveSecurityIdentityId($ace->getSecurityIdentity());
|
|
}
|
|
|
|
$oid = $ace->getAcl()->getObjectIdentity();
|
|
if ($classIds->contains($oid)) {
|
|
$classId = $classIds->offsetGet($oid);
|
|
} else {
|
|
$classId = $this->createOrRetrieveClassId($oid->getType());
|
|
}
|
|
|
|
$objectIdentityId = $name === 'classFieldAces' ? null : $ace->getAcl()->getId();
|
|
|
|
$this->connection->executeQuery($this->getInsertAccessControlEntrySql($classId, $objectIdentityId, $field, $i, $sid, $ace->getStrategy(), $ace->getMask(), $ace->isGranting(), $ace->isAuditSuccess(), $ace->isAuditFailure()));
|
|
$aceId = $this->connection->executeQuery($this->getSelectAccessControlEntryIdSql($classId, $objectIdentityId, $field, $i))->fetchColumn();
|
|
$this->loadedAces[$aceId] = $ace;
|
|
|
|
$aceIdProperty = new \ReflectionProperty('Symfony\Component\Security\Acl\Domain\Entry', 'id');
|
|
$aceIdProperty->setAccessible(true);
|
|
$aceIdProperty->setValue($ace, intval($aceId));
|
|
} else {
|
|
$currentIds[$ace->getId()] = true;
|
|
}
|
|
}
|
|
}
|
|
|
|
foreach ($changes[0] as $old) {
|
|
for ($i=0,$c=count($old); $i<$c; $i++) {
|
|
$ace = $old[$i];
|
|
|
|
if (!isset($currentIds[$ace->getId()])) {
|
|
$this->connection->executeQuery($this->getDeleteAccessControlEntrySql($ace->getId()));
|
|
unset($this->loadedAces[$ace->getId()]);
|
|
}
|
|
}
|
|
}
|
|
}
|
|
|
|
/**
|
|
* This processes changes on an ACE related property (classAces, or objectAces).
|
|
*
|
|
* @param string $name
|
|
* @param array $changes
|
|
*/
|
|
private function updateAceProperty($name, array $changes)
|
|
{
|
|
list($old, $new) = $changes;
|
|
|
|
$sids = new \SplObjectStorage();
|
|
$classIds = new \SplObjectStorage();
|
|
$currentIds = array();
|
|
for ($i=0,$c=count($new); $i<$c; $i++) {
|
|
$ace = $new[$i];
|
|
|
|
if (null === $ace->getId()) {
|
|
if ($sids->contains($ace->getSecurityIdentity())) {
|
|
$sid = $sids->offsetGet($ace->getSecurityIdentity());
|
|
} else {
|
|
$sid = $this->createOrRetrieveSecurityIdentityId($ace->getSecurityIdentity());
|
|
}
|
|
|
|
$oid = $ace->getAcl()->getObjectIdentity();
|
|
if ($classIds->contains($oid)) {
|
|
$classId = $classIds->offsetGet($oid);
|
|
} else {
|
|
$classId = $this->createOrRetrieveClassId($oid->getType());
|
|
}
|
|
|
|
$objectIdentityId = $name === 'classAces' ? null : $ace->getAcl()->getId();
|
|
|
|
$this->connection->executeQuery($this->getInsertAccessControlEntrySql($classId, $objectIdentityId, null, $i, $sid, $ace->getStrategy(), $ace->getMask(), $ace->isGranting(), $ace->isAuditSuccess(), $ace->isAuditFailure()));
|
|
$aceId = $this->connection->executeQuery($this->getSelectAccessControlEntryIdSql($classId, $objectIdentityId, null, $i))->fetchColumn();
|
|
$this->loadedAces[$aceId] = $ace;
|
|
|
|
$aceIdProperty = new \ReflectionProperty($ace, 'id');
|
|
$aceIdProperty->setAccessible(true);
|
|
$aceIdProperty->setValue($ace, intval($aceId));
|
|
} else {
|
|
$currentIds[$ace->getId()] = true;
|
|
}
|
|
}
|
|
|
|
for ($i=0,$c=count($old); $i<$c; $i++) {
|
|
$ace = $old[$i];
|
|
|
|
if (!isset($currentIds[$ace->getId()])) {
|
|
$this->connection->executeQuery($this->getDeleteAccessControlEntrySql($ace->getId()));
|
|
unset($this->loadedAces[$ace->getId()]);
|
|
}
|
|
}
|
|
}
|
|
|
|
/**
|
|
* Persists the changes which were made to ACEs to the database.
|
|
*
|
|
* @param \SplObjectStorage $aces
|
|
*/
|
|
private function updateAces(\SplObjectStorage $aces)
|
|
{
|
|
foreach ($aces as $ace) {
|
|
$propertyChanges = $aces->offsetGet($ace);
|
|
$sets = array();
|
|
|
|
if (isset($propertyChanges['mask'])) {
|
|
$sets[] = sprintf('mask = %d', $propertyChanges['mask'][1]);
|
|
}
|
|
if (isset($propertyChanges['strategy'])) {
|
|
$sets[] = sprintf('granting_strategy = %s', $this->connection->quote($propertyChanges['strategy']));
|
|
}
|
|
if (isset($propertyChanges['aceOrder'])) {
|
|
$sets[] = sprintf('ace_order = %d', $propertyChanges['aceOrder'][1]);
|
|
}
|
|
if (isset($propertyChanges['auditSuccess'])) {
|
|
$sets[] = sprintf('audit_success = %s', $this->connection->getDatabasePlatform()->convertBooleans($propertyChanges['auditSuccess'][1]));
|
|
}
|
|
if (isset($propertyChanges['auditFailure'])) {
|
|
$sets[] = sprintf('audit_failure = %s', $this->connection->getDatabasePlatform()->convertBooleans($propertyChanges['auditFailure'][1]));
|
|
}
|
|
|
|
$this->connection->executeQuery($this->getUpdateAccessControlEntrySql($ace->getId(), $sets));
|
|
}
|
|
}
|
|
}
|