filter = $filter; return $this; }

    /**
     * Decides whether $user may call $action on $controller with the given
     * request parameters.
     *
     * The rights required by the action are looked up per parameter name, the
     * parameter filter extracts the resource ids carried by those parameters,
     * and the resulting "resourceId => right" map is handed to
     * hasPrivileges().
     *
     * Access is granted without consulting the permission provider when no
     * required right maps to any resource id (empty $required). Access is
     * denied when an ActionNotFoundException is raised inside the try block.
     *
     * @param User $user              user whose access is evaluated
     * @param $controller             controller passed to ControllerHelper::getRequiredRights()
     * @param $action                 action passed to ControllerHelper::getRequiredRights()
     * @param $requestParameters      request parameters handed to the parameter filter
     *
     * @return bool true when access is granted, false otherwise
     *
     * @see \oat\tao\model\accessControl\AccessControl::hasAccess()
     */
    public function hasAccess(User $user, $controller, $action, $requestParameters)
    {
        $required = [];
        try {
            // Indexed by parameter name: the keys select the parameters to
            // filter and the values are the rights demanded for them.
            $requiredRights = ControllerHelper::getRequiredRights($controller, $action);
            $uris = $this->getParameterFilter()->filter($requestParameters, array_keys($requiredRights));

            foreach ($uris as $name => $urisValue) {
                // One "resourceId => right" map per parameter.
                $required[] = array_fill_keys($urisValue, $requiredRights[$name]);
            }
        } catch (ActionNotFoundException $e) {
            // Fail closed: an action that cannot be resolved is never allowed.
            return false;
        }

        // NOTE(review): the empty case grants access with no permission lookup,
        // so the decision depends on getRequiredRights() and the filter being
        // complete for this action - confirm that is the intended default.
        //
        // NOTE(review): array_merge() lets a later entry overwrite an earlier
        // one with the same string key. If one resource id arrives under two
        // parameters that demand different rights, only the right of the last
        // parameter is checked - confirm this cannot downgrade a stricter
        // requirement. Integer-like keys would also be renumbered by
        // array_merge(); presumably resource ids are URIs - TODO confirm.
        return empty($required) ? true : $this->hasPrivileges($user, array_merge(...$required));
    }

    /**
     * Whether or not the user has the required rights.
     *
     * $required takes the form of:
     * resourceId => $right
     *
     * Every entry must pass; the first failing entry ends the check with
     * false. A 'WRITE' right is additionally checked against the resource
     * lock via hasWritePrivilege().
     *
     * @param User $user
     * @param array $required map of resource id to required right
     * @return boolean true only when every required right is held
     *
     */
    public function hasPrivileges(User $user, array $required)
    {
        foreach ($required as $resourceId => $right) {
            // The lock check runs first, before the right is looked up in the
            // provider's supported rights.
            if ($right === 'WRITE' && !$this->hasWritePrivilege($user, $resourceId)) {
                // NOTE(review): the resource id may originate from request
                // parameters (see hasAccess) and is written to the log as is -
                // confirm the logger neutralises control characters.
                common_Logger::d('User \'' . $user->getIdentifier() . '\' does not have lock for resource \'' . $resourceId . '\'');
                return false;
            }
            // A right the provider does not support is replaced by
            // RIGHT_UNSUPPORTED; the second loop then compares against that
            // replacement value instead of the original right.
            // NOTE(review): in_array() is used without the strict flag, so
            // values are compared loosely - confirm all rights are strings.
            if (!in_array($right, $this->getPermissionProvider()->getSupportedRights())) {
                $required[$resourceId] = PermissionInterface::RIGHT_UNSUPPORTED;
            }
        }

        // One provider call for all resource ids; the result is read as
        // "resource id => list of rights".
        $permissions = $this->getPermissionProvider()->getPermissions($user, array_keys($required));

        foreach ($required as $id => $right) {
            // Deny when the provider returned nothing for the resource or the
            // returned list lacks the required right.
            // NOTE(review): loose in_array() again - a non-string entry in the
            // provider's list could match by type juggling; verify the
            // provider's return type.
            if (!isset($permissions[$id]) || !in_array($right, $permissions[$id])) {
                common_Logger::d('User \'' . $user->getIdentifier() . '\' does not have \'' . $right . '\' permission for resource \'' . $id .
                    '\'');
                return false;
            }
        }

        return true;
    }

    /**
     * Checks the lock on a resource: writing is allowed when the lock manager
     * reports no lock data for it, or when the lock owner id equals the
     * user's identifier.
     *
     * @param User $user
     * @param $resourceId id used to build the core_kernel_classes_Resource
     * @return bool
     */
    private function hasWritePrivilege(User $user, $resourceId)
    {
        $resource = new \core_kernel_classes_Resource($resourceId);
        $lock = LockManager::getImplementation()->getLockData($resource);

        // NOTE(review): the owner comparison uses loose ==; presumably both
        // ids are strings, in which case === would behave the same - confirm.
        return is_null($lock) || $lock->getOwnerId() == $user->getIdentifier();
    }

    /**
     * Returns the permission model supplied by PermissionManager; it is
     * fetched again on every call.
     */
    public function getPermissionProvider()
    {
        return PermissionManager::getPermissionModel();
    }

    /**
     * Returns the parameter filter, creating a ParameterFilterProxy the first
     * time when no filter has been set on this instance.
     */
    private function getParameterFilter(): ParameterFilterInterface
    {
        if (!$this->filter) {
            $this->filter = new ParameterFilterProxy();
        }

        return $this->filter;
    }
}