Spaces:
Sleeping
Sleeping
File size: 4,307 Bytes
07c3cdd | 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 | <?php
namespace ProcessMaker\Policies;
use Luracast\Restler\iAuthenticate;
use Luracast\Restler\RestException;
use Luracast\Restler\Defaults;
use Luracast\Restler\Util;
use Luracast\Restler\Scope;
use OAuth2\Request;
use ProcessMaker\Services\OAuth2\Server;
use ProcessMaker\BusinessModel\User;
use RBAC;
class AccessControl implements iAuthenticate
{
public static $role;
public static $permission;
public static $className;
private $userUid = null;
private $oUser;
/**
* @var RBAC $rbac
*/
private $rbac;
const SYSTEM = 'PROCESSMAKER';
/**
* This method checks if an endpoint permission or permissions access
*
* @return bool
* @throws RestException
*/
public function __isAllowed()
{
$response = true;
$oServerOauth = new Server();
$this->oUser = new User();
$server = $oServerOauth->getServer();
$request = Request::createFromGlobals();
$allowed = $server->verifyResourceRequest($request);
$this->userUid = $oServerOauth->getUserId();
$this->oUser->loadUserRolePermission(self::SYSTEM, $this->userUid);
$this->loadRbacUser($this->userUid);
$metadata = Util::nestedValue($this->restler, 'apiMethodInfo', 'metadata');
$permissions = $this->getPermissions();
if ($allowed && !empty($this->userUid) && (!empty($metadata['access']) && $metadata['access'] == 'protected')) {
$parameters = Util::nestedValue($this->restler, 'apiMethodInfo', 'parameters');
if (!is_null(self::$className) && is_string(self::$className)) {
$authObj = Scope::get(self::$className);
$authObj->parameters = $parameters;
$authObj->permission = $permissions;
if (!method_exists($authObj, Defaults::$authenticationMethod)) {
throw new RestException (
500,
'Authentication Class should implement iAuthenticate');
} elseif (!$authObj->{Defaults::$authenticationMethod}()) {
throw new RestException(403, "You don't have permission to access this endpoint or resource on this server.");
}
} elseif (!$this->verifyAccess($permissions)) {
throw new RestException(401);
}
}
return $response;
}
/**
* @return string
*/
public function __getWWWAuthenticateString()
{
return '';
}
/**
* Verify the permissions required to access the endpoint.
*
* @param $permissions
* @return bool
*/
public function verifyAccess($permissions)
{
$response = false;
$access = -1;
if (!is_array($permissions)) {
$access = $this->userCanAccess($permissions);
} elseif (count($permissions) > 0) {
foreach ($permissions as $perm) {
$access = $this->userCanAccess($perm);
if ($access == 1) {
break;
}
}
}
if ($access == 1 || empty($permissions)) {
$response = true;
}
return $response;
}
/**
* Verify if the user has a right over the permission.
*
* @param string $perm
* @return int
*/
public function userCanAccess($perm)
{
return $this->rbac->userCanAccess($perm);
}
/**
* Get the required permission(s) of the endpoint.
*
* @return mixed
*/
private function getPermissions()
{
if (is_string(self::$permission)) {
$permission = trim(self::$permission);
} elseif (is_array(self::$permission)) {
$permission = [];
foreach (self::$permission as $perm) {
$permission[] = trim($perm);
}
} else {
$permission = self::$permission;
}
return $permission;
}
/**
* Load the RBAC object to validate the user permissions.
*
* @param string $userUid
*/
private function loadRbacUser($userUid)
{
$this->rbac = new RBAC;
$this->rbac->initRBAC();
$this->rbac->loadUserRolePermission(self::SYSTEM, $userUid);
}
}
|