vendor/sulu/sulu/src/Sulu/Bundle/SecurityBundle/EventListener/SuluSecurityListener.php line 49

  1. <?php
  3. /*
  4.  * This file is part of Sulu.
  5.  *
  6.  * (c) Sulu GmbH
  7.  *
  8.  * This source file is subject to the MIT license that is bundled
  9.  * with this source code in the file LICENSE.
  10.  */
  12. namespace Sulu\Bundle\SecurityBundle\EventListener;
  14. use Sulu\Component\Security\Authorization\AccessControl\SecuredObjectControllerInterface;
  15. use Sulu\Component\Security\Authorization\PermissionTypes;
  16. use Sulu\Component\Security\Authorization\SecurityCheckerInterface;
  17. use Sulu\Component\Security\Authorization\SecurityCondition;
  18. use Sulu\Component\Security\SecuredControllerInterface;
  19. use Symfony\Component\EventDispatcher\EventSubscriberInterface;
  20. use Symfony\Component\HttpKernel\Event\ControllerEvent;
  21. use Symfony\Component\HttpKernel\KernelEvents;
  22. use Symfony\Component\Security\Core\Exception\AccessDeniedException;
  24. /**
  25.  * Listens on the kernel.controller event and checks if Sulu allows this action.
  26.  */
  27. class SuluSecurityListener implements EventSubscriberInterface
  28. {
  29.     /**
  30.      * @var SecurityCheckerInterface
  31.      */
  32.     private $securityChecker;
  34.     public function __construct(SecurityCheckerInterface $securityChecker)
  35.     {
  36.         $this->securityChecker $securityChecker;
  37.     }
  39.     public static function getSubscribedEvents(): array
  40.     {
  41.         return [KernelEvents::CONTROLLER => 'onKernelController'];
  42.     }
  44.     /**
  45.      * Checks if the action is allowed for the current user, and throws an Exception otherwise.
  46.      *
  47.      * @throws AccessDeniedException
  48.      */
  49.     public function onKernelController(ControllerEvent $event)
  50.     {
  51.         $controller $event->getController();
  52.         $action '__invoke';
  54.         if (\is_array($controller)) {
  55.             if (isset($controller[1])) {
  56.                 $action $controller[1];
  57.             }
  59.             if (isset($controller[0])) {
  60.                 $controller $controller[0];
  61.             }
  62.         }
  64.         if (
  65.             !$controller instanceof SecuredControllerInterface &&
  66.             !$controller instanceof SecuredObjectControllerInterface
  67.         ) {
  68.             return;
  69.         }
  71.         $request $event->getRequest();
  73.         // find appropriate permission type for request
  74.         $permission '';
  76.         switch ($request->getMethod()) {
  77.             case 'GET':
  78.                 $permission PermissionTypes::VIEW;
  79.                 break;
  80.             case 'POST':
  81.                 if (\in_array($action, ['postAction''__invoke'])) { // means that the ClassResourceInterface has to be used
  82.                     $permission PermissionTypes::ADD;
  83.                 } else {
  84.                     $permission PermissionTypes::EDIT;
  85.                 }
  86.                 break;
  87.             case 'PUT':
  88.             case 'PATCH':
  89.                 $permission PermissionTypes::EDIT;
  90.                 break;
  91.             case 'DELETE':
  92.                 $permission PermissionTypes::DELETE;
  93.                 break;
  94.         }
  96.         $securityContext null;
  97.         $locale $controller->getLocale($request);
  98.         $objectType null;
  99.         $objectId null;
  101.         if ($controller instanceof SecuredObjectControllerInterface) {
  102.             $objectType $controller->getSecuredClass();
  103.             $objectId $controller->getSecuredObjectId($request);
  104.         }
  106.         // check permission
  107.         if ($controller instanceof SecuredControllerInterface) {
  108.             $securityContext $controller->getSecurityContext();
  109.         }
  111.         if (null !== $securityContext) {
  112.             $this->securityChecker->checkPermission(
  113.                 new SecurityCondition($securityContext$locale$objectType$objectId),
  114.                 $permission
  115.             );
  116.         }
  117.     }
  118. }