| 1 | +<?php |
| 2 | +namespace Teams\Mvc\Controller\Plugin; |
| 3 | + |
| 4 | +use Doctrine\ORM\EntityManager; |
| 5 | +use Laminas\Mvc\Controller\Plugin\AbstractPlugin; |
| 6 | + |
| 7 | +/** |
| 8 | + * Controller plugin for authorize the current user. |
| 9 | + */ |
| 10 | +class TeamAuth extends AbstractPlugin |
| 11 | +{ |
| 12 | + public $actions = ['add', 'delete', 'update']; |
| 13 | + public $domains = ['resource', 'team', 'site', 'team_user', 'role']; |
| 14 | + |
| 15 | + /** |
| 16 | + * @var EntityManager |
| 17 | + */ |
| 18 | + protected $entityManager; |
| 19 | + |
| 20 | + /** |
| 21 | + * Construct the plugin. |
| 22 | + * |
| 23 | + * @param EntityManager $entityManager |
| 24 | + */ |
| 25 | + public function __construct(EntityManager $entityManager) |
| 26 | + { |
| 27 | + $this->entityManager = $entityManager; |
| 28 | + } |
| 29 | + |
| 30 | + public function user() |
| 31 | + { |
| 32 | + return $this->getController()->identity(); |
| 33 | + } |
| 34 | + |
| 35 | + public function isGlobAdmin() |
| 36 | + { |
| 37 | + return $this->user()->getRole() === 'global_admin'; |
| 38 | + } |
| 39 | + |
| 40 | + public function isSuper() |
| 41 | + { |
| 42 | + return ($this->isGlobAdmin() && $this->user()->getId() === 1); |
| 43 | + } |
| 44 | + |
| 45 | + public function teamAuthorized(string $action, string $domain) |
| 46 | + { |
| 47 | + //validate inputs |
| 48 | + if (!in_array($action, $this->actions)) { |
| 49 | + throw new InvalidArgumentException( |
| 50 | + sprintf( |
| 51 | + ' "%1$s" not a valid action for teamAuthorized().', |
| 52 | + $action |
| 53 | + ) |
| 54 | + ); |
| 55 | + } |
| 56 | + if (!in_array($domain, $this->domains)) { |
| 57 | + throw new InvalidArgumentException( |
| 58 | + sprintf( |
| 59 | + '"%1$s" not a valid domain for teamAuthorized().', |
| 60 | + $domain |
| 61 | + ) |
| 62 | + ); |
| 63 | + } |
| 64 | + |
| 65 | + //super admin should bypass team authority |
| 66 | + if ($this->isSuper()) { |
| 67 | + return true; |
| 68 | + } |
| 69 | + |
| 70 | + $em = $this->entityManager; |
| 71 | + $user_id = $this->user()->getId(); |
| 72 | + $authorized = false; |
| 73 | + |
| 74 | + |
| 75 | + //if the user has a current team |
| 76 | + if ($has_role = $em->getRepository('Teams\Entity\TeamUser') |
| 77 | + ->findOneBy(['is_current' => true, 'user'=>$user_id]) |
| 78 | + ) { |
| 79 | + $current_role = $has_role->getRole(); |
| 80 | + |
| 81 | + //go through each domain and determine if user is authorized for actions in that domain |
| 82 | + |
| 83 | + |
| 84 | + //only the global admin can create, delete or modify teams |
| 85 | + if ($domain == 'team' || $domain == 'role') { |
| 86 | + $authorized = $this->isGlobAdmin(); |
| 87 | + |
| 88 | + } |
| 89 | + |
| 90 | + //if they can manage users of the team (including their role) |
| 91 | + elseif ($domain == 'team_user') { |
| 92 | + $authorized = $current_role->getCanAddUsers(); |
| 93 | + } elseif ($domain == 'resource') { |
| 94 | + if ($action == 'add') { |
| 95 | + $authorized = $current_role->getCanAddItems(); |
| 96 | + } elseif ($action == 'update') { |
| 97 | + $authorized = $current_role->getCanModifyResources(); |
| 98 | + } elseif ($action == 'delete') { |
| 99 | + $authorized = $current_role->getCanDeleteResources(); |
| 100 | + } |
| 101 | + } elseif ($domain == 'site') { |
| 102 | + |
| 103 | + //only the global admin can add and delete sites |
| 104 | + if ($action == 'add' || $action == 'delete') { |
| 105 | + $authorized = $this->isGlobAdmin(); |
| 106 | + } elseif ($action == 'update') { |
| 107 | + $authorized = $current_role->getCanAddSitePages(); |
| 108 | + } |
| 109 | + } |
| 110 | + } |
| 111 | + return $authorized; |
| 112 | + } |
| 113 | + |
| 114 | +// public function __invoke($resource = null, $privilege = null) |
| 115 | +// { |
| 116 | +// return $this->userIsAllowed($resource, $privilege); |
| 117 | +// } |
| 118 | +} |
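Review bot: `InvalidArgumentException` at file lines 49 and 57 is unqualified inside `namespace Teams\Mvc\Controller\Plugin;`, so PHP resolves it to `Teams\Mvc\Controller\Plugin\InvalidArgumentException`; unless that class exists elsewhere in the module, an invalid `$action` or `$domain` raises a class-not-found `Error` instead of the intended exception, and any caller that catches `InvalidArgumentException` will not see it. Add `use InvalidArgumentException;` beside the other imports (or write `\InvalidArgumentException` at both throw sites). Both whitelist checks should also pass the strict flag, `if (!in_array($action, $this->actions, true))` and likewise for `$domain`, so loose comparison cannot match unexpected input. Separately, `isGlobAdmin()` dereferences `$this->user()->getRole()` with no null guard; if `identity()` can return null for an unauthenticated request, `teamAuthorized()` would fail with a fatal error on the `isSuper()` call rather than returning `false` — worth confirming and guarding so the authorization check fails closed cleanly.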