Merge branch '6.x' into 7.0

* 6.x: [AllBundle] Add compatibility for new PUBLIC_ACCESS role
Kunstmaan · Dec 21, 2023 · 30b2225 · 30b2225
2 parents bfdf1ce + 0316c83
commit 30b2225
Show file tree

Hide file tree

Showing 10 changed files with 47 additions and 5 deletions.
diff --git a/src/Kunstmaan/AdminBundle/Helper/Security/Acl/AclHelper.php b/src/Kunstmaan/AdminBundle/Helper/Security/Acl/AclHelper.php
@@ -151,7 +151,7 @@ private function getPermittedAclIdsSQLForUser(Query $query): string
         }
 
         // Security context does not provide anonymous role automatically.
-        $uR = [$databasePlatform->quoteStringLiteral('IS_AUTHENTICATED_ANONYMOUSLY')];
+        $uR = [$databasePlatform->quoteStringLiteral('IS_AUTHENTICATED_ANONYMOUSLY'), $databasePlatform->quoteStringLiteral('PUBLIC_ACCESS')];
 
         foreach ($userRoles as $role) {
             // The reason we ignore this is because by default FOSUserBundle adds ROLE_USER for every user

diff --git a/src/Kunstmaan/AdminBundle/Helper/Security/Acl/AclNativeHelper.php b/src/Kunstmaan/AdminBundle/Helper/Security/Acl/AclNativeHelper.php
@@ -87,7 +87,7 @@ public function apply(QueryBuilder $queryBuilder, PermissionDefinition $permissi
         }
 
         // Security context does not provide anonymous role automatically.
-        $uR = [$databasePlatform->quoteStringLiteral('IS_AUTHENTICATED_ANONYMOUSLY')];
+        $uR = [$databasePlatform->quoteStringLiteral('IS_AUTHENTICATED_ANONYMOUSLY'), $databasePlatform->quoteStringLiteral('PUBLIC_ACCESS')];
 
         foreach ($userRoles as $role) {
             // The reason we ignore this is because by default FOSUserBundle adds ROLE_USER for every user

diff --git a/src/Kunstmaan/AdminBundle/Tests/Helper/Security/Acl/AclHelperTest.php b/src/Kunstmaan/AdminBundle/Tests/Helper/Security/Acl/AclHelperTest.php
@@ -188,6 +188,7 @@ public function testApply()
         $this->assertStringContainsString('ROLE_SUBJECT', $aclQuery);
         $this->assertStringContainsString('ROLE_KING', $aclQuery);
         $this->assertStringContainsString('IS_AUTHENTICATED_ANONYMOUSLY', $aclQuery);
+        $this->assertStringContainsString('PUBLIC_ACCESS', $aclQuery);
         $this->assertStringContainsString('MyUser', $aclQuery);
     }
 
@@ -239,6 +240,7 @@ public function testApplyAnonymous()
 
         $aclQuery = $query->getHint('acl.extra.query');
         $this->assertStringContainsString('IS_AUTHENTICATED_ANONYMOUSLY', $aclQuery);
+        $this->assertStringContainsString('PUBLIC_ACCESS', $aclQuery);
     }
 
     public function testGetAllowedEntityIds()

diff --git a/src/Kunstmaan/AdminBundle/Tests/Helper/Security/Acl/AclNativeHelperTest.php b/src/Kunstmaan/AdminBundle/Tests/Helper/Security/Acl/AclNativeHelperTest.php
@@ -143,6 +143,7 @@ public function testApply()
         $this->assertStringContainsString('ROLE_SUBJECT', $query);
         $this->assertStringContainsString('ROLE_KING', $query);
         $this->assertStringContainsString('IS_AUTHENTICATED_ANONYMOUSLY', $query);
+        $this->assertStringContainsString('PUBLIC_ACCESS', $query);
         $this->assertStringContainsString('MyUser', $query);
     }
 
@@ -181,6 +182,7 @@ public function testApplyAnonymous()
         $query = $qb->getSQL();
 
         $this->assertStringContainsString('IS_AUTHENTICATED_ANONYMOUSLY', $query);
+        $this->assertStringContainsString('PUBLIC_ACCESS', $query);
     }
 
     public function testGetTokenStorage()

diff --git a/src/Kunstmaan/GeneratorBundle/DataFixtures/ORM/GroupFixtures.php b/src/Kunstmaan/GeneratorBundle/DataFixtures/ORM/GroupFixtures.php
@@ -26,9 +26,11 @@ public function load(ObjectManager $manager)
             $this->getReference(RoleFixtures::REFERENCE_ADMIN_ROLE),
         ]);
 
-        $group2 = $this->createGroup($manager, 'Guests', [
-            $this->getReference(RoleFixtures::REFERENCE_GUEST_ROLE),
-        ]);
+        $guestRoles = [$this->getReference(RoleFixtures::REFERENCE_GUEST_ROLE)];
+        if ($this->hasReference(RoleFixtures::REFERENCE_PUBLIC_ACCESS_ROLE)) {
+            $guestRoles[] = $this->getReference(RoleFixtures::REFERENCE_PUBLIC_ACCESS_ROLE);
+        }
+        $group2 = $this->createGroup($manager, 'Guests', $guestRoles);
 
         $group3 = $this->createGroup($manager, 'Super administrators', [
             $this->getReference(RoleFixtures::REFERENCE_PERMISSIONMANAGER_ROLE),

diff --git a/src/Kunstmaan/GeneratorBundle/DataFixtures/ORM/RoleFixtures.php b/src/Kunstmaan/GeneratorBundle/DataFixtures/ORM/RoleFixtures.php
@@ -6,6 +6,7 @@
 use Doctrine\Common\DataFixtures\OrderedFixtureInterface;
 use Doctrine\Persistence\ObjectManager;
 use Kunstmaan\AdminBundle\Entity\Role;
+use Symfony\Component\Security\Core\Authorization\Voter\AuthenticatedVoter;
 
 /**
  * Fixture for creation the basic roles
@@ -16,6 +17,7 @@ class RoleFixtures extends AbstractFixture implements OrderedFixtureInterface
     const REFERENCE_ADMIN_ROLE = 'admin-role';
     const REFERENCE_SUPERADMIN_ROLE = 'superadmin-role';
     const REFERENCE_GUEST_ROLE = 'guest-role';
+    const REFERENCE_PUBLIC_ACCESS_ROLE = 'public-role';
 
     /**
      * Load data fixtures with the passed EntityManager
@@ -26,13 +28,20 @@ public function load(ObjectManager $manager)
         $role2 = $this->createRole($manager, 'ROLE_ADMIN');
         $role3 = $this->createRole($manager, 'ROLE_SUPER_ADMIN');
         $role4 = $this->createRole($manager, 'IS_AUTHENTICATED_ANONYMOUSLY');
+        $role5 = null;
+        if (defined(AuthenticatedVoter::PUBLIC_ACCESS)) {
+            $role5 = $this->createRole($manager, AuthenticatedVoter::PUBLIC_ACCESS);
+        }
 
         $manager->flush();
 
         $this->addReference(self::REFERENCE_PERMISSIONMANAGER_ROLE, $role1);
         $this->addReference(self::REFERENCE_ADMIN_ROLE, $role2);
         $this->addReference(self::REFERENCE_SUPERADMIN_ROLE, $role3);
         $this->addReference(self::REFERENCE_GUEST_ROLE, $role4);
+        if (null !== $role5) {
+            $this->addReference(self::REFERENCE_PUBLIC_ACCESS_ROLE, $role5);
+        }
     }
 
     /**

diff --git a/src/Kunstmaan/NodeBundle/Command/InitAclCommand.php b/src/Kunstmaan/NodeBundle/Command/InitAclCommand.php
@@ -14,6 +14,7 @@
 use Symfony\Component\Security\Acl\Exception\AclNotFoundException;
 use Symfony\Component\Security\Acl\Model\MutableAclProviderInterface;
 use Symfony\Component\Security\Acl\Model\ObjectIdentityRetrievalStrategyInterface;
+use Symfony\Component\Security\Core\Authorization\Voter\AuthenticatedVoter;
 
 /**
  * Basic initialization of ACL entries for all nodes.
@@ -71,6 +72,11 @@ protected function execute(InputInterface $input, OutputInterface $output): int
             $securityIdentity = new RoleSecurityIdentity('IS_AUTHENTICATED_ANONYMOUSLY');
             $acl->insertObjectAce($securityIdentity, MaskBuilder::MASK_VIEW);
 
+            if (defined(AuthenticatedVoter::PUBLIC_ACCESS)) {
+                $securityIdentity = new RoleSecurityIdentity(AuthenticatedVoter::PUBLIC_ACCESS);
+                $acl->insertObjectAce($securityIdentity, MaskBuilder::MASK_VIEW);
+            }
+
             $securityIdentity = new RoleSecurityIdentity('ROLE_ADMIN');
             $acl->insertObjectAce(
                 $securityIdentity,

diff --git a/src/Kunstmaan/NodeBundle/Helper/Services/ACLPermissionCreatorService.php b/src/Kunstmaan/NodeBundle/Helper/Services/ACLPermissionCreatorService.php
@@ -7,6 +7,7 @@
 use Symfony\Component\Security\Acl\Exception\AclNotFoundException;
 use Symfony\Component\Security\Acl\Model\MutableAclProviderInterface;
 use Symfony\Component\Security\Acl\Model\ObjectIdentityRetrievalStrategyInterface;
+use Symfony\Component\Security\Core\Authorization\Voter\AuthenticatedVoter;
 
 /**
  * Service to add the correct permissions to new HasNodeInterface objects.
@@ -48,6 +49,11 @@ public function createPermission($object)
         $securityIdentity = new RoleSecurityIdentity('IS_AUTHENTICATED_ANONYMOUSLY');
         $acl->insertObjectAce($securityIdentity, MaskBuilder::MASK_VIEW);
 
+        if (defined(AuthenticatedVoter::PUBLIC_ACCESS)) {
+            $securityIdentity = new RoleSecurityIdentity(AuthenticatedVoter::PUBLIC_ACCESS);
+            $acl->insertObjectAce($securityIdentity, MaskBuilder::MASK_VIEW);
+        }
+
         $securityIdentity = new RoleSecurityIdentity('ROLE_ADMIN');
         $acl->insertObjectAce(
             $securityIdentity,

diff --git a/src/Kunstmaan/NodeSearchBundle/Configuration/NodePagesConfiguration.php b/src/Kunstmaan/NodeSearchBundle/Configuration/NodePagesConfiguration.php
@@ -28,6 +28,7 @@
 use Symfony\Component\Security\Acl\Model\AclInterface;
 use Symfony\Component\Security\Acl\Model\AclProviderInterface;
 use Symfony\Component\Security\Acl\Model\AuditableEntryInterface;
+use Symfony\Component\Security\Core\Authorization\Voter\AuthenticatedVoter;
 
 class NodePagesConfiguration implements SearchConfigurationInterface
 {
@@ -444,7 +445,11 @@ protected function addPermissions(Node $node, &$doc)
             $roles = $this->getAclPermissions($node);
         } else {
             // Fallback when no ACL available / assume everything is accessible...
+            // NEXT_MAJOR cleanup old security role
             $roles = ['IS_AUTHENTICATED_ANONYMOUSLY'];
+            if (defined(AuthenticatedVoter::PUBLIC_ACCESS)) {
+                $roles[] = AuthenticatedVoter::PUBLIC_ACCESS;
+            }
         }
         $doc['view_roles'] = $roles;
     }
@@ -611,7 +616,11 @@ protected function getAclPermissions($object)
             }
         } catch (AclNotFoundException $e) {
             // No ACL found... assume default
+            // NEXT_MAJOR cleanup old security role
             $roles = ['IS_AUTHENTICATED_ANONYMOUSLY'];
+            if (defined(AuthenticatedVoter::PUBLIC_ACCESS)) {
+                $roles[] = AuthenticatedVoter::PUBLIC_ACCESS;
+            }
         }
 
         return $roles;

diff --git a/src/Kunstmaan/NodeSearchBundle/Search/NodeSearcher.php b/src/Kunstmaan/NodeSearchBundle/Search/NodeSearcher.php
@@ -16,6 +16,7 @@
 use Kunstmaan\NodeSearchBundle\Helper\SearchBoostInterface;
 use Symfony\Component\Security\Core\Authentication\Token\Storage\TokenStorageInterface;
 use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
+use Symfony\Component\Security\Core\Authorization\Voter\AuthenticatedVoter;
 
 /**
  * Default node searcher implementation
@@ -162,10 +163,15 @@ protected function getCurrentUserRoles()
         }
 
         // Anonymous access should always be available for both anonymous & logged in users
+        // NEXT_MAJOR cleanup old security role
         if (!\in_array('IS_AUTHENTICATED_ANONYMOUSLY', $roles, true)) {
             $roles[] = 'IS_AUTHENTICATED_ANONYMOUSLY';
         }
 
+        if (defined(AuthenticatedVoter::PUBLIC_ACCESS) && !\in_array(AuthenticatedVoter::PUBLIC_ACCESS, $roles, true)) {
+            $roles[] = AuthenticatedVoter::PUBLIC_ACCESS;
+        }
+
         // Return a re-indexed array to make sure the array keys are incremental and don't skip a number. Otherwise
         // this causes issues in ES7.
         return array_values($roles);