From 7d06eb923a3125381eea75b6a446e58a2c12e46c Mon Sep 17 00:00:00 2001 From: Jeroen Thora Date: Fri, 25 Mar 2022 15:39:45 +0100 Subject: [PATCH] [AllBundle] Add compatibility for new PUBLIC_ACCESS role --- .../AdminBundle/Helper/Security/Acl/AclHelper.php | 2 +- .../AdminBundle/Helper/Security/Acl/AclNativeHelper.php | 2 +- .../Tests/Helper/Security/Acl/AclHelperTest.php | 2 ++ .../Tests/Helper/Security/Acl/AclNativeHelperTest.php | 2 ++ .../GeneratorBundle/DataFixtures/ORM/GroupFixtures.php | 8 +++++--- .../GeneratorBundle/DataFixtures/ORM/RoleFixtures.php | 9 +++++++++ src/Kunstmaan/NodeBundle/Command/InitAclCommand.php | 6 ++++++ .../Helper/Services/ACLPermissionCreatorService.php | 6 ++++++ .../Configuration/NodePagesConfiguration.php | 9 +++++++++ src/Kunstmaan/NodeSearchBundle/Search/NodeSearcher.php | 6 ++++++ 10 files changed, 47 insertions(+), 5 deletions(-) diff --git a/src/Kunstmaan/AdminBundle/Helper/Security/Acl/AclHelper.php b/src/Kunstmaan/AdminBundle/Helper/Security/Acl/AclHelper.php index 61503bde9c..4b11218620 100644 --- a/src/Kunstmaan/AdminBundle/Helper/Security/Acl/AclHelper.php +++ b/src/Kunstmaan/AdminBundle/Helper/Security/Acl/AclHelper.php @@ -151,7 +151,7 @@ private function getPermittedAclIdsSQLForUser(Query $query): string } // Security context does not provide anonymous role automatically. - $uR = [$databasePlatform->quoteStringLiteral('IS_AUTHENTICATED_ANONYMOUSLY')]; + $uR = [$databasePlatform->quoteStringLiteral('IS_AUTHENTICATED_ANONYMOUSLY'), $databasePlatform->quoteStringLiteral('PUBLIC_ACCESS')]; foreach ($userRoles as $role) { // The reason we ignore this is because by default FOSUserBundle adds ROLE_USER for every user diff --git a/src/Kunstmaan/AdminBundle/Helper/Security/Acl/AclNativeHelper.php b/src/Kunstmaan/AdminBundle/Helper/Security/Acl/AclNativeHelper.php index 6e6fdea6cf..d593650508 100644 --- a/src/Kunstmaan/AdminBundle/Helper/Security/Acl/AclNativeHelper.php 
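Review bot: The new `PUBLIC_ACCESS` entry in `$uR` is a bare string literal added unconditionally, while the rest of this patch refers to `AuthenticatedVoter::PUBLIC_ACCESS` and marks the legacy role with a `NEXT_MAJOR` comment; the same line is repeated in `AclNativeHelper::apply()`. The comment above it still mentions only the anonymous role, so I would change it to something like `// Security context does not provide the anonymous/public roles automatically. NEXT_MAJOR cleanup old security role`. Since both identities appear to be added to the role list for every token, any ACE granted to `PUBLIC_ACCESS` will also match authenticated users; that looks intended but is worth stating in the comment. The enclosing method starts and ends outside the hunk.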
+++ b/src/Kunstmaan/AdminBundle/Helper/Security/Acl/AclNativeHelper.php @@ -87,7 +87,7 @@ public function apply(QueryBuilder $queryBuilder, PermissionDefinition $permissi } // Security context does not provide anonymous role automatically. - $uR = [$databasePlatform->quoteStringLiteral('IS_AUTHENTICATED_ANONYMOUSLY')]; + $uR = [$databasePlatform->quoteStringLiteral('IS_AUTHENTICATED_ANONYMOUSLY'), $databasePlatform->quoteStringLiteral('PUBLIC_ACCESS')]; foreach ($userRoles as $role) { // The reason we ignore this is because by default FOSUserBundle adds ROLE_USER for every user diff --git a/src/Kunstmaan/AdminBundle/Tests/Helper/Security/Acl/AclHelperTest.php b/src/Kunstmaan/AdminBundle/Tests/Helper/Security/Acl/AclHelperTest.php index 947711af93..5b76afa989 100644 --- a/src/Kunstmaan/AdminBundle/Tests/Helper/Security/Acl/AclHelperTest.php +++ b/src/Kunstmaan/AdminBundle/Tests/Helper/Security/Acl/AclHelperTest.php @@ -188,6 +188,7 @@ public function testApply() $this->assertStringContainsString('ROLE_SUBJECT', $aclQuery); $this->assertStringContainsString('ROLE_KING', $aclQuery); $this->assertStringContainsString('IS_AUTHENTICATED_ANONYMOUSLY', $aclQuery); + $this->assertStringContainsString('PUBLIC_ACCESS', $aclQuery); $this->assertStringContainsString('MyUser', $aclQuery); } @@ -239,6 +240,7 @@ public function testApplyAnonymous() $aclQuery = $query->getHint('acl.extra.query'); $this->assertStringContainsString('IS_AUTHENTICATED_ANONYMOUSLY', $aclQuery); + $this->assertStringContainsString('PUBLIC_ACCESS', $aclQuery); } public function testGetAllowedEntityIds() diff --git a/src/Kunstmaan/AdminBundle/Tests/Helper/Security/Acl/AclNativeHelperTest.php b/src/Kunstmaan/AdminBundle/Tests/Helper/Security/Acl/AclNativeHelperTest.php index e6104ec2eb..a424890c5c 100644 --- a/src/Kunstmaan/AdminBundle/Tests/Helper/Security/Acl/AclNativeHelperTest.php +++ b/src/Kunstmaan/AdminBundle/Tests/Helper/Security/Acl/AclNativeHelperTest.php 
@@ -143,6 +143,7 @@ public function testApply() $this->assertStringContainsString('ROLE_SUBJECT', $query); $this->assertStringContainsString('ROLE_KING', $query); $this->assertStringContainsString('IS_AUTHENTICATED_ANONYMOUSLY', $query); + $this->assertStringContainsString('PUBLIC_ACCESS', $query); $this->assertStringContainsString('MyUser', $query); } @@ -181,6 +182,7 @@ public function testApplyAnonymous() $query = $qb->getSQL(); $this->assertStringContainsString('IS_AUTHENTICATED_ANONYMOUSLY', $query); + $this->assertStringContainsString('PUBLIC_ACCESS', $query); } public function testGetTokenStorage() diff --git a/src/Kunstmaan/GeneratorBundle/DataFixtures/ORM/GroupFixtures.php b/src/Kunstmaan/GeneratorBundle/DataFixtures/ORM/GroupFixtures.php index 93d478b368..7d64a2db7d 100644 --- a/src/Kunstmaan/GeneratorBundle/DataFixtures/ORM/GroupFixtures.php +++ b/src/Kunstmaan/GeneratorBundle/DataFixtures/ORM/GroupFixtures.php @@ -26,9 +26,11 @@ public function load(ObjectManager $manager) $this->getReference(RoleFixtures::REFERENCE_ADMIN_ROLE), ]); - $group2 = $this->createGroup($manager, 'Guests', [ - $this->getReference(RoleFixtures::REFERENCE_GUEST_ROLE), - ]); + $guestRoles = [$this->getReference(RoleFixtures::REFERENCE_GUEST_ROLE)]; + if ($this->hasReference(RoleFixtures::REFERENCE_PUBLIC_ACCESS_ROLE)) { + $guestRoles[] = $this->getReference(RoleFixtures::REFERENCE_PUBLIC_ACCESS_ROLE); + } + $group2 = $this->createGroup($manager, 'Guests', $guestRoles); $group3 = $this->createGroup($manager, 'Super administrators', [ $this->getReference(RoleFixtures::REFERENCE_PERMISSIONMANAGER_ROLE), diff --git a/src/Kunstmaan/GeneratorBundle/DataFixtures/ORM/RoleFixtures.php b/src/Kunstmaan/GeneratorBundle/DataFixtures/ORM/RoleFixtures.php index 2afb9ae2b1..5cab7371bc 100644 --- a/src/Kunstmaan/GeneratorBundle/DataFixtures/ORM/RoleFixtures.php +++ b/src/Kunstmaan/GeneratorBundle/DataFixtures/ORM/RoleFixtures.php 
@@ -6,6 +6,7 @@ use Doctrine\Common\DataFixtures\OrderedFixtureInterface; use Doctrine\Persistence\ObjectManager; use Kunstmaan\AdminBundle\Entity\Role; +use Symfony\Component\Security\Core\Authorization\Voter\AuthenticatedVoter; /** * Fixture for creation the basic roles @@ -16,6 +17,7 @@ class RoleFixtures extends AbstractFixture implements OrderedFixtureInterface const REFERENCE_ADMIN_ROLE = 'admin-role'; const REFERENCE_SUPERADMIN_ROLE = 'superadmin-role'; const REFERENCE_GUEST_ROLE = 'guest-role'; + const REFERENCE_PUBLIC_ACCESS_ROLE = 'public-role'; /** * Load data fixtures with the passed EntityManager @@ -26,6 +28,10 @@ public function load(ObjectManager $manager) $role2 = $this->createRole($manager, 'ROLE_ADMIN'); $role3 = $this->createRole($manager, 'ROLE_SUPER_ADMIN'); $role4 = $this->createRole($manager, 'IS_AUTHENTICATED_ANONYMOUSLY'); + $role5 = null; + if (defined(AuthenticatedVoter::PUBLIC_ACCESS)) { + $role5 = $this->createRole($manager, AuthenticatedVoter::PUBLIC_ACCESS); + } $manager->flush(); @@ -33,6 +39,9 @@ public function load(ObjectManager $manager) $this->addReference(self::REFERENCE_ADMIN_ROLE, $role2); $this->addReference(self::REFERENCE_SUPERADMIN_ROLE, $role3); $this->addReference(self::REFERENCE_GUEST_ROLE, $role4); + if (null !== $role5) { + $this->addReference(self::REFERENCE_PUBLIC_ACCESS_ROLE, $role5); + } } /** diff --git a/src/Kunstmaan/NodeBundle/Command/InitAclCommand.php b/src/Kunstmaan/NodeBundle/Command/InitAclCommand.php index 2be96f7904..2ac47c3d8c 100644 --- a/src/Kunstmaan/NodeBundle/Command/InitAclCommand.php +++ b/src/Kunstmaan/NodeBundle/Command/InitAclCommand.php 
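Review bot: `defined(AuthenticatedVoter::PUBLIC_ACCESS)` in `load()` does not test for the class constant, because `defined()` takes the constant's name as a string; this call evaluates the constant first and then looks for a global constant named by its value. Where the class constant exists the check is false and `$role5` stays null, so the role and its reference are never created; where it does not exist, evaluating the argument raises an `Error` before the guard can help. The guard should be `if (\defined(AuthenticatedVoter::class.'::PUBLIC_ACCESS')) {`. The same call is repeated in `InitAclCommand::execute()`, `ACLPermissionCreatorService::createPermission()`, `NodePagesConfiguration::addPermissions()` and `getAclPermissions()`, and `NodeSearcher::getCurrentUserRoles()`, where it means the `PUBLIC_ACCESS` ACE and search role are silently not written, and the added tests cover only the two ACL helpers, so none of these branches is exercised. `load()` starts and ends outside the hunk.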
@@ -14,6 +14,7 @@ use Symfony\Component\Security\Acl\Exception\AclNotFoundException; use Symfony\Component\Security\Acl\Model\MutableAclProviderInterface; use Symfony\Component\Security\Acl\Model\ObjectIdentityRetrievalStrategyInterface; +use Symfony\Component\Security\Core\Authorization\Voter\AuthenticatedVoter; /** * Basic initialization of ACL entries for all nodes. @@ -71,6 +72,11 @@ protected function execute(InputInterface $input, OutputInterface $output): int $securityIdentity = new RoleSecurityIdentity('IS_AUTHENTICATED_ANONYMOUSLY'); $acl->insertObjectAce($securityIdentity, MaskBuilder::MASK_VIEW); + if (defined(AuthenticatedVoter::PUBLIC_ACCESS)) { + $securityIdentity = new RoleSecurityIdentity(AuthenticatedVoter::PUBLIC_ACCESS); + $acl->insertObjectAce($securityIdentity, MaskBuilder::MASK_VIEW); + } + $securityIdentity = new RoleSecurityIdentity('ROLE_ADMIN'); $acl->insertObjectAce( $securityIdentity, diff --git a/src/Kunstmaan/NodeBundle/Helper/Services/ACLPermissionCreatorService.php b/src/Kunstmaan/NodeBundle/Helper/Services/ACLPermissionCreatorService.php index 9182d25e18..34dfa8dd90 100644 --- a/src/Kunstmaan/NodeBundle/Helper/Services/ACLPermissionCreatorService.php +++ b/src/Kunstmaan/NodeBundle/Helper/Services/ACLPermissionCreatorService.php @@ -7,6 +7,7 @@ use Symfony\Component\Security\Acl\Exception\AclNotFoundException; use Symfony\Component\Security\Acl\Model\MutableAclProviderInterface; use Symfony\Component\Security\Acl\Model\ObjectIdentityRetrievalStrategyInterface; +use Symfony\Component\Security\Core\Authorization\Voter\AuthenticatedVoter; /** * Service to add the correct permissions to new HasNodeInterface objects. 
@@ -48,6 +49,11 @@ public function createPermission($object) $securityIdentity = new RoleSecurityIdentity('IS_AUTHENTICATED_ANONYMOUSLY'); $acl->insertObjectAce($securityIdentity, MaskBuilder::MASK_VIEW); + if (defined(AuthenticatedVoter::PUBLIC_ACCESS)) { + $securityIdentity = new RoleSecurityIdentity(AuthenticatedVoter::PUBLIC_ACCESS); + $acl->insertObjectAce($securityIdentity, MaskBuilder::MASK_VIEW); + } + $securityIdentity = new RoleSecurityIdentity('ROLE_ADMIN'); $acl->insertObjectAce( $securityIdentity, diff --git a/src/Kunstmaan/NodeSearchBundle/Configuration/NodePagesConfiguration.php b/src/Kunstmaan/NodeSearchBundle/Configuration/NodePagesConfiguration.php index 2028b8260a..f28b8cc3f6 100644 --- a/src/Kunstmaan/NodeSearchBundle/Configuration/NodePagesConfiguration.php +++ b/src/Kunstmaan/NodeSearchBundle/Configuration/NodePagesConfiguration.php @@ -28,6 +28,7 @@ use Symfony\Component\Security\Acl\Model\AclInterface; use Symfony\Component\Security\Acl\Model\AclProviderInterface; use Symfony\Component\Security\Acl\Model\AuditableEntryInterface; +use Symfony\Component\Security\Core\Authorization\Voter\AuthenticatedVoter; class NodePagesConfiguration implements SearchConfigurationInterface { @@ -444,7 +445,11 @@ protected function addPermissions(Node $node, &$doc) $roles = $this->getAclPermissions($node); } else { // Fallback when no ACL available / assume everything is accessible... + // NEXT_MAJOR cleanup old security role $roles = ['IS_AUTHENTICATED_ANONYMOUSLY']; + if (defined(AuthenticatedVoter::PUBLIC_ACCESS)) { + $roles[] = AuthenticatedVoter::PUBLIC_ACCESS; + } } $doc['view_roles'] = $roles; } @@ -611,7 +616,11 @@ protected function getAclPermissions($object) } } catch (AclNotFoundException $e) { // No ACL found... assume default + // NEXT_MAJOR cleanup old security role $roles = ['IS_AUTHENTICATED_ANONYMOUSLY']; + if (defined(AuthenticatedVoter::PUBLIC_ACCESS)) { + $roles[] = AuthenticatedVoter::PUBLIC_ACCESS; + } } return $roles; 
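Review bot: Both fallbacks in `NodePagesConfiguration::addPermissions()` and `getAclPermissions()` fail open: a node with no ACL gets the anonymous role as its `view_roles`, and this change extends that default to `PUBLIC_ACCESS`. The existing comments say only "assume default" and "assume everything is accessible", so I would spell the consequence out, e.g. `// No ACL found: the node is indexed as publicly viewable (fail-open default).` It may also be worth logging the caught `AclNotFoundException`, so that nodes missing an ACL show up for operators instead of just appearing as public in the search index. Both methods start outside their hunks.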
diff --git a/src/Kunstmaan/NodeSearchBundle/Search/NodeSearcher.php b/src/Kunstmaan/NodeSearchBundle/Search/NodeSearcher.php index eb68c48f40..6bc3e4652c 100644 --- a/src/Kunstmaan/NodeSearchBundle/Search/NodeSearcher.php +++ b/src/Kunstmaan/NodeSearchBundle/Search/NodeSearcher.php @@ -16,6 +16,7 @@ use Kunstmaan\NodeSearchBundle\Helper\SearchBoostInterface; use Symfony\Component\Security\Core\Authentication\Token\Storage\TokenStorageInterface; use Symfony\Component\Security\Core\Authentication\Token\TokenInterface; +use Symfony\Component\Security\Core\Authorization\Voter\AuthenticatedVoter; /** * Default node searcher implementation @@ -162,10 +163,15 @@ protected function getCurrentUserRoles() } // Anonymous access should always be available for both anonymous & logged in users + // NEXT_MAJOR cleanup old security role if (!\in_array('IS_AUTHENTICATED_ANONYMOUSLY', $roles, true)) { $roles[] = 'IS_AUTHENTICATED_ANONYMOUSLY'; } + if (defined(AuthenticatedVoter::PUBLIC_ACCESS) && !\in_array(AuthenticatedVoter::PUBLIC_ACCESS, $roles, true)) { + $roles[] = AuthenticatedVoter::PUBLIC_ACCESS; + } + // Return a re-indexed array to make sure the array keys are incremental and don't skip a number. Otherwise // this causes issues in ES7. return array_values($roles);