作者:arcany
项目:SSO-user-provider-bundl
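/**
 * Authenticates the pre-authenticated token against the SSO user data left in the session.
 *
 * The SAML2 response handling is expected to have stored the asserted attributes in the
 * flash bag under 'arcanys_sso_auth.user_data'. They are handed to the user provider and the
 * resulting user is wrapped in a fresh PreAuthenticatedToken. When no SSO data is present,
 * the SAML2 login is initiated and the script ends.
 *
 * @param TokenInterface        $token        Token carrying the credentials reused as secret
 * @param UserProviderInterface $userProvider Provider resolving the SSO attributes to a user
 * @param string                $providerKey  Firewall provider key
 *
 * @return PreAuthenticatedToken
 *
 * @throws AuthenticationException when the SSO data contains no user id
 */
public function authenticateToken(TokenInterface $token, UserProviderInterface $userProvider, $providerKey)
{
    $secret = $token->getCredentials();
    // FlashBag::get() consumes the entry, so the SSO data is only visible on this request.
    $userData = $this->session->getFlashBag()->get('arcanys_sso_auth.user_data');
    if (!$userData) {
        // No SSO data yet: start the SAML2 login round-trip (expected to redirect) and stop
        // the firewall from processing the request any further.
        $this->saml2->login();
        exit;
    }

    // TODO create mapping config in the future
    // Every attribute is a list of values; the first one is used. Missing, non-list or empty
    // attributes yield false instead of an undefined-index notice.
    $first = static function (array $data, $key) {
        if (!isset($data[$key]) || !is_array($data[$key]) || !$data[$key]) {
            return false;
        }

        return reset($data[$key]);
    };
    $username  = $first($userData, 'uid');
    $email     = $first($userData, 'email');
    $firstname = $first($userData, 'firstname');
    $lastname  = $first($userData, 'lastname');
    // Kept in its own variable: reusing $token here would clobber the token being authenticated.
    $ssoToken  = $first($userData, 'token');
    $roles     = isset($userData['rights']) ? $userData['rights'] : null;
    if (!$roles) {
        $roles = ['ROLE_USER'];
    }
    if (!$username) {
        throw new AuthenticationException("Failed to authenticate from SSO");
    }
    $user = $userProvider->loadUserByUsername([
        'username'  => $username,
        'email'     => $email,
        'firstname' => $firstname,
        'lastname'  => $lastname,
        'token'     => $ssoToken,
        'roles'     => $roles,
    ]);
    // NOTE(review): UserInterface::getRoles() takes no argument; $roles is passed along in case
    // the provider's user class accepts it — confirm against that class.
    return new PreAuthenticatedToken($user, $secret, $providerKey, $user->getRoles($roles));
}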
作者:bco-tre
项目:edonat
/**
 * Votes on the user-management attributes handled by this voter.
 *
 * Only one attribute per call is accepted. Both LIST_USERS and CREATE_USERS are granted to
 * authenticated users holding ROLE_ADMIN; every other authenticated user is denied.
 *
 * @param TokenInterface $token      Token of the current user
 * @param mixed          $object     Subject of the vote (not used by this voter)
 * @param array          $attributes Exactly one attribute
 *
 * @return int One of the VoterInterface::ACCESS_* constants
 *
 * @throws \InvalidArgumentException when more than one attribute is passed
 */
public function vote(TokenInterface $token, $object, array $attributes)
{
    // Single-attribute convention: keeps each decision independent and easy to reason about.
    if (count($attributes) !== 1) {
        throw new \InvalidArgumentException('Only one attribute is allowed for VIEW, EDIT or DELETE');
    }
    $attribute = $attributes[0];
    if (!$this->supportsAttribute($attribute)) {
        return VoterInterface::ACCESS_ABSTAIN;
    }

    $currentUser = $token->getUser();
    // An anonymous token exposes a string instead of a user object.
    if (!$currentUser instanceof UserInterface) {
        return VoterInterface::ACCESS_DENIED;
    }

    // Both attributes are admin-only; nobody else may list or create users.
    // Loose comparison mirrors the switch semantics these constants were matched with.
    $adminOnly = [self::LIST_USERS, self::CREATE_USERS];
    if (in_array($attribute, $adminOnly) && $currentUser->hasRole('ROLE_ADMIN')) {
        return VoterInterface::ACCESS_GRANTED;
    }

    return VoterInterface::ACCESS_DENIED;
}
作者:Vidu
项目:tiremoidlaol
/**
 * {@inheritdoc}
 *
 * Issues the remember-me cookie after an interactive login. The cookie value is derived from
 * the user's class, username, expiry and password hash — presumably so that a password change
 * invalidates cookies already handed out.
 */
protected function onLoginSuccess(Request $request, Response $response, TokenInterface $token)
{
    $user = $token->getUser();
    $options = $this->options;
    $expires = time() + $options['lifetime'];

    $cookieValue = $this->generateCookieValue(
        get_class($user),
        $user->getUsername(),
        $expires,
        $user->getPassword()
    );

    $cookie = new Cookie(
        $options['name'],
        $cookieValue,
        $expires,
        $options['path'],
        $options['domain'],
        $options['secure'],
        $options['httponly']
    );
    $response->headers->setCookie($cookie);
}
作者:loic42
项目:Syliu
/**
 * The locale code resolved by the subject is the one of the admin user held by the current token.
 */
function it_returns_locale_of_currently_logged_admin_user(TokenStorageInterface $tokenStorage, TokenInterface $token, AdminUserInterface $admin)
{
    // Arrange the collaborator chain: token storage -> token -> admin user -> locale code.
    $tokenStorage->getToken()->willReturn($token);
    $token->getUser()->willReturn($admin);
    $admin->getLocaleCode()->willReturn('en_US');

    $this->getLocaleCode()->shouldReturn('en_US');
}
作者:xtrasma
项目:iinan
/**
 * Decides whether the current user may reach ticket-protected content.
 *
 * Access is granted when the voter is configured for free access, when the user is
 * individually exempt, or when the user holds a valid ticket. Anonymous users are denied.
 *
 * @param TokenInterface $token      Token of the current user
 * @param mixed          $object     Subject of the vote (not used by this voter)
 * @param array          $attributes Exactly one attribute
 *
 * @return int One of the VoterInterface::ACCESS_* constants
 *
 * @throws \InvalidArgumentException when more than one attribute is passed
 */
public function vote(TokenInterface $token, $object, array $attributes)
{
    // Single-attribute convention: one decision per call.
    if (count($attributes) !== 1) {
        throw new \InvalidArgumentException('Only one attribute is allowed for TicketVoter');
    }
    if (!$this->supportsAttribute($attributes[0])) {
        return VoterInterface::ACCESS_ABSTAIN;
    }

    $netizen = $token->getUser();
    // Anonymous tokens carry a string user, which can never hold a ticket.
    if (!$netizen instanceof Netizen) {
        return VoterInterface::ACCESS_DENIED;
    }

    $granted = $this->freeAccess
        || $this->hasFreeAccess($netizen)
        || $netizen->hasValidTicket();

    return $granted ? VoterInterface::ACCESS_GRANTED : VoterInterface::ACCESS_DENIED;
}
作者:zenmagic
项目:zenmagic
/**
 * {@inheritDoc}
 *
 * Registers the freshly authenticated account on the session, then lets the parent
 * handler build the success response.
 */
public function onAuthenticationSuccess(Request $request, TokenInterface $token)
{
    $request->getSession()->registerAccount($token->getUser(), $request, $this);

    return parent::onAuthenticationSuccess($request, $token);
}
作者:bakicd
项目:EDBlogBundl
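/**
 * Returns the vote for the given parameters.
 *
 * This method must return one of the following constants:
 * ACCESS_GRANTED, ACCESS_DENIED, or ACCESS_ABSTAIN.
 *
 * ADMINISTRATE_BLOG and SWITCH_ARTICLE_AUTHOR require ROLE_BLOG_ADMIN;
 * ADMINISTRATE_COMMENTS accepts ROLE_BLOG_ADMIN or ROLE_BLOG_EDITOR. Any other attribute,
 * an unsupported subject class, or an anonymous user leads to an abstention.
 *
 * @param TokenInterface $token A TokenInterface instance
 * @param object|null $object The object to secure
 * @param array $attributes An array of attributes associated with the method being invoked
 *
 * @return int either ACCESS_GRANTED, ACCESS_ABSTAIN, or ACCESS_DENIED
 */
public function vote(TokenInterface $token, $object, array $attributes)
{
    // get_class() requires an object; a null or scalar subject is abstained on instead of erroring.
    if (!is_object($object) || !$this->supportsClass(get_class($object))) {
        return self::ACCESS_ABSTAIN;
    }

    $user = $token->getUser();
    // Anonymous users are exposed as the string 'anon.' (no hasRole()); leave the decision to others.
    if (!is_object($user)) {
        return self::ACCESS_ABSTAIN;
    }

    // Strict membership test: attribute names are plain strings.
    $wants = static function ($attribute) use ($attributes) {
        return in_array($attribute, $attributes, true);
    };

    if ($wants('ADMINISTRATE_BLOG') || $wants('SWITCH_ARTICLE_AUTHOR')) {
        return $user->hasRole('ROLE_BLOG_ADMIN') ? self::ACCESS_GRANTED : self::ACCESS_DENIED;
    }
    if ($wants('ADMINISTRATE_COMMENTS')) {
        $isStaff = $user->hasRole('ROLE_BLOG_ADMIN') || $user->hasRole('ROLE_BLOG_EDITOR');

        return $isStaff ? self::ACCESS_GRANTED : self::ACCESS_DENIED;
    }

    return self::ACCESS_ABSTAIN;
}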
作者:Maksol
项目:platfor
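/**
 * {@inheritDoc}
 *
 * Grants access to an email when the attribute is granted on at least one of its EmailUser
 * records, or when one of those records is owned by a mailbox that is available to the
 * current user within the token's organization.
 */
public function vote(TokenInterface $token, $object, array $attributes)
{
    if (!$object || !is_object($object)) {
        return self::ACCESS_ABSTAIN;
    }
    $objectClass = ClassUtils::getClass($object);
    if (!$this->supportsClass($objectClass)) {
        return self::ACCESS_ABSTAIN;
    }
    foreach ($attributes as $attribute) {
        if (!$this->supportsAttribute($attribute)) {
            return self::ACCESS_ABSTAIN;
        }
    }

    $object = $this->convertToSupportedObject($object, $objectClass);
    /** @var EmailUser[] $emailUsers */
    $emailUsers = $object->getEmailUsers();
    $securityFacade = $this->container->get('oro_security.security_facade');
    // Resolved lazily and once: the available mailboxes depend on the token, not on the
    // email user being inspected.
    $availableMailboxes = null;

    foreach ($attributes as $attribute) {
        foreach ($emailUsers as $emailUser) {
            if ($securityFacade->isGranted($attribute, $emailUser)) {
                return self::ACCESS_GRANTED;
            }

            // The assignment must be separate from the null check: written as
            // "$mailbox = getMailboxOwner() !== null && ..." PHP assigns the boolean to $mailbox,
            // and in_array(true, $mailboxes) then matches any non-empty list of mailboxes.
            $mailbox = $emailUser->getMailboxOwner();
            if ($mailbox === null || !$token instanceof UsernamePasswordOrganizationToken) {
                continue;
            }
            if ($availableMailboxes === null) {
                $repo = $this->container->get('doctrine')->getRepository('OroEmailBundle:Mailbox');
                $availableMailboxes = $repo->findAvailableMailboxes($token->getUser(), $token->getOrganizationContext());
            }
            // Strict comparison: the owner must be the same entity instance the repository returned.
            // NOTE(review): assumes both come from the same identity map — confirm.
            if (in_array($mailbox, $availableMailboxes, true)) {
                return self::ACCESS_GRANTED;
            }
        }
    }

    return self::ACCESS_DENIED;
}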
作者:enhav
项目:enhav
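/**
 * Grants a workflow transition when the user shares at least one group with the transition.
 *
 * @param TokenInterface $token      Token of the current user
 * @param mixed          $transition Transition being voted on; expected to expose getGroups()
 * @param array          $attributes Attributes being voted on
 *
 * @return int ACCESS_GRANTED or ACCESS_DENIED for WORKFLOW_TRANSITION, ACCESS_ABSTAIN otherwise
 */
public function vote(TokenInterface $token, $transition, array $attributes)
{
    // Strict comparison: attribute names are plain strings.
    if (!in_array('WORKFLOW_TRANSITION', $attributes, true)) {
        return self::ACCESS_ABSTAIN;
    }

    $user = $token->getUser();
    // Anonymous tokens expose a string instead of a user object; such a user belongs to no group.
    if (!is_object($user)) {
        return self::ACCESS_DENIED;
    }

    // Materialise the transition's groups so membership can be tested with in_array().
    $transitionGroups = array();
    foreach ($transition->getGroups() as $transitionGroup) {
        $transitionGroups[] = $transitionGroup;
    }

    foreach ($user->getGroups() as $userGroup) {
        // Loose comparison kept on purpose: groups are matched by value, not by instance.
        if (in_array($userGroup, $transitionGroups)) {
            return self::ACCESS_GRANTED;
        }
    }

    return self::ACCESS_DENIED;
}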
作者:stopfsted
项目:ilio
/**
 * Decides a single attribute for a course learning material.
 *
 * VIEW requires view rights on the owning course and, for materials still in draft, one of
 * the elevated roles. CREATE/EDIT/DELETE require write rights on the owning course, which must
 * be neither locked nor archived.
 *
 * @param string $attribute
 * @param CourseLearningMaterialInterface $material
 * @param TokenInterface $token
 * @return bool
 */
protected function voteOnAttribute($attribute, $material, TokenInterface $token)
{
    $user = $token->getUser();
    if (!$user instanceof UserInterface) {
        return false;
    }
    $course = $material->getCourse();
    if (!$course) {
        return false;
    }

    if (self::VIEW === $attribute) {
        if (!$this->isViewGranted($course->getId(), $course->getSchool()->getId(), $user)) {
            return false;
        }
        // A learning material still in draft is only visible to users with elevated privileges.
        if ($this->userHasRole($user, ['Faculty', 'Course Director', 'Developer'])) {
            return true;
        }

        return LearningMaterialStatusInterface::IN_DRAFT !== $material->getLearningMaterial()->getStatus()->getId();
    }

    if (in_array($attribute, [self::CREATE, self::EDIT, self::DELETE], true)) {
        // Locked or archived courses reject every write operation.
        if ($course->isLocked() || $course->isArchived()) {
            return false;
        }

        return $this->isWriteGranted($course->getId(), $course->getSchool()->getId(), $user);
    }

    return false;
}
作者:xamin12
项目:platfor
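/**
 * Get valid UserApi for given token
 *
 * Tries every API key of the user against the digest carried by the token and returns the
 * first key that validates. A validating key must additionally belong to one of the user's
 * organizations, and that organization must be enabled.
 *
 * @param TokenInterface $token Token exposing the 'digest', 'nonce' and 'created' attributes
 * @param PersistentCollection $secrets API keys (UserApi) registered for the user
 * @param User $user User whose salt is mixed into the digest
 *
 * @return bool|UserApi The validated UserApi, or false when no key matches
 *
 * @throws BadCredentialsException when the matching key is bound to a foreign or disabled organization
 */
protected function getValidUserApi(TokenInterface $token, PersistentCollection $secrets, User $user)
{
    $nonce = $token->getAttribute('nonce');
    $secretsCount = $secrets->count();
    if (0 === $secretsCount) {
        return false;
    }
    // The remaining token attributes and the salt are the same for every key; read them once.
    $digest  = $token->getAttribute('digest');
    $created = $token->getAttribute('created');
    $salt    = $this->getSalt($user);

    $currentIteration = 0;
    /** @var UserApi $userApi */
    foreach ($secrets as $userApi) {
        $currentIteration++;
        $isSecretValid = $this->validateDigest($digest, $nonce, $created, $userApi->getApiKey(), $salt);

        if (!$isSecretValid) {
            // Delete the nonce from the cache because the user may have other API keys to try
            // (presumably validateDigest() records it against replay). After the last key fails
            // the nonce stays recorded, so it cannot be reused.
            if ($secretsCount !== $currentIteration) {
                $this->getNonceCache()->delete($nonce);
            }
            continue;
        }

        // A validating key must belong to one of the user's organizations ...
        if (!$userApi->getUser()->getOrganizations()->contains($userApi->getOrganization())) {
            throw new BadCredentialsException('Wrong API key.');
        }
        // ... and that organization must be active.
        if (!$userApi->getOrganization()->isEnabled()) {
            throw new BadCredentialsException('Organization is not active.');
        }

        return $userApi;
    }

    return false;
}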
作者:xavier-dubreui
项目:PassVaul
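/**
 * Votes on the role-based permission a user holds on a node.
 *
 * The requested role is $attributes[0]; the voter abstains for non-Node subjects and for
 * roles not configured in $this->roles. Access is denied as soon as the parent node (if any)
 * denies the same attributes. Otherwise access is granted when the node inherits permissions,
 * when the user owns the node, or when the user — directly or through one of their teams —
 * holds a role ranked at least as high as the requested one.
 *
 * @param TokenInterface $token      Token of the current user
 * @param mixed          $node       Subject; only Node instances are handled
 * @param array          $attributes Attributes; the first one is the role to check
 *
 * @return int One of the ACCESS_* constants
 */
function vote(TokenInterface $token, $node, array $attributes)
{
    if (!$node instanceof Node) {
        return self::ACCESS_ABSTAIN;
    }
    // Only the attribute in position 0 is evaluated; a missing or unknown role means abstain.
    $requested = isset($attributes[0]) ? $attributes[0] : null;
    if ((!is_string($requested) && !is_int($requested)) || !array_key_exists($requested, $this->roles)) {
        return self::ACCESS_ABSTAIN;
    }
    $requiredLevel = $this->roles[$requested];

    // Permissions cascade: a node is never more accessible than its parent.
    $parent = $node->getParent();
    if ($parent !== null && !$this->container->get('security.authorization_checker')->isGranted($attributes, $parent)) {
        return self::ACCESS_DENIED;
    }
    // NOTE(review): an inheriting node is granted regardless of who asks; for a root node
    // (no parent to defer to) that means every caller, anonymous ones included — confirm intended.
    if (method_exists($node, 'getInherit') && $node->getInherit()) {
        return self::ACCESS_GRANTED;
    }

    $user = $token->getUser();
    // Anonymous tokens expose a string; such a user owns nothing and belongs to no team.
    if (!is_object($user)) {
        return self::ACCESS_DENIED;
    }
    // Loose comparisons below are kept: users and teams are matched by value.
    if ($node->getOwner() == $user) {
        return self::ACCESS_GRANTED;
    }
    foreach ($node->getUsers() as $nodeUser) {
        if ($nodeUser->getUser() == $user && $this->roles[$nodeUser->getRole()] >= $requiredLevel) {
            return self::ACCESS_GRANTED;
        }
    }
    foreach ($user->getAssocTeams() as $team) {
        foreach ($node->getTeams() as $nodeTeam) {
            if ($nodeTeam->getTeam() == $team->getTeam() && $this->roles[$nodeTeam->getRole()] >= $requiredLevel) {
                return self::ACCESS_GRANTED;
            }
        }
    }

    return self::ACCESS_DENIED;
}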
作者:syrotchukandre
项目:rainbo
/**
 * Decides a single attribute for an Estate subject.
 *
 * VIEW and CREATE are open to admins and managers; EDIT and REMOVE to the estate's creator
 * or to admins. Anonymous users and unknown attributes are refused.
 *
 * @param string         $attribute One of the self::* attribute constants
 * @param mixed          $subject   The Estate being voted on
 * @param TokenInterface $token     Token of the current user
 *
 * @return bool
 */
protected function voteOnAttribute($attribute, $subject, TokenInterface $token)
{
    $user = $token->getUser();
    if (!$user instanceof UserInterface) {
        return false;
    }
    /** @var Estate $estate */
    $estate = $subject;

    $hasAnyRole = function (array $roles) use ($token) {
        return $this->decisionManager->decide($token, $roles);
    };

    if ($attribute === self::VIEW || $attribute === self::CREATE) {
        return $hasAnyRole(array('ROLE_ADMIN', 'ROLE_MANAGER'));
    }
    if ($attribute === self::EDIT || $attribute === self::REMOVE) {
        return $user->getUsername() === $estate->getCreatedBy() || $hasAnyRole(array('ROLE_ADMIN'));
    }

    return false;
}
作者:stopfsted
项目:ilio
/**
 * Decides a single attribute for an objective.
 *
 * VIEW is open to every authenticated user. CREATE/EDIT/DELETE are delegated to the
 * course-, session- or program-year-specific check, depending on which association the
 * objective carries.
 *
 * @param string $attribute
 * @param ObjectiveInterface $objective
 * @param TokenInterface $token
 * @return bool
 */
protected function voteOnAttribute($attribute, $objective, TokenInterface $token)
{
    $user = $token->getUser();
    if (!$user instanceof UserInterface) {
        return false;
    }

    // Any authenticated user can see all objectives.
    if (self::VIEW === $attribute) {
        return true;
    }
    if (!in_array($attribute, [self::CREATE, self::EDIT, self::DELETE], true)) {
        return false;
    }

    // Write access hinges on what owns the objective: a course, a session or a program year.
    // The objective carries no explicit owner type, so the first non-empty association decides,
    // in this order. Effectively three voters in one.
    // TODO: Clean this mess up. [ST 2015/08/05]
    if (!$objective->getCourses()->isEmpty()) {
        return $this->isCreateEditDeleteGrantedForCourseObjective($objective, $user);
    }
    if (!$objective->getSessions()->isEmpty()) {
        return $this->isCreateEditDeleteGrantedForSessionObjective($objective, $user);
    }
    if (!$objective->getProgramYears()->isEmpty()) {
        return $this->isCreateEditDeleteGrantedForProgramYearObjective($objective, $user);
    }

    // An objective attached to nothing is not writable.
    return false;
}
作者:jimmi4
项目:hateoas-bundle-exampl
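/**
 * Votes on VIEW, EDIT and DELETE for a post.
 *
 * VIEW is granted to every authenticated user; EDIT and DELETE only to the post's owner.
 *
 * @param TokenInterface $token      Token of the current user
 * @param mixed          $post       Subject of the vote; only supported post classes are handled
 * @param array          $attributes Exactly one attribute
 * @return integer One of the VoterInterface::ACCESS_* constants
 * @throws \InvalidArgumentException when more than one attribute is passed
 */
public function vote(TokenInterface $token, $post, array $attributes)
{
    // get_class() requires an object; a null or scalar subject is not ours to judge.
    if (!is_object($post) || !$this->supportsClass(get_class($post))) {
        return VoterInterface::ACCESS_ABSTAIN;
    }
    if (1 !== count($attributes)) {
        throw new \InvalidArgumentException('Only one attribute is allowed for VIEW or EDIT');
    }
    $attribute = $attributes[0];
    if (!$this->supportsAttribute($attribute)) {
        return VoterInterface::ACCESS_ABSTAIN;
    }

    $user = $token->getUser();
    // Anonymous tokens expose a string instead of a user object.
    if (!$user instanceof UserInterface) {
        return VoterInterface::ACCESS_DENIED;
    }

    if (self::VIEW === $attribute) {
        return VoterInterface::ACCESS_GRANTED;
    }
    // Only the owner may modify or delete a post.
    if (in_array($attribute, [self::EDIT, self::DELETE], true) && $user->getId() === $post->getOwner()->getId()) {
        return VoterInterface::ACCESS_GRANTED;
    }

    return VoterInterface::ACCESS_DENIED;
}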
作者:syrotchukandre
项目:blo
/**
 * Decides a single attribute for a Comment subject.
 *
 * CREATE is open to users, moderators and admins. EDIT and REMOVE are granted to the
 * comment's author, or to a moderator for whom canYouDoIt() approves the comment.
 *
 * @param string         $attribute One of the self::* attribute constants
 * @param mixed          $subject   The Comment being voted on (guaranteed by supports())
 * @param TokenInterface $token     Token of the current user
 *
 * @return bool
 */
protected function voteOnAttribute($attribute, $subject, TokenInterface $token)
{
    $user = $token->getUser();
    if (!$user instanceof UserInterface) {
        return false;
    }
    /** @var Comment $comment */
    $comment = $subject;

    if ($attribute === self::CREATE) {
        return $this->decisionManager->decide($token, array('ROLE_ADMIN', 'ROLE_MODERATOR', 'ROLE_USER'));
    }
    if ($attribute === self::EDIT || $attribute === self::REMOVE) {
        // Admins get no extra right here: the only admin path in this rule also requires
        // authorship, which the first clause already covers.
        // NOTE(review): the inline comments describe "author or admin or moderator" — confirm
        // whether a non-author admin was meant to be allowed.
        return $comment->isAuthor($user)
            || ($this->decisionManager->decide($token, array('ROLE_MODERATOR')) && $this->canYouDoIt($comment, $user));
    }

    return false;
}
作者:Tekstov
项目:Tekstove-ap
/**
 * Tells whether this listener handles the given token.
 *
 * @param TokenInterface $token
 * @param string         $providerKey Firewall provider key this listener was created for
 *
 * @return boolean True only for a PreAuthenticatedToken issued for the same provider key
 */
public function supportsToken(TokenInterface $token, $providerKey)
{
    return $token instanceof PreAuthenticatedToken
        && $token->getProviderKey() === $providerKey;
}
作者:0TshELn1c
项目:blo
/**
 * Decides a single attribute for a Post subject.
 *
 * CREATE is restricted to admins. EDIT and REMOVE are granted to the post's author
 * (matched by e-mail address) or to admins.
 *
 * @param string         $attribute One of the self::* attribute constants
 * @param mixed          $subject   The Post being voted on (guaranteed by supports())
 * @param TokenInterface $token     Token of the current user
 *
 * @return bool
 */
protected function voteOnAttribute($attribute, $subject, TokenInterface $token)
{
    $user = $token->getUser();
    if (!$user instanceof UserInterface) {
        return false;
    }
    /** @var Post $post */
    $post = $subject;

    if ($attribute === self::CREATE) {
        return $this->decisionManager->decide($token, array('ROLE_ADMIN'));
    }
    if ($attribute === self::EDIT || $attribute === self::REMOVE) {
        // Authorship is matched by e-mail address; admins may always modify or remove.
        return $user->getEmail() === $post->getAuthorEmail()
            || $this->decisionManager->decide($token, array('ROLE_ADMIN'));
    }

    return false;
}
作者:rickogde
项目:craftbeeru
/**
 * Grants every attribute on a Location to tokens carrying ROLE_LOCATION_MODERATOR.
 *
 * Abstains for everyone else so other voters decide; the attributes are not inspected.
 *
 * @param TokenInterface $token      Token of the current user
 * @param Location       $object     Location being voted on
 * @param array          $attributes Attributes being voted on (ignored)
 *
 * @return int VoterInterface::ACCESS_GRANTED or VoterInterface::ACCESS_ABSTAIN
 */
public function vote(TokenInterface $token, Location $object, array $attributes)
{
    // NOTE(review): depending on the Symfony version getRoles() yields Role objects rather than
    // strings; the loose in_array() comparison is kept as-is — confirm it matches in this setup.
    $isModerator = in_array('ROLE_LOCATION_MODERATOR', $token->getRoles());

    return $isModerator ? VoterInterface::ACCESS_GRANTED : VoterInterface::ACCESS_ABSTAIN;
}
作者:stopfsted
项目:ilio
/**
 * Decides a single attribute for a program.
 *
 * VIEW is open to every authenticated user. CREATE/EDIT/DELETE require either an elevated
 * role combined with a school relationship, or direct write permission on the program.
 *
 * @param string $attribute
 * @param ProgramInterface $program
 * @param TokenInterface $token
 * @return bool
 */
protected function voteOnAttribute($attribute, $program, TokenInterface $token)
{
    $user = $token->getUser();
    if (!$user instanceof UserInterface) {
        return false;
    }

    // do not enforce special views permissions on programs.
    if (self::VIEW === $attribute) {
        return true;
    }
    if (!in_array($attribute, [self::CREATE, self::EDIT, self::DELETE], true)) {
        return false;
    }

    // CREATE, EDIT and DELETE are granted when at least one of the following holds:
    // 1. The user holds 'Course Director' or 'Developer' and their primary school is the
    //    program's owning school.
    // 2. The user holds one of those roles and has WRITE permission on the program's owning school.
    // 3. The user has WRITE permission on the program itself.
    $school = $program->getSchool();
    $hasElevatedRole = $this->userHasRole($user, ['Course Director', 'Developer']);
    if ($hasElevatedRole
        && ($this->schoolsAreIdentical($school, $user->getSchool())
            || $this->permissionManager->userHasWritePermissionToSchool($user, $school->getId()))
    ) {
        return true;
    }

    return $this->permissionManager->userHasWritePermissionToProgram($user, $program);
}