<?php
namespace ProcessMaker\Policies;
use Luracast\Restler\iAuthenticate;
use Luracast\Restler\RestException;
use Luracast\Restler\Defaults;
use Luracast\Restler\Util;
use Luracast\Restler\Scope;
use OAuth2\Request;
use ProcessMaker\Services\OAuth2\Server;
use ProcessMaker\BusinessModel\User;
use RBAC;
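class AccessControl implements iAuthenticate
{
    /**
     * @var mixed Reserved for the application; this class never reads it.
     */
    public static $role;

    /**
     * @var string|string[]|null Permission(s) the current endpoint requires.
     *      Expected to be set by the application before the request is
     *      dispatched. A string is a single required permission; an array
     *      lists alternatives of which ANY one is sufficient; an empty value
     *      means "no permission required".
     */
    public static $permission;

    /**
     * @var string|null Class name of an optional delegate authenticator that
     *      replaces the RBAC check for protected endpoints. It is instantiated
     *      by name through Scope, so it is trusted configuration and must never
     *      be derived from request input.
     */
    public static $className;

    /**
     * @var string|null UID of the token's resource owner as reported by the
     *      OAuth2 server; empty when the token did not verify.
     */
    private $userUid = null;

    /**
     * @var User Business-model user whose role/permissions are loaded per request.
     */
    private $oUser;

    /**
     * @var RBAC RBAC instance answering userCanAccess() for the current user.
     */
    private $rbac;

    /**
     * @var mixed Presumably the Restler instance, injected when this class is
     *      created through Scope; only read here via Util::nestedValue().
     *      NOTE(review): declared explicitly to avoid a dynamic property — confirm
     *      Restler still populates it.
     */
    public $restler;

    /** System name passed to the role/permission loaders. */
    const SYSTEM = 'PROCESSMAKER';

    /**
     * Restler authentication hook: verifies the OAuth2 resource request and,
     * for endpoints declared `@access protected`, enforces the configured
     * permission(s).
     *
     * Order of operations:
     *   1. Verify the bearer token and read the token's user UID.
     *   2. Load that user's role/permissions into the User model and RBAC
     *      (this runs even when the token did not verify, with an empty UID).
     *   3. Only when the token verified, a UID is present and the endpoint is
     *      protected: consult the delegate in self::$className if configured,
     *      otherwise run the RBAC check.
     *
     * NOTE(review): this method never returns false. A request whose token did
     * not verify, or that has no user UID, or that targets a non-protected
     * endpoint, skips the permission check and still returns true. Rejecting an
     * invalid token is therefore left to the OAuth2 authenticator registered
     * with Restler; confirm with the Restler setup that this class is never the
     * only authenticator consulted for a protected route, since an
     * authenticator returning true may be taken as success on its own.
     *
     * @return bool Always true; denial is signalled by throwing.
     * @throws RestException 500 when the delegate lacks the authentication
     *                       method, 403 when the delegate denies access, 401
     *                       when the RBAC check denies access.
     */
    public function __isAllowed()
    {
        $oauthServer = new Server();
        $this->oUser = new User();

        $request = Request::createFromGlobals();
        $tokenIsValid = $oauthServer->getServer()->verifyResourceRequest($request);
        $this->userUid = $oauthServer->getUserId();

        // Role/permission state is loaded before the access decision is made.
        $this->oUser->loadUserRolePermission(self::SYSTEM, $this->userUid);
        $this->loadRbacUser($this->userUid);

        $metadata = Util::nestedValue($this->restler, 'apiMethodInfo', 'metadata');
        $permissions = $this->getPermissions();

        $isProtected = !empty($metadata['access']) && $metadata['access'] === 'protected';
        if (!$tokenIsValid || empty($this->userUid) || !$isProtected) {
            // Nothing to enforce here; see the NOTE above about fail-open.
            return true;
        }

        if (is_string(self::$className)) {
            // Delegate path: the configured class decides, given the endpoint's
            // parameters and required permission(s).
            $authObj = Scope::get(self::$className);
            $authObj->parameters = Util::nestedValue($this->restler, 'apiMethodInfo', 'parameters');
            $authObj->permission = $permissions;

            $authMethod = Defaults::$authenticationMethod;
            if (!method_exists($authObj, $authMethod)) {
                throw new RestException(500, 'Authentication Class should implement iAuthenticate');
            }
            if (!$authObj->{$authMethod}()) {
                throw new RestException(403, "You don't have permission to access this endpoint or resource on this server.");
            }
        } elseif (!$this->verifyAccess($permissions)) {
            // NOTE(review): this path answers 401 while the delegate path above
            // answers 403 for the same "authenticated but not authorized" case;
            // kept as-is because clients may depend on the status code.
            throw new RestException(401);
        }

        return true;
    }

    /**
     * No WWW-Authenticate challenge is advertised by this class.
     *
     * @return string Always the empty string.
     */
    public function __getWWWAuthenticateString()
    {
        return '';
    }

    /**
     * Check whether the loaded RBAC user holds the required permission(s).
     *
     * A single permission string must be granted. For an array, ANY one of the
     * listed permissions is sufficient (first grant wins). An empty value
     * (null, '', [] — anything empty() accepts) requires nothing and is
     * allowed without consulting RBAC.
     *
     * @param string|string[]|null $permissions
     * @return bool true when access is granted
     */
    public function verifyAccess($permissions)
    {
        if (empty($permissions)) {
            return true;
        }

        $candidates = is_array($permissions) ? $permissions : [$permissions];
        foreach ($candidates as $perm) {
            // RBAC reports 1 for "granted"; every other value is treated as denied.
            if ((int) $this->userCanAccess($perm) === 1) {
                return true;
            }
        }

        return false;
    }

    /**
     * Ask RBAC whether the loaded user holds one permission.
     *
     * @param string $perm Permission code.
     * @return int RBAC result code; 1 means granted, anything else is denied by
     *             verifyAccess().
     */
    public function userCanAccess($perm)
    {
        return $this->rbac->userCanAccess($perm);
    }

    /**
     * Normalise the endpoint's required permission(s) from self::$permission.
     *
     * Strings are trimmed; arrays are trimmed element-wise and re-indexed;
     * any other value is returned untouched.
     *
     * @return string|string[]|mixed
     */
    private function getPermissions()
    {
        $raw = self::$permission;

        if (is_string($raw)) {
            return trim($raw);
        }
        if (is_array($raw)) {
            return array_values(array_map('trim', $raw));
        }

        return $raw;
    }

    /**
     * Build and initialise the RBAC instance for the given user.
     *
     * @param string|null $userUid User UID from the token; may be empty when
     *                             the token did not verify.
     * @return void
     */
    private function loadRbacUser($userUid)
    {
        $this->rbac = new RBAC;
        $this->rbac->initRBAC();
        $this->rbac->loadUserRolePermission(self::SYSTEM, $userUid);
    }
}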