vendor/sulu/sulu/src/Sulu/Bundle/SecurityBundle/EventListener/SuluSecurityListener.php line 43

Open in your IDE?
  1. <?php
  3. /*
  4. * This file is part of Sulu.
  5. *
  6. * (c) Sulu GmbH
  7. *
  8. * This source file is subject to the MIT license that is bundled
  9. * with this source code in the file LICENSE.
  10. */
  12. namespace Sulu\Bundle\SecurityBundle\EventListener;
  14. use Sulu\Component\Security\Authorization\AccessControl\SecuredObjectControllerInterface;
  15. use Sulu\Component\Security\Authorization\PermissionTypes;
  16. use Sulu\Component\Security\Authorization\SecurityCheckerInterface;
  17. use Sulu\Component\Security\Authorization\SecurityCondition;
  18. use Sulu\Component\Security\SecuredControllerInterface;
  19. use Symfony\Component\EventDispatcher\EventSubscriberInterface;
  20. use Symfony\Component\HttpKernel\Event\ControllerEvent;
  21. use Symfony\Component\HttpKernel\KernelEvents;
  22. use Symfony\Component\Security\Core\Exception\AccessDeniedException;
  24. /**
  25. * Listens on the kernel.controller event and checks if Sulu allows this action.
  26. */
  27. class SuluSecurityListener implements EventSubscriberInterface
  28. {
  29. public function __construct(private SecurityCheckerInterface $securityChecker)
  30. {
  31. }
  33. public static function getSubscribedEvents(): array
  34. {
  35. return [KernelEvents::CONTROLLER => 'onKernelController'];
  36. }
  38. /**
  39. * Checks if the action is allowed for the current user, and throws an Exception otherwise.
  40. *
  41. * @throws AccessDeniedException
  42. */
  43. public function onKernelController(ControllerEvent $event)
  44. {
  45. $controller = $event->getController();
  46. $action = '__invoke';
  48. if (\is_array($controller)) {
  49. if (isset($controller[1])) {
  50. $action = $controller[1];
  51. }
  53. if (isset($controller[0])) {
  54. $controller = $controller[0];
  55. }
  56. }
  58. if (
  59. !$controller instanceof SecuredControllerInterface
  60. && !$controller instanceof SecuredObjectControllerInterface
  61. ) {
  62. return;
  63. }
  65. $request = $event->getRequest();
  67. // find appropriate permission type for request
  68. $permission = '';
  70. switch ($request->getMethod()) {
  71. case 'GET':
  72. $permission = PermissionTypes::VIEW;
  73. break;
  74. case 'POST':
  75. if (\in_array($action, ['postAction', '__invoke'])) { // means that the ClassResourceInterface has to be used
  76. $permission = PermissionTypes::ADD;
  77. } else {
  78. $permission = PermissionTypes::EDIT;
  79. }
  80. break;
  81. case 'PUT':
  82. case 'PATCH':
  83. $permission = PermissionTypes::EDIT;
  84. break;
  85. case 'DELETE':
  86. $permission = PermissionTypes::DELETE;
  87. break;
  88. }
  90. $securityContext = null;
  91. $locale = $controller->getLocale($request);
  92. $objectType = null;
  93. $objectId = null;
  95. if ($controller instanceof SecuredObjectControllerInterface) {
  96. $objectType = $controller->getSecuredClass();
  97. $objectId = $controller->getSecuredObjectId($request);
  98. }
  100. // check permission
  101. if ($controller instanceof SecuredControllerInterface) {
  102. $securityContext = $controller->getSecurityContext();
  103. }
  105. if (null !== $securityContext) {
  106. $this->securityChecker->checkPermission(
  107. new SecurityCondition($securityContext, $locale, $objectType, $objectId),
  108. $permission
  109. );
  110. }
  111. }
  112. }