├── .gitignore ├── .editorconfig ├── src ├── CoopTilleulsAclSonataAdminExtensionBundle.php ├── Resources │ └── config │ │ └── services.xml └── Admin │ └── AclAdminExtension.php ├── .php_cs.dist ├── composer.json ├── LICENSE └── README.md /.gitignore: -------------------------------------------------------------------------------- 1 | /.php_cs.cache 2 | /.php_cs 3 | /composer.lock 4 | /composer.phar 5 | /vendor/ 6 | -------------------------------------------------------------------------------- /.editorconfig: -------------------------------------------------------------------------------- 1 | root = true 2 | [*] 3 | indent_style = space 4 | indent_size = 4 5 | end_of_line = lf 6 | charset = utf-8 7 | trim_trailing_whitespace = true 8 | insert_final_newline = true 9 | -------------------------------------------------------------------------------- /src/CoopTilleulsAclSonataAdminExtensionBundle.php: -------------------------------------------------------------------------------- 1 | 7 | * 8 | * For the full copyright and license information, please view the LICENSE 9 | * file that was distributed with this source code. 10 | */ 11 | 12 | namespace CoopTilleuls\Bundle\AclSonataAdminExtensionBundle; 13 | 14 | use Symfony\Component\HttpKernel\Bundle\Bundle; 15 | 16 | /** 17 | * ACL Sonata admin extension. 18 | * 19 | * @author Kévin Dunglas 20 | */ 21 | class CoopTilleulsAclSonataAdminExtensionBundle extends Bundle 22 | { 23 | } 24 | -------------------------------------------------------------------------------- /.php_cs.dist: -------------------------------------------------------------------------------- 1 | 7 | 8 | For the full copyright and license information, please view the LICENSE 9 | file that was distributed with this source code. 10 | EOF; 11 | 12 | return PhpCsFixer\Config::create() 13 | ->setRules([ 14 | '@Symfony' => true, 15 | 'ordered_imports' => true, 16 | 'phpdoc_order' => true, 17 | 'array_syntax' => ['syntax' => 'long'], 18 | 'header_comment' => ['header' => $header], 19 | ]) 20 | ->setFinder( 21 | PhpCsFixer\Finder::create() 22 | ->exclude('vendor') 23 | ->in(__DIR__) 24 | ) 25 | ; 26 | -------------------------------------------------------------------------------- /src/Resources/config/services.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 | 16 | 17 | 18 | -------------------------------------------------------------------------------- /composer.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "tilleuls/acl-sonata-admin-extension-bundle", 3 | "type": "symfony-bundle", 4 | "description": "ACL list filtering for SonataAdmin", 5 | "keywords": ["sonata", "admin", "acl"], 6 | "homepage": "http://les-tilleuls.coop", 7 | "license": "MIT", 8 | "authors": [ 9 | { 10 | "name": "Kévin Dunglas", 11 | "email": "kevin@les-tilleuls.coop", 12 | "homepage": "http://dunglas.fr" 13 | } 14 | ], 15 | "require": { 16 | "php": "^7.2", 17 | "sonata-project/admin-bundle": "^2.2.2 || ^3.0", 18 | "symfony/dependency-injection": "^2.2 || ^3.0", 19 | "doctrine/dbal": "^2.2 || ^3.0", 20 | "symfony/security-acl": "^3.0", 21 | "symfony/security-core": "^3.4 || ^4.4" 22 | }, 23 | "autoload": { 24 | "psr-4": { 25 | "CoopTilleuls\\Bundle\\AclSonataAdminExtensionBundle\\": "src/" 26 | } 27 | }, 28 | "extra": { 29 | "branch-alias": { 30 | "dev-master": "3.x-dev" 31 | } 32 | } 33 | } 34 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | The MIT License 2 | 3 | Copyright (c) 2013-2017 La Coopérative des Tilleuls 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is furnished 10 | to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN 21 | THE SOFTWARE. 22 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # ACL extension for Sonata Admin 2 | 3 | This bundle provides ACL list filtering for [SonataAdminBundle](https://github.com/sonata-project/SonataAdminBundle). 4 | When enabled, list screens only display data the logged in user has right to view. 5 | 6 | This bundle is a good complementary of the SonataAdminBundle [ACL editor](http://sonata-project.org/bundles/admin/master/doc/reference/security.html#acl-editor). 7 | 8 | [![SensioLabsInsight](https://insight.sensiolabs.com/projects/d7d70442-b52c-4072-8e03-45e6a47e1ca2/mini.png)](https://insight.sensiolabs.com/projects/d7d70442-b52c-4072-8e03-45e6a47e1ca2) 9 | 10 | ## Install 11 | 12 | Be sure that SonataAdminBundle is working and has [ACL enabled](http://sonata-project.org/bundles/admin/master/doc/reference/security.html#acl-and-friendsofsymfony-userbundle). 13 | 14 | Install this bundle using composer: 15 | 16 | ``` 17 | composer require tilleuls/acl-sonata-admin-extension-bundle 18 | ``` 19 | 20 | Register the bundle in your AppKernel: 21 | 22 | ```php 23 | // app/AppKernel.php 24 | 25 | public function registerBundles() 26 | { 27 | return array( 28 | // ... 29 | new CoopTilleuls\Bundle\AclSonataAdminExtensionBundle\CoopTilleulsAclSonataAdminExtensionBundle(), 30 | // ... 31 | ); 32 | } 33 | ``` 34 | 35 | ## Enable 36 | 37 | This extension is automatically enabled for all admins. 38 | 39 | ## TODO 40 | 41 | * Test with other DBMSs than MySQL 42 | * Write tests 43 | 44 | ## Credits 45 | 46 | Created by [Kévin Dunglas](http://dunglas.fr) for [Les-Tilleuls.coop](http://les-tilleuls.coop). 47 | -------------------------------------------------------------------------------- /src/Admin/AclAdminExtension.php: -------------------------------------------------------------------------------- 1 | 7 | * 8 | * For the full copyright and license information, please view the LICENSE 9 | * file that was distributed with this source code. 10 | */ 11 | 12 | namespace CoopTilleuls\Bundle\AclSonataAdminExtensionBundle\Admin; 13 | 14 | use Doctrine\DBAL\Connection; 15 | use Sonata\AdminBundle\Admin\AbstractAdminExtension; 16 | use Sonata\AdminBundle\Admin\AdminInterface; 17 | use Sonata\AdminBundle\Datagrid\ProxyQueryInterface; 18 | use Symfony\Component\Security\Acl\Domain\UserSecurityIdentity; 19 | use Symfony\Component\Security\Acl\Permission\MaskBuilder; 20 | use Symfony\Component\Security\Core\Authentication\Token\Storage\TokenStorageInterface; 21 | use Symfony\Component\Security\Core\Role\Role; 22 | use Symfony\Component\Security\Core\Role\RoleHierarchyInterface; 23 | use Symfony\Component\Security\Core\Role\RoleInterface; 24 | 25 | /** 26 | * Admin extension filtering the list. 27 | * 28 | * @author Kévin Dunglas 29 | */ 30 | class AclAdminExtension extends AbstractAdminExtension 31 | { 32 | protected $tokenStorage; 33 | protected $databaseConnection; 34 | protected $roleHierarchy; 35 | 36 | public function __construct( 37 | TokenStorageInterface $tokenStorage, 38 | Connection $databaseConnection, 39 | RoleHierarchyInterface $roleHierarchy 40 | ) { 41 | $this->tokenStorage = $tokenStorage; 42 | $this->databaseConnection = $databaseConnection; 43 | $this->roleHierarchy = $roleHierarchy; 44 | } 45 | 46 | /** 47 | * Filters with ACL. 48 | * 49 | * @param AdminInterface $admin 50 | * @param ProxyQueryInterface $query 51 | * @param string $context 52 | * 53 | * @throws \RuntimeException 54 | */ 55 | public function configureQuery(AdminInterface $admin, ProxyQueryInterface $query, $context = 'list') 56 | { 57 | // Don't filter for admins and for not ACL enabled classes and for command cli 58 | if ( 59 | !$admin->isAclEnabled() 60 | || !$this->tokenStorage->getToken() 61 | || $admin->isGranted(sprintf($admin->getSecurityHandler()->getBaseRole($admin), 'ADMIN')) 62 | ) { 63 | return; 64 | } 65 | 66 | // Retrieve current logged user SecurityIdentity 67 | $user = $this->tokenStorage->getToken()->getUser(); 68 | $userSecurityIdentity = UserSecurityIdentity::fromAccount($user); 69 | 70 | // Retrieve current logged user roles 71 | $userRoles = $user->getRoles(); 72 | 73 | // Find child roles 74 | $roles = array(); 75 | foreach ($userRoles as $userRole) { 76 | if (!$userRole instanceof RoleInterface && !$userRole instanceof Role) { 77 | $userRole = new Role($userRole); 78 | } 79 | 80 | $roles[] = $userRole; 81 | } 82 | 83 | $reachableRoles = $this->roleHierarchy->getReachableRoles($roles); 84 | 85 | // Get identity ACL user identifier 86 | $identifiers[] = sprintf('%s-%s', $userSecurityIdentity->getClass(), $userSecurityIdentity->getUsername()); 87 | 88 | // Get identities ACL roles identifiers 89 | foreach ($reachableRoles as $reachableRole) { 90 | $role = $reachableRole->getRole(); 91 | if (!in_array($role, $identifiers, true)) { 92 | $identifiers[] = $role; 93 | } 94 | } 95 | 96 | $identityStmt = $this->databaseConnection->executeQuery( 97 | 'SELECT id FROM acl_security_identities WHERE identifier IN (?)', 98 | array($identifiers), 99 | array(Connection::PARAM_STR_ARRAY) 100 | ); 101 | 102 | $identityIds = array(); 103 | foreach ($identityStmt->fetchAll() as $row) { 104 | $identityIds[] = $row['id']; 105 | } 106 | 107 | // Get class ACL identifier 108 | $classType = $admin->getClass(); 109 | $classStmt = $this->databaseConnection->prepare('SELECT id FROM acl_classes WHERE class_type = :classType'); 110 | $classStmt->bindValue('classType', $classType); 111 | if (method_exists($classStmt, 'executeQuery')) { 112 | $classStmt->executeQuery(); 113 | } else { 114 | $classStmt->execute(); 115 | } 116 | 117 | $statement = $classStmt->getWrappedStatement(); 118 | if (method_exists($statement, 'fetchOne')) { 119 | $classId = $statement->fetchOne(); 120 | } else { 121 | $classId = $statement->fetchColumn(); 122 | } 123 | 124 | if (!empty($identityIds) && $classId) { 125 | $entriesStmt = $this->databaseConnection->executeQuery( 126 | 'SELECT DISTINCT object_identifier FROM acl_entries AS ae JOIN acl_object_identities AS aoi ON ae.object_identity_id = aoi.id WHERE ae.class_id = ? AND ae.security_identity_id IN (?) AND (? = ae.mask & ? OR ? = ae.mask & ? OR ? = ae.mask & ? OR ? = ae.mask & ?)', 127 | array( 128 | $classId, 129 | $identityIds, 130 | MaskBuilder::MASK_VIEW, 131 | MaskBuilder::MASK_VIEW, 132 | MaskBuilder::MASK_OPERATOR, 133 | MaskBuilder::MASK_OPERATOR, 134 | MaskBuilder::MASK_MASTER, 135 | MaskBuilder::MASK_MASTER, 136 | MaskBuilder::MASK_OWNER, 137 | MaskBuilder::MASK_OWNER, 138 | ), 139 | array( 140 | \PDO::PARAM_INT, 141 | Connection::PARAM_INT_ARRAY, 142 | \PDO::PARAM_INT, 143 | \PDO::PARAM_INT, 144 | \PDO::PARAM_INT, 145 | \PDO::PARAM_INT, 146 | \PDO::PARAM_INT, 147 | \PDO::PARAM_INT, 148 | \PDO::PARAM_INT, 149 | \PDO::PARAM_INT, 150 | ) 151 | ); 152 | 153 | $ids = array(); 154 | $rows = method_exists($entriesStmt, 'fetchAllAssociative') ? $entriesStmt->fetchAllAssociative() : $entriesStmt->fetchAll(); 155 | foreach ($rows as $row) { 156 | $ids[] = $row['object_identifier']; 157 | } 158 | 159 | if (count($ids)) { 160 | $query 161 | ->andWhere('o IN (:ids)') 162 | ->setParameter('ids', $ids) 163 | ; 164 | 165 | return; 166 | } 167 | } 168 | 169 | // Display an empty list 170 | $query->andWhere('1 = 2'); 171 | } 172 | } 173 | --------------------------------------------------------------------------------