From 1d43096e7e5a5a1289d76ef0d0d1819d6f9a66ac Mon Sep 17 00:00:00 2001
From: Tobias Gross-Vogt <tobias.gross-vogt@tugraz.at>
Date: Tue, 7 Feb 2023 13:00:47 +0100
Subject: [PATCH] #39832 renamed 'rights' to 'roles'; optional alias for
 authorization 'object'

---
 .../AbstractAuthorizationService.php          | 20 +++++++++----------
 .../AuthorizationExpressionChecker.php        | 13 ++++++------
 2 files changed, 17 insertions(+), 16 deletions(-)

diff --git a/src/Authorization/AbstractAuthorizationService.php b/src/Authorization/AbstractAuthorizationService.php
index 910e74f..2d3e209 100644
--- a/src/Authorization/AbstractAuthorizationService.php
+++ b/src/Authorization/AbstractAuthorizationService.php
@@ -47,23 +47,23 @@ abstract class AbstractAuthorizationService
     }
 
     /**
-     * @param mixed $subject
+     * @param mixed $object
      *
      * @throws ApiError
      */
-    public function denyAccessUnlessIsGranted(string $rightName, $subject = null): void
+    public function denyAccessUnlessIsGranted(string $rightName, $object = null, string $objectAlias = null): void
     {
-        if ($this->isGrantedInternal($rightName, $subject) === false) {
+        if ($this->isGrantedInternal($rightName, $object, $objectAlias) === false) {
             throw new ApiError(Response::HTTP_FORBIDDEN, 'access denied. missing right '.$rightName);
         }
     }
 
     /**
-     * @param mixed $subject
+     * @param mixed $object
      */
-    public function isGranted(string $expressionName, $subject = null): bool
+    public function isGranted(string $expressionName, $object = null, string $objectAlias = null): bool
     {
-        return $this->isGrantedInternal($expressionName, $subject);
+        return $this->isGrantedInternal($expressionName, $object, $objectAlias);
     }
 
     /**
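Review bot: Both new signatures in this hunk declare the alias as `string $objectAlias = null`, which is implicit nullability (deprecated as of PHP 8.4) and hides that `null` is the meaningful "use the default name" value; write it as `?string $objectAlias = null` here, in `isGrantedInternal` in the next hunk, and in `AuthorizationExpressionChecker::isGranted`. The docblocks of `denyAccessUnlessIsGranted` and `isGranted` were updated for `$object` but do not mention the new parameter; add `@param string|null $objectAlias name under which $object is exposed to the expression (defaults to 'object')`. Since the alias becomes a variable name inside the evaluated expression, documenting that it must be a plain identifier saves callers a confusing evaluation failure.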
@@ -84,9 +84,9 @@ abstract class AbstractAuthorizationService
     /**
      * @throws AuthorizationException
      */
-    private function isGrantedInternal(string $rightName, $subject = null): bool
+    private function isGrantedInternal(string $rightName, $object, string $objectAlias = null): bool
     {
-        return $this->userAuthorizationChecker->isGranted($this->currentAuthorizationUser, $rightName, $subject);
+        return $this->userAuthorizationChecker->isGranted($this->currentAuthorizationUser, $rightName, $object, $objectAlias);
     }
 
     /**
@@ -101,7 +101,7 @@ abstract class AbstractAuthorizationService
     {
         $treeBuilder = new TreeBuilder(self::AUTHORIZATION_ROOT_CONFIG_NODE);
 
-        $rightsNodeChildBuilder = $treeBuilder->getRootNode()->children()->arrayNode(AuthorizationExpressionChecker::RIGHTS_CONFIG_NODE)
+        $rightsNodeChildBuilder = $treeBuilder->getRootNode()->children()->arrayNode(AuthorizationExpressionChecker::ROLES_CONFIG_NODE)
             ->addDefaultsIfNotSet()
             ->children();
         foreach ($rights as $right) {
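Review bot: The config node is now `roles`, but the code that builds it still speaks of rights: `$rightsNodeChildBuilder` on the changed line, the `$rights`/`$right` loop variables below it, and `$rightExpressions` in the next hunk. Renaming the local to `$rolesNodeChildBuilder` (and the loop variables to match) keeps the vocabulary consistent with the constant it now references. The enclosing method's signature is outside the hunk; if its `$rights` parameter is part of a public API, keep it and rename only the locals.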
@@ -128,7 +128,7 @@ abstract class AbstractAuthorizationService
     {
         return [
             AbstractAuthorizationService::AUTHORIZATION_ROOT_CONFIG_NODE => [
-                AuthorizationExpressionChecker::RIGHTS_CONFIG_NODE => $rightExpressions,
+                AuthorizationExpressionChecker::ROLES_CONFIG_NODE => $rightExpressions,
                 AuthorizationExpressionChecker::ATTRIBUTES_CONFIG_NODE => $attributeExpressions,
             ],
         ];
diff --git a/src/Authorization/AuthorizationExpressionChecker.php b/src/Authorization/AuthorizationExpressionChecker.php
index 6dbf409..b99ec9f 100644
--- a/src/Authorization/AuthorizationExpressionChecker.php
+++ b/src/Authorization/AuthorizationExpressionChecker.php
@@ -11,10 +11,11 @@ use Dbp\Relay\CoreBundle\ExpressionLanguage\ExpressionLanguage;
  */
 class AuthorizationExpressionChecker
 {
-    public const RIGHTS_CONFIG_NODE = 'rights';
+    public const ROLES_CONFIG_NODE = 'roles';
     public const ATTRIBUTES_CONFIG_NODE = 'attributes';
 
-    private const MAX_NUM_CALLS = 16;
+    private const USER_VARIBLE_NAME = 'user';
+    private const DEFAULT_OBJECT_VARIBLE_NAME = 'object';
 
     /** @var ExpressionLanguage */
     private $expressionLanguage;
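Review bot: The two new private constants are misspelled: `USER_VARIBLE_NAME` and `DEFAULT_OBJECT_VARIBLE_NAME` should read `USER_VARIABLE_NAME` and `DEFAULT_OBJECT_VARIABLE_NAME`; they are private and introduced by this commit, so the rename is free now and costly once they spread. Renaming the public `RIGHTS_CONFIG_NODE` to `ROLES_CONFIG_NODE` is a backward-compatibility break for any code referencing the old constant and for existing `rights:` configuration, which the commit message should state explicitly.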
@@ -46,7 +47,7 @@ class AuthorizationExpressionChecker
 
     public function setConfig(array $config)
     {
-        $this->loadExpressions($config[self::RIGHTS_CONFIG_NODE] ?? [], $this->rightExpressions);
+        $this->loadExpressions($config[self::ROLES_CONFIG_NODE] ?? [], $this->rightExpressions);
         $this->loadExpressions($config[self::ATTRIBUTES_CONFIG_NODE] ?? [], $this->attributeExpressions);
     }
 
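Review bot: After the key rename, a configuration that still uses the old `rights` node falls through the `?? []` on the changed line and loads no role expressions at all, with no error, so a stale deployment config degrades silently instead of failing at startup. Whether the tree builder in `AbstractAuthorizationService` already rejects the unknown key is not visible here, but `setConfig` is called with a plain array and should not rely on it; fail loudly: `if (array_key_exists('rights', $config)) {` / `throw new \InvalidArgumentException("config node 'rights' was renamed to 'roles'");` / `}` before the two `loadExpressions` calls. Consider a `: void` return type on `setConfig` while touching it.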
@@ -95,7 +96,7 @@ class AuthorizationExpressionChecker
      *
      * @throws AuthorizationException
      */
-    public function isGranted(AuthorizationUser $currentAuthorizationUser, string $rightName, $subject): bool
+    public function isGranted(AuthorizationUser $currentAuthorizationUser, string $rightName, $object, string $objectAlias = null): bool
     {
         if (in_array($rightName, $this->rightExpressionStack, true)) {
             throw new AuthorizationException(sprintf('infinite loop caused by authorization right expression %s detected', $rightName), AuthorizationException::INFINITE_EXRPESSION_LOOP_DETECTED);
@@ -109,8 +110,8 @@ class AuthorizationExpressionChecker
             }
 
             return $this->expressionLanguage->evaluate($rightExpression, [
-                'user' => $currentAuthorizationUser,
-                'subject' => $subject,
+                self::USER_VARIBLE_NAME => $currentAuthorizationUser,
+                $objectAlias ?? self::DEFAULT_OBJECT_VARIBLE_NAME => $object,
             ]);
         } finally {
             array_pop($this->rightExpressionStack);
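Review bot: The alias is used unvalidated as the key of the evaluation context on the changed line `$objectAlias ?? self::DEFAULT_OBJECT_VARIBLE_NAME => $object`, so an alias equal to `'user'` silently replaces the current user with the object for the whole expression, and an alias that is not a valid identifier (empty string, whitespace) yields a variable the expression presumably can never reference. Reject both at the top of `isGranted`, before the recursion check in the previous hunk: `if ($objectAlias !== null && ($objectAlias === self::USER_VARIBLE_NAME || !preg_match('/^[A-Za-z_][A-Za-z0-9_]*$/', $objectAlias))) {` / `throw new \InvalidArgumentException(sprintf("invalid object alias '%s'", $objectAlias));` / `}`. Whether any caller can pass a user-controlled alias is not visible here, but the checker is the one place that can enforce the invariant for every caller.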
-- 
GitLab