Groß-Vogt, Tobias · 1d43096e · 1d43096e
--- a/src/Authorization/AbstractAuthorizationService.php
+++ b/src/Authorization/AbstractAuthorizationService.php
@@ -47,23 +47,23 @@ abstract class AbstractAuthorizationService
    }

    /**
-     * @param mixed $subject
+     * @param mixed $object
     *
     * @throws ApiError
     */
-    public function denyAccessUnlessIsGranted(string $rightName, $subject = null): void
+    public function denyAccessUnlessIsGranted(string $rightName, $object = null, string $objectAlias = null): void
    {
-        if ($this->isGrantedInternal($rightName, $subject) === false) {
+        if ($this->isGrantedInternal($rightName, $object, $objectAlias) === false) {
            throw new ApiError(Response::HTTP_FORBIDDEN, 'access denied. missing right '.$rightName);
        }
    }

    /**
-     * @param mixed $subject
+     * @param mixed $object
     */
-    public function isGranted(string $expressionName, $subject = null): bool
+    public function isGranted(string $expressionName, $object = null, string $objectAlias = null): bool
    {
-        return $this->isGrantedInternal($expressionName, $subject);
+        return $this->isGrantedInternal($expressionName, $object, $objectAlias);
    }

    /**
@@ -84,9 +84,9 @@ abstract class AbstractAuthorizationService
    /**
     * @throws AuthorizationException
     */
-    private function isGrantedInternal(string $rightName, $subject = null): bool
+    private function isGrantedInternal(string $rightName, $object, string $objectAlias = null): bool
    {
-        return $this->userAuthorizationChecker->isGranted($this->currentAuthorizationUser, $rightName, $subject);
+        return $this->userAuthorizationChecker->isGranted($this->currentAuthorizationUser, $rightName, $object, $objectAlias);
    }

    /**
@@ -101,7 +101,7 @@ abstract class AbstractAuthorizationService
    {
        $treeBuilder = new TreeBuilder(self::AUTHORIZATION_ROOT_CONFIG_NODE);

-        $rightsNodeChildBuilder = $treeBuilder->getRootNode()->children()->arrayNode(AuthorizationExpressionChecker::RIGHTS_CONFIG_NODE)
+        $rightsNodeChildBuilder = $treeBuilder->getRootNode()->children()->arrayNode(AuthorizationExpressionChecker::ROLES_CONFIG_NODE)
            ->addDefaultsIfNotSet()
            ->children();
        foreach ($rights as $right) {
@@ -128,7 +128,7 @@ abstract class AbstractAuthorizationService
    {
        return [
            AbstractAuthorizationService::AUTHORIZATION_ROOT_CONFIG_NODE => [
-                AuthorizationExpressionChecker::RIGHTS_CONFIG_NODE => $rightExpressions,
+                AuthorizationExpressionChecker::ROLES_CONFIG_NODE => $rightExpressions,
                AuthorizationExpressionChecker::ATTRIBUTES_CONFIG_NODE => $attributeExpressions,
            ],
        ];

--- a/src/Authorization/AuthorizationExpressionChecker.php
+++ b/src/Authorization/AuthorizationExpressionChecker.php
@@ -11,10 +11,11 @@ use Dbp\Relay\CoreBundle\ExpressionLanguage\ExpressionLanguage;
 */
 class AuthorizationExpressionChecker
 {
-    public const RIGHTS_CONFIG_NODE = 'rights';
+    public const ROLES_CONFIG_NODE = 'roles';
    public const ATTRIBUTES_CONFIG_NODE = 'attributes';

-    private const MAX_NUM_CALLS = 16;
+    private const USER_VARIBLE_NAME = 'user';
+    private const DEFAULT_OBJECT_VARIBLE_NAME = 'object';

    /** @var ExpressionLanguage */
    private $expressionLanguage;
@@ -46,7 +47,7 @@ class AuthorizationExpressionChecker

    public function setConfig(array $config)
    {
-        $this->loadExpressions($config[self::RIGHTS_CONFIG_NODE] ?? [], $this->rightExpressions);
+        $this->loadExpressions($config[self::ROLES_CONFIG_NODE] ?? [], $this->rightExpressions);
        $this->loadExpressions($config[self::ATTRIBUTES_CONFIG_NODE] ?? [], $this->attributeExpressions);
    }

@@ -95,7 +96,7 @@ class AuthorizationExpressionChecker
     *
     * @throws AuthorizationException
     */
-    public function isGranted(AuthorizationUser $currentAuthorizationUser, string $rightName, $subject): bool
+    public function isGranted(AuthorizationUser $currentAuthorizationUser, string $rightName, $object, string $objectAlias = null): bool
    {
        if (in_array($rightName, $this->rightExpressionStack, true)) {
            throw new AuthorizationException(sprintf('infinite loop caused by authorization right expression %s detected', $rightName), AuthorizationException::INFINITE_EXRPESSION_LOOP_DETECTED);
@@ -109,8 +110,8 @@ class AuthorizationExpressionChecker
            }

            return $this->expressionLanguage->evaluate($rightExpression, [
-                'user' => $currentAuthorizationUser,
-                'subject' => $subject,
+                self::USER_VARIBLE_NAME => $currentAuthorizationUser,
+                $objectAlias ?? self::DEFAULT_OBJECT_VARIBLE_NAME => $object,
            ]);
        } finally {
            array_pop($this->rightExpressionStack);