Merge branch 'feature/user-getroles-10887'

resolves #10887
2016-03-29 11:28:56 +02:00 · 2016-03-29 11:28:56 +02:00 · 6e28b4690e
parent 98934e9c5f e0781cf8b5
commit 6e28b4690e
4 changed files with 166 additions and 16 deletions
--- a/library/Icinga/Authentication/AdmissionLoader.php
+++ b/library/Icinga/Authentication/AdmissionLoader.php
@ -5,6 +5,7 @@ namespace Icinga\Authentication;

 use Icinga\Application\Config;
 use Icinga\Application\Logger;
+use Icinga\Authentication\Role;
 use Icinga\Exception\NotReadableError;
 use Icinga\Data\ConfigObject;
 use Icinga\User;
@ -43,16 +44,12 @@ class AdmissionLoader
    }

    /**
-     * Get user permissions and restrictions
+     * Apply permissions, restrictions and roles to the given user
     *
-     * @param   User $user
-     *
-     * @return  array
+     * @param   User    $user
     */
-    public function getPermissionsAndRestrictions(User $user)
+    public function applyRoles(User $user)
    {
-        $permissions = array();
-        $restrictions = array();
        $username = $user->getUsername();
        try {
            $roles = Config::app('roles');
@ -62,14 +59,18 @@ class AdmissionLoader
                $username,
                $e
            );
-            return array($permissions, $restrictions);
+            return;
        }
        $userGroups = $user->getGroups();
-        foreach ($roles as $role) {
+        $permissions = array();
+        $restrictions = array();
+        $roleObjs = array();
+        foreach ($roles as $roleName => $role) {
            if ($this->match($username, $userGroups, $role)) {
+                $permissionsFromRole = StringHelper::trimSplit($role->permissions);
                $permissions = array_merge(
                    $permissions,
-                    array_diff(StringHelper::trimSplit($role->permissions), $permissions)
+                    array_diff($permissionsFromRole, $permissions)
                );
                $restrictionsFromRole = $role->toArray();
                unset($restrictionsFromRole['users']);
@ -81,8 +82,16 @@ class AdmissionLoader
                    }
                    $restrictions[$name][] = $restriction;
                }
+
+                $roleObj = new Role();
+                $roleObjs[] = $roleObj
+                    ->setName($roleName)
+                    ->setPermissions($permissionsFromRole)
+                    ->setRestrictions($restrictionsFromRole);
            }
        }
-        return array($permissions, $restrictions);
+        $user->setPermissions($permissions);
+        $user->setRestrictions($restrictions);
+        $user->setRoles($roleObjs);
    }
 }
--- a/library/Icinga/Authentication/Auth.php
+++ b/library/Icinga/Authentication/Auth.php
@ -160,9 +160,7 @@ class Auth
        }
        $user->setGroups($groups);
        $admissionLoader = new AdmissionLoader();
-        list($permissions, $restrictions) = $admissionLoader->getPermissionsAndRestrictions($user);
-        $user->setPermissions($permissions);
-        $user->setRestrictions($restrictions);
+        $admissionLoader->applyRoles($user);
        $this->user = $user;
        if ($persist) {
            $this->persistCurrentUser();
--- a/library/Icinga/Authentication/Role.php
+++ b/library/Icinga/Authentication/Role.php
@ -0,0 +1,109 @@
+<?php
+/* Icinga Web 2 | (c) 2016 Icinga Development Team | GPLv2+ */
+
+namespace Icinga\Authentication;
+
+class Role
+{
+    /**
+     * Name of the role
+     *
+     * @var string
+     */
+    protected $name;
+
+    /**
+     * Permissions of the role
+     *
+     * @var string[]
+     */
+    protected $permissions = array();
+
+    /**
+     * Restrictions of the role
+     *
+     * @var string[]
+     */
+    protected $restrictions = array();
+
+    /**
+     * Get the name of the role
+     *
+     * @return  string
+     */
+    public function getName()
+    {
+        return $this->name;
+    }
+
+    /**
+     * Set the name of the role
+     *
+     * @param   string  $name
+     *
+     * @return  $this
+     */
+    public function setName($name)
+    {
+        $this->name = $name;
+        return $this;
+    }
+
+    /**
+     * Get the permissions of the role
+     *
+     * @return  string[]
+     */
+    public function getPermissions()
+    {
+        return $this->permissions;
+    }
+
+    /**
+     * Set the permissions of the role
+     *
+     * @param   string[]    $permissions
+     *
+     * @return  $this
+     */
+    public function setPermissions(array $permissions)
+    {
+        $this->permissions = $permissions;
+        return $this;
+    }
+
+    /**
+     * Get the restrictions of the role
+     *
+     * @param   string  $name   Optional name of the restriction
+     *
+     * @return  string[]|null
+     */
+    public function getRestrictions($name = null)
+    {
+        $restrictions = $this->restrictions;
+
+        if ($name === null) {
+            return $restrictions;
+        }
+
+        if (isset($restrictions[$name])) {
+            return $restrictions[$name];
+        }
+
+        return null;
+    }
+
+    /**
+     * Set the restrictions of the role
+     *
+     * @param   string[]    $restrictions
+     *
+     * @return  $this
+     */
+    public function setRestrictions(array $restrictions)
+    {
+        $this->restrictions = $restrictions;
+        return $this;
+    }
+}
--- a/library/Icinga/User.php
+++ b/library/Icinga/User.php
@ -6,6 +6,7 @@ namespace Icinga;
 use DateTimeZone;
 use InvalidArgumentException;
 use Icinga\Application\Config;
+use Icinga\Authentication\Role;
 use Icinga\User\Preferences;
 use Icinga\Web\Navigation\Navigation;

@ -91,6 +92,13 @@ class User
     */
    protected $groups = array();

+    /**
+     * Roles of this user
+     *
+     * @var Role[]
+     */
+    protected $roles = array();
+
    /**
     * Preferences object
     *
@ -229,13 +237,39 @@ class User
    }

    /**
-     * Settter for restrictions
+     * Set the user's restrictions
     *
-     * @param   array   $restrictions
+     * @param   string[]    $restrictions
+     *
+     * @return  $this
     */
    public function setRestrictions(array $restrictions)
    {
        $this->restrictions = $restrictions;
+        return $this;
+    }
+
+    /**
+     * Get the roles of the user
+     *
+     * @return Role[]
+     */
+    public function getRoles()
+    {
+        return $this->roles;
+    }
+
+    /**
+     * Set the roles of the user
+     *
+     * @param   Role[]  $roles
+     *
+     * @return  $this
+     */
+    public function setRoles(array $roles)
+    {
+        $this->roles = $roles;
+        return $this;
    }

    /**