src/Eccube/Security/Voter/AuthorityVoter.php line 23

Open in your IDE?
  1. <?php
  3. /*
  4. * This file is part of EC-CUBE
  5. *
  6. * Copyright(c) EC-CUBE CO.,LTD. All Rights Reserved.
  7. *
  8. * http://www.ec-cube.co.jp/
  9. *
  10. * For the full copyright and license information, please view the LICENSE
  11. * file that was distributed with this source code.
  12. */
  14. namespace Eccube\Security\Voter;
  16. use Eccube\Common\EccubeConfig;
  17. use Eccube\Entity\Member;
  18. use Eccube\Repository\AuthorityRoleRepository;
  19. use Symfony\Component\HttpFoundation\RequestStack;
  20. use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
  21. use Symfony\Component\Security\Core\Authorization\Voter\VoterInterface;
  23. class AuthorityVoter implements VoterInterface
  24. {
  25. /**
  26. * @var AuthorityRoleRepository
  27. */
  28. protected $authorityRoleRepository;
  30. /**
  31. * @var RequestStack
  32. */
  33. protected $requestStack;
  35. /**
  36. * @var EccubeConfig
  37. */
  38. protected $eccubeConfig;
  40. public function __construct(
  41. AuthorityRoleRepository $authorityRoleRepository,
  42. RequestStack $requestStack,
  43. EccubeConfig $eccubeConfig
  44. ) {
  45. $this->authorityRoleRepository = $authorityRoleRepository;
  46. $this->requestStack = $requestStack;
  47. $this->eccubeConfig = $eccubeConfig;
  48. }
  50. public function vote(TokenInterface $token, $object, array $attributes)
  51. {
  52. $path = null;
  54. try {
  55. $request = $this->requestStack->getMainRequest();
  56. } catch (\RuntimeException $e) {
  57. // requestが取得できない場合、棄権する(テストプログラムで不要なため)
  58. return VoterInterface::ACCESS_ABSTAIN;
  59. }
  61. if (is_object($request)) {
  62. $path = rawurldecode($request->getPathInfo());
  63. }
  65. $Member = $token->getUser();
  66. if ($Member instanceof Member) {
  67. // 管理者のロールをチェック
  68. $AuthorityRoles = $this->authorityRoleRepository->findBy(['Authority' => $Member->getAuthority()]);
  69. $adminRoute = $this->eccubeConfig->get('eccube_admin_route');
  71. foreach ($AuthorityRoles as $AuthorityRole) {
  72. // 許可しないURLが含まれていればアクセス拒否
  73. try {
  74. // 正規表現でURLチェック
  75. $denyUrl = str_replace('/', '\/', $AuthorityRole->getDenyUrl());
  76. if (preg_match("/^(\/{$adminRoute}{$denyUrl})/i", $path)) {
  77. return VoterInterface::ACCESS_DENIED;
  78. }
  79. } catch (\Exception $e) {
  80. // 拒否URLの指定に誤りがある場合、エスケープさせてチェック
  81. $denyUrl = preg_quote($AuthorityRole->getDenyUrl(), '/');
  82. if (preg_match("/^(\/{$adminRoute}{$denyUrl})/i", $path)) {
  83. return VoterInterface::ACCESS_DENIED;
  84. }
  85. }
  86. }
  87. }
  89. return VoterInterface::ACCESS_GRANTED;
  90. }
  91. }