From f6b983851a8aebd1c8dc7c40a092fe258d8569ff Mon Sep 17 00:00:00 2001
From: Romain Neutron
Date: Fri, 21 Sep 2012 15:52:15 +0200
Subject: [PATCH] Update firewall
---
 lib/Alchemy/Phrasea/Security/Firewall.php | 158 ++++++++++++++++++----
 1 file changed, 133 insertions(+), 25 deletions(-)
diff --git a/lib/Alchemy/Phrasea/Security/Firewall.php b/lib/Alchemy/Phrasea/Security/Firewall.php
index 2afaf3bb6a..3c7512ed45 100644
--- a/lib/Alchemy/Phrasea/Security/Firewall.php
+++ b/lib/Alchemy/Phrasea/Security/Firewall.php
@@ -3,54 +3,162 @@ namespace Alchemy\Phrasea\Security; use Silex\Application; +use \Symfony\Component\HttpFoundation\Response; class Firewall { + private $app; - public function requireSetUp(Application $app) + public function __construct(Application $app) { - if ( ! \setup::is_installed()) { - - return $app->redirect("/setup/"); - } + $this->app = $app; } - public function requireAdmin(Application $app) + public function requireSetUp() { - if (null !== $response = $this->requireAuthentication($app)) { + if (!\setup::is_installed()) { + return $this->app->redirect("/setup/"); + } + return $this; + } + + public function requireAdmin() + { + $response = $this->requireNotGuest(); + if ($response instanceof Response) { return $response; } - if ( ! $app['phraseanet.core']->getAuthenticatedUser()->is_admin()) { - $app->abort(403); + if (!$this->app['phraseanet.user']->ACL()->is_admin()) { + $this->app->abort(403, 'Admin role is required'); } + + return $this; } - public function requireAuthentication(Application $app) + public function requireAccessToModule($module) { - if (false === $app['phraseanet.core']->isAuthenticated()) { - - return $app->redirect('/login/'); + $response = $this->requireAuthentication(); + if ($response instanceof Response) { + return $response; } - if ($app['phraseanet.core']->getAuthenticatedUser()->is_guest()) { - - return $app->redirect('/login/'); + if (!$this->app['phraseanet.user']->ACL()->has_access_to_module($module)) { + $this->app->abort(403, 'You do not have required rights'); } - try { - $session = $app['phraseanet.appbox']->get_session(); - $session->open_phrasea_session(); - } catch (\Exception $e) { + unset($response); - return $app->redirect('/login/logout/'); - } + return $this; } - public function requireOrdersAdmin(Application $app) { - if ( false === ! ! 
count($app['phraseanet.core']->getAuthenticatedUser()->ACL()->get_granted_base(array('order_master')))) { - $app->abort(403); + public function requireAccessToSbas($sbas_id) + { + $response = $this->requireAuthentication(); + if ($response instanceof Response) { + return $response; } + + if (!$this->app['phraseanet.user']->ACL()->has_access_to_sbas($sbas_id)) { + $this->app->abort(403, 'You do not have required rights'); + } + + unset($response); + + return $this; + } + + public function requireAccessToBase($base_id) + { + $response = $this->requireAuthentication(); + if ($response instanceof Response) { + return $response; + } + + if (!$this->app['phraseanet.user']->ACL()->has_access_to_base($base_id)) { + $this->app->abort(403, 'You do not have required rights'); + } + + unset($response); + + return $this; + } + + public function requireRight($right) + { + $response = $this->requireAuthentication(); + if ($response instanceof Response) { + return $response; + } + + if (!$this->app['phraseanet.user']->ACL()->has_right($right)) { + $this->app->abort(403, 'You do not have required rights'); + } + + unset($response); + + return $this; + } + + public function requireRightOnBase($base_id, $right) + { + $response = $response = $this->requireAuthentication(); + if ($response instanceof Response) { + return $response; + } + + if (!$this->app['phraseanet.user']->ACL()->has_right_on_base($base_id, $right)) { + $this->app->abort(403, 'You do not have required rights'); + } + + return $this; + } + + + public function requireRightOnSbas($sbas_id, $right) + { + $response = $response = $this->requireAuthentication(); + if ($response instanceof Response) { + return $response; + } + + if (!$this->app['phraseanet.user']->ACL()->has_right_on_sbas($sbas_id, $right)) { + $this->app->abort(403, 'You do not have required rights'); + } + + return $this; + } + + public function requireNotGuest() + { + $response = $response = $this->requireAuthentication(); + if ($response instanceof 
Response) { + return $response; + } + + if ($this->app['phraseanet.user']->is_guest()) { + $this->app->abort(403, 'Guests do not have admin role'); + } + + return $this; + } + + public function requireAuthentication() + { + if (!$this->app->isAuthenticated()) { + return $this->app->redirect('/login/'); + } + + return $this; + } + + public function requireOrdersAdmin() + { + if (false === !!count($this->app['phraseanet.user']->ACL()->get_granted_base(array('order_master')))) { + $this->app->abort(403); + } + + return $this; } }
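Review bot: `requireOrdersAdmin()` at the end of the hunk is the only guard in the rewritten class that reads `$this->app['phraseanet.user']->ACL()` without first going through `requireAuthentication()`, so an unauthenticated request reaches the ACL dereference instead of the `/login/` redirect every sibling (`requireRight`, `requireAccessToBase`, `requireNotGuest`, …) returns; what happens then depends on how the `phraseanet.user` service behaves for anonymous requests, which is not visible here, but it is at best an error page rather than the intended redirect. The method should open with the same `requireAuthentication()` / `instanceof Response` prelude, and the `false === !!count(...)` test reads more plainly as `0 === count(...)` with the same 403 message the other guards use. Separately, the `unset($response)` calls in `requireAccessToModule`/`requireAccessToSbas`/`requireAccessToBase`/`requireRight` are no-ops on a local that is about to go out of scope, and `$response = $response = $this->requireAuthentication();` in `requireRightOnBase`, `requireRightOnSbas` and `requireNotGuest` is a doubled assignment worth cleaning up.
```php
public function requireOrdersAdmin()
{
    $response = $this->requireAuthentication();
    if ($response instanceof Response) {
        return $response;
    }

    if (0 === count($this->app['phraseanet.user']->ACL()->get_granted_base(array('order_master')))) {
        $this->app->abort(403, 'You do not have required rights');
    }

    return $this;
}
```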