accounts/common/rbac/rules/OauthClientOwner.php

62 lines
1.7 KiB
PHP
Raw Normal View History

<?php
declare(strict_types=1);
namespace common\rbac\rules;
use common\models\OauthClient;
use common\rbac\Permissions as P;
use Yii;
use yii\rbac\Rule;
class OauthClientOwner extends Rule {
public $name = 'oauth_client_owner';
/**
* Accepts 2 params:
* - clientId - it's the client id, that user want access to.
* - accountId - if it is passed to check the VIEW_OAUTH_CLIENTS permission, then it will
* check, that current user have access to the provided account.
*
* @param string|int $accessToken
* @param \yii\rbac\Item $item
* @param array $params
*
* @return bool a value indicating whether the rule permits the auth item it is associated with.
*/
public function execute($accessToken, $item, $params): bool {
$accountId = $params['accountId'] ?? null;
if ($accountId !== null && $item->name === P::VIEW_OWN_OAUTH_CLIENTS) {
return (new AccountOwner())->execute($accessToken, $item, ['accountId' => $accountId]);
}
$clientId = $params['clientId'] ?? null;
if ($clientId === null) {
return false;
}
/** @var OauthClient|null $client */
$client = OauthClient::findOne($clientId);
if ($client === null) {
return false;
}
$identity = Yii::$app->user->findIdentityByAccessToken($accessToken);
if ($identity === null) {
return false;
}
$account = $identity->getAccount();
if ($account === null) {
return false;
}
if ($account->id !== $client->account_id) {
return false;
}
return true;
}
}