mirror of
https://github.com/elyby/accounts.git
synced 2024-12-29 16:40:25 +05:30
59 lines
1.6 KiB
PHP
59 lines
1.6 KiB
PHP
<?php
|
|
declare(strict_types=1);
|
|
|
|
namespace api\rbac\rules;
|
|
|
|
use api\rbac\Permissions as P;
|
|
use common\models\OauthClient;
|
|
use Webmozart\Assert\Assert;
|
|
use Yii;
|
|
use yii\rbac\Rule;
|
|
|
|
class OauthClientOwner extends Rule {
|
|
|
|
public $name = 'oauth_client_owner';
|
|
|
|
/**
|
|
* Accepts 2 params:
|
|
* - clientId - it's the client id, that user want access to.
|
|
* - accountId - if it is passed to check the VIEW_OAUTH_CLIENTS permission, then it will
|
|
* check, that current user have access to the provided account.
|
|
*
|
|
* @param string|int $accessToken
|
|
* @param \yii\rbac\Item $item
|
|
* @param array $params
|
|
*
|
|
* @return bool a value indicating whether the rule permits the auth item it is associated with.
|
|
*/
|
|
public function execute($accessToken, $item, $params): bool {
|
|
$accountId = $params['accountId'] ?? null;
|
|
if ($accountId !== null && $item->name === P::VIEW_OWN_OAUTH_CLIENTS) {
|
|
return (new AccountOwner())->execute($accessToken, $item, ['accountId' => $accountId]);
|
|
}
|
|
|
|
Assert::keyExists($params, 'clientId');
|
|
/** @var OauthClient|null $client */
|
|
$client = OauthClient::findOne(['id' => $params['clientId']]);
|
|
if ($client === null) {
|
|
return true;
|
|
}
|
|
|
|
$identity = Yii::$app->user->getIdentity();
|
|
if ($identity === null) {
|
|
return false;
|
|
}
|
|
|
|
$account = $identity->getAccount();
|
|
if ($account === null) {
|
|
return false;
|
|
}
|
|
|
|
if ($account->id !== $client->account_id) {
|
|
return false;
|
|
}
|
|
|
|
return true;
|
|
}
|
|
|
|
}
|