accounts/api/rbac/rules/OauthClientOwner.php

59 lines
1.6 KiB
PHP

<?php
declare(strict_types=1);
namespace api\rbac\rules;
use api\rbac\Permissions as P;
use common\models\OauthClient;
use Webmozart\Assert\Assert;
use Yii;
use yii\rbac\Rule;
class OauthClientOwner extends Rule {
public $name = 'oauth_client_owner';
/**
* Accepts 2 params:
* - clientId - it's the client id, that user want access to.
* - accountId - if it is passed to check the VIEW_OAUTH_CLIENTS permission, then it will
* check, that current user have access to the provided account.
*
* @param string|int $accessToken
* @param \yii\rbac\Item $item
* @param array $params
*
* @return bool a value indicating whether the rule permits the auth item it is associated with.
*/
public function execute($accessToken, $item, $params): bool {
$accountId = $params['accountId'] ?? null;
if ($accountId !== null && $item->name === P::VIEW_OWN_OAUTH_CLIENTS) {
return (new AccountOwner())->execute($accessToken, $item, ['accountId' => $accountId]);
}
Assert::keyExists($params, 'clientId');
/** @var OauthClient|null $client */
$client = OauthClient::findOne(['id' => $params['clientId']]);
if ($client === null) {
return true;
}
$identity = Yii::$app->user->getIdentity();
if ($identity === null) {
return false;
}
$account = $identity->getAccount();
if ($account === null) {
return false;
}
if ($account->id !== $client->account_id) {
return false;
}
return true;
}
}