First commit.

.gitignore

@@ -0,0 +1 @@
+/.idea/

Admin/SecurityHandlerRole.php

@@ -0,0 +1,128 @@
+<?php
+
+/*
+ * This file is part of the Glavweb SecurityBundle package.
+ *
+ * (c) GLAVWEB <[email protected]>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Glavweb\SecurityBundle\Admin;
+
+use Glavweb\SecurityBundle\Security\AccessHandler;
+use Sonata\AdminBundle\Admin\AdminInterface;
+use Sonata\AdminBundle\Security\Handler\SecurityHandlerInterface;
+use Symfony\Component\Security\Core\Authorization\AuthorizationCheckerInterface;
+use Symfony\Component\Security\Core\Exception\AuthenticationCredentialsNotFoundException;
+
+/**
+ * Class SecurityHandlerRole
+ *
+ * @author Andrey Nilov <[email protected]>
+ * @package Glavweb\SecurityBundle
+ */
+class SecurityHandlerRole implements SecurityHandlerInterface
+{
+    /**
+     * @var AuthorizationCheckerInterface
+     */
+    protected $authorizationChecker;
+
+    /**
+     * @var AccessHandler
+     */
+    private $accessHandler;
+
+    /**
+     * @var array
+     */
+    protected $superAdminRoles;
+
+    /**
+     * @var array
+     */
+    protected $roleReplaces = [
+        'LIST'   => 'LIST',
+        'VIEW'   => 'VIEW',
+        'CREATE' => 'CREATE',
+        'EDIT'   => 'EDIT',
+        'DELETE' => 'DELETE',
+        'EXPORT' => 'EXPORT',
+    ];
+
+    /**
+     * @param AuthorizationCheckerInterface $authorizationChecker
+     * @param AccessHandler $accessHandler
+     * @param array $superAdminRoles
+     */
+    public function __construct(AuthorizationCheckerInterface $authorizationChecker, AccessHandler $accessHandler, array $superAdminRoles)
+    {
+        $this->authorizationChecker = $authorizationChecker;
+        $this->accessHandler        = $accessHandler;
+        $this->superAdminRoles      = $superAdminRoles;
+    }
+
+    /**
+     * {@inheritdoc}
+     */
+    public function isGranted(AdminInterface $admin, $attributes, $object = null)
+    {
+        if (!is_array($attributes)) {
+            $attributes = array($attributes);
+        }
+
+        foreach ($attributes as $pos => $attribute) {
+            $attribute = isset($this->roleReplaces[$attribute]) ? $this->roleReplaces[$attribute] : $attribute;
+            $attributes[$pos] = sprintf($this->getBaseRole($admin), $attribute);
+        }
+
+        try {
+            return 
+                $this->authorizationChecker->isGranted($this->superAdminRoles) ||
+                $this->authorizationChecker->isGranted($attributes, $object)
+            ;
+
+        } catch (AuthenticationCredentialsNotFoundException $e) {
+            return false;
+
+        } catch (\Exception $e) {
+            throw $e;
+        }
+    }
+
+    /**
+     * {@inheritdoc}
+     */
+    public function getBaseRole(AdminInterface $admin)
+    {
+        $baseRole = $this->accessHandler->getBaseRole($admin->getClass());
+
+        if (!$baseRole) {
+            $baseRole = 'ROLE_' . str_replace('.', '_', strtoupper($admin->getCode())) . '_%s';
+        }
+
+        return $baseRole;
+    }
+
+    /**
+     * {@inheritdoc}
+     */
+    public function buildSecurityInformation(AdminInterface $admin)
+    {
+        return [];
+    }
+
+    /**
+     * {@inheritdoc}
+     */
+    public function createObjectSecurity(AdminInterface $admin, $object)
+    {}
+
+    /**
+     * {@inheritdoc}
+     */
+    public function deleteObjectSecurity(AdminInterface $admin, $object)
+    {}
+}

DependencyInjection/Configuration.php

@@ -0,0 +1,38 @@
+<?php
+
+/*
+ * This file is part of the Glavweb SecurityBundle package.
+ *
+ * (c) GLAVWEB <[email protected]>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Glavweb\SecurityBundle\DependencyInjection;
+
+use Symfony\Component\Config\Definition\Builder\TreeBuilder;
+use Symfony\Component\Config\Definition\ConfigurationInterface;
+
+/**
+ * This is the class that validates and merges configuration from your app/config files
+ *
+ * To learn more see {@link http://symfony.com/doc/current/cookbook/bundles/extension.html#cookbook-bundles-extension-config-class}
+ */
+class Configuration implements ConfigurationInterface
+{
+    /**
+     * {@inheritdoc}
+     */
+    public function getConfigTreeBuilder()
+    {
+        $treeBuilder = new TreeBuilder();
+        $treeBuilder->root('glavweb_security');
+
+        // Here you should define the parameters that are allowed to
+        // configure your bundle. See the documentation linked above for
+        // more information on that topic.
+
+        return $treeBuilder;
+    }
+}

DependencyInjection/GlavwebSecurityExtension.php

@@ -0,0 +1,37 @@
+<?php
+
+/*
+ * This file is part of the Glavweb SecurityBundle package.
+ *
+ * (c) GLAVWEB <[email protected]>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Glavweb\SecurityBundle\DependencyInjection;
+
+use Symfony\Component\DependencyInjection\ContainerBuilder;
+use Symfony\Component\Config\FileLocator;
+use Symfony\Component\HttpKernel\DependencyInjection\Extension;
+use Symfony\Component\DependencyInjection\Loader;
+
+/**
+ * This is the class that loads and manages your bundle configuration
+ *
+ * To learn more see {@link http://symfony.com/doc/current/cookbook/bundles/extension.html}
+ */
+class GlavwebSecurityExtension extends Extension
+{
+    /**
+     * {@inheritdoc}
+     */
+    public function load(array $configs, ContainerBuilder $container)
+    {
+        $configuration = new Configuration();
+        $this->processConfiguration($configuration, $configs);
+
+        $loader = new Loader\YamlFileLoader($container, new FileLocator(__DIR__.'/../Resources/config'));
+        $loader->load('services.yml');
+    }
+}

Form/SecurityRolesType.php

@@ -0,0 +1,98 @@
+<?php
+
+/*
+ * This file is part of the Glavweb SecurityBundle package.
+ *
+ * (c) GLAVWEB <[email protected]>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Glavweb\SecurityBundle\Form;
+
+use Glavweb\SecurityBundle\Security\EditableRolesBuilder;
+use Symfony\Component\Form\AbstractType;
+use Symfony\Component\Form\Extension\Core\Type\ChoiceType;
+use Symfony\Component\Form\FormInterface;
+use Symfony\Component\Form\FormView;
+use Symfony\Component\OptionsResolver\OptionsResolver;
+use Symfony\Component\OptionsResolver\Options;
+
+/**
+ * Class SecurityRolesType
+ *
+ * @author Andrey Nilov <[email protected]>
+ * @package Glavweb\SecurityBundle
+ */
+class SecurityRolesType extends AbstractType
+{
+    /**
+     * @var EditableRolesBuilder
+     */
+    protected $rolesBuilder;
+
+    /**
+     * @param EditableRolesBuilder $rolesBuilder
+     */
+    public function __construct(EditableRolesBuilder $rolesBuilder)
+    {
+        $this->rolesBuilder = $rolesBuilder;
+    }
+
+    /**
+     * {@inheritdoc}
+     */
+    public function buildView(FormView $view, FormInterface $form, array $options)
+    {
+        $attr = $view->vars['attr'];
+
+        if (isset($attr['class']) && empty($attr['class'])) {
+            $attr['class'] = 'sonata-medium';
+        }
+
+        $view->vars['entityRoles']   = $options['entityRoles'];
+        $view->vars['securityRoles'] = $options['securityRoles'];
+        $view->vars['attr']          = $attr;
+    }
+
+    /**
+     * {@inheritdoc}
+     */
+    public function configureOptions(OptionsResolver $resolver)
+    {
+        list($entityRoles, $securityRoles) = $this->rolesBuilder->getRoles();
+
+        $resolver->setDefaults(array(
+            'choices' => function (Options $options, $parentChoices) use ($entityRoles, $securityRoles) {
+                return empty($parentChoices) ? array_merge($entityRoles, $securityRoles) : [];
+            },
+
+            'entityRoles' => function (Options $options, $parentChoices) use ($entityRoles) {
+                return empty($parentChoices) ? $entityRoles : [];
+            },
+
+            'securityRoles' => function (Options $options, $parentChoices) use ($securityRoles) {
+                return empty($parentChoices) ? $securityRoles : [];
+            },
+
+            'data_class' => null
+        ));
+    }
+
+    /**
+     * {@inheritdoc}
+     */
+    public function getBlockPrefix()
+    {
+        return 'glavweb_security_roles';
+    }
+
+    /**
+     * {@inheritdoc}
+     */
+    public function getParent()
+    {
+        return ChoiceType::class;
+    }
+}

Form/Transformer/RestoreRolesTransformer.php

@@ -0,0 +1,82 @@
+<?php
+
+/*
+ * This file is part of the Glavweb SecurityBundle package.
+ *
+ * (c) GLAVWEB <[email protected]>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Glavweb\SecurityBundle\Form\Transformer;
+
+use Glavweb\SecurityBundle\Security\EditableRolesBuilder;
+use Symfony\Component\Form\DataTransformerInterface;
+
+/**
+ * Class RestoreRolesTransformer
+ *
+ * @author Andrey Nilov <[email protected]>
+ * @package Glavweb\SecurityBundle
+ */
+class RestoreRolesTransformer implements DataTransformerInterface
+{
+    /**
+     * @var array
+     */
+    protected $originalRoles = null;
+
+    /**
+     * @var EditableRolesBuilder
+     */
+    protected $rolesBuilder;
+
+    /**
+     * @param EditableRolesBuilder $rolesBuilder
+     */
+    public function __construct(EditableRolesBuilder $rolesBuilder)
+    {
+        $this->rolesBuilder = $rolesBuilder;
+    }
+
+    /**
+     * @param array|null $originalRoles
+     */
+    public function setOriginalRoles(array $originalRoles = null)
+    {
+        $this->originalRoles = $originalRoles ?: array();
+    }
+
+    /**
+     * {@inheritdoc}
+     */
+    public function transform($value)
+    {
+        if ($value === null) {
+            return $value;
+        }
+
+        if ($this->originalRoles === null) {
+            throw new \RuntimeException('Invalid state, originalRoles array is not set');
+        }
+
+        return $value;
+    }
+
+    /**
+     * {@inheritdoc}
+     */
+    public function reverseTransform($selectedRoles)
+    {
+        if ($this->originalRoles === null) {
+            throw new \RuntimeException('Invalid state, originalRoles array is not set');
+        }
+
+        list($availableRoles, ) = $this->rolesBuilder->getRoles();
+
+        $hiddenRoles = array_diff($this->originalRoles, array_keys($availableRoles));
+
+        return array_merge($selectedRoles, $hiddenRoles);
+    }
+}