/**
 * Decides whether the given roles, taken together, are allowed to access a subject
 * for one privilege type.
 *
 * Every privilege of the requested type is collected from every role and kept only
 * if it matches the subject. The votes of the kept privileges are then combined:
 *
 *  - no privilege matched at all: access is GRANTED. Subjects that no privilege
 *    covers are therefore allowed by default (fail-open); anything that must be
 *    protected needs a matching privilege.
 *  - at least one matching privilege denies: access is refused, regardless of how
 *    many other privileges grant and regardless of which role contributed the deny.
 *  - no deny and at least one grant: access is granted.
 *  - only abstentions: access is refused.
 *
 * @param array $roles Roles to evaluate; each entry is used as a Role
 * @param string $privilegeType Privilege type handed to Role::getPrivilegesByType()
 * @param mixed $subject Subject each privilege is matched against
 * @param string $reason Filled by reference with a human-readable explanation of the
 *                       decision. Target identifiers and parameter values are inserted
 *                       verbatim (no escaping), so encode it for the output context
 *                       before rendering it and consider who may read it.
 * @return bool true if access is granted, false otherwise
 */
public function isGrantedForRoles(array $roles, $privilegeType, $subject, &$reason = '')
{
    $lineFeed = chr(10);
    $evaluatedTargets = [];
    $grantCount = 0;
    $denyCount = 0;
    $abstainCount = 0;

    /** @var Role $role */
    foreach ($roles as $role) {
        // First pass: narrow this role's privileges down to those matching the subject.
        /** @var PrivilegeInterface[] $matchingPrivileges */
        $matchingPrivileges = [];
        foreach ($role->getPrivilegesByType($privilegeType) as $candidate) {
            if (!$candidate->matchesSubject($subject)) {
                continue;
            }
            $matchingPrivileges[] = $candidate;
        }

        // Second pass: describe each matching privilege for $reason and count its vote.
        foreach ($matchingPrivileges as $privilege) {
            $label = $privilege->getPrivilegeTargetIdentifier();

            $renderedParameters = [];
            foreach ($privilege->getParameters() as $parameter) {
                $renderedParameters[] = sprintf('%s: "%s"', $parameter->getName(), $parameter->getValue());
            }
            if (count($renderedParameters) > 0) {
                $label = $label . ' (with parameters: ' . implode(', ', $renderedParameters) . ')';
            }

            $evaluatedTargets[] = sprintf('"%s": %s', $label, strtoupper($privilege->getPermission()));

            if ($privilege->isGranted()) {
                $grantCount++;
                continue;
            }
            if ($privilege->isDenied()) {
                $denyCount++;
                continue;
            }
            // Neither granted nor denied counts as an abstention.
            $abstainCount++;
        }
    }

    // Nothing matched the subject: allowed by default (see the method description).
    if ($evaluatedTargets === []) {
        $reason = sprintf('No privilege of type "%s" matched.', $privilegeType);
        return true;
    }

    $reason = sprintf(
        'Evaluated following %d privilege target(s):' . $lineFeed . '%s' . $lineFeed . '(%d granted, %d denied, %d abstained)',
        count($evaluatedTargets),
        implode($lineFeed, $evaluatedTargets),
        $grantCount,
        $denyCount,
        $abstainCount
    );

    // A single deny overrides any number of grants.
    if ($denyCount > 0) {
        return false;
    }

    // Without a deny, at least one explicit grant is required; abstentions alone refuse.
    return $grantCount > 0;
}