Extract access check from operator controllers
This commit is contained in:
parent
af45d34721
commit
9527ef632f
@ -0,0 +1,48 @@
|
||||
<?php
|
||||
/*
|
||||
* Copyright 2005-2014 the original author or authors.
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
|
||||
namespace Mibew\AccessControl\Check;
|
||||
|
||||
use Symfony\Component\HttpFoundation\Request;
|
||||
|
||||
/**
|
||||
* Checks if operator from the request is logged in and has permissions to
|
||||
* edit target operators profile. Request must contain id of the target
|
||||
* operator in "operator_id" attribute.
|
||||
*/
|
||||
class OperatorEditCheck extends LoggedInCheck
|
||||
{
|
||||
/**
|
||||
* Checks the access.
|
||||
*
|
||||
* @param Request $request Incoming request
|
||||
* @return boolean Indicates if an operator has access or not.
|
||||
*/
|
||||
public function __invoke(Request $request)
|
||||
{
|
||||
// Check if the operator is logged in
|
||||
if (!parent::__invoke($request)) {
|
||||
return false;
|
||||
}
|
||||
|
||||
$operator = $request->attributes->get('_operator');
|
||||
$target_operator_id = $request->attributes->getInt('operator_id', false);
|
||||
|
||||
return is_capable(CAN_ADMINISTRATE, $operator)
|
||||
|| (is_capable(CAN_MODIFYPROFILE, $operator) && $operator['operatorid'] == $target_operator_id);
|
||||
}
|
||||
}
|
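Review bot: The self-edit branch `$operator['operatorid'] == $target_operator_id` does not fail closed on its own: `getInt('operator_id', false)` casts the missing-attribute default to `0`, and the comparison is loose, so the check is only correct because every route that uses it also declares an `operator_id` requirement. Since this class is meant to be wired from routing config, make it self-sufficient by adding `if (!$request->attributes->has('operator_id')) { return false; }` before the capability test and comparing strictly with `(int) $operator['operatorid'] === $target_operator_id`. Whether `operatorid` can ever be `0` or non-numeric is not visible here; the explicit guard removes the dependence either way.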
@ -0,0 +1,48 @@
|
||||
<?php
|
||||
/*
|
||||
* Copyright 2005-2014 the original author or authors.
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
|
||||
namespace Mibew\AccessControl\Check;
|
||||
|
||||
use Symfony\Component\HttpFoundation\Request;
|
||||
|
||||
/**
|
||||
* Checks if operator from the request is logged in and has permissions to
|
||||
* view target operators profile. Request must contain id of the target
|
||||
* operator in "operator_id" attribute.
|
||||
*/
|
||||
class OperatorViewCheck extends LoggedInCheck
|
||||
{
|
||||
/**
|
||||
* Checks the access.
|
||||
*
|
||||
* @param Request $request Incoming request
|
||||
* @return boolean Indicates if an operator has access or not.
|
||||
*/
|
||||
public function __invoke(Request $request)
|
||||
{
|
||||
// Check if the operator is logged in
|
||||
if (!parent::__invoke($request)) {
|
||||
return false;
|
||||
}
|
||||
|
||||
$operator = $request->attributes->get('_operator');
|
||||
$target_operator_id = $request->attributes->getInt('operator_id', false);
|
||||
|
||||
return is_capable(CAN_ADMINISTRATE, $operator)
|
||||
|| $operator['operatorid'] == $target_operator_id;
|
||||
}
|
||||
}
|
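Review bot: Same fail-open-by-configuration shape as OperatorEditCheck: a missing `operator_id` attribute is collapsed to `0` by `getInt('operator_id', false)` and then compared loosely at `$operator['operatorid'] == $target_operator_id`, so the route's `\d{1,10}` requirement rather than the check itself is what keeps this correct. Add `if (!$request->attributes->has('operator_id')) { return false; }` before the comparison and use `(int) $operator['operatorid'] === $target_operator_id`. The class docblock should also say that self-access is granted to any logged-in operator regardless of CAN_MODIFYPROFILE, which mirrors the removed controller guards; the self-or-admin test is now written twice and could live in one protected helper shared by both checks.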
@ -18,7 +18,6 @@
|
||||
namespace Mibew\Controller\Operator;
|
||||
|
||||
use Mibew\Settings;
|
||||
use Mibew\Http\Exception\AccessDeniedException;
|
||||
use Mibew\Http\Exception\NotFoundException;
|
||||
use Symfony\Component\HttpFoundation\Request;
|
||||
|
||||
@ -51,11 +50,6 @@ class AvatarController extends AbstractController
|
||||
$can_modify = ($op_id == $operator['operatorid'] && is_capable(CAN_MODIFYPROFILE, $operator))
|
||||
|| is_capable(CAN_ADMINISTRATE, $operator);
|
||||
|
||||
// Check if the curent operator has enough rights to access the page
|
||||
if ($op_id != $operator['operatorid'] && !is_capable(CAN_ADMINISTRATE, $operator)) {
|
||||
throw new AccessDeniedException();
|
||||
}
|
||||
|
||||
// Try to load the target operator.
|
||||
$op = operator_by_id($op_id);
|
||||
if (!$op) {
|
||||
@ -85,8 +79,6 @@ class AvatarController extends AbstractController
|
||||
* @return string Rendered page content.
|
||||
* @throws NotFoundException If the operator with specified ID is not found
|
||||
* in the system.
|
||||
* @throws AccessDeniedException If the current operator has no rights to
|
||||
* modify choosen profile.
|
||||
*/
|
||||
public function submitFormAction(Request $request)
|
||||
{
|
||||
@ -96,12 +88,6 @@ class AvatarController extends AbstractController
|
||||
$op_id = $request->attributes->getInt('operator_id');
|
||||
$errors = array();
|
||||
|
||||
$can_modify = ($op_id == $operator['operatorid'] && is_capable(CAN_MODIFYPROFILE, $operator))
|
||||
|| is_capable(CAN_ADMINISTRATE, $operator);
|
||||
if (!$can_modify) {
|
||||
throw new AccessDeniedException('Cannot modify avatar.');
|
||||
}
|
||||
|
||||
// Try to load the target operator.
|
||||
$op = operator_by_id($op_id);
|
||||
if (!$op) {
|
||||
@ -179,8 +165,6 @@ class AvatarController extends AbstractController
|
||||
* @return string Rendered page content.
|
||||
* @throws NotFoundException If the operator with specified ID is not found
|
||||
* in the system.
|
||||
* @throws AccessDeniedException If the current operator has no rights to
|
||||
* modify choosen profile.
|
||||
*/
|
||||
public function deleteAction(Request $request)
|
||||
{
|
||||
@ -189,12 +173,6 @@ class AvatarController extends AbstractController
|
||||
$operator = $request->attributes->get('_operator');
|
||||
$op_id = $request->attributes->getInt('operator_id');
|
||||
|
||||
$can_modify = ($op_id == $operator['operatorid'] && is_capable(CAN_MODIFYPROFILE, $operator))
|
||||
|| is_capable(CAN_ADMINISTRATE, $operator);
|
||||
if (!$can_modify) {
|
||||
throw new AccessDeniedException('Cannot modify avatar.');
|
||||
}
|
||||
|
||||
// Try to load the target operator.
|
||||
if (!operator_by_id($op_id)) {
|
||||
throw new NotFoundException('The operator is not found');
|
||||
|
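Review bot: With the inline guards removed, `showFormAction`, `submitFormAction` and `deleteAction` are safe only while their routes keep `_access_check` set to OperatorViewCheck/OperatorEditCheck, and nothing in the controller records that contract; the `$can_modify` expression kept at the top of `showFormAction` now duplicates OperatorEditCheck's rule for display purposes only. Add a comment such as `// Access control is enforced by the route's _access_check (OperatorViewCheck for GET, OperatorEditCheck for POST/delete); $can_modify only drives the template.` so a future route for this controller is not wired to bare LoggedInCheck. Each of these actions continues outside the visible hunks.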
@ -17,7 +17,6 @@
|
||||
|
||||
namespace Mibew\Controller\Operator;
|
||||
|
||||
use Mibew\Http\Exception\AccessDeniedException;
|
||||
use Mibew\Http\Exception\BadRequestException;
|
||||
use Mibew\Http\Exception\NotFoundException;
|
||||
use Symfony\Component\HttpFoundation\Request;
|
||||
@ -34,8 +33,6 @@ class GroupsController extends AbstractController
|
||||
* @return string Rendered page content.
|
||||
* @throws NotFoundException If the operator with specified ID is not found
|
||||
* in the system.
|
||||
* @throws AccessDeniedException If the current operator has not enough
|
||||
* rights to view the page.
|
||||
*/
|
||||
public function showFormAction(Request $request)
|
||||
{
|
||||
@ -45,11 +42,6 @@ class GroupsController extends AbstractController
|
||||
$operator_in_isolation = in_isolation($operator);
|
||||
$op_id = $request->attributes->getInt('operator_id');
|
||||
|
||||
// Check if the curent operator has enough rights to access the page
|
||||
if ($op_id != $operator['operatorid'] && !is_capable(CAN_ADMINISTRATE, $operator)) {
|
||||
throw new AccessDeniedException();
|
||||
}
|
||||
|
||||
// Check if the target user exists
|
||||
$op = operator_by_id($op_id);
|
||||
if (!$op) {
|
||||
|
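Review bot: The import hunk shrinks from 7 to 6 lines alongside the removal of the `@throws AccessDeniedException` docblock lines, which suggests `use Mibew\Http\Exception\AccessDeniedException;` was dropped from this file; that is only safe if no remaining action in GroupsController still throws it, since an unimported name would resolve to `Mibew\Controller\Operator\AccessDeniedException` and fail at runtime. The save action for this page is not in the diff, so I cannot confirm it; if it still throws, keep the import, and if its inline check was removed as well, its route must use OperatorEditCheck rather than LoggedInCheck. `showFormAction` continues past the hunk.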
@ -17,7 +17,6 @@
|
||||
|
||||
namespace Mibew\Controller\Operator;
|
||||
|
||||
use Mibew\Http\Exception\AccessDeniedException;
|
||||
use Mibew\Http\Exception\BadRequestException;
|
||||
use Mibew\Http\Exception\NotFoundException;
|
||||
use Symfony\Component\HttpFoundation\Request;
|
||||
@ -34,8 +33,6 @@ class PermissionsController extends AbstractController
|
||||
* @return string Rendered page content.
|
||||
* @throws NotFoundException If the operator with specified ID is not found
|
||||
* in the system.
|
||||
* @throws AccessDeniedException If the current operator has not enough
|
||||
* rights to view the page.
|
||||
*/
|
||||
public function showFormAction(Request $request)
|
||||
{
|
||||
@ -50,11 +47,6 @@ class PermissionsController extends AbstractController
|
||||
'errors' => array(),
|
||||
);
|
||||
|
||||
// Check if the curent operator has enough rights to access the page
|
||||
if ($op_id != $operator['operatorid'] && !is_capable(CAN_ADMINISTRATE, $operator)) {
|
||||
throw new AccessDeniedException();
|
||||
}
|
||||
|
||||
$op = operator_by_id($op_id);
|
||||
if (!$op) {
|
||||
throw new NotFoundException('The operator is not found.');
|
||||
|
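Review bot: Viewing one's own permission set without CAN_ADMINISTRATE is preserved by OperatorViewCheck, matching the removed `$op_id != $operator['operatorid'] && !is_capable(CAN_ADMINISTRATE, $operator)` guard, so the GET side is unchanged; the sensitive part is the POST that alters permissions, whose route and action are not in this diff. Confirm it is gated by PermissionsCheck with `[CAN_ADMINISTRATE]` or still carries its inline admin check, because the 8-to-6 docblock change and the 7-to-6 import change hint that in-controller denial was removed file-wide. A short comment on `showFormAction`, `// Access enforced by the route's OperatorViewCheck`, would make the dependency visible. The action body continues beyond the hunk.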
@ -17,7 +17,6 @@
|
||||
|
||||
namespace Mibew\Controller\Operator;
|
||||
|
||||
use Mibew\Http\Exception\AccessDeniedException;
|
||||
use Mibew\Http\Exception\NotFoundException;
|
||||
use Symfony\Component\HttpFoundation\Request;
|
||||
|
||||
@ -88,14 +87,6 @@ class ProfileController extends AbstractController
|
||||
$page['formcode'] = $request->request->get('code');
|
||||
}
|
||||
|
||||
// Operator without CAN_ADMINISTRATE permission can neither create new
|
||||
// operators nor view/edit other operator's profile.
|
||||
$access_restricted = !is_capable(CAN_ADMINISTRATE, $operator)
|
||||
&& (!$op_id || ($operator['operatorid'] != $op_id));
|
||||
if ($access_restricted) {
|
||||
throw new AccessDeniedException();
|
||||
}
|
||||
|
||||
$can_modify = ($op_id == $operator['operatorid'] && is_capable(CAN_MODIFYPROFILE, $operator))
|
||||
|| is_capable(CAN_ADMINISTRATE, $operator);
|
||||
|
||||
@ -119,8 +110,6 @@ class ProfileController extends AbstractController
|
||||
*
|
||||
* @param Request $request Incoming request.
|
||||
* @return string Rendered page content.
|
||||
* @throws AccessDeniedException If the current operator has no rights to
|
||||
* modify choosen profile.
|
||||
*/
|
||||
public function submitFormAction(Request $request)
|
||||
{
|
||||
@ -145,12 +134,6 @@ class ProfileController extends AbstractController
|
||||
$common_name = $request->request->get('commonname');
|
||||
$code = $request->request->get('code');
|
||||
|
||||
$can_modify = ($op_id == $operator['operatorid'] && is_capable(CAN_MODIFYPROFILE, $operator))
|
||||
|| is_capable(CAN_ADMINISTRATE, $operator);
|
||||
if (!$can_modify) {
|
||||
throw new AccessDeniedException('Cannot modify profile.');
|
||||
}
|
||||
|
||||
if (!$local_name) {
|
||||
$errors[] = no_field('form.field.agent_name');
|
||||
}
|
||||
|
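Review bot: `showFormAction` keeps `$can_modify = ($op_id == $operator['operatorid'] && is_capable(CAN_MODIFYPROFILE, $operator)) || is_capable(CAN_ADMINISTRATE, $operator);` while `submitFormAction` now relies on OperatorEditCheck for the same rule, so the flag that renders the form editable and the check that accepts the POST live in two places and can drift. Either derive the flag from the check class, `$can_modify = (new OperatorEditCheck())($request);` (valid only if LoggedInCheck's constructor takes no arguments, which is not visible here), or mark the expression with `// Must stay in sync with Mibew\AccessControl\Check\OperatorEditCheck`. `showFormAction` also serves `operator_add`, where no `operator_id` exists; there the route's PermissionsCheck `[CAN_ADMINISTRATE]` replaces the removed `$access_restricted` test. Both actions extend beyond the visible hunks.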
@ -174,21 +174,23 @@ operator_add:
|
||||
path: /operator/operator/add
|
||||
defaults:
|
||||
_controller: Mibew\Controller\Operator\ProfileController::showFormAction
|
||||
_access_check: Mibew\AccessControl\Check\LoggedInCheck
|
||||
_access_check: Mibew\AccessControl\Check\PermissionsCheck
|
||||
_access_permissions: [CAN_ADMINISTRATE]
|
||||
methods: [GET]
|
||||
|
||||
operator_add_save:
|
||||
path: /operator/operator/add
|
||||
defaults:
|
||||
_controller: Mibew\Controller\Operator\ProfileController::submitFormAction
|
||||
_access_check: Mibew\AccessControl\Check\LoggedInCheck
|
||||
_access_check: Mibew\AccessControl\Check\PermissionsCheck
|
||||
_access_permissions: [CAN_ADMINISTRATE]
|
||||
methods: [POST]
|
||||
|
||||
operator_avatar:
|
||||
path: /operator/operator/{operator_id}/avatar
|
||||
defaults:
|
||||
_controller: Mibew\Controller\Operator\AvatarController::showFormAction
|
||||
_access_check: Mibew\AccessControl\Check\LoggedInCheck
|
||||
_access_check: Mibew\AccessControl\Check\OperatorViewCheck
|
||||
requirements:
|
||||
operator_id: \d{1,10}
|
||||
methods: [GET]
|
||||
@ -197,7 +199,7 @@ operator_avatar_delete:
|
||||
path: /operator/operator/{operator_id}/avatar/delete
|
||||
defaults:
|
||||
_controller: Mibew\Controller\Operator\AvatarController::deleteAction
|
||||
_access_check: Mibew\AccessControl\Check\LoggedInCheck
|
||||
_access_check: Mibew\AccessControl\Check\OperatorEditCheck
|
||||
requirements:
|
||||
operator_id: \d{1,10}
|
||||
|
||||
@ -205,7 +207,7 @@ operator_avatar_save:
|
||||
path: /operator/operator/{operator_id}/avatar
|
||||
defaults:
|
||||
_controller: Mibew\Controller\Operator\AvatarController::submitFormAction
|
||||
_access_check: Mibew\AccessControl\Check\LoggedInCheck
|
||||
_access_check: Mibew\AccessControl\Check\OperatorEditCheck
|
||||
requirements:
|
||||
operator_id: \d{1,10}
|
||||
methods: [POST]
|
||||
@ -214,7 +216,7 @@ operator_edit:
|
||||
path: /operator/operator/{operator_id}/edit
|
||||
defaults:
|
||||
_controller: Mibew\Controller\Operator\ProfileController::showFormAction
|
||||
_access_check: Mibew\AccessControl\Check\LoggedInCheck
|
||||
_access_check: Mibew\AccessControl\Check\OperatorViewCheck
|
||||
requirements:
|
||||
operator_id: \d{1,10}
|
||||
methods: [GET]
|
||||
@ -223,7 +225,7 @@ operator_edit_save:
|
||||
path: /operator/operator/{operator_id}/edit
|
||||
defaults:
|
||||
_controller: Mibew\Controller\Operator\ProfileController::submitFormAction
|
||||
_access_check: Mibew\AccessControl\Check\LoggedInCheck
|
||||
_access_check: Mibew\AccessControl\Check\OperatorEditCheck
|
||||
requirements:
|
||||
operator_id: \d{1,10}
|
||||
methods: [POST]
|
||||
@ -259,7 +261,7 @@ operator_groups:
|
||||
path: /operator/operator/{operator_id}/groups
|
||||
defaults:
|
||||
_controller: Mibew\Controller\Operator\GroupsController::showFormAction
|
||||
_access_check: Mibew\AccessControl\Check\LoggedInCheck
|
||||
_access_check: Mibew\AccessControl\Check\OperatorViewCheck
|
||||
requirements:
|
||||
operator_id: \d{1,10}
|
||||
methods: [GET]
|
||||
@ -278,7 +280,7 @@ operator_permissions:
|
||||
path: /operator/operator/{operator_id}/permissions
|
||||
defaults:
|
||||
_controller: Mibew\Controller\Operator\PermissionsController::showFormAction
|
||||
_access_check: Mibew\AccessControl\Check\LoggedInCheck
|
||||
_access_check: Mibew\AccessControl\Check\OperatorViewCheck
|
||||
requirements:
|
||||
operator_id: \d{1,10}
|
||||
methods: [GET]
|
||||
|
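Review bot: The `operator_id: \d{1,10}` requirement on every route switched to OperatorViewCheck/OperatorEditCheck is what guarantees those checks receive a present, numeric `operator_id`, and that dependency deserves a comment near the first such route, e.g. `# operator_id requirement is relied upon by OperatorViewCheck/OperatorEditCheck`. Only the GET routes for `operator_groups` and `operator_permissions` are changed here; the routes between them (file lines roughly 266–278) and any save/POST counterparts are outside the diff, so confirm they were moved off bare `LoggedInCheck` too, given that the controllers' inline checks were removed in the same commit. `operator_add`/`operator_add_save` correctly switch to PermissionsCheck with `[CAN_ADMINISTRATE]`, since no target id exists on those paths.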