Mibew/mibew
1
0
Fork 0
mirror of https://github.com/Mibew/mibew.git synced 2024-11-16 09:04:11 +03:00
Code Issues Actions Packages Projects Releases Wiki Activity

Extract access check from operator controllers

Browse Source
This commit is contained in:
Dmitriy Simushev 2014-05-23 10:53:29 +00:00
parent af45d34721
commit 9527ef632f
7 changed files with 107 additions and 64 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

48
src/mibew/libs/classes/Mibew/AccessControl/Check/OperatorEditCheck.php Normal file
View File

@ -0,0 +1,48 @@
<?php
/*
* Copyright 2005-2014 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
namespace Mibew\AccessControl\Check;
use Symfony\Component\HttpFoundation\Request;
/**
* Checks if operator from the request is logged in and has permissions to
* edit target operators profile. Request must contain id of the target
* operator in "operator_id" attribute.
*/
class OperatorEditCheck extends LoggedInCheck
{
/**
* Checks the access.
*
* @param Request $request Incoming request
* @return boolean Indicates if an operator has access or not.
*/
public function __invoke(Request $request)
{
// Check if the operator is logged in
if (!parent::__invoke($request)) {
return false;
}
$operator = $request->attributes->get('_operator');
$target_operator_id = $request->attributes->getInt('operator_id', false);
return is_capable(CAN_ADMINISTRATE, $operator)
|| (is_capable(CAN_MODIFYPROFILE, $operator) && $operator['operatorid'] == $target_operator_id);
}
}

48
src/mibew/libs/classes/Mibew/AccessControl/Check/OperatorViewCheck.php Normal file
View File

@ -0,0 +1,48 @@
<?php
/*
* Copyright 2005-2014 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
namespace Mibew\AccessControl\Check;
use Symfony\Component\HttpFoundation\Request;
/**
* Checks if operator from the request is logged in and has permissions to
* view target operators profile. Request must contain id of the target
* operator in "operator_id" attribute.
*/
class OperatorViewCheck extends LoggedInCheck
{
/**
* Checks the access.
*
* @param Request $request Incoming request
* @return boolean Indicates if an operator has access or not.
*/
public function __invoke(Request $request)
{
// Check if the operator is logged in
if (!parent::__invoke($request)) {
return false;
}
$operator = $request->attributes->get('_operator');
$target_operator_id = $request->attributes->getInt('operator_id', false);
return is_capable(CAN_ADMINISTRATE, $operator)
|| $operator['operatorid'] == $target_operator_id;
}
}

22
src/mibew/libs/classes/Mibew/Controller/Operator/AvatarController.php
View File

@ -18,7 +18,6 @@
namespace Mibew\Controller\Operator; namespace Mibew\Controller\Operator;
use Mibew\Settings; use Mibew\Settings;
use Mibew\Http\Exception\AccessDeniedException;
use Mibew\Http\Exception\NotFoundException; use Mibew\Http\Exception\NotFoundException;
use Symfony\Component\HttpFoundation\Request; use Symfony\Component\HttpFoundation\Request;
@ -51,11 +50,6 @@ class AvatarController extends AbstractController
$can_modify = ($op_id == $operator['operatorid'] && is_capable(CAN_MODIFYPROFILE, $operator)) $can_modify = ($op_id == $operator['operatorid'] && is_capable(CAN_MODIFYPROFILE, $operator))
|| is_capable(CAN_ADMINISTRATE, $operator); || is_capable(CAN_ADMINISTRATE, $operator);
// Check if the curent operator has enough rights to access the page
if ($op_id != $operator['operatorid'] && !is_capable(CAN_ADMINISTRATE, $operator)) {
throw new AccessDeniedException();
}
// Try to load the target operator. // Try to load the target operator.
$op = operator_by_id($op_id); $op = operator_by_id($op_id);
if (!$op) { if (!$op) {
@ -85,8 +79,6 @@ class AvatarController extends AbstractController
* @return string Rendered page content. * @return string Rendered page content.
* @throws NotFoundException If the operator with specified ID is not found * @throws NotFoundException If the operator with specified ID is not found
* in the system. * in the system.
* @throws AccessDeniedException If the current operator has no rights to
* modify choosen profile.
*/ */
public function submitFormAction(Request $request) public function submitFormAction(Request $request)
{ {
@ -96,12 +88,6 @@ class AvatarController extends AbstractController
$op_id = $request->attributes->getInt('operator_id'); $op_id = $request->attributes->getInt('operator_id');
$errors = array(); $errors = array();
$can_modify = ($op_id == $operator['operatorid'] && is_capable(CAN_MODIFYPROFILE, $operator))
|| is_capable(CAN_ADMINISTRATE, $operator);
if (!$can_modify) {
throw new AccessDeniedException('Cannot modify avatar.');
}
// Try to load the target operator. // Try to load the target operator.
$op = operator_by_id($op_id); $op = operator_by_id($op_id);
if (!$op) { if (!$op) {
@ -179,8 +165,6 @@ class AvatarController extends AbstractController
* @return string Rendered page content. * @return string Rendered page content.
* @throws NotFoundException If the operator with specified ID is not found * @throws NotFoundException If the operator with specified ID is not found
* in the system. * in the system.
* @throws AccessDeniedException If the current operator has no rights to
* modify choosen profile.
*/ */
public function deleteAction(Request $request) public function deleteAction(Request $request)
{ {
@ -189,12 +173,6 @@ class AvatarController extends AbstractController
$operator = $request->attributes->get('_operator'); $operator = $request->attributes->get('_operator');
$op_id = $request->attributes->getInt('operator_id'); $op_id = $request->attributes->getInt('operator_id');
$can_modify = ($op_id == $operator['operatorid'] && is_capable(CAN_MODIFYPROFILE, $operator))
|| is_capable(CAN_ADMINISTRATE, $operator);
if (!$can_modify) {
throw new AccessDeniedException('Cannot modify avatar.');
}
// Try to load the target operator. // Try to load the target operator.
if (!operator_by_id($op_id)) { if (!operator_by_id($op_id)) {
throw new NotFoundException('The operator is not found'); throw new NotFoundException('The operator is not found');

8
src/mibew/libs/classes/Mibew/Controller/Operator/GroupsController.php
View File

@ -17,7 +17,6 @@
namespace Mibew\Controller\Operator; namespace Mibew\Controller\Operator;
use Mibew\Http\Exception\AccessDeniedException;
use Mibew\Http\Exception\BadRequestException; use Mibew\Http\Exception\BadRequestException;
use Mibew\Http\Exception\NotFoundException; use Mibew\Http\Exception\NotFoundException;
use Symfony\Component\HttpFoundation\Request; use Symfony\Component\HttpFoundation\Request;
@ -34,8 +33,6 @@ class GroupsController extends AbstractController
* @return string Rendered page content. * @return string Rendered page content.
* @throws NotFoundException If the operator with specified ID is not found * @throws NotFoundException If the operator with specified ID is not found
* in the system. * in the system.
* @throws AccessDeniedException If the current operator has not enough
* rights to view the page.
*/ */
public function showFormAction(Request $request) public function showFormAction(Request $request)
{ {
@ -45,11 +42,6 @@ class GroupsController extends AbstractController
$operator_in_isolation = in_isolation($operator); $operator_in_isolation = in_isolation($operator);
$op_id = $request->attributes->getInt('operator_id'); $op_id = $request->attributes->getInt('operator_id');
// Check if the curent operator has enough rights to access the page
if ($op_id != $operator['operatorid'] && !is_capable(CAN_ADMINISTRATE, $operator)) {
throw new AccessDeniedException();
}
// Check if the target user exists // Check if the target user exists
$op = operator_by_id($op_id); $op = operator_by_id($op_id);
if (!$op) { if (!$op) {

8
src/mibew/libs/classes/Mibew/Controller/Operator/PermissionsController.php
View File

@ -17,7 +17,6 @@
namespace Mibew\Controller\Operator; namespace Mibew\Controller\Operator;
use Mibew\Http\Exception\AccessDeniedException;
use Mibew\Http\Exception\BadRequestException; use Mibew\Http\Exception\BadRequestException;
use Mibew\Http\Exception\NotFoundException; use Mibew\Http\Exception\NotFoundException;
use Symfony\Component\HttpFoundation\Request; use Symfony\Component\HttpFoundation\Request;
@ -34,8 +33,6 @@ class PermissionsController extends AbstractController
* @return string Rendered page content. * @return string Rendered page content.
* @throws NotFoundException If the operator with specified ID is not found * @throws NotFoundException If the operator with specified ID is not found
* in the system. * in the system.
* @throws AccessDeniedException If the current operator has not enough
* rights to view the page.
*/ */
public function showFormAction(Request $request) public function showFormAction(Request $request)
{ {
@ -50,11 +47,6 @@ class PermissionsController extends AbstractController
'errors' => array(), 'errors' => array(),
); );
// Check if the curent operator has enough rights to access the page
if ($op_id != $operator['operatorid'] && !is_capable(CAN_ADMINISTRATE, $operator)) {
throw new AccessDeniedException();
}
$op = operator_by_id($op_id); $op = operator_by_id($op_id);
if (!$op) { if (!$op) {
throw new NotFoundException('The operator is not found.'); throw new NotFoundException('The operator is not found.');

17
src/mibew/libs/classes/Mibew/Controller/Operator/ProfileController.php
View File

@ -17,7 +17,6 @@
namespace Mibew\Controller\Operator; namespace Mibew\Controller\Operator;
use Mibew\Http\Exception\AccessDeniedException;
use Mibew\Http\Exception\NotFoundException; use Mibew\Http\Exception\NotFoundException;
use Symfony\Component\HttpFoundation\Request; use Symfony\Component\HttpFoundation\Request;
@ -88,14 +87,6 @@ class ProfileController extends AbstractController
$page['formcode'] = $request->request->get('code'); $page['formcode'] = $request->request->get('code');
} }
// Operator without CAN_ADMINISTRATE permission can neither create new
// operators nor view/edit other operator's profile.
$access_restricted = !is_capable(CAN_ADMINISTRATE, $operator)
&& (!$op_id || ($operator['operatorid'] != $op_id));
if ($access_restricted) {
throw new AccessDeniedException();
}
$can_modify = ($op_id == $operator['operatorid'] && is_capable(CAN_MODIFYPROFILE, $operator)) $can_modify = ($op_id == $operator['operatorid'] && is_capable(CAN_MODIFYPROFILE, $operator))
|| is_capable(CAN_ADMINISTRATE, $operator); || is_capable(CAN_ADMINISTRATE, $operator);
@ -119,8 +110,6 @@ class ProfileController extends AbstractController
* *
* @param Request $request Incoming request. * @param Request $request Incoming request.
* @return string Rendered page content. * @return string Rendered page content.
* @throws AccessDeniedException If the current operator has no rights to
* modify choosen profile.
*/ */
public function submitFormAction(Request $request) public function submitFormAction(Request $request)
{ {
@ -145,12 +134,6 @@ class ProfileController extends AbstractController
$common_name = $request->request->get('commonname'); $common_name = $request->request->get('commonname');
$code = $request->request->get('code'); $code = $request->request->get('code');
$can_modify = ($op_id == $operator['operatorid'] && is_capable(CAN_MODIFYPROFILE, $operator))
|| is_capable(CAN_ADMINISTRATE, $operator);
if (!$can_modify) {
throw new AccessDeniedException('Cannot modify profile.');
}
if (!$local_name) { if (!$local_name) {
$errors[] = no_field('form.field.agent_name'); $errors[] = no_field('form.field.agent_name');
} }

20
src/mibew/libs/routing.yml
View File

@ -174,21 +174,23 @@ operator_add:
path: /operator/operator/add path: /operator/operator/add
defaults: defaults:
_controller: Mibew\Controller\Operator\ProfileController::showFormAction _controller: Mibew\Controller\Operator\ProfileController::showFormAction
_access_check: Mibew\AccessControl\Check\LoggedInCheck _access_check: Mibew\AccessControl\Check\PermissionsCheck
_access_permissions: [CAN_ADMINISTRATE]
methods: [GET] methods: [GET]
operator_add_save: operator_add_save:
path: /operator/operator/add path: /operator/operator/add
defaults: defaults:
_controller: Mibew\Controller\Operator\ProfileController::submitFormAction _controller: Mibew\Controller\Operator\ProfileController::submitFormAction
_access_check: Mibew\AccessControl\Check\LoggedInCheck _access_check: Mibew\AccessControl\Check\PermissionsCheck
_access_permissions: [CAN_ADMINISTRATE]
methods: [POST] methods: [POST]
operator_avatar: operator_avatar:
path: /operator/operator/{operator_id}/avatar path: /operator/operator/{operator_id}/avatar
defaults: defaults:
_controller: Mibew\Controller\Operator\AvatarController::showFormAction _controller: Mibew\Controller\Operator\AvatarController::showFormAction
_access_check: Mibew\AccessControl\Check\LoggedInCheck _access_check: Mibew\AccessControl\Check\OperatorViewCheck
requirements: requirements:
operator_id: \d{1,10} operator_id: \d{1,10}
methods: [GET] methods: [GET]
@ -197,7 +199,7 @@ operator_avatar_delete:
path: /operator/operator/{operator_id}/avatar/delete path: /operator/operator/{operator_id}/avatar/delete
defaults: defaults:
_controller: Mibew\Controller\Operator\AvatarController::deleteAction _controller: Mibew\Controller\Operator\AvatarController::deleteAction
_access_check: Mibew\AccessControl\Check\LoggedInCheck _access_check: Mibew\AccessControl\Check\OperatorEditCheck
requirements: requirements:
operator_id: \d{1,10} operator_id: \d{1,10}
@ -205,7 +207,7 @@ operator_avatar_save:
path: /operator/operator/{operator_id}/avatar path: /operator/operator/{operator_id}/avatar
defaults: defaults:
_controller: Mibew\Controller\Operator\AvatarController::submitFormAction _controller: Mibew\Controller\Operator\AvatarController::submitFormAction
_access_check: Mibew\AccessControl\Check\LoggedInCheck _access_check: Mibew\AccessControl\Check\OperatorEditCheck
requirements: requirements:
operator_id: \d{1,10} operator_id: \d{1,10}
methods: [POST] methods: [POST]
@ -214,7 +216,7 @@ operator_edit:
path: /operator/operator/{operator_id}/edit path: /operator/operator/{operator_id}/edit
defaults: defaults:
_controller: Mibew\Controller\Operator\ProfileController::showFormAction _controller: Mibew\Controller\Operator\ProfileController::showFormAction
_access_check: Mibew\AccessControl\Check\LoggedInCheck _access_check: Mibew\AccessControl\Check\OperatorViewCheck
requirements: requirements:
operator_id: \d{1,10} operator_id: \d{1,10}
methods: [GET] methods: [GET]
@ -223,7 +225,7 @@ operator_edit_save:
path: /operator/operator/{operator_id}/edit path: /operator/operator/{operator_id}/edit
defaults: defaults:
_controller: Mibew\Controller\Operator\ProfileController::submitFormAction _controller: Mibew\Controller\Operator\ProfileController::submitFormAction
_access_check: Mibew\AccessControl\Check\LoggedInCheck _access_check: Mibew\AccessControl\Check\OperatorEditCheck
requirements: requirements:
operator_id: \d{1,10} operator_id: \d{1,10}
methods: [POST] methods: [POST]
@ -259,7 +261,7 @@ operator_groups:
path: /operator/operator/{operator_id}/groups path: /operator/operator/{operator_id}/groups
defaults: defaults:
_controller: Mibew\Controller\Operator\GroupsController::showFormAction _controller: Mibew\Controller\Operator\GroupsController::showFormAction
_access_check: Mibew\AccessControl\Check\LoggedInCheck _access_check: Mibew\AccessControl\Check\OperatorViewCheck
requirements: requirements:
operator_id: \d{1,10} operator_id: \d{1,10}
methods: [GET] methods: [GET]
@ -278,7 +280,7 @@ operator_permissions:
path: /operator/operator/{operator_id}/permissions path: /operator/operator/{operator_id}/permissions
defaults: defaults:
_controller: Mibew\Controller\Operator\PermissionsController::showFormAction _controller: Mibew\Controller\Operator\PermissionsController::showFormAction
_access_check: Mibew\AccessControl\Check\LoggedInCheck _access_check: Mibew\AccessControl\Check\OperatorViewCheck
requirements: requirements:
operator_id: \d{1,10} operator_id: \d{1,10}
methods: [GET] methods: [GET]