holm/Part-DB-server
1
0
Fork 0
forked from mirror/Part-DB.Part-DB-server
Code Pull requests Activity

Improved permission checking for certain controllers.

Browse source
This commit is contained in:
Jan Böhmer 2022-11-05 23:49:53 +01:00
parent a30b67e328
commit 78d1dff40f
3 changed files with 10 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

7
src/Controller/TypeaheadController.php
View file

@ -156,6 +156,11 @@ class TypeaheadController extends AbstractController
public function parameters(string $type, EntityManagerInterface $entityManager, string $query = ""): JsonResponse
{
$class = $this->typeToParameterClass($type);
$test_obj = new $class();
//Ensure user has the correct permissions
$this->denyAccessUnlessGranted('read', $test_obj);
/** @var ParameterRepository $repository */
$repository = $entityManager->getRepository($class);
@ -169,6 +174,8 @@ class TypeaheadController extends AbstractController
*/
public function tags(string $query, TagFinder $finder): JsonResponse
{
$this->denyAccessUnlessGranted('@parts.read');
$array = $finder->searchTags($query);
$normalizers = [