Implemented permissions on Admin pages.

2025-06-21 01:25:55 +02:00 · 2019-04-13 19:03:45 +02:00 · 2019-04-13 19:03:45 +02:00 · 004c7970a7
commit 004c7970a7
parent 6649460ed6
4 changed files with 42 additions and 14 deletions
--- a/src/Controller/AttachmentTypeController.php
+++ b/src/Controller/AttachmentTypeController.php
@ -64,6 +64,8 @@ class AttachmentTypeController extends AbstractController
    public function edit(AttachmentType $entity, Request $request, EntityManagerInterface $em)
    {

+        $this->denyAccessUnlessGranted('read', $entity);
+
        $form = $this->createForm(BaseEntityAdminForm::class, $entity);

        $form->handleRequest($request);
@ -88,7 +90,7 @@ class AttachmentTypeController extends AbstractController
    {
        $new_entity = new AttachmentType();

-        $this->denyAccessUnlessGranted('create', $new_entity);
+        $this->denyAccessUnlessGranted('read', $new_entity);

        //Basic edit form
        $form = $this->createForm(BaseEntityAdminForm::class, $new_entity);
@ -135,6 +137,8 @@ class AttachmentTypeController extends AbstractController
     */
    public function delete(Request $request, AttachmentType $entity)
    {
+        $this->denyAccessUnlessGranted('delete', $entity);
+
        if ($this->isCsrfTokenValid('delete'.$entity->getId(), $request->request->get('_token'))) {
            $entityManager = $this->getDoctrine()->getManager();

@ -164,6 +168,8 @@ class AttachmentTypeController extends AbstractController
     */
    public function exportAll(EntityManagerInterface $em, EntityExporter $exporter, Request $request)
    {
+        $this->denyAccessUnlessGranted('read', $entity);
+
        $entities = $em->getRepository(AttachmentType::class)->findAll();

        return $exporter->exportEntityFromRequest($entities,$request);
@ -176,6 +182,8 @@ class AttachmentTypeController extends AbstractController
     */
    public function exportEntity(AttachmentType $entity, EntityExporter $exporter, Request $request)
    {
+        $this->denyAccessUnlessGranted('read', $entity);
+
        return $exporter->exportEntityFromRequest($entity, $request);
    }

--- a/src/Form/BaseEntityAdminForm.php
+++ b/src/Form/BaseEntityAdminForm.php
@ -62,19 +62,21 @@ class BaseEntityAdminForm extends AbstractType
        $builder
            ->add('name', TextType::class, ['empty_data' => '', 'label' => 'name.label',
                'attr' => ['placeholder' => 'part.name.placeholder'],
-                'disabled' => !$this->security->isGranted('edit', $entity), ])
+                'disabled' => !$this->security->isGranted($is_new ? 'create' : 'edit', $entity), ])

            ->add('parent', EntityType::class, ['class' => get_class($entity), 'choice_label' => 'full_path',
                'attr' => ['class' => 'selectpicker', 'data-live-search' => true], 'required' => false, 'label' => 'parent.label',
-                'disabled' => !$this->security->isGranted('move', $entity), ])
+                'disabled' => !$this->security->isGranted($is_new ? 'create' : 'move', $entity), ])

            ->add('comment', CKEditorType::class, ['required' => false,
                'label' => 'comment.label', 'attr' => ['rows' => 4], 'help' => 'bbcode.hint',
-                'disabled' => !$this->security->isGranted('edit', $entity)])
+                'disabled' => !$this->security->isGranted($is_new ? 'create' : 'edit', $entity)])

            //Buttons
            ->add('save', SubmitType::class, ['label' =>  $is_new ? 'entity.create' : 'entity.edit.save',
-                'attr' => ['class' => $is_new ? 'btn-success' : '']])
-            ->add('reset', ResetType::class, ['label' => 'entity.edit.reset']);
+                'attr' => ['class' => $is_new ? 'btn-success' : ''],
+                'disabled' => !$this->security->isGranted($is_new ? 'create' : 'edit', $entity)])
+            ->add('reset', ResetType::class, ['label' => 'entity.edit.reset',
+                'disabled' => !$this->security->isGranted($is_new ? 'create' : 'edit', $entity)]);
    }
 }
--- a/src/Form/ImportType.php
+++ b/src/Form/ImportType.php
@ -40,30 +40,48 @@ use Symfony\Component\Form\Extension\Core\Type\FileType;
 use Symfony\Component\Form\Extension\Core\Type\SubmitType;
 use Symfony\Component\Form\Extension\Core\Type\TextType;
 use Symfony\Component\Form\FormBuilderInterface;
+use Symfony\Component\Security\Core\Security;

 class ImportType extends AbstractType
 {
+
+    protected $security;
+
+    public function __construct(Security $security)
+    {
+        $this->security = $security;
+    }
+
    public function buildForm(FormBuilderInterface $builder, array $options)
    {

        $data = $options['data'];

+        //Disable import if user is not allowed to create elements.
+        $entity = new $data['entity_class'];
+        $perm_name = "create";
+        $disabled = ! $this->security->isGranted($perm_name, $entity);
+
        $builder

            ->add('format', ChoiceType::class, ['choices' =>
-                ['JSON' => 'json', 'XML' => 'xml','CSV'=>'csv' ,'YAML' => 'yaml'], 'label' => 'export.format'])
-            ->add('csv_separator', TextType::class, ['data' => ';', 'label' => 'import.csv_separator'])
+                ['JSON' => 'json', 'XML' => 'xml','CSV'=>'csv' ,'YAML' => 'yaml'], 'label' => 'export.format',
+                'disabled' => $disabled])
+            ->add('csv_separator', TextType::class, ['data' => ';', 'label' => 'import.csv_separator',
+                'disabled' => $disabled])
            ->add('parent', EntityType::class, ['class' => $data['entity_class'], 'choice_label' => 'full_path',
-                'attr' => ['class' => 'selectpicker', 'data-live-search' => true], 'required' => false, 'label' => 'parent.label'])
+                'attr' => ['class' => 'selectpicker', 'data-live-search' => true], 'required' => false,
+                'label' => 'parent.label', 'disabled' => $disabled])
            ->add('file', FileType::class, ['label' => 'import.file',
-                'attr' => ['class' => 'file', 'data-show-preview' => 'false', 'data-show-upload' => 'false']])
+                'attr' => ['class' => 'file', 'data-show-preview' => 'false', 'data-show-upload' => 'false'], 'disabled' => $disabled])

            ->add('preserve_children', CheckboxType::class, ['data' => true, 'required' => false,
-                'label' => 'import.preserve_children', 'label_attr'=> ['class' => 'checkbox-custom']])
+                'label' => 'import.preserve_children', 'label_attr'=> ['class' => 'checkbox-custom'], 'disabled' => $disabled])
            ->add('abort_on_validation_error', CheckboxType::class, ['data' => true, 'required' => false,
-                'label' => 'import.abort_on_validation', 'help'=> 'import.abort_on_validation.help', 'label_attr'=> ['class' => 'checkbox-custom']])
+                'label' => 'import.abort_on_validation', 'help'=> 'import.abort_on_validation.help',
+                'label_attr'=> ['class' => 'checkbox-custom'], 'disabled' => $disabled])

            //Buttons
-            ->add('import', SubmitType::class, ['label' => 'import.btn']);
+            ->add('import', SubmitType::class, ['label' => 'import.btn', 'disabled' => $disabled]);
    }
 }
--- a/templates/AdminPages/_delete_form.html.twig
+++ b/templates/AdminPages/_delete_form.html.twig
@ -6,7 +6,7 @@
    <div class="form-group">
        <div class=""></div>
        <div class="col offset-3 pl-2">
-            <button class="btn btn-danger">{% trans %}entity.delete{% endtrans %}</button>
+            <button class="btn btn-danger" {% if not is_granted("delete", entity) %}disabled{% endif %}">{% trans %}entity.delete{% endtrans %}</button>
        </div>
    </div>
 </form>