From 3374153b73dae81d8d69857f7cc065d3810b4f7b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20B=C3=B6hmer?= <jan.h.boehmer@gmx.de>
Date: Fri, 13 Sep 2019 17:46:26 +0200
Subject: [PATCH] Added permission checking for part price edit page.

---
 src/Form/Part/OrderdetailType.php             |  9 ++-
 src/Form/Part/PartBaseType.php                |  2 +-
 src/Security/Voter/PermissionVoter.php        | 81 +++++++++++++++++++
 src/Security/Voter/StructureVoter.php         |  8 +-
 .../Parts/edit/edit_form_styles.html.twig     | 11 ++-
 5 files changed, 101 insertions(+), 10 deletions(-)
 create mode 100644 src/Security/Voter/PermissionVoter.php

diff --git a/src/Form/Part/OrderdetailType.php b/src/Form/Part/OrderdetailType.php
index 024add89..fe118c86 100644
--- a/src/Form/Part/OrderdetailType.php
+++ b/src/Form/Part/OrderdetailType.php
@@ -45,16 +45,19 @@ use Symfony\Component\Form\FormBuilderInterface;
 use Symfony\Component\Form\FormEvent;
 use Symfony\Component\Form\FormEvents;
 use Symfony\Component\OptionsResolver\OptionsResolver;
+use Symfony\Component\Security\Core\Security;
 use Symfony\Contracts\Translation\TranslatorInterface;
 use function foo\func;
 
 class OrderdetailType extends AbstractType
 {
     protected $trans;
+    protected $security;
 
-    public function __construct(TranslatorInterface $trans)
+    public function __construct(TranslatorInterface $trans, Security $security)
     {
         $this->trans = $trans;
+        $this->security = $security;
     }
 
     public function buildForm(FormBuilderInterface $builder, array $options)
@@ -100,11 +103,13 @@ class OrderdetailType extends AbstractType
             //Attachment section
             $event->getForm()->add('pricedetails', CollectionType::class, [
                 'entry_type' => PricedetailType::class,
-                'allow_add' => true, 'allow_delete' => true,
+                'allow_add' => $this->security->isGranted('@parts_prices.create'),
+                'allow_delete' => $this->security->isGranted('@parts_prices.delete'),
                 'label' => false,
                 'prototype_data' => $dummy_pricedetail,
                 'by_reference' => false,
                 'entry_options' => [
+                    'disabled' => !$this->security->isGranted('@parts_prices.edit'),
                     'measurement_unit' => $options['measurement_unit']
                 ]
             ]);
diff --git a/src/Form/Part/PartBaseType.php b/src/Form/Part/PartBaseType.php
index 8aeacd53..d9866f65 100644
--- a/src/Form/Part/PartBaseType.php
+++ b/src/Form/Part/PartBaseType.php
@@ -254,7 +254,7 @@ class PartBaseType extends AbstractType
             'prototype_data' => new Orderdetail(),
             'entry_options' => [
                 'measurement_unit' => $part->getPartUnit(),
-                'disabled' => !$this->security->isGranted('attachments.edit', $part),
+                'disabled' => !$this->security->isGranted('orderdetails.edit', $part),
             ]
         ]);
 
diff --git a/src/Security/Voter/PermissionVoter.php b/src/Security/Voter/PermissionVoter.php
new file mode 100644
index 00000000..ab36d03f
--- /dev/null
+++ b/src/Security/Voter/PermissionVoter.php
@@ -0,0 +1,81 @@
+<?php
+/**
+ *
+ * part-db version 0.1
+ * Copyright (C) 2005 Christoph Lechner
+ * http://www.cl-projects.de/
+ *
+ * part-db version 0.2+
+ * Copyright (C) 2009 K. Jacobs and others (see authors.php)
+ * http://code.google.com/p/part-db/
+ *
+ * Part-DB Version 0.4+
+ * Copyright (C) 2016 - 2019 Jan Böhmer
+ * https://github.com/jbtronics
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License
+ * as published by the Free Software Foundation; either version 2
+ * of the License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA
+ *
+ */
+
+namespace App\Security\Voter;
+
+
+use App\Entity\UserSystem\User;
+
+/**
+ * This voter allows you to directly check permissions from the permission structure, without passing an object.
+ * However you should use the "normal" object based voters if possible, because they are needed for a future ACL system.
+ * @package App\Security\Voter
+ */
+class PermissionVoter extends ExtendedVoter
+{
+
+    /**
+     * Similar to voteOnAttribute, but checking for the anonymous user is already done.
+     * The current user (or the anonymous user) is passed by $user.
+     *
+     * @param $attribute
+     * @param $subject
+     * @param User $user
+     *
+     * @return bool
+     */
+    protected function voteOnUser($attribute, $subject, User $user): bool
+    {
+        $attribute = ltrim($attribute, '@');
+        [$perm, $op] = explode('.', $attribute);
+        return $this->resolver->inherit($user, $perm, $op);
+    }
+
+    /**
+     * Determines if the attribute and subject are supported by this voter.
+     *
+     * @param string $attribute An attribute
+     * @param mixed $subject The subject to secure, e.g. an object the user wants to access or any other PHP type
+     *
+     * @return bool True if the attribute and subject are supported, false otherwise
+     */
+    protected function supports($attribute, $subject)
+    {
+        //Check if the attribute has the form @permission.operation
+        if (preg_match('/^@\\w+\\.\\w+$/', $attribute)) {
+            $attribute = ltrim($attribute, '@');
+            [$perm, $op] = explode('.', $attribute);
+            return $this->resolver->isValidOperation($perm, $op);
+        }
+
+        return false;
+    }
+}
\ No newline at end of file
diff --git a/src/Security/Voter/StructureVoter.php b/src/Security/Voter/StructureVoter.php
index d0302c95..b9a1a59f 100644
--- a/src/Security/Voter/StructureVoter.php
+++ b/src/Security/Voter/StructureVoter.php
@@ -56,9 +56,11 @@ class StructureVoter extends ExtendedVoter
      */
     protected function supports($attribute, $subject)
     {
-        $permission_name = $this->instanceToPermissionName($subject);
-        //If permission name is null, then the subject is not supported
-        return ($permission_name !== null) && $this->resolver->isValidOperation($permission_name, $attribute);
+        if(is_object($subject)) {
+            $permission_name = $this->instanceToPermissionName($subject);
+            //If permission name is null, then the subject is not supported
+            return ($permission_name !== null) && $this->resolver->isValidOperation($permission_name, $attribute);
+        }
 
     }
 
diff --git a/templates/Parts/edit/edit_form_styles.html.twig b/templates/Parts/edit/edit_form_styles.html.twig
index 5f2e96a6..0d357a18 100644
--- a/templates/Parts/edit/edit_form_styles.html.twig
+++ b/templates/Parts/edit/edit_form_styles.html.twig
@@ -14,7 +14,9 @@
             {{ form_errors(form.currency) }}
         </td>
         <td>{{ form_widget(form.price_related_quantity, {'attr': {'class': 'form-control-sm'}}) }} {{ form_errors(form.price_related_quantity) }}</td>
-        <td><button type="button" class="btn btn-danger order_btn_delete btn-sm" title="{% trans %}orderdetail.delete{% endtrans %}" onclick="delete_pricedetail_entry(this);">
+        <td>
+            <button type="button" class="btn btn-danger order_btn_delete btn-sm" title="{% trans %}orderdetail.delete{% endtrans %}"
+                    onclick="delete_pricedetail_entry(this);" {% if not is_granted('@parts_prices.delete') %}disabled{% endif %}>
                 <i class="fas fa-trash-alt fa-fw"></i>
             </button>
             {{ form_errors(form) }}
@@ -31,7 +33,7 @@
             {{ form_widget(form.obsolete) }}
         </td>
         <td>
-            <table class="table table-sm table-bordered" data-prototype="{{ form_widget(form.pricedetails.vars.prototype)|e('html_attr') }}">
+            <table class="table table-sm table-bordered" data-prototype="{% if form.pricedetails.vars.prototype is defined %}{{ form_widget(form.pricedetails.vars.prototype)|e('html_attr') }}{% endif %}">
                 <thead>
                 <tr>
                     <th>{% trans %}pricedetails.edit.min_qty{% endtrans %}</th>
@@ -47,13 +49,14 @@
                 </tbody>
             </table>
 
-            <button type="button" class="btn btn-success" onclick="create_pricedetail_entry(this)">
+            <button type="button" class="btn btn-success" onclick="create_pricedetail_entry(this)" {% if not is_granted('@parts_prices.create') %}disabled{% endif %}>
                 <i class="fas fa-plus-square fa-fw"></i>
                 {% trans %}pricedetail.create{% endtrans %}
             </button>
         </td>
         <td>
-            <button type="button" class="btn btn-danger order_btn_delete" onclick="delete_orderdetail_entry(this);" title="{% trans %}orderdetail.delete{% endtrans %}" {% if disable_delete %}disabled{% endif %}>
+            <button type="button" class="btn btn-danger order_btn_delete" onclick="delete_orderdetail_entry(this);" title="{% trans %}orderdetail.delete{% endtrans %}"
+                    {% if not is_granted('@parts_orderdetails.delete') %}disabled{% endif %}>
                 <i class="fas fa-trash-alt fa-fw"></i>
             </button>
             {{ form_errors(form) }}