mirror/Part-DB.Part-DB-server
1
0
Fork 1
mirror of https://github.com/Part-DB/Part-DB-server.git synced 2025-06-28 12:40:08 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions

Added permission checking for part price edit page.

Browse source
This commit is contained in:
Jan Böhmer 2019-09-13 17:46:26 +02:00
parent da14ee942d
commit 3374153b73
5 changed files with 101 additions and 10 deletions
Download patch file Download diff file Expand all files Collapse all files

9
src/Form/Part/OrderdetailType.php
View file

@ -45,16 +45,19 @@ use Symfony\Component\Form\FormBuilderInterface;
use Symfony\Component\Form\FormEvent; use Symfony\Component\Form\FormEvent;
use Symfony\Component\Form\FormEvents; use Symfony\Component\Form\FormEvents;
use Symfony\Component\OptionsResolver\OptionsResolver; use Symfony\Component\OptionsResolver\OptionsResolver;
use Symfony\Component\Security\Core\Security;
use Symfony\Contracts\Translation\TranslatorInterface; use Symfony\Contracts\Translation\TranslatorInterface;
use function foo\func; use function foo\func;
class OrderdetailType extends AbstractType class OrderdetailType extends AbstractType
{ {
protected $trans; protected $trans;
protected $security;
public function __construct(TranslatorInterface $trans) public function __construct(TranslatorInterface $trans, Security $security)
{ {
$this->trans = $trans; $this->trans = $trans;
$this->security = $security;
} }
public function buildForm(FormBuilderInterface $builder, array $options) public function buildForm(FormBuilderInterface $builder, array $options)
@ -100,11 +103,13 @@ class OrderdetailType extends AbstractType
//Attachment section //Attachment section
$event->getForm()->add('pricedetails', CollectionType::class, [ $event->getForm()->add('pricedetails', CollectionType::class, [
'entry_type' => PricedetailType::class, 'entry_type' => PricedetailType::class,
'allow_add' => true, 'allow_delete' => true, 'allow_add' => $this->security->isGranted('@parts_prices.create'),
'allow_delete' => $this->security->isGranted('@parts_prices.delete'),
'label' => false, 'label' => false,
'prototype_data' => $dummy_pricedetail, 'prototype_data' => $dummy_pricedetail,
'by_reference' => false, 'by_reference' => false,
'entry_options' => [ 'entry_options' => [
'disabled' => !$this->security->isGranted('@parts_prices.edit'),
'measurement_unit' => $options['measurement_unit'] 'measurement_unit' => $options['measurement_unit']
] ]
]); ]);

2
src/Form/Part/PartBaseType.php
View file

@ -254,7 +254,7 @@ class PartBaseType extends AbstractType
'prototype_data' => new Orderdetail(), 'prototype_data' => new Orderdetail(),
'entry_options' => [ 'entry_options' => [
'measurement_unit' => $part->getPartUnit(), 'measurement_unit' => $part->getPartUnit(),
'disabled' => !$this->security->isGranted('attachments.edit', $part), 'disabled' => !$this->security->isGranted('orderdetails.edit', $part),
] ]
]); ]);

81
src/Security/Voter/PermissionVoter.php Normal file
View file

@ -0,0 +1,81 @@
<?php
/**
*
* part-db version 0.1
* Copyright (C) 2005 Christoph Lechner
* http://www.cl-projects.de/
*
* part-db version 0.2+
* Copyright (C) 2009 K. Jacobs and others (see authors.php)
* http://code.google.com/p/part-db/
*
* Part-DB Version 0.4+
* Copyright (C) 2016 - 2019 Jan Böhmer
* https://github.com/jbtronics
*
* This program is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public License
* as published by the Free Software Foundation; either version 2
* of the License, or (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA
*
*/
namespace App\Security\Voter;
use App\Entity\UserSystem\User;
/**
* This voter allows you to directly check permissions from the permission structure, without passing an object.
* However you should use the "normal" object based voters if possible, because they are needed for a future ACL system.
* @package App\Security\Voter
*/
class PermissionVoter extends ExtendedVoter
{
/**
* Similar to voteOnAttribute, but checking for the anonymous user is already done.
* The current user (or the anonymous user) is passed by $user.
*
* @param $attribute
* @param $subject
* @param User $user
*
* @return bool
*/
protected function voteOnUser($attribute, $subject, User $user): bool
{
$attribute = ltrim($attribute, '@');
[$perm, $op] = explode('.', $attribute);
return $this->resolver->inherit($user, $perm, $op);
}
/**
* Determines if the attribute and subject are supported by this voter.
*
* @param string $attribute An attribute
* @param mixed $subject The subject to secure, e.g. an object the user wants to access or any other PHP type
*
* @return bool True if the attribute and subject are supported, false otherwise
*/
protected function supports($attribute, $subject)
{
//Check if the attribute has the form @permission.operation
if (preg_match('/^@\\w+\\.\\w+$/', $attribute)) {
$attribute = ltrim($attribute, '@');
[$perm, $op] = explode('.', $attribute);
return $this->resolver->isValidOperation($perm, $op);
}
return false;
}
}

8
src/Security/Voter/StructureVoter.php
View file

@ -56,9 +56,11 @@ class StructureVoter extends ExtendedVoter
*/ */
protected function supports($attribute, $subject) protected function supports($attribute, $subject)
{ {
$permission_name = $this->instanceToPermissionName($subject); if(is_object($subject)) {
//If permission name is null, then the subject is not supported $permission_name = $this->instanceToPermissionName($subject);
return ($permission_name !== null) && $this->resolver->isValidOperation($permission_name, $attribute); //If permission name is null, then the subject is not supported
return ($permission_name !== null) && $this->resolver->isValidOperation($permission_name, $attribute);
}
} }

11
templates/Parts/edit/edit_form_styles.html.twig
View file

@ -14,7 +14,9 @@
{{ form_errors(form.currency) }} {{ form_errors(form.currency) }}
</td> </td>
<td>{{ form_widget(form.price_related_quantity, {'attr': {'class': 'form-control-sm'}}) }} {{ form_errors(form.price_related_quantity) }}</td> <td>{{ form_widget(form.price_related_quantity, {'attr': {'class': 'form-control-sm'}}) }} {{ form_errors(form.price_related_quantity) }}</td>
<td><button type="button" class="btn btn-danger order_btn_delete btn-sm" title="{% trans %}orderdetail.delete{% endtrans %}" onclick="delete_pricedetail_entry(this);"> <td>
<button type="button" class="btn btn-danger order_btn_delete btn-sm" title="{% trans %}orderdetail.delete{% endtrans %}"
onclick="delete_pricedetail_entry(this);" {% if not is_granted('@parts_prices.delete') %}disabled{% endif %}>
<i class="fas fa-trash-alt fa-fw"></i> <i class="fas fa-trash-alt fa-fw"></i>
</button> </button>
{{ form_errors(form) }} {{ form_errors(form) }}
@ -31,7 +33,7 @@
{{ form_widget(form.obsolete) }} {{ form_widget(form.obsolete) }}
</td> </td>
<td> <td>
<table class="table table-sm table-bordered" data-prototype="{{ form_widget(form.pricedetails.vars.prototype)|e('html_attr') }}"> <table class="table table-sm table-bordered" data-prototype="{% if form.pricedetails.vars.prototype is defined %}{{ form_widget(form.pricedetails.vars.prototype)|e('html_attr') }}{% endif %}">
<thead> <thead>
<tr> <tr>
<th>{% trans %}pricedetails.edit.min_qty{% endtrans %}</th> <th>{% trans %}pricedetails.edit.min_qty{% endtrans %}</th>
@ -47,13 +49,14 @@
</tbody> </tbody>
</table> </table>
<button type="button" class="btn btn-success" onclick="create_pricedetail_entry(this)"> <button type="button" class="btn btn-success" onclick="create_pricedetail_entry(this)" {% if not is_granted('@parts_prices.create') %}disabled{% endif %}>
<i class="fas fa-plus-square fa-fw"></i> <i class="fas fa-plus-square fa-fw"></i>
{% trans %}pricedetail.create{% endtrans %} {% trans %}pricedetail.create{% endtrans %}
</button> </button>
</td> </td>
<td> <td>
<button type="button" class="btn btn-danger order_btn_delete" onclick="delete_orderdetail_entry(this);" title="{% trans %}orderdetail.delete{% endtrans %}" {% if disable_delete %}disabled{% endif %}> <button type="button" class="btn btn-danger order_btn_delete" onclick="delete_orderdetail_entry(this);" title="{% trans %}orderdetail.delete{% endtrans %}"
{% if not is_granted('@parts_orderdetails.delete') %}disabled{% endif %}>
<i class="fas fa-trash-alt fa-fw"></i> <i class="fas fa-trash-alt fa-fw"></i>
</button> </button>
{{ form_errors(form) }} {{ form_errors(form) }}