mirror/Part-DB.Part-DB-server
1
0
Fork 1
mirror of https://github.com/Part-DB/Part-DB-server.git synced 2025-06-21 01:25:55 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions

Added a possibility to restrict the access to certain entity columns.

Browse source
This commit is contained in:
Jan Böhmer 2019-03-20 19:11:34 +01:00
parent f31336bb87
commit 47fe76b22e
8 changed files with 271 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

1
composer.json
View file

@ -5,6 +5,7 @@
"php": "^7.1.3",
"ext-ctype": "*",
"ext-iconv": "*",
"doctrine/annotations": "^1.6",
"friendsofsymfony/ckeditor-bundle": "^2.0",
"omines/datatables-bundle": "^0.2.2",
"php-translation/symfony-bundle": "^0.8.1",

2
composer.lock generated
View file

@ -4,7 +4,7 @@
"Read more about it at https://getcomposer.org/doc/01-basic-usage.md#composer-lock-the-lock-file",
"This file is @generated automatically"
],
"content-hash": "66c8dc61f5af2f03d10c9c1d247549e6",
"content-hash": "c16d05fa5ba54398968ed9f503221d90",
"packages": [
{
"name": "doctrine/annotations",

7
config/services.yaml
View file

@ -28,5 +28,12 @@ services:
resource: '../src/Controller'
tags: ['controller.service_arguments']
app.doctrine.elementListener:
class: App\Security\EntityListeners\ElementPermissionListener
public: false
autowire: true
tags:
- { name: "doctrine.orm.entity_listener" }
# add more service definitions when explicit configuration is needed
# please note that last definitions always *replace* previous ones

2
src/Entity/DBElement.php
View file

@ -34,6 +34,8 @@ use Doctrine\ORM\Mapping as ORM;
* must have the table row "id"!! The ID is the unique key to identify the elements.
*
* @ORM\MappedSuperclass()
*
* @ORM\EntityListeners({"App\Security\EntityListeners\ElementPermissionListener"})
*/
abstract class DBElement
{

16
src/Entity/Part.php
View file

@ -34,6 +34,7 @@
namespace App\Entity;
use App\Security\Annotations\ColumnSecurity;
use Doctrine\ORM\Mapping as ORM;
//use Webmozart\Assert\Assert;
@ -109,6 +110,16 @@ class Part extends AttachmentContainingDBElement
/**
* @var string
* @ORM\Column(type="string")
*
* @ColumnSecurity(prefix="name")
*/
protected $name;
/**
* @var string
* @ORM\Column(type="string")
*
* @ColumnSecurity(prefix="description")
*/
protected $description = "";
@ -116,6 +127,8 @@ class Part extends AttachmentContainingDBElement
* @var int
* @ORM\Column(type="integer")
* @Assert\GreaterThanOrEqual(0)
*
* @ColumnSecurity(prefix="instock", type="integer")
*/
protected $instock = 0;
@ -123,12 +136,15 @@ class Part extends AttachmentContainingDBElement
* @var int
* @ORM\Column(type="integer")
* @Assert\GreaterThanOrEqual(0)
*
* @ColumnSecurity(prefix="mininstock", type="integer")
*/
protected $mininstock = 0;
/**
* @var string
* @ORM\Column(type="string")
* @ColumnSecurity(prefix="comment")
*/
protected $comment = "";

1
src/Repository/PartRepository.php
View file

@ -38,5 +38,6 @@ use Doctrine\ORM\EntityRepository;
class PartRepository extends EntityRepository
{
//TODO
}

110
src/Security/Annotations/ColumnSecurity.php Normal file
View file

@ -0,0 +1,110 @@
<?php
/**
*
* part-db version 0.1
* Copyright (C) 2005 Christoph Lechner
* http://www.cl-projects.de/
*
* part-db version 0.2+
* Copyright (C) 2009 K. Jacobs and others (see authors.php)
* http://code.google.com/p/part-db/
*
* Part-DB Version 0.4+
* Copyright (C) 2016 - 2019 Jan Böhmer
* https://github.com/jbtronics
*
* This program is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public License
* as published by the Free Software Foundation; either version 2
* of the License, or (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA
*
*/
namespace App\Security\Annotations;
use Doctrine\Common\Annotations\Annotation;
/**
* @Annotation
*
* @Annotation\Target("PROPERTY")
*
* With these annotation you can restrict the access to certain coloumns in entities.
* The entity which should use this class has to use ElementListener as EntityListener.
*
* @package App\Annotations
*/
class ColumnSecurity
{
/**
* @var string The name of the edit permission
*/
public $edit = "edit";
/**
* @var string The name of the read permission
*/
public $read = "read";
/**
* @var string A prefix for all permission names (e.g. $prefix.edit, useful for Parts)
*/
public $prefix = '';
/**
* @var string The placeholder that should be used, when the access to the property is denied.
*/
public $placeholder = null;
public $subject = null;
/**
* @var string The name of the property. This is used to determine the default placeholder.
* @Annotation\Enum({"integer", "string", "object"})
*/
public $type = 'string';
public function getReadOperationName() : string
{
if($this->prefix !== '') {
return $this->prefix . '.' . $this->read;
}
return $this->read;
}
public function getEditOperationName() : string
{
if($this->prefix !== '') {
return $this->prefix . '.' . $this->edit;
}
return $this->edit;
}
public function getPlaceholder()
{
if($this->placeholder === null)
{
switch($this->type)
{
case 'integer':
return 0;
case 'string':
return '???';
case 'object':
return null;
}
}
return $this->placeholder;
}
}

133
src/Security/EntityListeners/ElementPermissionListener.php Normal file
View file

@ -0,0 +1,133 @@
<?php
/**
*
* part-db version 0.1
* Copyright (C) 2005 Christoph Lechner
* http://www.cl-projects.de/
*
* part-db version 0.2+
* Copyright (C) 2009 K. Jacobs and others (see authors.php)
* http://code.google.com/p/part-db/
*
* Part-DB Version 0.4+
* Copyright (C) 2016 - 2019 Jan Böhmer
* https://github.com/jbtronics
*
* This program is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public License
* as published by the Free Software Foundation; either version 2
* of the License, or (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA
*
*/
namespace App\Security\EntityListeners;
use App\Security\Annotations\ColumnSecurity;
use App\Entity\DBElement;
use Doctrine\Common\Annotations\AnnotationReader;
use Doctrine\Common\Persistence\Event\LifecycleEventArgs;
use Doctrine\ORM\Event\PreUpdateEventArgs;
use Doctrine\ORM\Mapping\PostLoad;
use Doctrine\ORM\Mapping\PreUpdate;
use ReflectionClass;
use Symfony\Component\Security\Core\Security;
/**
* The purpose of this class is to hook into the doctrine entity lifecycle and restrict access to entity informations
* configured by ColoumnSecurity Annotation.
*
* If a user does not have access to an coloumn, it will be filled, with a placeholder, after doctrine loading is finished.
* The edit process is also catched, so that these placeholders, does not get saved to database.
* @package App\EntityListeners
*/
class ElementPermissionListener
{
protected $security;
public function __construct(Security $security)
{
$this->security = $security;
}
/**
* @PostLoad
*
* This function is called after doctrine filled, the entity properties with db values.
* We use this, to check if the user is allowed to access these properties, and if not, we write a placeholder
* into the element properties, so that a user only gets non sensitve data.
*
*/
public function postLoadHandler(DBElement $element, LifecycleEventArgs $event)
{
//Read Annotations and properties.
$reflectionClass = new ReflectionClass($element);
$properties = $reflectionClass->getProperties();
$reader = new AnnotationReader();
foreach($properties as $property)
{
/**
* @var ColumnSecurity $annotation
*/
$annotation = $reader->getPropertyAnnotation($property,
ColumnSecurity::class);
if($annotation !== null)
{
//Check if user is allowed to read info, otherwise apply placeholder
if(!$this->security->isGranted($annotation->getReadOperationName(), $element))
{
$property->setAccessible(true);
$property->setValue($element, $annotation->getPlaceholder());
}
}
}
}
/**
* @PreUpdate
* This function is called before Doctrine saves the property values to the database.
* We use this function to revert the changes made in postLoadHandler(), so nothing gets changed persistently.
*/
public function preUpdateHandler(DBElement $element, PreUpdateEventArgs $event)
{
$reflectionClass = new ReflectionClass($element);
$properties = $reflectionClass->getProperties();
$reader = new AnnotationReader();
foreach($properties as $property)
{
/**
* @var ColumnSecurity $annotation
*/
$annotation = $reader->getPropertyAnnotation($property,
ColumnSecurity::class);
if($annotation !== null)
{
$field_name = $property->getName();
//Check if user is allowed to edit info, otherwise overwrite the new value
// so that nothing is changed in the DB.
if($event->hasChangedField($field_name) &&
!$this->security->isGranted($annotation->getEditOperationName(), $element))
{
$event->setNewValue($field_name, $event->getOldValue($field_name));
}
}
}
}
}