Added a possibility to restrict the access to certain entity columns.

composer.json

@@ -5,6 +5,7 @@
         "php": "^7.1.3",
         "ext-ctype": "*",
         "ext-iconv": "*",
+        "doctrine/annotations": "^1.6",
         "friendsofsymfony/ckeditor-bundle": "^2.0",
         "omines/datatables-bundle": "^0.2.2",
         "php-translation/symfony-bundle": "^0.8.1",

composer.lock

@@ -4,7 +4,7 @@
         "Read more about it at https://getcomposer.org/doc/01-basic-usage.md#composer-lock-the-lock-file",
         "This file is @generated automatically"
     ],
-    "content-hash": "66c8dc61f5af2f03d10c9c1d247549e6",
+    "content-hash": "c16d05fa5ba54398968ed9f503221d90",
     "packages": [
         {
             "name": "doctrine/annotations",

config/services.yaml

@@ -28,5 +28,12 @@ services:
         resource: '../src/Controller'
         tags: ['controller.service_arguments']
 
+    app.doctrine.elementListener:
+        class: App\Security\EntityListeners\ElementPermissionListener
+        public: false
+        autowire: true
+        tags:
+            - { name: "doctrine.orm.entity_listener" }
+
     # add more service definitions when explicit configuration is needed
     # please note that last definitions always *replace* previous ones

src/Entity/DBElement.php

@@ -34,6 +34,8 @@ use Doctrine\ORM\Mapping as ORM;
  *          must have the table row "id"!! The ID is the unique key to identify the elements.
  *
  * @ORM\MappedSuperclass()
+ *
+ * @ORM\EntityListeners({"App\Security\EntityListeners\ElementPermissionListener"})
  */
 abstract class DBElement
 {

src/Entity/Part.php

@@ -34,6 +34,7 @@
 namespace App\Entity;
 
 
+use App\Security\Annotations\ColumnSecurity;
 use Doctrine\ORM\Mapping as ORM;
 //use Webmozart\Assert\Assert;
 
@@ -109,6 +110,16 @@ class Part extends AttachmentContainingDBElement
     /**
      * @var string
      * @ORM\Column(type="string")
+     *
+     * @ColumnSecurity(prefix="name")
+     */
+    protected $name;
+
+    /**
+     * @var string
+     * @ORM\Column(type="string")
+     *
+     * @ColumnSecurity(prefix="description")
      */
     protected $description = "";
 
@@ -116,6 +127,8 @@ class Part extends AttachmentContainingDBElement
      * @var int
      * @ORM\Column(type="integer")
      * @Assert\GreaterThanOrEqual(0)
+     *
+     * @ColumnSecurity(prefix="instock", type="integer")
      */
     protected $instock = 0;
 
@@ -123,12 +136,15 @@ class Part extends AttachmentContainingDBElement
      * @var int
      * @ORM\Column(type="integer")
      * @Assert\GreaterThanOrEqual(0)
+     *
+     * @ColumnSecurity(prefix="mininstock", type="integer")
      */
     protected $mininstock = 0;
 
     /**
      * @var string
      * @ORM\Column(type="string")
+     * @ColumnSecurity(prefix="comment")
      */
     protected $comment = "";
 

src/Repository/PartRepository.php

@@ -38,5 +38,6 @@ use Doctrine\ORM\EntityRepository;
 
 class PartRepository extends EntityRepository
 {
+
     //TODO
 }

src/Security/Annotations/ColumnSecurity.php

@@ -0,0 +1,110 @@
+<?php
+/**
+ *
+ * part-db version 0.1
+ * Copyright (C) 2005 Christoph Lechner
+ * http://www.cl-projects.de/
+ *
+ * part-db version 0.2+
+ * Copyright (C) 2009 K. Jacobs and others (see authors.php)
+ * http://code.google.com/p/part-db/
+ *
+ * Part-DB Version 0.4+
+ * Copyright (C) 2016 - 2019 Jan Böhmer
+ * https://github.com/jbtronics
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License
+ * as published by the Free Software Foundation; either version 2
+ * of the License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA
+ *
+ */
+
+namespace App\Security\Annotations;
+
+use Doctrine\Common\Annotations\Annotation;
+
+/**
+ * @Annotation
+ *
+ * @Annotation\Target("PROPERTY")
+ *
+ * With these annotation you can restrict the access to certain coloumns in entities.
+ * The entity which should use this class has to use ElementListener as EntityListener.
+ *
+ * @package App\Annotations
+ */
+class ColumnSecurity
+{
+    /**
+     * @var string The name of the edit permission
+     */
+    public $edit = "edit";
+    /**
+     * @var string The name of the read permission
+     */
+    public $read = "read";
+
+    /**
+     * @var string A prefix for all permission names (e.g. $prefix.edit, useful for Parts)
+     */
+    public $prefix = '';
+
+    /**
+     * @var string The placeholder that should be used, when the access to the property is denied.
+     */
+    public $placeholder = null;
+
+    public $subject = null;
+
+    /**
+     * @var string The name of the property. This is used to determine the default placeholder.
+     * @Annotation\Enum({"integer", "string", "object"})
+     */
+    public $type = 'string';
+
+    public function getReadOperationName() : string
+    {
+        if($this->prefix !== '') {
+            return $this->prefix . '.' . $this->read;
+        }
+        return $this->read;
+    }
+
+    public function getEditOperationName() : string
+    {
+        if($this->prefix !== '') {
+            return $this->prefix . '.' . $this->edit;
+        }
+
+        return $this->edit;
+    }
+
+    public function getPlaceholder()
+    {
+        if($this->placeholder === null)
+        {
+            switch($this->type)
+            {
+                case 'integer':
+                    return 0;
+                case 'string':
+                    return '???';
+                case 'object':
+                    return null;
+            }
+        }
+
+        return $this->placeholder;
+    }
+
+}

src/Security/EntityListeners/ElementPermissionListener.php

@@ -0,0 +1,133 @@
+<?php
+/**
+ *
+ * part-db version 0.1
+ * Copyright (C) 2005 Christoph Lechner
+ * http://www.cl-projects.de/
+ *
+ * part-db version 0.2+
+ * Copyright (C) 2009 K. Jacobs and others (see authors.php)
+ * http://code.google.com/p/part-db/
+ *
+ * Part-DB Version 0.4+
+ * Copyright (C) 2016 - 2019 Jan Böhmer
+ * https://github.com/jbtronics
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License
+ * as published by the Free Software Foundation; either version 2
+ * of the License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA
+ *
+ */
+
+namespace App\Security\EntityListeners;
+
+
+use App\Security\Annotations\ColumnSecurity;
+use App\Entity\DBElement;
+use Doctrine\Common\Annotations\AnnotationReader;
+use Doctrine\Common\Persistence\Event\LifecycleEventArgs;
+use Doctrine\ORM\Event\PreUpdateEventArgs;
+use Doctrine\ORM\Mapping\PostLoad;
+use Doctrine\ORM\Mapping\PreUpdate;
+use ReflectionClass;
+use Symfony\Component\Security\Core\Security;
+
+/**
+ * The purpose of this class is to hook into the doctrine entity lifecycle and restrict access to entity informations
+ * configured by ColoumnSecurity Annotation.
+ *
+ * If a user does not have access to an coloumn, it will be filled, with a placeholder, after doctrine loading is finished.
+ * The edit process is also catched, so that these placeholders, does not get saved to database.
+ * @package App\EntityListeners
+ */
+class ElementPermissionListener
+{
+    protected $security;
+
+    public function __construct(Security $security)
+    {
+        $this->security = $security;
+    }
+
+
+    /**
+     * @PostLoad
+     *
+     * This function is called after doctrine filled, the entity properties with db values.
+     * We use this, to check if the user is allowed to access these properties, and if not, we write a placeholder
+     * into the element properties, so that a user only gets non sensitve data.
+     *
+     */
+    public function postLoadHandler(DBElement $element, LifecycleEventArgs $event)
+    {
+        //Read Annotations and properties.
+        $reflectionClass = new ReflectionClass($element);
+        $properties = $reflectionClass->getProperties();
+        $reader = new AnnotationReader();
+
+        foreach($properties as $property)
+        {
+            /**
+             * @var ColumnSecurity $annotation
+             */
+            $annotation = $reader->getPropertyAnnotation($property,
+                ColumnSecurity::class);
+
+            if($annotation !== null)
+            {
+                //Check if user is allowed to read info, otherwise apply placeholder
+                if(!$this->security->isGranted($annotation->getReadOperationName(), $element))
+                {
+                    $property->setAccessible(true);
+                    $property->setValue($element, $annotation->getPlaceholder());
+                }
+            }
+        }
+    }
+
+    /**
+     * @PreUpdate
+     * This function is called before Doctrine saves the property values to the database.
+     * We use this function to revert the changes made in postLoadHandler(), so nothing gets changed persistently.
+     */
+    public function preUpdateHandler(DBElement $element, PreUpdateEventArgs $event)
+    {
+        $reflectionClass = new ReflectionClass($element);
+        $properties = $reflectionClass->getProperties();
+        $reader = new AnnotationReader();
+
+        foreach($properties as $property)
+        {
+            /**
+             * @var ColumnSecurity $annotation
+             */
+            $annotation = $reader->getPropertyAnnotation($property,
+                ColumnSecurity::class);
+
+            if($annotation !== null)
+            {
+                $field_name = $property->getName();
+
+                //Check if user is allowed to edit info, otherwise overwrite the new value
+                // so that nothing is changed in the DB.
+                if($event->hasChangedField($field_name) &&
+                    !$this->security->isGranted($annotation->getEditOperationName(), $element))
+                {
+                    $event->setNewValue($field_name, $event->getOldValue($field_name));
+                }
+            }
+        }
+    }
+
+
+}