diff --git a/config/permissions.yaml b/config/permissions.yaml index bd5b8181..c2997934 100644 --- a/config/permissions.yaml +++ b/config/permissions.yaml @@ -466,11 +466,22 @@ perms: # Here comes a list with all Permission names (they have a perm_[name] co edit_options: label: "perm.self.edit_options" bit: 2 - delete_profiles: - label: "perm.self.delete_profiles" - bit: 4 + alsoSet: ['create_labels'] + read_profiles: + label: "perm.self.read_profiles" + bit: 10 edit_profiles: label: "perm.self.edit_profiles" bit: 6 + alsoSet: ['read_profiles'] + create_profiles: + label: "perm.self.create_profiles" + bit: 8 + alsoSet: ['read_profiles', 'edit_profiles'] + delete_profiles: + label: "perm.self.delete_profiles" + bit: 4 + alsoSet: ['read_profiles', 'edit_profiles', 'create_profiles'] + diff --git a/src/Controller/LabelController.php b/src/Controller/LabelController.php index d13ab17b..946ab9ab 100644 --- a/src/Controller/LabelController.php +++ b/src/Controller/LabelController.php @@ -61,25 +61,19 @@ class LabelController extends AbstractController $this->rangeParser = $rangeParser; } - /** - * @Route("/{profile}/{part}/view") - */ - public function view(LabelProfile $profile, Part $part) - { - $label = $this->labelGenerator->generateLabel($profile->getOptions(), $part); - - $response = new LabelResponse($label); - $response->setContentDisposition(ResponseHeaderBag::DISPOSITION_INLINE, 'label.pdf'); - - return $response; - } - /** * @Route("/dialog", name="label_dialog") * @Route("/{profile}/dialog", name="label_dialog_profile") */ public function generator(Request $request, ?LabelProfile $profile = null) { + $this->denyAccessUnlessGranted('@labels.create_labels'); + + //If we inherit a LabelProfile, the user need to have access to it... + if ($profile !== null) { + $this->denyAccessUnlessGranted('read', $profile); + } + if ($profile) { $label_options = $profile->getOptions(); } else { 
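Review bot: `read_profiles` is introduced on a new bit (10) in `config/permissions.yaml`, and the voter changed in this commit requires it for `read` on a LabelProfile, so stored permission sets that already allow `edit_profiles` or `delete_profiles` presumably do not have it set. Whether `alsoSet` is applied retroactively or only when a permission is changed in the editor is not visible here, so please confirm. If it is editor-only, existing users lose access to their profiles after deploy until their permissions are re-saved. A data migration that sets `read_profiles` wherever `edit_profiles`, `create_profiles` or `delete_profiles` is allowed would avoid that. Failing that, a comment above the block such as `# alsoSet is only applied when the permission is edited; existing users need read_profiles granted explicitly` would at least document it.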
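Review bot: In `LabelController::generator()` the two added checks cover `@labels.create_labels` and read access to the selected profile, but nothing in this hunk checks that the user may read the element(s) named by the form's `target_id`. The rest of the method is outside the hunk, so this may already be handled there. If it is not, a generated label could expose data from parts the user cannot otherwise view; a `denyAccessUnlessGranted('read', $target)` for each resolved target before generation would close that (`$target` is a placeholder name). Separately, `if ($profile !== null)` and the `if ($profile)` right after it test the same condition and could share one block.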
diff --git a/src/Form/LabelSystem/LabelDialogType.php b/src/Form/LabelSystem/LabelDialogType.php index b1d59fff..233c7796 100644 --- a/src/Form/LabelSystem/LabelDialogType.php +++ b/src/Form/LabelSystem/LabelDialogType.php @@ -29,9 +29,17 @@ use Symfony\Component\Form\Extension\Core\Type\SubmitType; use Symfony\Component\Form\Extension\Core\Type\TextType; use Symfony\Component\Form\FormBuilderInterface; use Symfony\Component\OptionsResolver\OptionsResolver; +use Symfony\Component\Security\Core\Security; class LabelDialogType extends AbstractType { + protected $security; + + public function __construct(Security $security) + { + $this->security = $security; + } + public function buildForm(FormBuilderInterface $builder, array $options) { $builder->add('target_id', TextType::class, [ @@ -45,6 +53,8 @@ class LabelDialogType extends AbstractType $builder->add('options', LabelOptionsType::class, [ 'label' => false, + 'disabled' => !$this->security->isGranted('@labels.edit_options'), + ]); $builder->add('update', SubmitType::class, [ diff --git a/src/Security/Voter/LabelProfileVoter.php b/src/Security/Voter/LabelProfileVoter.php index 2d1ccd8c..0b655166 100644 --- a/src/Security/Voter/LabelProfileVoter.php +++ b/src/Security/Voter/LabelProfileVoter.php @@ -27,12 +27,19 @@ use App\Entity\UserSystem\User; class LabelProfileVoter extends ExtendedVoter { + protected const MAPPING = [ + 'read' => 'read_profiles', + 'create' => 'create_profiles', + 'edit' => 'edit_profiles', + 'delete' => 'delete_profiles', + ]; + /** * @inheritDoc */ protected function voteOnUser($attribute, $subject, User $user): bool { - return true; + return $this->resolver->inherit($user, 'labels', self::MAPPING[$attribute]) ?? false; } /** 
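Review bot: In the second `LabelDialogType.php` hunk, the `'disabled'` option is the only thing enforcing `@labels.edit_options`, and the code does not say that it is an enforcement point and not just a UI hint. Symfony ignores submitted values for disabled fields, so the check does hold server-side, but a later switch to a `readonly` attribute or template-level hiding would silently remove it. I would add `// disabled fields ignore submitted data, so this enforces @labels.edit_options server-side` above the option. The blank line added after the `'disabled'` entry, before `]);`, can be dropped.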
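Review bot: In the first `LabelProfileVoter.php` hunk, `voteOnUser()` indexes `self::MAPPING[$attribute]` without a guard and is only safe because `supports()` (changed in the next hunk) rejects attributes missing from the map; neither the constant nor the method documents that dependency. I would give `MAPPING` a docblock such as `/** Voter attribute => operation name in the 'labels' group of config/permissions.yaml; supports() rejects anything not listed here. */`. It is also worth a line in the method docblock that `$subject` is not consulted, so the decision applies to all label profiles and not to the specific one passed in. The `?? false` fallback keeps an unresolved permission fail-closed, which is the right default.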
@@ -41,7 +48,11 @@ class LabelProfileVoter extends ExtendedVoter protected function supports($attribute, $subject) { if ($subject instanceof LabelProfile) { - return true; + if (!isset(self::MAPPING[$attribute])) { + return false; + } + + return $this->resolver->isValidOperation('labels', self::MAPPING[$attribute]); } return false; diff --git a/src/Services/Trees/ToolsTreeBuilder.php b/src/Services/Trees/ToolsTreeBuilder.php index 98f7ba77..de082f0e 100644 --- a/src/Services/Trees/ToolsTreeBuilder.php +++ b/src/Services/Trees/ToolsTreeBuilder.php @@ -118,10 +118,12 @@ class ToolsTreeBuilder { $nodes = []; - $nodes[] = new TreeViewNode( - $this->translator->trans('tree.tools.tools.label_dialog'), - $this->urlGenerator->generate('label_dialog') - ); + if($this->security->isGranted('@labels.create_labels')) { + $nodes[] = new TreeViewNode( + $this->translator->trans('tree.tools.tools.label_dialog'), + $this->urlGenerator->generate('label_dialog') + ); + } $nodes[] = new TreeViewNode( $this->translator->trans('tree.tools.tools.label_scanner'), @@ -194,7 +196,7 @@ class ToolsTreeBuilder $this->urlGenerator->generate('measurement_unit_new') ); } - if ($this->security->isGranted('create', new LabelProfile())) { + if ($this->security->isGranted('read', new LabelProfile())) { $nodes[] = new TreeViewNode( $this->translator->trans('tree.tools.edit.label_profile'), $this->urlGenerator->generate('label_profile_new') diff --git a/templates/LabelSystem/dropdown_macro.html.twig b/templates/LabelSystem/dropdown_macro.html.twig index 821153ae..af7fefda 100644 --- a/templates/LabelSystem/dropdown_macro.html.twig +++ b/templates/LabelSystem/dropdown_macro.html.twig @@ -1,17 +1,24 @@ {% macro profile_dropdown(type, id = null, include_text = true, btn_type = 'btn-secondary') %}
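Review bot: In the first `ToolsTreeBuilder.php` hunk the added condition is written `if($this->security->isGranted('@labels.create_labels')) {`, without the space after `if` that the rest of the file uses (compare the `if ($this->security->isGranted(` line in the next hunk). It should read `if ($this->security->isGranted('@labels.create_labels')) {`. The enclosing method starts and ends outside the hunk.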
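Review bot: In the second `ToolsTreeBuilder.php` hunk the node is now shown to anyone with `read` on LabelProfile, but it still links to the `label_profile_new` route. A user with read-only access therefore lands on the new-profile page, and the menu check no longer matches the operation the target implies. The controller behind `label_profile_new` is not part of this diff, so please confirm it enforces `create`/`edit` itself and does not rely on this menu condition. If the intent is that the page doubles as the profile list, a short comment here such as `// page also lists existing profiles, so 'read' is enough to show it` would explain why `read` was chosen.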