Added permissions to label system.

2025-06-22 09:53:35 +02:00 · 2020-05-04 23:21:58 +02:00 · 2020-05-04 23:21:58 +02:00 · 5a9be023b1
commit 5a9be023b1
parent fde1d7be4f
6 changed files with 62 additions and 27 deletions
--- a/config/permissions.yaml
+++ b/config/permissions.yaml
@ -466,11 +466,22 @@ perms: # Here comes a list with all Permission names (they have a perm_[name] co
      edit_options:
        label: "perm.self.edit_options"
        bit: 2
-      delete_profiles:
-        label: "perm.self.delete_profiles"
-        bit: 4
+        alsoSet: ['create_labels']
+      read_profiles:
+        label: "perm.self.read_profiles"
+        bit: 10
      edit_profiles:
        label: "perm.self.edit_profiles"
        bit: 6
+        alsoSet: ['read_profiles']
+      create_profiles:
+        label: "perm.self.create_profiles"
+        bit: 8
+        alsoSet: ['read_profiles', 'edit_profiles']
+      delete_profiles:
+        label: "perm.self.delete_profiles"
+        bit: 4
+        alsoSet: ['read_profiles', 'edit_profiles', 'create_profiles']
+


--- a/src/Controller/LabelController.php
+++ b/src/Controller/LabelController.php
@ -61,25 +61,19 @@ class LabelController extends AbstractController
        $this->rangeParser = $rangeParser;
    }

-    /**
-     * @Route("/{profile}/{part}/view")
-     */
-    public function view(LabelProfile $profile, Part $part)
-    {
-        $label = $this->labelGenerator->generateLabel($profile->getOptions(), $part);
-
-        $response = new LabelResponse($label);
-        $response->setContentDisposition(ResponseHeaderBag::DISPOSITION_INLINE, 'label.pdf');
-
-        return $response;
-    }
-
    /**
     * @Route("/dialog", name="label_dialog")
     * @Route("/{profile}/dialog", name="label_dialog_profile")
     */
    public function generator(Request $request, ?LabelProfile $profile = null)
    {
+        $this->denyAccessUnlessGranted('@labels.create_labels');
+
+        //If we inherit a LabelProfile, the user need to have access to it...
+        if ($profile !== null) {
+            $this->denyAccessUnlessGranted('read', $profile);
+        }
+
        if ($profile) {
            $label_options = $profile->getOptions();
        } else {
--- a/src/Form/LabelSystem/LabelDialogType.php
+++ b/src/Form/LabelSystem/LabelDialogType.php
@ -29,9 +29,17 @@ use Symfony\Component\Form\Extension\Core\Type\SubmitType;
 use Symfony\Component\Form\Extension\Core\Type\TextType;
 use Symfony\Component\Form\FormBuilderInterface;
 use Symfony\Component\OptionsResolver\OptionsResolver;
+use Symfony\Component\Security\Core\Security;

 class LabelDialogType extends AbstractType
 {
+    protected $security;
+
+    public function __construct(Security $security)
+    {
+        $this->security = $security;
+    }
+
    public function buildForm(FormBuilderInterface $builder, array $options)
    {
        $builder->add('target_id', TextType::class, [
@ -45,6 +53,8 @@ class LabelDialogType extends AbstractType

        $builder->add('options', LabelOptionsType::class, [
            'label' => false,
+            'disabled' => !$this->security->isGranted('@labels.edit_options'),
+
        ]);
        $builder->add('update', SubmitType::class, [

--- a/src/Security/Voter/LabelProfileVoter.php
+++ b/src/Security/Voter/LabelProfileVoter.php
@ -27,12 +27,19 @@ use App\Entity\UserSystem\User;
 class LabelProfileVoter extends ExtendedVoter
 {

+    protected const MAPPING = [
+        'read' => 'read_profiles',
+        'create' => 'create_profiles',
+        'edit' => 'edit_profiles',
+        'delete' => 'delete_profiles',
+    ];
+
    /**
     * @inheritDoc
     */
    protected function voteOnUser($attribute, $subject, User $user): bool
    {
-        return true;
+        return $this->resolver->inherit($user, 'labels', self::MAPPING[$attribute]) ?? false;
    }

    /**
@ -41,7 +48,11 @@ class LabelProfileVoter extends ExtendedVoter
    protected function supports($attribute, $subject)
    {
        if ($subject instanceof LabelProfile) {
-            return true;
+            if (!isset(self::MAPPING[$attribute])) {
+                return false;
+            }
+
+            return $this->resolver->isValidOperation('labels', self::MAPPING[$attribute]);
        }

        return false;
--- a/src/Services/Trees/ToolsTreeBuilder.php
+++ b/src/Services/Trees/ToolsTreeBuilder.php
@ -118,10 +118,12 @@ class ToolsTreeBuilder
    {
        $nodes = [];

+        if($this->security->isGranted('@labels.create_labels')) {
            $nodes[] = new TreeViewNode(
                $this->translator->trans('tree.tools.tools.label_dialog'),
                $this->urlGenerator->generate('label_dialog')
            );
+        }

        $nodes[] = new TreeViewNode(
            $this->translator->trans('tree.tools.tools.label_scanner'),
@ -194,7 +196,7 @@ class ToolsTreeBuilder
                $this->urlGenerator->generate('measurement_unit_new')
            );
        }
-        if ($this->security->isGranted('create', new LabelProfile())) {
+        if ($this->security->isGranted('read', new LabelProfile())) {
            $nodes[] = new TreeViewNode(
                $this->translator->trans('tree.tools.edit.label_profile'),
                $this->urlGenerator->generate('label_profile_new')
--- a/templates/LabelSystem/dropdown_macro.html.twig
+++ b/templates/LabelSystem/dropdown_macro.html.twig
@ -1,17 +1,24 @@
 {% macro profile_dropdown(type, id = null, include_text = true, btn_type = 'btn-secondary') %}
    <div class="btn-group">
-        <button type="button" class="btn {{ btn_type }} dropdown-toggle" title="{% trans %}label_generator.label_btn{% endtrans %}" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false">
+        <button type="button" class="btn {{ btn_type }} dropdown-toggle" title="{% trans %}label_generator.label_btn{% endtrans %}"
+                data-toggle="dropdown" aria-haspopup="true" aria-expanded="false" {% if not is_granted("@labels.create_labels") %}disabled{% endif %}>
            <i class="fas fa-fw fa-qrcode"></i> {% if include_text %}{% trans %}label_generator.label_btn{% endtrans %}{% endif %}
        </button>
        <div class="dropdown-menu">
+            {% if is_granted('@labels.read_profiles') %}
                {% set profiles = label_profile_dropdown_helper.dropdownProfiles(type) %}
+            {% else %}
+                {% set profiles = [] %}
+            {% endif %}
            {% for profile in profiles %}
                <a class="dropdown-item" href="{{ path('label_dialog_profile', {'profile': profile.id, 'target_type': type, 'target_id': id, 'generate': true}) }}">{{ profile.name }}</a>
            {% endfor %}
-            {% if profiles is not empty %}
+            {% if profiles is not empty and is_granted('@labels.edit_options') %}
                <div class="dropdown-divider"></div>
            {% endif %}
+            {% if is_granted('@labels.edit_options') %} {# An empty dialog does not make much sense, when you can not edit the options... #}
                <a class="dropdown-item" href="{{ path('label_dialog', {'target_type': type, 'target_id': id}) }}">{% trans %}label_generator.label_empty{% endtrans %}</a>
+            {% endif %}
        </div>
    </div>
 {% endmacro %}