Improved permission checking for certain controllers.

This commit is contained in:
Jan Böhmer 2022-11-05 23:49:53 +01:00
parent a30b67e328
commit 78d1dff40f
3 changed files with 10 additions and 1 deletions


@ -131,7 +131,7 @@ class AttachmentFileController extends AbstractController
*/ */
public function attachmentsTable(Request $request, DataTableFactory $dataTableFactory, NodesListBuilder $nodesListBuilder) public function attachmentsTable(Request $request, DataTableFactory $dataTableFactory, NodesListBuilder $nodesListBuilder)
{ {
$this->denyAccessUnlessGranted('read', new PartAttachment()); $this->denyAccessUnlessGranted('@attachments.list_attachments');
$formRequest = clone $request; $formRequest = clone $request;
$formRequest->setMethod('GET'); $formRequest->setMethod('GET');
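Review bot: The docblock that closes at `*/` just above `attachmentsTable()` does not mention the permission the action now enforces, so the switch from a `read` vote on a `PartAttachment` instance to the attribute `@attachments.list_attachments` is only discoverable by reading the body. A one-line addition to that docblock such as `Requires the @attachments.list_attachments permission.` would keep the route's access requirement visible to anyone maintaining the permission map. The body of `attachmentsTable()` continues outside the hunk.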


@ -156,6 +156,11 @@ class TypeaheadController extends AbstractController
public function parameters(string $type, EntityManagerInterface $entityManager, string $query = ""): JsonResponse public function parameters(string $type, EntityManagerInterface $entityManager, string $query = ""): JsonResponse
{ {
$class = $this->typeToParameterClass($type); $class = $this->typeToParameterClass($type);
$test_obj = new $class();
//Ensure user has the correct permissions
$this->denyAccessUnlessGranted('read', $test_obj);
/** @var ParameterRepository $repository */ /** @var ParameterRepository $repository */
$repository = $entityManager->getRepository($class); $repository = $entityManager->getRepository($class);
@ -169,6 +174,8 @@ class TypeaheadController extends AbstractController
*/ */
public function tags(string $query, TagFinder $finder): JsonResponse public function tags(string $query, TagFinder $finder): JsonResponse
{ {
$this->denyAccessUnlessGranted('@parts.read');
$array = $finder->searchTags($query); $array = $finder->searchTags($query);
$normalizers = [ $normalizers = [
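Review bot: In `parameters()`, `$test_obj = new $class();` instantiates an entity purely to give the voter a subject, and it happens before any check that `$type` mapped to a usable class; if `typeToParameterClass()` does not itself reject unknown types (its body is not in the hunk), an unexpected `$type` surfaces as an uncaught `Error` from `new $class()` rather than a 404 or 403. Since `$type` is a route parameter, consider asserting the mapped value is an instantiable class before the `new`, or documenting on `typeToParameterClass()` that it throws for unknown types. The throwaway variable could also be inlined, `$this->denyAccessUnlessGranted('read', new $class());`, which makes the intent of the comment `//Ensure user has the correct permissions` clearer. The `tags()` hunk below adds a plain attribute check and needs nothing further; both function bodies continue outside the hunks.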


@ -18,6 +18,8 @@ class WebauthnKeyRegistrationController extends AbstractController
*/ */
public function register(Request $request, TFAWebauthnRegistrationHelper $registrationHelper, EntityManagerInterface $em) public function register(Request $request, TFAWebauthnRegistrationHelper $registrationHelper, EntityManagerInterface $em)
{ {
//When user change its settings, he should be logged in fully.
$this->denyAccessUnlessGranted('IS_AUTHENTICATED_FULLY');
//If form was submitted, check the auth response //If form was submitted, check the auth response
if ($request->getMethod() === 'POST') { if ($request->getMethod() === 'POST') {
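Review bot: The comment added above the new `IS_AUTHENTICATED_FULLY` check is ungrammatical and gendered; `//Changing security settings requires a full login, not a remembered session.` states the same intent more precisely and explains why the stricter attribute was chosen over a plain authenticated check. The body of `register()` continues outside the hunk.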