mirror/Part-DB.Part-DB-server
1
0
Fork 1
mirror of https://github.com/Part-DB/Part-DB-server.git synced 2025-06-24 10:49:00 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions

Prevent that an administrator can lockout himself accidentally out of the user interface by using one of the permission presets

Browse source
This commit is contained in:
Jan Böhmer 2023-08-20 12:42:56 +02:00
parent 0e5613b57b
commit 7b112512a9
1 changed files with 20 additions and 8 deletions
Download patch file Download diff file Expand all files Collapse all files

28
src/Controller/UserController.php
View file

@ -46,6 +46,7 @@ use Symfony\Component\HttpFoundation\RedirectResponse;
use Symfony\Component\HttpFoundation\Request; use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpFoundation\Response; use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\Routing\Annotation\Route; use Symfony\Component\Routing\Annotation\Route;
use Symfony\Component\Validator\Validator\ValidatorInterface;
#[Route(path: '/user')] #[Route(path: '/user')]
class UserController extends BaseAdminController class UserController extends BaseAdminController
@ -79,7 +80,8 @@ class UserController extends BaseAdminController
*/ */
#[Route(path: '/{id}/edit/{timestamp}', requirements: ['id' => '\d+'], name: 'user_edit')] #[Route(path: '/{id}/edit/{timestamp}', requirements: ['id' => '\d+'], name: 'user_edit')]
#[Route(path: '/{id}/', requirements: ['id' => '\d+'])] #[Route(path: '/{id}/', requirements: ['id' => '\d+'])]
public function edit(User $entity, Request $request, EntityManagerInterface $em, PermissionPresetsHelper $permissionPresetsHelper, PermissionSchemaUpdater $permissionSchemaUpdater, ?string $timestamp = null): Response public function edit(User $entity, Request $request, EntityManagerInterface $em, PermissionPresetsHelper $permissionPresetsHelper,
PermissionSchemaUpdater $permissionSchemaUpdater, ValidatorInterface $validator, ?string $timestamp = null): Response
{ {
//Do an upgrade of the permission schema if needed (so the user can see the permissions a user get on next request (even if it was not done yet) //Do an upgrade of the permission schema if needed (so the user can see the permissions a user get on next request (even if it was not done yet)
$permissionSchemaUpdater->userUpgradeSchemaRecursively($entity); $permissionSchemaUpdater->userUpgradeSchemaRecursively($entity);
@ -108,7 +110,7 @@ class UserController extends BaseAdminController
$this->addFlash('success', 'user.edit.reset_success'); $this->addFlash('success', 'user.edit.reset_success');
} else { } else {
$this->addFlash('danger', 'csfr_invalid'); $this->addFlash('error', 'csfr_invalid');
} }
} }
@ -120,15 +122,25 @@ class UserController extends BaseAdminController
$permissionPresetsHelper->applyPreset($entity, $preset); $permissionPresetsHelper->applyPreset($entity, $preset);
$em->flush(); //Ensure that the user is valid after applying the preset
$errors = $validator->validate($entity);
if (count($errors) > 0) {
$this->addFlash('error', 'validator.noLockout');
//Refresh the entity to remove the changes
$em->refresh($entity);
} else {
$em->flush();
$this->addFlash('success', 'user.edit.permission_success'); $this->addFlash('success', 'user.edit.permission_success');
//We need to stop the execution here, or our permissions changes will be overwritten by the form values //We need to stop the execution here, or our permissions changes will be overwritten by the form values
return $this->redirectToRoute('user_edit', ['id' => $entity->getID()]); return $this->redirectToRoute('user_edit', ['id' => $entity->getID()]);
}
} else {
$this->addFlash('error', 'csfr_invalid');
} }
$this->addFlash('danger', 'csfr_invalid');
} }
return $this->_edit($entity, $request, $em, $timestamp); return $this->_edit($entity, $request, $em, $timestamp);