Check permissions for time travel and element undo.

This commit is contained in:
Jan Böhmer 2020-03-07 20:49:52 +01:00
parent 254d4e6c69
commit 8a61b465d0
23 changed files with 370 additions and 90 deletions

View file

@ -58,11 +58,7 @@ class AttachmentVoter extends ExtendedVoter
*/
protected function voteOnUser($attribute, $subject, User $user): bool
{
if ($subject instanceof Attachment) {
return $this->resolver->inherit($user, 'parts_attachments', $attribute) ?? false;
}
return false;
return $this->resolver->inherit($user, 'parts_attachments', $attribute) ?? false;
}
/**
@ -75,10 +71,11 @@ class AttachmentVoter extends ExtendedVoter
*/
protected function supports($attribute, $subject)
{
if ($subject instanceof Attachment) {
if (is_a($subject, Attachment::class, true)) {
return in_array($attribute, $this->resolver->listOperationsForPermission('parts_attachments'), false);
}
//Allow class name as subject
return false;
}
}

View file

@ -57,11 +57,7 @@ class GroupVoter extends ExtendedVoter
*/
protected function voteOnUser($attribute, $subject, User $user): bool
{
if ($subject instanceof Group) {
return $this->resolver->inherit($user, 'groups', $attribute) ?? false;
}
return false;
return $this->resolver->inherit($user, 'groups', $attribute) ?? false;
}
/**
@ -74,7 +70,7 @@ class GroupVoter extends ExtendedVoter
*/
protected function supports($attribute, $subject)
{
if ($subject instanceof Group) {
if (is_a($subject, Group::class, true)) {
return $this->resolver->isValidOperation('groups', $attribute);
}

View file

@ -51,25 +51,21 @@ class LogEntryVoter extends ExtendedVoter
protected function voteOnUser($attribute, $subject, User $user): bool
{
if ($subject instanceof AbstractLogEntry) {
if ('delete' === $attribute) {
return $this->resolver->inherit($user, 'system', 'delete_logs') ?? false;
}
if ('read' === $attribute) {
//Allow read of the users own log entries
if (
$subject->getUser() === $user
&& $this->resolver->inherit($user, 'self', 'show_logs')
) {
return true;
}
return $this->resolver->inherit($user, 'system', 'show_logs') ?? false;
}
if ('delete' === $attribute) {
return $this->resolver->inherit($user, 'system', 'delete_logs') ?? false;
}
return false;
if ('read' === $attribute) {
//Allow read of the users own log entries
if (
$subject->getUser() === $user
&& $this->resolver->inherit($user, 'self', 'show_logs')
) {
return true;
}
return $this->resolver->inherit($user, 'system', 'show_logs') ?? false;
}
}
protected function supports($attribute, $subject)

View file

@ -0,0 +1,57 @@
<?php
/**
* This file is part of Part-DB (https://github.com/Part-DB/Part-DB-symfony).
*
* Copyright (C) 2019 - 2020 Jan Böhmer (https://github.com/jbtronics)
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU Affero General Public License as published
* by the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Affero General Public License for more details.
*
* You should have received a copy of the GNU Affero General Public License
* along with this program. If not, see <https://www.gnu.org/licenses/>.
*/
namespace App\Security\Voter;
use App\Entity\Parts\PartLot;
use App\Entity\PriceInformations\Orderdetail;
use App\Entity\UserSystem\User;
class OrderdetailVoter extends ExtendedVoter
{
/** @var string[] When this permsission are encountered, they are checked on part */
protected const PART_PERMS = ['show_history', 'revert_element'];
/**
* @inheritDoc
*/
protected function voteOnUser($attribute, $subject, User $user): bool
{
if (in_array($attribute, self::PART_PERMS, true)) {
return $this->resolver->inherit($user, 'parts', $attribute) ?? false;
}
return $this->resolver->inherit($user, 'parts_orderdetails', $attribute) ?? false;
}
/**
* @inheritDoc
*/
protected function supports($attribute, $subject)
{
if (is_a($subject, Orderdetail::class, true)) {
return in_array($attribute, array_merge(
self::PART_PERMS,
$this->resolver->listOperationsForPermission('parts_orderdetails')
), true);
}
}
}

View file

@ -0,0 +1,56 @@
<?php
/**
* This file is part of Part-DB (https://github.com/Part-DB/Part-DB-symfony).
*
* Copyright (C) 2019 - 2020 Jan Böhmer (https://github.com/jbtronics)
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU Affero General Public License as published
* by the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Affero General Public License for more details.
*
* You should have received a copy of the GNU Affero General Public License
* along with this program. If not, see <https://www.gnu.org/licenses/>.
*/
namespace App\Security\Voter;
use App\Entity\Parts\PartLot;
use App\Entity\UserSystem\User;
class PartLotVoter extends ExtendedVoter
{
/** @var string[] When this permsission are encountered, they are checked on part */
protected const PART_PERMS = ['show_history', 'revert_element'];
/**
* @inheritDoc
*/
protected function voteOnUser($attribute, $subject, User $user): bool
{
if (in_array($attribute, self::PART_PERMS, true)) {
return $this->resolver->inherit($user, 'parts', $attribute) ?? false;
}
return $this->resolver->inherit($user, 'parts_lots', $attribute) ?? false;
}
/**
* @inheritDoc
*/
protected function supports($attribute, $subject)
{
if (is_a($subject, PartLot::class, true)) {
return in_array($attribute, array_merge(
self::PART_PERMS,
$this->resolver->listOperationsForPermission('parts_lots')
), true);
}
}
}

View file

@ -57,11 +57,7 @@ class PartVoter extends ExtendedVoter
protected function supports($attribute, $subject)
{
// replace with your own logic
// https://symfony.com/doc/current/security/voters.html
//return ($subject instanceof Part || in_array($subject, ['PERM_parts', 'PERM_parts_name']));
if ($subject instanceof Part) {
if (is_a($subject, Part::class, true)) {
//Check if a sub permission should be checked -> $attribute has format name.edit
if (false !== strpos($attribute, '.')) {
[$perm, $op] = explode('.', $attribute);
@ -72,24 +68,21 @@ class PartVoter extends ExtendedVoter
return $this->resolver->isValidOperation('parts', $attribute);
}
//Allow class name as subject
return false;
}
protected function voteOnUser($attribute, $subject, User $user): bool
{
if ($subject instanceof Part) {
//Check for sub permissions
if (false !== strpos($attribute, '.')) {
[$perm, $op] = explode('.', $attribute);
//Check for sub permissions
if (false !== strpos($attribute, '.')) {
[$perm, $op] = explode('.', $attribute);
return $this->resolver->inherit($user, 'parts_'.$perm, $op) ?? false;
}
//Null concealing operator means, that no
return $this->resolver->inherit($user, 'parts', $attribute) ?? false;
return $this->resolver->inherit($user, 'parts_'.$perm, $op) ?? false;
}
//Deny access by default.
return false;
//Null concealing operator means, that no
return $this->resolver->inherit($user, 'parts', $attribute) ?? false;
}
}

View file

@ -0,0 +1,57 @@
<?php
/**
* This file is part of Part-DB (https://github.com/Part-DB/Part-DB-symfony).
*
* Copyright (C) 2019 - 2020 Jan Böhmer (https://github.com/jbtronics)
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU Affero General Public License as published
* by the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Affero General Public License for more details.
*
* You should have received a copy of the GNU Affero General Public License
* along with this program. If not, see <https://www.gnu.org/licenses/>.
*/
namespace App\Security\Voter;
use App\Entity\Parts\PartLot;
use App\Entity\PriceInformations\Pricedetail;
use App\Entity\UserSystem\User;
class PricedetailVoter extends ExtendedVoter
{
/** @var string[] When this permsission are encountered, they are checked on part */
protected const PART_PERMS = ['show_history', 'revert_element'];
/**
* @inheritDoc
*/
protected function voteOnUser($attribute, $subject, User $user): bool
{
if (in_array($attribute, self::PART_PERMS, true)) {
return $this->resolver->inherit($user, 'parts', $attribute) ?? false;
}
return $this->resolver->inherit($user, 'parts_prices', $attribute) ?? false;
}
/**
* @inheritDoc
*/
protected function supports($attribute, $subject)
{
if (is_a($subject, Pricedetail::class, true)) {
return in_array($attribute, array_merge(
self::PART_PERMS,
$this->resolver->listOperationsForPermission('parts_prices')
), true);
}
}
}

View file

@ -43,11 +43,13 @@ declare(strict_types=1);
namespace App\Security\Voter;
use App\Entity\Attachments\AttachmentType;
use App\Entity\Base\AbstractStructuralDBElement;
use App\Entity\Devices\Device;
use App\Entity\Parts\Category;
use App\Entity\Parts\Footprint;
use App\Entity\Parts\Manufacturer;
use App\Entity\Parts\MeasurementUnit;
use App\Entity\Parts\Part;
use App\Entity\Parts\Storelocation;
use App\Entity\Parts\Supplier;
use App\Entity\PriceInformations\Currency;
@ -67,24 +69,29 @@ class StructureVoter extends ExtendedVoter
*/
protected function supports($attribute, $subject)
{
if (is_object($subject)) {
if (is_object($subject) || is_string($subject)) {
$permission_name = $this->instanceToPermissionName($subject);
//If permission name is null, then the subject is not supported
return (null !== $permission_name) && $this->resolver->isValidOperation($permission_name, $attribute);
}
return false;
}
/**
* Maps a instance type to the permission name.
*
* @param mixed $subject The subject for which the permission name should be generated
* @param object|string $subject The subject for which the permission name should be generated
*
* @return string|null the name of the permission for the subject's type or null, if the subject is not supported
*/
protected function instanceToPermissionName($subject): ?string
{
$class_name = get_class($subject);
if (!is_string($subject)) {
$class_name = get_class($subject);
} else {
$class_name = $subject;
}
switch ($class_name) {
case AttachmentType::class:
return 'attachment_types';

View file

@ -57,11 +57,11 @@ class UserVoter extends ExtendedVoter
*/
protected function supports($attribute, $subject)
{
if ($subject instanceof User) {
if (is_a($subject, User::class, true)) {
return in_array($attribute, array_merge(
$this->resolver->listOperationsForPermission('users'),
$this->resolver->listOperationsForPermission('self')),
false
false
);
}
@ -89,10 +89,11 @@ class UserVoter extends ExtendedVoter
return $tmp;
}
}
//Else just check users permission:
if ($this->resolver->isValidOperation('users', $attribute)) {
return $this->resolver->inherit($user, 'users', $attribute) ?? false;
}
}
//Else just check users permission:
if ($this->resolver->isValidOperation('users', $attribute)) {
return $this->resolver->inherit($user, 'users', $attribute) ?? false;
}
return false;