mirror/Part-DB.Part-DB-server
1
0
Fork 1
mirror of https://github.com/Part-DB/Part-DB-server.git synced 2025-06-28 04:30:08 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions

Removed ElementPermissionListener and ColumnSecurity annotationn

Browse source
This commit is contained in:
Jan Böhmer 2022-09-18 23:38:01 +02:00
parent 51e05a8669
commit 8bc2c994d2
11 changed files with 1 additions and 408 deletions
Download patch file Download diff file Expand all files Collapse all files

148
src/Security/Annotations/ColumnSecurity.php
View file

@ -1,148 +0,0 @@
<?php
/**
* This file is part of Part-DB (https://github.com/Part-DB/Part-DB-symfony).
*
* Copyright (C) 2019 - 2020 Jan Böhmer (https://github.com/jbtronics)
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU Affero General Public License as published
* by the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Affero General Public License for more details.
*
* You should have received a copy of the GNU Affero General Public License
* along with this program. If not, see <https://www.gnu.org/licenses/>.
*/
declare(strict_types=1);
/**
* This file is part of Part-DB (https://github.com/Part-DB/Part-DB-symfony).
*
* Copyright (C) 2019 Jan Böhmer (https://github.com/jbtronics)
*
* This program is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public License
* as published by the Free Software Foundation; either version 2
* of the License, or (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA
*/
namespace App\Security\Annotations;
use App\Entity\Base\AbstractNamedDBElement;
use DateTime;
use Doctrine\Common\Annotations\Annotation;
use Doctrine\Common\Collections\ArrayCollection;
use InvalidArgumentException;
use function is_string;
/**
* @Annotation
*
* @Annotation\Target("PROPERTY")
*
* With these annotation you can restrict the access to certain coloumns in entities.
* The entity which should use this class has to use ElementListener as EntityListener.
*/
class ColumnSecurity
{
/**
* @var string The name of the edit permission
*/
public string $edit = 'edit';
/**
* @var string The name of the read permission
*/
public string $read = 'read';
/**
* @var string A prefix for all permission names (e.g..edit, useful for Parts)
*/
public string $prefix = '';
/**
* @var mixed the placeholder that should be used, when the access to the property is denied
*/
public $placeholder = null;
public $subject = null;
/**
* @var string The name of the property. This is used to determine the default placeholder.
* @Annotation\Enum({"integer", "string", "object", "boolean", "datetime", "collection"})
*/
public $type = 'string';
public function getReadOperationName(): string
{
if ('' !== $this->prefix) {
return $this->prefix.'.'.$this->read;
}
return $this->read;
}
public function getEditOperationName(): string
{
if ('' !== $this->prefix) {
return $this->prefix.'.'.$this->edit;
}
return $this->edit;
}
public function getPlaceholder()
{
//Check if a class name was specified
if (class_exists($this->type)) {
$object = new $this->type();
if ($object instanceof AbstractNamedDBElement) {
if (is_string($this->placeholder) && '' !== $this->placeholder) {
$object->setName($this->placeholder);
} else {
$object->setName('???');
}
}
return $object;
}
if (null === $this->placeholder) {
switch ($this->type) {
case 'integer':
case 'int':
return 0;
case 'float':
return 0.0;
case 'string':
return '???';
case 'object':
return null;
case 'collection':
return new ArrayCollection();
case 'boolean':
case 'bool':
return false;
case 'datetime':
return (new DateTime())->setTimestamp(0);
default:
throw new InvalidArgumentException('Unknown type! You have to specify a placeholder!');
}
}
return $this->placeholder;
}
}

223
src/Security/EntityListeners/ElementPermissionListener.php
View file

@ -1,223 +0,0 @@
<?php
/**
* This file is part of Part-DB (https://github.com/Part-DB/Part-DB-symfony).
*
* Copyright (C) 2019 - 2020 Jan Böhmer (https://github.com/jbtronics)
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU Affero General Public License as published
* by the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Affero General Public License for more details.
*
* You should have received a copy of the GNU Affero General Public License
* along with this program. If not, see <https://www.gnu.org/licenses/>.
*/
declare(strict_types=1);
/**
* This file is part of Part-DB (https://github.com/Part-DB/Part-DB-symfony).
*
* Copyright (C) 2019 Jan Böhmer (https://github.com/jbtronics)
*
* This program is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public License
* as published by the Free Software Foundation; either version 2
* of the License, or (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA
*/
namespace App\Security\EntityListeners;
use App\Entity\Base\AbstractDBElement;
use App\Entity\UserSystem\User;
use App\Security\Annotations\ColumnSecurity;
use function count;
use Doctrine\Common\Annotations\Reader;
use Doctrine\ORM\Event\LifecycleEventArgs;
use Doctrine\ORM\EntityManagerInterface;
use Doctrine\ORM\Event\PreFlushEventArgs;
use Doctrine\ORM\Mapping as ORM;
use Doctrine\ORM\Mapping\PostLoad;
use function get_class;
use InvalidArgumentException;
use ReflectionClass;
use Symfony\Component\Security\Core\Security;
/**
* The purpose of this class is to hook into the doctrine entity lifecycle and restrict access to entity informations
* configured by ColoumnSecurity Annotation.
* If the current programm is running from CLI (like a CLI command), the security checks are disabled.
* (Commands should be able to do everything they like).
*
* If a user does not have access to an coloumn, it will be filled, with a placeholder, after doctrine loading is finished.
* The edit process is also catched, so that these placeholders, does not get saved to database.
*/
class ElementPermissionListener
{
protected Security $security;
protected Reader $reader;
protected EntityManagerInterface $em;
protected bool $disabled;
protected array $perm_cache;
public function __construct(Security $security, Reader $reader, EntityManagerInterface $em)
{
$this->security = $security;
$this->reader = $reader;
$this->em = $em;
//Disable security when the current program is running from CLI
$this->disabled = $this->isRunningFromCLI();
$this->perm_cache = [];
}
/**
* @PostLoad
* @ORM\PostUpdate()
* This function is called after doctrine filled, the entity properties with db values.
* We use this, to check if the user is allowed to access these properties, and if not, we write a placeholder
* into the element properties, so that a user only gets non sensitve data.
*
* This function is also called after an entity was updated, so we dont show the original data to user,
* after an update.
*/
public function postLoadHandler(AbstractDBElement $element, LifecycleEventArgs $event): void
{
//Do nothing if security is disabled
if ($this->disabled) {
return;
}
//Read Annotations and properties.
$reflectionClass = new ReflectionClass($element);
$properties = $reflectionClass->getProperties();
foreach ($properties as $property) {
/** @var ColumnSecurity */
$annotation = $this->reader->getPropertyAnnotation(
$property,
ColumnSecurity::class
);
//Check if user is allowed to read info, otherwise apply placeholder
if ((null !== $annotation) && !$this->isGranted('read', $annotation, $element)) {
$property->setAccessible(true);
$value = $annotation->getPlaceholder();
//Detach placeholder entities, so we dont get cascade errors
if ($value instanceof AbstractDBElement) {
$this->em->detach($value);
}
$property->setValue($element, $value);
}
}
}
/**
* @ORM\PreFlush()
* This function is called before flushing. We use it, to remove all placeholders.
* We do it here and not in preupdate, because this is called before calculating the changeset,
* and so we dont get problems with orphan removal.
*/
public function preFlushHandler(AbstractDBElement $element, PreFlushEventArgs $eventArgs): void
{
//Do nothing if security is disabled
if ($this->disabled) {
return;
}
$unitOfWork = $eventArgs->getEntityManager()->getUnitOfWork();
$reflectionClass = new ReflectionClass($element);
$properties = $reflectionClass->getProperties();
$old_data = $unitOfWork->getOriginalEntityData($element);
foreach ($properties as $property) {
$annotation = $this->reader->getPropertyAnnotation(
$property,
ColumnSecurity::class
);
$changed = false;
//Only set the field if it has an annotation
if (null !== $annotation) {
$property->setAccessible(true);
//If the user is not allowed to edit or read this property, reset all values.
//Set value to old value, so that there a no change to this property
if ((!$this->isGranted('read', $annotation, $element)
|| !$this->isGranted('edit', $annotation, $element)) && isset(
$old_data[$property->getName()]
)) {
$property->setValue($element, $old_data[$property->getName()]);
$changed = true;
}
if ($changed) {
//Schedule for update, so the post update method will be called
$unitOfWork->scheduleForUpdate($element);
}
}
}
}
/**
* This function checks if the current script is run from web or from a terminal.
*
* @return bool Returns true if the current programm is running from CLI (terminal)
*/
protected function isRunningFromCLI(): bool
{
return empty($_SERVER['REMOTE_ADDR']) && !isset($_SERVER['HTTP_USER_AGENT']) && count($_SERVER['argv']) > 0;
}
/**
* Checks if access to the property of the given element is granted.
* This function adds an additional cache layer, where the voters are called only once (to improve performance).
*
* @param string $mode What operation should be checked. Must be 'read' or 'edit'
* @param ColumnSecurity $annotation The annotation of the property that should be checked
* @param AbstractDBElement $element The element that should for which should be checked
*
* @return bool True if the user is allowed to read that property
*/
protected function isGranted(string $mode, ColumnSecurity $annotation, AbstractDBElement $element): bool
{
if ('read' === $mode) {
$operation = $annotation->getReadOperationName();
} elseif ('edit' === $mode) {
$operation = $annotation->getEditOperationName();
} else {
throw new InvalidArgumentException('$mode must be either "read" or "edit"!');
}
//Users must always be checked, because its return value can differ if it is the user itself or something else
if ($element instanceof User) {
return $this->security->isGranted($operation, $element);
}
//Check if we have already have saved the permission, otherwise save it to cache
if (!isset($this->perm_cache[$mode][get_class($element)][$operation])) {
$this->perm_cache[$mode][get_class($element)][$operation] = $this->security->isGranted($operation, $element);
}
return $this->perm_cache[$mode][get_class($element)][$operation];
}
}