mirror/Part-DB.Part-DB-server
1
0
Fork 1
mirror of https://github.com/Part-DB/Part-DB-server.git synced 2025-06-21 01:25:55 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions

Check permissions in edit part form.

Browse source
This commit is contained in:
Jan Böhmer 2019-03-19 19:00:39 +01:00
parent 6ed2eeabae
commit 8d36bf913d
3 changed files with 62 additions and 22 deletions
Download patch file Download diff file Expand all files Collapse all files

38
src/Form/PartType.php
View file

@ -47,30 +47,50 @@ use Symfony\Component\Form\Extension\Core\Type\ResetType;
use Symfony\Component\Form\Extension\Core\Type\SubmitType;
use Symfony\Component\Form\Extension\Core\Type\TextType;
use Symfony\Component\OptionsResolver\OptionsResolver;
use Symfony\Component\Security\Core\Security;
class PartType extends AbstractType
{
protected $security;
public function __construct(Security $security)
{
$this->security = $security;
}
public function buildForm(FormBuilderInterface $builder, array $options)
{
$part = $options['data'];
$builder
->add('name', TextType::class, ['empty_data'=>'', 'label'=> 'name.label',
'attr' => ['placeholder' => 'part.name.placeholder']])
'attr' => ['placeholder' => 'part.name.placeholder'],
'disabled' => !$this->security->isGranted('name.edit', $part)])
->add('description', TextType::class, ['required'=>false, 'empty_data'=>'',
'label'=> 'description.label', 'help' => 'bbcode.hint', 'attr' => ['placeholder' => 'part.description.placeholder']])
'label'=> 'description.label', 'help' => 'bbcode.hint', 'attr' => ['placeholder' => 'part.description.placeholder'],
'disabled' => !$this->security->isGranted('description.edit', $part)])
->add('instock', IntegerType::class,
['attr' => ['min'=>0, 'placeholder' => 'part.instock.placeholder'], 'label'=> 'instock.label'])
['attr' => ['min'=>0, 'placeholder' => 'part.instock.placeholder'], 'label'=> 'instock.label',
'disabled' => !$this->security->isGranted('instock.edit', $part)])
->add('mininstock', IntegerType::class,
['attr' => ['min'=>0, 'placeholder' => 'part.mininstock.placeholder'], 'label'=> 'mininstock.label'])
['attr' => ['min'=>0, 'placeholder' => 'part.mininstock.placeholder'], 'label'=> 'mininstock.label',
'disabled' => !$this->security->isGranted('mininstock.edit', $part)])
->add('category', EntityType::class, ['class' => Category::class, 'choice_label' => 'full_path',
'attr' => ['class' => 'selectpicker', 'data-live-search' => true], 'label'=> 'category.label'])
'attr' => ['class' => 'selectpicker', 'data-live-search' => true], 'label'=> 'category.label',
'disabled' => !$this->security->isGranted('move', $part)])
->add('storelocation', EntityType::class, ['class' => Storelocation::class, 'choice_label' => 'full_path',
'attr' => ['class' => 'selectpicker', 'data-live-search' => true], 'required' => false, 'label'=> 'storelocation.label'])
'attr' => ['class' => 'selectpicker', 'data-live-search' => true], 'required' => false, 'label'=> 'storelocation.label',
'disabled' => !$this->security->isGranted('storelocation.edit', $part)])
->add('manufacturer', EntityType::class, ['class' => Manufacturer::class, 'choice_label' => 'full_path',
'attr' => ['class' => 'selectpicker', 'data-live-search' => true], 'required' => false, 'label'=> 'manufacturer.label'])
'attr' => ['class' => 'selectpicker', 'data-live-search' => true], 'required' => false, 'label'=> 'manufacturer.label',
'disabled' => !$this->security->isGranted('manufacturer.edit', $part)])
->add('manufacturer_product_url', UrlType::class, ['required'=>false, 'empty_data' => '',
'label'=> 'manufacturer_url.label'])
'label'=> 'manufacturer_url.label',
'disabled' => !$this->security->isGranted('manufacturer.edit', $part)])
->add('comment', CKEditorType::class, ['required'=>false,
'label'=> 'comment.label', 'attr' => ['rows'=> 4], 'help' => 'bbcode.hint'])
'label'=> 'comment.label', 'attr' => ['rows'=> 4], 'help' => 'bbcode.hint',
'disabled' => !$this->security->isGranted('comment.edit', $part)])
//Buttons
->add('save', SubmitType::class, ['label' => 'part.edit.save'])

15
src/Security/Voter/PartVoter.php
View file

@ -31,6 +31,14 @@ class PartVoter extends ExtendedVoter
if ($subject instanceof Part)
{
//Check if a sub permission should be checked -> $attribute has format name.edit
if(strpos($attribute, '.') !== false) {
[$perm, $op] = explode('.', $attribute);
return in_array($op, $this->resolver->listOperationsForPermission('parts_'.$perm), false);
}
return in_array($attribute, $this->resolver->listOperationsForPermission('parts'), false);
}
@ -41,6 +49,13 @@ class PartVoter extends ExtendedVoter
protected function voteOnUser($attribute, $subject, User $user): bool
{
if($subject instanceof Part) {
//Check for sub permissions
if(strpos($attribute, '.') !== false) {
[$perm, $op] = explode('.', $attribute);
return $this->resolver->inherit($user, 'parts_'. $perm, $op) ?? false;
}
//Null concealing operator means, that no
return $this->resolver->inherit($user, 'parts', $attribute) ?? false;
}

7
templates/show_part_info.html.twig
View file

@ -23,7 +23,12 @@
</div>
<div class="col-md-9">
<h5 class="text-muted pt-2" title="{% trans %}manufacturer.label{% endtrans %}">{{ part.manufacturer.name ?? ""}}</h5>
<h3>{{ part.name }} <a href="{{ part|entityURL('edit') }}"><i class="fas fa-fw fa-sm fa-edit"></i></a></h3>
<h3>{{ part.name }}
{# You need edit permission to use the edit button #}
{% if is_granted('edit', part) %}
<a href="{{ part|entityURL('edit') }}"><i class="fas fa-fw fa-sm fa-edit"></i></a>
{% endif %}
</h3>
<h6 class="text-muted"><span title="{% trans %}description.label{% endtrans %}">{{ part.description|bbCode }}</span></h6>
<h6 class="" title="{% trans %}category.label{% endtrans %}">
<i class="fas fa-tag fa-fw"></i>