diff --git a/config/packages/security.yaml b/config/packages/security.yaml index b60c632c..c2241f08 100644 --- a/config/packages/security.yaml +++ b/config/packages/security.yaml @@ -69,3 +69,5 @@ security: # We get into trouble with the U2F authentication, if the calls to the trees trigger an 2FA login # This settings should not do much harm, because a read only access to show available data structures is not really critical - { path: "^/\\w{2}/tree", role: PUBLIC_ACCESS } + # Restrict access to API to users, which has the API access permission + - { path: "^/api", allow_if: 'is_granted("@api.access_api") and is_authenticated()' } diff --git a/config/permissions.yaml b/config/permissions.yaml index cf363100..f0f1af32 100644 --- a/config/permissions.yaml +++ b/config/permissions.yaml @@ -254,6 +254,7 @@ perms: # Here comes a list with all Permission names (they have a perm_[name] co show_updates: label: "perm.system.show_available_updates" + attachments: label: "perm.part.attachments" operations: @@ -304,4 +305,11 @@ perms: # Here comes a list with all Permission names (they have a perm_[name] co label: "perm.revert_elements" alsoSet: ['read_profiles', 'edit_profiles', 'create_profiles', 'delete_profiles'] - + api: + label: "perm.api" + operations: + access_api: + label: "perm.api.access_api" + manage_tokens: + label: "perm.api.manage_tokens" + alsoSet: ['access_api'] \ No newline at end of file diff --git a/src/Controller/UserSettingsController.php b/src/Controller/UserSettingsController.php index 3f9d89bd..bb03b71f 100644 --- a/src/Controller/UserSettingsController.php +++ b/src/Controller/UserSettingsController.php @@ -406,6 +406,8 @@ class UserSettingsController extends AbstractController #[Route('/api_token/create', name: 'user_api_token_create')] public function addApiToken(Request $request, EntityManagerInterface $entityManager): Response { + $this->denyAccessUnlessGranted('@api.manage_tokens'); + $token = new ApiToken(); $token->setUser($this->getUser()); 
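Review bot: The new `^/api` access_control entry only takes effect if no earlier entry already matches `/api` paths, because Symfony applies the first matching access_control rule and stops; the rules above the `/tree` entry are outside this hunk, so verify none of them is a catch-all such as `^/`. The pattern is also anchored only at the start, so any other top-level route whose path begins with `api` would be caught as well; `^/api(/|$)` is tighter if such routes exist. The inline comment understates what the rule does: `is_authenticated()` means an anonymous visitor is refused even if the anonymous group were granted `@api.access_api`, which is worth stating, e.g. `# API requires an authenticated user (session or token) that also holds api.access_api; anonymous access is never allowed`.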
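Review bot: `denyAccessUnlessGranted('@api.manage_tokens')` protects only token creation in this hunk; any route that revokes or deletes a token (not part of this diff, if one exists) needs the same check, because the `is_granted` gates added in the templates are presentation only and do not stop a direct POST. Placing the check before `new ApiToken()` is the right spot; since the controller already uses PHP attributes for routing, the same check could be expressed declaratively as `#[IsGranted('@api.manage_tokens')]` on the method if the Symfony version in use provides it. The body of addApiToken continues past the end of the hunk.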
diff --git a/src/Entity/UserSystem/User.php b/src/Entity/UserSystem/User.php index ae4f90d0..31a8e6e3 100644 --- a/src/Entity/UserSystem/User.php +++ b/src/Entity/UserSystem/User.php @@ -102,7 +102,7 @@ class User extends AttachmentContainingDBElement implements UserInterface, HasPe final public const ID_ANONYMOUS = 1; #[Groups(['user:read'])] - protected ?int $id; + protected ?int $id = null; #[Groups(['user:read'])] protected ?\DateTimeInterface $lastModified = null; diff --git a/templates/users/_api_tokens.html.twig b/templates/users/_api_tokens.html.twig index d52b8970..fa199744 100644 --- a/templates/users/_api_tokens.html.twig +++ b/templates/users/_api_tokens.html.twig @@ -55,7 +55,9 @@ {% endif %} - {% trans %}api_token.create_new{% endtrans %} + + {% trans %}api_token.create_new{% endtrans %} + \ No newline at end of file diff --git a/templates/users/user_settings.html.twig b/templates/users/user_settings.html.twig index 359b993e..0f218a1b 100644 --- a/templates/users/user_settings.html.twig +++ b/templates/users/user_settings.html.twig @@ -77,5 +77,7 @@ - {% include "users/_api_tokens.html.twig" %} + {% if is_granted("@api.access_api") %} + {% include "users/_api_tokens.html.twig" %} + {% endif %} {% endblock %} diff --git a/translations/messages.en.xlf b/translations/messages.en.xlf index c55baaad..ccf1336f 100644 --- a/translations/messages.en.xlf +++ b/translations/messages.en.xlf @@ -731,10 +731,10 @@ user.edit.tfa.disable_tfa_message - This will disable <b>all active two-factor authentication methods of the user</b> and delete the <b>backup codes</b>! -<br> -The user will have to set up all two-factor authentication methods again and print new backup codes! <br><br> -<b>Only do this if you are absolutely sure about the identity of the user (seeking help), otherwise the account could be compromised by an attacker!</b> + all active two-factor authentication methods of the user and delete the backup codes! +
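Review bot: Gating the include on `@api.access_api` while the create route now requires `@api.manage_tokens` means a user holding `access_api` but not `manage_tokens` still sees the token panel; if the create button inside `_api_tokens.html.twig` is not separately wrapped in `{% if is_granted("@api.manage_tokens") %}` (the markup of that hunk is not recoverable here), that user is offered an action that ends in a 403. Either gate this include on the stricter permission or confirm the inner template does so. These Twig checks remain UI-only; authorization is enforced by the controller check and the access_control rule, not by the template.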
+The user will have to set up all two-factor authentication methods again and print new backup codes!

+Only do this if you are absolutely sure about the identity of the user (seeking help), otherwise the account could be compromised by an attacker!]]>
@@ -11326,67 +11326,67 @@ Element 3 - + tfa_u2f.add_key.registration_error An error occurred during the registration of the security key. Try again or use another security key! - + log.target_type.none None - + ui.darkmode.light Light - + ui.darkmode.dark Dark - + ui.darkmode.auto Auto (decide based on system settings) - + label_generator.no_lines_given No text content given! The labels will remain empty. - + user.password_strength.very_weak Very weak - + user.password_strength.weak Weak - + user.password_strength.medium Medium - + user.password_strength.strong Strong - + user.password_strength.very_strong Very strong @@ -11580,25 +11580,25 @@ Please note, that you can not impersonate a disabled user. If you try you will g - + update_manager.new_version_available.title New version available - + update_manager.new_version_available.text A new version of Part-DB is available. Check it out here - + update_manager.new_version_available.only_administrators_can_see Only administrators can see this message. - + perm.system.show_available_updates Show available Part-DB updates @@ -11730,22 +11730,40 @@ Please note, that you can not impersonate a disabled user. If you try you will g - + project.build.dont_check_quantity Do not check quantities - + project.build.dont_check_quantity.help If this option is selected, the given withdraw quantities are used as given, no matter if more or less parts are actually required to build this project. - + part_list.action.invert_selection Invert selection + + + perm.api + API + + + + + perm.api.access_api + Access API + + + + + perm.api.manage_tokens + Manage API tokens + +