Prevent a user from lock itself out from the user system.

2025-06-22 09:53:35 +02:00 · 2019-09-11 18:50:23 +02:00 · 2019-09-11 18:50:23 +02:00 · 90d449ea22
commit 90d449ea22
parent 856e20586f
6 changed files with 164 additions and 1 deletions
--- a/src/Controller/DebugController.php
+++ b/src/Controller/DebugController.php
@ -87,5 +87,7 @@ class DebugController extends AbstractController
        $translator->trans('flash.notice');
        $translator->trans('flash.info');

+        $translator->trans('validator.noLockout');
+
    }
 }
--- a/src/Entity/UserSystem/Group.php
+++ b/src/Entity/UserSystem/Group.php
@ -33,6 +33,7 @@ namespace App\Entity\UserSystem;

 use App\Entity\Base\StructuralDBElement;
 use App\Security\Interfaces\HasPermissionsInterface;
+use App\Validator\Constraints\ValidPermission;
 use Doctrine\ORM\Mapping as ORM;

 /**
@ -61,6 +62,7 @@ class Group extends StructuralDBElement implements HasPermissionsInterface

    /** @var PermissionsEmbed
     * @ORM\Embedded(class="PermissionsEmbed", columnPrefix="perms_")
+     * @ValidPermission()
     */
    protected $permissions;

--- a/src/Form/Permissions/PermissionsType.php
+++ b/src/Form/Permissions/PermissionsType.php
@ -33,10 +33,12 @@ namespace App\Form\Permissions;


 use App\Services\PermissionResolver;
+use App\Validator\Constraints\NoLockout;
 use Symfony\Component\Form\AbstractType;
 use Symfony\Component\Form\FormBuilderInterface;
 use Symfony\Component\Form\FormInterface;
 use Symfony\Component\Form\FormView;
+use Symfony\Component\OptionsResolver\Options;
 use Symfony\Component\OptionsResolver\OptionsResolver;

 class PermissionsType extends AbstractType
@ -54,8 +56,16 @@ class PermissionsType extends AbstractType
    public function configureOptions(OptionsResolver $resolver)
    {
        $resolver->setDefaults([
-            'show_legend' => true
+            'show_legend' => true,
+            'constraints' => function (Options $options) {
+                if (!$options['disabled']) {
+                    return [new NoLockout()];
+                }
+                return [];
+            }
        ]);
+
+
    }

    public function buildView(FormView $view, FormInterface $form, array $options)
--- a/src/Repository/UserRepository.php
+++ b/src/Repository/UserRepository.php
@ -19,6 +19,17 @@ class UserRepository extends ServiceEntityRepository
        parent::__construct($registry, User::class);
    }

+    /**
+     * Returns the anonymous user
+     * @return User|null
+     */
+    public function getAnonymousUser()
+    {
+        return $this->findOneBy([
+                'id' => User::ID_ANONYMOUS
+            ]);
+    }
+
    // /**
    //  * @return User[] Returns an array of User objects
    //  */
--- a/src/Validator/Constraints/NoLockout.php
+++ b/src/Validator/Constraints/NoLockout.php
@ -0,0 +1,44 @@
+<?php
+/**
+ *
+ * part-db version 0.1
+ * Copyright (C) 2005 Christoph Lechner
+ * http://www.cl-projects.de/
+ *
+ * part-db version 0.2+
+ * Copyright (C) 2009 K. Jacobs and others (see authors.php)
+ * http://code.google.com/p/part-db/
+ *
+ * Part-DB Version 0.4+
+ * Copyright (C) 2016 - 2019 Jan Böhmer
+ * https://github.com/jbtronics
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License
+ * as published by the Free Software Foundation; either version 2
+ * of the License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA
+ *
+ */
+
+namespace App\Validator\Constraints;
+
+
+use Symfony\Component\Validator\Constraint;
+
+/**
+ * This constraint restricts a user in that way that it can not lock itself out of the user system
+ * @package App\Validator\Constraints
+ */
+class NoLockout extends Constraint
+{
+    public $message = "validator.noLockout";
+}
--- a/src/Validator/Constraints/NoLockoutValidator.php
+++ b/src/Validator/Constraints/NoLockoutValidator.php
@ -0,0 +1,94 @@
+<?php
+/**
+ *
+ * part-db version 0.1
+ * Copyright (C) 2005 Christoph Lechner
+ * http://www.cl-projects.de/
+ *
+ * part-db version 0.2+
+ * Copyright (C) 2009 K. Jacobs and others (see authors.php)
+ * http://code.google.com/p/part-db/
+ *
+ * Part-DB Version 0.4+
+ * Copyright (C) 2016 - 2019 Jan Böhmer
+ * https://github.com/jbtronics
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License
+ * as published by the Free Software Foundation; either version 2
+ * of the License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA
+ *
+ */
+
+namespace App\Validator\Constraints;
+
+
+use App\Entity\UserSystem\Group;
+use App\Entity\UserSystem\User;
+use App\Services\PermissionResolver;
+use Doctrine\ORM\EntityManager;
+use Doctrine\ORM\EntityManagerInterface;
+use Doctrine\ORM\Mapping\Entity;
+use Symfony\Component\Form\Exception\UnexpectedTypeException;
+use Symfony\Component\Security\Core\Security;
+use Symfony\Component\Validator\Constraint;
+use Symfony\Component\Validator\ConstraintValidator;
+
+class NoLockoutValidator extends ConstraintValidator
+{
+
+    protected $resolver;
+    protected $perm_structure;
+    protected $security;
+    protected $entityManager;
+
+    public function __construct(PermissionResolver $resolver, Security $security, EntityManagerInterface $entityManager)
+    {
+        $this->resolver = $resolver;
+        $this->perm_structure = $resolver->getPermissionStructure();
+        $this->security = $security;
+        $this->entityManager = $entityManager;
+    }
+
+    /**
+     * Checks if the passed value is valid.
+     *
+     * @param mixed $value The value that should be validated
+     * @param Constraint $constraint The constraint for the validation
+     */
+    public function validate($value, Constraint $constraint)
+    {
+        if (!$constraint instanceof NoLockout) {
+            throw new UnexpectedTypeException($constraint, NoLockout::class);
+        }
+
+
+        $perm_holder = $value;
+
+        //Prevent that a user revokes its own change_permission perm (prevent the user to lock out itself)
+        if ($perm_holder instanceof User || $perm_holder instanceof Group) {
+
+            $user = $this->security->getUser();
+
+            if ($user === null) {
+                $user = $this->entityManager->getRepository(User::class)->getAnonymousUser();
+            }
+
+            if ($user instanceof User) {
+                //Check if we the change_permission permission has changed from allow to disallow
+                if (($this->resolver->inherit($user, 'users', 'edit_permissions') ?? false) === false) {
+                    $this->context->addViolation($constraint->message);
+                }
+            }
+        }
+    }
+}