Restrict part lot withdraw/add/move operations to the owner of a part lot

2025-06-21 01:25:55 +02:00 · 2023-04-02 23:35:18 +02:00 · 2023-04-02 23:35:18 +02:00 · a7ff690891
commit a7ff690891
parent 447b54fa4b
3 changed files with 59 additions and 18 deletions
--- a/src/Controller/PartController.php
+++ b/src/Controller/PartController.php
@ -55,8 +55,11 @@ use Symfony\Component\HttpFoundation\Request;
 use Symfony\Component\HttpFoundation\Response;
 use Symfony\Component\HttpKernel\Exception\BadRequestHttpException;
 use Symfony\Component\Routing\Annotation\Route;
+use Symfony\Component\Security\Core\Exception\AccessDeniedException;
 use Symfony\Contracts\Translation\TranslatorInterface;

+use function Symfony\Component\Translation\t;
+
 /**
 * @Route("/part")
 */
@ -360,23 +363,28 @@ class PartController extends AbstractController
            $action = $request->request->get('action');


-
-            switch ($action) {
-                case "withdraw":
-                case "remove":
-                    $this->denyAccessUnlessGranted('withdraw', $partLot);
-                    $withdrawAddHelper->withdraw($partLot, $amount, $comment);
-                    break;
-                case "add":
-                    $this->denyAccessUnlessGranted('add', $partLot);
-                    $withdrawAddHelper->add($partLot, $amount, $comment);
-                    break;
-                case "move":
-                    $this->denyAccessUnlessGranted('move', $partLot);
-                    $withdrawAddHelper->move($partLot, $targetLot, $amount, $comment);
-                    break;
-                default:
-                    throw new \RuntimeException("Unknown action!");
+            try {
+                switch ($action) {
+                    case "withdraw":
+                    case "remove":
+                        $this->denyAccessUnlessGranted('withdraw', $partLot);
+                        $withdrawAddHelper->withdraw($partLot, $amount, $comment);
+                        break;
+                    case "add":
+                        $this->denyAccessUnlessGranted('add', $partLot);
+                        $withdrawAddHelper->add($partLot, $amount, $comment);
+                        break;
+                    case "move":
+                        $this->denyAccessUnlessGranted('move', $partLot);
+                        $this->denyAccessUnlessGranted('move', $targetLot);
+                        $withdrawAddHelper->move($partLot, $targetLot, $amount, $comment);
+                        break;
+                    default:
+                        throw new \RuntimeException("Unknown action!");
+                }
+            } catch (AccessDeniedException $exception) {
+                $this->addFlash('error', t('part.withdraw.access_denied'));
+                goto err;
            }

            //Save the changes to the DB
@ -387,6 +395,7 @@ class PartController extends AbstractController
            $this->addFlash('error', 'CSRF Token invalid!');
        }

+        err:
        //If an redirect was passed, then redirect there
        if($request->request->get('_redirect')) {
            return $this->redirect($request->request->get('_redirect'));
--- a/src/Security/Voter/PartLotVoter.php
+++ b/src/Security/Voter/PartLotVoter.php
@ -67,7 +67,15 @@ class PartLotVoter extends ExtendedVoter

        if (in_array($attribute, ['withdraw', 'add', 'move']))
        {
-            return $this->resolver->inherit($user, 'parts_stock', $attribute) ?? false;
+            $base_permission = $this->resolver->inherit($user, 'parts_stock', $attribute) ?? false;
+
+            $lot_permission = true;
+            //If the lot has an owner, we need to check if the user is the owner of the lot to be allowed to withdraw it.
+            if ($subject instanceof PartLot && $subject->getOwner()) {
+                $lot_permission = $subject->getOwner() === $user || $subject->getOwner()->getID() === $user->getID();
+            }
+
+            return $base_permission && $lot_permission;
        }

        switch ($attribute) {
--- a/translations/messages.en.xlf
+++ b/translations/messages.en.xlf
@ -11229,5 +11229,29 @@ Element 3</target>
        <target>Only the owner can withdraw or add stock to this lot.</target>
      </segment>
    </unit>
+    <unit id="61.yfNy" name="log.element_edited.changed_fields.owner">
+      <segment>
+        <source>log.element_edited.changed_fields.owner</source>
+        <target>Owner</target>
+      </segment>
+    </unit>
+    <unit id="YkZAIS8" name="log.element_edited.changed_fields.instock_unknown">
+      <segment>
+        <source>log.element_edited.changed_fields.instock_unknown</source>
+        <target>Amount unknown</target>
+      </segment>
+    </unit>
+    <unit id="xf7NNZ9" name="log.element_edited.changed_fields.needs_refill">
+      <segment>
+        <source>log.element_edited.changed_fields.needs_refill</source>
+        <target>Refill needed</target>
+      </segment>
+    </unit>
+    <unit id="Gfw_MWL" name="part.withdraw.access_denied">
+      <segment>
+        <source>part.withdraw.access_denied</source>
+        <target>Not allowed to do the desired action. Please check your permissions and the owner of the part lots.</target>
+      </segment>
+    </unit>
  </file>
 </xliff>