mirror of
https://github.com/Part-DB/Part-DB-server.git
synced 2025-06-21 09:35:49 +02:00
Restrict part lot withdraw/add/move operations to the owner of a part lot
This commit is contained in:
Jan Böhmer
parent
447b54fa4b
commit
a7ff690891
3 changed files with 59 additions and 18 deletions
|
|
@ -55,8 +55,11 @@ use Symfony\Component\HttpFoundation\Request;
|
||||||
use Symfony\Component\HttpFoundation\Response;
|
use Symfony\Component\HttpFoundation\Response;
|
||||||
use Symfony\Component\HttpKernel\Exception\BadRequestHttpException;
|
use Symfony\Component\HttpKernel\Exception\BadRequestHttpException;
|
||||||
use Symfony\Component\Routing\Annotation\Route;
|
use Symfony\Component\Routing\Annotation\Route;
|
||||||
|
use Symfony\Component\Security\Core\Exception\AccessDeniedException;
|
||||||
use Symfony\Contracts\Translation\TranslatorInterface;
|
use Symfony\Contracts\Translation\TranslatorInterface;
|
||||||
|
|
||||||
|
use function Symfony\Component\Translation\t;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* @Route("/part")
|
* @Route("/part")
|
||||||
*/
|
*/
|
||||||
|
|
@ -360,23 +363,28 @@ class PartController extends AbstractController
|
||||||
$action = $request->request->get('action');
|
$action = $request->request->get('action');
|
||||||
|
|
||||||
|
|
||||||
|
try {
|
||||||
switch ($action) {
|
switch ($action) {
|
||||||
case "withdraw":
|
case "withdraw":
|
||||||
case "remove":
|
case "remove":
|
||||||
$this->denyAccessUnlessGranted('withdraw', $partLot);
|
$this->denyAccessUnlessGranted('withdraw', $partLot);
|
||||||
$withdrawAddHelper->withdraw($partLot, $amount, $comment);
|
$withdrawAddHelper->withdraw($partLot, $amount, $comment);
|
||||||
break;
|
break;
|
||||||
case "add":
|
case "add":
|
||||||
$this->denyAccessUnlessGranted('add', $partLot);
|
$this->denyAccessUnlessGranted('add', $partLot);
|
||||||
$withdrawAddHelper->add($partLot, $amount, $comment);
|
$withdrawAddHelper->add($partLot, $amount, $comment);
|
||||||
break;
|
break;
|
||||||
case "move":
|
case "move":
|
||||||
$this->denyAccessUnlessGranted('move', $partLot);
|
$this->denyAccessUnlessGranted('move', $partLot);
|
||||||
$withdrawAddHelper->move($partLot, $targetLot, $amount, $comment);
|
$this->denyAccessUnlessGranted('move', $targetLot);
|
||||||
break;
|
$withdrawAddHelper->move($partLot, $targetLot, $amount, $comment);
|
||||||
default:
|
break;
|
||||||
throw new \RuntimeException("Unknown action!");
|
default:
|
||||||
|
throw new \RuntimeException("Unknown action!");
|
||||||
|
}
|
||||||
|
} catch (AccessDeniedException $exception) {
|
||||||
|
$this->addFlash('error', t('part.withdraw.access_denied'));
|
||||||
|
goto err;
|
||||||
}
|
}
|
||||||
|
|
||||||
//Save the changes to the DB
|
//Save the changes to the DB
|
||||||
|
|
@ -387,6 +395,7 @@ class PartController extends AbstractController
|
||||||
$this->addFlash('error', 'CSRF Token invalid!');
|
$this->addFlash('error', 'CSRF Token invalid!');
|
||||||
}
|
}
|
||||||
|
|
||||||
|
err:
|
||||||
//If an redirect was passed, then redirect there
|
//If an redirect was passed, then redirect there
|
||||||
if($request->request->get('_redirect')) {
|
if($request->request->get('_redirect')) {
|
||||||
return $this->redirect($request->request->get('_redirect'));
|
return $this->redirect($request->request->get('_redirect'));
|
||||||
|
|
|
||||||
|
|
@ -67,7 +67,15 @@ class PartLotVoter extends ExtendedVoter
|
||||||
|
|
||||||
if (in_array($attribute, ['withdraw', 'add', 'move']))
|
if (in_array($attribute, ['withdraw', 'add', 'move']))
|
||||||
{
|
{
|
||||||
return $this->resolver->inherit($user, 'parts_stock', $attribute) ?? false;
|
$base_permission = $this->resolver->inherit($user, 'parts_stock', $attribute) ?? false;
|
||||||
|
|
||||||
|
$lot_permission = true;
|
||||||
|
//If the lot has an owner, we need to check if the user is the owner of the lot to be allowed to withdraw it.
|
||||||
|
if ($subject instanceof PartLot && $subject->getOwner()) {
|
||||||
|
$lot_permission = $subject->getOwner() === $user || $subject->getOwner()->getID() === $user->getID();
|
||||||
|
}
|
||||||
|
|
||||||
|
return $base_permission && $lot_permission;
|
||||||
}
|
}
|
||||||
|
|
||||||
switch ($attribute) {
|
switch ($attribute) {
|
||||||
|
|
|
||||||
|
|
@ -11229,5 +11229,29 @@ Element 3</target>
|
||||||
<target>Only the owner can withdraw or add stock to this lot.</target>
|
<target>Only the owner can withdraw or add stock to this lot.</target>
|
||||||
</segment>
|
</segment>
|
||||||
</unit>
|
</unit>
|
||||||
|
<unit id="61.yfNy" name="log.element_edited.changed_fields.owner">
|
||||||
|
<segment>
|
||||||
|
<source>log.element_edited.changed_fields.owner</source>
|
||||||
|
<target>Owner</target>
|
||||||
|
</segment>
|
||||||
|
</unit>
|
||||||
|
<unit id="YkZAIS8" name="log.element_edited.changed_fields.instock_unknown">
|
||||||
|
<segment>
|
||||||
|
<source>log.element_edited.changed_fields.instock_unknown</source>
|
||||||
|
<target>Amount unknown</target>
|
||||||
|
</segment>
|
||||||
|
</unit>
|
||||||
|
<unit id="xf7NNZ9" name="log.element_edited.changed_fields.needs_refill">
|
||||||
|
<segment>
|
||||||
|
<source>log.element_edited.changed_fields.needs_refill</source>
|
||||||
|
<target>Refill needed</target>
|
||||||
|
</segment>
|
||||||
|
</unit>
|
||||||
|
<unit id="Gfw_MWL" name="part.withdraw.access_denied">
|
||||||
|
<segment>
|
||||||
|
<source>part.withdraw.access_denied</source>
|
||||||
|
<target>Not allowed to do the desired action. Please check your permissions and the owner of the part lots.</target>
|
||||||
|
</segment>
|
||||||
|
</unit>
|
||||||
</file>
|
</file>
|
||||||
</xliff>
|
</xliff>
|
||||||
|
|
|
||||||
Loading…
Add table
Add a link
Reference in a new issue