Added permissions to control access to info providers and oauth tokens

2025-07-16 05:14:35 +02:00 · 2023-07-16 20:33:24 +02:00 · 2023-07-16 20:33:24 +02:00 · b3b205cd6e
commit b3b205cd6e
parent 7bbf612394
9 changed files with 72 additions and 1 deletions
--- a/src/Controller/InfoProviderController.php
+++ b/src/Controller/InfoProviderController.php
@ -51,6 +51,8 @@ class InfoProviderController extends  AbstractController
    #[Route('/providers', name: 'info_providers_list')]
    public function listProviders(): Response
    {
+        $this->denyAccessUnlessGranted('@info_providers.create_parts');
+
        return $this->render('info_providers/providers_list/providers_list.html.twig', [
            'active_providers' => $this->providerRegistry->getActiveProviders(),
            'disabled_providers' => $this->providerRegistry->getDisabledProviders(),
@ -60,6 +62,8 @@ class InfoProviderController extends  AbstractController
    #[Route('/search', name: 'info_providers_search')]
    public function search(Request $request): Response
    {
+        $this->denyAccessUnlessGranted('@info_providers.create_parts');
+
        $form = $this->createForm(PartSearchType::class);
        $form->handleRequest($request);

@ -82,6 +86,7 @@ class InfoProviderController extends  AbstractController
    public function createPart(Request $request, EntityManagerInterface $em, TranslatorInterface $translator,
        AttachmentSubmitHandler $attachmentSubmitHandler, string $providerKey, string $providerId): Response
    {
+        $this->denyAccessUnlessGranted('@info_providers.create_parts');

        $new_part = $this->infoRetriever->createPart($providerKey, $providerId);

--- a/src/Controller/OAuthClientController.php
+++ b/src/Controller/OAuthClientController.php
@ -43,6 +43,8 @@ class OAuthClientController extends AbstractController
    #[Route('/{name}/connect', name: 'oauth_client_connect')]
    public function connect(string $name): Response
    {
+        $this->denyAccessUnlessGranted('@system.manage_oauth_tokens');
+
        return $this->clientRegistry
            ->getClient($name) // key used in config/packages/knpu_oauth2_client.yaml
            ->redirect();
@ -51,6 +53,8 @@ class OAuthClientController extends AbstractController
    #[Route('/{name}/check', name: 'oauth_client_check')]
    public function check(string $name, Request $request): Response
    {
+        $this->denyAccessUnlessGranted('@system.manage_oauth_tokens');
+
        $client = $this->clientRegistry->getClient($name);

        $access_token = $client->getAccessToken();
--- a/src/Entity/UserSystem/PermissionData.php
+++ b/src/Entity/UserSystem/PermissionData.php
@ -43,7 +43,7 @@ final class PermissionData implements \JsonSerializable
    /**
     * The current schema version of the permission data
     */
-    public const CURRENT_SCHEMA_VERSION = 2;
+    public const CURRENT_SCHEMA_VERSION = 3;

    /**
     * Creates a new Permission Data Instance using the given data.
--- a/src/Services/Trees/ToolsTreeBuilder.php
+++ b/src/Services/Trees/ToolsTreeBuilder.php
@ -133,6 +133,13 @@ class ToolsTreeBuilder
            ))->setIcon('fa-treeview fa-fw fa-solid fa-file-import');
        }

+        if ($this->security->isGranted('@info_providers.create_parts')) {
+            $nodes[] = (new TreeViewNode(
+                $this->translator->trans('info_providers.search.title'),
+                $this->urlGenerator->generate('info_providers_search')
+            ))->setIcon('fa-treeview fa-fw fa-solid fa-cloud-arrow-down');
+        }
+
        return $nodes;
    }

--- a/src/Services/UserSystem/PermissionPresetsHelper.php
+++ b/src/Services/UserSystem/PermissionPresetsHelper.php
@ -105,6 +105,9 @@ class PermissionPresetsHelper
        $this->permissionResolver->setAllOperationsOfPermission($perm_holder, 'suppliers', PermissionData::ALLOW);
        $this->permissionResolver->setAllOperationsOfPermission($perm_holder, 'projects', PermissionData::ALLOW);

+        //Allow to manage Oauth tokens
+        $this->permissionResolver->setPermission($perm_holder, 'system', 'manage_oauth_tokens', PermissionData::ALLOW);
+
    }

    private function editor(HasPermissionsInterface $permHolder): HasPermissionsInterface
@ -139,6 +142,9 @@ class PermissionPresetsHelper
        //Various other permissions
        $this->permissionResolver->setPermission($permHolder, 'tools', 'lastActivity', PermissionData::ALLOW);

+        //Allow to create parts from information providers
+        $this->permissionResolver->setPermission($permHolder, 'info_providers', 'create_parts', PermissionData::ALLOW);
+

        return $permHolder;
    }
--- a/src/Services/UserSystem/PermissionSchemaUpdater.php
+++ b/src/Services/UserSystem/PermissionSchemaUpdater.php
@ -138,4 +138,13 @@ class PermissionSchemaUpdater
            $holder->getPermissions()->removePermission('devices');
        }
    }
+
+    private function upgradeSchemaToVersion3(HasPermissionsInterface $holder): void //@phpstan-ignore-line This is called via reflection
+    {
+        //If the info_providers permissions are not defined yet, set it if the user can create parts
+        if (!$holder->getPermissions()->isAnyOperationOfPermissionSet('info_providers')) {
+            $user_can_create_parts = $holder->getPermissions()->getPermissionValue('parts', 'create');
+            $holder->getPermissions()->setPermissionValue('info_providers', 'create_parts', $user_can_create_parts);
+        }
+    }
 }