mirror/Part-DB.Part-DB-server
1
0
Fork 1
mirror of https://github.com/Part-DB/Part-DB-server.git synced 2025-06-23 10:18:56 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions 5

Added permissions to control access to info providers and oauth tokens

Browse source
This commit is contained in:
Jan Böhmer 2023-07-16 20:33:24 +02:00
parent 7bbf612394
commit b3b205cd6e
9 changed files with 72 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

9
config/permissions.yaml
View file

@ -139,6 +139,13 @@ perms: # Here comes a list with all Permission names (they have a perm_[name] co
ic_logos: ic_logos:
label: "perm.tools.ic_logos" label: "perm.tools.ic_logos"
info_providers:
label: "perm.part.info_providers"
operations:
create_parts:
label: "perm.part.info_providers.create_parts"
alsoSet: ['parts.create']
groups: groups:
label: "perm.groups" label: "perm.groups"
group: "system" group: "system"
@ -242,6 +249,8 @@ perms: # Here comes a list with all Permission names (they have a perm_[name] co
alsoSet: 'show_logs' alsoSet: 'show_logs'
server_infos: server_infos:
label: "perm.server_infos" label: "perm.server_infos"
manage_oauth_tokens:
label: "Manage OAuth tokens"
attachments: attachments:
label: "perm.part.attachments" label: "perm.part.attachments"

5
src/Controller/InfoProviderController.php
View file

@ -51,6 +51,8 @@ class InfoProviderController extends AbstractController
#[Route('/providers', name: 'info_providers_list')] #[Route('/providers', name: 'info_providers_list')]
public function listProviders(): Response public function listProviders(): Response
{ {
$this->denyAccessUnlessGranted('@info_providers.create_parts');
return $this->render('info_providers/providers_list/providers_list.html.twig', [ return $this->render('info_providers/providers_list/providers_list.html.twig', [
'active_providers' => $this->providerRegistry->getActiveProviders(), 'active_providers' => $this->providerRegistry->getActiveProviders(),
'disabled_providers' => $this->providerRegistry->getDisabledProviders(), 'disabled_providers' => $this->providerRegistry->getDisabledProviders(),
@ -60,6 +62,8 @@ class InfoProviderController extends AbstractController
#[Route('/search', name: 'info_providers_search')] #[Route('/search', name: 'info_providers_search')]
public function search(Request $request): Response public function search(Request $request): Response
{ {
$this->denyAccessUnlessGranted('@info_providers.create_parts');
$form = $this->createForm(PartSearchType::class); $form = $this->createForm(PartSearchType::class);
$form->handleRequest($request); $form->handleRequest($request);
@ -82,6 +86,7 @@ class InfoProviderController extends AbstractController
public function createPart(Request $request, EntityManagerInterface $em, TranslatorInterface $translator, public function createPart(Request $request, EntityManagerInterface $em, TranslatorInterface $translator,
AttachmentSubmitHandler $attachmentSubmitHandler, string $providerKey, string $providerId): Response AttachmentSubmitHandler $attachmentSubmitHandler, string $providerKey, string $providerId): Response
{ {
$this->denyAccessUnlessGranted('@info_providers.create_parts');
$new_part = $this->infoRetriever->createPart($providerKey, $providerId); $new_part = $this->infoRetriever->createPart($providerKey, $providerId);

4
src/Controller/OAuthClientController.php
View file

@ -43,6 +43,8 @@ class OAuthClientController extends AbstractController
#[Route('/{name}/connect', name: 'oauth_client_connect')] #[Route('/{name}/connect', name: 'oauth_client_connect')]
public function connect(string $name): Response public function connect(string $name): Response
{ {
$this->denyAccessUnlessGranted('@system.manage_oauth_tokens');
return $this->clientRegistry return $this->clientRegistry
->getClient($name) // key used in config/packages/knpu_oauth2_client.yaml ->getClient($name) // key used in config/packages/knpu_oauth2_client.yaml
->redirect(); ->redirect();
@ -51,6 +53,8 @@ class OAuthClientController extends AbstractController
#[Route('/{name}/check', name: 'oauth_client_check')] #[Route('/{name}/check', name: 'oauth_client_check')]
public function check(string $name, Request $request): Response public function check(string $name, Request $request): Response
{ {
$this->denyAccessUnlessGranted('@system.manage_oauth_tokens');
$client = $this->clientRegistry->getClient($name); $client = $this->clientRegistry->getClient($name);
$access_token = $client->getAccessToken(); $access_token = $client->getAccessToken();

2
src/Entity/UserSystem/PermissionData.php
View file

@ -43,7 +43,7 @@ final class PermissionData implements \JsonSerializable
/** /**
* The current schema version of the permission data * The current schema version of the permission data
*/ */
public const CURRENT_SCHEMA_VERSION = 2; public const CURRENT_SCHEMA_VERSION = 3;
/** /**
* Creates a new Permission Data Instance using the given data. * Creates a new Permission Data Instance using the given data.

7
src/Services/Trees/ToolsTreeBuilder.php
View file

@ -133,6 +133,13 @@ class ToolsTreeBuilder
))->setIcon('fa-treeview fa-fw fa-solid fa-file-import'); ))->setIcon('fa-treeview fa-fw fa-solid fa-file-import');
} }
if ($this->security->isGranted('@info_providers.create_parts')) {
$nodes[] = (new TreeViewNode(
$this->translator->trans('info_providers.search.title'),
$this->urlGenerator->generate('info_providers_search')
))->setIcon('fa-treeview fa-fw fa-solid fa-cloud-arrow-down');
}
return $nodes; return $nodes;
} }

6
src/Services/UserSystem/PermissionPresetsHelper.php
View file

@ -105,6 +105,9 @@ class PermissionPresetsHelper
$this->permissionResolver->setAllOperationsOfPermission($perm_holder, 'suppliers', PermissionData::ALLOW); $this->permissionResolver->setAllOperationsOfPermission($perm_holder, 'suppliers', PermissionData::ALLOW);
$this->permissionResolver->setAllOperationsOfPermission($perm_holder, 'projects', PermissionData::ALLOW); $this->permissionResolver->setAllOperationsOfPermission($perm_holder, 'projects', PermissionData::ALLOW);
//Allow to manage Oauth tokens
$this->permissionResolver->setPermission($perm_holder, 'system', 'manage_oauth_tokens', PermissionData::ALLOW);
} }
private function editor(HasPermissionsInterface $permHolder): HasPermissionsInterface private function editor(HasPermissionsInterface $permHolder): HasPermissionsInterface
@ -139,6 +142,9 @@ class PermissionPresetsHelper
//Various other permissions //Various other permissions
$this->permissionResolver->setPermission($permHolder, 'tools', 'lastActivity', PermissionData::ALLOW); $this->permissionResolver->setPermission($permHolder, 'tools', 'lastActivity', PermissionData::ALLOW);
//Allow to create parts from information providers
$this->permissionResolver->setPermission($permHolder, 'info_providers', 'create_parts', PermissionData::ALLOW);
return $permHolder; return $permHolder;
} }

9
src/Services/UserSystem/PermissionSchemaUpdater.php
View file

@ -138,4 +138,13 @@ class PermissionSchemaUpdater
$holder->getPermissions()->removePermission('devices'); $holder->getPermissions()->removePermission('devices');
} }
} }
private function upgradeSchemaToVersion3(HasPermissionsInterface $holder): void //@phpstan-ignore-line This is called via reflection
{
//If the info_providers permissions are not defined yet, set it if the user can create parts
if (!$holder->getPermissions()->isAnyOperationOfPermissionSet('info_providers')) {
$user_can_create_parts = $holder->getPermissions()->getPermissionValue('parts', 'create');
$holder->getPermissions()->setPermissionValue('info_providers', 'create_parts', $user_can_create_parts);
}
}
} }

13
tests/Services/UserSystem/PermissionSchemaUpdaterTest.php
View file

@ -110,4 +110,17 @@ class PermissionSchemaUpdaterTest extends WebTestCase
self::assertEquals(PermissionData::INHERIT, $user->getPermissions()->getPermissionValue('projects', 'edit')); self::assertEquals(PermissionData::INHERIT, $user->getPermissions()->getPermissionValue('projects', 'edit'));
self::assertEquals(PermissionData::DISALLOW, $user->getPermissions()->getPermissionValue('projects', 'delete')); self::assertEquals(PermissionData::DISALLOW, $user->getPermissions()->getPermissionValue('projects', 'delete'));
} }
public function testUpgradeSchemaToVersion3(): void
{
$perm_data = new PermissionData();
$perm_data->setSchemaVersion(2);
$perm_data->setPermissionValue('parts', 'create', PermissionData::ALLOW);
$user = new TestPermissionHolder($perm_data);
//After the upgrade the user should be allowed to create parts from info providers
self::assertTrue($this->service->upgradeSchema($user, 3));
self::assertEquals(PermissionData::ALLOW, $user->getPermissions()->getPermissionValue('info_providers', 'create_parts'));
}
} }

18
translations/messages.en.xlf
View file

@ -11543,5 +11543,23 @@ Please note, that you can not impersonate a disabled user. If you try you will g
<target>Create parts from info provider</target> <target>Create parts from info provider</target>
</segment> </segment>
</unit> </unit>
<unit id="8w3P1gW" name="oauth_client.flash.connection_successful">
<segment>
<source>oauth_client.flash.connection_successful</source>
<target>Connected to OAuth application successfully!</target>
</segment>
</unit>
<unit id="9ULD.eH" name="perm.part.info_providers">
<segment>
<source>perm.part.info_providers</source>
<target>Info providers</target>
</segment>
</unit>
<unit id="En713bs" name="perm.part.info_providers.create_parts">
<segment>
<source>perm.part.info_providers.create_parts</source>
<target>Create parts from info provider</target>
</segment>
</unit>
</file> </file>
</xliff> </xliff>