Hide trees in sidebar, if user does not have permission to show them (and protect the JSON endpoints)

config/permissions.yaml

@@ -207,6 +207,14 @@ perms: # Here comes a list with all Permission names (they have a perm_[name] co
         label: "perm.delete_logs"
         alsoSet: 'show_logs'
 
+  attachments:
+    label: "perm.part.attachments"
+    operations:
+      show_private:
+        label: "perm.attachments.show_private"
+      list_attachments:
+        label: "perm.attachments.list_attachments"
+
   self:
     label: "perm.self"
     operations:

src/Controller/TreeController.php

@@ -84,7 +84,11 @@ class TreeController extends AbstractController
      */
     public function categoryTree(?Category $category = null): JsonResponse
     {
-        $tree = $this->treeGenerator->getTreeView(Category::class, $category, 'list_parts_root');
+        if ($this->isGranted('@parts.read') && $this->isGranted('@categories.read')) {
+            $tree = $this->treeGenerator->getTreeView(Category::class, $category, 'list_parts_root');
+        } else {
+            return new JsonResponse("Access denied", 403);
+        }
 
         return new JsonResponse($tree);
     }
@@ -95,8 +99,11 @@ class TreeController extends AbstractController
      */
     public function footprintTree(?Footprint $footprint = null): JsonResponse
     {
-        $tree = $this->treeGenerator->getTreeView(Footprint::class, $footprint, 'list_parts_root');
-
+        if ($this->isGranted('@parts.read') && $this->isGranted('@footprints.read')) {
+            $tree = $this->treeGenerator->getTreeView(Footprint::class, $footprint, 'list_parts_root');
+        } else {
+            return new JsonResponse("Access denied", 403);
+        }
         return new JsonResponse($tree);
     }
 
@@ -106,7 +113,11 @@ class TreeController extends AbstractController
      */
     public function locationTree(?Storelocation $location = null): JsonResponse
     {
-        $tree = $this->treeGenerator->getTreeView(Storelocation::class, $location, 'list_parts_root');
+        if ($this->isGranted('@parts.read') && $this->isGranted('@storelocations.read')) {
+            $tree = $this->treeGenerator->getTreeView(Storelocation::class, $location, 'list_parts_root');
+        } else {
+            return new JsonResponse("Access denied", 403);
+        }
 
         return new JsonResponse($tree);
     }
@@ -117,7 +128,11 @@ class TreeController extends AbstractController
      */
     public function manufacturerTree(?Manufacturer $manufacturer = null): JsonResponse
     {
-        $tree = $this->treeGenerator->getTreeView(Manufacturer::class, $manufacturer, 'list_parts_root');
+        if ($this->isGranted('@parts.read') && $this->isGranted('@manufacturers.read')) {
+            $tree = $this->treeGenerator->getTreeView(Manufacturer::class, $manufacturer, 'list_parts_root');
+        } else {
+            return new JsonResponse("Access denied", 403);
+        }
 
         return new JsonResponse($tree);
     }
@@ -128,7 +143,9 @@ class TreeController extends AbstractController
      */
     public function supplierTree(?Supplier $supplier = null): JsonResponse
     {
-        $tree = $this->treeGenerator->getTreeView(Supplier::class, $supplier, 'list_parts_root');
+        if ($this->isGranted('@parts.read') && $this->isGranted('@suppliers.read')) {
+            $tree = $this->treeGenerator->getTreeView(Supplier::class, $supplier, 'list_parts_root');
+        }
 
         return new JsonResponse($tree);
     }
@@ -139,7 +156,11 @@ class TreeController extends AbstractController
      */
     public function deviceTree(?Device $device = null): JsonResponse
     {
-        $tree = $this->treeGenerator->getTreeView(Device::class, $device, 'devices');
+        if ($this->isGranted('@devices.read')) {
+            $tree = $this->treeGenerator->getTreeView(Device::class, $device, 'devices');
+        } else {
+            return new JsonResponse("Access denied", 403);
+        }
 
         return new JsonResponse($tree);
     }

src/Security/Voter/ExtendedVoter.php

@@ -72,7 +72,7 @@ abstract class ExtendedVoter extends Voter
             return false;
         }
 
-        // if the user is anonymous, we use the anonymous user.
+        // if the user is anonymous (meaning $user is null), we use the anonymous user.
         if (!$user instanceof User) {
             /** @var UserRepository $repo */
             $repo = $this->entityManager->getRepository(User::class);

src/Services/Trees/ToolsTreeBuilder.php

@@ -247,7 +247,7 @@ class ToolsTreeBuilder
             $this->urlGenerator->generate('parts_show_all')
         ))->setIcon('fa-fw fa-treeview fa-solid fa-globe');
 
-        if ($this->security->isGranted('read', new PartAttachment())) {
+        if ($this->security->isGranted('@attachments.list_attachments')) {
             $show_nodes[] = (new TreeViewNode(
                 $this->translator->trans('tree.tools.show.all_attachments'),
                 $this->urlGenerator->generate('attachment_list')

templates/components/tree_macros.html.twig

@@ -1,13 +1,13 @@
 {% macro sidebar_dropdown() %}
-    {# Format is [mode, route, label] #}
+    {# Format is [mode, route, label, show_condition] #}
     {% set data_sources = [
-        ['categories', path('tree_category_root'), 'category.labelp'],
-        ['locations', path('tree_location_root'), 'storelocation.labelp'],
-        ['footprints', path('tree_footprint_root'), 'footprint.labelp'],
-        ['manufacturers', path('tree_manufacturer_root'), 'manufacturer.labelp'],
-        ['suppliers', path('tree_supplier_root'), 'supplier.labelp'],
-        ['devices', path('tree_device_root'), 'device.labelp'],
-        ['tools', path('tree_tools'), 'tools.label'],
+        ['categories', path('tree_category_root'), 'category.labelp', is_granted('@categories.read') and is_granted('@parts.read')],
+        ['locations', path('tree_location_root'), 'storelocation.labelp', is_granted('@storelocations.read') and is_granted('@parts.read')],
+        ['footprints', path('tree_footprint_root'), 'footprint.labelp', is_granted('@footprints.read') and is_granted('@parts.read')],
+        ['manufacturers', path('tree_manufacturer_root'), 'manufacturer.labelp', is_granted('@manufacturers.read') and is_granted('@parts.read')],
+        ['suppliers', path('tree_supplier_root'), 'supplier.labelp', is_granted('@suppliers.read') and is_granted('@parts.read')],
+        ['devices', path('tree_device_root'), 'device.labelp', is_granted('@devices.read')],
+        ['tools', path('tree_tools'), 'tools.label', true],
     ] %}
 
     <li class="dropdown-header">{% trans %}actions{% endtrans %}</li>
@@ -17,9 +17,11 @@
     <li class="dropdown-header">{% trans %}datasource{% endtrans %}</li>
 
     {% for source in data_sources %}
-        <li><button class="tree-btns dropdown-item" data-mode="{{ source[0] }}" data-url="{{ source[1] }}" data-text="{{ source[2] | trans }}"
-                    {{ stimulus_action('elements/sidebar_tree', 'changeDataSource')  }}
-            >{{ source[2] | trans }}</button></li>
+        {% if source[3] %} {# show_condition #}
+            <li><button class="tree-btns dropdown-item" data-mode="{{ source[0] }}" data-url="{{ source[1] }}" data-text="{{ source[2] | trans }}"
+                        {{ stimulus_action('elements/sidebar_tree', 'changeDataSource')  }}
+                >{{ source[2] | trans }}</button></li>
+        {% endif %}
     {% endfor %}
 {% endmacro %}
 
@@ -28,7 +30,7 @@
         <div class="input-group input-group-sm mb-2 mt-1">
             <button class="btn btn-light dropdown-toggle" type="button"
                     data-bs-toggle="dropdown" aria-haspopup="true" aria-expanded="false"
-            ><span class="sidebar-title" {{ stimulus_target('elements/sidebar_tree', 'sourceText') }}>Loading...</span></button>
+            ><span class="sidebar-title" {{ stimulus_target('elements/sidebar_tree', 'sourceText') }}>Loading... / Access Denied</span></button>
             <ul class="dropdown-menu" aria-labelledby="dropdownCat">
                 {{ _self.sidebar_dropdown('tree-categories') }}
             </ul>