diff --git a/config/permissions.yaml b/config/permissions.yaml
index fc315f7f..bd5b8181 100644
--- a/config/permissions.yaml
+++ b/config/permissions.yaml
@@ -187,6 +187,10 @@ perms: # Here comes a list with all Permission names (they have a perm_[name] co
 label: "perm.revert_elements"
 bit: 10
 alsoSet: ["read", "edit", "create", "delete", "show_history"]
+ show_private:
+ label: "perm.attachment_show_private"
+ bit: 12
+ alsoSet: ["read"]

 parts_order:
 <<: *PART_ATTRIBUTE
diff --git a/src/Controller/AttachmentFileController.php b/src/Controller/AttachmentFileController.php
index bf0ab2e3..b2683e12 100644
--- a/src/Controller/AttachmentFileController.php
+++ b/src/Controller/AttachmentFileController.php
@@ -69,6 +69,10 @@ class AttachmentFileController extends AbstractController
 {
 $this->denyAccessUnlessGranted('read', $attachment);
 
+ if ($attachment->isSecure()) {
+ $this->denyAccessUnlessGranted('show_private', $attachment);
+ }
+
 if ($attachment->isExternal()) {
 throw new RuntimeException('You can not download external attachments!');
 }
@@ -97,6 +101,10 @@ class AttachmentFileController extends AbstractController
 {
 $this->denyAccessUnlessGranted('read', $attachment);
 
+ if ($attachment->isSecure()) {
+ $this->denyAccessUnlessGranted('show_private', $attachment);
+ }
+
 if ($attachment->isExternal()) {
 throw new RuntimeException('You can not download external attachments!');
 }
diff --git a/src/Form/AttachmentFormType.php b/src/Form/AttachmentFormType.php
index 0dc1c14f..858d2a00 100644
--- a/src/Form/AttachmentFormType.php
+++ b/src/Form/AttachmentFormType.php
@@ -57,6 +57,7 @@
 use Symfony\Component\Form\FormEvent;
 use Symfony\Component\Form\FormEvents;
 use Symfony\Component\OptionsResolver\OptionsResolver;
 use Symfony\Component\Routing\Generator\UrlGeneratorInterface;
+use Symfony\Component\Security\Core\Security;
 use Symfony\Component\Validator\Constraints\File;
 use Symfony\Component\Validator\Constraints\Url;
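Review bot: The permission group this `show_private` entry belongs to is outside the hunk; the form type checks it as `@parts_attachments.show_private`, so the entry presumably has to sit in the parts_attachments group — worth confirming, because a key placed in another group would make that check silently false. `bit: 12` jumps past the sibling `bit: 10`; if bit 11 is already taken elsewhere in the group the gap is fine, but a duplicate bit would alias two permissions in whatever bitmask these bits are stored in, so check the group's other entries.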
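Review bot: The new `denyAccessUnlessGranted('show_private', $attachment)` guard (here and again in the @@ -97 hunk) depends on the attachment voter understanding the `show_private` attribute for an attachment object, and this diff touches no voter; if the voter derives attributes from the keys in config/permissions.yaml generically this is fine, otherwise it abstains and every secure download is denied, including for users who hold the new permission. The guard is also duplicated verbatim between the two download actions, so a small private helper called from both would keep them from drifting apart. Both enclosing methods start outside the hunk.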
@@ -65,13 +66,15 @@ class AttachmentFormType extends AbstractType
 protected $attachment_helper;
 protected $urlGenerator;
 protected $allow_attachments_download;
+ protected $security;

 public function __construct(AttachmentManager $attachmentHelper,
- UrlGeneratorInterface $urlGenerator, bool $allow_attachments_downloads)
+ UrlGeneratorInterface $urlGenerator, Security $security, bool $allow_attachments_downloads)
 {
 $this->attachment_helper = $attachmentHelper;
 $this->urlGenerator = $urlGenerator;
 $this->allow_attachments_download = $allow_attachments_downloads;
+ $this->security = $security;
 }

 public function buildForm(FormBuilderInterface $builder, array $options): void
@@ -103,6 +106,7 @@ class AttachmentFormType extends AbstractType
 'required' => false,
 'label' => 'attachment.edit.secure_file',
 'mapped' => false,
+ 'disabled' => !$this->security->isGranted('@parts_attachments.show_private'),
 'attr' => [
 'class' => 'form-control-sm',
 ],
diff --git a/templates/AdminPages/_attachments.html.twig b/templates/AdminPages/_attachments.html.twig
index 81eaadd1..7d9df5e7 100644
--- a/templates/AdminPages/_attachments.html.twig
+++ b/templates/AdminPages/_attachments.html.twig
@@ -42,7 +42,9 @@
 {% endif %}
- {% if attach.picture %}
+ {% if attach.secure and not is_granted('show_private', attach) %}
+ {# Leave blank #}
+ {% elseif attach.picture %}
 {% trans %}attachment.preview.alt{% endtrans %}
diff --git a/templates/Parts/edit/_attachments.html.twig b/templates/Parts/edit/_attachments.html.twig
index 4a9b86fd..377d317d 100644
--- a/templates/Parts/edit/_attachments.html.twig
+++ b/templates/Parts/edit/_attachments.html.twig
@@ -40,7 +40,9 @@
 {% endif %}
- {% if attach.picture %}
+ {% if attach.secure and not is_granted('show_private', attach) %}
+ {# Leave blank #}
+ {% elseif attach.picture %}
 {% trans %}attachment.preview.alt{% endtrans %}
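Review bot: `'disabled' => !$this->security->isGranted('@parts_attachments.show_private')` in the @@ -103 hunk checks the global permission, while the controller and templates check `show_private` against the individual attachment; if the attachment voter applies any per-object rule, the form can enable the secure checkbox for a user whose download of that same file would be denied, so passing the attachment (where buildForm has one available) to the same object-level check would keep the two in step. Because the field is unmapped and disabled, the form component ignores any submitted value for it, which is the right place for the enforcement as long as the handler does not read the flag from the raw request. `Symfony\Component\Security\Core\Security` is deprecated from Symfony 6.2 in favour of `Symfony\Bundle\SecurityBundle\Security`, so if the project is on that version the new import and constructor type should use the bundle class. Neither the class body nor buildForm is fully inside the hunk.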
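Review bot: The new branch `{% if attach.secure and not is_granted('show_private', attach) %}` followed by `{# Leave blank #}` is an intentionally empty branch, but the comment says neither why it is empty nor where the real check lives; the same construct is added in templates/Parts/edit/_attachments.html.twig. A comment such as `{# secure attachment without show_private: render no preview; the download route enforces the same check in AttachmentFileController #}` would stop a later reader from "fixing" it. Hiding the preview is presentation only, which is acceptable here because the controller now enforces the permission. The enclosing if/elseif chain continues past the hunk.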
diff --git a/templates/Parts/info/_attachments_info.html.twig b/templates/Parts/info/_attachments_info.html.twig
index 9d9830e7..b9314294 100644
--- a/templates/Parts/info/_attachments_info.html.twig
+++ b/templates/Parts/info/_attachments_info.html.twig
@@ -41,12 +41,12 @@
@@ -58,9 +58,6 @@ ID: {{ attachment.iD }} {% trans %}createdAt{% endtrans %}: {{ attachment.addedDate | format_datetime("short")}} {% trans %}createdAt{% endtrans %}: {{ attachment.addedDate | format_datetime("short")}} - - {% trans %}attachment.edit{% endtrans %} - {% trans %}attachment.delete{% endtrans %}
diff --git a/templates/helper.twig b/templates/helper.twig
index 18f8d3bd..5304c3ac 100644
--- a/templates/helper.twig
+++ b/templates/helper.twig
@@ -7,14 +7,19 @@
 {% endmacro %}
 {% macro attachment_icon(attachment, attachment_helper, class = "fa-fw fas fa-3x", link = true) %}
+ {% set disabled = attachment.secure and not is_granted("show_secure", attachment) %}
 {% if not attachment_helper or attachment_helper.fileExisting(attachment) %}
- + {% if link and not disabled %} + + {% endif %} {% if attachment.picture %} {% else %} {% endif %} + {% if link and not disabled %} + {% endif %} {% elseif not attachment_helper.fileExisting(attachment) %} {% endif %}
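Review bot: `is_granted("show_secure", attachment)` in the new `{% set disabled = … %}` line uses an attribute name that appears nowhere else in this change: the permission added to config/permissions.yaml and checked in AttachmentFileController and the two _attachments.html.twig templates is `show_private`. Unless the voter also knows `show_secure`, the check never grants, so the icon link is disabled for every secure attachment even for users who hold the permission; change the line to `{% set disabled = attachment.secure and not is_granted("show_private", attachment) %}`. The macro body continues past the visible lines of the hunk, and several context lines of this hunk are missing from the page, so the surrounding markup could not be reviewed.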