Added a permission to control which users can access private attachments.

Jan Böhmer 2020-03-30 16:56:58 +02:00
parent 9769915b34
commit e83d72ec10
7 changed files with 31 additions and 9 deletions


@ -69,6 +69,10 @@ class AttachmentFileController extends AbstractController
{
$this->denyAccessUnlessGranted('read', $attachment);
if ($attachment->isSecure()) {
$this->denyAccessUnlessGranted('show_private', $attachment);
}
if ($attachment->isExternal()) {
throw new RuntimeException('You can not download external attachments!');
}
@ -97,6 +101,10 @@ class AttachmentFileController extends AbstractController
{
$this->denyAccessUnlessGranted('read', $attachment);
if ($attachment->isSecure()) {
$this->denyAccessUnlessGranted('show_private', $attachment);
}
if ($attachment->isExternal()) {
throw new RuntimeException('You can not download external attachments!');
}
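Review bot: The `isSecure()` / `show_private` guard is copied verbatim into both controller actions (the hunks at -69 and -97), with no comment saying why `read` alone is not enough for private attachments. A duplicated authorization check tends to drift, so I would move it into one private helper on the controller, or into the voter's handling of `read`, so both actions share a single code path. If the inline form stays, add a line above each guard such as `// Private (secure) attachments additionally require the show_private permission.` Any other path that serves the file contents needs the same check; none is visible in this section, and both action bodies continue outside the hunks.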


@ -57,6 +57,7 @@ use Symfony\Component\Form\FormEvent;
use Symfony\Component\Form\FormEvents;
use Symfony\Component\OptionsResolver\OptionsResolver;
use Symfony\Component\Routing\Generator\UrlGeneratorInterface;
use Symfony\Component\Security\Core\Security;
use Symfony\Component\Validator\Constraints\File;
use Symfony\Component\Validator\Constraints\Url;
@ -65,13 +66,15 @@ class AttachmentFormType extends AbstractType
protected $attachment_helper;
protected $urlGenerator;
protected $allow_attachments_download;
protected $security;
public function __construct(AttachmentManager $attachmentHelper,
UrlGeneratorInterface $urlGenerator, bool $allow_attachments_downloads)
UrlGeneratorInterface $urlGenerator, Security $security, bool $allow_attachments_downloads)
{
$this->attachment_helper = $attachmentHelper;
$this->urlGenerator = $urlGenerator;
$this->allow_attachments_download = $allow_attachments_downloads;
$this->security = $security;
}
public function buildForm(FormBuilderInterface $builder, array $options): void
@ -103,6 +106,7 @@ class AttachmentFormType extends AbstractType
'required' => false,
'label' => 'attachment.edit.secure_file',
'mapped' => false,
'disabled' => !$this->security->isGranted('@parts_attachments.show_private'),
'attr' => [
'class' => 'form-control-sm',
],
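Review bot: The new `'disabled' => !$this->security->isGranted('@parts_attachments.show_private')` option sits on a field that is `'mapped' => false`, so the code that reads the checkbox after submit, which is not visible in this hunk, must cope with a disabled field. Symfony ignores submitted data for disabled fields, so that code sees the field's initial data, which may not reflect the attachment's current secure state. If it treats an empty value as "not secure", an edit by a user without the permission could silently turn an existing private attachment into a public one; this is inferred and should be confirmed against the handler. I would guard the read with something like `if (!$form->get('<field name>')->isDisabled()) { ... }` and add a comment on the option, e.g. `// Only users allowed to see private attachments may change the secure flag.` The options array and `buildForm()` continue outside the hunk.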