mirror/Part-DB.Part-DB-server
1
0
Fork 1
mirror of https://github.com/Part-DB/Part-DB-server.git synced 2025-06-21 17:39:06 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions

Added a permission to control which users can access private attachments.

Browse source
This commit is contained in:
Jan Böhmer 2020-03-30 16:56:58 +02:00
parent 9769915b34
commit e83d72ec10
7 changed files with 31 additions and 9 deletions
Download patch file Download diff file Expand all files Collapse all files

8
src/Controller/AttachmentFileController.php
View file

@ -69,6 +69,10 @@ class AttachmentFileController extends AbstractController
{
$this->denyAccessUnlessGranted('read', $attachment);
if ($attachment->isSecure()) {
$this->denyAccessUnlessGranted('show_private', $attachment);
}
if ($attachment->isExternal()) {
throw new RuntimeException('You can not download external attachments!');
}
@ -97,6 +101,10 @@ class AttachmentFileController extends AbstractController
{
$this->denyAccessUnlessGranted('read', $attachment);
if ($attachment->isSecure()) {
$this->denyAccessUnlessGranted('show_private', $attachment);
}
if ($attachment->isExternal()) {
throw new RuntimeException('You can not download external attachments!');
}