Added a permission to control which users can access private attachments.
parent
9769915b34
commit
e83d72ec10
7 changed files with 31 additions and 9 deletions
|
@ -187,6 +187,10 @@ perms: # Here comes a list with all Permission names (they have a perm_[name] co
|
|||
label: "perm.revert_elements"
|
||||
bit: 10
|
||||
alsoSet: ["read", "edit", "create", "delete", "show_history"]
|
||||
show_private:
|
||||
label: "perm.attachment_show_private"
|
||||
bit: 12
|
||||
alsoSet: ["read"]
|
||||
|
||||
parts_order:
|
||||
<<: *PART_ATTRIBUTE
|
||||
|
|
|
@ -69,6 +69,10 @@ class AttachmentFileController extends AbstractController
|
|||
{
|
||||
$this->denyAccessUnlessGranted('read', $attachment);
|
||||
|
||||
if ($attachment->isSecure()) {
|
||||
$this->denyAccessUnlessGranted('show_private', $attachment);
|
||||
}
|
||||
|
||||
if ($attachment->isExternal()) {
|
||||
throw new RuntimeException('You can not download external attachments!');
|
||||
}
|
||||
|
@ -97,6 +101,10 @@ class AttachmentFileController extends AbstractController
|
|||
{
|
||||
$this->denyAccessUnlessGranted('read', $attachment);
|
||||
|
||||
if ($attachment->isSecure()) {
|
||||
$this->denyAccessUnlessGranted('show_private', $attachment);
|
||||
}
|
||||
|
||||
if ($attachment->isExternal()) {
|
||||
throw new RuntimeException('You can not download external attachments!');
|
||||
}
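Review bot: The `isSecure()` / `show_private` guard is copied verbatim into both actions, so any later action that serves attachment content has to remember to repeat it. Consider keeping it next to the `read` check in one private helper that both actions call, so the two checks cannot drift apart. Both method signatures and the rest of each body lie outside the hunks. The commit does not touch a voter, so it is worth confirming that the attachment voter resolves the new `show_private` attribute from the permission config instead of abstaining.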
|
||||
|
|
|
@ -57,6 +57,7 @@ use Symfony\Component\Form\FormEvent;
|
|||
use Symfony\Component\Form\FormEvents;
|
||||
use Symfony\Component\OptionsResolver\OptionsResolver;
|
||||
use Symfony\Component\Routing\Generator\UrlGeneratorInterface;
|
||||
use Symfony\Component\Security\Core\Security;
|
||||
use Symfony\Component\Validator\Constraints\File;
|
||||
use Symfony\Component\Validator\Constraints\Url;
|
||||
|
||||
|
@ -65,13 +66,15 @@ class AttachmentFormType extends AbstractType
|
|||
protected $attachment_helper;
|
||||
protected $urlGenerator;
|
||||
protected $allow_attachments_download;
|
||||
protected $security;
|
||||
|
||||
public function __construct(AttachmentManager $attachmentHelper,
|
||||
UrlGeneratorInterface $urlGenerator, bool $allow_attachments_downloads)
|
||||
UrlGeneratorInterface $urlGenerator, Security $security, bool $allow_attachments_downloads)
|
||||
{
|
||||
$this->attachment_helper = $attachmentHelper;
|
||||
$this->urlGenerator = $urlGenerator;
|
||||
$this->allow_attachments_download = $allow_attachments_downloads;
|
||||
$this->security = $security;
|
||||
}
|
||||
|
||||
public function buildForm(FormBuilderInterface $builder, array $options): void
|
||||
|
@ -103,6 +106,7 @@ class AttachmentFormType extends AbstractType
|
|||
'required' => false,
|
||||
'label' => 'attachment.edit.secure_file',
|
||||
'mapped' => false,
|
||||
'disabled' => !$this->security->isGranted('@parts_attachments.show_private'),
|
||||
'attr' => [
|
||||
'class' => 'form-control-sm',
|
||||
],
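Review bot: The `disabled` option on the secure-file checkbox is computed from the global `@parts_attachments.show_private` permission, while the controller checks `show_private` against the concrete attachment. If this form type is also used for attachments of other element types (not visible here), the two checks can disagree. Because the field is `'mapped' => false`, the code that copies its value back to the attachment is outside this hunk; please confirm that a disabled checkbox on an already-secure attachment keeps the stored flag and cannot clear it on save. A short comment above the option would help, e.g. `// Only users who may view private attachments may change the secure flag`.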
|
||||
|
|
|
@ -42,7 +42,9 @@
|
|||
</span>
|
||||
</h6>
|
||||
{% endif %}
|
||||
{% if attach.picture %}
|
||||
{% if attach.secure and not is_granted('show_private', attach) %}
|
||||
{# Leave blank #}
|
||||
{% elseif attach.picture %}
|
||||
<a href="{{ attach | entityURL('file_view') }}" target="_blank" rel="noopener" data-no-ajax>
|
||||
<img class="img-fluid img-thumbnail thumbnail-sm" src="{{ attachment_thumbnail(attach, 'thumbnail_md') }}" alt="{% trans %}attachment.preview.alt{% endtrans %}" />
|
||||
</a>
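Review bot: Hiding the preview for a secure attachment here only removes the markup. The `<img>` source comes from `attachment_thumbnail(attach, 'thumbnail_md')`, and this commit adds the `show_private` check only to the controller actions, so whether the thumbnail URL itself is protected cannot be seen from this change and should be verified. The same applies to the identical hunk in the next template. Instead of `{# Leave blank #}`, a comment that says why would read better: `{# Private attachment and user lacks show_private: render no preview #}`. The `{% if %}` chain continues past the end of the hunk.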
|
||||
|
|
|
@ -40,7 +40,9 @@
|
|||
</h6>
|
||||
{% endif %}
|
||||
|
||||
{% if attach.picture %}
|
||||
{% if attach.secure and not is_granted('show_private', attach) %}
|
||||
{# Leave blank #}
|
||||
{% elseif attach.picture %}
|
||||
<a href="{{ attach | entityURL('file_view') }}" rel="noopener" target="_blank" data-no-ajax>
|
||||
<img class="img-fluid img-thumbnail thumbnail-sm" src="{{ attachment_thumbnail(attach, 'thumbnail_md') }}" alt="{% trans %}attachment.preview.alt{% endtrans %}" />
|
||||
</a>
|
||||
|
|
|
@ -41,12 +41,12 @@
|
|||
|
||||
<td><div class="btn-group" role="group" aria-label="">
|
||||
<a {% if attachment_helper.fileExisting(attachment) %}href="{{ attachment|entityURL('file_view') }}"{% endif %} target="_blank"
|
||||
class="btn btn-secondary {% if not attachment_helper.fileExisting(attachment) %}disabled{% endif %}"
|
||||
class="btn btn-secondary {% if not attachment_helper.fileExisting(attachment) or (attachment.secure and not is_granted("show_secure", attachment)) %}disabled{% endif %}"
|
||||
data-no-ajax title="{% trans %}attachment.view{% endtrans %}" rel="noopener">
|
||||
<i class="fas fa-eye fa-fw"></i>
|
||||
</a>
|
||||
<a {% if attachment_helper.fileExisting(attachment) %}href="{{ attachment|entityURL('file_download') }}"{% endif %} data-no-ajax
|
||||
class="btn btn-secondary {% if not attachment_helper.fileExisting(attachment) %}disabled{% endif %}"
|
||||
class="btn btn-secondary {% if not attachment_helper.fileExisting(attachment) or (attachment.secure and not is_granted("show_secure", attachment)) %}disabled{% endif %}"
|
||||
title="{% trans %}attachment.download{% endtrans %}">
|
||||
<i class="fas fa-download fa-fw"></i>
|
||||
</a>
|
||||
|
@ -58,9 +58,6 @@
|
|||
<span class="text-muted dropdown-item-text" ><i class="fas fa-lightbulb fa-fw"></i> <b>ID:</b> {{ attachment.iD }}</span>
|
||||
<span class="text-muted dropdown-item-text" ><i class="fas fa-calendar fa-fw"></i> <b>{% trans %}createdAt{% endtrans %}:</b> {{ attachment.addedDate | format_datetime("short")}}</span>
|
||||
<span class="text-muted dropdown-item-text" ><i class="fas fa-history fa-fw"></i> <b>{% trans %}createdAt{% endtrans %}:</b> {{ attachment.addedDate | format_datetime("short")}}</span>
|
||||
<div class="dropdown-divider"></div>
|
||||
<a class="dropdown-item" href="#">{% trans %}attachment.edit{% endtrans %}</a>
|
||||
<a class="dropdown-item" href="#">{% trans %}attachment.delete{% endtrans %}</a>
|
||||
</div>
|
||||
</div>
|
||||
</div></td>
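Review bot: Both button class conditions test `is_granted("show_secure", attachment)`, but the permission added in this commit and checked in the controller is `show_private`. Unless some voter supports `show_secure`, the check is never granted and the view/download buttons stay disabled for secure attachments even for users who hold the new permission. Use `is_granted("show_private", attachment)` in both places, and in the `{% set disabled = … %}` line of the `attachment_icon` macro, which uses the same name. The `href` is still emitted whenever the file exists, so the `disabled` class is cosmetic and the controller check remains the actual enforcement.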
|
||||
|
|
|
@ -7,14 +7,19 @@
|
|||
{% endmacro %}
|
||||
|
||||
{% macro attachment_icon(attachment, attachment_helper, class = "fa-fw fas fa-3x", link = true) %}
|
||||
{% set disabled = attachment.secure and not is_granted("show_secure", attachment) %}
|
||||
{% if not attachment_helper or attachment_helper.fileExisting(attachment) %}
|
||||
<a target="_blank" data-no-ajax rel="noopener" href="{% if link %}{{ attachment|entityURL('file_view') }}{% endif %}">
|
||||
{% if link and not disabled %}
|
||||
<a target="_blank" data-no-ajax rel="noopener" href="{{ attachment|entityURL('file_view') }}">
|
||||
{% endif %}
|
||||
{% if attachment.picture %}
|
||||
<img class="hoverpic" src="{{ attachment|entityURL('file_view') }}">
|
||||
{% else %}
|
||||
<i class="text-dark {{ class }} {{ ext_to_fa_icon(attachment.extension) }}"></i>
|
||||
{% endif %}
|
||||
{% if link and not disabled %}
|
||||
</a>
|
||||
{% endif %}
|
||||
{% elseif not attachment_helper.fileExisting(attachment) %}
|
||||
<i class="{{ class }} fa-exclamation-triangle text-danger"></i>
|
||||
{% endif %}
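Review bot: When `disabled` is true the picture branch still renders `<img class="hoverpic" src="{{ attachment|entityURL('file_view') }}">`, so the browser requests `file_view` for an attachment the user may not see and gets an access-denied response instead of an image. Gate the branch on the flag, e.g. `{% if attachment.picture and not disabled %}`, so restricted pictures fall through to the generic icon. A one-line comment above the `{% set disabled = … %}` line saying that the link and preview are suppressed for private attachments would also help readers of the macro.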
|
||||
|
|