kenmirrors/grocy
1
0
Fork 0
mirror of https://github.com/grocy/grocy.git synced 2025-08-18 19:37:12 +00:00
Code Issues Projects Releases Wiki Activity

Fixed granular user permission checking in GenericEntityApiController (fixes #2025)

Browse Source
This commit is contained in:
Bernd Bestel
2022-10-17 21:00:10 +02:00
parent 80a873da3e
commit 3070448555
3 changed files with 64 additions and 10 deletions
Download Patch File Download Diff File Expand all files Collapse all files

63
controllers/GenericEntityApiController.php
View File

@@ -9,7 +9,26 @@ class GenericEntityApiController extends BaseApiController
{
public function AddObject(\Psr\Http\Message\ServerRequestInterface $request, \Psr\Http\Message\ResponseInterface $response, array $args)
{
User::checkPermission($request, User::PERMISSION_MASTER_DATA_EDIT);
if ($args['entity'] == 'shopping_list' || $args['entity'] == 'shopping_lists')
{
User::checkPermission($request, User::PERMISSION_SHOPPINGLIST_ITEMS_ADD);
}
elseif ($args['entity'] == 'recipes' || $args['entity'] == 'recipes_pos' || $args['entity'] == 'recipes_nestings')
{
User::checkPermission($request, User::PERMISSION_RECIPES);
}
elseif ($args['entity'] == 'meal_plan')
{
User::checkPermission($request, User::PERMISSION_RECIPES_MEALPLAN);
}
elseif ($args['entity'] == 'equipment')
{
User::checkPermission($request, User::PERMISSION_EQUIPMENT);
}
else
{
User::checkPermission($request, User::PERMISSION_MASTER_DATA_EDIT);
}
if ($this->IsValidExposedEntity($args['entity']) && !$this->IsEntityWithNoEdit($args['entity']))
{
@@ -48,7 +67,26 @@ class GenericEntityApiController extends BaseApiController
public function DeleteObject(\Psr\Http\Message\ServerRequestInterface $request, \Psr\Http\Message\ResponseInterface $response, array $args)
{
User::checkPermission($request, User::PERMISSION_MASTER_DATA_EDIT);
if ($args['entity'] == 'shopping_list' || $args['entity'] == 'shopping_lists')
{
User::checkPermission($request, User::PERMISSION_SHOPPINGLIST_ITEMS_DELETE);
}
elseif ($args['entity'] == 'recipes' || $args['entity'] == 'recipes_pos' || $args['entity'] == 'recipes_nestings')
{
User::checkPermission($request, User::PERMISSION_RECIPES);
}
elseif ($args['entity'] == 'meal_plan')
{
User::checkPermission($request, User::PERMISSION_RECIPES_MEALPLAN);
}
elseif ($args['entity'] == 'equipment')
{
User::checkPermission($request, User::PERMISSION_EQUIPMENT);
}
else
{
User::checkPermission($request, User::PERMISSION_MASTER_DATA_EDIT);
}
if ($this->IsValidExposedEntity($args['entity']) && !$this->IsEntityWithNoDelete($args['entity']))
{
@@ -76,7 +114,26 @@ class GenericEntityApiController extends BaseApiController
public function EditObject(\Psr\Http\Message\ServerRequestInterface $request, \Psr\Http\Message\ResponseInterface $response, array $args)
{
User::checkPermission($request, User::PERMISSION_MASTER_DATA_EDIT);
if ($args['entity'] == 'shopping_list' || $args['entity'] == 'shopping_lists')
{
User::checkPermission($request, User::PERMISSION_SHOPPINGLIST_ITEMS_ADD);
}
elseif ($args['entity'] == 'recipes' || $args['entity'] == 'recipes_pos' || $args['entity'] == 'recipes_nestings')
{
User::checkPermission($request, User::PERMISSION_RECIPES);
}
elseif ($args['entity'] == 'meal_plan')
{
User::checkPermission($request, User::PERMISSION_RECIPES_MEALPLAN);
}
elseif ($args['entity'] == 'equipment')
{
User::checkPermission($request, User::PERMISSION_EQUIPMENT);
}
else
{
User::checkPermission($request, User::PERMISSION_MASTER_DATA_EDIT);
}
if ($this->IsValidExposedEntity($args['entity']) && !$this->IsEntityWithNoEdit($args['entity']))
{