mirror of
https://github.com/grocy/grocy.git
synced 2025-04-29 01:32:38 +00:00
Fixed granular user permission checking in GenericEntityApiController (fixes #2025)
This commit is contained in:
Bernd Bestel
parent
80a873da3e
commit
3070448555
@ -61,6 +61,7 @@
|
||||
|
||||
- It's now possible to edit a user without necessarily updating the users password
|
||||
- Fixed that when running label printer WebHooks client side (so when `LABEL_PRINTER_RUN_SERVER` = `false`), the setting `LABEL_PRINTER_HOOK_JSON` was ignored (the WebHook data was always sent as form data)
|
||||
- Fixed that granular user permissions (like "Shopping list / Add items" or "Equipment") didn't allow to add/edit the corresponding items without also having the "Edit master data" permission
|
||||
- New translations: (thanks all the translators)
|
||||
- Lithuanian (demo available at <https://lt.demo.grocy.info>)
|
||||
- Ukrainian (demo available at <https://uk.demo.grocy.info>)
|
||||
|
||||
@ -8,8 +8,27 @@ use Slim\Exception\HttpBadRequestException;
|
||||
class GenericEntityApiController extends BaseApiController
|
||||
{
|
||||
public function AddObject(\Psr\Http\Message\ServerRequestInterface $request, \Psr\Http\Message\ResponseInterface $response, array $args)
|
||||
{
|
||||
if ($args['entity'] == 'shopping_list' || $args['entity'] == 'shopping_lists')
|
||||
{
|
||||
User::checkPermission($request, User::PERMISSION_SHOPPINGLIST_ITEMS_ADD);
|
||||
}
|
||||
elseif ($args['entity'] == 'recipes' || $args['entity'] == 'recipes_pos' || $args['entity'] == 'recipes_nestings')
|
||||
{
|
||||
User::checkPermission($request, User::PERMISSION_RECIPES);
|
||||
}
|
||||
elseif ($args['entity'] == 'meal_plan')
|
||||
{
|
||||
User::checkPermission($request, User::PERMISSION_RECIPES_MEALPLAN);
|
||||
}
|
||||
elseif ($args['entity'] == 'equipment')
|
||||
{
|
||||
User::checkPermission($request, User::PERMISSION_EQUIPMENT);
|
||||
}
|
||||
else
|
||||
{
|
||||
User::checkPermission($request, User::PERMISSION_MASTER_DATA_EDIT);
|
||||
}
|
||||
|
||||
if ($this->IsValidExposedEntity($args['entity']) && !$this->IsEntityWithNoEdit($args['entity']))
|
||||
{
|
||||
@ -47,8 +66,27 @@ class GenericEntityApiController extends BaseApiController
|
||||
}
|
||||
|
||||
public function DeleteObject(\Psr\Http\Message\ServerRequestInterface $request, \Psr\Http\Message\ResponseInterface $response, array $args)
|
||||
{
|
||||
if ($args['entity'] == 'shopping_list' || $args['entity'] == 'shopping_lists')
|
||||
{
|
||||
User::checkPermission($request, User::PERMISSION_SHOPPINGLIST_ITEMS_DELETE);
|
||||
}
|
||||
elseif ($args['entity'] == 'recipes' || $args['entity'] == 'recipes_pos' || $args['entity'] == 'recipes_nestings')
|
||||
{
|
||||
User::checkPermission($request, User::PERMISSION_RECIPES);
|
||||
}
|
||||
elseif ($args['entity'] == 'meal_plan')
|
||||
{
|
||||
User::checkPermission($request, User::PERMISSION_RECIPES_MEALPLAN);
|
||||
}
|
||||
elseif ($args['entity'] == 'equipment')
|
||||
{
|
||||
User::checkPermission($request, User::PERMISSION_EQUIPMENT);
|
||||
}
|
||||
else
|
||||
{
|
||||
User::checkPermission($request, User::PERMISSION_MASTER_DATA_EDIT);
|
||||
}
|
||||
|
||||
if ($this->IsValidExposedEntity($args['entity']) && !$this->IsEntityWithNoDelete($args['entity']))
|
||||
{
|
||||
@ -75,8 +113,27 @@ class GenericEntityApiController extends BaseApiController
|
||||
}
|
||||
|
||||
public function EditObject(\Psr\Http\Message\ServerRequestInterface $request, \Psr\Http\Message\ResponseInterface $response, array $args)
|
||||
{
|
||||
if ($args['entity'] == 'shopping_list' || $args['entity'] == 'shopping_lists')
|
||||
{
|
||||
User::checkPermission($request, User::PERMISSION_SHOPPINGLIST_ITEMS_ADD);
|
||||
}
|
||||
elseif ($args['entity'] == 'recipes' || $args['entity'] == 'recipes_pos' || $args['entity'] == 'recipes_nestings')
|
||||
{
|
||||
User::checkPermission($request, User::PERMISSION_RECIPES);
|
||||
}
|
||||
elseif ($args['entity'] == 'meal_plan')
|
||||
{
|
||||
User::checkPermission($request, User::PERMISSION_RECIPES_MEALPLAN);
|
||||
}
|
||||
elseif ($args['entity'] == 'equipment')
|
||||
{
|
||||
User::checkPermission($request, User::PERMISSION_EQUIPMENT);
|
||||
}
|
||||
else
|
||||
{
|
||||
User::checkPermission($request, User::PERMISSION_MASTER_DATA_EDIT);
|
||||
}
|
||||
|
||||
if ($this->IsValidExposedEntity($args['entity']) && !$this->IsEntityWithNoEdit($args['entity']))
|
||||
{
|
||||
|
||||
@ -83,18 +83,14 @@ class User
|
||||
return $user->getPermissionList();
|
||||
}
|
||||
|
||||
public static function checkPermission($request, string ...$permissions): void
|
||||
public static function checkPermission($request, string $permission): void
|
||||
{
|
||||
$user = new self();
|
||||
|
||||
foreach ($permissions as $permission)
|
||||
{
|
||||
if (!$user->hasPermission($permission))
|
||||
{
|
||||
throw new PermissionMissingException($request, $permission);
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
public function getPermissionList()
|
||||
{
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user