kenmirrors/grocy
1
0
Fork 0
mirror of https://github.com/grocy/grocy.git synced 2025-08-13 01:06:23 +00:00
Code Issues Projects Releases Wiki Activity

Don't expose uihelper views via the API / allow to get stock_log via generic entity interaction endpoints (no edit)

Browse Source
This commit is contained in:
Bernd Bestel
2020-11-16 22:18:37 +01:00
parent e85b21384f
commit 512ef745da
4 changed files with 49 additions and 23 deletions
Download Patch File Download Diff File Expand all files Collapse all files

24
controllers/GenericEntityApiController.php
View File

@@ -11,7 +11,7 @@ class GenericEntityApiController extends BaseApiController
{
User::checkPermission($request, User::PERMISSION_MASTER_DATA_EDIT);
if ($this->IsValidEntity($args['entity']))
if ($this->IsValidEntity($args['entity']) && !$this->IsEntityWithNoEdit($args['entity']))
{
if ($this->IsEntityWithEditRequiresAdmin($args['entity']))
{
@@ -27,10 +27,10 @@ class GenericEntityApiController extends BaseApiController
throw new \Exception('Request body could not be parsed (probably invalid JSON format or missing/wrong Content-Type header)');
}
$newRow = $this->getDatabase()->{$args['entity']}
()->createRow($requestBody);
$newRow = $this->getDatabase()->{$args['entity']}()->createRow($requestBody);
$newRow->save();
$success = $newRow->isClean();
return $this->ApiResponse($response, [
'created_object_id' => $this->getDatabase()->lastInsertId()
]);
@@ -50,16 +50,17 @@ class GenericEntityApiController extends BaseApiController
{
User::checkPermission($request, User::PERMISSION_MASTER_DATA_EDIT);
if ($this->IsValidEntity($args['entity']))
if ($this->IsValidEntity($args['entity']) && !$this->IsEntityWithNoEdit($args['entity']))
{
if ($this->IsEntityWithEditRequiresAdmin($args['entity']))
{
User::checkPermission($request, User::PERMISSION_ADMIN);
}
$row = $this->getDatabase()->{$args['entity']}
($args['objectId']);
$row = $this->getDatabase()->{$args['entity']}($args['objectId']);
$row->delete();
$success = $row->isClean();
return $this->EmptyApiResponse($response);
}
else
@@ -72,7 +73,7 @@ class GenericEntityApiController extends BaseApiController
{
User::checkPermission($request, User::PERMISSION_MASTER_DATA_EDIT);
if ($this->IsValidEntity($args['entity']))
if ($this->IsValidEntity($args['entity']) && !$this->IsEntityWithNoEdit($args['entity']))
{
if ($this->IsEntityWithEditRequiresAdmin($args['entity']))
{
@@ -88,10 +89,10 @@ class GenericEntityApiController extends BaseApiController
throw new \Exception('Request body could not be parsed (probably invalid JSON format or missing/wrong Content-Type header)');
}
$row = $this->getDatabase()->{$args['entity']}
($args['objectId']);
$row = $this->getDatabase()->{$args['entity']}($args['objectId']);
$row->update($requestBody);
$success = $row->isClean();
return $this->EmptyApiResponse($response);
}
catch (\Exception $ex)
@@ -213,6 +214,11 @@ class GenericEntityApiController extends BaseApiController
return !in_array($entity, $this->getOpenApiSpec()->components->internalSchemas->ExposedEntityButNoListing->enum);
}
private function IsEntityWithNoEdit($entity)
{
return in_array($entity, $this->getOpenApiSpec()->components->internalSchemas->ExposedEntityNoEdit->enum);
}
private function IsValidEntity($entity)
{
return in_array($entity, $this->getOpenApiSpec()->components->internalSchemas->ExposedEntity->enum);