Apikeys (#986)

* Add QR-Code for API-Url/Key * Show only API-Keys for current user * Allow only admin users to create custom API-Keys * Use a managed package of qrcode-generator instead of a copy of the JS file * Reuse existing localization string (API key) * Center QR-Code in popups Co-authored-by: Bernd Bestel <bernd@berrnd.de>
2025-08-20 04:12:59 +00:00 · 2020-09-06 10:00:49 +02:00
parent 40f379b761
commit 85a95f1973
10 changed files with 67 additions and 2 deletions
--- a/controllers/GenericEntityApiController.php
+++ b/controllers/GenericEntityApiController.php
@@ -13,6 +13,9 @@ class GenericEntityApiController extends BaseApiController

 		if ($this->IsValidEntity($args['entity']))
 		{
+			if($this->IsEntityWithEditRequiresAdmin($args['entity']))
+				User::checkPermission($request, User::PERMISSION_ADMIN);
+
 			$requestBody = $request->getParsedBody();

 			try
@@ -47,6 +50,8 @@ class GenericEntityApiController extends BaseApiController

 		if ($this->IsValidEntity($args['entity']))
 		{
+			if($this->IsEntityWithEditRequiresAdmin($args['entity']))
+				User::checkPermission($request, User::PERMISSION_ADMIN);
 			$row = $this->getDatabase()->{$args['entity']}
 			($args['objectId']);
 			$row->delete();
@@ -65,6 +70,8 @@ class GenericEntityApiController extends BaseApiController

 		if ($this->IsValidEntity($args['entity']))
 		{
+			if($this->IsEntityWithEditRequiresAdmin($args['entity']))
+				User::checkPermission($request, User::PERMISSION_ADMIN);
 			$requestBody = $request->getParsedBody();

 			try
@@ -211,6 +218,10 @@ class GenericEntityApiController extends BaseApiController
 	{
 		parent::__construct($container);
 	}
+	private function IsEntityWithEditRequiresAdmin($entity)
+	{
+		return !in_array($entity, $this->getOpenApiSpec()->components->internalSchemas->EntityEditRequiresAdmin->enum);
+	}

 	private function IsEntityWithPreventedListing($entity)
 	{
--- a/controllers/OpenApiController.php
+++ b/controllers/OpenApiController.php
@@ -2,12 +2,17 @@

 namespace Grocy\Controllers;

+use Grocy\Controllers\Users\User;
+
 class OpenApiController extends BaseApiController
 {
 	public function ApiKeysList(\Psr\Http\Message\ServerRequestInterface $request, \Psr\Http\Message\ResponseInterface $response, array $args)
 	{
+		$apiKeys = $this->getDatabase()->api_keys();
+		if(!User::hasPermissions(User::PERMISSION_ADMIN))
+			$apiKeys = $apiKeys->where('user_id', GROCY_USER_ID);
 		return $this->renderPage($response, 'manageapikeys', [
-			'apiKeys' => $this->getDatabase()->api_keys(),
+			'apiKeys' =>$apiKeys,
 			'users' => $this->getDatabase()->users()
 		]);
 	}