[WIP] Implemented basic permissions (#960)

* Add permissions to Database & add "User"-classes * Add UI & API for Permissions, protect "User"-(Api)-Controller with new permissions. * Add some permissions. * Add permission localization * Add error handling. * Error pages: only redirect on 404 * ExceptionController: return JSON-Response on api-routes * Rename PRODUCT_ADD to PRODUCT_PURCHASE * Move translation to new file * Fix checkboxes stay selected on reload. * Remove configurable User-implementation * Remove MASTER_DATA_READ * Disable buttons the user isn't allowed to use. * Add default permissions for new users * When migration to permissions, everyone starts as ADMIN * Permission-Localization: add to transifex & LocalizationService * Review Co-authored-by: Bernd Bestel <bernd@berrnd.de>
2025-08-17 03:04:36 +00:00 · 2020-08-29 12:05:32 +02:00
parent f28697e5b4
commit b7d1b21f1d
41 changed files with 930 additions and 67 deletions
--- a/controllers/FilesApiController.php
+++ b/controllers/FilesApiController.php
@@ -2,6 +2,7 @@

 namespace Grocy\Controllers;

+use Grocy\Controllers\Users\User;
 use \Grocy\Services\FilesService;

 class FilesApiController extends BaseApiController
@@ -15,7 +16,9 @@ class FilesApiController extends BaseApiController
 	{
 		try
 		{
-			if (IsValidFileName(base64_decode($args['fileName'])))
+            User::checkPermission($request, User::PERMISSION_UPLOAD_FILE);
+
+            if (IsValidFileName(base64_decode($args['fileName'])))
 			{
 				$fileName = base64_decode($args['fileName']);
 			}
@@ -97,7 +100,9 @@ class FilesApiController extends BaseApiController
 	{
 		try
 		{
-			if (IsValidFileName(base64_decode($args['fileName'])))
+            User::checkPermission($request, User::PERMISSION_DELETE_FILE);
+
+            if (IsValidFileName(base64_decode($args['fileName'])))
 			{
 				$fileName = base64_decode($args['fileName']);
 			}