[WIP] Implemented basic permissions (#960)

* Add permissions to Database & add "User"-classes * Add UI & API for Permissions, protect "User"-(Api)-Controller with new permissions. * Add some permissions. * Add permission localization * Add error handling. * Error pages: only redirect on 404 * ExceptionController: return JSON-Response on api-routes * Rename PRODUCT_ADD to PRODUCT_PURCHASE * Move translation to new file * Fix checkboxes stay selected on reload. * Remove configurable User-implementation * Remove MASTER_DATA_READ * Disable buttons the user isn't allowed to use. * Add default permissions for new users * When migration to permissions, everyone starts as ADMIN * Permission-Localization: add to transifex & LocalizationService * Review Co-authored-by: Bernd Bestel <bernd@berrnd.de>
2025-08-15 10:14:39 +00:00 · 2020-08-29 12:05:32 +02:00
parent f28697e5b4
commit b7d1b21f1d
41 changed files with 930 additions and 67 deletions
--- a/controllers/GenericEntityApiController.php
+++ b/controllers/GenericEntityApiController.php
@@ -2,6 +2,8 @@

 namespace Grocy\Controllers;

+use Grocy\Controllers\Users\User;
+
 class GenericEntityApiController extends BaseApiController
 {
 	public function __construct(\DI\Container $container)
@@ -11,7 +13,7 @@ class GenericEntityApiController extends BaseApiController

 	public function GetObjects(\Psr\Http\Message\ServerRequestInterface $request, \Psr\Http\Message\ResponseInterface $response, array $args)
 	{
-		$objects = $this->getDatabase()->{$args['entity']}();
+        $objects = $this->getDatabase()->{$args['entity']}();
 		$allUserfields = $this->getUserfieldsService()->GetAllValues($args['entity']);

 		foreach ($objects as $object)
@@ -41,7 +43,7 @@ class GenericEntityApiController extends BaseApiController

 	public function GetObject(\Psr\Http\Message\ServerRequestInterface $request, \Psr\Http\Message\ResponseInterface $response, array $args)
 	{
-		if ($this->IsValidEntity($args['entity']) && !$this->IsEntityWithPreventedListing($args['entity']))
+        if ($this->IsValidEntity($args['entity']) && !$this->IsEntityWithPreventedListing($args['entity']))
 		{
 			$userfields = $this->getUserfieldsService()->GetValues($args['entity'], $args['objectId']);
 			if (count($userfields) === 0)
@@ -66,7 +68,9 @@ class GenericEntityApiController extends BaseApiController

 	public function AddObject(\Psr\Http\Message\ServerRequestInterface $request, \Psr\Http\Message\ResponseInterface $response, array $args)
 	{
-		if ($this->IsValidEntity($args['entity']))
+        User::checkPermission($request, User::PERMISSION_MASTER_DATA_EDIT);
+
+        if ($this->IsValidEntity($args['entity']))
 		{
 			$requestBody = $request->getParsedBody();

@@ -97,7 +101,9 @@ class GenericEntityApiController extends BaseApiController

 	public function EditObject(\Psr\Http\Message\ServerRequestInterface $request, \Psr\Http\Message\ResponseInterface $response, array $args)
 	{
-		if ($this->IsValidEntity($args['entity']))
+        User::checkPermission($request, User::PERMISSION_MASTER_DATA_EDIT);
+
+        if ($this->IsValidEntity($args['entity']))
 		{
 			$requestBody = $request->getParsedBody();

@@ -126,7 +132,9 @@ class GenericEntityApiController extends BaseApiController

 	public function DeleteObject(\Psr\Http\Message\ServerRequestInterface $request, \Psr\Http\Message\ResponseInterface $response, array $args)
 	{
-		if ($this->IsValidEntity($args['entity']))
+        User::checkPermission($request, User::PERMISSION_MASTER_DATA_EDIT);
+
+        if ($this->IsValidEntity($args['entity']))
 		{
 			$row = $this->getDatabase()->{$args['entity']}($args['objectId']);
 			$row->delete();
@@ -141,7 +149,8 @@ class GenericEntityApiController extends BaseApiController

 	public function SearchObjects(\Psr\Http\Message\ServerRequestInterface $request, \Psr\Http\Message\ResponseInterface $response, array $args)
 	{
-		if ($this->IsValidEntity($args['entity']) && !$this->IsEntityWithPreventedListing($args['entity']))
+
+        if ($this->IsValidEntity($args['entity']) && !$this->IsEntityWithPreventedListing($args['entity']))
 		{
 			try
 			{
@@ -160,7 +169,7 @@ class GenericEntityApiController extends BaseApiController

 	public function GetUserfields(\Psr\Http\Message\ServerRequestInterface $request, \Psr\Http\Message\ResponseInterface $response, array $args)
 	{
-		try
+        try
 		{
 			return $this->ApiResponse($response, $this->getUserfieldsService()->GetValues($args['entity'], $args['objectId']));
 		}
@@ -172,7 +181,9 @@ class GenericEntityApiController extends BaseApiController

 	public function SetUserfields(\Psr\Http\Message\ServerRequestInterface $request, \Psr\Http\Message\ResponseInterface $response, array $args)
 	{
-		$requestBody = $request->getParsedBody();
+        User::checkPermission($request, User::PERMISSION_MASTER_DATA_EDIT);
+
+        $requestBody = $request->getParsedBody();

 		try
 		{