Use IsGranted in SiteCredentialController

This commit is contained in:
Yassine Guedidi 2024-03-23 23:36:33 +01:00
parent 96cb024cf5
commit 247894209c
8 changed files with 158 additions and 28 deletions

View file

@ -4,6 +4,7 @@ namespace Wallabag\Controller;
use Craue\ConfigBundle\Util\Config; use Craue\ConfigBundle\Util\Config;
use Doctrine\ORM\EntityManagerInterface; use Doctrine\ORM\EntityManagerInterface;
use Sensio\Bundle\FrameworkExtraBundle\Configuration\IsGranted;
use Symfony\Component\Form\Form; use Symfony\Component\Form\Form;
use Symfony\Component\Form\FormInterface; use Symfony\Component\Form\FormInterface;
use Symfony\Component\HttpFoundation\RedirectResponse; use Symfony\Component\HttpFoundation\RedirectResponse;
@ -41,6 +42,7 @@ class SiteCredentialController extends AbstractController
* Lists all User entities. * Lists all User entities.
* *
* @Route("/", name="site_credentials_index", methods={"GET"}) * @Route("/", name="site_credentials_index", methods={"GET"})
* @IsGranted("LIST_SITE_CREDENTIALS")
*/ */
public function indexAction(SiteCredentialRepository $repository) public function indexAction(SiteCredentialRepository $repository)
{ {
@ -57,6 +59,7 @@ class SiteCredentialController extends AbstractController
* Creates a new site credential entity. * Creates a new site credential entity.
* *
* @Route("/new", name="site_credentials_new", methods={"GET", "POST"}) * @Route("/new", name="site_credentials_new", methods={"GET", "POST"})
* @IsGranted("CREATE_SITE_CREDENTIALS")
* *
* @return Response * @return Response
*/ */
@ -94,6 +97,7 @@ class SiteCredentialController extends AbstractController
* Displays a form to edit an existing site credential entity. * Displays a form to edit an existing site credential entity.
* *
* @Route("/{id}/edit", name="site_credentials_edit", methods={"GET", "POST"}) * @Route("/{id}/edit", name="site_credentials_edit", methods={"GET", "POST"})
* @IsGranted("EDIT", subject="siteCredential")
* *
* @return Response * @return Response
*/ */
@ -101,8 +105,6 @@ class SiteCredentialController extends AbstractController
{ {
$this->isSiteCredentialsEnabled(); $this->isSiteCredentialsEnabled();
$this->checkUserAction($siteCredential);
$deleteForm = $this->createDeleteForm($siteCredential); $deleteForm = $this->createDeleteForm($siteCredential);
$editForm = $this->createForm(SiteCredentialType::class, $siteCredential); $editForm = $this->createForm(SiteCredentialType::class, $siteCredential);
$editForm->handleRequest($request); $editForm->handleRequest($request);
@ -133,6 +135,7 @@ class SiteCredentialController extends AbstractController
* Deletes a site credential entity. * Deletes a site credential entity.
* *
* @Route("/{id}", name="site_credentials_delete", methods={"DELETE"}) * @Route("/{id}", name="site_credentials_delete", methods={"DELETE"})
* @IsGranted("DELETE", subject="siteCredential")
* *
* @return RedirectResponse * @return RedirectResponse
*/ */
@ -140,8 +143,6 @@ class SiteCredentialController extends AbstractController
{ {
$this->isSiteCredentialsEnabled(); $this->isSiteCredentialsEnabled();
$this->checkUserAction($siteCredential);
$form = $this->createDeleteForm($siteCredential); $form = $this->createDeleteForm($siteCredential);
$form->handleRequest($request); $form->handleRequest($request);
@ -183,16 +184,4 @@ class SiteCredentialController extends AbstractController
->getForm() ->getForm()
; ;
} }
/**
* Check if the logged user can manage the given site credential.
*
* @param SiteCredential $siteCredential The site credential entity
*/
private function checkUserAction(SiteCredential $siteCredential)
{
if (null === $this->getUser() || $this->getUser()->getId() !== $siteCredential->getUser()->getId()) {
throw $this->createAccessDeniedException('You can not access this site credential.');
}
}
} }

View file

@ -11,6 +11,8 @@ class MainVoter extends Voter
public const LIST_ENTRIES = 'LIST_ENTRIES'; public const LIST_ENTRIES = 'LIST_ENTRIES';
public const CREATE_ENTRIES = 'CREATE_ENTRIES'; public const CREATE_ENTRIES = 'CREATE_ENTRIES';
public const EDIT_ENTRIES = 'EDIT_ENTRIES'; public const EDIT_ENTRIES = 'EDIT_ENTRIES';
public const LIST_SITE_CREDENTIALS = 'LIST_SITE_CREDENTIALS';
public const CREATE_SITE_CREDENTIALS = 'CREATE_SITE_CREDENTIALS';
private Security $security; private Security $security;
@ -25,7 +27,7 @@ class MainVoter extends Voter
return false; return false;
} }
if (!\in_array($attribute, [self::LIST_ENTRIES, self::CREATE_ENTRIES, self::EDIT_ENTRIES], true)) { if (!\in_array($attribute, [self::LIST_ENTRIES, self::CREATE_ENTRIES, self::EDIT_ENTRIES, self::LIST_SITE_CREDENTIALS, self::CREATE_SITE_CREDENTIALS], true)) {
return false; return false;
} }
@ -38,6 +40,8 @@ class MainVoter extends Voter
case self::LIST_ENTRIES: case self::LIST_ENTRIES:
case self::CREATE_ENTRIES: case self::CREATE_ENTRIES:
case self::EDIT_ENTRIES: case self::EDIT_ENTRIES:
case self::LIST_SITE_CREDENTIALS:
case self::CREATE_SITE_CREDENTIALS:
return $this->security->isGranted('ROLE_USER'); return $this->security->isGranted('ROLE_USER');
} }

View file

@ -0,0 +1,46 @@
<?php
namespace Wallabag\Security\Voter;
use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
use Symfony\Component\Security\Core\Authorization\Voter\Voter;
use Wallabag\Entity\SiteCredential;
use Wallabag\Entity\User;
class SiteCredentialVoter extends Voter
{
public const EDIT = 'EDIT';
public const DELETE = 'DELETE';
protected function supports(string $attribute, $subject): bool
{
if (!$subject instanceof SiteCredential) {
return false;
}
if (!\in_array($attribute, [self::EDIT, self::DELETE], true)) {
return false;
}
return true;
}
protected function voteOnAttribute(string $attribute, $subject, TokenInterface $token): bool
{
\assert($subject instanceof SiteCredential);
$user = $token->getUser();
if (!$user instanceof User) {
return false;
}
switch ($attribute) {
case self::EDIT:
case self::DELETE:
return $user === $subject->getUser();
}
return false;
}
}

View file

@ -44,11 +44,13 @@
{{ form_widget(edit_form.save, {'attr': {'class': 'btn waves-effect waves-light'}}) }} {{ form_widget(edit_form.save, {'attr': {'class': 'btn waves-effect waves-light'}}) }}
{{ form_widget(edit_form._token) }} {{ form_widget(edit_form._token) }}
</form> </form>
{% if is_granted('DELETE', credential) %}
<p> <p>
{{ form_start(delete_form) }} {{ form_start(delete_form) }}
<button onclick="return confirm('{{ 'site_credential.form.delete_confirm'|trans|escape('js') }}')" type="submit" class="btn waves-effect waves-light red">{{ 'site_credential.form.delete'|trans }}</button> <button onclick="return confirm('{{ 'site_credential.form.delete_confirm'|trans|escape('js') }}')" type="submit" class="btn waves-effect waves-light red">{{ 'site_credential.form.delete'|trans }}</button>
{{ form_end(delete_form) }} {{ form_end(delete_form) }}
</p> </p>
{% endif %}
<p><a class="waves-effect waves-light btn blue-grey" href="{{ path('site_credentials_index') }}">{{ 'site_credential.form.back_to_list'|trans }}</a></p> <p><a class="waves-effect waves-light btn blue-grey" href="{{ path('site_credentials_index') }}">{{ 'site_credential.form.back_to_list'|trans }}</a></p>
</div> </div>
</div> </div>

View file

@ -23,16 +23,20 @@
<tr> <tr>
<td>{{ credential.host }}</td> <td>{{ credential.host }}</td>
<td> <td>
{% if is_granted('EDIT', credential) %}
<a href="{{ path('site_credentials_edit', {'id': credential.id}) }}">{{ 'site_credential.list.edit_action'|trans }}</a> <a href="{{ path('site_credentials_edit', {'id': credential.id}) }}">{{ 'site_credential.list.edit_action'|trans }}</a>
{% endif %}
</td> </td>
</tr> </tr>
{% endfor %} {% endfor %}
</tbody> </tbody>
</table> </table>
{% if is_granted('CREATE_SITE_CREDENTIALS') %}
<br /> <br />
<p> <p>
<a href="{{ path('site_credentials_new') }}" class="waves-effect waves-light btn">{{ 'site_credential.list.create_new_one'|trans }}</a> <a href="{{ path('site_credentials_new') }}" class="waves-effect waves-light btn">{{ 'site_credential.list.create_new_one'|trans }}</a>
</p> </p>
{% endif %}
</div> </div>
</div> </div>
</div> </div>

View file

@ -126,7 +126,7 @@
<li><a href="{{ path('config') }}"><i class="material-icons">settings</i> {{ 'menu.left.config'|trans }}</a></li> <li><a href="{{ path('config') }}"><i class="material-icons">settings</i> {{ 'menu.left.config'|trans }}</a></li>
<li><a href="{{ path('developer') }}"><i class="material-icons">smartphone</i> {{ 'menu.left.developer'|trans }}</a></li> <li><a href="{{ path('developer') }}"><i class="material-icons">smartphone</i> {{ 'menu.left.developer'|trans }}</a></li>
<li><a href="{{ path('import') }}"><i class="material-icons">import_export</i> {{ 'menu.left.import'|trans }}</a></li> <li><a href="{{ path('import') }}"><i class="material-icons">import_export</i> {{ 'menu.left.import'|trans }}</a></li>
{% if craue_setting('restricted_access') %} {% if craue_setting('restricted_access') and is_granted('LIST_SITE_CREDENTIALS') %}
<li><a href="{{ path('site_credentials_index') }}"><i class="material-icons">vpn_key</i> {{ 'menu.left.site_credentials'|trans }}</a></li> <li><a href="{{ path('site_credentials_index') }}"><i class="material-icons">vpn_key</i> {{ 'menu.left.site_credentials'|trans }}</a></li>
{% endif %} {% endif %}
<li class="divider"></li> <li class="divider"></li>

View file

@ -83,4 +83,32 @@ class MainVoterTest extends TestCase
$this->assertSame(VoterInterface::ACCESS_GRANTED, $this->mainVoter->vote($this->token, null, [MainVoter::EDIT_ENTRIES])); $this->assertSame(VoterInterface::ACCESS_GRANTED, $this->mainVoter->vote($this->token, null, [MainVoter::EDIT_ENTRIES]));
} }
public function testVoteReturnsDeniedForNonUserListSiteCredentials(): void
{
$this->security->method('isGranted')->with('ROLE_USER')->willReturn(false);
$this->assertSame(VoterInterface::ACCESS_DENIED, $this->mainVoter->vote($this->token, null, [MainVoter::LIST_SITE_CREDENTIALS]));
}
public function testVoteReturnsGrantedForUserListSiteCredentials(): void
{
$this->security->method('isGranted')->with('ROLE_USER')->willReturn(true);
$this->assertSame(VoterInterface::ACCESS_GRANTED, $this->mainVoter->vote($this->token, null, [MainVoter::LIST_SITE_CREDENTIALS]));
}
public function testVoteReturnsDeniedForNonUserCreateSiteCredentials(): void
{
$this->security->method('isGranted')->with('ROLE_USER')->willReturn(false);
$this->assertSame(VoterInterface::ACCESS_DENIED, $this->mainVoter->vote($this->token, null, [MainVoter::CREATE_SITE_CREDENTIALS]));
}
public function testVoteReturnsGrantedForUserCreateSiteCredentials(): void
{
$this->security->method('isGranted')->with('ROLE_USER')->willReturn(true);
$this->assertSame(VoterInterface::ACCESS_GRANTED, $this->mainVoter->vote($this->token, null, [MainVoter::CREATE_SITE_CREDENTIALS]));
}
} }

View file

@ -0,0 +1,57 @@
<?php
namespace Security\Voter;
use PHPUnit\Framework\TestCase;
use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
use Symfony\Component\Security\Core\Authorization\Voter\VoterInterface;
use Wallabag\Entity\SiteCredential;
use Wallabag\Entity\User;
use Wallabag\Security\Voter\SiteCredentialVoter;
class SiteCredentialVoterTest extends TestCase
{
private $user;
private $token;
private $siteCredentialVoter;
protected function setUp(): void
{
$this->user = new User();
$this->token = $this->createMock(TokenInterface::class);
$this->token->method('getUser')->willReturn($this->user);
$this->siteCredentialVoter = new SiteCredentialVoter();
}
public function testVoteReturnsAbstainForInvalidSubject(): void
{
$this->assertSame(VoterInterface::ACCESS_ABSTAIN, $this->siteCredentialVoter->vote($this->token, new \stdClass(), [SiteCredentialVoter::EDIT]));
}
public function testVoteReturnsAbstainForInvalidAttribute(): void
{
$this->assertSame(VoterInterface::ACCESS_ABSTAIN, $this->siteCredentialVoter->vote($this->token, new SiteCredential(new User()), ['INVALID']));
}
public function testVoteReturnsDeniedForNonSiteCredentialUserEdit(): void
{
$this->assertSame(VoterInterface::ACCESS_DENIED, $this->siteCredentialVoter->vote($this->token, new SiteCredential(new User()), [SiteCredentialVoter::EDIT]));
}
public function testVoteReturnsGrantedForSiteCredentialUserEdit(): void
{
$this->assertSame(VoterInterface::ACCESS_GRANTED, $this->siteCredentialVoter->vote($this->token, new SiteCredential($this->user), [SiteCredentialVoter::EDIT]));
}
public function testVoteReturnsDeniedForNonSiteCredentialUserDelete(): void
{
$this->assertSame(VoterInterface::ACCESS_DENIED, $this->siteCredentialVoter->vote($this->token, new SiteCredential(new User()), [SiteCredentialVoter::DELETE]));
}
public function testVoteReturnsGrantedForSiteCredentialUserDelete(): void
{
$this->assertSame(VoterInterface::ACCESS_GRANTED, $this->siteCredentialVoter->vote($this->token, new SiteCredential($this->user), [SiteCredentialVoter::DELETE]));
}
}