hazza/Phraseanet
1
0
Fork 0
mirror of https://github.com/alchemy-fr/Phraseanet.git synced 2025-10-23 09:53:15 +00:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #3172 from aynsix/PHRAS-2680-webhook-privacy-and-security

Browse Source 
PHRAS-2680 #comment merge of webhook privacy and security in worker context
This commit is contained in:
Nicolas Maillat
2020-03-18 11:17:49 +01:00
committed by GitHub
parent 191cbb2b5e d1c299e774
commit 3a1be947a5
21 changed files with 144 additions and 53 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
lib/Alchemy/Phrasea/Account/AccountService.php
View File

@@ -167,11 +167,11 @@ class AccountService
* @param string $login
* @throws AccountException
*/
public function deleteAccount($login = null)
public function deleteAccount($login = null, array $grantedBaseIdList = array())
{
$user = $this->getUserOrCurrentUser($login);
$this->userManipulator->delete($user);
$this->userManipulator->delete($user, $grantedBaseIdList);
}
/**

9
lib/Alchemy/Phrasea/Authentication/RegistrationService.php
View File

@@ -328,11 +328,9 @@ class RegistrationService
$autoReg = $acl->get_granted_base();
$granted = [];
foreach ($autoReg as $baseId => $collection) {
$granted[$baseId] = $collection->get_label($this->app['locale']);
}
if(count($granted) > 0) {
$this->app['manipulator.webhook-event']->create(
WebhookEvent::USER_REGISTRATION_GRANTED,
WebhookEvent::USER_REGISTRATION_TYPE,
@@ -340,8 +338,11 @@ class RegistrationService
'user_id' => $user->getId(),
'granted' => $granted,
'rejected' => []
]
],
[$baseId]
);
unset($granted);
}

4
lib/Alchemy/Phrasea/Controller/Admin/UserController.php
View File

@@ -515,9 +515,9 @@ class UserController extends Controller
$denyColl[] = $label;
$hookData['rejected'][$bas] = $label;
}
}
$this->app['manipulator.webhook-event']->create($hookName, $hookType, $hookData);
$this->app['manipulator.webhook-event']->create($hookName, $hookType, $hookData, [$bas]);
}
if ($user->hasMailNotificationsActivated() && (0 !== count($acceptColl) || 0 !== count($denyColl))) {
$message = '';

7
lib/Alchemy/Phrasea/Controller/Root/AccountController.php
View File

@@ -518,7 +518,9 @@ class AccountController extends Controller
$this->getApiApplicationManipulator()->deleteApiApplications($applications);
// revoke access and delete phraseanet user account
// get list of old granted base_id then revoke access and delete phraseanet user account
$oldGrantedBaseIds = array_keys($this->app->getAclForUser($user)->get_granted_base());
$list = array_keys($this->app['repo.collections-registry']->getBaseIdMap());
@@ -542,8 +544,9 @@ class AccountController extends Controller
$mail = null;
}
$this->app['manipulator.user']->delete($user);
$mail = MailSuccessAccountDelete::create($this->app, $receiver);
$this->app['manipulator.user']->delete($user, [$user->getId() => $oldGrantedBaseIds]);
if($mail) {
$this->deliver($mail);
}

3
lib/Alchemy/Phrasea/Core/Event/Subscriber/FeedEntrySubscriber.php
View File

@@ -33,7 +33,8 @@ class FeedEntrySubscriber extends AbstractNotificationSubscriber
$this->app['manipulator.webhook-event']->create(
WebhookEvent::NEW_FEED_ENTRY,
WebhookEvent::FEED_ENTRY_TYPE,
array_merge(array('feed_id' => $entry->getFeed()->getId()), $params)
array_merge(array('feed_id' => $entry->getFeed()->getId()), $params),
$entry->getFeed()->getBaseId() ? [$entry->getFeed()->getBaseId()] : []
);
$datas = json_encode($params);

22
lib/Alchemy/Phrasea/Core/Event/Subscriber/OrderSubscriber.php
View File

@@ -41,13 +41,13 @@ class OrderSubscriber extends AbstractNotificationSubscriber
public function onCreate(OrderEvent $event)
{
$base_ids = array_unique(array_map(function (OrderElement $element) {
$baseIds = array_unique(array_map(function (OrderElement $element) {
return $element->getBaseId();
}, iterator_to_array($event->getOrder()->getElements())));
$query = $this->app['phraseanet.user-query'];
/** @var User[] $users */
$users = $query->on_base_ids($base_ids)
$users = $query->on_base_ids($baseIds)
->who_have_right([\ACL::ORDER_MASTER])
->execute()->get_results();
@@ -60,10 +60,12 @@ class OrderSubscriber extends AbstractNotificationSubscriber
'order_id' => $event->getOrder()->getId(),
]);
$notifier = $this->notifierRegistry->getNotifier($event->getOrder()->getNotificationMethod());
// notify by webhook
$notifier = $this->notifierRegistry->getNotifier(Order::NOTIFY_WEBHOOK);
$notifier->notifyCreation($event->getOrder(), $event->getOrder()->getUser());
$notifier->notifyCreation($event->getOrder(), $event->getOrder()->getUser(), $baseIds);
// notify by mail
$notifier = $this->notifierRegistry->getNotifier(Order::NOTIFY_MAIL);
foreach ($users as $user) {
@@ -85,7 +87,13 @@ class OrderSubscriber extends AbstractNotificationSubscriber
public function onDeliver(OrderDeliveryEvent $event)
{
// notify by webhook
$notifier = $this->notifierRegistry->getNotifier(Order::NOTIFY_WEBHOOK);
$notifier->notifyDelivery($event->getDelivery(), $event->getDelivery()->getPartialOrder()->getBaseIds());
$notified = false;
// actually NotificationMethod is always by mail
$notifier = $this->notifierRegistry->getNotifier($event->getOrder()->getNotificationMethod());
$notificationData = json_encode([
'from' => $event->getDelivery()->getAdmin()->getId(),
@@ -109,7 +117,13 @@ class OrderSubscriber extends AbstractNotificationSubscriber
public function onDeny(OrderDeliveryEvent $event)
{
// notify by webhook
$notifier = $this->notifierRegistry->getNotifier(Order::NOTIFY_WEBHOOK);
$notifier->notifyDenial($event->getDelivery(), $event->getDelivery()->getPartialOrder()->getBaseIds());
$notified = false;
// actually NotificationMethod is always by mail
$notifier = $this->notifierRegistry->getNotifier($event->getOrder()->getNotificationMethod());
$notificationData = json_encode([
'from' => $event->getDelivery()->getAdmin()->getId(),

2
lib/Alchemy/Phrasea/Core/Event/Subscriber/WebhookUserEventSubscriber.php
View File

@@ -45,7 +45,7 @@ class WebhookUserEventSubscriber implements EventSubscriberInterface
'user_id' => $event->getUserId(),
'email' => $event->getEmailAddress(),
'login' => $event->getLogin()
]);
], $event->getGrantedBaseIds());
}
public static function getSubscribedEvents()

8
lib/Alchemy/Phrasea/Core/Event/User/DeletedEvent.php
View File

@@ -36,4 +36,12 @@ class DeletedEvent extends UserEvent
{
return $this->args['email'];
}
/**
* @return array
*/
public function getGrantedBaseIds()
{
return $this->args['grantedBaseIds'];
}
}

4
lib/Alchemy/Phrasea/Helper/User/Edit.php
View File

@@ -73,10 +73,12 @@ class Edit extends \Alchemy\Phrasea\Helper\Helper
{
$list = array_keys($this->app->getAclForUser($this->app->getAuthenticatedUser())->get_granted_base([\ACL::CANADMIN]));
$oldGrantedBaseIds = array_keys($this->app->getAclForUser($user)->get_granted_base());
$this->app->getAclForUser($user)->revoke_access_from_bases($list);
if ($this->app->getAclForUser($user)->is_phantom()) {
$this->app['manipulator.user']->delete($user);
$this->app['manipulator.user']->delete($user, [$user->getId() => $oldGrantedBaseIds]);
}
return $this;

28
lib/Alchemy/Phrasea/Model/Entities/WebhookEvent.php
View File

@@ -68,6 +68,14 @@ class WebhookEvent
*/
private $created;
/**
* List of collection base_id concerned
* @var array
*
* @ORM\Column(name="collection_base_ids", type="json_array", nullable=true)
*/
private $collectionBaseIds;
/**
* @param \DateTime $created
*
@@ -175,4 +183,24 @@ class WebhookEvent
return $this;
}
/**
* @param array $collectionBaseIds
*
* @return $this
*/
public function setCollectionBaseIds(array $collectionBaseIds)
{
$this->collectionBaseIds = $collectionBaseIds;
return $this;
}
/**
* @return array
*/
public function getCollectionBaseIds()
{
return $this->collectionBaseIds;
}
}

10
lib/Alchemy/Phrasea/Model/Manipulator/UserManipulator.php
View File

@@ -126,8 +126,9 @@ class UserManipulator implements ManipulatorInterface
* Deletes a user.
*
* @param User|User[] $users
* @param array $grantedBaseIdList List of the old granted base_id per userId [user_id => [base_id, ...] ]
*/
public function delete($users)
public function delete($users, array $grantedBaseIdList = array())
{
/** @var User $user */
foreach ($this->makeTraversable($users) as $user) {
@@ -146,9 +147,10 @@ class UserManipulator implements ManipulatorInterface
new DeletedEvent(
null,
array(
'user_id'=>$old_id,
'login'=>$old_login,
'email'=>$old_email
'user_id' => $old_id,
'login' => $old_login,
'email' => $old_email,
'grantedBaseIds' => isset($grantedBaseIdList[$old_id]) ? $grantedBaseIdList[$old_id] : []
)
)
);

6
lib/Alchemy/Phrasea/Model/Manipulator/WebhookEventManipulator.php
View File

@@ -40,7 +40,7 @@ class WebhookEventManipulator implements ManipulatorInterface
$this->publisher = $publisher;
}
public function create($eventName, $type, array $data)
public function create($eventName, $type, array $data, array $collectionBaseIds = array())
{
$event = new WebhookEvent();
@@ -48,6 +48,10 @@ class WebhookEventManipulator implements ManipulatorInterface
$event->setType($type);
$event->setData($data);
if (count($collectionBaseIds) > 0) {
$event->setCollectionBaseIds($collectionBaseIds);
}
$this->update($event);
$this->publisher->publishWebhookEvent($event);

6
lib/Alchemy/Phrasea/Order/Controller/BaseOrderController.php
View File

@@ -172,7 +172,7 @@ class BaseOrderController extends Controller
$manager->persist($element);
}
$delivery = new OrderDelivery($order, $acceptor, count($basketElements));
$delivery = new OrderDelivery($order, $acceptor, count($basketElements), $partialOrder);
$this->dispatch(PhraseaEvents::ORDER_DELIVER, new OrderDeliveryEvent($delivery));
}
@@ -198,11 +198,13 @@ class BaseOrderController extends Controller
$elements = $this->findRequestedElements($order_id, $elementIds, $acceptor);
$order = $this->findOr404($order_id);
$partialOrder = new PartialOrder($order, $elements);
$this->getOrderValidator()->deny($acceptor, new PartialOrder($order, $elements));
try {
if (!empty($elements)) {
$delivery = new OrderDelivery($order, $acceptor, count($elements));
$delivery = new OrderDelivery($order, $acceptor, count($elements), $partialOrder);
$this->dispatch(PhraseaEvents::ORDER_DENY, new OrderDeliveryEvent($delivery));
}

23
lib/Alchemy/Phrasea/Order/OrderDelivery.php
View File

@@ -31,16 +31,23 @@ class OrderDelivery
*/
private $quantity;
/**
* @var PartialOrder
*/
private $partialOrder;
/**
* @param Order $deliveredOrder
* @param User $manager
* @param int $quantity
* @param PartialOrder $partialOrder
*/
public function __construct(Order $deliveredOrder, User $manager, $quantity)
public function __construct(Order $deliveredOrder, User $manager, $quantity, PartialOrder $partialOrder)
{
$this->order = $deliveredOrder;
$this->admin = $manager;
$this->quantity = $quantity;
$this->order = $deliveredOrder;
$this->admin = $manager;
$this->quantity = $quantity;
$this->partialOrder = $partialOrder;
}
/**
@@ -66,4 +73,12 @@ class OrderDelivery
{
return $this->quantity;
}
/**
* @return PartialOrder
*/
public function getPartialOrder()
{
return $this->partialOrder;
}
}

9
lib/Alchemy/Phrasea/Order/ValidationNotifier.php
View File

@@ -19,20 +19,23 @@ interface ValidationNotifier
/**
* @param Order $order
* @param User $recipient
* @param array $baseIds
* @return void
*/
public function notifyCreation(Order $order, User $recipient);
public function notifyCreation(Order $order, User $recipient, array $baseIds = array());
/**
* @param OrderDelivery $delivery
* @param array $baseIds
* @return void
*/
public function notifyDelivery(OrderDelivery $delivery);
public function notifyDelivery(OrderDelivery $delivery, array $baseIds = array());
/**
* @param OrderDelivery $delivery
* @param array $baseIds
* @return void
*/
public function notifyDenial(OrderDelivery $delivery);
public function notifyDenial(OrderDelivery $delivery, array $baseIds = array());
}

13
lib/Alchemy/Phrasea/Order/ValidationNotifier/CompositeNotifier.php
View File

@@ -26,8 +26,9 @@ class CompositeNotifier implements ValidationNotifier
/**
* @param Order $order
* @param User $recipient
* @param array $baseIds
*/
public function notifyCreation(Order $order, User $recipient)
public function notifyCreation(Order $order, User $recipient, array $baseIds = array())
{
foreach ($this->notifiers as $notifier) {
$notifier->notifyCreation($order, $recipient);
@@ -36,21 +37,23 @@ class CompositeNotifier implements ValidationNotifier
/**
* @param OrderDelivery $delivery
* @param array $baseIds
*/
public function notifyDelivery(OrderDelivery $delivery)
public function notifyDelivery(OrderDelivery $delivery, array $baseIds = array())
{
foreach ($this->notifiers as $notifier) {
$notifier->notifyDelivery($delivery);
$notifier->notifyDelivery($delivery, $baseIds);
}
}
/**
* @param OrderDelivery $delivery
* @param array $baseIds
*/
public function notifyDenial(OrderDelivery $delivery)
public function notifyDenial(OrderDelivery $delivery, array $baseIds = array())
{
foreach ($this->notifiers as $notifier) {
$notifier->notifyDenial($delivery);
$notifier->notifyDenial($delivery, $baseIds);
}
}
}

9
lib/Alchemy/Phrasea/Order/ValidationNotifier/MailNotifier.php
View File

@@ -46,8 +46,9 @@ class MailNotifier implements ValidationNotifier
/**
* @param Order $order
* @param User $recipient
* @param array $baseIds
*/
public function notifyCreation(Order $order, User $recipient)
public function notifyCreation(Order $order, User $recipient, array $baseIds = array())
{
$mail = MailInfoNewOrder::create($this->application, Receiver::fromUser($recipient));
@@ -58,8 +59,9 @@ class MailNotifier implements ValidationNotifier
/**
* @param OrderDelivery $delivery
* @param array $baseIds
*/
public function notifyDelivery(OrderDelivery $delivery)
public function notifyDelivery(OrderDelivery $delivery, array $baseIds = array())
{
$order = $delivery->getOrder();
@@ -85,8 +87,9 @@ class MailNotifier implements ValidationNotifier
/**
* @param OrderDelivery $delivery
* @param array $baseIds
*/
public function notifyDenial(OrderDelivery $delivery)
public function notifyDenial(OrderDelivery $delivery, array $baseIds = array())
{
$sender = Emitter::fromUser($delivery->getAdmin());
$recipient = Receiver::fromUser($delivery->getOrder()->getUser());

15
lib/Alchemy/Phrasea/Order/ValidationNotifier/WebhookNotifier.php
View File

@@ -47,21 +47,23 @@ class WebhookNotifier implements ValidationNotifier
/**
* @param Order $order
* @param User $recipient
* @param array $baseIds
*/
public function notifyCreation(Order $order, User $recipient)
public function notifyCreation(Order $order, User $recipient, array $baseIds = array())
{
$eventData = [
'order_id' => $order->getId(),
'user_id' => $recipient->getId(),
];
$this->getManipulator()->create(WebhookEvent::ORDER_CREATED, WebhookEvent::ORDER_TYPE, $eventData);
$this->getManipulator()->create(WebhookEvent::ORDER_CREATED, WebhookEvent::ORDER_TYPE, $eventData, $baseIds);
}
/**
* @param OrderDelivery $delivery
* @param array $baseIds
*/
public function notifyDelivery(OrderDelivery $delivery)
public function notifyDelivery(OrderDelivery $delivery, array $baseIds = array())
{
$eventData = [
'order_id' => $delivery->getOrder()->getId(),
@@ -69,13 +71,14 @@ class WebhookNotifier implements ValidationNotifier
'quantity' => $delivery->getQuantity()
];
$this->getManipulator()->create(WebhookEvent::ORDER_DELIVERED, WebhookEvent::ORDER_TYPE, $eventData);
$this->getManipulator()->create(WebhookEvent::ORDER_DELIVERED, WebhookEvent::ORDER_TYPE, $eventData, $baseIds);
}
/**
* @param OrderDelivery $delivery
* @param array $baseIds
*/
public function notifyDenial(OrderDelivery $delivery)
public function notifyDenial(OrderDelivery $delivery, array $baseIds = array())
{
$eventData = [
'order_id' => $delivery->getOrder()->getId(),
@@ -83,6 +86,6 @@ class WebhookNotifier implements ValidationNotifier
'quantity' => $delivery->getQuantity()
];
$this->getManipulator()->create(WebhookEvent::ORDER_DENIED, WebhookEvent::ORDER_TYPE, $eventData);
$this->getManipulator()->create(WebhookEvent::ORDER_DENIED, WebhookEvent::ORDER_TYPE, $eventData, $baseIds);
}
}

11
lib/Alchemy/Phrasea/Webhook/Processor/FeedEntryProcessor.php
View File

@@ -34,17 +34,16 @@ class FeedEntryProcessor implements ProcessorInterface
{
$data = $event->getData();
if (!isset($data->entry_id)) {
if (!isset($data['entry_id'])) {
return null;
}
$entry = $this->entryRepository->find($data->entry_id);
$entry = $this->entryRepository->find($data['entry_id']);
if (null === $entry) {
return null;
}
$data = $event->getData();
$feed = $entry->getFeed();
$query = $this->userQuery;
@@ -54,8 +53,8 @@ class FeedEntryProcessor implements ProcessorInterface
->include_templates(false)
->email_not_null(true);
if ($feed->getCollection($this->app)) {
$query->on_base_ids([$feed->getCollection($this->app)->get_base_id()]);
if ($feed->getCollection($this->application)) {
$query->on_base_ids([$feed->getCollection($this->application)->get_base_id()]);
}
$start = 0;
@@ -76,7 +75,7 @@ class FeedEntryProcessor implements ProcessorInterface
return [
'event' => $event->getName(),
'users_were_notified' => isset($data->notify_email) ?: (bool) $data->notify_email,
'users_were_notified' => isset($data['notify_email']) ? (bool) $data['notify_email'] : false,
'feed' => [
'id' => $feed->getId(),
'title' => $feed->getTitle(),

2
tests/Alchemy/Tests/Phrasea/Functional/UserDeletionTest.php
View File

@@ -79,7 +79,7 @@ class UserDeletionTest extends \PhraseanetAuthenticatedWebTestCase
$apiLog = $apiLogManipulator->create($account, new Request(), new Response());
$apiLogId = $apiLog->getId();
$this->userManipulator->delete($this->user, true);
$this->userManipulator->delete($this->user);
$this->assertTrue($this->user->isDeleted(), 'User was not properly deleted');
$apiLogRepository->clear();

2
tests/Alchemy/Tests/Phrasea/Webhook/Processor/FeedEntryProcessorTest.php
View File

@@ -59,6 +59,6 @@ class FeedEntryProcessorTest extends \PhraseanetTestCase
self::$DI['app']['repo.feed-entries'],
self::$DI['app']['phraseanet.user-query']
);
$this->assertEquals($processor->process($event), null);
$this->assertInternalType(\PHPUnit_Framework_Constraint_IsType::TYPE_ARRAY, $processor->process($event));
}
}