hazza/Phraseanet
1
0
Fork 0
mirror of https://github.com/alchemy-fr/Phraseanet.git synced 2025-10-09 11:03:17 +00:00
Code Issues Packages Projects Releases Wiki Activity

Fix users right

Browse Source
This commit is contained in:
Nicolas Le Goff
2014-09-08 20:21:15 +02:00
parent b0b7a249b7
commit ab73febefd
7 changed files with 2017 additions and 1755 deletions
Download Patch File Download Diff File Expand all files Collapse all files

189
lib/Alchemy/Phrasea/Controller/Api/V1.php
View File

@@ -34,7 +34,8 @@ class V1 implements ControllerProviderInterface
/** /**
* Api Service * Api Service
* @var Closure *
* @return \API_V1_adapter
*/ */
$app['api'] = function () use ($app) { $app['api'] = function () use ($app) {
return new \API_V1_adapter($app); return new \API_V1_adapter($app);
@@ -44,7 +45,7 @@ class V1 implements ControllerProviderInterface
* oAuth token verification process * oAuth token verification process
* - Check if oauth_token exists && is valid * - Check if oauth_token exists && is valid
* - Check if request comes from phraseanet Navigator && phraseanet Navigator * - Check if request comes from phraseanet Navigator && phraseanet Navigator
* is enbale on current instance * is enable on current instance
* - restore user session * - restore user session
* *
* @ throws \API_V1_exception_unauthorized * @ throws \API_V1_exception_unauthorized
@@ -165,6 +166,9 @@ class V1 implements ControllerProviderInterface
); );
}); });
/**
* Close session
*/
$controllers->after(function () use ($app) { $controllers->after(function () use ($app) {
$app['authentication']->closeAccount(); $app['authentication']->closeAccount();
}); });
@@ -177,7 +181,7 @@ class V1 implements ControllerProviderInterface
}; };
/** /**
* Check wether the current user is Admin or not * Check whether the current user is Admin or not
*/ */
$mustBeAdmin = function (Request $request) use ($app) { $mustBeAdmin = function (Request $request) use ($app) {
$user = $app['token']->get_account()->get_user(); $user = $app['token']->get_account()->get_user();
@@ -186,6 +190,71 @@ class V1 implements ControllerProviderInterface
} }
}; };
/**
* Check whether the current user has access to databox
*/
$hasAccessToDatabox = function (Request $request) use ($app) {
$user = $app['token']->get_account()->get_user();
$databox = $app['phraseanet.appbox']->get_databox($request->attributes->get('databox_id'));
if (!$user->ACL()->has_access_to_sbas($databox->get_sbas_id())) {
throw new \API_V1_exception_unauthorized('You are not authorized');
}
};
/**
* Check whether the current user has access to the record
*/
$hasAccessToRecord = function (Request $request) use ($app) {
$user = $app['token']->get_account()->get_user();
$record = $app['phraseanet.appbox']->get_databox($request->attributes->get('databox_id'))->get_record($request->attributes->get('record_id'));
if (!$user->ACL()->has_access_to_record($record)) {
throw new \API_V1_exception_unauthorized('You are not authorized');
}
};
/**
* Check whether the current user can modify the record
*/
$canModifyRecord = function (Request $request) use ($app) {
$user = $app['token']->get_account()->get_user();
if (!$user->ACL()->has_right('modifyrecord')) {
throw new \API_V1_exception_unauthorized('You are not authorized');
}
};
/**
* Check whether the current user can modify the record status
*/
$canModifyRecordStatus = function (Request $request) use ($app) {
$user = $app['token']->get_account()->get_user();
$record = $app['phraseanet.appbox']->get_databox($request->attributes->get('databox_id'))->get_record($request->attributes->get('record_id'));
if (!$user->ACL()->has_right_on_base($record->get_base_id(), 'chgstatus')) {
throw new \API_V1_exception_unauthorized('You are not authorized');
}
};
/**
* Check whether the current user can see databox structure
*/
$canSeeDataboxStructure = function (Request $request) use ($app) {
$user = $app['token']->get_account()->get_user();
$databox = $app['phraseanet.appbox']->get_databox($request->attributes->get('databox_id'));
if (!$user->ACL()->has_right_on_sbas($databox->get_sbas_id(), 'bas_modify_struct')) {
throw new \API_V1_exception_unauthorized('You are not authorized');
}
};
/**
* Check whether the current user can move record from a collection to an other
*/
$canMoveRecord = function (Request $request) use ($app) {
$user = $app['token']->get_account()->get_user();
$record = $app['phraseanet.appbox']->get_databox($request->attributes->get('databox_id'))->get_record($request->attributes->get('record_id'));
if ((!$user->ACL()->has_right('addrecord') && !$user->ACL()->has_right('deleterecord')) || !$user->ACL()->has_right_on_base($record->get_base_id(), 'candeleterecord')) {
throw new \API_V1_exception_unauthorized('You are not authorized');
}
};
/** /**
* Get scheduler informations * Get scheduler informations
* *
@@ -309,7 +378,7 @@ class V1 implements ControllerProviderInterface
return $app['api'] return $app['api']
->get_databox_collections($app['request'], $databox_id) ->get_databox_collections($app['request'], $databox_id)
->get_response(); ->get_response();
})->assert('databox_id', '\d+'); })->before($hasAccessToDatabox)->assert('databox_id', '\d+');
$controllers->get('/databoxes/{any_id}/collections/', $bad_request_exception); $controllers->get('/databoxes/{any_id}/collections/', $bad_request_exception);
@@ -326,7 +395,7 @@ class V1 implements ControllerProviderInterface
return $app['api'] return $app['api']
->get_databox_status($app['request'], $databox_id) ->get_databox_status($app['request'], $databox_id)
->get_response(); ->get_response();
})->assert('databox_id', '\d+'); })->before($hasAccessToDatabox)->before($canSeeDataboxStructure)->assert('databox_id', '\d+');
$controllers->get('/databoxes/{any_id}/status/', $bad_request_exception); $controllers->get('/databoxes/{any_id}/status/', $bad_request_exception);
@@ -342,7 +411,7 @@ class V1 implements ControllerProviderInterface
return $app['api'] return $app['api']
->get_databox_metadatas($app['request'], $databox_id) ->get_databox_metadatas($app['request'], $databox_id)
->get_response(); ->get_response();
})->assert('databox_id', '\d+'); })->before($hasAccessToDatabox)->before($canSeeDataboxStructure)->assert('databox_id', '\d+');
$controllers->get('/databoxes/{any_id}/metadatas/', $bad_request_exception); $controllers->get('/databoxes/{any_id}/metadatas/', $bad_request_exception);
@@ -362,14 +431,31 @@ class V1 implements ControllerProviderInterface
$controllers->get('/databoxes/{any_id}/termsOfUse/', $bad_request_exception); $controllers->get('/databoxes/{any_id}/termsOfUse/', $bad_request_exception);
/**
* Route /quarantine/list/
*
* Method : GET
*
* Parameters ;
*/
$controllers->get('/quarantine/list/', function (SilexApplication $app, Request $request) { $controllers->get('/quarantine/list/', function (SilexApplication $app, Request $request) {
return $app['api']->list_quarantine($app, $request)->get_response(); return $app['api']->list_quarantine($app, $request)->get_response();
}); });
/**
* Route /quarantine/item/{lazaret_id}/
*
* Method : GET
*
* Parameters ;
* LAZARET_ID : required INT
*/
$controllers->get('/quarantine/item/{lazaret_id}/', function ($lazaret_id, SilexApplication $app, Request $request) { $controllers->get('/quarantine/item/{lazaret_id}/', function ($lazaret_id, SilexApplication $app, Request $request) {
return $app['api']->list_quarantine_item($lazaret_id, $app, $request)->get_response(); return $app['api']->list_quarantine_item($lazaret_id, $app, $request)->get_response();
}); });
$controllers->get('/quarantine/item/{any_id}/', $bad_request_exception);
/** /**
* Route : /records/add/ * Route : /records/add/
* *
@@ -422,11 +508,18 @@ class V1 implements ControllerProviderInterface
return $app['api']->search_records($app['request'])->get_response(); return $app['api']->search_records($app['request'])->get_response();
}); });
/**
* Route : /records/{databox_id}/{record_id}/caption/
*
* Parameters ;
* DATABOX_ID : required INT
* RECORD_ID : required INT
*/
$controllers->get('/records/{databox_id}/{record_id}/caption/', function (SilexApplication $app, $databox_id, $record_id) { $controllers->get('/records/{databox_id}/{record_id}/caption/', function (SilexApplication $app, $databox_id, $record_id) {
return $app['api'] return $app['api']
->caption_records($app['request'], $databox_id, $record_id) ->caption_records($app['request'], $databox_id, $record_id)
->get_response(); ->get_response();
})->assert('databox_id', '\d+')->assert('record_id', '\d+'); })->before($hasAccessToRecord)->assert('databox_id', '\d+')->assert('record_id', '\d+');
$controllers->get('/records/{any_id}/{anyother_id}/caption/', $bad_request_exception); $controllers->get('/records/{any_id}/{anyother_id}/caption/', $bad_request_exception);
@@ -444,7 +537,7 @@ class V1 implements ControllerProviderInterface
return $app['api'] return $app['api']
->get_record_metadatas($app['request'], $databox_id, $record_id) ->get_record_metadatas($app['request'], $databox_id, $record_id)
->get_response(); ->get_response();
})->assert('databox_id', '\d+')->assert('record_id', '\d+'); })->before($hasAccessToRecord)->assert('databox_id', '\d+')->assert('record_id', '\d+');
$controllers->get('/records/{any_id}/{anyother_id}/metadatas/', $bad_request_exception); $controllers->get('/records/{any_id}/{anyother_id}/metadatas/', $bad_request_exception);
@@ -462,7 +555,7 @@ class V1 implements ControllerProviderInterface
return $app['api'] return $app['api']
->get_record_status($app['request'], $databox_id, $record_id) ->get_record_status($app['request'], $databox_id, $record_id)
->get_response(); ->get_response();
})->assert('databox_id', '\d+')->assert('record_id', '\d+'); })->before($hasAccessToRecord)->assert('databox_id', '\d+')->assert('record_id', '\d+');
$controllers->get('/records/{any_id}/{anyother_id}/status/', $bad_request_exception); $controllers->get('/records/{any_id}/{anyother_id}/status/', $bad_request_exception);
@@ -480,7 +573,7 @@ class V1 implements ControllerProviderInterface
return $app['api'] return $app['api']
->get_record_related($app['request'], $databox_id, $record_id) ->get_record_related($app['request'], $databox_id, $record_id)
->get_response(); ->get_response();
})->assert('databox_id', '\d+')->assert('record_id', '\d+'); })->before($hasAccessToRecord)->assert('databox_id', '\d+')->assert('record_id', '\d+');
$controllers->get('/records/{any_id}/{anyother_id}/related/', $bad_request_exception); $controllers->get('/records/{any_id}/{anyother_id}/related/', $bad_request_exception);
@@ -498,7 +591,7 @@ class V1 implements ControllerProviderInterface
return $app['api'] return $app['api']
->get_record_embed($app['request'], $databox_id, $record_id) ->get_record_embed($app['request'], $databox_id, $record_id)
->get_response(); ->get_response();
})->assert('databox_id', '\d+')->assert('record_id', '\d+'); })->before($hasAccessToRecord)->assert('databox_id', '\d+')->assert('record_id', '\d+');
$controllers->get('/records/{any_id}/{anyother_id}/embed/', $bad_request_exception); $controllers->get('/records/{any_id}/{anyother_id}/embed/', $bad_request_exception);
@@ -516,7 +609,7 @@ class V1 implements ControllerProviderInterface
return $app['api'] return $app['api']
->set_record_metadatas($app['request'], $databox_id, $record_id) ->set_record_metadatas($app['request'], $databox_id, $record_id)
->get_response(); ->get_response();
})->assert('databox_id', '\d+')->assert('record_id', '\d+'); })->before($hasAccessToRecord)->before($canModifyRecord)->assert('databox_id', '\d+')->assert('record_id', '\d+');
$controllers->post('/records/{any_id}/{anyother_id}/setmetadatas/', $bad_request_exception); $controllers->post('/records/{any_id}/{anyother_id}/setmetadatas/', $bad_request_exception);
@@ -534,7 +627,7 @@ class V1 implements ControllerProviderInterface
return $app['api'] return $app['api']
->set_record_status($app['request'], $databox_id, $record_id) ->set_record_status($app['request'], $databox_id, $record_id)
->get_response(); ->get_response();
})->assert('databox_id', '\d+')->assert('record_id', '\d+'); })->before($hasAccessToRecord)->before($canModifyRecord)->before($canModifyRecordStatus)->assert('databox_id', '\d+')->assert('record_id', '\d+');
$controllers->post('/records/{any_id}/{anyother_id}/setstatus/', $bad_request_exception); $controllers->post('/records/{any_id}/{anyother_id}/setstatus/', $bad_request_exception);
@@ -552,15 +645,25 @@ class V1 implements ControllerProviderInterface
return $app['api'] return $app['api']
->set_record_collection($app['request'], $databox_id, $record_id) ->set_record_collection($app['request'], $databox_id, $record_id)
->get_response(); ->get_response();
})->assert('databox_id', '\d+')->assert('record_id', '\d+'); })->before($hasAccessToRecord)->before($canMoveRecord)->assert('databox_id', '\d+')->assert('record_id', '\d+');
$controllers->post('/records/{wrong_databox_id}/{wrong_record_id}/setcollection/', $bad_request_exception); $controllers->post('/records/{wrong_databox_id}/{wrong_record_id}/setcollection/', $bad_request_exception);
/**
* Route : /records/DATABOX_ID/RECORD_ID
*
* Method : GET
*
* Parameters :
* DATABOX_ID : required INT
* RECORD_ID : required INT
*
*/
$controllers->get('/records/{databox_id}/{record_id}/', function (SilexApplication $app, $databox_id, $record_id) { $controllers->get('/records/{databox_id}/{record_id}/', function (SilexApplication $app, $databox_id, $record_id) {
return $app['api'] return $app['api']
->get_record($app['request'], $databox_id, $record_id) ->get_record($app['request'], $databox_id, $record_id)
->get_response(); ->get_response();
})->assert('databox_id', '\d+')->assert('record_id', '\d+'); })->before($hasAccessToRecord)->assert('databox_id', '\d+')->assert('record_id', '\d+');
$controllers->get('/records/{any_id}/{anyother_id}/', $bad_request_exception); $controllers->get('/records/{any_id}/{anyother_id}/', $bad_request_exception);
@@ -666,12 +769,29 @@ class V1 implements ControllerProviderInterface
->get_response(); ->get_response();
}); });
/**
* Route : /feeds/content/
*
* Method : GET
*
* Parameters :
*
*/
$controllers->get('/feeds/content/', function (SilexApplication $app) { $controllers->get('/feeds/content/', function (SilexApplication $app) {
return $app['api'] return $app['api']
->get_publications($app['request'], $app['authentication']->getUser()) ->get_publications($app['request'], $app['authentication']->getUser())
->get_response(); ->get_response();
}); });
/**
* Route : /feeds/entry/{entry_id}/
*
* Method : GET
*
* Parameters :
* ENTRY_ID : required INT
*
*/
$controllers->get('/feeds/entry/{entry_id}/', function (SilexApplication $app, $entry_id) { $controllers->get('/feeds/entry/{entry_id}/', function (SilexApplication $app, $entry_id) {
return $app['api'] return $app['api']
->get_feed_entry($app['request'], $entry_id, $app['authentication']->getUser()) ->get_feed_entry($app['request'], $entry_id, $app['authentication']->getUser())
@@ -704,33 +824,44 @@ class V1 implements ControllerProviderInterface
* *
* Parameters : * Parameters :
* DATABOX_ID : required INT * DATABOX_ID : required INT
* RECORD_ID : required INT * STORY_ID : required INT
* *
*/ */
$controllers->get('/stories/{databox_id}/{story_id}/embed/', function ($databox_id, $story_id) use ($app) { $controllers->get('/stories/{databox_id}/{record_id}/embed/', function ($databox_id, $record_id) use ($app) {
$result = $app['api']->get_story_embed($app['request'], $databox_id, $story_id); $result = $app['api']->get_story_embed($app['request'], $databox_id, $record_id);
return $result->get_response(); return $result->get_response();
} }
)->assert('databox_id', '\d+')->assert('story_id', '\d+'); )->before($hasAccessToRecord)->assert('databox_id', '\d+')->assert('record_id', '\d+');
$controllers->get('/stories/{any_id}/{anyother_id}/embed/', $bad_request_exception); $controllers->get('/stories/{any_id}/{anyother_id}/embed/', $bad_request_exception);
$controllers->get('/stories/{databox_id}/{story_id}/', function ($databox_id, $story_id) use ($app) { /**
$result = $app['api']->get_story($app['request'], $databox_id, $story_id); * Route : /stories/DATABOX_ID/RECORD_ID/
*
* Method : GET
*
* Parameters :
* DATABOX_ID : required INT
* STORY_ID : required INT
*
*/
$controllers->get('/stories/{databox_id}/{record_id}/', function ($databox_id, $record_id) use ($app) {
$result = $app['api']->get_story($app['request'], $databox_id, $record_id);
return $result->get_response(); return $result->get_response();
})->assert('databox_id', '\d+')->assert('story_id', '\d+'); })->before($hasAccessToRecord)->assert('databox_id', '\d+')->assert('record_id', '\d+');
$controllers->get('/stories/{any_id}/{anyother_id}/', $bad_request_exception); $controllers->get('/stories/{any_id}/{anyother_id}/', $bad_request_exception);
$controllers->get('/stories/{databox_id}/{story_id}/', function ($databox_id, $story_id) use ($app) { /**
$result = $app['api']->get_story($app['request'], $databox_id, $story_id); * Route : /me/
*
return $result->get_response(); * Method : GET
})->assert('databox_id', '\d+')->assert('story_id', '\d+'); *
$controllers->get('/stories/{any_id}/{anyother_id}/', $bad_request_exception); * Parameters :
*
*/
$controllers->get('/me/', function (SilexApplication $app, Request $request) { $controllers->get('/me/', function (SilexApplication $app, Request $request) {
$result = $app['api']->get_current_user($app, $request); $result = $app['api']->get_current_user($app, $request);

5
lib/Alchemy/Phrasea/SearchEngine/SearchEngineOptions.php
View File

@@ -625,7 +625,12 @@ class SearchEngineOptions
if (is_array($request->get('bases'))) { if (is_array($request->get('bases'))) {
$bas = array_map(function ($base_id) use ($app) { $bas = array_map(function ($base_id) use ($app) {
try {
return \collection::get_from_base_id($app, $base_id); return \collection::get_from_base_id($app, $base_id);
} catch (\Exception_Databox_CollectionNotFound $e) {
return null;
}
}, $request->get('bases')); }, $request->get('bases'));
} elseif (!$app['authentication']->isAuthenticated()) { } elseif (!$app['authentication']->isAuthenticated()) {
$bas = $app->getOpenCollections(); $bas = $app->getOpenCollections();

2
lib/classes/API/V1/Interface.php
View File

@@ -292,7 +292,7 @@ interface API_V1_Interface
* USER_ID : required INT * USER_ID : required INT
* *
*/ */
public function get_user_acces(Request $request, $usr_id); public function get_user_access(Request $request, $usr_id);
public function add_record(Application $app, Request $request); public function add_record(Application $app, Request $request);

3537
lib/classes/API/V1/adapter.php
View File

File diff suppressed because it is too large Load Diff

17
lib/classes/databox/subdefsStructure.php
View File

@@ -130,17 +130,22 @@ class databox_subdefsStructure implements IteratorAggregate, Countable
} }
/** /**
* @param $subdef_type
* @param $subdef_name
* *
* @param type $subdef_type * @return mixed
* @param type $subdef_name * @throws Exception_Databox_SubdefNotFound
* @return databox_subdef
*/ */
public function get_subdef($subdef_type, $subdef_name) public function get_subdef($subdef_type, $subdef_name)
{ {
if (isset($this->AvSubdefs[$subdef_type]) && isset($this->AvSubdefs[$subdef_type][$subdef_name])) { $type = strtolower($subdef_type);
return $this->AvSubdefs[$subdef_type][$subdef_name]; $name = strtolower($subdef_name);
if (isset($this->AvSubdefs[$type]) && isset($this->AvSubdefs[$type][$name])) {
return $this->AvSubdefs[$type][$name];
} }
throw new Exception_Databox_SubdefNotFound(sprintf('Databox subdef name `%s` of type `%s` not found', $subdef_name, $subdef_type));
throw new Exception_Databox_SubdefNotFound(sprintf('Databox subdef name `%s` of type `%s` not found', $name, $type));
} }
/** /**

18
tests/classes/api/v1/api_v1_adapterTest.php
View File

@@ -474,7 +474,23 @@ class API_V1_adapterTest extends PhraseanetPHPUnitAuthenticatedAbstract
{ {
$app = self::$DI['app']; $app = self::$DI['app'];
$stub = $this->getMock("API_V1_adapter", array("list_record"), array($app)); $stub = $this->getMock("API_V1_adapter", array("list_record"), array($app));
$databox = self::$DI['record_1']->get_databox(); self::$DI['app']['authentication']->setUser($this->getMockBuilder('\User_Adapter')
->setMethods(array('ACL'))
->disableOriginalConstructor()
->getMock());
$stubbedACL = $this->getMockBuilder('\ACL')
->disableOriginalConstructor()
->getMock();
//has_right_on_base return true
$stubbedACL->expects($this->any())
->method('has_right_on_base')
->will($this->returnValue(true));
self::$DI['app']['authentication']->getUser()->expects($this->any())
->method('ACL')
->will($this->returnValue($stubbedACL));
$request = new Request(array("salut" => "salut c'est la fete"), array(), array(), array(), array(), array('HTTP_Accept' => 'application/json')); $request = new Request(array("salut" => "salut c'est la fete"), array(), array(), array(), array(), array('HTTP_Accept' => 'application/json'));
$result = $stub->set_record_collection($request, self::$DI['record_1']->get_sbas_id(), self::$DI['record_1']->get_record_id()); $result = $stub->set_record_collection($request, self::$DI['record_1']->get_sbas_id(), self::$DI['record_1']->get_record_id());

BIN
tests/db-ref.sqlite
View File

Binary file not shown.