From 009289b2825b2518fac59aedb4820e67022a0e2a Mon Sep 17 00:00:00 2001
From: Ramon Gutierrez
Date: Thu, 11 Jan 2018 15:34:53 +0800
Subject: [PATCH] Add ACL security checks for role views and controllers

---
 src/Controller/RoleController.php | 57 +++++++++++++++++++++++--------
 templates/role/form.html.twig | 2 +-
 templates/role/list.html.twig | 16 ++++-----
 3 files changed, 51 insertions(+), 24 deletions(-)

diff --git a/src/Controller/RoleController.php b/src/Controller/RoleController.php
index f527e1f9..465ca2bb 100644
--- a/src/Controller/RoleController.php
+++ b/src/Controller/RoleController.php
@@ -25,22 +25,18 @@ class RoleController extends BaseController
 
 public function index()
 {
+ $this->denyAccessUnlessGranted('role.list', null, 'No access.');
+
 $params = $this->initParameters('role_list');
 
- $qb = $this->getDoctrine()
- ->getRepository(Role::class)
- ->createQueryBuilder('q')
- ->getQuery();
-
- // get all rows
- $rows = $qb->getResult(Query::HYDRATE_ARRAY);
-
 // response
 return $this->render('role/list.html.twig', $params);
 }
 
 public function rows(Request $req)
 {
+ $this->denyAccessUnlessGranted('role.list', null, 'No access.');
+
 // build query
 $qb = $this->getDoctrine()
 ->getRepository(Role::class)
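Review bot: With `Query::HYDRATE_ARRAY` removed from `index()` here and from `rows()` in the next hunk, the `use` statement that brings `Query` into scope at the top of RoleController.php is probably dead now; the import block is outside this hunk, so confirm nothing else references `Query` and drop it. The `rows()` body continues past the end of the hunk.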
@@ -89,15 +85,38 @@ class RoleController extends BaseController
 }
 
 // get rows for this page
- $rows = $query->setFirstResult($offset)
+ $obj_rows = $query->setFirstResult($offset)
 ->setMaxResults($perpage)
 ->getQuery()
- ->getResult(Query::HYDRATE_ARRAY);
+ ->getResult();
 
- // add crud urls
- foreach ($rows as $index => $row) {
- $rows[$index]['update_url'] = $this->generateUrl('role_update', ['id' => $row['id']]);
- $rows[$index]['delete_url'] = $this->generateUrl('role_delete', ['id' => $row['id']]);
+ // process rows
+ $rows = [];
+ foreach ($obj_rows as $orow) {
+ // add row data
+ $row['id'] = $orow->getID();
+ $row['name'] = $orow->getName();
+
+ // add row metadata
+ $row['meta'] = [
+ 'update_url' => '',
+ 'delete_url' => ''
+ ];
+
+ // check if they have access to super admin users
+ if (!$this->isGranted('user.role.sadmin') && $orow->isSuperAdmin())
+ {
+ $rows[] = $row;
+ continue;
+ }
+
+ // add crud urls
+ if ($this->isGranted('user.update'))
+ $row['meta']['update_url'] = $this->generateUrl('role_update', ['id' => $row['id']]);
+ if ($this->isGranted('user.delete'))
+ $row['meta']['delete_url'] = $this->generateUrl('role_delete', ['id' => $row['id']]);
+
+ $rows[] = $row;
 }
 
 // response
@@ -116,6 +135,8 @@ class RoleController extends BaseController
 
 public function create()
 {
+ $this->denyAccessUnlessGranted('role.add', null, 'No access.');
+
 $params = $this->initParameters('role_list');
 
 $this->padACLHierarchy($params);
@@ -126,6 +147,8 @@ class RoleController extends BaseController
 
 public function createSubmit(Request $req, ValidatorInterface $validator)
 {
+ $this->denyAccessUnlessGranted('role.add', null, 'No access.');
+
 // create new row
 $em = $this->getDoctrine()->getManager();
 $row = new Role();
@@ -173,6 +196,8 @@ class RoleController extends BaseController
 
 public function update($id)
 {
+ $this->denyAccessUnlessGranted('role.update', null, 'No access.');
+
 $params = $this->initParameters('role_list');
 
 $this->padACLHierarchy($params);
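Review bot: The link-visibility checks in the new `rows()` loop test `user.update` and `user.delete`, while the actions those links lead to, `update()` and `destroy()` (hunks at -173 and -250), require `role.update` and `role.delete`; unless the two attribute sets are meant to differ, a caller holding one but not the other either gets links that end in a 403 or never sees links to actions they may perform, and since the action methods are the enforcement point the list should test the same attributes. `$row` is also never reset between iterations and is first touched as `$row['id'] = ...` on an undefined variable; building the array fresh each pass avoids carrying anything over. The two unbraced `if` bodies and the `{` on its own line after `if` depart from PSR-12 as well.
```php
// … unchanged: paginated query into $obj_rows …
$rows = [];
foreach ($obj_rows as $orow) {
    // fresh array per row so nothing carries over from the previous iteration
    $row = [
        'id' => $orow->getID(),
        'name' => $orow->getName(),
        'meta' => ['update_url' => '', 'delete_url' => ''],
    ];

    // super-admin roles only get action links if the caller may manage them
    $canManage = !$orow->isSuperAdmin() || $this->isGranted('user.role.sadmin');

    // same attributes update() and destroy() enforce, so no link points at an action that will be refused
    if ($canManage && $this->isGranted('role.update')) {
        $row['meta']['update_url'] = $this->generateUrl('role_update', ['id' => $row['id']]);
    }
    if ($canManage && $this->isGranted('role.delete')) {
        $row['meta']['delete_url'] = $this->generateUrl('role_delete', ['id' => $row['id']]);
    }

    $rows[] = $row;
}
// … unchanged: response …
```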
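Review bot: `update()` gates only on `role.update`; the super-admin exclusion that `rows()` applies when deciding whether to render a link (`user.role.sadmin` together with `isSuperAdmin()`) is not repeated here, nor in `updateSubmit()` (hunk at -193) or `destroy()` (hunk at -250), as far as the hunks show. Withholding a link is not an access control, so the same condition needs enforcing server-side once the row is loaded, e.g. `if ($row->isSuperAdmin()) { $this->denyAccessUnlessGranted('user.role.sadmin', null, 'No access.'); }`. The bodies of all three methods continue outside their hunks, so the check may already exist further down; if it does, a short comment in `rows()` pointing at it would make the pairing obvious.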
@@ -193,6 +218,8 @@ class RoleController extends BaseController
 
 public function updateSubmit(Request $req, ValidatorInterface $validator, $id)
 {
+ $this->denyAccessUnlessGranted('role.update', null, 'No access.');
+
 // get row data
 $em = $this->getDoctrine()->getManager();
 $row = $em->getRepository(Role::class)->find($id);
@@ -250,6 +277,8 @@ class RoleController extends BaseController
 
 public function destroy($id)
 {
+ $this->denyAccessUnlessGranted('role.delete', null, 'No access.');
+
 $params = $this->initParameters('role_list');
 
 // get row data
diff --git a/templates/role/form.html.twig b/templates/role/form.html.twig
index f7c3fd1f..39686605 100644
--- a/templates/role/form.html.twig
+++ b/templates/role/form.html.twig
@@ -56,7 +56,7 @@
diff --git a/templates/role/list.html.twig b/templates/role/list.html.twig
index 89d4d833..4332f3eb 100644
--- a/templates/role/list.html.twig
+++ b/templates/role/list.html.twig
@@ -18,12 +18,6 @@
- {% for message in app.flashes('success') %} - - {% endfor %}
@@ -96,10 +90,14 @@
 sortable: false,
 overflow: 'visible',
 template: function (row, index, datatable) {
- var actions = '';
+ var actions = '';
+
+ if (row.meta.update_url != '') {
+ actions += '';
+ }
 
- if (row.id != 'ROLE_SUPER_ADMIN') {
- actions += '';
+ if (row.meta.delete_url != '') {
+ actions += '';
 }
 
 return actions;
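Review bot: The two new guards use loose comparison (`row.meta.update_url != ''`); the server fills `row.meta` with strings, so `!== ''` states the intent and avoids coercion, i.e. `if (row.meta.update_url !== '') {` and `if (row.meta.delete_url !== '') {`. Replacing the client-side `row.id != 'ROLE_SUPER_ADMIN'` test with server-supplied empty URLs is the right direction, as the template no longer carries authorization logic of its own. The anchor markup inside the string literals is not visible in this excerpt, so whether the URL lands in a properly quoted attribute cannot be checked here.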