rgutierrez/resq
1
0
Fork 0
Code Issues 126 Pull requests 49 Projects Releases 4 Packages Wiki Activity Actions

Add ACL security checks for role views and controllers

Browse source
This commit is contained in:
Ramon Gutierrez 2018-01-11 15:34:53 +08:00
parent 9961510e40
commit 009289b282
3 changed files with 51 additions and 24 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

57
src/Controller/RoleController.php
View file

@ -25,22 +25,18 @@ class RoleController extends BaseController
public function index() public function index()
{ {
$this->denyAccessUnlessGranted('role.list', null, 'No access.');
$params = $this->initParameters('role_list'); $params = $this->initParameters('role_list');
$qb = $this->getDoctrine()
->getRepository(Role::class)
->createQueryBuilder('q')
->getQuery();
// get all rows
$rows = $qb->getResult(Query::HYDRATE_ARRAY);
// response // response
return $this->render('role/list.html.twig', $params); return $this->render('role/list.html.twig', $params);
} }
public function rows(Request $req) public function rows(Request $req)
{ {
$this->denyAccessUnlessGranted('role.list', null, 'No access.');
// build query // build query
$qb = $this->getDoctrine() $qb = $this->getDoctrine()
->getRepository(Role::class) ->getRepository(Role::class)
@ -89,15 +85,38 @@ class RoleController extends BaseController
} }
// get rows for this page // get rows for this page
$rows = $query->setFirstResult($offset) $obj_rows = $query->setFirstResult($offset)
->setMaxResults($perpage) ->setMaxResults($perpage)
->getQuery() ->getQuery()
->getResult(Query::HYDRATE_ARRAY); ->getResult();
// add crud urls // process rows
foreach ($rows as $index => $row) { $rows = [];
$rows[$index]['update_url'] = $this->generateUrl('role_update', ['id' => $row['id']]); foreach ($obj_rows as $orow) {
$rows[$index]['delete_url'] = $this->generateUrl('role_delete', ['id' => $row['id']]); // add row data
$row['id'] = $orow->getID();
$row['name'] = $orow->getName();
// add row metadata
$row['meta'] = [
'update_url' => '',
'delete_url' => ''
];
// check if they have access to super admin users
if (!$this->isGranted('user.role.sadmin') && $orow->isSuperAdmin())
{
$rows[] = $row;
continue;
}
// add crud urls
if ($this->isGranted('user.update'))
$row['meta']['update_url'] = $this->generateUrl('role_update', ['id' => $row['id']]);
if ($this->isGranted('user.delete'))
$row['meta']['delete_url'] = $this->generateUrl('role_delete', ['id' => $row['id']]);
$rows[] = $row;
} }
// response // response
@ -116,6 +135,8 @@ class RoleController extends BaseController
public function create() public function create()
{ {
$this->denyAccessUnlessGranted('role.add', null, 'No access.');
$params = $this->initParameters('role_list'); $params = $this->initParameters('role_list');
$this->padACLHierarchy($params); $this->padACLHierarchy($params);
@ -126,6 +147,8 @@ class RoleController extends BaseController
public function createSubmit(Request $req, ValidatorInterface $validator) public function createSubmit(Request $req, ValidatorInterface $validator)
{ {
$this->denyAccessUnlessGranted('role.add', null, 'No access.');
// create new row // create new row
$em = $this->getDoctrine()->getManager(); $em = $this->getDoctrine()->getManager();
$row = new Role(); $row = new Role();
@ -173,6 +196,8 @@ class RoleController extends BaseController
public function update($id) public function update($id)
{ {
$this->denyAccessUnlessGranted('role.update', null, 'No access.');
$params = $this->initParameters('role_list'); $params = $this->initParameters('role_list');
$this->padACLHierarchy($params); $this->padACLHierarchy($params);
@ -193,6 +218,8 @@ class RoleController extends BaseController
public function updateSubmit(Request $req, ValidatorInterface $validator, $id) public function updateSubmit(Request $req, ValidatorInterface $validator, $id)
{ {
$this->denyAccessUnlessGranted('role.update', null, 'No access.');
// get row data // get row data
$em = $this->getDoctrine()->getManager(); $em = $this->getDoctrine()->getManager();
$row = $em->getRepository(Role::class)->find($id); $row = $em->getRepository(Role::class)->find($id);
@ -250,6 +277,8 @@ class RoleController extends BaseController
public function destroy($id) public function destroy($id)
{ {
$this->denyAccessUnlessGranted('role.delete', null, 'No access.');
$params = $this->initParameters('role_list'); $params = $this->initParameters('role_list');
// get row data // get row data

2
templates/role/form.html.twig
View file

@ -56,7 +56,7 @@
</div> </div>
<div class="form-group m-form__group row"> <div class="form-group m-form__group row">
<label class="col-lg-3 col-form-label" data-field="name"> <label class="col-lg-3 col-form-label" data-field="name">
Acess Levels: Access Levels:
</label> </label>
<div class="col-lg-9"> <div class="col-lg-9">
<div class="m-checkbox-list"> <div class="m-checkbox-list">

16
templates/role/list.html.twig
View file

@ -18,12 +18,6 @@
<div class="col-xl-12"> <div class="col-xl-12">
<div class="m-portlet m-portlet--mobile"> <div class="m-portlet m-portlet--mobile">
<div class="m-portlet__body"> <div class="m-portlet__body">
{% for message in app.flashes('success') %}
<div class="alert alert-success alert-dismissible fade show" role="alert">
<button type="button" class="close" data-dismiss="alert" aria-label="Close"></button>
<strong>Success!</strong> {{ message }}
</div>
{% endfor %}
<div class="m-form m-form--label-align-right m--margin-top-20 m--margin-bottom-30"> <div class="m-form m-form--label-align-right m--margin-top-20 m--margin-bottom-30">
<div class="row align-items-center"> <div class="row align-items-center">
<div class="col-xl-8 order-2 order-xl-1"> <div class="col-xl-8 order-2 order-xl-1">
@ -96,10 +90,14 @@
sortable: false, sortable: false,
overflow: 'visible', overflow: 'visible',
template: function (row, index, datatable) { template: function (row, index, datatable) {
var actions = '<a href="' + row.update_url + '" class="m-portlet__nav-link btn m-btn m-btn--hover-accent m-btn--icon m-btn--icon-only m-btn--pill btn-edit" data-id="' + row.id + '" title="Edit"><i class="la la-edit"></i></a>'; var actions = '';
if (row.meta.update_url != '') {
actions += '<a href="' + row.meta.update_url + '" class="m-portlet__nav-link btn m-btn m-btn--hover-accent m-btn--icon m-btn--icon-only m-btn--pill btn-edit" data-id="' + row.username + '" title="Edit"><i class="la la-edit"></i></a>';
}
if (row.id != 'ROLE_SUPER_ADMIN') { if (row.meta.delete_url != '') {
actions += '<a href="' + row.delete_url + '" class="m-portlet__nav-link btn m-btn m-btn--hover-danger m-btn--icon m-btn--icon-only m-btn--pill btn-delete" data-id="' + row.id + '" title="Delete"><i class="la la-trash"></i></a>'; actions += '<a href="' + row.meta.delete_url + '" class="m-portlet__nav-link btn m-btn m-btn--hover-danger m-btn--icon m-btn--icon-only m-btn--pill btn-delete" data-id="' + row.username + '" title="Delete"><i class="la la-trash"></i></a>';
} }
return actions; return actions;