Add ACL security checks for user views and controllers
This commit is contained in:
parent
55de671803
commit
9961510e40
4 changed files with 79 additions and 21 deletions
@ -16,22 +16,17 @@ class UserController extends BaseController
|
|||
{
|
||||
public function index()
|
||||
{
|
||||
$this->denyAccessUnlessGranted('user.list', null, 'No access.');
|
||||
|
||||
$params = $this->initParameters('user_list');
|
||||
|
||||
$qb = $this->getDoctrine()
|
||||
->getRepository(User::class)
|
||||
->createQueryBuilder('q')
|
||||
->getQuery();
|
||||
|
||||
// get all rows
|
||||
$rows = $qb->getResult(Query::HYDRATE_ARRAY);
|
||||
|
||||
// response
|
||||
return $this->render('user/list.html.twig', $params);
|
||||
}
|
||||
|
||||
public function rows(Request $req)
|
||||
{
|
||||
$this->denyAccessUnlessGranted('user.list', null, 'No access.');
|
||||
|
||||
// get query builder
|
||||
$qb = $this->getDoctrine()
|
||||
->getRepository(User::class)
|
||||
|
|
@ -83,15 +78,45 @@ class UserController extends BaseController
|
|||
}
|
||||
|
||||
// get rows for this page
|
||||
$rows = $query->setFirstResult($offset)
|
||||
$obj_rows = $query->setFirstResult($offset)
|
||||
->setMaxResults($perpage)
|
||||
->getQuery()
|
||||
->getResult(Query::HYDRATE_ARRAY);
|
||||
->getResult();
|
||||
// Query::HYDRATE_ARRAY);
|
||||
|
||||
// add crud urls
|
||||
foreach ($rows as $index => $row) {
|
||||
$rows[$index]['update_url'] = $this->generateUrl('user_update', ['id' => $row['id']]);
|
||||
$rows[$index]['delete_url'] = $this->generateUrl('user_delete', ['id' => $row['id']]);
|
||||
// process rows
|
||||
$rows = [];
|
||||
foreach ($obj_rows as $orow) {
|
||||
// add row data
|
||||
$row['id'] = $orow->getID();
|
||||
$row['username'] = $orow->getUsername();
|
||||
$row['first_name'] = $orow->getFirstName();
|
||||
$row['last_name'] = $orow->getLastName();
|
||||
$row['email'] = $orow->getEmail();
|
||||
$row['contact_num'] = $orow->getContactNumber();
|
||||
$row['enabled'] = $orow->isEnabled();
|
||||
|
||||
|
||||
// add row metadata
|
||||
$row['meta'] = [
|
||||
'update_url' => '',
|
||||
'delete_url' => ''
|
||||
];
|
||||
|
||||
// check if they have access to super admin users
|
||||
if (!$this->isGranted('user.role.sadmin') && $orow->isSuperAdmin())
|
||||
{
|
||||
$rows[] = $row;
|
||||
continue;
|
||||
}
|
||||
|
||||
// add crud urls
|
||||
if ($this->isGranted('user.update'))
|
||||
$row['meta']['update_url'] = $this->generateUrl('user_update', ['id' => $row['id']]);
|
||||
if ($this->isGranted('user.delete'))
|
||||
$row['meta']['delete_url'] = $this->generateUrl('user_delete', ['id' => $row['id']]);
|
||||
|
||||
$rows[] = $row;
|
||||
}
|
||||
|
||||
// response
|
||||
|
|
@ -103,6 +128,8 @@ class UserController extends BaseController
|
|||
|
||||
public function create()
|
||||
{
|
||||
$this->denyAccessUnlessGranted('user.add', null, 'No access.');
|
||||
|
||||
$params = $this->initParameters('user_list');
|
||||
|
||||
// get roles
|
||||
|
|
@ -115,6 +142,8 @@ class UserController extends BaseController
|
|||
|
||||
public function createSubmit(Request $req, EncoderFactoryInterface $ef, ValidatorInterface $validator)
|
||||
{
|
||||
$this->denyAccessUnlessGranted('user.add', null, 'No access.');
|
||||
|
||||
// create new row
|
||||
$em = $this->getDoctrine()->getManager();
|
||||
$row = new User();
|
||||
|
|
@ -135,9 +164,14 @@ class UserController extends BaseController
|
|||
foreach ($roles as $role_id) {
|
||||
// check if role exists
|
||||
$role = $em->getRepository(Role::class)->find($role_id);
|
||||
|
||||
if (!empty($role))
|
||||
{
|
||||
// check access to super user roles
|
||||
if ($role->isSuperAdmin() && !$this->isGranted('user.role.sadmin'))
|
||||
continue;
|
||||
|
||||
$row->addRole($role);
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
|
|
@ -191,6 +225,8 @@ class UserController extends BaseController
|
|||
|
||||
public function update($id)
|
||||
{
|
||||
$this->denyAccessUnlessGranted('user.update', null, 'No access.');
|
||||
|
||||
$params = $this->initParameters('user_list');
|
||||
|
||||
// get row data
|
||||
|
|
@ -214,6 +250,8 @@ class UserController extends BaseController
|
|||
|
||||
public function updateSubmit(Request $req, EncoderFactoryInterface $ef, ValidatorInterface $validator, $id)
|
||||
{
|
||||
$this->denyAccessUnlessGranted('user.update', null, 'No access.');
|
||||
|
||||
// get row data
|
||||
$em = $this->getDoctrine()->getManager();
|
||||
$row = $em->getRepository(User::class)->find($id);
|
||||
|
|
@ -293,6 +331,8 @@ class UserController extends BaseController
|
|||
|
||||
public function destroy($id)
|
||||
{
|
||||
$this->denyAccessUnlessGranted('user.delete', null, 'No access.');
|
||||
|
||||
$params = $this->initParameters('user_list');
|
||||
|
||||
// get row data
|
||||
|
|
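Review bot: The super-admin restriction that `rows()` enforces by blanking `meta.update_url`/`meta.delete_url` is not mirrored in the handlers those URLs point at: within the visible hunks, `update()`, `updateSubmit()` and `destroy()` only call `denyAccessUnlessGranted('user.update' / 'user.delete', …)` and never check whether the loaded `$row` is a super admin, so a caller holding `user.update` but not `user.role.sadmin` could still submit to `user_update` for a super-admin account directly. Unless such a check already exists in the parts of those bodies that lie outside the hunks, add after each `$row = $em->getRepository(User::class)->find($id);` a guard such as `if ($row !== null && $row->isSuperAdmin() && !$this->isGranted('user.role.sadmin')) { throw $this->createAccessDeniedException('No access.'); }`. The role loop in `createSubmit()` has a related gap: a super-admin role requested without `user.role.sadmin` is silently dropped with `continue`, so the client never learns the role was not applied; recording it as a validation error would make the outcome explicit. In `rows()` the leftover `// Query::HYDRATE_ARRAY);` comment after `->getResult();` is dead code and should be removed. All of these method bodies start or end outside the hunks.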
|
|||
|
|
@ -233,4 +233,15 @@ class User implements AdvancedUserInterface, Serializable
|
|||
{
|
||||
return $this->email;
|
||||
}
|
||||
|
||||
public function isSuperAdmin()
|
||||
{
|
||||
foreach ($this->roles as $role)
|
||||
{
|
||||
if ($role->isSuperAdmin())
|
||||
return true;
|
||||
}
|
||||
|
||||
return false;
|
||||
}
|
||||
}
|
||||
|
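Review bot: The new `isSuperAdmin()` on `User` declares no return type and carries no docblock although every path returns a bool; declare it as `public function isSuperAdmin(): bool` and add a one-line docblock such as `/** True when any role assigned to this user is itself a super-admin role (delegates to Role::isSuperAdmin()). */`. The loop presumes every element of `$this->roles` is a `Role` object exposing `isSuperAdmin()`; the property's declaration is outside the hunk, so confirm it is not a plain array of role-name strings (as `getRoles()` on a Symfony user often yields), in which case the method call would fail at runtime. The class body continues above the hunk.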
|
|
|||
|
|
@ -103,11 +103,14 @@
|
|||
<div class="col-lg-10">
|
||||
<div class="m-checkbox-list">
|
||||
{% for role in roles %}
|
||||
{% if role.isSuperAdmin and not is_granted('user.role.sadmin') %}
|
||||
{% else %}
|
||||
<label class="m-checkbox">
|
||||
<input type="checkbox" name="roles[]" value="{{ role.getID() }}"{{ (values.roles is defined and role.getID() in value.roles) or (row is defined and values.roles is not defined and role.getID() in row.getRoles()) ? ' checked' : '' }}>
|
||||
{{ role.getName() }}
|
||||
<span></span>
|
||||
</label>
|
||||
{% endif %}
|
||||
{% endfor %}
|
||||
</div>
|
||||
<div class="form-control-feedback hide" data-field="roles"></div>
|
||||
|
|
@ -213,4 +216,4 @@
|
|||
}
|
||||
});
|
||||
</script>
|
||||
{% endblock %}
|
||||
{% endblock %}
|
||||
|
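Review bot: The new `{% if role.isSuperAdmin and not is_granted('user.role.sadmin') %}` branch at the top of the role loop is empty and exists only so that `{% else %}` renders the checkbox; invert it so the intent reads directly, `{% if not role.isSuperAdmin or is_granted('user.role.sadmin') %}`, and drop the `{% else %}`. Hiding the checkbox is presentation only; the server-side skip in `createSubmit()` remains the actual control, so this template change should not be read as enforcing anything. Separately, the unchanged `checked` expression on the input tests `values.roles is defined` but then reads `role.getID() in value.roles`, which looks like a typo for `values.roles` and would leave previously selected roles unchecked after a failed submit — worth confirming outside this commit.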
|
|
|||
|
|
@ -122,10 +122,14 @@
|
|||
sortable: false,
|
||||
overflow: 'visible',
|
||||
template: function (row, index, datatable) {
|
||||
var actions = '<a href="' + row.update_url + '" class="m-portlet__nav-link btn m-btn m-btn--hover-accent m-btn--icon m-btn--icon-only m-btn--pill btn-edit" data-id="' + row.username + '" title="Edit"><i class="la la-edit"></i></a>';
|
||||
var actions = '';
|
||||
|
||||
if (row.meta.update_url != '') {
|
||||
actions += '<a href="' + row.meta.update_url + '" class="m-portlet__nav-link btn m-btn m-btn--hover-accent m-btn--icon m-btn--icon-only m-btn--pill btn-edit" data-id="' + row.username + '" title="Edit"><i class="la la-edit"></i></a>';
|
||||
}
|
||||
|
||||
if (row.id != 'ROLE_SUPER_ADMIN') {
|
||||
actions += '<a href="' + row.delete_url + '" class="m-portlet__nav-link btn m-btn m-btn--hover-danger m-btn--icon m-btn--icon-only m-btn--pill btn-delete" data-id="' + row.username + '" title="Delete"><i class="la la-trash"></i></a>';
|
||||
if (row.meta.delete_url != '') {
|
||||
actions += '<a href="' + row.meta.delete_url + '" class="m-portlet__nav-link btn m-btn m-btn--hover-danger m-btn--icon m-btn--icon-only m-btn--pill btn-delete" data-id="' + row.username + '" title="Delete"><i class="la la-trash"></i></a>';
|
||||
}
|
||||
|
||||
return actions;
|
||||
|
|
@ -173,4 +177,4 @@
|
|||
});
|
||||
});
|
||||
</script>
|
||||
{% endblock %}
|
||||
{% endblock %}
|
||||
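Review bot: Both new `actions +=` lines in the `template` callback interpolate `row.username` straight into a `data-id="…"` attribute without escaping, so a username containing `"` or `<` breaks the generated markup and can inject attributes into the row's action links; escape it once before building the links, e.g. `var safeName = String(row.username).replace(/&/g, '&amp;').replace(/"/g, '&quot;').replace(/</g, '&lt;');` and use `safeName` in both anchors (the line this replaces had the same issue). The two emptiness tests `row.meta.update_url != ''` and `row.meta.delete_url != ''` use loose comparison; since `rows()` always sends a string, `!== ''` states the intent exactly. The `template` function begins inside the hunk, but the datatable configuration around it continues outside.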
|
|
|
|||