rgutierrez/resq
1
0
Fork 0
Code Issues 126 Pull requests 49 Projects Releases 4 Packages Wiki Activity Actions

Add ACL security checks for user views and controllers

Browse source
This commit is contained in:
Kendrick Chan 2018-01-11 03:04:09 +08:00
parent 55de671803
commit 9961510e40
4 changed files with 79 additions and 21 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

72
src/Controller/UserController.php
View file

@ -16,22 +16,17 @@ class UserController extends BaseController
{ {
public function index() public function index()
{ {
$this->denyAccessUnlessGranted('user.list', null, 'No access.');
$params = $this->initParameters('user_list'); $params = $this->initParameters('user_list');
$qb = $this->getDoctrine()
->getRepository(User::class)
->createQueryBuilder('q')
->getQuery();
// get all rows
$rows = $qb->getResult(Query::HYDRATE_ARRAY);
// response
return $this->render('user/list.html.twig', $params); return $this->render('user/list.html.twig', $params);
} }
public function rows(Request $req) public function rows(Request $req)
{ {
$this->denyAccessUnlessGranted('user.list', null, 'No access.');
// get query builder // get query builder
$qb = $this->getDoctrine() $qb = $this->getDoctrine()
->getRepository(User::class) ->getRepository(User::class)
@ -83,15 +78,45 @@ class UserController extends BaseController
} }
// get rows for this page // get rows for this page
$rows = $query->setFirstResult($offset) $obj_rows = $query->setFirstResult($offset)
->setMaxResults($perpage) ->setMaxResults($perpage)
->getQuery() ->getQuery()
->getResult(Query::HYDRATE_ARRAY); ->getResult();
// Query::HYDRATE_ARRAY);
// add crud urls // process rows
foreach ($rows as $index => $row) { $rows = [];
$rows[$index]['update_url'] = $this->generateUrl('user_update', ['id' => $row['id']]); foreach ($obj_rows as $orow) {
$rows[$index]['delete_url'] = $this->generateUrl('user_delete', ['id' => $row['id']]); // add row data
$row['id'] = $orow->getID();
$row['username'] = $orow->getUsername();
$row['first_name'] = $orow->getFirstName();
$row['last_name'] = $orow->getLastName();
$row['email'] = $orow->getEmail();
$row['contact_num'] = $orow->getContactNumber();
$row['enabled'] = $orow->isEnabled();
// add row metadata
$row['meta'] = [
'update_url' => '',
'delete_url' => ''
];
// check if they have access to super admin users
if (!$this->isGranted('user.role.sadmin') && $orow->isSuperAdmin())
{
$rows[] = $row;
continue;
}
// add crud urls
if ($this->isGranted('user.update'))
$row['meta']['update_url'] = $this->generateUrl('user_update', ['id' => $row['id']]);
if ($this->isGranted('user.delete'))
$row['meta']['delete_url'] = $this->generateUrl('user_delete', ['id' => $row['id']]);
$rows[] = $row;
} }
// response // response
@ -103,6 +128,8 @@ class UserController extends BaseController
public function create() public function create()
{ {
$this->denyAccessUnlessGranted('user.add', null, 'No access.');
$params = $this->initParameters('user_list'); $params = $this->initParameters('user_list');
// get roles // get roles
@ -115,6 +142,8 @@ class UserController extends BaseController
public function createSubmit(Request $req, EncoderFactoryInterface $ef, ValidatorInterface $validator) public function createSubmit(Request $req, EncoderFactoryInterface $ef, ValidatorInterface $validator)
{ {
$this->denyAccessUnlessGranted('user.add', null, 'No access.');
// create new row // create new row
$em = $this->getDoctrine()->getManager(); $em = $this->getDoctrine()->getManager();
$row = new User(); $row = new User();
@ -135,9 +164,14 @@ class UserController extends BaseController
foreach ($roles as $role_id) { foreach ($roles as $role_id) {
// check if role exists // check if role exists
$role = $em->getRepository(Role::class)->find($role_id); $role = $em->getRepository(Role::class)->find($role_id);
if (!empty($role)) if (!empty($role))
{
// check access to super user roles
if ($role->isSuperAdmin() && !$this->isGranted('user.role.sadmin'))
continue;
$row->addRole($role); $row->addRole($role);
}
} }
} }
@ -191,6 +225,8 @@ class UserController extends BaseController
public function update($id) public function update($id)
{ {
$this->denyAccessUnlessGranted('user.update', null, 'No access.');
$params = $this->initParameters('user_list'); $params = $this->initParameters('user_list');
// get row data // get row data
@ -214,6 +250,8 @@ class UserController extends BaseController
public function updateSubmit(Request $req, EncoderFactoryInterface $ef, ValidatorInterface $validator, $id) public function updateSubmit(Request $req, EncoderFactoryInterface $ef, ValidatorInterface $validator, $id)
{ {
$this->denyAccessUnlessGranted('user.update', null, 'No access.');
// get row data // get row data
$em = $this->getDoctrine()->getManager(); $em = $this->getDoctrine()->getManager();
$row = $em->getRepository(User::class)->find($id); $row = $em->getRepository(User::class)->find($id);
@ -293,6 +331,8 @@ class UserController extends BaseController
public function destroy($id) public function destroy($id)
{ {
$this->denyAccessUnlessGranted('user.delete', null, 'No access.');
$params = $this->initParameters('user_list'); $params = $this->initParameters('user_list');
// get row data // get row data

11
src/Entity/User.php
View file

@ -233,4 +233,15 @@ class User implements AdvancedUserInterface, Serializable
{ {
return $this->email; return $this->email;
} }
public function isSuperAdmin()
{
foreach ($this->roles as $role)
{
if ($role->isSuperAdmin())
return true;
}
return false;
}
} }

5
templates/user/form.html.twig
View file

@ -103,11 +103,14 @@
<div class="col-lg-10"> <div class="col-lg-10">
<div class="m-checkbox-list"> <div class="m-checkbox-list">
{% for role in roles %} {% for role in roles %}
{% if role.isSuperAdmin and not is_granted('user.role.sadmin') %}
{% else %}
<label class="m-checkbox"> <label class="m-checkbox">
<input type="checkbox" name="roles[]" value="{{ role.getID() }}"{{ (values.roles is defined and role.getID() in value.roles) or (row is defined and values.roles is not defined and role.getID() in row.getRoles()) ? ' checked' : '' }}> <input type="checkbox" name="roles[]" value="{{ role.getID() }}"{{ (values.roles is defined and role.getID() in value.roles) or (row is defined and values.roles is not defined and role.getID() in row.getRoles()) ? ' checked' : '' }}>
{{ role.getName() }} {{ role.getName() }}
<span></span> <span></span>
</label> </label>
{% endif %}
{% endfor %} {% endfor %}
</div> </div>
<div class="form-control-feedback hide" data-field="roles"></div> <div class="form-control-feedback hide" data-field="roles"></div>
@ -213,4 +216,4 @@
} }
}); });
</script> </script>
{% endblock %} {% endblock %}

12
templates/user/list.html.twig
View file

@ -122,10 +122,14 @@
sortable: false, sortable: false,
overflow: 'visible', overflow: 'visible',
template: function (row, index, datatable) { template: function (row, index, datatable) {
var actions = '<a href="' + row.update_url + '" class="m-portlet__nav-link btn m-btn m-btn--hover-accent m-btn--icon m-btn--icon-only m-btn--pill btn-edit" data-id="' + row.username + '" title="Edit"><i class="la la-edit"></i></a>'; var actions = '';
if (row.meta.update_url != '') {
actions += '<a href="' + row.meta.update_url + '" class="m-portlet__nav-link btn m-btn m-btn--hover-accent m-btn--icon m-btn--icon-only m-btn--pill btn-edit" data-id="' + row.username + '" title="Edit"><i class="la la-edit"></i></a>';
}
if (row.id != 'ROLE_SUPER_ADMIN') { if (row.meta.delete_url != '') {
actions += '<a href="' + row.delete_url + '" class="m-portlet__nav-link btn m-btn m-btn--hover-danger m-btn--icon m-btn--icon-only m-btn--pill btn-delete" data-id="' + row.username + '" title="Delete"><i class="la la-trash"></i></a>'; actions += '<a href="' + row.meta.delete_url + '" class="m-portlet__nav-link btn m-btn m-btn--hover-danger m-btn--icon m-btn--icon-only m-btn--pill btn-delete" data-id="' + row.username + '" title="Delete"><i class="la la-trash"></i></a>';
} }
return actions; return actions;
@ -173,4 +177,4 @@
}); });
}); });
</script> </script>
{% endblock %} {% endblock %}