fix: [userSettings] Various permissions issues

pull/85/head
Sami Mokaddem 2022-01-17 15:24:30 +01:00
parent 1c81257b75
commit ef2827e87a
No known key found for this signature in database
GPG Key ID: 164C473F627A06FA
2 changed files with 57 additions and 9 deletions


@ -9,6 +9,8 @@ use \Cake\Database\Expression\QueryExpression;
use Cake\Http\Exception\NotFoundException; use Cake\Http\Exception\NotFoundException;
use Cake\Http\Exception\MethodNotAllowedException; use Cake\Http\Exception\MethodNotAllowedException;
use Cake\Http\Exception\ForbiddenException; use Cake\Http\Exception\ForbiddenException;
use Cake\Http\Exception\UnauthorizedException;
class UserSettingsController extends AppController class UserSettingsController extends AppController
{ {
@ -19,8 +21,12 @@ class UserSettingsController extends AppController
public function index() public function index()
{ {
$conditions = []; $conditions = [];
$currentUser = $this->ACL->getUser();
if (empty($currentUser['role']['perm_admin'])) {
$conditions['user_id'] = $currentUser->id;
}
$this->CRUD->index([ $this->CRUD->index([
'conditions' => [], 'conditions' => $conditions,
'contain' => $this->containFields, 'contain' => $this->containFields,
'filters' => $this->filterFields, 'filters' => $this->filterFields,
'quickFilters' => $this->quickFilterFields, 'quickFilters' => $this->quickFilterFields,
@ -39,6 +45,9 @@ class UserSettingsController extends AppController
public function view($id) public function view($id)
{ {
if (!$this->isLoggedUserAllowedToEdit($id)) {
throw new NotFoundException(__('Invalid {0}.', 'user setting'));
}
$this->CRUD->view($id, [ $this->CRUD->view($id, [
'contain' => ['Users'] 'contain' => ['Users']
]); ]);
@ -50,10 +59,13 @@ class UserSettingsController extends AppController
public function add($user_id = false) public function add($user_id = false)
{ {
$currentUser = $this->ACL->getUser();
$this->CRUD->add([ $this->CRUD->add([
'redirect' => ['action' => 'index', $user_id], 'redirect' => ['action' => 'index', $user_id],
'beforeSave' => function($data) use ($user_id) { 'beforeSave' => function ($data) use ($currentUser) {
$data['user_id'] = $user_id; if (empty($currentUser['role']['perm_admin'])) {
$data['user_id'] = $currentUser->id;
}
return $data; return $data;
} }
]); ]);
@ -61,10 +73,13 @@ class UserSettingsController extends AppController
if (!empty($responsePayload)) { if (!empty($responsePayload)) {
return $responsePayload; return $responsePayload;
} }
$allUsers = $this->UserSettings->Users->find('list', ['keyField' => 'id', 'valueField' => 'username'])->order(['username' => 'ASC']);
if (empty($currentUser['role']['perm_admin'])) {
$allUsers->where(['id' => $currentUser->id]);
$user_id = $currentUser->id;
}
$dropdownData = [ $dropdownData = [
'user' => $this->UserSettings->Users->find('list', [ 'user' => $allUsers->all()->toArray(),
'sort' => ['username' => 'asc']
]),
]; ];
$this->set(compact('dropdownData')); $this->set(compact('dropdownData'));
$this->set('user_id', $user_id); $this->set('user_id', $user_id);
@ -75,6 +90,11 @@ class UserSettingsController extends AppController
$entity = $this->UserSettings->find()->where([ $entity = $this->UserSettings->find()->where([
'id' => $id 'id' => $id
])->first(); ])->first();
if (!$this->isLoggedUserAllowedToEdit($entity)) {
throw new NotFoundException(__('Invalid {0}.', 'user setting'));
}
$entity = $this->CRUD->edit($id, [ $entity = $this->CRUD->edit($id, [
'redirect' => ['action' => 'index', $entity->user_id] 'redirect' => ['action' => 'index', $entity->user_id]
]); ]);
@ -94,6 +114,9 @@ class UserSettingsController extends AppController
public function delete($id) public function delete($id)
{ {
if (!$this->isLoggedUserAllowedToEdit($id)) {
throw new NotFoundException(__('Invalid {0}.', 'user setting'));
}
$this->CRUD->delete($id); $this->CRUD->delete($id);
$responsePayload = $this->CRUD->getResponsePayload(); $responsePayload = $this->CRUD->getResponsePayload();
if (!empty($responsePayload)) { if (!empty($responsePayload)) {
@ -160,7 +183,7 @@ class UserSettingsController extends AppController
} }
} }
public function getBookmarks($forSidebar=false) public function getBookmarks($forSidebar = false)
{ {
$bookmarks = $this->UserSettings->getSettingByName($this->ACL->getUser(), $this->UserSettings->BOOKMARK_SETTING_NAME); $bookmarks = $this->UserSettings->getSettingByName($this->ACL->getUser(), $this->UserSettings->BOOKMARK_SETTING_NAME);
$bookmarks = json_decode($bookmarks['value'], true); $bookmarks = json_decode($bookmarks['value'], true);
@ -200,4 +223,29 @@ class UserSettingsController extends AppController
$this->set('user_id', $this->ACL->getUser()->id); $this->set('user_id', $this->ACL->getUser()->id);
} }
} /**
* isLoggedUserAllowedToEdit
*
* @param int|\App\Model\Entity\UserSetting $setting
* @return boolean
*/
private function isLoggedUserAllowedToEdit($setting): bool
{
$currentUser = $this->ACL->getUser();
$isAllowed = false;
if (!empty($currentUser['role']['perm_admin'])) {
$isAllowed = true;
} else {
if (is_numeric($setting)) {
$setting = $this->UserSettings->find()->where([
'id' => $setting
])->first();
if (empty($setting)) {
return false;
}
}
$isAllowed = $setting->user_id == $currentUser->id;
}
return $isAllowed;
}
}
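Review bot: The ownership check added to `edit()` only covers the row as it exists before the update; `CRUD->edit($id, ...)` is still called with no `beforeSave`, so a non-admin who owns a setting can submit a different `user_id` and move the row onto another user's account, which is exactly the gap `add()` closes with its `beforeSave` callback (assuming the edit hook accepts the same callback shape). A missing row also reaches `isLoggedUserAllowedToEdit($entity)` with `null`, which then reads `->user_id` on a non-object instead of failing cleanly, so test for an empty `$entity` first. The enclosing `edit()` method begins before this hunk, so the `$currentUser` lookup may already exist above it. In `isLoggedUserAllowedToEdit()` the final comparison uses `==`; `(int) $setting->user_id === (int) $currentUser->id` avoids PHP's loose `null == 0` equality for a setting without an owner.
```php
// … unchanged: $entity = $this->UserSettings->find()->where(['id' => $id])->first(); …
if (empty($entity) || !$this->isLoggedUserAllowedToEdit($entity)) {
    throw new NotFoundException(__('Invalid {0}.', 'user setting'));
}
$currentUser = $this->ACL->getUser();
$entity = $this->CRUD->edit($id, [
    'redirect' => ['action' => 'index', $entity->user_id],
    'beforeSave' => function ($data) use ($currentUser) {
        // Non-admins may not reassign a setting to another user.
        if (empty($currentUser['role']['perm_admin'])) {
            $data['user_id'] = $currentUser->id;
        }
        return $data;
    }
]);
```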


@ -11,7 +11,7 @@ use App\Settings\SettingsProvider\UserSettingsProvider;
class UserSettingsTable extends AppTable class UserSettingsTable extends AppTable
{ {
protected $BOOKMARK_SETTING_NAME = 'ui.bookmarks'; public $BOOKMARK_SETTING_NAME = 'ui.bookmarks';
public function initialize(array $config): void public function initialize(array $config): void
{ {