From 190e2f48b3a112924b42aeae84950801355a5010 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Julien=20Fastr=C3=A9?= Date: Mon, 16 Apr 2018 17:20:34 +0200 Subject: [PATCH] introducer UserCircleConsistency validator This validator allow to check that the entity is consistent between user associated with the entity, and the scope. The entity is consistent if the user associated can reach the scope for the ROLE "SEE/SHOW". This is a Constraint with scope Class. Example of utilisation: ``` @UserCircleConsistency( * "CHILL_TASK_TASK_SEE", * getUserFunction="getAssignee", * path="circle" * ) class MyEntity { // ... public function getAssignee() { // return user } } ``` --- DependencyInjection/ChillMainExtension.php | 1 + Resources/config/services/validator.yml | 7 +++ Resources/translations/messages.fr.yml | 1 + Resources/translations/validators.fr.yml | 5 +- .../Entity/UserCircleConsistency.php | 52 ++++++++++++++++ .../Entity/UserCircleConsistencyValidator.php | 62 +++++++++++++++++++ 6 files changed, 127 insertions(+), 1 deletion(-) create mode 100644 Resources/config/services/validator.yml create mode 100644 Validator/Constraints/Entity/UserCircleConsistency.php create mode 100644 Validator/Constraints/Entity/UserCircleConsistencyValidator.php diff --git a/DependencyInjection/ChillMainExtension.php b/DependencyInjection/ChillMainExtension.php index 7a5766d4c..2bd1b3f25 100644 --- a/DependencyInjection/ChillMainExtension.php +++ b/DependencyInjection/ChillMainExtension.php @@ -92,6 +92,7 @@ class ChillMainExtension extends Extension implements PrependExtensionInterface, $loader->load('services/pagination.yml'); $loader->load('services/export.yml'); $loader->load('services/form.yml'); + $loader->load('services/validator.yml'); } diff --git a/Resources/config/services/validator.yml b/Resources/config/services/validator.yml new file mode 100644 index 000000000..f09304375 --- /dev/null +++ b/Resources/config/services/validator.yml 
@@ -0,0 +1,7 @@ +services: + chill_main.validator_user_circle_consistency: + class: Chill\MainBundle\Validator\Constraints\Entity\UserCircleConsistencyValidator + arguments: + - "@chill.main.security.authorization.helper" + tags: + - { name: "validator.constraint_validator" } diff --git a/Resources/translations/messages.fr.yml b/Resources/translations/messages.fr.yml index 06e63ce31..bf082188f 100644 --- a/Resources/translations/messages.fr.yml +++ b/Resources/translations/messages.fr.yml @@ -31,6 +31,7 @@ not valid: non valide Confirm: Confirmer Cancel: Annuler Save: Enregistrer +This form contains errors: Ce formulaire contient des erreurs 'You are going to leave a page with unsubmitted data. Are you sure you want to leave ?': "Vous allez quitter la page alors que des données n'ont pas été enregistrées. Êtes vous sûr de vouloir partir ?" diff --git a/Resources/translations/validators.fr.yml b/Resources/translations/validators.fr.yml index 4307be2fb..ba260f2c6 100644 --- a/Resources/translations/validators.fr.yml +++ b/Resources/translations/validators.fr.yml 
@@ -5,4 +5,7 @@ The role "%role%" should not be associated with a scope.: Le rôle "%role%" ne d "The password must contains one letter, one capitalized letter, one number and one special character as *[@#$%!,;:+\"'-/{}~=µ()£]). Other characters are allowed.": "Le mot de passe doit contenir une majuscule, une minuscule, et au moins un caractère spécial parmi *[@#$%!,;:+\"'-/{}~=µ()£]). Les autres caractères sont autorisés." The password fields must match: Les mots de passe doivent correspondre -A permission is already present for the same role and scope: Une permission est déjà présente pour le même rôle et cercle. \ No newline at end of file +A permission is already present for the same role and scope: Une permission est déjà présente pour le même rôle et cercle. + +#UserCircleConsistency +"{{ username }} is not allowed to see entities published in this circle": "{{ username }} n'est pas autorisé à voir l'élément publié dans ce cercle." \ No newline at end of file diff --git a/Validator/Constraints/Entity/UserCircleConsistency.php b/Validator/Constraints/Entity/UserCircleConsistency.php new file mode 100644 index 000000000..238aa1a7f --- /dev/null +++ b/Validator/Constraints/Entity/UserCircleConsistency.php 
@@ -0,0 +1,52 @@
+
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program. If not, see .
+ */
+namespace Chill\MainBundle\Validator\Constraints\Entity;
+
+use Symfony\Component\Validator\Constraint;
+
+/**
+ *
+ *
+ * @Annotation
+ */
+class UserCircleConsistency extends Constraint
+{
+ public $message = "{{ username }} is not allowed to see entities published in this circle";
+
+ public $role;
+
+ public $getUserFunction = 'getUser';
+
+ public $path = 'circle';
+
+ public function getDefaultOption()
+ {
+ return 'role';
+ }
+
+ public function getRequiredOptions()
+ {
+ return [ 'role' ];
+ }
+
+ public function getTargets()
+ {
+ return self::CLASS_CONSTRAINT;
+ }
+
+}
diff --git a/Validator/Constraints/Entity/UserCircleConsistencyValidator.php b/Validator/Constraints/Entity/UserCircleConsistencyValidator.php
new file mode 100644
index 000000000..adba2d760
--- /dev/null
+++ b/Validator/Constraints/Entity/UserCircleConsistencyValidator.php
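Review bot: In Validator/Constraints/Entity/UserCircleConsistency.php the class docblock is empty and none of the four public options is documented, although `$getUserFunction` is later used by the validator as a method name to invoke on the validated entity. Since that option decides which code runs during an authorization-related check, its contract should be written down, for example `/** @var string name of a public, argument-less method of the entity returning the associated User; to be set in mapping/annotations only, never from request data */`. In the same way, `$role` could carry `/** @var string role the associated user must hold on the entity's circle */` and `$path` `/** @var string property path on which the violation is reported */`. The class docblock could take the usage example that currently exists only in the commit message.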
@@ -0,0 +1,62 @@
+
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program. If not, see .
+ */
+namespace Chill\MainBundle\Validator\Constraints\Entity;
+
+use Chill\MainBundle\Security\Authorization\AuthorizationHelper;
+use Symfony\Component\Validator\Constraint;
+use Symfony\Component\Validator\ConstraintValidator;
+use Chill\MainBundle\Entity\HasScopeInterface;
+
+/**
+ *
+ *
+ */
+class UserCircleConsistencyValidator extends ConstraintValidator
+{
+ /**
+ *
+ * @var AuthorizationHelper
+ */
+ protected $autorizationHelper;
+
+ function __construct(AuthorizationHelper $autorizationHelper)
+ {
+ $this->autorizationHelper = $autorizationHelper;
+ }
+
+
+ /**
+ *
+ * @param object $value
+ * @param UserCircleConsistency $constraint
+ */
+ public function validate($value, Constraint $constraint)
+ {
+ /* @var $user \Chill\MainBundle\Entity\User */
+ $user = \call_user_func([$value, $constraint->getUserFunction ]);
+
+ if (FALSE === $this->autorizationHelper->userHasAccess($user, $value, $constraint->role)) {
+ $this->context
+ ->buildViolation($constraint->message)
+ ->setParameter('{{ username }}', $user->getUsername())
+ ->atPath($constraint->path)
+ ->addViolation()
+ ;
+ }
+ }
+}
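Review bot: In `UserCircleConsistencyValidator::validate()` the result of `call_user_func` goes straight into `userHasAccess()` and `$user->getUsername()` with no null check, so an entity with no associated user (presumably possible for an unassigned task) would raise an error instead of producing a validation result. The `FALSE === ...` comparison also fails open: should `userHasAccess()` ever return anything other than boolean false, such as null, no violation is added, whereas `TRUE !==` would make the check fail closed. `$constraint` is never checked to be a `UserCircleConsistency`, and `$value` is not checked either. The imported `HasScopeInterface` is unused and was presumably meant for that guard. Whether a missing user should pass silently or count as a violation is a policy decision the sketch below leaves to the author.

```php
public function validate($value, Constraint $constraint)
{
    if (!$constraint instanceof UserCircleConsistency) {
        throw new \Symfony\Component\Validator\Exception\UnexpectedTypeException(
            $constraint,
            UserCircleConsistency::class
        );
    }

    /* @var $user \Chill\MainBundle\Entity\User */
    $user = \call_user_func([$value, $constraint->getUserFunction ]);

    if (NULL === $user) {
        // no user associated with the entity: nothing to compare with the circle
        return;
    }

    // fail closed: anything other than an explicit TRUE is reported
    if (TRUE !== $this->autorizationHelper->userHasAccess($user, $value, $constraint->role)) {
        // … unchanged: buildViolation()/setParameter()/atPath()/addViolation() chain …
    }
}
```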