From 51681edda7fce570e2cf1079e0e7fbdc503ead66 Mon Sep 17 00:00:00 2001
From: Julie Lenaerts
Date: Mon, 13 Feb 2023 17:17:56 +0100
Subject: [PATCH] FIX [voter][household] only allow editing of household if user has chill_person_household_edit right linked to being able to edit persons
---
 .../HouseholdCompositionController.php | 2 +-
 .../Controller/HouseholdController.php | 22 +++-
 .../Controller/HouseholdMemberController.php | 13 ++-
 .../views/Household/_render_member.html.twig | 13 ++-
 .../views/Household/addresses.html.twig | 18 +--
 .../views/Household/summary.html.twig | 110 ++++++++++--------
 .../views/Person/household_history.html.twig | 33 +++---
 7 files changed, 124 insertions(+), 87 deletions(-)
diff --git a/src/Bundle/ChillPersonBundle/Controller/HouseholdCompositionController.php b/src/Bundle/ChillPersonBundle/Controller/HouseholdCompositionController.php
index 43d35934b..3dceba5be 100644
--- a/src/Bundle/ChillPersonBundle/Controller/HouseholdCompositionController.php
+++ b/src/Bundle/ChillPersonBundle/Controller/HouseholdCompositionController.php
@@ -133,7 +133,7 @@ class HouseholdCompositionController extends AbstractController
 */
 public function index(Household $household, Request $request): Response
 {
- if (!$this->security->isGranted(HouseholdVoter::SEE, $household)) {
+ if (!$this->security->isGranted(HouseholdVoter::EDIT, $household)) {
 throw new AccessDeniedException('not allowed to edit a household');
 }
diff --git a/src/Bundle/ChillPersonBundle/Controller/HouseholdController.php b/src/Bundle/ChillPersonBundle/Controller/HouseholdController.php
index ba7c78f65..a8453cf5c 100644
--- a/src/Bundle/ChillPersonBundle/Controller/HouseholdController.php
+++ b/src/Bundle/ChillPersonBundle/Controller/HouseholdController.php
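Review bot: Users holding only `HouseholdVoter::SEE` lose all access to the composition page once `index` requires `HouseholdVoter::EDIT`, because the check fires before anything is rendered. If `index` both lists the compositions and offers the add form (its body continues outside the hunk), consider keeping SEE for the listing and checking EDIT only where the form is built or submitted, or passing the result of the EDIT check to the template so the form is hidden rather than the whole page refused. The message `'not allowed to edit a household'` is now accurate for the EDIT check, but a SEE-only user who is merely browsing will read it as a complaint about editing.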
@@ -24,6 +24,7 @@ use Symfony\Component\Form\FormInterface;
 use Symfony\Component\HttpFoundation\Request;
 use Symfony\Component\HttpKernel\Exception\BadRequestHttpException;
 use Symfony\Component\Routing\Annotation\Route;
+use Symfony\Component\Security\Core\Exception\AccessDeniedException;
 use Symfony\Component\Security\Core\Security;
 use Symfony\Component\Serializer\Normalizer\AbstractNormalizer;
 use Symfony\Component\Serializer\SerializerInterface;
@@ -123,7 +124,9 @@ class HouseholdController extends AbstractController
 */
 public function addressEdit(Request $request, Household $household)
 {
- // TODO ACL
+ if (!$this->security->isGranted(HouseholdVoter::EDIT, $household)) {
+ throw new AccessDeniedException('You are not allowed to edit a household address');
+ }
 $address_id = $request->query->get('address_id');
 $address = $this->getDoctrine()->getManager()
@@ -149,7 +152,9 @@ class HouseholdController extends AbstractController
 */
 public function addresses(Request $request, Household $household)
 {
- // TODO ACL
+ if (!$this->security->isGranted(HouseholdVoter::SEE, $household)) {
+ throw new AccessDeniedException('You have no access to this household\'s details');
+ }
 //TODO put these lines into a validator constraint on household->getAddress
 $addresses = $household->getAddresses();
@@ -179,7 +184,9 @@ class HouseholdController extends AbstractController
 */
 public function addressMove(Request $request, Household $household)
 {
- // TODO ACL
+ if (!$this->security->isGranted(HouseholdVoter::EDIT, $household)) {
+ throw new AccessDeniedException('You are not allowed to edit this household');
+ }
 return $this->render(
 '@ChillPerson/Household/address_move.html.twig',
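Review bot: In `addressEdit` the new guard authorizes on `$household`, but the address is then loaded from the caller-supplied `address_id` query parameter on the following line, and nothing in the hunk ties that address back to the household; unless the body outside the hunk already does so, a user with EDIT on one household could reach an address that belongs to another household just by changing the id. After the address is loaded, a check such as `if (!$household->getAddresses()->contains($address)) { throw $this->createNotFoundException('address does not belong to this household'); }` closes that gap (`getAddresses()` is already used in the `addresses` hunk below). The rest of `addressEdit` is outside the hunk, so this may already be handled further down.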
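Review bot: The guard-and-throw pair added in `addresses` is repeated verbatim in `addressEdit`, `addressMove`, `editHouseholdMetadata` and `summary`; since the class extends `AbstractController` (hunk header), the same check is a single line with the framework helper, `$this->denyAccessUnlessGranted(HouseholdVoter::SEE, $household, 'You have no access to this household\'s details');`, which throws the same `AccessDeniedException` and would make the new `use Symfony\Component\Security\Core\Exception\AccessDeniedException;` import unnecessary. Either form is correct; the point is consistency with how the bundle's other controllers express ACL, which this patch does not show.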
@@ -255,7 +262,10 @@ class HouseholdController extends AbstractController
 */
 public function editHouseholdMetadata(Request $request, Household $household)
 {
- // TODO ACL
+ if (!$this->security->isGranted(HouseholdVoter::EDIT, $household)) {
+ throw new AccessDeniedException('not allowed to edit a household');
+ }
+
 $form = $this->createMetadataForm($household);
 $form->handleRequest($request);
@@ -311,7 +321,9 @@ class HouseholdController extends AbstractController
 */
 public function summary(Request $request, Household $household)
 {
- // TODO ACL
+ if (!$this->security->isGranted(HouseholdVoter::SEE, $household)) {
+ throw new AccessDeniedException('not allowed to edit a household');
+ }
 $positions = $this->positionRepository
 ->findByActiveOrdered();
diff --git a/src/Bundle/ChillPersonBundle/Controller/HouseholdMemberController.php b/src/Bundle/ChillPersonBundle/Controller/HouseholdMemberController.php
index d286cb270..26d040692 100644
--- a/src/Bundle/ChillPersonBundle/Controller/HouseholdMemberController.php
+++ b/src/Bundle/ChillPersonBundle/Controller/HouseholdMemberController.php
@@ -19,12 +19,15 @@ use Chill\PersonBundle\Entity\Person;
 use Chill\PersonBundle\Form\HouseholdMemberType;
 use Chill\PersonBundle\Household\MembersEditor;
 use Chill\PersonBundle\Repository\AccompanyingPeriodRepository;
+use Chill\PersonBundle\Security\Authorization\HouseholdVoter;
 use Chill\PersonBundle\Security\Authorization\PersonVoter;
 use Symfony\Component\HttpFoundation\Request;
 use Symfony\Component\HttpFoundation\Response;
 use Symfony\Component\HttpKernel\Exception\BadRequestHttpException;
 use Symfony\Component\Routing\Annotation\Route;
 use Symfony\Component\Routing\Generator\UrlGeneratorInterface;
+use Symfony\Component\Security\Core\Exception\AccessDeniedException;
+use Symfony\Component\Security\Core\Security;
 use Symfony\Component\Serializer\Exception;
 use Symfony\Contracts\Translation\TranslatorInterface;
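Review bot: The `summary` guard checks `HouseholdVoter::SEE`, but the exception text added with it reads `'not allowed to edit a household'`, which is the wording used for the EDIT checks and misdescribes a read-only denial. The `addresses` hunk already uses `'You have no access to this household\'s details'` for the same SEE check, so the line should read `throw new AccessDeniedException('You have no access to this household\'s details');`. Access-denied messages end up in logs and, depending on the error page configuration, in front of users, so keeping them accurate shortens triage of permission reports. `summary`'s body continues past the hunk.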
@@ -38,14 +41,18 @@ class HouseholdMemberController extends ApiController
 private TranslatorInterface $translator;
+ private Security $security;
+
 public function __construct(
 UrlGeneratorInterface $generator,
 TranslatorInterface $translator,
- AccompanyingPeriodRepository $periodRepository
+ AccompanyingPeriodRepository $periodRepository,
+ Security $security
 ) {
 $this->generator = $generator;
 $this->translator = $translator;
 $this->periodRepository = $periodRepository;
+ $this->security = $security;
 }
 /**
@@ -56,7 +63,9 @@ class HouseholdMemberController extends ApiController
 */
 public function editMembership(Request $request, HouseholdMember $member): Response
 {
- // TODO ACL
+ if (!$this->security->isGranted(HouseholdVoter::EDIT, $member->getHousehold())) {
+ throw new AccessDeniedException('You are not allowed to edit this household');
+ }
 $form = $this->createForm(HouseholdMemberType::class, $member, [
 'validation_groups' => ['household_memberships'],
diff --git a/src/Bundle/ChillPersonBundle/Resources/views/Household/_render_member.html.twig b/src/Bundle/ChillPersonBundle/Resources/views/Household/_render_member.html.twig
index fdd1e0717..07c83e18b 100644
--- a/src/Bundle/ChillPersonBundle/Resources/views/Household/_render_member.html.twig
+++ b/src/Bundle/ChillPersonBundle/Resources/views/Household/_render_member.html.twig
@@ -30,12 +30,13 @@ {{ customButtons['before'] }} {% endif %} -
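Review bot: `Symfony\Component\Security\Core\Security`, which the new constructor argument injects, has been deprecated since Symfony 6.2 in favour of `Symfony\Bundle\SecurityBundle\Security`; if the project is on 6.2 or later this adds a deprecation to a freshly touched class, and the replacement exposes the same `isGranted()` that `editMembership` calls. `HouseholdController` already type-hints the core class (context line in its `use` hunk above), so this is probably a bundle-wide migration rather than something to block this commit on, but the `use` line added to this file is the place to pick the newer class if the version allows. The enclosing class continues outside both hunks.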
  • - -
  • - + {% if is_granted('CHILL_PERSON_HOUSEHOLD_EDIT', member.household) %} +
  • + +
  • + {% endif %} {% if customButtons['after'] is defined %} {{ customButtons['after'] }} {% endif %} diff --git a/src/Bundle/ChillPersonBundle/Resources/views/Household/addresses.html.twig b/src/Bundle/ChillPersonBundle/Resources/views/Household/addresses.html.twig index 6242e6aae..a6614ed53 100644 --- a/src/Bundle/ChillPersonBundle/Resources/views/Household/addresses.html.twig +++ b/src/Bundle/ChillPersonBundle/Resources/views/Household/addresses.html.twig @@ -10,7 +10,7 @@ {% if household.addresses|length == 0 %} {{ 'No address given'|trans }} {% else %} - + {% if is_granted('CHILL_PERSON_HOUSEHOLD_EDIT', household) %} - + {% endif %}
    @@ -92,14 +92,16 @@ {{ 'Back to household'|trans }} -
  • + {% if is_granted('CHILL_PERSON_HOUSEHOLD_EDIT', household) %} +
  • - - {{ 'Move household'|trans }} - + + {{ 'Move household'|trans }} + -
  • + + {% endif %}
    diff --git a/src/Bundle/ChillPersonBundle/Resources/views/Household/summary.html.twig b/src/Bundle/ChillPersonBundle/Resources/views/Household/summary.html.twig index bdf06c0bd..c496f949b 100644 --- a/src/Bundle/ChillPersonBundle/Resources/views/Household/summary.html.twig +++ b/src/Bundle/ChillPersonBundle/Resources/views/Household/summary.html.twig @@ -27,20 +27,22 @@ {% endif %}