FIX [voter][household] only allow editing of household if user has chill_person_household_edit right linked to being able to edit persons

2023-02-13 17:17:56 +01:00
parent eac3471cbb
commit 51681edda7
7 changed files with 124 additions and 87 deletions


@@ -24,6 +24,7 @@ use Symfony\Component\Form\FormInterface;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpKernel\Exception\BadRequestHttpException;
use Symfony\Component\Routing\Annotation\Route;
use Symfony\Component\Security\Core\Exception\AccessDeniedException;
use Symfony\Component\Security\Core\Security;
use Symfony\Component\Serializer\Normalizer\AbstractNormalizer;
use Symfony\Component\Serializer\SerializerInterface;
@@ -123,7 +124,9 @@ class HouseholdController extends AbstractController
*/
public function addressEdit(Request $request, Household $household)
{
// TODO ACL
if (!$this->security->isGranted(HouseholdVoter::EDIT, $household)) {
throw new AccessDeniedException('You are not allowed to edit a household address');
}
$address_id = $request->query->get('address_id');
$address = $this->getDoctrine()->getManager()
@@ -149,7 +152,9 @@ class HouseholdController extends AbstractController
*/
public function addresses(Request $request, Household $household)
{
// TODO ACL
if (!$this->security->isGranted(HouseholdVoter::SEE, $household)) {
throw new AccessDeniedException('You have no access to this household\'s details');
}
//TODO put these lines into a validator constraint on household->getAddress
$addresses = $household->getAddresses();
@@ -179,7 +184,9 @@ class HouseholdController extends AbstractController
*/
public function addressMove(Request $request, Household $household)
{
// TODO ACL
if (!$this->security->isGranted(HouseholdVoter::EDIT, $household)) {
throw new AccessDeniedException('You are not allowed to edit this household');
}
return $this->render(
'@ChillPerson/Household/address_move.html.twig',
@@ -255,7 +262,10 @@ class HouseholdController extends AbstractController
*/
public function editHouseholdMetadata(Request $request, Household $household)
{
// TODO ACL
if (!$this->security->isGranted(HouseholdVoter::EDIT, $household)) {
throw new AccessDeniedException('not allowed to edit a household');
}
$form = $this->createMetadataForm($household);
$form->handleRequest($request);
@@ -311,7 +321,9 @@ class HouseholdController extends AbstractController
*/
public function summary(Request $request, Household $household)
{
// TODO ACL
if (!$this->security->isGranted(HouseholdVoter::SEE, $household)) {
throw new AccessDeniedException('not allowed to edit a household');
}
$positions = $this->positionRepository
->findByActiveOrdered();
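Review bot: The denial message thrown in `summary` right after the `HouseholdVoter::SEE` check reads 'not allowed to edit a household', but the attribute being checked is a read permission, so the 403 reason shown to the user and recorded in logs describes the wrong right; reuse the wording already used for the same check in `addresses`: `throw new AccessDeniedException('You have no access to this household\'s details');`. The same isGranted-plus-throw pair is repeated in addressEdit, addresses, addressMove and editHouseholdMetadata; AbstractController's `$this->denyAccessUnlessGranted(HouseholdVoter::SEE, $household, 'You have no access to this household\'s details');` expresses each check in one line and keeps the message next to the attribute it describes, which makes this kind of copy-paste mismatch easier to spot. `$this->security` is presumably injected by the constructor, which is outside these hunks, and each method body continues past its hunk.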