mirror of
https://gitlab.com/Chill-Projet/chill-bundles.git
synced 2025-08-05 07:19:49 +00:00
FIX [voter][household] only allow editing of household if user has chill_person_household_edit right linked to being able to edit persons
This commit is contained in:
parent
eac3471cbb
commit
51681edda7
@ -133,7 +133,7 @@ class HouseholdCompositionController extends AbstractController
|
|||||||
*/
|
*/
|
||||||
public function index(Household $household, Request $request): Response
|
public function index(Household $household, Request $request): Response
|
||||||
{
|
{
|
||||||
if (!$this->security->isGranted(HouseholdVoter::SEE, $household)) {
|
if (!$this->security->isGranted(HouseholdVoter::EDIT, $household)) {
|
||||||
throw new AccessDeniedException('not allowed to edit a household');
|
throw new AccessDeniedException('not allowed to edit a household');
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|||||||
@ -24,6 +24,7 @@ use Symfony\Component\Form\FormInterface;
|
|||||||
use Symfony\Component\HttpFoundation\Request;
|
use Symfony\Component\HttpFoundation\Request;
|
||||||
use Symfony\Component\HttpKernel\Exception\BadRequestHttpException;
|
use Symfony\Component\HttpKernel\Exception\BadRequestHttpException;
|
||||||
use Symfony\Component\Routing\Annotation\Route;
|
use Symfony\Component\Routing\Annotation\Route;
|
||||||
|
use Symfony\Component\Security\Core\Exception\AccessDeniedException;
|
||||||
use Symfony\Component\Security\Core\Security;
|
use Symfony\Component\Security\Core\Security;
|
||||||
use Symfony\Component\Serializer\Normalizer\AbstractNormalizer;
|
use Symfony\Component\Serializer\Normalizer\AbstractNormalizer;
|
||||||
use Symfony\Component\Serializer\SerializerInterface;
|
use Symfony\Component\Serializer\SerializerInterface;
|
||||||
@ -123,7 +124,9 @@ class HouseholdController extends AbstractController
|
|||||||
*/
|
*/
|
||||||
public function addressEdit(Request $request, Household $household)
|
public function addressEdit(Request $request, Household $household)
|
||||||
{
|
{
|
||||||
// TODO ACL
|
if (!$this->security->isGranted(HouseholdVoter::EDIT, $household)) {
|
||||||
|
throw new AccessDeniedException('You are not allowed to edit a household address');
|
||||||
|
}
|
||||||
|
|
||||||
$address_id = $request->query->get('address_id');
|
$address_id = $request->query->get('address_id');
|
||||||
$address = $this->getDoctrine()->getManager()
|
$address = $this->getDoctrine()->getManager()
|
||||||
@ -149,7 +152,9 @@ class HouseholdController extends AbstractController
|
|||||||
*/
|
*/
|
||||||
public function addresses(Request $request, Household $household)
|
public function addresses(Request $request, Household $household)
|
||||||
{
|
{
|
||||||
// TODO ACL
|
if (!$this->security->isGranted(HouseholdVoter::SEE, $household)) {
|
||||||
|
throw new AccessDeniedException('You have no access to this household\'s details');
|
||||||
|
}
|
||||||
|
|
||||||
//TODO put these lines into a validator constraint on household->getAddress
|
//TODO put these lines into a validator constraint on household->getAddress
|
||||||
$addresses = $household->getAddresses();
|
$addresses = $household->getAddresses();
|
||||||
@ -179,7 +184,9 @@ class HouseholdController extends AbstractController
|
|||||||
*/
|
*/
|
||||||
public function addressMove(Request $request, Household $household)
|
public function addressMove(Request $request, Household $household)
|
||||||
{
|
{
|
||||||
// TODO ACL
|
if (!$this->security->isGranted(HouseholdVoter::EDIT, $household)) {
|
||||||
|
throw new AccessDeniedException('You are not allowed to edit this household');
|
||||||
|
}
|
||||||
|
|
||||||
return $this->render(
|
return $this->render(
|
||||||
'@ChillPerson/Household/address_move.html.twig',
|
'@ChillPerson/Household/address_move.html.twig',
|
||||||
@ -255,7 +262,10 @@ class HouseholdController extends AbstractController
|
|||||||
*/
|
*/
|
||||||
public function editHouseholdMetadata(Request $request, Household $household)
|
public function editHouseholdMetadata(Request $request, Household $household)
|
||||||
{
|
{
|
||||||
// TODO ACL
|
if (!$this->security->isGranted(HouseholdVoter::EDIT, $household)) {
|
||||||
|
throw new AccessDeniedException('not allowed to edit a household');
|
||||||
|
}
|
||||||
|
|
||||||
$form = $this->createMetadataForm($household);
|
$form = $this->createMetadataForm($household);
|
||||||
|
|
||||||
$form->handleRequest($request);
|
$form->handleRequest($request);
|
||||||
@ -311,7 +321,9 @@ class HouseholdController extends AbstractController
|
|||||||
*/
|
*/
|
||||||
public function summary(Request $request, Household $household)
|
public function summary(Request $request, Household $household)
|
||||||
{
|
{
|
||||||
// TODO ACL
|
if (!$this->security->isGranted(HouseholdVoter::SEE, $household)) {
|
||||||
|
throw new AccessDeniedException('not allowed to edit a household');
|
||||||
|
}
|
||||||
|
|
||||||
$positions = $this->positionRepository
|
$positions = $this->positionRepository
|
||||||
->findByActiveOrdered();
|
->findByActiveOrdered();
|
||||||
|
|||||||
@ -19,12 +19,15 @@ use Chill\PersonBundle\Entity\Person;
|
|||||||
use Chill\PersonBundle\Form\HouseholdMemberType;
|
use Chill\PersonBundle\Form\HouseholdMemberType;
|
||||||
use Chill\PersonBundle\Household\MembersEditor;
|
use Chill\PersonBundle\Household\MembersEditor;
|
||||||
use Chill\PersonBundle\Repository\AccompanyingPeriodRepository;
|
use Chill\PersonBundle\Repository\AccompanyingPeriodRepository;
|
||||||
|
use Chill\PersonBundle\Security\Authorization\HouseholdVoter;
|
||||||
use Chill\PersonBundle\Security\Authorization\PersonVoter;
|
use Chill\PersonBundle\Security\Authorization\PersonVoter;
|
||||||
use Symfony\Component\HttpFoundation\Request;
|
use Symfony\Component\HttpFoundation\Request;
|
||||||
use Symfony\Component\HttpFoundation\Response;
|
use Symfony\Component\HttpFoundation\Response;
|
||||||
use Symfony\Component\HttpKernel\Exception\BadRequestHttpException;
|
use Symfony\Component\HttpKernel\Exception\BadRequestHttpException;
|
||||||
use Symfony\Component\Routing\Annotation\Route;
|
use Symfony\Component\Routing\Annotation\Route;
|
||||||
use Symfony\Component\Routing\Generator\UrlGeneratorInterface;
|
use Symfony\Component\Routing\Generator\UrlGeneratorInterface;
|
||||||
|
use Symfony\Component\Security\Core\Exception\AccessDeniedException;
|
||||||
|
use Symfony\Component\Security\Core\Security;
|
||||||
use Symfony\Component\Serializer\Exception;
|
use Symfony\Component\Serializer\Exception;
|
||||||
use Symfony\Contracts\Translation\TranslatorInterface;
|
use Symfony\Contracts\Translation\TranslatorInterface;
|
||||||
|
|
||||||
@ -38,14 +41,18 @@ class HouseholdMemberController extends ApiController
|
|||||||
|
|
||||||
private TranslatorInterface $translator;
|
private TranslatorInterface $translator;
|
||||||
|
|
||||||
|
private Security $security;
|
||||||
|
|
||||||
public function __construct(
|
public function __construct(
|
||||||
UrlGeneratorInterface $generator,
|
UrlGeneratorInterface $generator,
|
||||||
TranslatorInterface $translator,
|
TranslatorInterface $translator,
|
||||||
AccompanyingPeriodRepository $periodRepository
|
AccompanyingPeriodRepository $periodRepository,
|
||||||
|
Security $security
|
||||||
) {
|
) {
|
||||||
$this->generator = $generator;
|
$this->generator = $generator;
|
||||||
$this->translator = $translator;
|
$this->translator = $translator;
|
||||||
$this->periodRepository = $periodRepository;
|
$this->periodRepository = $periodRepository;
|
||||||
|
$this->security = $security;
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
@ -56,7 +63,9 @@ class HouseholdMemberController extends ApiController
|
|||||||
*/
|
*/
|
||||||
public function editMembership(Request $request, HouseholdMember $member): Response
|
public function editMembership(Request $request, HouseholdMember $member): Response
|
||||||
{
|
{
|
||||||
// TODO ACL
|
if (!$this->security->isGranted(HouseholdVoter::EDIT, $member->getHousehold())) {
|
||||||
|
throw new AccessDeniedException('You are not allowed to edit this household');
|
||||||
|
}
|
||||||
|
|
||||||
$form = $this->createForm(HouseholdMemberType::class, $member, [
|
$form = $this->createForm(HouseholdMemberType::class, $member, [
|
||||||
'validation_groups' => ['household_memberships'],
|
'validation_groups' => ['household_memberships'],
|
||||||
|
|||||||
@ -30,12 +30,13 @@
|
|||||||
{{ customButtons['before'] }}
|
{{ customButtons['before'] }}
|
||||||
{% endif %}
|
{% endif %}
|
||||||
|
|
||||||
|
{% if is_granted('CHILL_PERSON_HOUSEHOLD_EDIT', member.household) %}
|
||||||
<li>
|
<li>
|
||||||
<a class="btn btn-sm btn-edit"
|
<a class="btn btn-sm btn-edit"
|
||||||
title="{{ 'household.Edit member household'|trans }}"
|
title="{{ 'household.Edit member household'|trans }}"
|
||||||
href="{{ chill_path_add_return_path('chill_person_household_member_edit', { 'id': member.id }) }}"></a>
|
href="{{ chill_path_add_return_path('chill_person_household_member_edit', { 'id': member.id }) }}"></a>
|
||||||
</li>
|
</li>
|
||||||
|
{% endif %}
|
||||||
{% if customButtons['after'] is defined %}
|
{% if customButtons['after'] is defined %}
|
||||||
{{ customButtons['after'] }}
|
{{ customButtons['after'] }}
|
||||||
{% endif %}
|
{% endif %}
|
||||||
|
|||||||
@ -10,7 +10,7 @@
|
|||||||
{% if household.addresses|length == 0 %}
|
{% if household.addresses|length == 0 %}
|
||||||
<span class="chill-no-data-statement">{{ 'No address given'|trans }}</span>
|
<span class="chill-no-data-statement">{{ 'No address given'|trans }}</span>
|
||||||
{% else %}
|
{% else %}
|
||||||
|
{% if is_granted('CHILL_PERSON_HOUSEHOLD_EDIT', household) %}
|
||||||
<ul class="record_actions my-3">
|
<ul class="record_actions my-3">
|
||||||
<li style="margin: auto;">
|
<li style="margin: auto;">
|
||||||
|
|
||||||
@ -27,7 +27,7 @@
|
|||||||
|
|
||||||
</li>
|
</li>
|
||||||
</ul>
|
</ul>
|
||||||
|
{% endif %}
|
||||||
<div class="address-timeline grid">
|
<div class="address-timeline grid">
|
||||||
|
|
||||||
<div class="top"><i class="fa fa-caret-up fa-3x"></i></div>
|
<div class="top"><i class="fa fa-caret-up fa-3x"></i></div>
|
||||||
@ -92,6 +92,7 @@
|
|||||||
{{ 'Back to household'|trans }}
|
{{ 'Back to household'|trans }}
|
||||||
</a>
|
</a>
|
||||||
</li>
|
</li>
|
||||||
|
{% if is_granted('CHILL_PERSON_HOUSEHOLD_EDIT', household) %}
|
||||||
<li>
|
<li>
|
||||||
|
|
||||||
<a class="btn btn-create"
|
<a class="btn btn-create"
|
||||||
@ -100,6 +101,7 @@
|
|||||||
</a>
|
</a>
|
||||||
|
|
||||||
</li>
|
</li>
|
||||||
|
{% endif %}
|
||||||
</ul>
|
</ul>
|
||||||
|
|
||||||
</div>
|
</div>
|
||||||
|
|||||||
@ -27,6 +27,7 @@
|
|||||||
{% endif %}
|
{% endif %}
|
||||||
|
|
||||||
<ul class="list-inline text-right mt-2">
|
<ul class="list-inline text-right mt-2">
|
||||||
|
{% if is_granted('CHILL_PERSON_HOUSEHOLD_EDIT', household) %}
|
||||||
<li class="list-inline-item">
|
<li class="list-inline-item">
|
||||||
{# include vue_address component #}
|
{# include vue_address component #}
|
||||||
{% include '@ChillMain/Address/_insert_vue_address.html.twig' with {
|
{% include '@ChillMain/Address/_insert_vue_address.html.twig' with {
|
||||||
@ -41,6 +42,7 @@
|
|||||||
useValidFrom: true,
|
useValidFrom: true,
|
||||||
} %}
|
} %}
|
||||||
</li>
|
</li>
|
||||||
|
{% endif %}
|
||||||
<li class="list-inline-item">
|
<li class="list-inline-item">
|
||||||
<a class="btn btn-secondary btn-sm" title="{{ "Addresses history"|trans }}"
|
<a class="btn btn-secondary btn-sm" title="{{ "Addresses history"|trans }}"
|
||||||
href="{{ path('chill_person_household_addresses', { 'household_id': household.id } ) }}">
|
href="{{ path('chill_person_household_addresses', { 'household_id': household.id } ) }}">
|
||||||
@ -63,6 +65,7 @@
|
|||||||
<p>
|
<p>
|
||||||
{{ 'household_composition.Since'|trans({'startDate': currentComposition.startDate}) }}
|
{{ 'household_composition.Since'|trans({'startDate': currentComposition.startDate}) }}
|
||||||
</p>
|
</p>
|
||||||
|
{% if is_granted('CHILL_PERSON_HOUSEHOLD_EDIT', household) %}
|
||||||
<ul class="record_actions">
|
<ul class="record_actions">
|
||||||
<li>
|
<li>
|
||||||
<a class="btn btn-sm btn-update change-icon"
|
<a class="btn btn-sm btn-update change-icon"
|
||||||
@ -71,12 +74,14 @@
|
|||||||
</a>
|
</a>
|
||||||
</li>
|
</li>
|
||||||
</ul>
|
</ul>
|
||||||
|
{% endif %}
|
||||||
</div>
|
</div>
|
||||||
{% else %}
|
{% else %}
|
||||||
<div class="alert alert-danger">
|
<div class="alert alert-danger">
|
||||||
<p>
|
<p>
|
||||||
{{ 'household_composition.Currently no composition'|trans }}
|
{{ 'household_composition.Currently no composition'|trans }}
|
||||||
</p>
|
</p>
|
||||||
|
{% if is_granted('CHILL_PERSON_HOUSEHOLD_EDIT', household) %}
|
||||||
<ul class="record_actions" style="margin-bottom: 0">
|
<ul class="record_actions" style="margin-bottom: 0">
|
||||||
<li>
|
<li>
|
||||||
<a class="btn btn-sm btn-update change-icon"
|
<a class="btn btn-sm btn-update change-icon"
|
||||||
@ -85,6 +90,7 @@
|
|||||||
</a>
|
</a>
|
||||||
</li>
|
</li>
|
||||||
</ul>
|
</ul>
|
||||||
|
{% endif %}
|
||||||
</div>
|
</div>
|
||||||
{% endif %}
|
{% endif %}
|
||||||
{% if household.waitingForBirth or not household.commentMembers.isEmpty() %}
|
{% if household.waitingForBirth or not household.commentMembers.isEmpty() %}
|
||||||
@ -104,6 +110,7 @@
|
|||||||
</div>
|
</div>
|
||||||
{% endif %}
|
{% endif %}
|
||||||
|
|
||||||
|
{% if is_granted('CHILL_PERSON_HOUSEHOLD_EDIT', household) %}
|
||||||
{% if not household.commentMembers.isEmpty() %}
|
{% if not household.commentMembers.isEmpty() %}
|
||||||
<a href="{{ chill_path_add_return_path('chill_person_household_summary', { 'household_id': household.id, 'edit': 1 }) }}"
|
<a href="{{ chill_path_add_return_path('chill_person_household_summary', { 'household_id': household.id, 'edit': 1 }) }}"
|
||||||
class="btn btn-edit btn-block">
|
class="btn btn-edit btn-block">
|
||||||
@ -115,7 +122,7 @@
|
|||||||
{{ 'household.New comment and expecting birth'|trans }}
|
{{ 'household.New comment and expecting birth'|trans }}
|
||||||
</a>
|
</a>
|
||||||
{% endif %}
|
{% endif %}
|
||||||
|
{% endif %}
|
||||||
{% else %}
|
{% else %}
|
||||||
|
|
||||||
{{ form_start(form) }}
|
{{ form_start(form) }}
|
||||||
@ -167,6 +174,7 @@
|
|||||||
|
|
||||||
|
|
||||||
{% macro customButtons(member, household) %}
|
{% macro customButtons(member, household) %}
|
||||||
|
{% if is_granted('CHILL_PERSON_HOUSEHOLD_EDIT', household) %}
|
||||||
<li>
|
<li>
|
||||||
<a href="{{ chill_path_add_return_path('chill_person_household_members_editor', {'persons': [ member.person.id ], 'allow_leave_without_household': true } ) }}"
|
<a href="{{ chill_path_add_return_path('chill_person_household_members_editor', {'persons': [ member.person.id ], 'allow_leave_without_household': true } ) }}"
|
||||||
class="btn btn-sm btn-misc" title="{{ 'household.person.leave'|trans }}"><i class="fa fa-scissors"></i></a>
|
class="btn btn-sm btn-misc" title="{{ 'household.person.leave'|trans }}"><i class="fa fa-scissors"></i></a>
|
||||||
@ -175,6 +183,7 @@
|
|||||||
<a href="{{ chill_path_add_return_path('chill_person_household_members_editor', {'persons': [ member.person.id ], 'household': household.id} ) }}"
|
<a href="{{ chill_path_add_return_path('chill_person_household_members_editor', {'persons': [ member.person.id ], 'household': household.id} ) }}"
|
||||||
class="btn btn-sm btn-misc" title="{{ 'household.Change position'|trans }}"><i class="fa fa-arrows-h"></i></a>
|
class="btn btn-sm btn-misc" title="{{ 'household.Change position'|trans }}"><i class="fa fa-arrows-h"></i></a>
|
||||||
</li>
|
</li>
|
||||||
|
{% endif %}
|
||||||
{% endmacro %}
|
{% endmacro %}
|
||||||
|
|
||||||
{% if members|length > 0 %}
|
{% if members|length > 0 %}
|
||||||
@ -244,6 +253,7 @@
|
|||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
{% if is_granted('CHILL_PERSON_HOUSEHOLD_EDIT', household) %}
|
||||||
<ul class="record_actions">
|
<ul class="record_actions">
|
||||||
<li>
|
<li>
|
||||||
<a href="{{ chill_path_add_return_path('chill_person_household_members_editor', {'household': household.id }) }}"
|
<a href="{{ chill_path_add_return_path('chill_person_household_members_editor', {'household': household.id }) }}"
|
||||||
@ -252,7 +262,7 @@
|
|||||||
</a>
|
</a>
|
||||||
</li>
|
</li>
|
||||||
</ul>
|
</ul>
|
||||||
|
{% endif %}
|
||||||
</div>
|
</div>
|
||||||
{% endblock %}
|
{% endblock %}
|
||||||
|
|
||||||
|
|||||||
@ -119,11 +119,13 @@
|
|||||||
<a href="{{ chill_path_add_return_path('chill_person_household_summary',{ 'household_id': p.household.id }) }}"
|
<a href="{{ chill_path_add_return_path('chill_person_household_summary',{ 'household_id': p.household.id }) }}"
|
||||||
class="btn btn-show" title="{{ 'Show'|trans }}"></a>
|
class="btn btn-show" title="{{ 'Show'|trans }}"></a>
|
||||||
</li>
|
</li>
|
||||||
|
{% if is_granted('CHILL_PERSON_HOUSEHOLD_EDIT', p.household) %}
|
||||||
<li>
|
<li>
|
||||||
<a href="{{ chill_path_add_return_path('chill_person_household_member_edit', { id: p.id }) }}"
|
<a href="{{ chill_path_add_return_path('chill_person_household_member_edit', { id: p.id }) }}"
|
||||||
class="btn btn-edit" title="{{ 'Edit'|trans }}"></a>
|
class="btn btn-edit" title="{{ 'Edit'|trans }}"></a>
|
||||||
</li>
|
</li>
|
||||||
{% if p.isCurrent() %}
|
{% endif %}
|
||||||
|
{% if p.isCurrent() and is_granted('CHILL_PERSON_HOUSEHOLD_EDIT', p.household) %}
|
||||||
<li>
|
<li>
|
||||||
<a class="btn btn-misc" href="{{ chill_path_add_return_path( 'chill_person_household_members_editor', { 'persons': [ person.id ], 'allow_leave_without_household': true }) }}">
|
<a class="btn btn-misc" href="{{ chill_path_add_return_path( 'chill_person_household_members_editor', { 'persons': [ person.id ], 'allow_leave_without_household': true }) }}">
|
||||||
<i class="fa fa-scissors"></i>
|
<i class="fa fa-scissors"></i>
|
||||||
@ -138,7 +140,7 @@
|
|||||||
{% endfor %}
|
{% endfor %}
|
||||||
</div>
|
</div>
|
||||||
|
|
||||||
{% if not person.isSharingHousehold() %}
|
{% if not person.isSharingHousehold() and is_granted('CHILL_PERSON_HOUSEHOLD_EDIT', p.household) %}
|
||||||
<ul class="record_actions">
|
<ul class="record_actions">
|
||||||
<li>
|
<li>
|
||||||
<a class="btn btn-misc" href="{{chill_path_add_return_path('chill_person_household_members_editor', { 'persons': [ person.id ], 'followAfter': true}) }}">
|
<a class="btn btn-misc" href="{{chill_path_add_return_path('chill_person_household_members_editor', { 'persons': [ person.id ], 'followAfter': true}) }}">
|
||||||
@ -164,6 +166,7 @@
|
|||||||
|
|
||||||
{{ _self.bloc_content(p) }}
|
{{ _self.bloc_content(p) }}
|
||||||
|
|
||||||
|
{% if is_granted('CHILL_PERSON_HOUSEHOLD_EDIT', p.household) %}
|
||||||
<div class="item-row separator">
|
<div class="item-row separator">
|
||||||
<ul class="record_actions">
|
<ul class="record_actions">
|
||||||
<li>
|
<li>
|
||||||
@ -172,7 +175,7 @@
|
|||||||
</li>
|
</li>
|
||||||
</ul>
|
</ul>
|
||||||
</div>
|
</div>
|
||||||
|
{% endif %}
|
||||||
</div>
|
</div>
|
||||||
{% endfor %}
|
{% endfor %}
|
||||||
</div>
|
</div>
|
||||||
|
|||||||
Loading…
x
Reference in New Issue
Block a user