Chill-project/chill-bundles
6
0
Fork 0
mirror of https://gitlab.com/Chill-Projet/chill-bundles.git synced 2025-08-04 14:59:53 +00:00
Code Issues Actions Projects Releases Wiki Activity

FIX [voter][household] only allow editing of household if user has chill_person_household_edit right linked to being able to edit persons

Browse Source
This commit is contained in:
Julie Lenaerts 2023-02-13 17:17:56 +01:00
parent eac3471cbb
commit 51681edda7
7 changed files with 124 additions and 87 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
src/Bundle/ChillPersonBundle/Controller/HouseholdCompositionController.php
View File

@ -133,7 +133,7 @@ class HouseholdCompositionController extends AbstractController
*/
public function index(Household $household, Request $request): Response
{
if (!$this->security->isGranted(HouseholdVoter::SEE, $household)) {
if (!$this->security->isGranted(HouseholdVoter::EDIT, $household)) {
throw new AccessDeniedException('not allowed to edit a household');
}

22
src/Bundle/ChillPersonBundle/Controller/HouseholdController.php
View File

@ -24,6 +24,7 @@ use Symfony\Component\Form\FormInterface;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpKernel\Exception\BadRequestHttpException;
use Symfony\Component\Routing\Annotation\Route;
use Symfony\Component\Security\Core\Exception\AccessDeniedException;
use Symfony\Component\Security\Core\Security;
use Symfony\Component\Serializer\Normalizer\AbstractNormalizer;
use Symfony\Component\Serializer\SerializerInterface;
@ -123,7 +124,9 @@ class HouseholdController extends AbstractController
*/
public function addressEdit(Request $request, Household $household)
{
// TODO ACL
if (!$this->security->isGranted(HouseholdVoter::EDIT, $household)) {
throw new AccessDeniedException('You are not allowed to edit a household address');
}
$address_id = $request->query->get('address_id');
$address = $this->getDoctrine()->getManager()
@ -149,7 +152,9 @@ class HouseholdController extends AbstractController
*/
public function addresses(Request $request, Household $household)
{
// TODO ACL
if (!$this->security->isGranted(HouseholdVoter::SEE, $household)) {
throw new AccessDeniedException('You have no access to this household\'s details');
}
//TODO put these lines into a validator constraint on household->getAddress
$addresses = $household->getAddresses();
@ -179,7 +184,9 @@ class HouseholdController extends AbstractController
*/
public function addressMove(Request $request, Household $household)
{
// TODO ACL
if (!$this->security->isGranted(HouseholdVoter::EDIT, $household)) {
throw new AccessDeniedException('You are not allowed to edit this household');
}
return $this->render(
'@ChillPerson/Household/address_move.html.twig',
@ -255,7 +262,10 @@ class HouseholdController extends AbstractController
*/
public function editHouseholdMetadata(Request $request, Household $household)
{
// TODO ACL
if (!$this->security->isGranted(HouseholdVoter::EDIT, $household)) {
throw new AccessDeniedException('not allowed to edit a household');
}
$form = $this->createMetadataForm($household);
$form->handleRequest($request);
@ -311,7 +321,9 @@ class HouseholdController extends AbstractController
*/
public function summary(Request $request, Household $household)
{
// TODO ACL
if (!$this->security->isGranted(HouseholdVoter::SEE, $household)) {
throw new AccessDeniedException('not allowed to edit a household');
}
$positions = $this->positionRepository
->findByActiveOrdered();

13
src/Bundle/ChillPersonBundle/Controller/HouseholdMemberController.php
View File

@ -19,12 +19,15 @@ use Chill\PersonBundle\Entity\Person;
use Chill\PersonBundle\Form\HouseholdMemberType;
use Chill\PersonBundle\Household\MembersEditor;
use Chill\PersonBundle\Repository\AccompanyingPeriodRepository;
use Chill\PersonBundle\Security\Authorization\HouseholdVoter;
use Chill\PersonBundle\Security\Authorization\PersonVoter;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\HttpKernel\Exception\BadRequestHttpException;
use Symfony\Component\Routing\Annotation\Route;
use Symfony\Component\Routing\Generator\UrlGeneratorInterface;
use Symfony\Component\Security\Core\Exception\AccessDeniedException;
use Symfony\Component\Security\Core\Security;
use Symfony\Component\Serializer\Exception;
use Symfony\Contracts\Translation\TranslatorInterface;
@ -38,14 +41,18 @@ class HouseholdMemberController extends ApiController
private TranslatorInterface $translator;
private Security $security;
public function __construct(
UrlGeneratorInterface $generator,
TranslatorInterface $translator,
AccompanyingPeriodRepository $periodRepository
AccompanyingPeriodRepository $periodRepository,
Security $security
) {
$this->generator = $generator;
$this->translator = $translator;
$this->periodRepository = $periodRepository;
$this->security = $security;
}
/**
@ -56,7 +63,9 @@ class HouseholdMemberController extends ApiController
*/
public function editMembership(Request $request, HouseholdMember $member): Response
{
// TODO ACL
if (!$this->security->isGranted(HouseholdVoter::EDIT, $member->getHousehold())) {
throw new AccessDeniedException('You are not allowed to edit this household');
}
$form = $this->createForm(HouseholdMemberType::class, $member, [
'validation_groups' => ['household_memberships'],

13
src/Bundle/ChillPersonBundle/Resources/views/Household/_render_member.html.twig
View File

@ -30,12 +30,13 @@
{{ customButtons['before'] }}
{% endif %}
<li>
<a class="btn btn-sm btn-edit"
title="{{ 'household.Edit member household'|trans }}"
href="{{ chill_path_add_return_path('chill_person_household_member_edit', { 'id': member.id }) }}"></a>
</li>
{% if is_granted('CHILL_PERSON_HOUSEHOLD_EDIT', member.household) %}
<li>
<a class="btn btn-sm btn-edit"
title="{{ 'household.Edit member household'|trans }}"
href="{{ chill_path_add_return_path('chill_person_household_member_edit', { 'id': member.id }) }}"></a>
</li>
{% endif %}
{% if customButtons['after'] is defined %}
{{ customButtons['after'] }}
{% endif %}

18
src/Bundle/ChillPersonBundle/Resources/views/Household/addresses.html.twig
View File

@ -10,7 +10,7 @@
{% if household.addresses|length == 0 %}
<span class="chill-no-data-statement">{{ 'No address given'|trans }}</span>
{% else %}
{% if is_granted('CHILL_PERSON_HOUSEHOLD_EDIT', household) %}
<ul class="record_actions my-3">
<li style="margin: auto;">
@ -27,7 +27,7 @@
</li>
</ul>
{% endif %}
<div class="address-timeline grid">
<div class="top"><i class="fa fa-caret-up fa-3x"></i></div>
@ -92,14 +92,16 @@
{{ 'Back to household'|trans }}
</a>
</li>
<li>
{% if is_granted('CHILL_PERSON_HOUSEHOLD_EDIT', household) %}
<li>
<a class="btn btn-create"
href="{{ chill_path_add_return_path('chill_person_household_address_move', { 'household_id': household.id }) }}">
{{ 'Move household'|trans }}
</a>
<a class="btn btn-create"
href="{{ chill_path_add_return_path('chill_person_household_address_move', { 'household_id': household.id }) }}">
{{ 'Move household'|trans }}
</a>
</li>
</li>
{% endif %}
</ul>
</div>

110
src/Bundle/ChillPersonBundle/Resources/views/Household/summary.html.twig
View File

@ -27,20 +27,22 @@
{% endif %}
<ul class="list-inline text-right mt-2">
<li class="list-inline-item">
{# include vue_address component #}
{% include '@ChillMain/Address/_insert_vue_address.html.twig' with {
targetEntity: { name: 'household', id: household.id },
backUrl: path('chill_person_household_summary', { 'household_id': household.id }),
onlyButton: true,
mode: 'new',
buttonSize: 'btn-sm',
buttonText: 'Move household',
modalTitle: 'Move household',
buttonDisplayText: false,
useValidFrom: true,
} %}
</li>
{% if is_granted('CHILL_PERSON_HOUSEHOLD_EDIT', household) %}
<li class="list-inline-item">
{# include vue_address component #}
{% include '@ChillMain/Address/_insert_vue_address.html.twig' with {
targetEntity: { name: 'household', id: household.id },
backUrl: path('chill_person_household_summary', { 'household_id': household.id }),
onlyButton: true,
mode: 'new',
buttonSize: 'btn-sm',
buttonText: 'Move household',
modalTitle: 'Move household',
buttonDisplayText: false,
useValidFrom: true,
} %}
</li>
{% endif %}
<li class="list-inline-item">
<a class="btn btn-secondary btn-sm" title="{{ "Addresses history"|trans }}"
href="{{ path('chill_person_household_addresses', { 'household_id': household.id } ) }}">
@ -63,28 +65,32 @@
<p>
{{ 'household_composition.Since'|trans({'startDate': currentComposition.startDate}) }}
</p>
<ul class="record_actions">
<li>
<a class="btn btn-sm btn-update change-icon"
href="{{ path('chill_person_household_composition_index', {'id': household.id}) }}">
{{ 'household_composition.Update composition'|trans }}
</a>
</li>
</ul>
{% if is_granted('CHILL_PERSON_HOUSEHOLD_EDIT', household) %}
<ul class="record_actions">
<li>
<a class="btn btn-sm btn-update change-icon"
href="{{ path('chill_person_household_composition_index', {'id': household.id}) }}">
{{ 'household_composition.Update composition'|trans }}
</a>
</li>
</ul>
{% endif %}
</div>
{% else %}
<div class="alert alert-danger">
<p>
{{ 'household_composition.Currently no composition'|trans }}
</p>
<ul class="record_actions" style="margin-bottom: 0">
<li>
<a class="btn btn-sm btn-update change-icon"
href="{{ path('chill_person_household_composition_index', {'id': household.id}) }}">
{{ 'household_composition.Add a composition'|trans }}
</a>
</li>
</ul>
{% if is_granted('CHILL_PERSON_HOUSEHOLD_EDIT', household) %}
<ul class="record_actions" style="margin-bottom: 0">
<li>
<a class="btn btn-sm btn-update change-icon"
href="{{ path('chill_person_household_composition_index', {'id': household.id}) }}">
{{ 'household_composition.Add a composition'|trans }}
</a>
</li>
</ul>
{% endif %}
</div>
{% endif %}
{% if household.waitingForBirth or not household.commentMembers.isEmpty() %}
@ -104,18 +110,19 @@
</div>
{% endif %}
{% if not household.commentMembers.isEmpty() %}
<a href="{{ chill_path_add_return_path('chill_person_household_summary', { 'household_id': household.id, 'edit': 1 }) }}"
class="btn btn-edit btn-block">
{{ 'household.Edit comment and expecting birth'|trans }}
</a>
{% else %}
<a href="{{ chill_path_add_return_path('chill_person_household_summary', { 'household_id': household.id, 'edit': 1 }) }}"
class="btn btn-create btn-block">
{{ 'household.New comment and expecting birth'|trans }}
</a>
{% if is_granted('CHILL_PERSON_HOUSEHOLD_EDIT', household) %}
{% if not household.commentMembers.isEmpty() %}
<a href="{{ chill_path_add_return_path('chill_person_household_summary', { 'household_id': household.id, 'edit': 1 }) }}"
class="btn btn-edit btn-block">
{{ 'household.Edit comment and expecting birth'|trans }}
</a>
{% else %}
<a href="{{ chill_path_add_return_path('chill_person_household_summary', { 'household_id': household.id, 'edit': 1 }) }}"
class="btn btn-create btn-block">
{{ 'household.New comment and expecting birth'|trans }}
</a>
{% endif %}
{% endif %}
{% else %}
{{ form_start(form) }}
@ -167,6 +174,7 @@
{% macro customButtons(member, household) %}
{% if is_granted('CHILL_PERSON_HOUSEHOLD_EDIT', household) %}
<li>
<a href="{{ chill_path_add_return_path('chill_person_household_members_editor', {'persons': [ member.person.id ], 'allow_leave_without_household': true } ) }}"
class="btn btn-sm btn-misc" title="{{ 'household.person.leave'|trans }}"><i class="fa fa-scissors"></i></a>
@ -175,6 +183,7 @@
<a href="{{ chill_path_add_return_path('chill_person_household_members_editor', {'persons': [ member.person.id ], 'household': household.id} ) }}"
class="btn btn-sm btn-misc" title="{{ 'household.Change position'|trans }}"><i class="fa fa-arrows-h"></i></a>
</li>
{% endif %}
{% endmacro %}
{% if members|length > 0 %}
@ -244,15 +253,16 @@
<ul class="record_actions">
<li>
<a href="{{ chill_path_add_return_path('chill_person_household_members_editor', {'household': household.id }) }}"
class="btn btn-create">
{{ 'household.Add a member'|trans }}
</a>
</li>
</ul>
{% if is_granted('CHILL_PERSON_HOUSEHOLD_EDIT', household) %}
<ul class="record_actions">
<li>
<a href="{{ chill_path_add_return_path('chill_person_household_members_editor', {'household': household.id }) }}"
class="btn btn-create">
{{ 'household.Add a member'|trans }}
</a>
</li>
</ul>
{% endif %}
</div>
{% endblock %}

33
src/Bundle/ChillPersonBundle/Resources/views/Person/household_history.html.twig
View File

@ -119,11 +119,13 @@
<a href="{{ chill_path_add_return_path('chill_person_household_summary',{ 'household_id': p.household.id }) }}"
class="btn btn-show" title="{{ 'Show'|trans }}"></a>
</li>
<li>
<a href="{{ chill_path_add_return_path('chill_person_household_member_edit', { id: p.id }) }}"
class="btn btn-edit" title="{{ 'Edit'|trans }}"></a>
</li>
{% if p.isCurrent() %}
{% if is_granted('CHILL_PERSON_HOUSEHOLD_EDIT', p.household) %}
<li>
<a href="{{ chill_path_add_return_path('chill_person_household_member_edit', { id: p.id }) }}"
class="btn btn-edit" title="{{ 'Edit'|trans }}"></a>
</li>
{% endif %}
{% if p.isCurrent() and is_granted('CHILL_PERSON_HOUSEHOLD_EDIT', p.household) %}
<li>
<a class="btn btn-misc" href="{{ chill_path_add_return_path( 'chill_person_household_members_editor', { 'persons': [ person.id ], 'allow_leave_without_household': true }) }}">
<i class="fa fa-scissors"></i>
@ -138,7 +140,7 @@
{% endfor %}
</div>
{% if not person.isSharingHousehold() %}
{% if not person.isSharingHousehold() and is_granted('CHILL_PERSON_HOUSEHOLD_EDIT', p.household) %}
<ul class="record_actions">
<li>
<a class="btn btn-misc" href="{{chill_path_add_return_path('chill_person_household_members_editor', { 'persons': [ person.id ], 'followAfter': true}) }}">
@ -164,15 +166,16 @@
{{ _self.bloc_content(p) }}
<div class="item-row separator">
<ul class="record_actions">
<li>
<a href="{{ chill_path_add_return_path('chill_person_household_member_edit', { id: p.id }) }}"
class="btn btn-edit" title="{{ 'Edit'|trans }}"></a>
</li>
</ul>
</div>
{% if is_granted('CHILL_PERSON_HOUSEHOLD_EDIT', p.household) %}
<div class="item-row separator">
<ul class="record_actions">
<li>
<a href="{{ chill_path_add_return_path('chill_person_household_member_edit', { id: p.id }) }}"
class="btn btn-edit" title="{{ 'Edit'|trans }}"></a>
</li>
</ul>
</div>
{% endif %}
</div>
{% endfor %}
</div>