From c10445c8a40d65d63c85ee033a959f5221d14ee7 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Julien=20Fastr=C3=A9?= Date: Thu, 25 Jun 2015 22:42:19 +0200 Subject: [PATCH] allow report edit w/ scope + add deny statements [ci skip] --- Controller/ReportController.php | 38 ++++++++++++++++++++------- Resources/views/Report/list.html.twig | 4 +-- 2 files changed, 31 insertions(+), 11 deletions(-) diff --git a/Controller/ReportController.php b/Controller/ReportController.php index 787ca45f8..b628808f9 100644 --- a/Controller/ReportController.php +++ b/Controller/ReportController.php @@ -45,9 +45,15 @@ class ReportController extends Controller { $em = $this->getDoctrine()->getManager(); - $reports = $em->getRepository('ChillReportBundle:Report')->findByPerson($person_id); - $person = $em->getRepository('ChillPersonBundle:Person')->find($person_id); + + $this->denyAccessUnlessGranted('CHILL_PERSON_SEE', $person); + + $reachableScopes = $this->get('chill.main.security.authorization.helper') + ->getReachableScopes($this->getUser(), new Role('CHILL_REPORT_SEE'), + $person->getCenter()); + $reports = $em->getRepository('ChillReportBundle:Report') + ->findBy(array('person' => $person, 'scope' => $reachableScopes)); return $this->render('ChillReportBundle:Report:list.html.twig', array( 'reports' => $reports, @@ -194,7 +200,7 @@ class ReportController extends Controller { $em = $this->getDoctrine()->getManager(); - $person = $em->getRepository('ChillPersonBundle:Person')->find($person_id); + $person = $em->getRepository('ChillPersonBundle:Person')->find($person_id); $cFGroup = $em ->getRepository('ChillCustomFieldsBundle:CustomFieldsGroup') ->find($cf_group_id); @@ -203,6 +209,8 @@ class ReportController extends Controller throw $this->createNotFoundException("Person not found"); } + $this->denyAccessUnlessGranted('CHILL_PERSON_SEE', $person); + if ($cFGroup === NULL){ throw $this->createNotFoundException("custom fields group not found"); } 
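Review bot: `$person` is read on the new side of the listAction hunk (`denyAccessUnlessGranted('CHILL_PERSON_SEE', $person)` and `$person->getCenter()`), but the only assignment to it is the removed `find($person_id)` line and none of the added lines reassigns it; the hunk header (9 → 15 lines with two removals) allows exactly eight additions and all eight are visible, so `$person` is undefined there, the access check is evaluated against null and `->getCenter()` is a fatal error that the `[ci skip]` run never exercised. Re-add the lookup before the check with the same not-found handling the other actions use: `$person = $em->getRepository('ChillPersonBundle:Person')->find($person_id);` followed by `if ($person === NULL) { throw $this->createNotFoundException("Person not found"); }`. `new Role('CHILL_REPORT_SEE')` here and `new Role('CHILL_REPORT_UPDATE')` in the createEditForm hunk also need `use Symfony\Component\Security\Core\Role\Role;` unless the file already imports it — no `use` line is added anywhere in this patch. It is also worth confirming what `findBy(array('person' => $person, 'scope' => $reachableScopes))` does when the user reaches no scope at all: an empty array must yield no reports, not a query error or an unfiltered list. listAction starts and ends outside the hunk.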
@@ -244,6 +252,8 @@ class ReportController extends Controller if($person === NULL || $cFGroup === NULL) { throw $this->createNotFoundException(); } + + $this->denyAccessUnlessGranted('CHILL_PERSON_SEE', $person); $form = $this->createCreateForm($entity, $person, $cFGroup); $form->handleRequest($request); @@ -252,6 +262,8 @@ class ReportController extends Controller $entity->setCFGroup($cFGroup); $entity->setPerson($person); + $this->denyAccessUnlessGranted('CHILL_REPORT_CREATE', $entity); + $em->persist($entity); $em->flush(); @@ -323,6 +335,8 @@ class ReportController extends Controller throw $this->createNotFoundException( $this->get('translator')->trans('Unable to find this report.')); } + + $this->denyAccessUnlessGranted('CHILL_REPORT_SEE', $entity); return $this->render('ChillReportBundle:Report:view.html.twig', array( 'entity' => $entity, @@ -352,10 +366,12 @@ class ReportController extends Controller throw new \RuntimeException( $this->get('translator')->trans('This is not the report of the person.'), 1); } + + $this->denyAccessUnlessGranted('CHILL_REPORT_UPDATE', $report); $person = $report->getPerson(); - $editForm = $this->createEditForm($report, $person->getId()); + $editForm = $this->createEditForm($report); return $this->render('ChillReportBundle:Report:edit.html.twig', array( 'edit_form' => $editForm->createView(), 
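Review bot: In the editAction hunk the person/report consistency check still throws `\RuntimeException` two lines above the new `CHILL_REPORT_UPDATE` denial, so a URL whose person_id does not match the report answers with a 500 rather than a client error, while every other failure path in these hunks is a 404 or 403. Now that the form derives the person from `$report->getPerson()`, a mismatching person_id is simply a bad request: `throw $this->createNotFoundException($this->get('translator')->trans('This is not the report of the person.'));`. The -400 hunk (updateAction) presumably sits below the same check and should be aligned in the same way; both methods start outside their hunks so the preceding lines are not visible here.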
@@ -370,14 +386,16 @@ class ReportController extends Controller * @param integer $person_id The id of the person. * @return \Symfony\Component\Form\Form The form */ - private function createEditForm(Report $entity, $person_id) + private function createEditForm(Report $entity) { - $form = $this->createForm(new ReportType(), $entity, array( + $form = $this->createForm('chill_reportbundle_report', $entity, array( 'action' => $this->generateUrl('report_update', - array('person_id' => $person_id, 'report_id' => $entity->getId())), + array('person_id' => $entity->getPerson()->getId(), + 'report_id' => $entity->getId())), 'method' => 'PUT', - 'em' => $this->getDoctrine()->getManager(), 'cFGroup' => $entity->getCFGroup(), + 'role' => new Role('CHILL_REPORT_UPDATE'), + 'center' => $entity->getPerson()->getCenter() )); return $form; @@ -400,8 +418,10 @@ class ReportController extends Controller throw $this->createNotFoundException( $this->get('translator')->trans('Unable to find this report.')); } + + $this->denyAccessUnlessGranted('CHILL_REPORT_UPDATE', $report); - $editForm = $this->createEditForm($report, $person_id); + $editForm = $this->createEditForm($report); $editForm->handleRequest($request); if ($editForm->isValid()) { diff --git a/Resources/views/Report/list.html.twig b/Resources/views/Report/list.html.twig index 9495c920f..56b9e0faf 100644 --- a/Resources/views/Report/list.html.twig +++ b/Resources/views/Report/list.html.twig @@ -26,7 +26,7 @@ {{ 'Date' | trans }} {{ 'Report type' | trans }} - + {{ 'Report scope' | trans }} @@ -36,7 +36,7 @@ {% if report.date %}{{ report.date|localizeddate('long', 'none') }}{% endif %} {{ report.cFGroup.getName(app.request.locale) }} - + {{ report.scope.name|localize_translatable_string }} {{ 'View the report' | trans }} {{ 'Update the report' | trans }}
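Review bot: The createEditForm docblock still carries `* @param integer $person_id The id of the person.` although this hunk removes that parameter; drop the line and replace it with `* @param Report $entity The report to edit; the person and center are read from it.`. The new `'role'` and `'center'` options handed to the `chill_reportbundle_report` form type are undocumented at the call site — a comment such as `// restrict the selectable scopes to those reachable for CHILL_REPORT_UPDATE in the person's center` would make the intent visible (inferred from the option names; confirm against the form type). Minor style: `'center' => $entity->getPerson()->getCenter()` lacks the trailing comma the other options in the array carry.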