mirrors/wallabag
1
0
Fork 0
mirror of https://github.com/wallabag/wallabag.git synced 2025-03-13 22:52:39 +00:00
Code Issues Projects Releases Wiki Activity

Add IsGranted to AnnotationController

Browse source
This commit is contained in:
Yassine Guedidi 2025-03-10 23:05:06 +01:00
parent bd9ce9a48a
commit 4651307712
8 changed files with 173 additions and 24 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

1
app/config/security.yml
View file

@ -74,6 +74,5 @@ security:
- { path: /(unread|starred|archive|annotated).xml$, roles: IS_AUTHENTICATED_ANONYMOUSLY } # For backwards compatibility
- { path: ^/share, roles: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/settings, roles: ROLE_SUPER_ADMIN }
- { path: ^/annotations, roles: ROLE_USER }
- { path: ^/2fa, role: IS_AUTHENTICATED_2FA_IN_PROGRESS }
- { path: ^/, roles: ROLE_USER }

2
phpstan-baseline.neon
View file

@ -6,7 +6,7 @@ parameters:
path: src/Controller/AnnotationController.php
-
message: "#^Method Wallabag\\\\Controller\\\\AnnotationController\\:\\:putAnnotationAction\\(\\) should return Symfony\\\\Component\\\\HttpFoundation\\\\JsonResponse but returns Symfony\\\\Component\\\\Form\\\\FormInterface\\<null\\>\\.$#"
message: "#^Method Wallabag\\\\Controller\\\\AnnotationController\\:\\:putAnnotationAction\\(\\) should return Symfony\\\\Component\\\\HttpFoundation\\\\JsonResponse but returns Symfony\\\\Component\\\\Form\\\\FormInterface\\<mixed\\>\\.$#"
count: 1
path: src/Controller/AnnotationController.php

24
src/Controller/AnnotationController.php
View file

@ -5,6 +5,7 @@ namespace Wallabag\Controller;
use Doctrine\ORM\EntityManagerInterface;
use FOS\RestBundle\Controller\AbstractFOSRestController;
use JMS\Serializer\SerializerInterface;
use Sensio\Bundle\FrameworkExtraBundle\Configuration\IsGranted;
use Symfony\Component\Form\FormFactoryInterface;
use Symfony\Component\HttpFoundation\JsonResponse;
use Symfony\Component\HttpFoundation\Request;
@ -36,6 +37,7 @@ class AnnotationController extends AbstractFOSRestController
* @see Api\WallabagRestController
*
* @Route("/annotations/{entry}.{_format}", name="annotations_get_annotations", methods={"GET"}, defaults={"_format": "json"})
* @IsGranted("LIST_ANNOTATIONS", subject="entry")
*
* @return JsonResponse
*/
@ -57,6 +59,7 @@ class AnnotationController extends AbstractFOSRestController
* @see Api\WallabagRestController
*
* @Route("/annotations/{entry}.{_format}", name="annotations_post_annotation", methods={"POST"}, defaults={"_format": "json"})
* @IsGranted("CREATE_ANNOTATIONS", subject="entry")
*
* @return JsonResponse
*/
@ -91,14 +94,13 @@ class AnnotationController extends AbstractFOSRestController
* @see Api\WallabagRestController
*
* @Route("/annotations/{annotation}.{_format}", name="annotations_put_annotation", methods={"PUT"}, defaults={"_format": "json"})
* @IsGranted("EDIT", subject="annotation")
*
* @return JsonResponse
*/
public function putAnnotationAction(Request $request, AnnotationRepository $annotationRepository, int $annotation)
public function putAnnotationAction(Request $request, Annotation $annotation)
{
try {
$annotation = $this->validateAnnotation($annotationRepository, $annotation, $this->getUser()->getId());
$data = json_decode($request->getContent(), true, 512, \JSON_THROW_ON_ERROR);
$form = $this->formFactory->createNamed('', EditAnnotationType::class, $annotation, [
@ -128,14 +130,13 @@ class AnnotationController extends AbstractFOSRestController
* @see Api\WallabagRestController
*
* @Route("/annotations/{annotation}.{_format}", name="annotations_delete_annotation", methods={"DELETE"}, defaults={"_format": "json"})
* @IsGranted("DELETE", subject="annotation")
*
* @return JsonResponse
*/
public function deleteAnnotationAction(AnnotationRepository $annotationRepository, int $annotation)
public function deleteAnnotationAction(Annotation $annotation)
{
try {
$annotation = $this->validateAnnotation($annotationRepository, $annotation, $this->getUser()->getId());
$this->entityManager->remove($annotation);
$this->entityManager->flush();
@ -157,15 +158,4 @@ class AnnotationController extends AbstractFOSRestController
return $user;
}
private function validateAnnotation(AnnotationRepository $annotationRepository, int $annotationId, int $userId)
{
$annotation = $annotationRepository->findOneByIdAndUserId($annotationId, $userId);
if (null === $annotation) {
throw new NotFoundHttpException();
}
return $annotation;
}
}

46
src/Security/Voter/AnnotationVoter.php Normal file
View file

@ -0,0 +1,46 @@
<?php
namespace Wallabag\Security\Voter;
use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
use Symfony\Component\Security\Core\Authorization\Voter\Voter;
use Wallabag\Entity\Annotation;
use Wallabag\Entity\User;
class AnnotationVoter extends Voter
{
public const EDIT = 'EDIT';
public const DELETE = 'DELETE';
protected function supports(string $attribute, $subject): bool
{
if (!$subject instanceof Annotation) {
return false;
}
if (!\in_array($attribute, [self::EDIT, self::DELETE], true)) {
return false;
}
return true;
}
protected function voteOnAttribute(string $attribute, $subject, TokenInterface $token): bool
{
\assert($subject instanceof Annotation);
$user = $token->getUser();
if (!$user instanceof User) {
return false;
}
switch ($attribute) {
case self::EDIT:
case self::DELETE:
return $subject->getUser() === $user;
}
return false;
}
}

6
src/Security/Voter/EntryVoter.php
View file

@ -17,6 +17,8 @@ class EntryVoter extends Voter
public const SHARE = 'SHARE';
public const UNSHARE = 'UNSHARE';
public const DELETE = 'DELETE';
public const LIST_ANNOTATIONS = 'LIST_ANNOTATIONS';
public const CREATE_ANNOTATIONS = 'CREATE_ANNOTATIONS';
protected function supports(string $attribute, $subject): bool
{
@ -24,7 +26,7 @@ class EntryVoter extends Voter
return false;
}
if (!\in_array($attribute, [self::VIEW, self::EDIT, self::RELOAD, self::STAR, self::ARCHIVE, self::SHARE, self::UNSHARE, self::DELETE], true)) {
if (!\in_array($attribute, [self::VIEW, self::EDIT, self::RELOAD, self::STAR, self::ARCHIVE, self::SHARE, self::UNSHARE, self::DELETE, self::LIST_ANNOTATIONS, self::CREATE_ANNOTATIONS], true)) {
return false;
}
@ -50,6 +52,8 @@ class EntryVoter extends Voter
case self::SHARE:
case self::UNSHARE:
case self::DELETE:
case self::LIST_ANNOTATIONS:
case self::CREATE_ANNOTATIONS:
return $user === $subject->getUser();
}

5
tests/Controller/AnnotationControllerTest.php
View file

@ -82,10 +82,7 @@ class AnnotationControllerTest extends WallabagTestCase
}
$this->client->request('GET', $prefixUrl . '/' . $entry->getId() . '.json');
$this->assertSame(200, $this->client->getResponse()->getStatusCode());
$content = json_decode($this->client->getResponse()->getContent(), true);
$this->assertGreaterThanOrEqual(0, $content['total']);
$this->assertSame(404, $this->client->getResponse()->getStatusCode());
}
/**

85
tests/Security/Voter/AnnotationVoterTest.php Normal file
View file

@ -0,0 +1,85 @@
<?php
namespace Security\Voter;
use PHPUnit\Framework\TestCase;
use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
use Symfony\Component\Security\Core\Authorization\Voter\VoterInterface;
use Wallabag\Entity\Annotation;
use Wallabag\Entity\User;
use Wallabag\Security\Voter\AnnotationVoter;
class AnnotationVoterTest extends TestCase
{
private $token;
private $annotationVoter;
protected function setUp(): void
{
$this->token = $this->createMock(TokenInterface::class);
$this->annotationVoter = new AnnotationVoter();
}
public function testVoteReturnsAbstainForInvalidSubject(): void
{
$this->assertSame(VoterInterface::ACCESS_ABSTAIN, $this->annotationVoter->vote($this->token, new \stdClass(), [AnnotationVoter::EDIT]));
}
public function testVoteReturnsAbstainForInvalidAttribute(): void
{
$this->assertSame(VoterInterface::ACCESS_ABSTAIN, $this->annotationVoter->vote($this->token, new Annotation(new User()), ['INVALID']));
}
public function testVoteReturnsDeniedForUnauthenticatedEdit(): void
{
$this->token->method('getUser')->willReturn(null);
$this->assertSame(VoterInterface::ACCESS_DENIED, $this->annotationVoter->vote($this->token, new Annotation(new User()), [AnnotationVoter::EDIT]));
}
public function testVoteReturnsDeniedForOtherUserEdit(): void
{
$currentUser = new User();
$annotationUser = new User();
$this->token->method('getUser')->willReturn($currentUser);
$this->assertSame(VoterInterface::ACCESS_DENIED, $this->annotationVoter->vote($this->token, new Annotation($annotationUser), [AnnotationVoter::EDIT]));
}
public function testVoteReturnsGrantedForAnnotationUserEdit(): void
{
$user = new User();
$this->token->method('getUser')->willReturn($user);
$this->assertSame(VoterInterface::ACCESS_GRANTED, $this->annotationVoter->vote($this->token, new Annotation($user), [AnnotationVoter::EDIT]));
}
public function testVoteReturnsDeniedForUnauthenticatedDelete(): void
{
$this->token->method('getUser')->willReturn(null);
$this->assertSame(VoterInterface::ACCESS_DENIED, $this->annotationVoter->vote($this->token, new Annotation(new User()), [AnnotationVoter::DELETE]));
}
public function testVoteReturnsDeniedForOtherUserDelete(): void
{
$currentUser = new User();
$annotationUser = new User();
$this->token->method('getUser')->willReturn($currentUser);
$this->assertSame(VoterInterface::ACCESS_DENIED, $this->annotationVoter->vote($this->token, new Annotation($annotationUser), [AnnotationVoter::DELETE]));
}
public function testVoteReturnsGrantedForAnnotationUserDelete(): void
{
$user = new User();
$this->token->method('getUser')->willReturn($user);
$this->assertSame(VoterInterface::ACCESS_GRANTED, $this->annotationVoter->vote($this->token, new Annotation($user), [AnnotationVoter::DELETE]));
}
}

28
tests/Security/Voter/EntryVoterTest.php
View file

@ -146,4 +146,32 @@ class EntryVoterTest extends TestCase
$this->assertSame(VoterInterface::ACCESS_GRANTED, $this->entryVoter->vote($this->token, $this->entry, [EntryVoter::DELETE]));
}
public function testVoteReturnsDeniedForNonEntryUserListAnnotations(): void
{
$this->token->method('getUser')->willReturn(new User());
$this->assertSame(VoterInterface::ACCESS_DENIED, $this->entryVoter->vote($this->token, $this->entry, [EntryVoter::LIST_ANNOTATIONS]));
}
public function testVoteReturnsGrantedForEntryUserListAnnotations(): void
{
$this->token->method('getUser')->willReturn($this->user);
$this->assertSame(VoterInterface::ACCESS_GRANTED, $this->entryVoter->vote($this->token, $this->entry, [EntryVoter::LIST_ANNOTATIONS]));
}
public function testVoteReturnsDeniedForNonEntryUserCreateAnnotations(): void
{
$this->token->method('getUser')->willReturn(new User());
$this->assertSame(VoterInterface::ACCESS_DENIED, $this->entryVoter->vote($this->token, $this->entry, [EntryVoter::CREATE_ANNOTATIONS]));
}
public function testVoteReturnsGrantedForEntryUserCreateAnnotations(): void
{
$this->token->method('getUser')->willReturn($this->user);
$this->assertSame(VoterInterface::ACCESS_GRANTED, $this->entryVoter->vote($this->token, $this->entry, [EntryVoter::CREATE_ANNOTATIONS]));
}
}