diff --git a/src/Controller/SiteCredentialController.php b/src/Controller/SiteCredentialController.php
index c1b806f70..e9cfb203f 100644
--- a/src/Controller/SiteCredentialController.php
+++ b/src/Controller/SiteCredentialController.php
@@ -4,6 +4,7 @@ namespace Wallabag\Controller;
 
 use Craue\ConfigBundle\Util\Config;
 use Doctrine\ORM\EntityManagerInterface;
+use Sensio\Bundle\FrameworkExtraBundle\Configuration\IsGranted;
 use Symfony\Component\Form\Form;
 use Symfony\Component\Form\FormInterface;
 use Symfony\Component\HttpFoundation\RedirectResponse;
@@ -41,6 +42,7 @@ class SiteCredentialController extends AbstractController
      * Lists all User entities.
      *
      * @Route("/", name="site_credentials_index", methods={"GET"})
+     * @IsGranted("LIST_SITE_CREDENTIALS")
      */
     public function indexAction(SiteCredentialRepository $repository)
     {
@@ -57,6 +59,7 @@ class SiteCredentialController extends AbstractController
      * Creates a new site credential entity.
      *
      * @Route("/new", name="site_credentials_new", methods={"GET", "POST"})
+     * @IsGranted("CREATE_SITE_CREDENTIALS")
      *
      * @return Response
      */
@@ -94,6 +97,7 @@ class SiteCredentialController extends AbstractController
      * Displays a form to edit an existing site credential entity.
      *
      * @Route("/{id}/edit", name="site_credentials_edit", methods={"GET", "POST"})
+     * @IsGranted("EDIT", subject="siteCredential")
      *
      * @return Response
      */
@@ -101,8 +105,6 @@ class SiteCredentialController extends AbstractController
     {
         $this->isSiteCredentialsEnabled();
 
-        $this->checkUserAction($siteCredential);
-
         $deleteForm = $this->createDeleteForm($siteCredential);
         $editForm = $this->createForm(SiteCredentialType::class, $siteCredential);
         $editForm->handleRequest($request);
@@ -133,6 +135,7 @@ class SiteCredentialController extends AbstractController
      * Deletes a site credential entity.
      *
      * @Route("/{id}", name="site_credentials_delete", methods={"DELETE"})
+     * @IsGranted("DELETE", subject="siteCredential")
      *
      * @return RedirectResponse
      */
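Review bot: `@IsGranted("EDIT", subject="siteCredential")` resolves its subject by controller argument name, and editAction's signature sits just outside this hunk, so confirm the parameter is still declared as `SiteCredential $siteCredential`; as far as I recall the Sensio listener throws a RuntimeException when the named subject is not among the action's arguments, which fails closed but is easy to trip during a later rename. The same applies to the `subject="siteCredential"` on the delete route further down. Because the annotation is evaluated before the method body, `isSiteCredentialsEnabled()` now runs after the ownership vote, whereas the removed `checkUserAction` ran after it — if "feature disabled" was meant to take precedence over "forbidden", that ordering has changed. A one-line docblock note such as ` * Ownership is enforced by SiteCredentialVoter (EDIT); the feature-enabled check stays in the body.` would make the split visible to the next reader.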
@@ -140,8 +143,6 @@ class SiteCredentialController extends AbstractController
     {
         $this->isSiteCredentialsEnabled();
 
-        $this->checkUserAction($siteCredential);
-
         $form = $this->createDeleteForm($siteCredential);
         $form->handleRequest($request);
 
@@ -183,16 +184,4 @@ class SiteCredentialController extends AbstractController
             ->getForm()
         ;
     }
-
-    /**
-     * Check if the logged user can manage the given site credential.
-     *
-     * @param SiteCredential $siteCredential The site credential entity
-     */
-    private function checkUserAction(SiteCredential $siteCredential)
-    {
-        if (null === $this->getUser() || $this->getUser()->getId() !== $siteCredential->getUser()->getId()) {
-            throw $this->createAccessDeniedException('You can not access this site credential.');
-        }
-    }
 }
diff --git a/src/Security/Voter/MainVoter.php b/src/Security/Voter/MainVoter.php
index 015bac4b3..b036cc0cb 100644
--- a/src/Security/Voter/MainVoter.php
+++ b/src/Security/Voter/MainVoter.php
@@ -11,6 +11,8 @@ class MainVoter extends Voter
     public const LIST_ENTRIES = 'LIST_ENTRIES';
     public const CREATE_ENTRIES = 'CREATE_ENTRIES';
     public const EDIT_ENTRIES = 'EDIT_ENTRIES';
+    public const LIST_SITE_CREDENTIALS = 'LIST_SITE_CREDENTIALS';
+    public const CREATE_SITE_CREDENTIALS = 'CREATE_SITE_CREDENTIALS';
 
     private Security $security;
 
@@ -25,7 +27,7 @@ class MainVoter extends Voter
             return false;
         }
 
-        if (!\in_array($attribute, [self::LIST_ENTRIES, self::CREATE_ENTRIES, self::EDIT_ENTRIES], true)) {
+        if (!\in_array($attribute, [self::LIST_ENTRIES, self::CREATE_ENTRIES, self::EDIT_ENTRIES, self::LIST_SITE_CREDENTIALS, self::CREATE_SITE_CREDENTIALS], true)) {
             return false;
         }
 
@@ -38,6 +40,8 @@ class MainVoter extends Voter
             case self::LIST_ENTRIES:
             case self::CREATE_ENTRIES:
             case self::EDIT_ENTRIES:
+            case self::LIST_SITE_CREDENTIALS:
+            case self::CREATE_SITE_CREDENTIALS:
                 return $this->security->isGranted('ROLE_USER');
         }
 
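Review bot: The `\in_array($attribute, [...])` list in `supports()` and the `case` labels in `voteOnAttribute()` now enumerate the same five constants in two places, and the new entries were added to both by hand; the next attribute added to only one of them will make the voter abstain (Symfony denies when every voter abstains unless `allow_if_all_abstain` is enabled, so this fails closed, but the resulting 403 is hard to diagnose). Hoisting the list once, `private const ROLE_USER_ATTRIBUTES = [self::LIST_ENTRIES, self::CREATE_ENTRIES, self::EDIT_ENTRIES, self::LIST_SITE_CREDENTIALS, self::CREATE_SITE_CREDENTIALS];`, and using `\in_array($attribute, self::ROLE_USER_ATTRIBUTES, true)` in both methods keeps them from drifting. Both `supports()` and `voteOnAttribute()` start and end outside these hunks.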
diff --git a/src/Security/Voter/SiteCredentialVoter.php b/src/Security/Voter/SiteCredentialVoter.php new file mode 100644 index 000000000..35ab28484 --- /dev/null +++ b/src/Security/Voter/SiteCredentialVoter.php @@ -0,0 +1,46 @@ +getUser(); + + if (!$user instanceof User) { + return false; + } + + switch ($attribute) { + case self::EDIT: + case self::DELETE: + return $user === $subject->getUser(); + } + + return false; + } +} diff --git a/templates/SiteCredential/edit.html.twig b/templates/SiteCredential/edit.html.twig index aec6f9480..04d8f066b 100644 --- a/templates/SiteCredential/edit.html.twig +++ b/templates/SiteCredential/edit.html.twig @@ -44,11 +44,13 @@ {{ form_widget(edit_form.save, {'attr': {'class': 'btn waves-effect waves-light'}}) }} {{ form_widget(edit_form._token) }} -
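Review bot: `return $user === $subject->getUser();` replaces the ID comparison of the removed `checkUserAction` (`getId() !== ...->getId()`) with object identity, which only holds when the token's user and the credential's `user` association resolve to the same managed Doctrine instance — presumably true in a normal request via the identity map, but it silently evaluates to false (deny) if the subject's `getUser()` returns null or a detached copy, and nothing here documents that reliance. If the intent is the previous semantics, `return $subject->getUser() instanceof User && $user->getId() === $subject->getUser()->getId();` is the direct equivalent; otherwise a comment such as `// identity comparison: both sides are the managed User for this request` would state the assumption. The file header and `supports()` of this new voter are not readable in this view, so I could not confirm the subject type guard that precedes this method.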
- {{ form_start(delete_form) }} - - {{ form_end(delete_form) }} -
+ {% if is_granted('DELETE', credential) %} ++ {{ form_start(delete_form) }} + + {{ form_end(delete_form) }} +
+ {% endif %}{{ 'site_credential.form.back_to_list'|trans }}
diff --git a/templates/SiteCredential/index.html.twig b/templates/SiteCredential/index.html.twig index a85118a5a..5da1a8b0a 100644 --- a/templates/SiteCredential/index.html.twig +++ b/templates/SiteCredential/index.html.twig @@ -23,16 +23,20 @@- {{ 'site_credential.list.create_new_one'|trans }} -
+ {% if is_granted('CREATE_SITE_CREDENTIALS') %} ++ {{ 'site_credential.list.create_new_one'|trans }} +
+ {% endif %} diff --git a/templates/layout.html.twig b/templates/layout.html.twig index 1711b48f6..98e1adfaa 100644 --- a/templates/layout.html.twig +++ b/templates/layout.html.twig @@ -126,7 +126,7 @@