Use IsGranted in UserController

This commit is contained in:
Yassine Guedidi 2024-02-05 22:02:50 +01:00
parent 39c24ab6e2
commit beaca32493
9 changed files with 277 additions and 21 deletions

View file

@ -76,6 +76,5 @@ security:
- { path: ^/settings, roles: ROLE_SUPER_ADMIN } - { path: ^/settings, roles: ROLE_SUPER_ADMIN }
- { path: ^/annotations, roles: ROLE_USER } - { path: ^/annotations, roles: ROLE_USER }
- { path: ^/2fa, role: IS_AUTHENTICATED_2FA_IN_PROGRESS } - { path: ^/2fa, role: IS_AUTHENTICATED_2FA_IN_PROGRESS }
- { path: ^/users, roles: ROLE_SUPER_ADMIN }
- { path: ^/ignore-origin-instance-rules, roles: ROLE_SUPER_ADMIN } - { path: ^/ignore-origin-instance-rules, roles: ROLE_SUPER_ADMIN }
- { path: ^/, roles: ROLE_USER } - { path: ^/, roles: ROLE_USER }

View file

@ -10,6 +10,7 @@ use Pagerfanta\Doctrine\ORM\QueryAdapter as DoctrineORMAdapter;
use Pagerfanta\Exception\OutOfRangeCurrentPageException; use Pagerfanta\Exception\OutOfRangeCurrentPageException;
use Pagerfanta\Pagerfanta; use Pagerfanta\Pagerfanta;
use Scheb\TwoFactorBundle\Security\TwoFactor\Provider\Google\GoogleAuthenticatorInterface; use Scheb\TwoFactorBundle\Security\TwoFactor\Provider\Google\GoogleAuthenticatorInterface;
use Sensio\Bundle\FrameworkExtraBundle\Configuration\IsGranted;
use Symfony\Component\EventDispatcher\EventDispatcherInterface; use Symfony\Component\EventDispatcher\EventDispatcherInterface;
use Symfony\Component\Form\Form; use Symfony\Component\Form\Form;
use Symfony\Component\Form\FormInterface; use Symfony\Component\Form\FormInterface;
@ -41,6 +42,7 @@ class UserController extends AbstractController
* Creates a new User entity. * Creates a new User entity.
* *
* @Route("/users/new", name="user_new", methods={"GET", "POST"}) * @Route("/users/new", name="user_new", methods={"GET", "POST"})
* @IsGranted("CREATE_USERS")
*/ */
public function newAction(Request $request, UserManagerInterface $userManager, EventDispatcherInterface $eventDispatcher) public function newAction(Request $request, UserManagerInterface $userManager, EventDispatcherInterface $eventDispatcher)
{ {
@ -77,6 +79,7 @@ class UserController extends AbstractController
* Displays a form to edit an existing User entity. * Displays a form to edit an existing User entity.
* *
* @Route("/users/{id}/edit", name="user_edit", methods={"GET", "POST"}) * @Route("/users/{id}/edit", name="user_edit", methods={"GET", "POST"})
* @IsGranted("EDIT", subject="user")
*/ */
public function editAction(Request $request, User $user, UserManagerInterface $userManager, GoogleAuthenticatorInterface $googleAuthenticator) public function editAction(Request $request, User $user, UserManagerInterface $userManager, GoogleAuthenticatorInterface $googleAuthenticator)
{ {
@ -119,6 +122,7 @@ class UserController extends AbstractController
* Deletes a User entity. * Deletes a User entity.
* *
* @Route("/users/{id}", name="user_delete", methods={"DELETE"}) * @Route("/users/{id}", name="user_delete", methods={"DELETE"})
* @IsGranted("DELETE", subject="user")
*/ */
public function deleteAction(Request $request, User $user) public function deleteAction(Request $request, User $user)
{ {
@ -142,6 +146,7 @@ class UserController extends AbstractController
* @param int $page * @param int $page
* *
* @Route("/users/list/{page}", name="user_index", defaults={"page" = 1}) * @Route("/users/list/{page}", name="user_index", defaults={"page" = 1})
* @IsGranted("LIST_USERS")
* *
* Default parameter for page is hardcoded (in duplication of the defaults from the Route) * Default parameter for page is hardcoded (in duplication of the defaults from the Route)
* because this controller is also called inside the layout template without any page as argument * because this controller is also called inside the layout template without any page as argument

View file

@ -0,0 +1,47 @@
<?php
namespace Wallabag\Security\Voter;
use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
use Symfony\Component\Security\Core\Authorization\Voter\Voter;
use Symfony\Component\Security\Core\Security;
use Wallabag\Entity\User;
class AdminVoter extends Voter
{
public const LIST_USERS = 'LIST_USERS';
public const CREATE_USERS = 'CREATE_USERS';
private Security $security;
public function __construct(Security $security)
{
$this->security = $security;
}
protected function supports(string $attribute, $subject): bool
{
if (!\in_array($attribute, [self::LIST_USERS, self::CREATE_USERS], true)) {
return false;
}
return true;
}
protected function voteOnAttribute(string $attribute, $subject, TokenInterface $token): bool
{
$user = $token->getUser();
if (!$user instanceof User) {
return false;
}
switch ($attribute) {
case self::LIST_USERS:
case self::CREATE_USERS:
return $this->security->isGranted('ROLE_SUPER_ADMIN');
}
return false;
}
}

View file

@ -0,0 +1,53 @@
<?php
namespace Wallabag\Security\Voter;
use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
use Symfony\Component\Security\Core\Authorization\Voter\Voter;
use Symfony\Component\Security\Core\Security;
use Wallabag\Entity\User;
class UserVoter extends Voter
{
public const EDIT = 'EDIT';
public const DELETE = 'DELETE';
private Security $security;
public function __construct(Security $security)
{
$this->security = $security;
}
protected function supports(string $attribute, $subject): bool
{
if (!$subject instanceof User) {
return false;
}
if (!\in_array($attribute, [self::EDIT, self::DELETE], true)) {
return false;
}
return true;
}
protected function voteOnAttribute(string $attribute, $subject, TokenInterface $token): bool
{
$user = $token->getUser();
\assert($user instanceof User);
switch ($attribute) {
case self::EDIT:
return $this->security->isGranted('ROLE_SUPER_ADMIN');
case self::DELETE:
if ($user === $subject) {
return false;
}
return $this->security->isGranted('ROLE_SUPER_ADMIN');
}
return false;
}
}

View file

@ -66,9 +66,13 @@
{{ form_widget(edit_form._token) }} {{ form_widget(edit_form._token) }}
</form> </form>
<p> <p>
{{ form_start(delete_form) }} {% if is_granted('DELETE', user) %}
<button {% if app.user.id == user.id %}disabled="disabled"{% endif %} onclick="return confirm('{{ 'user.form.delete_confirm'|trans|escape('js') }}')" type="submit" class="btn waves-effect waves-light red">{{ 'user.form.delete'|trans }}</button> {{ form_start(delete_form) }}
{{ form_end(delete_form) }} <button onclick="return confirm('{{ 'user.form.delete_confirm'|trans|escape('js') }}')" type="submit" class="btn waves-effect waves-light red">{{ 'user.form.delete'|trans }}</button>
{{ form_end(delete_form) }}
{% else %}
<button disabled="disabled" type="button" class="btn waves-effect waves-light red">{{ 'user.form.delete'|trans }}</button>
{% endif %}
</p> </p>
<p><a class="waves-effect waves-light btn blue-grey" href="{{ path('user_index') }}">{{ 'user.form.back_to_list'|trans }}</a></p> <p><a class="waves-effect waves-light btn blue-grey" href="{{ path('user_index') }}">{{ 'user.form.back_to_list'|trans }}</a></p>
</div> </div>

View file

@ -15,21 +15,23 @@
<p class="help">{{ 'user.description'|trans|raw }}</p> <p class="help">{{ 'user.description'|trans|raw }}</p>
</div> </div>
<div class="col s6"> <div class="col s6">
<div class="input-field"> {% if is_granted('LIST_USERS') %}
<form name="search_users" method="GET" action="{{ path('user_index') }}"> <div class="input-field">
{% if form_errors(searchForm) %} <form name="search_users" method="GET" action="{{ path('user_index') }}">
<span class="black-text">{{ form_errors(searchForm) }}</span> {% if form_errors(searchForm) %}
{% endif %} <span class="black-text">{{ form_errors(searchForm) }}</span>
{% endif %}
{% if form_errors(searchForm.term) %} {% if form_errors(searchForm.term) %}
<span class="black-text">{{ form_errors(searchForm.term) }}</span> <span class="black-text">{{ form_errors(searchForm.term) }}</span>
{% endif %} {% endif %}
{{ form_widget(searchForm.term, {'attr': {'autocomplete': 'off', 'placeholder': 'user.search.placeholder'}}) }} {{ form_widget(searchForm.term, {'attr': {'autocomplete': 'off', 'placeholder': 'user.search.placeholder'}}) }}
{{ form_rest(searchForm) }} {{ form_rest(searchForm) }}
</form> </form>
</div> </div>
{% endif %}
</div> </div>
<table class="bordered"> <table class="bordered">
@ -48,16 +50,20 @@
<td>{{ user.email }}</td> <td>{{ user.email }}</td>
<td>{% if user.lastLogin %}{{ user.lastLogin|date('Y-m-d H:i:s') }}{% endif %}</td> <td>{% if user.lastLogin %}{{ user.lastLogin|date('Y-m-d H:i:s') }}{% endif %}</td>
<td> <td>
<a href="{{ path('user_edit', {'id': user.id}) }}">{{ 'user.list.edit_action'|trans }}</a> {% if is_granted('EDIT', user) %}
<a href="{{ path('user_edit', {'id': user.id}) }}">{{ 'user.list.edit_action'|trans }}</a>
{% endif %}
</td> </td>
</tr> </tr>
{% endfor %} {% endfor %}
</tbody> </tbody>
</table> </table>
<br /> <br />
<p> {% if is_granted('CREATE_USERS') %}
<a href="{{ path('user_new') }}" class="waves-effect waves-light btn">{{ 'user.list.create_new_one'|trans }}</a> <p>
</p> <a href="{{ path('user_new') }}" class="waves-effect waves-light btn">{{ 'user.list.create_new_one'|trans }}</a>
</p>
{% endif %}
{% if users.getNbPages > 1 %} {% if users.getNbPages > 1 %}
{{ pagerfanta(users, 'default_wallabag') }} {{ pagerfanta(users, 'default_wallabag') }}
{% endif %} {% endif %}

View file

@ -124,8 +124,10 @@
<li><a href="{{ path('site_credentials_index') }}"><i class="material-icons">vpn_key</i> {{ 'menu.left.site_credentials'|trans }}</a></li> <li><a href="{{ path('site_credentials_index') }}"><i class="material-icons">vpn_key</i> {{ 'menu.left.site_credentials'|trans }}</a></li>
{% endif %} {% endif %}
<li class="divider"></li> <li class="divider"></li>
{% if is_granted('ROLE_SUPER_ADMIN') %} {% if is_granted('LIST_USERS') %}
<li><a href="{{ path('user_index') }}"><i class="material-icons">people</i>{{ 'menu.left.users_management'|trans }}</a></li> <li><a href="{{ path('user_index') }}"><i class="material-icons">people</i>{{ 'menu.left.users_management'|trans }}</a></li>
{% endif %}
{% if is_granted('ROLE_SUPER_ADMIN') %}
<li><a href="{{ path('craue_config_settings_modify') }}"><i class="material-icons">settings</i> {{ 'menu.left.internal_settings'|trans }}</a></li> <li><a href="{{ path('craue_config_settings_modify') }}"><i class="material-icons">settings</i> {{ 'menu.left.internal_settings'|trans }}</a></li>
<li><a href="{{ path('ignore_origin_instance_rules_index') }}"><i class="material-icons">build</i> {{ 'menu.left.ignore_origin_instance_rules'|trans }}</a></li> <li><a href="{{ path('ignore_origin_instance_rules_index') }}"><i class="material-icons">build</i> {{ 'menu.left.ignore_origin_instance_rules'|trans }}</a></li>
<li class="divider"></li> <li class="divider"></li>

View file

@ -0,0 +1,67 @@
<?php
namespace Tests\Wallabag\Security\Voter;
use PHPUnit\Framework\TestCase;
use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
use Symfony\Component\Security\Core\Authorization\Voter\VoterInterface;
use Symfony\Component\Security\Core\Security;
use Wallabag\Entity\User;
use Wallabag\Security\Voter\AdminVoter;
class AdminVoterTest extends TestCase
{
private $security;
private $token;
private $adminVoter;
protected function setUp(): void
{
$this->security = $this->createMock(Security::class);
$this->token = $this->createMock(TokenInterface::class);
$this->token->method('getUser')->willReturn(new User());
$this->adminVoter = new AdminVoter($this->security);
}
public function testVoteReturnsAbstainForInvalidAttribute(): void
{
$this->assertSame(VoterInterface::ACCESS_ABSTAIN, $this->adminVoter->vote($this->token, null, ['INVALID']));
}
public function testVoteReturnsDeniedForInvalidUser(): void
{
$this->token->method('getUser')->willReturn(new \stdClass());
$this->assertSame(VoterInterface::ACCESS_DENIED, $this->adminVoter->vote($this->token, null, [AdminVoter::LIST_USERS]));
}
public function testVoteReturnsDeniedForNonSuperAdminListUsers(): void
{
$this->security->method('isGranted')->with('ROLE_SUPER_ADMIN')->willReturn(false);
$this->assertSame(VoterInterface::ACCESS_DENIED, $this->adminVoter->vote($this->token, null, [AdminVoter::LIST_USERS]));
}
public function testVoteReturnsGrantedForSuperAdminListUsers(): void
{
$this->security->method('isGranted')->with('ROLE_SUPER_ADMIN')->willReturn(true);
$this->assertSame(VoterInterface::ACCESS_GRANTED, $this->adminVoter->vote($this->token, null, [AdminVoter::LIST_USERS]));
}
public function testVoteReturnsDeniedForNonSuperAdminCreateUsers(): void
{
$this->security->method('isGranted')->with('ROLE_SUPER_ADMIN')->willReturn(false);
$this->assertSame(VoterInterface::ACCESS_DENIED, $this->adminVoter->vote($this->token, null, [AdminVoter::CREATE_USERS]));
}
public function testVoteReturnsGrantedForSuperAdminCreateUsers(): void
{
$this->security->method('isGranted')->with('ROLE_SUPER_ADMIN')->willReturn(true);
$this->assertSame(VoterInterface::ACCESS_GRANTED, $this->adminVoter->vote($this->token, null, [AdminVoter::CREATE_USERS]));
}
}

View file

@ -0,0 +1,73 @@
<?php
namespace Tests\Wallabag\Security\Voter;
use PHPUnit\Framework\TestCase;
use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
use Symfony\Component\Security\Core\Authorization\Voter\VoterInterface;
use Symfony\Component\Security\Core\Security;
use Wallabag\Entity\User;
use Wallabag\Security\Voter\UserVoter;
class UserVoterTest extends TestCase
{
private $security;
private $token;
private $userVoter;
protected function setUp(): void
{
$this->security = $this->createMock(Security::class);
$this->token = $this->createMock(TokenInterface::class);
$this->token->method('getUser')->willReturn(new User());
$this->userVoter = new UserVoter($this->security);
}
public function testVoteReturnsAbstainForInvalidSubject(): void
{
$this->assertSame(VoterInterface::ACCESS_ABSTAIN, $this->userVoter->vote($this->token, new \stdClass(), [UserVoter::EDIT]));
}
public function testVoteReturnsAbstainForInvalidAttribute(): void
{
$this->assertSame(VoterInterface::ACCESS_ABSTAIN, $this->userVoter->vote($this->token, new User(), ['INVALID']));
}
public function testVoteReturnsDeniedForNonSuperAdminEdit(): void
{
$this->security->method('isGranted')->with('ROLE_SUPER_ADMIN')->willReturn(false);
$this->assertSame(VoterInterface::ACCESS_DENIED, $this->userVoter->vote($this->token, new User(), [UserVoter::EDIT]));
}
public function testVoteReturnsGrantedForSuperAdminEdit(): void
{
$this->security->method('isGranted')->with('ROLE_SUPER_ADMIN')->willReturn(true);
$this->assertSame(VoterInterface::ACCESS_GRANTED, $this->userVoter->vote($this->token, new User(), [UserVoter::EDIT]));
}
public function testVoteReturnsDeniedForSelfDelete(): void
{
$user = new User();
$this->token->method('getUser')->willReturn($user);
$this->assertSame(VoterInterface::ACCESS_DENIED, $this->userVoter->vote($this->token, $user, [UserVoter::DELETE]));
}
public function testVoteReturnsDeniedForNonSuperAdminDelete(): void
{
$this->security->method('isGranted')->with('ROLE_SUPER_ADMIN')->willReturn(false);
$this->assertSame(VoterInterface::ACCESS_DENIED, $this->userVoter->vote($this->token, new User(), [UserVoter::DELETE]));
}
public function testVoteReturnsGrantedForSuperAdminDelete(): void
{
$this->security->method('isGranted')->with('ROLE_SUPER_ADMIN')->willReturn(true);
$this->assertSame(VoterInterface::ACCESS_GRANTED, $this->userVoter->vote($this->token, new User(), [UserVoter::DELETE]));
}
}