Merge branch 'sudo-mode'

# Conflicts: # CHANGELOG.md
2025-10-12 07:24:27 +02:00 · 2015-12-03 15:12:51 +10:30
parent 287ce2fddd 9896378b59
commit 1cfae4ad14
68 changed files with 1071 additions and 509 deletions
--- a/src/Api/Controller/DeleteDiscussionController.php
+++ b/src/Api/Controller/DeleteDiscussionController.php
@@ -10,12 +10,15 @@

 namespace Flarum\Api\Controller;

+use Flarum\Core\Access\AssertPermissionTrait;
 use Flarum\Core\Command\DeleteDiscussion;
 use Illuminate\Contracts\Bus\Dispatcher;
 use Psr\Http\Message\ServerRequestInterface;

 class DeleteDiscussionController extends AbstractDeleteController
 {
+    use AssertPermissionTrait;
+
    /**
     * @var Dispatcher
     */
@@ -38,6 +41,8 @@ class DeleteDiscussionController extends AbstractDeleteController
        $actor = $request->getAttribute('actor');
        $input = $request->getParsedBody();

+        $this->assertSudo($request);
+
        $this->bus->dispatch(
            new DeleteDiscussion($id, $actor, $input)
        );
--- a/src/Api/Controller/DeleteGroupController.php
+++ b/src/Api/Controller/DeleteGroupController.php
@@ -10,12 +10,15 @@

 namespace Flarum\Api\Controller;

+use Flarum\Core\Access\AssertPermissionTrait;
 use Flarum\Core\Command\DeleteGroup;
 use Illuminate\Contracts\Bus\Dispatcher;
 use Psr\Http\Message\ServerRequestInterface;

 class DeleteGroupController extends AbstractDeleteController
 {
+    use AssertPermissionTrait;
+
    /**
     * @var Dispatcher
     */
@@ -34,6 +37,8 @@ class DeleteGroupController extends AbstractDeleteController
     */
    protected function delete(ServerRequestInterface $request)
    {
+        $this->assertSudo($request);
+
        $this->bus->dispatch(
            new DeleteGroup(array_get($request->getQueryParams(), 'id'), $request->getAttribute('actor'))
        );
--- a/src/Api/Controller/DeletePostController.php
+++ b/src/Api/Controller/DeletePostController.php
@@ -10,12 +10,15 @@

 namespace Flarum\Api\Controller;

+use Flarum\Core\Access\AssertPermissionTrait;
 use Flarum\Core\Command\DeletePost;
 use Illuminate\Contracts\Bus\Dispatcher;
 use Psr\Http\Message\ServerRequestInterface;

 class DeletePostController extends AbstractDeleteController
 {
+    use AssertPermissionTrait;
+
    /**
     * @var Dispatcher
     */
@@ -34,6 +37,8 @@ class DeletePostController extends AbstractDeleteController
     */
    protected function delete(ServerRequestInterface $request)
    {
+        $this->assertSudo($request);
+
        $this->bus->dispatch(
            new DeletePost(array_get($request->getQueryParams(), 'id'), $request->getAttribute('actor'))
        );
--- a/src/Api/Controller/DeleteUserController.php
+++ b/src/Api/Controller/DeleteUserController.php
@@ -10,12 +10,15 @@

 namespace Flarum\Api\Controller;

+use Flarum\Core\Access\AssertPermissionTrait;
 use Flarum\Core\Command\DeleteUser;
 use Illuminate\Contracts\Bus\Dispatcher;
 use Psr\Http\Message\ServerRequestInterface;

 class DeleteUserController extends AbstractDeleteController
 {
+    use AssertPermissionTrait;
+
    /**
     * @var Dispatcher
     */
@@ -34,6 +37,8 @@ class DeleteUserController extends AbstractDeleteController
     */
    protected function delete(ServerRequestInterface $request)
    {
+        $this->assertSudo($request);
+
        $this->bus->dispatch(
            new DeleteUser(array_get($request->getQueryParams(), 'id'), $request->getAttribute('actor'))
        );
--- a/src/Api/Controller/SetPermissionController.php
+++ b/src/Api/Controller/SetPermissionController.php
@@ -25,7 +25,7 @@ class SetPermissionController implements ControllerInterface
     */
    public function handle(ServerRequestInterface $request)
    {
-        $this->assertAdmin($request->getAttribute('actor'));
+        $this->assertAdminAndSudo($request);

        $body = $request->getParsedBody();
        $permission = array_get($body, 'permission');
--- a/src/Api/Controller/SetSettingsController.php
+++ b/src/Api/Controller/SetSettingsController.php
@@ -47,7 +47,7 @@ class SetSettingsController implements ControllerInterface
     */
    public function handle(ServerRequestInterface $request)
    {
-        $this->assertAdmin($request->getAttribute('actor'));
+        $this->assertAdminAndSudo($request);

        $settings = $request->getParsedBody();

--- a/src/Api/Controller/TokenController.php
+++ b/src/Api/Controller/TokenController.php
@@ -10,11 +10,10 @@

 namespace Flarum\Api\Controller;

-use Flarum\Api\Command\GenerateAccessToken;
 use Flarum\Core\Exception\PermissionDeniedException;
 use Flarum\Core\Repository\UserRepository;
-use Flarum\Event\UserEmailChangeWasRequested;
 use Flarum\Http\Controller\ControllerInterface;
+use Flarum\Http\Session;
 use Illuminate\Contracts\Bus\Dispatcher as BusDispatcher;
 use Illuminate\Contracts\Events\Dispatcher as EventDispatcher;
 use Psr\Http\Message\ServerRequestInterface;
@@ -65,19 +64,13 @@ class TokenController implements ControllerInterface
            throw new PermissionDeniedException;
        }

-        if (! $user->is_activated) {
-            $this->events->fire(new UserEmailChangeWasRequested($user, $user->email));
+        $session = $request->getAttribute('session') ?: Session::generate($user);
+        $session->assign($user)->regenerateId()->renew()->save();

-            return new JsonResponse(['emailConfirmationRequired' => $user->email], 401);
-        }
-
-        $token = $this->bus->dispatch(
-            new GenerateAccessToken($user->id)
-        );
-
-        return new JsonResponse([
-            'token' => $token->id,
+        return (new JsonResponse([
+            'token' => $session->id,
            'userId' => $user->id
-        ]);
+        ]))
+            ->withHeader('X-CSRF-Token', $session->csrf_token);
    }
 }
--- a/src/Api/Controller/UninstallExtensionController.php
+++ b/src/Api/Controller/UninstallExtensionController.php
@@ -33,7 +33,7 @@ class UninstallExtensionController extends AbstractDeleteController

    protected function delete(ServerRequestInterface $request)
    {
-        $this->assertAdmin($request->getAttribute('actor'));
+        $this->assertAdminAndSudo($request);

        $name = array_get($request->getQueryParams(), 'name');

--- a/src/Api/Controller/UpdateExtensionController.php
+++ b/src/Api/Controller/UpdateExtensionController.php
@@ -38,7 +38,7 @@ class UpdateExtensionController implements ControllerInterface
     */
    public function handle(ServerRequestInterface $request)
    {
-        $this->assertAdmin($request->getAttribute('actor'));
+        $this->assertAdminAndSudo($request);

        $enabled = array_get($request->getParsedBody(), 'enabled');
        $name = array_get($request->getQueryParams(), 'name');
--- a/src/Api/Controller/UpdateUserController.php
+++ b/src/Api/Controller/UpdateUserController.php
@@ -10,6 +10,7 @@

 namespace Flarum\Api\Controller;

+use Flarum\Core\Access\AssertPermissionTrait;
 use Flarum\Core\Command\EditUser;
 use Illuminate\Contracts\Bus\Dispatcher;
 use Psr\Http\Message\ServerRequestInterface;
@@ -17,6 +18,8 @@ use Tobscure\JsonApi\Document;

 class UpdateUserController extends AbstractResourceController
 {
+    use AssertPermissionTrait;
+
    /**
     * {@inheritdoc}
     */
@@ -49,6 +52,8 @@ class UpdateUserController extends AbstractResourceController
        $actor = $request->getAttribute('actor');
        $data = array_get($request->getParsedBody(), 'data', []);

+        $this->assertSudo($request);
+
        return $this->bus->dispatch(
            new EditUser($id, $actor, $data)
        );