Avoid early exit caused by AbstractController::ensurePermission()

This commit is contained in:
Giuseppe Criscione 2024-10-24 00:01:39 +02:00
parent 4066211cd7
commit 79a070564a
10 changed files with 115 additions and 55 deletions


@ -209,17 +209,11 @@ abstract class AbstractController extends BaseAbstractController
}
/**
* Ensure current user has a permission
* Get if current user has a permission
*/
protected function ensurePermission(string $permission): void
protected function hasPermission(string $permission): bool
{
if (!$this->user()->permissions()->has($permission)) {
$this->container->build(ErrorsController::class)
->forbidden()
->prepare($this->request)
->send();
exit;
}
return $this->user()->permissions()->has($permission);
}
protected function modals(): ModalCollection
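Review bot: `hasPermission()` is no longer fail-closed on its own: where `ensurePermission()` sent the forbidden response and stopped, the new method only reports a boolean, so any action that forgets the `if (!$this->hasPermission(...)) { return $this->forward(...); }` guard runs unprotected and nothing in this class catches that. The docblock should state that contract instead of "Get if current user has a permission", e.g. `Check whether the current user has the given permission. Nothing is enforced here: callers must return the forbidden response themselves when this returns false.` The `forward()` helper every caller now relies on is not visible in this hunk, so I assume it already exists on the base controller. Removing `ensurePermission()` outright is at least loud — a caller outside the ten files in this commit would fail with an undefined-method error rather than silently skip the check. The same concern applies to each controller section below.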


@ -19,9 +19,12 @@ class BackupController extends AbstractController
/**
* Backup@make action
*/
public function make(Config $config): JsonResponse
public function make(Config $config): JsonResponse|Response
{
$this->ensurePermission('backup.make');
if (!$this->hasPermission('backup.make')) {
return $this->forward(ErrorsController::class, 'forbidden');
}
$backupper = new Backupper($this->config);
try {
$file = $backupper->backup();
@ -45,7 +48,10 @@ class BackupController extends AbstractController
*/
public function download(RouteParams $routeParams): Response
{
$this->ensurePermission('backup.download');
if (!$this->hasPermission('backup.download')) {
return $this->forward(ErrorsController::class, 'forbidden');
}
$file = FileSystem::joinPaths($this->config->get('system.backup.path'), basename(base64_decode((string) $routeParams->get('backup'))));
try {
if (FileSystem::isFile($file, assertExists: false)) {
@ -63,7 +69,10 @@ class BackupController extends AbstractController
*/
public function delete(RouteParams $routeParams): Response
{
$this->ensurePermission('backup.download');
if (!$this->hasPermission('backup.download')) {
return $this->forward(ErrorsController::class, 'forbidden');
}
$file = FileSystem::joinPaths($this->config->get('system.backup.path'), basename(base64_decode((string) $routeParams->get('backup'))));
try {
if (FileSystem::isFile($file, assertExists: false)) {
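Review bot: `delete()` still gates on `backup.download` (the new guard carries the old key over unchanged), so anyone allowed to fetch a backup can also remove it; deletion is the more destructive operation and deserves its own key, named to match the existing `backup.make`/`backup.download` pattern, if the permission scheme defines one — the scheme is not on this page, so confirm before changing the string. With a dedicated key the guard becomes `if (!$this->hasPermission('<backup deletion permission>')) {` with the rest of the method unchanged. The `basename(base64_decode(...))` path handling below the guard is pre-existing and not part of this change; `delete()` continues outside the hunk.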


@ -4,6 +4,7 @@ namespace Formwork\Panel\Controllers;
use Formwork\Cache\AbstractCache;
use Formwork\Http\JsonResponse;
use Formwork\Http\Response;
use Formwork\Router\RouteParams;
use Formwork\Utils\FileSystem;
@ -12,9 +13,11 @@ class CacheController extends AbstractController
/**
* Cache@clear action
*/
public function clear(RouteParams $routeParams, AbstractCache $cache): JsonResponse
public function clear(RouteParams $routeParams, AbstractCache $cache): JsonResponse|Response
{
$this->ensurePermission('cache.clear');
if (!$this->hasPermission('cache.clear')) {
return $this->forward(ErrorsController::class, 'forbidden');
}
switch ($type = $routeParams->get('type', 'default')) {
case 'default':
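Review bot: The return type `JsonResponse|Response` on `clear()` is redundant if `JsonResponse` extends `Response`, which the other sections suggest (they narrow `RedirectResponse` return types to plain `Response` and drop the `RedirectResponse` import without introducing a union); in that case `): Response` suffices, with the success shape documented as `@return JsonResponse|Response`, or left as is for readability. The same union appears on `BackupController::make()`, `PagesController::reorder()` and both `UpdatesController` actions. If `JsonResponse` does not extend `Response`, then `forward()` is returning something assignable to both, which would be worth a sentence in the docblock. I cannot verify the class hierarchy from this page; `clear()` continues outside the hunk.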


@ -14,7 +14,9 @@ class DashboardController extends AbstractController
*/
public function index(Schemes $schemes, Statistics $statistics): Response
{
$this->ensurePermission('dashboard');
if (!$this->hasPermission('dashboard')) {
return $this->forward(ErrorsController::class, 'forbidden');
}
$this->modal('newPage');


@ -3,7 +3,6 @@
namespace Formwork\Panel\Controllers;
use Formwork\Fields\FieldCollection;
use Formwork\Http\RedirectResponse;
use Formwork\Http\RequestMethod;
use Formwork\Http\Response;
use Formwork\Parsers\Yaml;
@ -24,9 +23,12 @@ class OptionsController extends AbstractController
/**
* Options@index action
*/
public function index(): RedirectResponse
public function index(): Response
{
$this->ensurePermission('options.site');
if (!$this->hasPermission('options.site')) {
return $this->forward(ErrorsController::class, 'forbidden');
}
return $this->redirect($this->generateRoute('panel.options.site'));
}
@ -35,7 +37,9 @@ class OptionsController extends AbstractController
*/
public function systemOptions(Schemes $schemes): Response
{
$this->ensurePermission('options.system');
if (!$this->hasPermission('options.system')) {
return $this->forward(ErrorsController::class, 'forbidden');
}
$scheme = $schemes->get('config.system');
$fields = $scheme->fields();
@ -79,7 +83,9 @@ class OptionsController extends AbstractController
*/
public function siteOptions(Schemes $schemes): Response
{
$this->ensurePermission('options.site');
if (!$this->hasPermission('options.site')) {
return $this->forward(ErrorsController::class, 'forbidden');
}
$scheme = $schemes->get('config.site');
$fields = $scheme->fields();


@ -10,7 +10,6 @@ use Formwork\Files\FileCollection;
use Formwork\Files\Services\FileUploader;
use Formwork\Http\Files\UploadedFile;
use Formwork\Http\JsonResponse;
use Formwork\Http\RedirectResponse;
use Formwork\Http\Request;
use Formwork\Http\RequestData;
use Formwork\Http\RequestMethod;
@ -49,7 +48,9 @@ class PagesController extends AbstractController
*/
public function index(): Response
{
$this->ensurePermission('pages.index');
if (!$this->hasPermission('pages.index')) {
return $this->forward(ErrorsController::class, 'forbidden');
}
$this->modal('newPage');
@ -79,9 +80,11 @@ class PagesController extends AbstractController
/**
* Pages@create action
*/
public function create(): RedirectResponse
public function create(): Response
{
$this->ensurePermission('pages.create');
if (!$this->hasPermission('pages.create')) {
return $this->forward(ErrorsController::class, 'forbidden');
}
$requestData = $this->request->input();
@ -115,7 +118,9 @@ class PagesController extends AbstractController
*/
public function edit(RouteParams $routeParams): Response
{
$this->ensurePermission('pages.edit');
if (!$this->hasPermission('pages.edit')) {
return $this->forward(ErrorsController::class, 'forbidden');
}
$page = $this->site()->findPage($routeParams->get('page'));
@ -263,9 +268,11 @@ class PagesController extends AbstractController
/**
* Pages@reorder action
*/
public function reorder(): JsonResponse
public function reorder(): JsonResponse|Response
{
$this->ensurePermission('pages.reorder');
if (!$this->hasPermission('pages.reorder')) {
return $this->forward(ErrorsController::class, 'forbidden');
}
$requestData = $this->request->input();
@ -306,9 +313,11 @@ class PagesController extends AbstractController
/**
* Pages@delete action
*/
public function delete(RouteParams $routeParams): RedirectResponse
public function delete(RouteParams $routeParams): Response
{
$this->ensurePermission('pages.delete');
if (!$this->hasPermission('pages.delete')) {
return $this->forward(ErrorsController::class, 'forbidden');
}
$page = $this->site()->findPage($routeParams->get('page'));
@ -353,9 +362,11 @@ class PagesController extends AbstractController
/**
* Pages@uploadFile action
*/
public function uploadFile(RouteParams $routeParams): RedirectResponse
public function uploadFile(RouteParams $routeParams): Response
{
$this->ensurePermission('pages.uploadFiles');
if (!$this->hasPermission('pages.uploadFiles')) {
return $this->forward(ErrorsController::class, 'forbidden');
}
$page = $this->site()->findPage($routeParams->get('page'));
@ -380,9 +391,11 @@ class PagesController extends AbstractController
/**
* Pages@deleteFile action
*/
public function deleteFile(RouteParams $routeParams): RedirectResponse
public function deleteFile(RouteParams $routeParams): Response
{
$this->ensurePermission('pages.deleteFiles');
if (!$this->hasPermission('pages.deleteFiles')) {
return $this->forward(ErrorsController::class, 'forbidden');
}
$page = $this->site()->findPage($routeParams->get('page'));
@ -405,9 +418,11 @@ class PagesController extends AbstractController
/**
* Pages@renameFile action
*/
public function renameFile(RouteParams $routeParams, Request $request): RedirectResponse
public function renameFile(RouteParams $routeParams, Request $request): Response
{
$this->ensurePermission('pages.renameFiles');
if (!$this->hasPermission('pages.renameFiles')) {
return $this->forward(ErrorsController::class, 'forbidden');
}
$page = $this->site()->findPage($routeParams->get('page'));
@ -449,9 +464,11 @@ class PagesController extends AbstractController
/**
* Pages@replaceFile action
*/
public function replaceFile(RouteParams $routeParams): RedirectResponse
public function replaceFile(RouteParams $routeParams): Response
{
$this->ensurePermission('pages.replaceFiles');
if (!$this->hasPermission('pages.replaceFiles')) {
return $this->forward(ErrorsController::class, 'forbidden');
}
$page = $this->site()->findPage($routeParams->get('page'));
@ -492,7 +509,9 @@ class PagesController extends AbstractController
*/
public function file(RouteParams $routeParams): Response
{
$this->ensurePermission('pages.file');
if (!$this->hasPermission('pages.file')) {
return $this->forward(ErrorsController::class, 'forbidden');
}
$page = $this->site()->findPage($routeParams->get('page'));
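Review bot: With the permission check now a plain `if` repeated across eleven actions in this file, an action that omits the guard is syntactically fine and would serve its page to any authenticated panel user; nothing on this page guards against that omission. A regression test that drives each public action of this controller with a user whose permission set is empty and asserts a forbidden response would catch it, as would a dispatcher-level check that every routed action declares a permission. For the JSON action `reorder()`, the forwarded forbidden response is presumably an HTML page rather than JSON — the client should cope with that, as it presumably did with the old `ErrorsController` exit path. Every action here continues outside its hunk.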


@ -13,7 +13,9 @@ class StatisticsController extends AbstractController
*/
public function index(Statistics $statistics): Response
{
$this->ensurePermission('statistics');
if (!$this->hasPermission('statistics')) {
return $this->forward(ErrorsController::class, 'forbidden');
}
$pageViews = $statistics->getPageViews();


@ -25,7 +25,10 @@ class ToolsController extends AbstractController
*/
public function index(): Response
{
$this->ensurePermission('tools.backups');
if (!$this->hasPermission('tools.backups')) {
return $this->forward(ErrorsController::class, 'forbidden');
}
return $this->redirect($this->generateRoute('panel.tools.backups'));
}
@ -34,7 +37,9 @@ class ToolsController extends AbstractController
*/
public function backups(RouteParams $routeParams): Response
{
$this->ensurePermission('tools.backups');
if (!$this->hasPermission('tools.backups')) {
return $this->forward(ErrorsController::class, 'forbidden');
}
$backupper = new Backupper($this->config);
@ -62,7 +67,9 @@ class ToolsController extends AbstractController
*/
public function updates(): Response
{
$this->ensurePermission('tools.updates');
if (!$this->hasPermission('tools.updates')) {
return $this->forward(ErrorsController::class, 'forbidden');
}
return new Response($this->view('tools.updates', [
'title' => $this->translate('panel.tools.updates'),
@ -79,7 +86,9 @@ class ToolsController extends AbstractController
*/
public function info(): Response
{
$this->ensurePermission('tools.info');
if (!$this->hasPermission('tools.info')) {
return $this->forward(ErrorsController::class, 'forbidden');
}
$opcacheStatus = extension_loaded('zend opcache') ? (opcache_get_status(false) ?: []) : [];


@ -6,6 +6,7 @@ use Formwork\Backupper;
use Formwork\Cache\AbstractCache;
use Formwork\Exceptions\TranslatedException;
use Formwork\Http\JsonResponse;
use Formwork\Http\Response;
use Formwork\Http\ResponseStatus;
use Formwork\Updater\Updater;
use RuntimeException;
@ -15,9 +16,12 @@ class UpdatesController extends AbstractController
/**
* Updates@check action
*/
public function check(Updater $updater): JsonResponse
public function check(Updater $updater): JsonResponse|Response
{
$this->ensurePermission('updates.check');
if (!$this->hasPermission('updates.check')) {
return $this->forward(ErrorsController::class, 'forbidden');
}
try {
$upToDate = $updater->checkUpdates();
} catch (RuntimeException) {
@ -39,9 +43,12 @@ class UpdatesController extends AbstractController
/**
* Updates@update action
*/
public function update(Updater $updater, AbstractCache $cache): JsonResponse
public function update(Updater $updater, AbstractCache $cache): JsonResponse|Response
{
$this->ensurePermission('updates.update');
if (!$this->hasPermission('updates.update')) {
return $this->forward(ErrorsController::class, 'forbidden');
}
if ($this->config->get('system.updates.backupBefore')) {
$backupper = new Backupper($this->config);
try {


@ -8,7 +8,6 @@ use Formwork\Fields\FieldCollection;
use Formwork\Files\Services\FileUploader;
use Formwork\Http\FileResponse;
use Formwork\Http\Files\UploadedFile;
use Formwork\Http\RedirectResponse;
use Formwork\Http\RequestMethod;
use Formwork\Http\Response;
use Formwork\Images\Image;
@ -29,7 +28,9 @@ class UsersController extends AbstractController
*/
public function index(Schemes $schemes): Response
{
$this->ensurePermission('users.index');
if (!$this->hasPermission('users.index')) {
return $this->forward(ErrorsController::class, 'forbidden');
}
$this->modal('newUser');
@ -44,9 +45,11 @@ class UsersController extends AbstractController
/**
* Users@create action
*/
public function create(Schemes $schemes): RedirectResponse
public function create(Schemes $schemes): Response
{
$this->ensurePermission('users.create');
if (!$this->hasPermission('users.create')) {
return $this->forward(ErrorsController::class, 'forbidden');
}
$requestData = $this->request->input();
@ -83,9 +86,11 @@ class UsersController extends AbstractController
/**
* Users@delete action
*/
public function delete(RouteParams $routeParams): RedirectResponse
public function delete(RouteParams $routeParams): Response
{
$this->ensurePermission('users.delete');
if (!$this->hasPermission('users.delete')) {
return $this->forward(ErrorsController::class, 'forbidden');
}
$user = $this->site->users()->get($routeParams->get('user'));
@ -121,8 +126,12 @@ class UsersController extends AbstractController
/**
* Users@deleteImage action
*/
public function deleteImage(RouteParams $routeParams): RedirectResponse
public function deleteImage(RouteParams $routeParams): Response
{
if (!$this->hasPermission('users.deleteImage')) {
return $this->forward(ErrorsController::class, 'forbidden');
}
$user = $this->site->users()->get($routeParams->get('user'));
if ($user === null) {
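Review bot: `deleteImage()` is the one action on this page where the guard is new rather than a translation of `ensurePermission()` — the old side of the last hunk has no check at all — so `users.deleteImage` must be a key the panel's permission definitions actually know; it appears nowhere else on this page. If `permissions()->has()` simply returns false for an undefined key, every user including administrators is locked out of image deletion, which is fail-closed but silent; confirm how `has()` treats undefined keys so the guard is known to protect something. A pair of tests — a user holding only `users.deleteImage` reaches the body, a user without it gets the forbidden response — would pin this. The action's body continues outside the hunk.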