From c8ef8b4c36fbbcc6be6b804df83ff1d84f209cfd Mon Sep 17 00:00:00 2001
From: fipwmaqzufheoxq92ebc <29818044+fipwmaqzufheoxq92ebc@users.noreply.github.com>
Date: Tue, 25 Aug 2020 16:38:45 +0200
Subject: [PATCH] Add some permissions.
---
 controllers/BatteriesApiController.php | 10 +++-
 controllers/ChoresApiController.php | 16 +++++--
 controllers/FilesApiController.php | 9 +++-
 controllers/GenericEntityApiController.php | 32 +++++++++----
 controllers/RecipesApiController.php | 10 +++-
 controllers/StockApiController.php | 53 ++++++++++++++++------
 controllers/TasksApiController.php | 10 +++-
 controllers/Users/User.php | 20 ++++++++
 migrations/0111.sql | 32 ++++++++++++-
 9 files changed, 159 insertions(+), 33 deletions(-)
diff --git a/controllers/BatteriesApiController.php b/controllers/BatteriesApiController.php
index b0cc0700..271e6ed2 100644
--- a/controllers/BatteriesApiController.php
+++ b/controllers/BatteriesApiController.php
@@ -2,6 +2,8 @@
 namespace Grocy\Controllers;
+use Grocy\Controllers\Users\User;
+
 class BatteriesApiController extends BaseApiController
 {
 public function __construct(\DI\Container $container)
@@ -11,7 +13,9 @@ class BatteriesApiController extends BaseApiController
 public function TrackChargeCycle(\Psr\Http\Message\ServerRequestInterface $request, \Psr\Http\Message\ResponseInterface $response, array $args)
 {
- $requestBody = $request->getParsedBody();
+ User::checkPermission($request, User::PERMISSION_BATTERY_TRACK_CHARGE_CYCLE);
+
+ $requestBody = $request->getParsedBody();
 try
 {
@@ -49,7 +53,9 @@ class BatteriesApiController extends BaseApiController
 public function UndoChargeCycle(\Psr\Http\Message\ServerRequestInterface $request, \Psr\Http\Message\ResponseInterface $response, array $args)
 {
- try
+ User::checkPermission($request, User::PERMISSION_BATTERY_UNDO_TRACK_CHARGE_CYCLE);
+
+ try
 {
 $this->ApiResponse($response, $this->getBatteriesService()->UndoChargeCycle($args['chargeCycleId']));
 return $this->EmptyApiResponse($response);
diff --git a/controllers/ChoresApiController.php b/controllers/ChoresApiController.php
index e05495fa..b118e31d 100644
--- a/controllers/ChoresApiController.php
+++ b/controllers/ChoresApiController.php
@@ -2,6 +2,8 @@
 namespace Grocy\Controllers;
+use Grocy\Controllers\Users\User;
+
 class ChoresApiController extends BaseApiController
 {
 public function __construct(\DI\Container $container)
@@ -15,7 +17,9 @@ class ChoresApiController extends BaseApiController
 try
 {
- $trackedTime = date('Y-m-d H:i:s');
+ User::checkPermission($request, User::PERMISSION_CHORE_TRACK);
+
+ $trackedTime = date('Y-m-d H:i:s');
 if (array_key_exists('tracked_time', $requestBody) && (IsIsoDateTime($requestBody['tracked_time']) || IsIsoDate($requestBody['tracked_time'])))
 {
 $trackedTime = $requestBody['tracked_time'];
@@ -26,6 +30,8 @@ class ChoresApiController extends BaseApiController
 {
 $doneBy = $requestBody['done_by'];
 }
+ if($doneBy != GROCY_USER_ID)
+ User::checkPermission($request, User::PERMISSION_CHORE_TRACK_OTHERS);
 $choreExecutionId = $this->getChoresService()->TrackChore($args['choreId'], $trackedTime, $doneBy);
 return $this->ApiResponse($response, $this->getDatabase()->chores_log($choreExecutionId));
@@ -57,7 +63,9 @@ class ChoresApiController extends BaseApiController
 {
 try
 {
- $this->ApiResponse($response, $this->getChoresService()->UndoChoreExecution($args['executionId']));
+ User::checkPermission($request, User::PERMISSION_CHORE_UNDO);
+
+ $this->ApiResponse($response, $this->getChoresService()->UndoChoreExecution($args['executionId']));
 return $this->EmptyApiResponse($response);
 }
 catch (\Exception $ex)
@@ -70,7 +78,9 @@ class ChoresApiController extends BaseApiController
 {
 try
 {
- $requestBody = $request->getParsedBody();
+ User::checkPermission($request, User::PERMISSION_CHORE_EDIT);
+
+ $requestBody = $request->getParsedBody();
 $choreId = null;
 if (array_key_exists('chore_id', $requestBody) && !empty($requestBody['chore_id']) && is_numeric($requestBody['chore_id']))
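Review bot: In the TrackChore hunk (`@@ -15,7 +17,9 @@`) the new `User::checkPermission` call sits inside the `try` whose `catch (\Exception $ex)` is visible in the UndoChoreExecution hunk below, so whatever checkPermission throws on denial is presumably caught there and turned into the controller's generic error response rather than reaching a dedicated handler; the other three hunks in this file and both FilesApiController hunks use the same placement, while BatteriesApiController, GenericEntityApiController, RecipesApiController, StockApiController and TasksApiController put the call before `try`. Which placement is right depends on what checkPermission throws and on the catch body, neither of which is in the diff, but it should be the same everywhere; here I would hoist it above `try`, i.e. make `User::checkPermission($request, User::PERMISSION_CHORE_TRACK);` the first statement of TrackChore. The method signature and the `$requestBody` assignment are outside the hunk.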
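Review bot: `if($doneBy != GROCY_USER_ID)` in the `@@ -26,6 +30,8 @@` hunk decides whether CHORE_TRACK_OTHERS is required by loosely comparing a request-supplied `done_by` value with the constant, so the outcome follows PHP's int/string coercion rules instead of an explicit numeric identity, and the conditional is the only unbraced one in the file. Normalising and comparing strictly reads more clearly: `if ((int)$doneBy !== (int)GROCY_USER_ID) { User::checkPermission($request, User::PERMISSION_CHORE_TRACK_OTHERS); }` — this assumes `done_by` has already been validated as numeric by the condition above the hunk, which is only partly visible. The enclosing `try` and TrackChore's signature are outside the hunk.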
diff --git a/controllers/FilesApiController.php b/controllers/FilesApiController.php
index b12bce38..56847204 100644
--- a/controllers/FilesApiController.php
+++ b/controllers/FilesApiController.php
@@ -2,6 +2,7 @@
 namespace Grocy\Controllers;
+use Grocy\Controllers\Users\User;
 use \Grocy\Services\FilesService;
 class FilesApiController extends BaseApiController
@@ -15,7 +16,9 @@ class FilesApiController extends BaseApiController
 {
 try
 {
- if (IsValidFileName(base64_decode($args['fileName'])))
+ User::checkPermission($request, User::PERMISSION_UPLOAD_FILE);
+
+ if (IsValidFileName(base64_decode($args['fileName'])))
 {
 $fileName = base64_decode($args['fileName']);
 }
@@ -97,7 +100,9 @@ class FilesApiController extends BaseApiController
 {
 try
 {
- if (IsValidFileName(base64_decode($args['fileName'])))
+ User::checkPermission($request, User::PERMISSION_DELETE_FILE);
+
+ if (IsValidFileName(base64_decode($args['fileName'])))
 {
 $fileName = base64_decode($args['fileName']);
 }
diff --git a/controllers/GenericEntityApiController.php b/controllers/GenericEntityApiController.php
index de0775ac..72e8f3ac 100644
--- a/controllers/GenericEntityApiController.php
+++ b/controllers/GenericEntityApiController.php
@@ -2,6 +2,8 @@
 namespace Grocy\Controllers;
+use Grocy\Controllers\Users\User;
+
 class GenericEntityApiController extends BaseApiController
 {
 public function __construct(\DI\Container $container)
@@ -11,7 +13,9 @@ class GenericEntityApiController extends BaseApiController
 public function GetObjects(\Psr\Http\Message\ServerRequestInterface $request, \Psr\Http\Message\ResponseInterface $response, array $args)
 {
- $objects = $this->getDatabase()->{$args['entity']}();
+ User::checkPermission($request, User::PERMISSION_MASTER_DATA_READ);
+
+ $objects = $this->getDatabase()->{$args['entity']}();
 $allUserfields = $this->getUserfieldsService()->GetAllValues($args['entity']);
 foreach ($objects as $object)
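Review bot: Only the handler at line 16 (UPLOAD_FILE) and the one at line 100 (DELETE_FILE) of FilesApiController gain a check; the roughly eighty lines between them are untouched, so if this controller also serves stored files back to the client — the diff does not show it — that read path keeps whatever access rule it had before. If unrestricted reads are intentional, a one-line comment on the class saying so, or a dedicated read permission alongside the two new ones, would make the decision visible rather than implicit. In both hunks the check runs before `$args['fileName']` is decoded, which is the right order; the enclosing method signatures are outside the hunks.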
@@ -41,7 +45,8 @@ class GenericEntityApiController extends BaseApiController
 public function GetObject(\Psr\Http\Message\ServerRequestInterface $request, \Psr\Http\Message\ResponseInterface $response, array $args)
 {
- if ($this->IsValidEntity($args['entity']) && !$this->IsEntityWithPreventedListing($args['entity']))
+ User::checkPermission($request, User::PERMISSION_MASTER_DATA_READ);
+ if ($this->IsValidEntity($args['entity']) && !$this->IsEntityWithPreventedListing($args['entity']))
 {
 $userfields = $this->getUserfieldsService()->GetValues($args['entity'], $args['objectId']);
 if (count($userfields) === 0)
@@ -66,7 +71,9 @@ class GenericEntityApiController extends BaseApiController
 public function AddObject(\Psr\Http\Message\ServerRequestInterface $request, \Psr\Http\Message\ResponseInterface $response, array $args)
 {
- if ($this->IsValidEntity($args['entity']))
+ User::checkPermission($request, User::PERMISSION_MASTER_DATA_EDIT);
+
+ if ($this->IsValidEntity($args['entity']))
 {
 $requestBody = $request->getParsedBody();
@@ -97,7 +104,9 @@ class GenericEntityApiController extends BaseApiController
 public function EditObject(\Psr\Http\Message\ServerRequestInterface $request, \Psr\Http\Message\ResponseInterface $response, array $args)
 {
- if ($this->IsValidEntity($args['entity']))
+ User::checkPermission($request, User::PERMISSION_MASTER_DATA_EDIT);
+
+ if ($this->IsValidEntity($args['entity']))
 {
 $requestBody = $request->getParsedBody();
@@ -126,7 +135,9 @@ class GenericEntityApiController extends BaseApiController
 public function DeleteObject(\Psr\Http\Message\ServerRequestInterface $request, \Psr\Http\Message\ResponseInterface $response, array $args)
 {
- if ($this->IsValidEntity($args['entity']))
+ User::checkPermission($request, User::PERMISSION_MASTER_DATA_EDIT);
+
+ if ($this->IsValidEntity($args['entity']))
 {
 $row = $this->getDatabase()->{$args['entity']}($args['objectId']);
 $row->delete();
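Review bot: In the GetObject hunk the added `User::checkPermission($request, User::PERMISSION_MASTER_DATA_READ);` is glued directly to the `if` that follows it, while AddObject, EditObject and DeleteObject in this same file separate the check from the rest of the body with a blank line; the GetUserfields hunk further down has the same omission. Since every other hunk of the commit establishes "permission check, blank line, original body" as the pattern, these two should follow it so that the check reads as a distinct guard. The rest of GetObject's body is outside the hunk.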
@@ -141,7 +152,9 @@ class GenericEntityApiController extends BaseApiController
 public function SearchObjects(\Psr\Http\Message\ServerRequestInterface $request, \Psr\Http\Message\ResponseInterface $response, array $args)
 {
- if ($this->IsValidEntity($args['entity']) && !$this->IsEntityWithPreventedListing($args['entity']))
+ User::checkPermission($request, User::PERMISSION_MASTER_DATA_READ);
+
+ if ($this->IsValidEntity($args['entity']) && !$this->IsEntityWithPreventedListing($args['entity']))
 {
 try
 {
@@ -160,7 +173,8 @@ class GenericEntityApiController extends BaseApiController
 public function GetUserfields(\Psr\Http\Message\ServerRequestInterface $request, \Psr\Http\Message\ResponseInterface $response, array $args)
 {
- try
+ User::checkPermission($request, User::PERMISSION_MASTER_DATA_READ);
+ try
 {
 return $this->ApiResponse($response, $this->getUserfieldsService()->GetValues($args['entity'], $args['objectId']));
 }
@@ -172,7 +186,9 @@ class GenericEntityApiController extends BaseApiController
 public function SetUserfields(\Psr\Http\Message\ServerRequestInterface $request, \Psr\Http\Message\ResponseInterface $response, array $args)
 {
- $requestBody = $request->getParsedBody();
+ User::checkPermission($request, User::PERMISSION_MASTER_DATA_EDIT);
+
+ $requestBody = $request->getParsedBody();
 try
 {
diff --git a/controllers/RecipesApiController.php b/controllers/RecipesApiController.php
index cb6f6c0f..02903efa 100644
--- a/controllers/RecipesApiController.php
+++ b/controllers/RecipesApiController.php
@@ -2,6 +2,8 @@
 namespace Grocy\Controllers;
+use Grocy\Controllers\Users\User;
+
 class RecipesApiController extends BaseApiController
 {
 public function __construct(\DI\Container $container)
@@ -11,7 +13,9 @@ class RecipesApiController extends BaseApiController
 public function AddNotFulfilledProductsToShoppingList(\Psr\Http\Message\ServerRequestInterface $request, \Psr\Http\Message\ResponseInterface $response, array $args)
 {
- $requestBody = $request->getParsedBody();
+ User::checkPermission($request, User::PERMISSION_SHOPPINGLIST_ITEMS_ADD);
+
+ $requestBody = $request->getParsedBody();
 $excludedProductIds = null;
 if ($requestBody !== null && array_key_exists('excludedProductIds', $requestBody))
@@ -25,7 +29,9 @@ class RecipesApiController extends BaseApiController
 public function ConsumeRecipe(\Psr\Http\Message\ServerRequestInterface $request, \Psr\Http\Message\ResponseInterface $response, array $args)
 {
- try
+ User::checkPermission($request, User::PERMISSION_PRODUCT_CONSUME);
+
+ try
 {
 $this->getRecipesService()->ConsumeRecipe($args['recipeId']);
 return $this->EmptyApiResponse($response);
diff --git a/controllers/StockApiController.php b/controllers/StockApiController.php
index 3eb360a5..eab324ad 100644
--- a/controllers/StockApiController.php
+++ b/controllers/StockApiController.php
@@ -2,6 +2,7 @@
 namespace Grocy\Controllers;
+use Grocy\Controllers\Users\User;
 use \Grocy\Services\StockService;
 class StockApiController extends BaseApiController
@@ -62,7 +63,9 @@ class StockApiController extends BaseApiController
 public function AddProduct(\Psr\Http\Message\ServerRequestInterface $request, \Psr\Http\Message\ResponseInterface $response, array $args)
 {
- $requestBody = $request->getParsedBody();
+ User::checkPermission($request, User::PERMISSION_PRODUCT_ADD);
+
+ $requestBody = $request->getParsedBody();
 try
 {
@@ -136,7 +139,9 @@ class StockApiController extends BaseApiController
 public function EditStockEntry(\Psr\Http\Message\ServerRequestInterface $request, \Psr\Http\Message\ResponseInterface $response, array $args)
 {
- $requestBody = $request->getParsedBody();
+ User::checkPermission($request, User::PERMISSION_STOCK_EDIT);
+
+ $requestBody = $request->getParsedBody();
 try
 {
@@ -185,7 +190,9 @@ class StockApiController extends BaseApiController
 public function TransferProduct(\Psr\Http\Message\ServerRequestInterface $request, \Psr\Http\Message\ResponseInterface $response, array $args)
 {
- $requestBody = $request->getParsedBody();
+ User::checkPermission($request, User::PERMISSION_STOCK_TRANSFER);
+
+ $requestBody = $request->getParsedBody();
 try
 {
@@ -239,7 +246,9 @@ class StockApiController extends BaseApiController
 public function ConsumeProduct(\Psr\Http\Message\ServerRequestInterface $request, \Psr\Http\Message\ResponseInterface $response, array $args)
 {
- $requestBody = $request->getParsedBody();
+ User::checkPermission($request, User::PERMISSION_PRODUCT_CONSUME);
+
+ $requestBody = $request->getParsedBody();
 $result = null;
@@ -310,7 +319,9 @@ class StockApiController extends BaseApiController
 public function InventoryProduct(\Psr\Http\Message\ServerRequestInterface $request, \Psr\Http\Message\ResponseInterface $response, array $args)
 {
- $requestBody = $request->getParsedBody();
+ User::checkPermission($request, User::PERMISSION_STOCK_CORRECTION);
+
+ $requestBody = $request->getParsedBody();
 try
 {
@@ -372,7 +383,9 @@ class StockApiController extends BaseApiController
 public function OpenProduct(\Psr\Http\Message\ServerRequestInterface $request, \Psr\Http\Message\ResponseInterface $response, array $args)
 {
- $requestBody = $request->getParsedBody();
+ User::checkPermission($request, User::PERMISSION_PRODUCT_OPEN);
+
+ $requestBody = $request->getParsedBody();
 try
 {
@@ -439,7 +452,9 @@ class StockApiController extends BaseApiController
 public function AddMissingProductsToShoppingList(\Psr\Http\Message\ServerRequestInterface $request, \Psr\Http\Message\ResponseInterface $response, array $args)
 {
- try
+ User::checkPermission($request, User::PERMISSION_SHOPPINGLIST_ITEMS_ADD);
+
+ try
 {
 $requestBody = $request->getParsedBody();
@@ -460,7 +475,9 @@ class StockApiController extends BaseApiController
 public function ClearShoppingList(\Psr\Http\Message\ServerRequestInterface $request, \Psr\Http\Message\ResponseInterface $response, array $args)
 {
- try
+ User::checkPermission($request, User::PERMISSION_SHOPPINGLIST_ITEMS_DELETE);
+
+ try
 {
 $requestBody = $request->getParsedBody();
@@ -482,7 +499,9 @@ class StockApiController extends BaseApiController
 public function AddProductToShoppingList(\Psr\Http\Message\ServerRequestInterface $request, \Psr\Http\Message\ResponseInterface $response, array $args)
 {
- try
+ User::checkPermission($request, User::PERMISSION_SHOPPINGLIST_ITEMS_ADD);
+
+ try
 {
 $requestBody = $request->getParsedBody();
@@ -523,7 +542,9 @@ class StockApiController extends BaseApiController
 public function RemoveProductFromShoppingList(\Psr\Http\Message\ServerRequestInterface $request, \Psr\Http\Message\ResponseInterface $response, array $args)
 {
- try
+ User::checkPermission($request, User::PERMISSION_SHOPPINGLIST_ITEMS_DELETE);
+
+ try
 {
 $requestBody = $request->getParsedBody();
@@ -559,7 +580,9 @@ class StockApiController extends BaseApiController
 public function ExternalBarcodeLookup(\Psr\Http\Message\ServerRequestInterface $request, \Psr\Http\Message\ResponseInterface $response, array $args)
 {
- try
+ User::checkPermission($request, User::PERMISSION_PRODUCT_ADD);
+
+ try
 {
 $addFoundProduct = false;
 if (isset($request->getQueryParams()['add']) && ($request->getQueryParams()['add'] === 'true' || $request->getQueryParams()['add'] === 1))
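Review bot: In the ExternalBarcodeLookup hunk PRODUCT_ADD is required unconditionally, yet the context lines right below show the handler is a lookup that only creates a product when the `add` query parameter is present and equals `'true'` (or `1`), so a plain barcode lookup now needs add rights too. If that is not the intent, make the requirement follow the flag the handler already computes — `if ($addFoundProduct) { User::checkPermission($request, User::PERMISSION_PRODUCT_ADD); }` placed after the `if` that sets `$addFoundProduct` — and otherwise record the decision in a short comment next to the call, since a reader will assume a lookup is a read. Where `$addFoundProduct` is consumed is outside the hunk, as is the method's catch block.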
@@ -577,7 +600,9 @@ class StockApiController extends BaseApiController
 public function UndoBooking(\Psr\Http\Message\ServerRequestInterface $request, \Psr\Http\Message\ResponseInterface $response, array $args)
 {
- try
+ User::checkPermission($request, User::PERMISSION_STOCK_CORRECTION);
+
+ try
 {
 $this->ApiResponse($response, $this->getStockService()->UndoBooking($args['bookingId']));
 return $this->EmptyApiResponse($response);
@@ -590,7 +615,9 @@ class StockApiController extends BaseApiController
 public function UndoTransaction(\Psr\Http\Message\ServerRequestInterface $request, \Psr\Http\Message\ResponseInterface $response, array $args)
 {
- try
+ User::checkPermission($request, User::PERMISSION_STOCK_CORRECTION);
+
+ try
 {
 $this->ApiResponse($response, $this->getStockService()->UndoTransaction($args['transactionId']));
 return $this->EmptyApiResponse($response);
diff --git a/controllers/TasksApiController.php b/controllers/TasksApiController.php
index fb8ad72a..657a5cd6 100644
--- a/controllers/TasksApiController.php
+++ b/controllers/TasksApiController.php
@@ -2,6 +2,8 @@
 namespace Grocy\Controllers;
+use Grocy\Controllers\Users\User;
+
 class TasksApiController extends BaseApiController
 {
 public function __construct(\DI\Container $container)
@@ -16,7 +18,9 @@ class TasksApiController extends BaseApiController
 public function MarkTaskAsCompleted(\Psr\Http\Message\ServerRequestInterface $request, \Psr\Http\Message\ResponseInterface $response, array $args)
 {
- $requestBody = $request->getParsedBody();
+ User::checkPermission($request, User::PERMISSION_TASKS_MARK_COMPLETED);
+
+ $requestBody = $request->getParsedBody();
 try
 {
@@ -37,7 +41,9 @@ class TasksApiController extends BaseApiController
 public function UndoTask(\Psr\Http\Message\ServerRequestInterface $request, \Psr\Http\Message\ResponseInterface $response, array $args)
 {
- try
+ User::checkPermission($request, User::PERMISSION_TASKS_UNDO);
+
+ try
 {
 $this->getTasksService()->UndoTask($args['taskId']);
 return $this->EmptyApiResponse($response);
diff --git a/controllers/Users/User.php b/controllers/Users/User.php
index 0f5ab5fa..9987c699 100644
--- a/controllers/Users/User.php
+++ b/controllers/Users/User.php
@@ -9,6 +9,26 @@ abstract class User
 const PERMISSION_EDIT_USER = 'EDIT_USER';
 const PERMISSION_READ_USER = 'READ_USER';
 const PERMISSION_EDIT_SELF = 'EDIT_SELF';
+ const PERMISSION_BATTERY_UNDO_TRACK_CHARGE_CYCLE = 'BATTERY_UNDO_TRACK_CHARGE_CYCLE';
+ const PERMISSION_BATTERY_TRACK_CHARGE_CYCLE = 'BATTERY_TRACK_CHARGE_CYCLE';
+ const PERMISSION_CHORE_TRACK = 'CHORE_TRACK';
+ const PERMISSION_CHORE_TRACK_OTHERS = 'CHORE_TRACK_OTHERS';
+ const PERMISSION_CHORE_EDIT = 'CHORE_EDIT';
+ const PERMISSION_CHORE_UNDO = 'CHORE_UNDO';
+ const PERMISSION_UPLOAD_FILE = 'UPLOAD_FILE';
+ const PERMISSION_DELETE_FILE = 'DELETE_FILE';
+ const PERMISSION_MASTER_DATA_EDIT = 'MASTER_DATA_EDIT';
+ const PERMISSION_MASTER_DATA_READ = 'MASTER_DATA_READ';
+ const PERMISSION_TASKS_UNDO = 'TASKS_UNDO';
+ const PERMISSION_TASKS_MARK_COMPLETED = 'TASKS_MARK_COMPLETED';
+ const PERMISSION_PRODUCT_ADD = 'PRODUCT_ADD';
+ const PERMISSION_STOCK_TRANSFER = 'STOCK_TRANSFER';
+ const PERMISSION_STOCK_EDIT = 'STOCK_EDIT';
+ const PERMISSION_PRODUCT_CONSUME = 'PRODUCT_CONSUME';
+ const PERMISSION_STOCK_CORRECTION = 'STOCK_CORRECTION';
+ const PERMISSION_PRODUCT_OPEN = 'PRODUCT_OPEN';
+ const PERMISSION_SHOPPINGLIST_ITEMS_ADD = 'SHOPPINGLIST_ITEMS_ADD';
+ const PERMISSION_SHOPPINGLIST_ITEMS_DELETE = 'SHOPPINGLIST_ITEMS_DELETE';
 public abstract function hasPermission(string $permission): bool;
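Review bot: The twenty new `PERMISSION_*` constants in the User.php hunk carry no documentation, yet each string value must match, character for character, a `name` row that the migrations/0111.sql hunk inserts into `permission_hierarchy`, since that table is presumably what `hasPermission` (the hunk's last context line) resolves against. A short comment above the group would make the coupling visible to whoever adds the next permission, e.g. `// Each value must equal a permission_hierarchy.name row seeded by the migrations (see migrations/0111.sql); add both sides together.` The class header and any implementation of hasPermission are outside the hunk.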
diff --git a/migrations/0111.sql b/migrations/0111.sql
index c621e6be..9db3f5cc 100644
--- a/migrations/0111.sql
+++ b/migrations/0111.sql
@@ -69,4 +69,34 @@ VALUES ('EDIT_USER', last_insert_rowid());
 INSERT INTO permission_hierarchy(name, parent)
 VALUES
 ('READ_USER', last_insert_rowid()),
- ('EDIT_SELF', (SELECT id FROM permission_hierarchy WHERE name = 'ADMIN'));
\ No newline at end of file
+ ('EDIT_SELF', (SELECT id FROM permission_hierarchy WHERE name = 'ADMIN'));
+
+INSERT INTO permission_hierarchy(name, parent)
+VALUES
+ -- Batteries
+('BATTERY_UNDO_TRACK_CHARGE_CYCLE', (SELECT id FROM permission_hierarchy WHERE name = 'ADMIN')),
+('BATTERY_TRACK_CHARGE_CYCLE', (SELECT id FROM permission_hierarchy WHERE name = 'ADMIN')),
+ -- Chores
+('CHORE_TRACK', (SELECT id FROM permission_hierarchy WHERE name = 'ADMIN')),
+('CHORE_TRACK_OTHERS', (SELECT id FROM permission_hierarchy WHERE name = 'ADMIN')),
+('CHORE_EDIT', (SELECT id FROM permission_hierarchy WHERE name = 'ADMIN')),
+('CHORE_UNDO', (SELECT id FROM permission_hierarchy WHERE name = 'ADMIN')),
+ -- Files
+('UPLOAD_FILE', (SELECT id FROM permission_hierarchy WHERE name = 'ADMIN')),
+('DELETE_FILE', (SELECT id FROM permission_hierarchy WHERE name = 'ADMIN')),
+ -- master data
+('MASTER_DATA_EDIT', (SELECT id FROM permission_hierarchy WHERE name = 'ADMIN')),
+('MASTER_DATA_READ', (SELECT id FROM permission_hierarchy WHERE name = 'ADMIN')),
+ -- Tasks
+('TASKS_UNDO', (SELECT id FROM permission_hierarchy WHERE name = 'ADMIN')),
+('TASKS_MARK_COMPLETED', (SELECT id FROM permission_hierarchy WHERE name = 'ADMIN')),
+ -- Stock / Products
+('STOCK_EDIT', (SELECT id FROM permission_hierarchy WHERE name = 'ADMIN')),
+('STOCK_TRANSFER', (SELECT id FROM permission_hierarchy WHERE name = 'ADMIN')),
+('STOCK_CORRECTION', (SELECT id FROM permission_hierarchy WHERE name = 'ADMIN')),
+('PRODUCT_ADD', (SELECT id FROM permission_hierarchy WHERE name = 'ADMIN')),
+('PRODUCT_CONSUME', (SELECT id FROM permission_hierarchy WHERE name = 'ADMIN')),
+('PRODUCT_OPEN', (SELECT id FROM permission_hierarchy WHERE name = 'ADMIN')),
+ -- shopping list
+('SHOPPINGLIST_ITEMS_ADD', (SELECT id FROM permission_hierarchy WHERE name = 'ADMIN')),
+('SHOPPINGLIST_ITEMS_DELETE', (SELECT id FROM permission_hierarchy WHERE name = 'ADMIN'));
\ No newline at end of file
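Review bot: The twenty new `permission_hierarchy` rows are appended to the already existing migrations/0111.sql instead of a new migration; if the migration runner applies each numbered file once (it is not in the diff, so this is inferred from the numbered-file convention), installations that have already run 0111 never receive these rows, and every controller touched by this commit then calls `User::checkPermission` with a name that has no row — whether that denies or allows depends on `hasPermission`, which is not shown. Moving the second `INSERT INTO permission_hierarchy(name, parent)` statement into a fresh `migrations/<next number>.sql` (placeholder) sidesteps that question for existing and new installs alike. Minor: the hunk fixes the missing trailing newline on the old last line only to leave the new last line without one again.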