Add some permissions.

2026-04-07 05:16:15 +02:00 · 2020-08-25 16:38:45 +02:00 · 2020-08-25 16:38:45 +02:00 · c8ef8b4c36
commit c8ef8b4c36
parent 359baa794a
9 changed files with 159 additions and 33 deletions
--- a/controllers/BatteriesApiController.php
+++ b/controllers/BatteriesApiController.php
@ -2,6 +2,8 @@
 namespace Grocy\Controllers;
 use Grocy\Controllers\Users\User;
 class BatteriesApiController extends BaseApiController
 {
 	public function __construct(\DI\Container $container)
@ -11,7 +13,9 @@ class BatteriesApiController extends BaseApiController
 	public function TrackChargeCycle(\Psr\Http\Message\ServerRequestInterface $request, \Psr\Http\Message\ResponseInterface $response, array $args)
 	{
-		$requestBody = $request->getParsedBody();
+        User::checkPermission($request, User::PERMISSION_BATTERY_TRACK_CHARGE_CYCLE);
        $requestBody = $request->getParsedBody();
 		try
 		{
@ -49,7 +53,9 @@ class BatteriesApiController extends BaseApiController
 	public function UndoChargeCycle(\Psr\Http\Message\ServerRequestInterface $request, \Psr\Http\Message\ResponseInterface $response, array $args)
 	{
-		try
+        User::checkPermission($request, User::PERMISSION_BATTERY_UNDO_TRACK_CHARGE_CYCLE);
        try
 		{
 			$this->ApiResponse($response, $this->getBatteriesService()->UndoChargeCycle($args['chargeCycleId']));
 			return $this->EmptyApiResponse($response);
--- a/controllers/ChoresApiController.php
+++ b/controllers/ChoresApiController.php
@ -2,6 +2,8 @@
 namespace Grocy\Controllers;
 use Grocy\Controllers\Users\User;
 class ChoresApiController extends BaseApiController
 {
 	public function __construct(\DI\Container $container)
@ -15,7 +17,9 @@ class ChoresApiController extends BaseApiController
 		try
 		{
-			$trackedTime = date('Y-m-d H:i:s');
+            User::checkPermission($request, User::PERMISSION_CHORE_TRACK);
            $trackedTime = date('Y-m-d H:i:s');
 			if (array_key_exists('tracked_time', $requestBody) && (IsIsoDateTime($requestBody['tracked_time']) || IsIsoDate($requestBody['tracked_time'])))
 			{
 				$trackedTime = $requestBody['tracked_time'];
@ -26,6 +30,8 @@ class ChoresApiController extends BaseApiController
 			{
 				$doneBy = $requestBody['done_by'];
 			}
 			if($doneBy != GROCY_USER_ID)
 			    User::checkPermission($request, User::PERMISSION_CHORE_TRACK_OTHERS);
 			$choreExecutionId = $this->getChoresService()->TrackChore($args['choreId'], $trackedTime, $doneBy);
 			return $this->ApiResponse($response, $this->getDatabase()->chores_log($choreExecutionId));
@ -57,7 +63,9 @@ class ChoresApiController extends BaseApiController
 	{
 		try
 		{
-			$this->ApiResponse($response, $this->getChoresService()->UndoChoreExecution($args['executionId']));
+            User::checkPermission($request, User::PERMISSION_CHORE_UNDO);
            $this->ApiResponse($response, $this->getChoresService()->UndoChoreExecution($args['executionId']));
 			return $this->EmptyApiResponse($response);
 		}
 		catch (\Exception $ex)
@ -70,7 +78,9 @@ class ChoresApiController extends BaseApiController
 	{
 		try
 		{
-			$requestBody = $request->getParsedBody();
+            User::checkPermission($request, User::PERMISSION_CHORE_EDIT);
            $requestBody = $request->getParsedBody();
 			$choreId = null;
 			if (array_key_exists('chore_id', $requestBody) && !empty($requestBody['chore_id']) && is_numeric($requestBody['chore_id']))
--- a/controllers/FilesApiController.php
+++ b/controllers/FilesApiController.php
@ -2,6 +2,7 @@
 namespace Grocy\Controllers;
 use Grocy\Controllers\Users\User;
 use \Grocy\Services\FilesService;
 class FilesApiController extends BaseApiController
@ -15,7 +16,9 @@ class FilesApiController extends BaseApiController
 	{
 		try
 		{
-			if (IsValidFileName(base64_decode($args['fileName'])))
+            User::checkPermission($request, User::PERMISSION_UPLOAD_FILE);
            if (IsValidFileName(base64_decode($args['fileName'])))
 			{
 				$fileName = base64_decode($args['fileName']);
 			}
@ -97,7 +100,9 @@ class FilesApiController extends BaseApiController
 	{
 		try
 		{
-			if (IsValidFileName(base64_decode($args['fileName'])))
+            User::checkPermission($request, User::PERMISSION_DELETE_FILE);
            if (IsValidFileName(base64_decode($args['fileName'])))
 			{
 				$fileName = base64_decode($args['fileName']);
 			}
--- a/controllers/GenericEntityApiController.php
+++ b/controllers/GenericEntityApiController.php
@ -2,6 +2,8 @@
 namespace Grocy\Controllers;
 use Grocy\Controllers\Users\User;
 class GenericEntityApiController extends BaseApiController
 {
 	public function __construct(\DI\Container $container)
@ -11,7 +13,9 @@ class GenericEntityApiController extends BaseApiController
 	public function GetObjects(\Psr\Http\Message\ServerRequestInterface $request, \Psr\Http\Message\ResponseInterface $response, array $args)
 	{
-		$objects = $this->getDatabase()->{$args['entity']}();
+        User::checkPermission($request, User::PERMISSION_MASTER_DATA_READ);
        $objects = $this->getDatabase()->{$args['entity']}();
 		$allUserfields = $this->getUserfieldsService()->GetAllValues($args['entity']);
 		foreach ($objects as $object)
@ -41,7 +45,8 @@ class GenericEntityApiController extends BaseApiController
 	public function GetObject(\Psr\Http\Message\ServerRequestInterface $request, \Psr\Http\Message\ResponseInterface $response, array $args)
 	{
-		if ($this->IsValidEntity($args['entity']) && !$this->IsEntityWithPreventedListing($args['entity']))
+        User::checkPermission($request, User::PERMISSION_MASTER_DATA_READ);
        if ($this->IsValidEntity($args['entity']) && !$this->IsEntityWithPreventedListing($args['entity']))
 		{
 			$userfields = $this->getUserfieldsService()->GetValues($args['entity'], $args['objectId']);
 			if (count($userfields) === 0)
@ -66,7 +71,9 @@ class GenericEntityApiController extends BaseApiController
 	public function AddObject(\Psr\Http\Message\ServerRequestInterface $request, \Psr\Http\Message\ResponseInterface $response, array $args)
 	{
-		if ($this->IsValidEntity($args['entity']))
+        User::checkPermission($request, User::PERMISSION_MASTER_DATA_EDIT);
        if ($this->IsValidEntity($args['entity']))
 		{
 			$requestBody = $request->getParsedBody();
@ -97,7 +104,9 @@ class GenericEntityApiController extends BaseApiController
 	public function EditObject(\Psr\Http\Message\ServerRequestInterface $request, \Psr\Http\Message\ResponseInterface $response, array $args)
 	{
-		if ($this->IsValidEntity($args['entity']))
+        User::checkPermission($request, User::PERMISSION_MASTER_DATA_EDIT);
        if ($this->IsValidEntity($args['entity']))
 		{
 			$requestBody = $request->getParsedBody();
@ -126,7 +135,9 @@ class GenericEntityApiController extends BaseApiController
 	public function DeleteObject(\Psr\Http\Message\ServerRequestInterface $request, \Psr\Http\Message\ResponseInterface $response, array $args)
 	{
-		if ($this->IsValidEntity($args['entity']))
+        User::checkPermission($request, User::PERMISSION_MASTER_DATA_EDIT);
        if ($this->IsValidEntity($args['entity']))
 		{
 			$row = $this->getDatabase()->{$args['entity']}($args['objectId']);
 			$row->delete();
@ -141,7 +152,9 @@ class GenericEntityApiController extends BaseApiController
 	public function SearchObjects(\Psr\Http\Message\ServerRequestInterface $request, \Psr\Http\Message\ResponseInterface $response, array $args)
 	{
-		if ($this->IsValidEntity($args['entity']) && !$this->IsEntityWithPreventedListing($args['entity']))
+        User::checkPermission($request, User::PERMISSION_MASTER_DATA_READ);
        if ($this->IsValidEntity($args['entity']) && !$this->IsEntityWithPreventedListing($args['entity']))
 		{
 			try
 			{
@ -160,7 +173,8 @@ class GenericEntityApiController extends BaseApiController
 	public function GetUserfields(\Psr\Http\Message\ServerRequestInterface $request, \Psr\Http\Message\ResponseInterface $response, array $args)
 	{
-		try
+        User::checkPermission($request, User::PERMISSION_MASTER_DATA_READ);
        try
 		{
 			return $this->ApiResponse($response, $this->getUserfieldsService()->GetValues($args['entity'], $args['objectId']));
 		}
@ -172,7 +186,9 @@ class GenericEntityApiController extends BaseApiController
 	public function SetUserfields(\Psr\Http\Message\ServerRequestInterface $request, \Psr\Http\Message\ResponseInterface $response, array $args)
 	{
-		$requestBody = $request->getParsedBody();
+        User::checkPermission($request, User::PERMISSION_MASTER_DATA_EDIT);
        $requestBody = $request->getParsedBody();
 		try
 		{
--- a/controllers/RecipesApiController.php
+++ b/controllers/RecipesApiController.php
@ -2,6 +2,8 @@
 namespace Grocy\Controllers;
 use Grocy\Controllers\Users\User;
 class RecipesApiController extends BaseApiController
 {
 	public function __construct(\DI\Container $container)
@ -11,7 +13,9 @@ class RecipesApiController extends BaseApiController
 	public function AddNotFulfilledProductsToShoppingList(\Psr\Http\Message\ServerRequestInterface $request, \Psr\Http\Message\ResponseInterface $response, array $args)
 	{
-		$requestBody = $request->getParsedBody();
+        User::checkPermission($request, User::PERMISSION_SHOPPINGLIST_ITEMS_ADD);
        $requestBody = $request->getParsedBody();
 		$excludedProductIds = null;
 		if ($requestBody !== null && array_key_exists('excludedProductIds', $requestBody))
@ -25,7 +29,9 @@ class RecipesApiController extends BaseApiController
 	public function ConsumeRecipe(\Psr\Http\Message\ServerRequestInterface $request, \Psr\Http\Message\ResponseInterface $response, array $args)
 	{
-		try
+        User::checkPermission($request, User::PERMISSION_PRODUCT_CONSUME);
        try
 		{
 			$this->getRecipesService()->ConsumeRecipe($args['recipeId']);
 			return $this->EmptyApiResponse($response);
--- a/controllers/StockApiController.php
+++ b/controllers/StockApiController.php
@ -2,6 +2,7 @@
 namespace Grocy\Controllers;
 use Grocy\Controllers\Users\User;
 use \Grocy\Services\StockService;
 class StockApiController extends BaseApiController
@ -62,7 +63,9 @@ class StockApiController extends BaseApiController
 	public function AddProduct(\Psr\Http\Message\ServerRequestInterface $request, \Psr\Http\Message\ResponseInterface $response, array $args)
 	{
-		$requestBody = $request->getParsedBody();
+        User::checkPermission($request, User::PERMISSION_PRODUCT_ADD);
        $requestBody = $request->getParsedBody();
 		try
 		{
@ -136,7 +139,9 @@ class StockApiController extends BaseApiController
 	public function EditStockEntry(\Psr\Http\Message\ServerRequestInterface $request, \Psr\Http\Message\ResponseInterface $response, array $args)
 	{
-		$requestBody = $request->getParsedBody();
+        User::checkPermission($request, User::PERMISSION_STOCK_EDIT);
        $requestBody = $request->getParsedBody();
 		try
 		{
@ -185,7 +190,9 @@ class StockApiController extends BaseApiController
 	public function TransferProduct(\Psr\Http\Message\ServerRequestInterface $request, \Psr\Http\Message\ResponseInterface $response, array $args)
 	{
-		$requestBody = $request->getParsedBody();
+        User::checkPermission($request, User::PERMISSION_STOCK_TRANSFER);
        $requestBody = $request->getParsedBody();
 		try
 		{
@ -239,7 +246,9 @@ class StockApiController extends BaseApiController
 	public function ConsumeProduct(\Psr\Http\Message\ServerRequestInterface $request, \Psr\Http\Message\ResponseInterface $response, array $args)
 	{
-		$requestBody = $request->getParsedBody();
+        User::checkPermission($request, User::PERMISSION_PRODUCT_CONSUME);
        $requestBody = $request->getParsedBody();
 		$result = null;
@ -310,7 +319,9 @@ class StockApiController extends BaseApiController
 	public function InventoryProduct(\Psr\Http\Message\ServerRequestInterface $request, \Psr\Http\Message\ResponseInterface $response, array $args)
 	{
-		$requestBody = $request->getParsedBody();
+        User::checkPermission($request, User::PERMISSION_STOCK_CORRECTION);
        $requestBody = $request->getParsedBody();
 		try
 		{
@ -372,7 +383,9 @@ class StockApiController extends BaseApiController
 	public function OpenProduct(\Psr\Http\Message\ServerRequestInterface $request, \Psr\Http\Message\ResponseInterface $response, array $args)
 	{
-		$requestBody = $request->getParsedBody();
+        User::checkPermission($request, User::PERMISSION_PRODUCT_OPEN);
        $requestBody = $request->getParsedBody();
 		try
 		{
@ -439,7 +452,9 @@ class StockApiController extends BaseApiController
 	public function AddMissingProductsToShoppingList(\Psr\Http\Message\ServerRequestInterface $request, \Psr\Http\Message\ResponseInterface $response, array $args)
 	{
-		try
+        User::checkPermission($request, User::PERMISSION_SHOPPINGLIST_ITEMS_ADD);
        try
 		{
 			$requestBody = $request->getParsedBody();
@ -460,7 +475,9 @@ class StockApiController extends BaseApiController
 	public function ClearShoppingList(\Psr\Http\Message\ServerRequestInterface $request, \Psr\Http\Message\ResponseInterface $response, array $args)
 	{
-		try
+        User::checkPermission($request, User::PERMISSION_SHOPPINGLIST_ITEMS_DELETE);
        try
 		{
 			$requestBody = $request->getParsedBody();
@ -482,7 +499,9 @@ class StockApiController extends BaseApiController
 	public function AddProductToShoppingList(\Psr\Http\Message\ServerRequestInterface $request, \Psr\Http\Message\ResponseInterface $response, array $args)
 	{
-		try
+        User::checkPermission($request, User::PERMISSION_SHOPPINGLIST_ITEMS_ADD);
        try
 		{
 			$requestBody = $request->getParsedBody();
@ -523,7 +542,9 @@ class StockApiController extends BaseApiController
 	public function RemoveProductFromShoppingList(\Psr\Http\Message\ServerRequestInterface $request, \Psr\Http\Message\ResponseInterface $response, array $args)
 	{
-		try
+        User::checkPermission($request, User::PERMISSION_SHOPPINGLIST_ITEMS_DELETE);
        try
 		{
 			$requestBody = $request->getParsedBody();
@ -559,7 +580,9 @@ class StockApiController extends BaseApiController
 	public function ExternalBarcodeLookup(\Psr\Http\Message\ServerRequestInterface $request, \Psr\Http\Message\ResponseInterface $response, array $args)
 	{
-		try
+        User::checkPermission($request, User::PERMISSION_PRODUCT_ADD);
        try
 		{
 			$addFoundProduct = false;
 			if (isset($request->getQueryParams()['add']) && ($request->getQueryParams()['add'] === 'true' || $request->getQueryParams()['add'] === 1))
@ -577,7 +600,9 @@ class StockApiController extends BaseApiController
 	public function UndoBooking(\Psr\Http\Message\ServerRequestInterface $request, \Psr\Http\Message\ResponseInterface $response, array $args)
 	{
-		try
+        User::checkPermission($request, User::PERMISSION_STOCK_CORRECTION);
        try
 		{
 			$this->ApiResponse($response, $this->getStockService()->UndoBooking($args['bookingId']));
 			return $this->EmptyApiResponse($response);
@ -590,7 +615,9 @@ class StockApiController extends BaseApiController
 	public function UndoTransaction(\Psr\Http\Message\ServerRequestInterface $request, \Psr\Http\Message\ResponseInterface $response, array $args)
 	{
-		try
+        User::checkPermission($request, User::PERMISSION_STOCK_CORRECTION);
        try
 		{
 			$this->ApiResponse($response, $this->getStockService()->UndoTransaction($args['transactionId']));
 			return $this->EmptyApiResponse($response);
--- a/controllers/TasksApiController.php
+++ b/controllers/TasksApiController.php
@ -2,6 +2,8 @@
 namespace Grocy\Controllers;
 use Grocy\Controllers\Users\User;
 class TasksApiController extends BaseApiController
 {
 	public function __construct(\DI\Container $container)
@ -16,7 +18,9 @@ class TasksApiController extends BaseApiController
 	public function MarkTaskAsCompleted(\Psr\Http\Message\ServerRequestInterface $request, \Psr\Http\Message\ResponseInterface $response, array $args)
 	{
-		$requestBody = $request->getParsedBody();
+        User::checkPermission($request, User::PERMISSION_TASKS_MARK_COMPLETED);
        $requestBody = $request->getParsedBody();
 		try
 		{
@ -37,7 +41,9 @@ class TasksApiController extends BaseApiController
 	public function UndoTask(\Psr\Http\Message\ServerRequestInterface $request, \Psr\Http\Message\ResponseInterface $response, array $args)
 	{
-		try
+        User::checkPermission($request, User::PERMISSION_TASKS_UNDO);
        try
 		{
 			$this->getTasksService()->UndoTask($args['taskId']);
 			return $this->EmptyApiResponse($response);
--- a/controllers/Users/User.php
+++ b/controllers/Users/User.php
@ -9,6 +9,26 @@ abstract class User
    const PERMISSION_EDIT_USER = 'EDIT_USER';
    const PERMISSION_READ_USER = 'READ_USER';
    const PERMISSION_EDIT_SELF = 'EDIT_SELF';
    const PERMISSION_BATTERY_UNDO_TRACK_CHARGE_CYCLE = 'BATTERY_UNDO_TRACK_CHARGE_CYCLE';
    const PERMISSION_BATTERY_TRACK_CHARGE_CYCLE = 'BATTERY_TRACK_CHARGE_CYCLE';
    const PERMISSION_CHORE_TRACK = 'CHORE_TRACK';
    const PERMISSION_CHORE_TRACK_OTHERS = 'CHORE_TRACK_OTHERS';
    const PERMISSION_CHORE_EDIT = 'CHORE_EDIT';
    const PERMISSION_CHORE_UNDO = 'CHORE_UNDO';
    const PERMISSION_UPLOAD_FILE = 'UPLOAD_FILE';
    const PERMISSION_DELETE_FILE = 'DELETE_FILE';
    const PERMISSION_MASTER_DATA_EDIT = 'MASTER_DATA_EDIT';
    const PERMISSION_MASTER_DATA_READ = 'MASTER_DATA_READ';
    const PERMISSION_TASKS_UNDO = 'TASKS_UNDO';
    const PERMISSION_TASKS_MARK_COMPLETED = 'TASKS_MARK_COMPLETED';
    const PERMISSION_PRODUCT_ADD = 'PRODUCT_ADD';
    const PERMISSION_STOCK_TRANSFER = 'STOCK_TRANSFER';
    const PERMISSION_STOCK_EDIT = 'STOCK_EDIT';
    const PERMISSION_PRODUCT_CONSUME = 'PRODUCT_CONSUME';
    const PERMISSION_STOCK_CORRECTION = 'STOCK_CORRECTION';
    const PERMISSION_PRODUCT_OPEN = 'PRODUCT_OPEN';
    const PERMISSION_SHOPPINGLIST_ITEMS_ADD = 'SHOPPINGLIST_ITEMS_ADD';
    const PERMISSION_SHOPPINGLIST_ITEMS_DELETE = 'SHOPPINGLIST_ITEMS_DELETE';
    public abstract function hasPermission(string $permission): bool;
--- a/migrations/0111.sql
+++ b/migrations/0111.sql
@ -69,4 +69,34 @@ VALUES ('EDIT_USER', last_insert_rowid());
 INSERT INTO permission_hierarchy(name, parent)
 VALUES ('READ_USER', last_insert_rowid()),
-       ('EDIT_SELF', (SELECT id FROM permission_hierarchy WHERE name = 'ADMIN'));
+       ('EDIT_SELF', (SELECT id FROM permission_hierarchy WHERE name = 'ADMIN'));
 INSERT INTO permission_hierarchy(name, parent)
 VALUES
       -- Batteries
 ('BATTERY_UNDO_TRACK_CHARGE_CYCLE', (SELECT id FROM permission_hierarchy WHERE name = 'ADMIN')),
 ('BATTERY_TRACK_CHARGE_CYCLE', (SELECT id FROM permission_hierarchy WHERE name = 'ADMIN')),
       -- Chores
 ('CHORE_TRACK', (SELECT id FROM permission_hierarchy WHERE name = 'ADMIN')),
 ('CHORE_TRACK_OTHERS', (SELECT id FROM permission_hierarchy WHERE name = 'ADMIN')),
 ('CHORE_EDIT', (SELECT id FROM permission_hierarchy WHERE name = 'ADMIN')),
 ('CHORE_UNDO', (SELECT id FROM permission_hierarchy WHERE name = 'ADMIN')),
       -- Files
 ('UPLOAD_FILE', (SELECT id FROM permission_hierarchy WHERE name = 'ADMIN')),
 ('DELETE_FILE', (SELECT id FROM permission_hierarchy WHERE name = 'ADMIN')),
       -- master data
 ('MASTER_DATA_EDIT', (SELECT id FROM permission_hierarchy WHERE name = 'ADMIN')),
 ('MASTER_DATA_READ', (SELECT id FROM permission_hierarchy WHERE name = 'ADMIN')),
       -- Tasks
 ('TASKS_UNDO', (SELECT id FROM permission_hierarchy WHERE name = 'ADMIN')),
 ('TASKS_MARK_COMPLETED', (SELECT id FROM permission_hierarchy WHERE name = 'ADMIN')),
       -- Stock / Products
 ('STOCK_EDIT', (SELECT id FROM permission_hierarchy WHERE name = 'ADMIN')),
 ('STOCK_TRANSFER', (SELECT id FROM permission_hierarchy WHERE name = 'ADMIN')),
 ('STOCK_CORRECTION', (SELECT id FROM permission_hierarchy WHERE name = 'ADMIN')),
 ('PRODUCT_ADD', (SELECT id FROM permission_hierarchy WHERE name = 'ADMIN')),
 ('PRODUCT_CONSUME', (SELECT id FROM permission_hierarchy WHERE name = 'ADMIN')),
 ('PRODUCT_OPEN', (SELECT id FROM permission_hierarchy WHERE name = 'ADMIN')),
       -- shopping list
 ('SHOPPINGLIST_ITEMS_ADD', (SELECT id FROM permission_hierarchy WHERE name = 'ADMIN')),
 ('SHOPPINGLIST_ITEMS_DELETE', (SELECT id FROM permission_hierarchy WHERE name = 'ADMIN'));