github-mirror/grocy
1
0
Fork 0
mirror of https://github.com/grocy/grocy.git synced 2026-04-07 05:16:15 +02:00
Code Issues Actions Packages Projects Releases Wiki Activity

Allow only admin users to create custom API-Keys

Browse Source
This commit is contained in:
fipwmaqzufheoxq92ebc 2020-09-02 11:28:49 +02:00
parent 1546a823c5
commit e3666cfb4b
No known key found for this signature in database
GPG Key ID: F4DF989490C2ADB7
2 changed files with 17 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
controllers/GenericEntityApiController.php
View File

@ -13,6 +13,9 @@ class GenericEntityApiController extends BaseApiController
if ($this->IsValidEntity($args['entity'])) if ($this->IsValidEntity($args['entity']))
{ {
if($this->IsEntityWithEditRequiresAdmin($args['entity']))
User::checkPermission($request, User::PERMISSION_ADMIN);
$requestBody = $request->getParsedBody(); $requestBody = $request->getParsedBody();
try try
@ -49,6 +52,8 @@ class GenericEntityApiController extends BaseApiController
if ($this->IsValidEntity($args['entity'])) if ($this->IsValidEntity($args['entity']))
{ {
if($this->IsEntityWithEditRequiresAdmin($args['entity']))
User::checkPermission($request, User::PERMISSION_ADMIN);
$row = $this->getDatabase()->{$args['entity']} $row = $this->getDatabase()->{$args['entity']}
($args['objectId']); ($args['objectId']);
$row->delete(); $row->delete();
@ -68,6 +73,8 @@ class GenericEntityApiController extends BaseApiController
if ($this->IsValidEntity($args['entity'])) if ($this->IsValidEntity($args['entity']))
{ {
if($this->IsEntityWithEditRequiresAdmin($args['entity']))
User::checkPermission($request, User::PERMISSION_ADMIN);
$requestBody = $request->getParsedBody(); $requestBody = $request->getParsedBody();
try try
@ -223,6 +230,10 @@ class GenericEntityApiController extends BaseApiController
{ {
parent::__construct($container); parent::__construct($container);
} }
private function IsEntityWithEditRequiresAdmin($entity)
{
return !in_array($entity, $this->getOpenApiSpec()->components->internalSchemas->EntityEditRequiresAdmin->enum);
}
private function IsEntityWithPreventedListing($entity) private function IsEntityWithPreventedListing($entity)
{ {

6
grocy.openapi.json
View File

@ -3483,6 +3483,12 @@
"meal_plan" "meal_plan"
] ]
}, },
"EntityEditRequiresAdmin": {
"type": "string",
"enum": [
"api_keys"
]
},
"StockTransactionType": { "StockTransactionType": {
"type": "string", "type": "string",
"enum": [ "enum": [