firefly-iii/app/Validation/Administration/ValidatesAdministrationAccess.php

<?php

declare(strict_types=1);
/*
 * ValidatesAdministrationAccess.php
 * Copyright (c) 2023 james@firefly-iii.org
 *
 * This file is part of Firefly III (https://github.com/firefly-iii).
 *
 * This program is free software: you can redistribute it and/or modify
 * it under the terms of the GNU Affero General Public License as
 * published by the Free Software Foundation, either version 3 of the
 * License, or (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU Affero General Public License for more details.
 *
 * You should have received a copy of the GNU Affero General Public License
 * along with this program.  If not, see <https://www.gnu.org/licenses/>.
 */

namespace FireflyIII\Validation\Administration;

use FireflyIII\Exceptions\FireflyException;
use FireflyIII\Models\UserRole;
use FireflyIII\Repositories\User\UserRepositoryInterface;
use FireflyIII\User;
use Illuminate\Auth\AuthenticationException;
use Illuminate\Support\Facades\Log;
use Illuminate\Validation\Validator;

/**
 * Trait ValidatesAdministrationAccess
 */
trait ValidatesAdministrationAccess
{
    /**
     * @param  Validator  $validator
     * @param  array  $allowedRoles
     * @return void
     * @throws AuthenticationException
     * @throws FireflyException
     */
    protected function validateAdministration(Validator $validator, array $allowedRoles): void
    {
        Log::debug('Now in validateAdministration()');
        if (!auth()->check()) {
            Log::error('User is not authenticated.');
            throw new AuthenticationException('No access to validateAdministration() method.');
        }
        /** @var User $user */
        $user = auth()->user();
        // get data from request:
        $data = $validator->getData();
        // check if user is part of this administration
        $administrationId = (int)($data['administration_id'] ?? $user->getAdministrationId());
        // safety catch:
        if (0 === $administrationId) {
            Log::error('validateAdministration ran into empty administration ID.');
            throw new AuthenticationException('Cannot validate administration.');
        }
        // grab the group:
        $repository = app(UserRepositoryInterface::class);

        // collect the user's roles in this group:
        $array = $repository->getRolesInGroup($user, $administrationId);
        if (0 === count($array)) {
            Log::error(sprintf('User #%d ("%s") has no membership in group #%d.', $user->id, $user->email, $administrationId));
            $validator->errors()->add('administration', (string)trans('validation.no_access_user_group'));
            return;
        }
        if (in_array(UserRole::OWNER, $array, true)) {
            Log::debug('User is owner of this administration.');
            return;
        }
        if (in_array(UserRole::FULL, $array, true)) {
            Log::debug('User has full access to this administration.');
            return;
        }
        $access = true;
        foreach ($allowedRoles as $allowedRole) {
            if (!in_array($allowedRole, $array, true)) {
                $access = false;
            }
        }
        if (false === $access) {
            Log::error(
                sprintf(
                    'User #%d has memberships [%s] to group #%d but needs [%s].',
                    $user->id,
                    join(', ', $array),
                    $administrationId,
                    join(', ', $allowedRoles)
                )
            );
            $validator->errors()->add('administration', (string)trans('validation.no_access_user_group'));
        }
    }
}
Basic check for user's administration ID 2023-01-29 07:00:26 +01:00			`<?php`
Various fixes and cleanup 2023-01-29 15:29:42 +01:00
			`declare(strict_types=1);`
Basic check for user's administration ID 2023-01-29 07:00:26 +01:00			`/*`
			`* ValidatesAdministrationAccess.php`
			`* Copyright (c) 2023 james@firefly-iii.org`
			`*`
			`* This file is part of Firefly III (https://github.com/firefly-iii).`
			`*`
			`* This program is free software: you can redistribute it and/or modify`
			`* it under the terms of the GNU Affero General Public License as`
			`* published by the Free Software Foundation, either version 3 of the`
			`* License, or (at your option) any later version.`
			`*`
			`* This program is distributed in the hope that it will be useful,`
			`* but WITHOUT ANY WARRANTY; without even the implied warranty of`
			`* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the`
			`* GNU Affero General Public License for more details.`
			`*`
			`* You should have received a copy of the GNU Affero General Public License`
			`* along with this program. If not, see <https://www.gnu.org/licenses/>.`
			`*/`

			`namespace FireflyIII\Validation\Administration;`

Clean up comments 2023-02-22 18:03:31 +01:00			`use FireflyIII\Exceptions\FireflyException;`
Basic check for user's administration ID 2023-01-29 07:00:26 +01:00			`use FireflyIII\Models\UserRole;`
			`use FireflyIII\Repositories\User\UserRepositoryInterface;`
			`use FireflyIII\User;`
			`use Illuminate\Auth\AuthenticationException;`
			`use Illuminate\Support\Facades\Log;`
			`use Illuminate\Validation\Validator;`

			`/**`
			`* Trait ValidatesAdministrationAccess`
			`*/`
			`trait ValidatesAdministrationAccess`
			`{`
			`/**`
			`* @param Validator $validator`
			`* @param array $allowedRoles`
			`* @return void`
			`* @throws AuthenticationException`
Clean up comments 2023-02-22 18:03:31 +01:00			`* @throws FireflyException`
Basic check for user's administration ID 2023-01-29 07:00:26 +01:00			`*/`
			`protected function validateAdministration(Validator $validator, array $allowedRoles): void`
			`{`
			`Log::debug('Now in validateAdministration()');`
			`if (!auth()->check()) {`
			`Log::error('User is not authenticated.');`
			`throw new AuthenticationException('No access to validateAdministration() method.');`
			`}`
			`/** @var User $user */`
			`$user = auth()->user();`
			`// get data from request:`
			`$data = $validator->getData();`
			`// check if user is part of this administration`
			`$administrationId = (int)($data['administration_id'] ?? $user->getAdministrationId());`
			`// safety catch:`
			`if (0 === $administrationId) {`
			`Log::error('validateAdministration ran into empty administration ID.');`
			`throw new AuthenticationException('Cannot validate administration.');`
			`}`
			`// grab the group:`
			`$repository = app(UserRepositoryInterface::class);`

			`// collect the user's roles in this group:`
Clean up code and comments. 2023-02-22 18:14:14 +01:00			`$array = $repository->getRolesInGroup($user, $administrationId);`
Basic check for user's administration ID 2023-01-29 07:00:26 +01:00			`if (0 === count($array)) {`
			`Log::error(sprintf('User #%d ("%s") has no membership in group #%d.', $user->id, $user->email, $administrationId));`
			`$validator->errors()->add('administration', (string)trans('validation.no_access_user_group'));`
			`return;`
			`}`
			`if (in_array(UserRole::OWNER, $array, true)) {`
			`Log::debug('User is owner of this administration.');`
			`return;`
			`}`
			`if (in_array(UserRole::FULL, $array, true)) {`
			`Log::debug('User has full access to this administration.');`
			`return;`
			`}`
			`$access = true;`
			`foreach ($allowedRoles as $allowedRole) {`
			`if (!in_array($allowedRole, $array, true)) {`
			`$access = false;`
			`}`
			`}`
			`if (false === $access) {`
			`Log::error(`
			`sprintf(`
			`'User #%d has memberships [%s] to group #%d but needs [%s].',`
			`$user->id,`
			`join(', ', $array),`
			`$administrationId,`
			`join(', ', $allowedRoles)`
			`)`
			`);`
			`$validator->errors()->add('administration', (string)trans('validation.no_access_user_group'));`
			`}`
			`}`
			`}`