kenmirrors/firefly-iii
1
0
Fork 0
mirror of https://github.com/firefly-iii/firefly-iii.git synced 2025-10-12 15:35:15 +00:00
Code Issues Projects Releases Wiki Activity

add user group validation

Browse Source
This commit is contained in:
James Cole
2024-07-28 07:02:04 +02:00
parent adedf9c17d
commit 1515dea9fa
9 changed files with 274 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

30
app/Api/V2/Controllers/JsonApi/AccountController.php
View File

@@ -24,6 +24,11 @@ declare(strict_types=1);
namespace FireflyIII\Api\V2\Controllers\JsonApi; namespace FireflyIII\Api\V2\Controllers\JsonApi;
use FireflyIII\Http\Controllers\Controller; use FireflyIII\Http\Controllers\Controller;
use FireflyIII\JsonApi\V2\Accounts\AccountCollectionQuery;
use FireflyIII\JsonApi\V2\Accounts\AccountSchema;
use FireflyIII\JsonApi\V2\Accounts\Capabilities\AccountQuery;
use Illuminate\Support\Facades\Log;
use LaravelJsonApi\Core\Responses\DataResponse;
use LaravelJsonApi\Laravel\Http\Controllers\Actions; use LaravelJsonApi\Laravel\Http\Controllers\Actions;
/** /**
@@ -38,7 +43,8 @@ class AccountController extends Controller
use Actions\AttachRelationship; use Actions\AttachRelationship;
use Actions\Destroy; use Actions\Destroy;
use Actions\DetachRelationship; use Actions\DetachRelationship;
use Actions\FetchMany;
// use Actions\FetchMany;
use Actions\FetchOne; use Actions\FetchOne;
use Actions\FetchRelated; use Actions\FetchRelated;
use Actions\FetchRelationship; use Actions\FetchRelationship;
@@ -46,6 +52,28 @@ class AccountController extends Controller
use Actions\Update; use Actions\Update;
use Actions\UpdateRelationship; use Actions\UpdateRelationship;
/**
* Fetch zero to many JSON API resources.
*
* @param AccountSchema $schema
* @param AccountQuery $request
*
* @return \Illuminate\Contracts\Support\Responsable|\Illuminate\Http\Response
*/
public function index(AccountSchema $schema, AccountCollectionQuery $request)
{
Log::debug(__METHOD__);
$models = $schema
->repository()
->queryAll()
->withRequest($request)
->get();
// do something custom...
return new DataResponse($models);
}
// public function readAccountBalances(AnonymousQuery $query, AccountBalanceSchema $schema, Account $account): Responsable // public function readAccountBalances(AnonymousQuery $query, AccountBalanceSchema $schema, Account $account): Responsable
// { // {

60
app/JsonApi/V2/Accounts/AccountCollectionQuery.php Normal file
View File

@@ -0,0 +1,60 @@
<?php
namespace FireflyIII\JsonApi\V2\Accounts;
use FireflyIII\Models\Account;
use FireflyIII\Rules\IsAllowedGroupAction;
use Illuminate\Support\Facades\Log;
use LaravelJsonApi\Laravel\Http\Requests\ResourceQuery;
use LaravelJsonApi\Validation\Rule as JsonApiRule;
class AccountCollectionQuery extends ResourceQuery
{
/**
* Get the validation rules that apply to the request query parameters.
*
* @return array
*/
public function rules(): array
{
Log::debug(__METHOD__);
return [
'fields' => [
'nullable',
'array',
JsonApiRule::fieldSets(),
],
'user_group_id' => [
'nullable',
'integer',
new IsAllowedGroupAction(Account::class, request()->method()),
],
'filter' => [
'nullable',
'array',
JsonApiRule::filter(),
],
'include' => [
'nullable',
'string',
JsonApiRule::includePaths(),
],
'page' => [
'nullable',
'array',
JsonApiRule::page(),
],
'sort' => [
'nullable',
'string',
JsonApiRule::sort(),
],
'withCount' => [
'nullable',
'string',
JsonApiRule::countable(),
],
];
}
}

45
app/JsonApi/V2/Accounts/AccountQuery.php Normal file
View File

@@ -0,0 +1,45 @@
<?php
namespace FireflyIII\JsonApi\V2\Accounts;
use Illuminate\Support\Facades\Log;
use LaravelJsonApi\Laravel\Http\Requests\ResourceQuery;
use LaravelJsonApi\Validation\Rule as JsonApiRule;
class AccountQuery extends ResourceQuery
{
/**
* Get the validation rules that apply to the request query parameters.
*
* @return array
*/
public function rules(): array
{
Log::debug(__METHOD__);;
return [
'fields' => [
'nullable',
'array',
JsonApiRule::fieldSets(),
],
'filter' => [
'nullable',
'array',
JsonApiRule::filter()->forget('id'),
],
'include' => [
'nullable',
'string',
JsonApiRule::includePaths(),
],
'page' => JsonApiRule::notSupported(),
'sort' => JsonApiRule::notSupported(),
'withCount' => [
'nullable',
'string',
JsonApiRule::countable(),
],
];
}
}

2
app/JsonApi/V2/Accounts/AccountResource.php
View File

@@ -4,6 +4,7 @@ namespace FireflyIII\JsonApi\V2\Accounts;
use FireflyIII\Models\Account; use FireflyIII\Models\Account;
use Illuminate\Http\Request; use Illuminate\Http\Request;
use Illuminate\Support\Facades\Log;
use LaravelJsonApi\Core\Resources\JsonApiResource; use LaravelJsonApi\Core\Resources\JsonApiResource;
/** /**
@@ -31,6 +32,7 @@ class AccountResource extends JsonApiResource
*/ */
public function attributes($request): iterable public function attributes($request): iterable
{ {
Log::debug(__METHOD__);
return [ return [
'created_at' => $this->resource->created_at, 'created_at' => $this->resource->created_at,
'updated_at' => $this->resource->updated_at, 'updated_at' => $this->resource->updated_at,

7
app/JsonApi/V2/Accounts/AccountSchema.php
View File

@@ -4,6 +4,7 @@ namespace FireflyIII\JsonApi\V2\Accounts;
use FireflyIII\Models\Account; use FireflyIII\Models\Account;
use FireflyIII\Support\JsonApi\Concerns\UsergroupAware; use FireflyIII\Support\JsonApi\Concerns\UsergroupAware;
use Illuminate\Support\Facades\Log;
use LaravelJsonApi\Core\Schema\Schema; use LaravelJsonApi\Core\Schema\Schema;
use LaravelJsonApi\Eloquent\Fields\Relations\HasOne; use LaravelJsonApi\Eloquent\Fields\Relations\HasOne;
use LaravelJsonApi\NonEloquent\Fields\Attribute; use LaravelJsonApi\NonEloquent\Fields\Attribute;
@@ -30,6 +31,7 @@ class AccountSchema extends Schema
*/ */
public function fields(): array public function fields(): array
{ {
Log::debug(__METHOD__);;
return [ return [
ID::make(), ID::make(),
Attribute::make('name'), Attribute::make('name'),
@@ -44,6 +46,7 @@ class AccountSchema extends Schema
*/ */
public function filters(): array public function filters(): array
{ {
Log::debug(__METHOD__);;
return [ return [
// Filter::make('id'), // Filter::make('id'),
]; ];
@@ -51,6 +54,10 @@ class AccountSchema extends Schema
public function repository(): AccountRepository public function repository(): AccountRepository
{ {
Log::debug(__METHOD__);;
// to access the repository, you need to have the necessary rights.
$this->setUserGroup($this->server->getUsergroup()); $this->setUserGroup($this->server->getUsergroup());
return AccountRepository::make() return AccountRepository::make()
->withServer($this->server) ->withServer($this->server)

2
app/JsonApi/V2/Accounts/Capabilities/AccountQuery.php
View File

@@ -29,6 +29,7 @@ use FireflyIII\Support\JsonApi\ExpandsQuery;
use FireflyIII\Support\JsonApi\FiltersPagination; use FireflyIII\Support\JsonApi\FiltersPagination;
use FireflyIII\Support\JsonApi\SortsCollection; use FireflyIII\Support\JsonApi\SortsCollection;
use FireflyIII\Support\JsonApi\ValidateSortParameters; use FireflyIII\Support\JsonApi\ValidateSortParameters;
use Illuminate\Support\Facades\Log;
use LaravelJsonApi\Contracts\Store\HasPagination; use LaravelJsonApi\Contracts\Store\HasPagination;
use LaravelJsonApi\NonEloquent\Capabilities\QueryAll; use LaravelJsonApi\NonEloquent\Capabilities\QueryAll;
use LaravelJsonApi\NonEloquent\Concerns\PaginatesEnumerables; use LaravelJsonApi\NonEloquent\Concerns\PaginatesEnumerables;
@@ -48,6 +49,7 @@ class AccountQuery extends QueryAll implements HasPagination
*/ */
public function get(): iterable public function get(): iterable
{ {
Log::debug(__METHOD__);
// collect filters // collect filters
$filters = $this->queryParameters->filter(); $filters = $this->queryParameters->filter();
// collect sort options // collect sort options

1
app/JsonApi/V2/Server.php
View File

@@ -30,6 +30,7 @@ class Server extends BaseServer
*/ */
public function serving(): void public function serving(): void
{ {
// at this point the user may not actually have access to this user group.
$res = $this->detectUserGroup(); $res = $this->detectUserGroup();
$this->setUserGroup($res); $this->setUserGroup($res);
} }

127
app/Rules/IsAllowedGroupAction.php Normal file
View File

@@ -0,0 +1,127 @@
<?php
/*
* IsAllowedGroupAction.php
* Copyright (c) 2024 james@firefly-iii.org.
*
* This file is part of Firefly III (https://github.com/firefly-iii).
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU Affero General Public License as
* published by the Free Software Foundation, either version 3 of the
* License, or (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Affero General Public License for more details.
*
* You should have received a copy of the GNU Affero General Public License
* along with this program. If not, see https://www.gnu.org/licenses/.
*/
declare(strict_types=1);
namespace FireflyIII\Rules;
use Closure;
use FireflyIII\Enums\UserRoleEnum;
use FireflyIII\Models\Account;
use FireflyIII\Repositories\UserGroup\UserGroupRepositoryInterface;
use FireflyIII\User;
use Illuminate\Auth\AuthenticationException;
use Illuminate\Contracts\Validation\ValidationRule;
use Illuminate\Auth\Access\AuthorizationException;
use Illuminate\Support\Facades\Log;
class IsAllowedGroupAction implements ValidationRule
{
private string $className;
private string $methodName;
private array $acceptedRoles;
private UserGroupRepositoryInterface $repository;
public function __construct(string $className, string $methodName)
{
$this->className = $className;
$this->methodName = $methodName;
// you need these roles to do anything with any endpoint.
$this->acceptedRoles = [UserRoleEnum::OWNER, UserRoleEnum::FULL];
$this->repository = app(UserGroupRepositoryInterface::class);
}
/**
* @inheritDoc
* @throws AuthorizationException
*/
#[\Override] public function validate(string $attribute, mixed $value, Closure $fail): void
{
if('GET' === $this->methodName) {
// need at least "read only rights".
$this->acceptedRoles[] = UserRoleEnum::READ_ONLY;
}
if('GET' !== $this->methodName) {
// either post, put or delete or something else.. you need more access rights.
switch ($this->className) {
default:
throw new AuthorizationException(sprintf('Cannot handle class "%s"', $this->className));
case Account::class:
$this->acceptedRoles[] = UserRoleEnum::MANAGE_TRANSACTIONS;
break;
}
}
$this->validateUserGroup((int)$value, $fail);
}
private function validateUserGroup(int $userGroupId, Closure $fail): void {
Log::debug(sprintf('validateUserGroup: %s', static::class));
if (!auth()->check()) {
Log::debug('validateUserGroup: user is not logged in, return NULL.');
$fail('validation.no_auth_user_group')->translate();
return;
}
/** @var User $user */
$user = auth()->user();
if(0 !== $userGroupId) {
Log::debug(sprintf('validateUserGroup: user group submitted, search for memberships in group #%d.', $userGroupId));
}
if (0 === $userGroupId) {
$userGroupId = $user->user_group_id;
Log::debug(sprintf('validateUserGroup: no user group submitted, use default group #%d.', $userGroupId));
}
$this->repository->setUser($user);
$memberships = $this->repository->getMembershipsFromGroupId($userGroupId);
if (0 === $memberships->count()) {
Log::debug(sprintf('validateUserGroup: user has no access to group #%d.', $userGroupId));
$fail('validation.no_access_user_group')->translate();
return;
}
// need to get the group from the membership:
$userGroup = $this->repository->getById($userGroupId);
if (null === $userGroup) {
Log::debug(sprintf('validateUserGroup: group #%d does not exist.', $userGroupId));
$fail('validation.belongs_user_or_user_group')->translate();
return;
}
Log::debug(sprintf('validateUserGroup: validate access of user to group #%d ("%s").', $userGroupId, $userGroup->title));
Log::debug(sprintf('validateUserGroup: have %d roles to check.', count($this->acceptedRoles)), $this->acceptedRoles);
/** @var UserRoleEnum $role */
foreach ($this->acceptedRoles as $role) {
if ($user->hasRoleInGroupOrOwner($userGroup, $role)) {
Log::debug(sprintf('validateUserGroup: User has role "%s" in group #%d, return.', $role->value, $userGroupId));
return;
}
Log::debug(sprintf('validateUserGroup: User does NOT have role "%s" in group #%d, continue searching.', $role->value, $userGroupId));
}
Log::debug('validateUserGroup: User does NOT have enough rights to access endpoint.');
$fail('validation.belongs_user_or_user_group')->translate();
}
}

1
resources/lang/en_US/validation.php
View File

@@ -268,6 +268,7 @@ return [
'auto_budget_period_mandatory' => 'The auto budget period is a mandatory field.', 'auto_budget_period_mandatory' => 'The auto budget period is a mandatory field.',
// no access to administration: // no access to administration:
'no_auth_user_group' => 'You have to be logged in to access this administration.',
'no_access_user_group' => 'You do not have the correct access rights for this administration.', 'no_access_user_group' => 'You do not have the correct access rights for this administration.',
'administration_owner_rename' => 'You can\'t rename your standard administration.', 'administration_owner_rename' => 'You can\'t rename your standard administration.',
]; ];