add user group validation

2025-10-12 15:35:15 +00:00 · 2024-07-28 07:02:04 +02:00
parent adedf9c17d
commit 1515dea9fa
9 changed files with 274 additions and 1 deletions
--- a/app/Api/V2/Controllers/JsonApi/AccountController.php
+++ b/app/Api/V2/Controllers/JsonApi/AccountController.php
@@ -24,6 +24,11 @@ declare(strict_types=1);
 namespace FireflyIII\Api\V2\Controllers\JsonApi;

 use FireflyIII\Http\Controllers\Controller;
+use FireflyIII\JsonApi\V2\Accounts\AccountCollectionQuery;
+use FireflyIII\JsonApi\V2\Accounts\AccountSchema;
+use FireflyIII\JsonApi\V2\Accounts\Capabilities\AccountQuery;
+use Illuminate\Support\Facades\Log;
+use LaravelJsonApi\Core\Responses\DataResponse;
 use LaravelJsonApi\Laravel\Http\Controllers\Actions;

 /**
@@ -38,7 +43,8 @@ class AccountController extends Controller
    use Actions\AttachRelationship;
    use Actions\Destroy;
    use Actions\DetachRelationship;
-    use Actions\FetchMany;
+
+//    use Actions\FetchMany;
    use Actions\FetchOne;
    use Actions\FetchRelated;
    use Actions\FetchRelationship;
@@ -46,6 +52,28 @@ class AccountController extends Controller
    use Actions\Update;
    use Actions\UpdateRelationship;

+    /**
+     * Fetch zero to many JSON API resources.
+     *
+     * @param AccountSchema $schema
+     * @param AccountQuery  $request
+     *
+     * @return \Illuminate\Contracts\Support\Responsable|\Illuminate\Http\Response
+     */
+    public function index(AccountSchema $schema, AccountCollectionQuery $request)
+    {
+        Log::debug(__METHOD__);
+        $models = $schema
+            ->repository()
+            ->queryAll()
+            ->withRequest($request)
+            ->get();
+
+        // do something custom...
+
+        return new DataResponse($models);
+    }
+

 //    public function readAccountBalances(AnonymousQuery $query, AccountBalanceSchema $schema, Account $account): Responsable
 //    {
--- a/app/JsonApi/V2/Accounts/AccountCollectionQuery.php
+++ b/app/JsonApi/V2/Accounts/AccountCollectionQuery.php
@@ -0,0 +1,60 @@
+<?php
+
+namespace FireflyIII\JsonApi\V2\Accounts;
+
+use FireflyIII\Models\Account;
+use FireflyIII\Rules\IsAllowedGroupAction;
+use Illuminate\Support\Facades\Log;
+use LaravelJsonApi\Laravel\Http\Requests\ResourceQuery;
+use LaravelJsonApi\Validation\Rule as JsonApiRule;
+
+class AccountCollectionQuery extends ResourceQuery
+{
+
+    /**
+     * Get the validation rules that apply to the request query parameters.
+     *
+     * @return array
+     */
+    public function rules(): array
+    {
+        Log::debug(__METHOD__);
+        return [
+            'fields' => [
+                'nullable',
+                'array',
+                JsonApiRule::fieldSets(),
+            ],
+            'user_group_id' => [
+                'nullable',
+                'integer',
+                new IsAllowedGroupAction(Account::class, request()->method()),
+            ],
+            'filter' => [
+                'nullable',
+                'array',
+                JsonApiRule::filter(),
+            ],
+            'include' => [
+                'nullable',
+                'string',
+                JsonApiRule::includePaths(),
+            ],
+            'page' => [
+                'nullable',
+                'array',
+                JsonApiRule::page(),
+            ],
+            'sort' => [
+                'nullable',
+                'string',
+                JsonApiRule::sort(),
+            ],
+            'withCount' => [
+                'nullable',
+                'string',
+                JsonApiRule::countable(),
+            ],
+        ];
+    }
+}
--- a/app/JsonApi/V2/Accounts/AccountQuery.php
+++ b/app/JsonApi/V2/Accounts/AccountQuery.php
@@ -0,0 +1,45 @@
+<?php
+
+namespace FireflyIII\JsonApi\V2\Accounts;
+
+use Illuminate\Support\Facades\Log;
+use LaravelJsonApi\Laravel\Http\Requests\ResourceQuery;
+use LaravelJsonApi\Validation\Rule as JsonApiRule;
+
+class AccountQuery extends ResourceQuery
+{
+
+    /**
+     * Get the validation rules that apply to the request query parameters.
+     *
+     * @return array
+     */
+    public function rules(): array
+    {
+        Log::debug(__METHOD__);;
+        return [
+            'fields' => [
+                'nullable',
+                'array',
+                JsonApiRule::fieldSets(),
+            ],
+            'filter' => [
+                'nullable',
+                'array',
+                JsonApiRule::filter()->forget('id'),
+            ],
+            'include' => [
+                'nullable',
+                'string',
+                JsonApiRule::includePaths(),
+            ],
+            'page' => JsonApiRule::notSupported(),
+            'sort' => JsonApiRule::notSupported(),
+            'withCount' => [
+                'nullable',
+                'string',
+                JsonApiRule::countable(),
+            ],
+        ];
+    }
+}
--- a/app/JsonApi/V2/Accounts/AccountResource.php
+++ b/app/JsonApi/V2/Accounts/AccountResource.php
@@ -4,6 +4,7 @@ namespace FireflyIII\JsonApi\V2\Accounts;

 use FireflyIII\Models\Account;
 use Illuminate\Http\Request;
+use Illuminate\Support\Facades\Log;
 use LaravelJsonApi\Core\Resources\JsonApiResource;

 /**
@@ -31,6 +32,7 @@ class AccountResource extends JsonApiResource
     */
    public function attributes($request): iterable
    {
+        Log::debug(__METHOD__);
        return [
            'created_at' => $this->resource->created_at,
            'updated_at' => $this->resource->updated_at,
--- a/app/JsonApi/V2/Accounts/AccountSchema.php
+++ b/app/JsonApi/V2/Accounts/AccountSchema.php
@@ -4,6 +4,7 @@ namespace FireflyIII\JsonApi\V2\Accounts;

 use FireflyIII\Models\Account;
 use FireflyIII\Support\JsonApi\Concerns\UsergroupAware;
+use Illuminate\Support\Facades\Log;
 use LaravelJsonApi\Core\Schema\Schema;
 use LaravelJsonApi\Eloquent\Fields\Relations\HasOne;
 use LaravelJsonApi\NonEloquent\Fields\Attribute;
@@ -30,6 +31,7 @@ class AccountSchema extends Schema
     */
    public function fields(): array
    {
+        Log::debug(__METHOD__);;
        return [
            ID::make(),
            Attribute::make('name'),
@@ -44,6 +46,7 @@ class AccountSchema extends Schema
     */
    public function filters(): array
    {
+        Log::debug(__METHOD__);;
        return [
            // Filter::make('id'),
        ];
@@ -51,6 +54,10 @@ class AccountSchema extends Schema

    public function repository(): AccountRepository
    {
+        Log::debug(__METHOD__);;
+        // to access the repository, you need to have the necessary rights.
+
+
        $this->setUserGroup($this->server->getUsergroup());
        return AccountRepository::make()
                                ->withServer($this->server)
--- a/app/JsonApi/V2/Accounts/Capabilities/AccountQuery.php
+++ b/app/JsonApi/V2/Accounts/Capabilities/AccountQuery.php
@@ -29,6 +29,7 @@ use FireflyIII\Support\JsonApi\ExpandsQuery;
 use FireflyIII\Support\JsonApi\FiltersPagination;
 use FireflyIII\Support\JsonApi\SortsCollection;
 use FireflyIII\Support\JsonApi\ValidateSortParameters;
+use Illuminate\Support\Facades\Log;
 use LaravelJsonApi\Contracts\Store\HasPagination;
 use LaravelJsonApi\NonEloquent\Capabilities\QueryAll;
 use LaravelJsonApi\NonEloquent\Concerns\PaginatesEnumerables;
@@ -48,6 +49,7 @@ class AccountQuery extends QueryAll implements HasPagination
     */
    public function get(): iterable
    {
+        Log::debug(__METHOD__);
        // collect filters
        $filters    = $this->queryParameters->filter();
        // collect sort options
--- a/app/JsonApi/V2/Server.php
+++ b/app/JsonApi/V2/Server.php
@@ -30,6 +30,7 @@ class Server extends BaseServer
     */
    public function serving(): void
    {
+        // at this point the user may not actually have access to this user group.
        $res = $this->detectUserGroup();
        $this->setUserGroup($res);
    }
--- a/app/Rules/IsAllowedGroupAction.php
+++ b/app/Rules/IsAllowedGroupAction.php
@@ -0,0 +1,127 @@
+<?php
+/*
+ * IsAllowedGroupAction.php
+ * Copyright (c) 2024 james@firefly-iii.org.
+ *
+ * This file is part of Firefly III (https://github.com/firefly-iii).
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as
+ * published by the Free Software Foundation, either version 3 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program.  If not, see https://www.gnu.org/licenses/.
+ */
+
+declare(strict_types=1);
+
+namespace FireflyIII\Rules;
+
+use Closure;
+use FireflyIII\Enums\UserRoleEnum;
+use FireflyIII\Models\Account;
+use FireflyIII\Repositories\UserGroup\UserGroupRepositoryInterface;
+use FireflyIII\User;
+use Illuminate\Auth\AuthenticationException;
+use Illuminate\Contracts\Validation\ValidationRule;
+use Illuminate\Auth\Access\AuthorizationException;
+use Illuminate\Support\Facades\Log;
+
+class IsAllowedGroupAction implements ValidationRule
+{
+
+    private string $className;
+    private string $methodName;
+
+    private array $acceptedRoles;
+    private UserGroupRepositoryInterface $repository;
+
+    public function __construct(string $className, string $methodName)
+    {
+        $this->className = $className;
+        $this->methodName = $methodName;
+        // you need these roles to do anything with any endpoint.
+        $this->acceptedRoles = [UserRoleEnum::OWNER, UserRoleEnum::FULL];
+        $this->repository = app(UserGroupRepositoryInterface::class);
+    }
+
+    /**
+     * @inheritDoc
+     * @throws AuthorizationException
+     */
+    #[\Override] public function validate(string $attribute, mixed $value, Closure $fail): void
+    {
+        if('GET' === $this->methodName) {
+            // need at least "read only rights".
+            $this->acceptedRoles[] = UserRoleEnum::READ_ONLY;
+        }
+        if('GET' !== $this->methodName) {
+            // either post, put or delete or something else.. you need more access rights.
+            switch ($this->className) {
+                default:
+                    throw new AuthorizationException(sprintf('Cannot handle class "%s"', $this->className));
+                case Account::class:
+                    $this->acceptedRoles[] = UserRoleEnum::MANAGE_TRANSACTIONS;
+                    break;
+            }
+        }
+        $this->validateUserGroup((int)$value, $fail);
+    }
+
+    private function validateUserGroup(int $userGroupId, Closure $fail): void {
+        Log::debug(sprintf('validateUserGroup: %s', static::class));
+        if (!auth()->check()) {
+            Log::debug('validateUserGroup: user is not logged in, return NULL.');
+            $fail('validation.no_auth_user_group')->translate();
+            return;
+        }
+
+        /** @var User $user */
+        $user        = auth()->user();
+        if(0 !== $userGroupId) {
+            Log::debug(sprintf('validateUserGroup: user group submitted, search for memberships in group #%d.', $userGroupId));
+        }
+        if (0 === $userGroupId) {
+            $userGroupId = $user->user_group_id;
+            Log::debug(sprintf('validateUserGroup: no user group submitted, use default group #%d.', $userGroupId));
+        }
+
+        $this->repository->setUser($user);
+        $memberships = $this->repository->getMembershipsFromGroupId($userGroupId);
+
+        if (0 === $memberships->count()) {
+            Log::debug(sprintf('validateUserGroup: user has no access to group #%d.', $userGroupId));
+            $fail('validation.no_access_user_group')->translate();
+            return;
+        }
+
+        // need to get the group from the membership:
+        $userGroup       = $this->repository->getById($userGroupId);
+        if (null === $userGroup) {
+            Log::debug(sprintf('validateUserGroup: group #%d does not exist.', $userGroupId));
+            $fail('validation.belongs_user_or_user_group')->translate();
+            return;
+        }
+        Log::debug(sprintf('validateUserGroup: validate access of user to group #%d ("%s").', $userGroupId, $userGroup->title));
+        Log::debug(sprintf('validateUserGroup: have %d roles to check.', count($this->acceptedRoles)), $this->acceptedRoles);
+
+        /** @var UserRoleEnum $role */
+        foreach ($this->acceptedRoles as $role) {
+            if ($user->hasRoleInGroupOrOwner($userGroup, $role)) {
+                Log::debug(sprintf('validateUserGroup: User has role "%s" in group #%d, return.', $role->value, $userGroupId));
+
+                return;
+            }
+            Log::debug(sprintf('validateUserGroup: User does NOT have role "%s" in group #%d, continue searching.', $role->value, $userGroupId));
+        }
+
+        Log::debug('validateUserGroup: User does NOT have enough rights to access endpoint.');
+        $fail('validation.belongs_user_or_user_group')->translate();
+    }
+}
--- a/resources/lang/en_US/validation.php
+++ b/resources/lang/en_US/validation.php
@@ -268,6 +268,7 @@ return [
    'auto_budget_period_mandatory'    => 'The auto budget period is a mandatory field.',

    // no access to administration:
+    'no_auth_user_group'            => 'You have to be logged in to access this administration.',
    'no_access_user_group'            => 'You do not have the correct access rights for this administration.',
    'administration_owner_rename'     => 'You can\'t rename your standard administration.',
 ];