Don't expose uihelper views via the API / allow to get stock_log via generic entity interaction endpoints (no edit)

controllers/GenericEntityApiController.php

@@ -11,7 +11,7 @@ class GenericEntityApiController extends BaseApiController
 	{
 		User::checkPermission($request, User::PERMISSION_MASTER_DATA_EDIT);
 
-		if ($this->IsValidEntity($args['entity']))
+		if ($this->IsValidEntity($args['entity']) && !$this->IsEntityWithNoEdit($args['entity']))
 		{
 			if ($this->IsEntityWithEditRequiresAdmin($args['entity']))
 			{
@@ -27,10 +27,10 @@ class GenericEntityApiController extends BaseApiController
 					throw new \Exception('Request body could not be parsed (probably invalid JSON format or missing/wrong Content-Type header)');
 				}
 
-				$newRow = $this->getDatabase()->{$args['entity']}
-				()->createRow($requestBody);
+				$newRow = $this->getDatabase()->{$args['entity']}()->createRow($requestBody);
 				$newRow->save();
 				$success = $newRow->isClean();
+
 				return $this->ApiResponse($response, [
 					'created_object_id' => $this->getDatabase()->lastInsertId()
 				]);
@@ -50,16 +50,17 @@ class GenericEntityApiController extends BaseApiController
 	{
 		User::checkPermission($request, User::PERMISSION_MASTER_DATA_EDIT);
 
-		if ($this->IsValidEntity($args['entity']))
+		if ($this->IsValidEntity($args['entity']) && !$this->IsEntityWithNoEdit($args['entity']))
 		{
 			if ($this->IsEntityWithEditRequiresAdmin($args['entity']))
 			{
 				User::checkPermission($request, User::PERMISSION_ADMIN);
 			}
-			$row = $this->getDatabase()->{$args['entity']}
-			($args['objectId']);
+
+			$row = $this->getDatabase()->{$args['entity']}($args['objectId']);
 			$row->delete();
 			$success = $row->isClean();
+
 			return $this->EmptyApiResponse($response);
 		}
 		else
@@ -72,7 +73,7 @@ class GenericEntityApiController extends BaseApiController
 	{
 		User::checkPermission($request, User::PERMISSION_MASTER_DATA_EDIT);
 
-		if ($this->IsValidEntity($args['entity']))
+		if ($this->IsValidEntity($args['entity']) && !$this->IsEntityWithNoEdit($args['entity']))
 		{
 			if ($this->IsEntityWithEditRequiresAdmin($args['entity']))
 			{
@@ -88,10 +89,10 @@ class GenericEntityApiController extends BaseApiController
 					throw new \Exception('Request body could not be parsed (probably invalid JSON format or missing/wrong Content-Type header)');
 				}
 
-				$row = $this->getDatabase()->{$args['entity']}
-				($args['objectId']);
+				$row = $this->getDatabase()->{$args['entity']}($args['objectId']);
 				$row->update($requestBody);
 				$success = $row->isClean();
+
 				return $this->EmptyApiResponse($response);
 			}
 			catch (\Exception $ex)
@@ -213,6 +214,11 @@ class GenericEntityApiController extends BaseApiController
 		return !in_array($entity, $this->getOpenApiSpec()->components->internalSchemas->ExposedEntityButNoListing->enum);
 	}
 
+	private function IsEntityWithNoEdit($entity)
+	{
+		return in_array($entity, $this->getOpenApiSpec()->components->internalSchemas->ExposedEntityNoEdit->enum);
+	}
+
 	private function IsValidEntity($entity)
 	{
 		return in_array($entity, $this->getOpenApiSpec()->components->internalSchemas->ExposedEntity->enum);

controllers/OpenApiController.php

@@ -28,14 +28,24 @@ class OpenApiController extends BaseApiController
 
 	public function DocumentationSpec(\Psr\Http\Message\ServerRequestInterface $request, \Psr\Http\Message\ResponseInterface $response, array $args)
 	{
+		$spec = $this->getOpenApiSpec();
+
 		$applicationService = $this->getApplicationService();
-
 		$versionInfo = $applicationService->GetInstalledVersion();
-		$this->getOpenApiSpec()->info->version = $versionInfo->Version;
-		$this->getOpenApiSpec()->info->description = str_replace('PlaceHolderManageApiKeysUrl', $this->AppContainer->get('UrlManager')->ConstructUrl('/manageapikeys'), $this->getOpenApiSpec()->info->description);
-		$this->getOpenApiSpec()->servers[0]->url = $this->AppContainer->get('UrlManager')->ConstructUrl('/api');
+		$spec->info->version = $versionInfo->Version;
+		$spec->info->description = str_replace('PlaceHolderManageApiKeysUrl', $this->AppContainer->get('UrlManager')->ConstructUrl('/manageapikeys'), $spec->info->description);
+		$spec->servers[0]->url = $this->AppContainer->get('UrlManager')->ConstructUrl('/api');
 
-		return $this->ApiResponse($response, $this->getOpenApiSpec());
+		$spec->components->internalSchemas->ExposedEntity_NotIncludingNotEditable = clone $spec->components->internalSchemas->StringEnumTemplate;
+		foreach ($spec->components->internalSchemas->ExposedEntity->enum as $value)
+		{
+			if (!in_array($value, $spec->components->internalSchemas->ExposedEntityNoEdit->enum))
+			{
+				array_push($spec->components->internalSchemas->ExposedEntity_NotIncludingNotEditable->enum, $value);
+			}
+		}
+
+		return $this->ApiResponse($response, $spec);
 	}
 
 	public function DocumentationUi(\Psr\Http\Message\ServerRequestInterface $request, \Psr\Http\Message\ResponseInterface $response, array $args)