Sessions: Secure access to /api/users/{id}/sessions_rel_users.json

src/CoreBundle/DataProvider/Extension/CDocumentExtension.php

@@ -25,7 +25,6 @@ final class CDocumentExtension implements QueryCollectionExtensionInterface //,
 
     public function applyToCollection(QueryBuilder $queryBuilder, QueryNameGeneratorInterface $queryNameGenerator, string $resourceClass, string $operationName = null): void
     {
-        error_log('applyToCollection');
         $this->addWhere($queryBuilder, $resourceClass);
     }
 
@@ -37,7 +36,6 @@ final class CDocumentExtension implements QueryCollectionExtensionInterface //,
 
     private function addWhere(QueryBuilder $queryBuilder, string $resourceClass): void
     {
-        error_log('addWhere');
         if (CDocument::class !== $resourceClass ||
             $this->security->isGranted('ROLE_ADMIN') ||
             null === $user = $this->security->getUser()
@@ -45,6 +43,7 @@ final class CDocumentExtension implements QueryCollectionExtensionInterface //,
             return;
         }
 
+        error_log('addWhere');
         error_log('here!');
         $rootAlias = $queryBuilder->getRootAliases()[0];
 

src/CoreBundle/DataProvider/Extension/CourseRelUserExtension.php

@@ -25,7 +25,6 @@ final class CourseRelUserExtension implements QueryCollectionExtensionInterface
 
     public function applyToCollection(QueryBuilder $queryBuilder, QueryNameGeneratorInterface $queryNameGenerator, string $resourceClass, string $operationName = null): void
     {
-        error_log('applyToCollection CourseRelUserExtension');
         $this->addWhere($queryBuilder, $resourceClass);
     }
 
@@ -37,7 +36,6 @@ final class CourseRelUserExtension implements QueryCollectionExtensionInterface
 
     private function addWhere(QueryBuilder $queryBuilder, string $resourceClass): void
     {
-        //error_log('addWhere CourseRelUserExtension');
         if (CourseRelUser::class !== $resourceClass) {
             return;
         }
@@ -48,15 +46,10 @@ final class CourseRelUserExtension implements QueryCollectionExtensionInterface
 
         if (null === $user = $this->security->getUser()) {
             throw new AccessDeniedException('Access Denied.');
-
-            return;
         }
 
         $rootAlias = $queryBuilder->getRootAliases()[0];
-        $queryBuilder->
-            andWhere($rootAlias.'.user = :current_user')
-        ;
-        //$queryBuilder->andWhere(sprintf('%s.node.creator = :current_user', $rootAlias));
-        $queryBuilder->setParameter('current_user', $user->getId());
+        $queryBuilder->andWhere(sprintf('%s.user = :current_user', $rootAlias));
+        $queryBuilder->setParameter('current_user', $user);
     }
 }

src/CoreBundle/DataProvider/Extension/SessionRelUserExtension.php

@@ -0,0 +1,55 @@
+<?php
+
+/* For licensing terms, see /license.txt */
+
+declare(strict_types=1);
+
+namespace Chamilo\CoreBundle\DataProvider\Extension;
+
+use ApiPlatform\Core\Bridge\Doctrine\Orm\Extension\QueryCollectionExtensionInterface;
+//use ApiPlatform\Core\Bridge\Doctrine\Orm\Extension\QueryItemExtensionInterface;
+use ApiPlatform\Core\Bridge\Doctrine\Orm\Util\QueryNameGeneratorInterface;
+use Chamilo\CoreBundle\Entity\SessionRelUser;
+use Doctrine\ORM\QueryBuilder;
+use Symfony\Component\Security\Core\Exception\AccessDeniedException;
+use Symfony\Component\Security\Core\Security;
+
+final class SessionRelUserExtension implements QueryCollectionExtensionInterface //, QueryItemExtensionInterface
+{
+    private Security $security;
+
+    public function __construct(Security $security)
+    {
+        $this->security = $security;
+    }
+
+    public function applyToCollection(QueryBuilder $queryBuilder, QueryNameGeneratorInterface $queryNameGenerator, string $resourceClass, string $operationName = null): void
+    {
+        $this->addWhere($queryBuilder, $resourceClass);
+    }
+
+    /*public function applyToItem(QueryBuilder $queryBuilder, QueryNameGeneratorInterface $queryNameGenerator, string $resourceClass, array $identifiers, string $operationName = null, array $context = []): void
+    {
+        error_log('applyToItem');
+        $this->addWhere($queryBuilder, $resourceClass);
+    }*/
+
+    private function addWhere(QueryBuilder $queryBuilder, string $resourceClass): void
+    {
+        if (SessionRelUser::class !== $resourceClass) {
+            return;
+        }
+
+        if ($this->security->isGranted('ROLE_ADMIN')) {
+            return;
+        }
+
+        if (null === $user = $this->security->getUser()) {
+            throw new AccessDeniedException('Access Denied.');
+        }
+
+        $rootAlias = $queryBuilder->getRootAliases()[0];
+        $queryBuilder->andWhere(sprintf('%s.user = :current_user', $rootAlias));
+        $queryBuilder->setParameter('current_user', $user);
+    }
+}