Fix CourseRelUserExtension.php access

4 years ago · db06820d69
parent 42f8d38c85
commit db06820d69
2 changed files with 18 additions and 7 deletions
--- a/src/CoreBundle/DataProvider/Extension/CourseRelUserExtension.php
+++ b/src/CoreBundle/DataProvider/Extension/CourseRelUserExtension.php
@ -25,6 +25,21 @@ final class CourseRelUserExtension implements QueryCollectionExtensionInterface
    public function applyToCollection(QueryBuilder $queryBuilder, QueryNameGeneratorInterface $queryNameGenerator, string $resourceClass, string $operationName = null): void
    {
        if ($this->security->isGranted('ROLE_ADMIN')) {
            return;
        }
        // Blocks a ROLE_USER to access CourseRelUsers from another User.
        if ('collection_query' === $operationName) {
            if (null === $user = $this->security->getUser()) {
                throw new AccessDeniedException('Access Denied.');
            }
            $rootAlias = $queryBuilder->getRootAliases()[0];
            $queryBuilder->andWhere(sprintf('%s.user = :current_user', $rootAlias));
            $queryBuilder->setParameter('current_user', $user);
        }
        $this->addWhere($queryBuilder, $resourceClass);
    }
@ -44,12 +59,9 @@ final class CourseRelUserExtension implements QueryCollectionExtensionInterface
            return;
        }
        // Need to be login to access the list.
        if (null === $user = $this->security->getUser()) {
            throw new AccessDeniedException('Access Denied.');
        }
        $rootAlias = $queryBuilder->getRootAliases()[0];
        $queryBuilder->andWhere(sprintf('%s.user = :current_user', $rootAlias));
        $queryBuilder->setParameter('current_user', $user);
    }
 }
--- a/src/CoreBundle/Entity/User.php
+++ b/src/CoreBundle/Entity/User.php
@ -36,6 +36,8 @@ use Symfony\Component\Validator\Mapping\ClassMetadata;
 use UserManager;
 /**
 * EquatableInterface is needed to check if the user needs to be refreshed.
 *
 * @ApiResource(
 *     attributes={"security"="is_granted('ROLE_ADMIN')"},
 *     iri="http://schema.org/Person",
@ -68,9 +70,6 @@ use UserManager;
 ])]
 #[ApiFilter(BooleanFilter::class, properties: ['isActive'])]
 /**
 * EquatableInterface is needed to check if user need to be refreshed.
 */
 class User implements UserInterface, EquatableInterface, ResourceInterface, ResourceIllustrationInterface, PasswordAuthenticatedUserInterface, LegacyPasswordAuthenticatedUserInterface
 {
    use TimestampableEntity;