Refactor permission check
weisswurstkanone committed May 28, 2020
1 parent b62b2be commit 75c82db
Showing 27 changed files with 122 additions and 160 deletions.
3 changes: 2 additions & 1 deletion doc/graphl/Security.md
Expand Up @@ -32,4 +32,5 @@ pimcore_data_hub:
not_allowed_policy: 2
```


It is also possible to disable the permission checks entirely by setting the configuration option
in the security definition tab.
Binary file modified doc/img/graphql/security1.png
8 changes: 8 additions & 0 deletions src/Configuration.php
Expand Up @@ -128,6 +128,14 @@ public function isActive()
return $this->configuration && $this->configuration['general'] ? $this->configuration['general']['active'] : false;
}

/**
* @return string|bool
*/
public function skipPermisssionCheck()
{
return $this->configuration && $this->configuration['security'] ? $this->configuration['security']['skipPermissionCheck'] : false;
}

/**
* @param string $path
*/
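Review bot: The new accessor on the `public function skipPermisssionCheck()` line misspells its own name (three `s`), so every caller has to reproduce the typo and a later correction becomes a rename of a public method; name it `skipPermissionCheck()` now, before anything depends on it. The guard `$this->configuration && $this->configuration['security']` also reads `['security']` and `['skipPermissionCheck']` without `isset`, which raises an undefined-index notice for configurations written before this option existed; `return $this->configuration['security']['skipPermissionCheck'] ?? false;` keeps the fail-closed default without the notice. Since, per the Security.md hunk above, this flag disables the workspace permission checks entirely, the docblock should state that consequence and the return type should be `@return bool` rather than `string|bool`, unless the raw config string is deliberately passed through unconverted to the callers.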
Original file line number Diff line number Diff line change
Expand Up @@ -82,12 +82,8 @@ public function resolve($value = null, $args = [], $context = [], ResolveInfo $r

$assetElement = $this->getAssetElement($asset);

if (!WorkspaceHelper::isAllowed($assetElement, $context['configuration'], 'read')) {
if (PimcoreDataHubBundle::getNotAllowedPolicy() == PimcoreDataHubBundle::NOT_ALLOWED_POLICY_EXCEPTION) {
throw new NotAllowedException('not allowed to view ' . $asset->getFullPath());
} else {
return null;
}
if (!WorkspaceHelper::checkPermission($assetElement, 'read')) {
return null;
}

$data = new ElementDescriptor($assetElement);
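Review bot: The replacement check on the `if (!WorkspaceHelper::checkPermission($assetElement, 'read'))` line always returns `null` on denial, whereas the removed code consulted `PimcoreDataHubBundle::getNotAllowedPolicy()` and threw `NotAllowedException` under the exception policy; unless `checkPermission()` (not part of this commit) throws under that policy itself, the configured policy is silently reduced to "return null" for every resolver. The `$context['configuration']` argument is no longer passed either, so the helper must obtain the active workspace configuration from somewhere other than the resolver context, which deserves a one-line comment at the call site such as `// checkPermission() resolves the active configuration and applies the not-allowed policy itself` once that contract is confirmed. The same substitution appears in every other resolver hunk below (the Hotspotimage resolver, the relation and metadata resolvers, AssetFolderType.php, AssetType.php, DataObjectType.php, DocumentFolderType.php, DocumentType.php and ObjectFolderType.php), so documenting the contract of `checkPermission()` in one place covers all of them. The enclosing `resolve()` starts and ends outside the hunk.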
Original file line number Diff line number Diff line change
Expand Up @@ -87,17 +87,16 @@ public function resolve($value = null, $args = [], $context = [], ResolveInfo $r
if ($container instanceof \Pimcore\Model\DataObject\Data\Hotspotimage) {
$image = $container->getImage();
if ($image instanceof Asset) {
if (!WorkspaceHelper::isAllowed($image, $context['configuration'], 'read')) {
throw new NotAllowedException('permission denied. check your workspace settings');
}
if (WorkspaceHelper::checkPermission($image, 'read')) {

$data = new ElementDescriptor($image);
$this->getGraphQlService()->extractData($data, $image, $args, $context, $resolveInfo);
$data = new ElementDescriptor($image);
$this->getGraphQlService()->extractData($data, $image, $args, $context, $resolveInfo);

$data['crop'] = $container->getCrop();
$data['hotspots'] = $container->getHotspots();
$data['marker'] = $container->getMarker();
return $data;
$data['crop'] = $container->getCrop();
$data['hotspots'] = $container->getHotspots();
$data['marker'] = $container->getMarker();
return $data;
}
}
}

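Review bot: After the wrap in `if (WorkspaceHelper::checkPermission($image, 'read')) {` the denied case has no explicit outcome: control falls out of the three nested `if` blocks to whatever follows the hunk, so a reader cannot tell from this hunk whether a denied image yields `null` or something else. An explicit `return null;` after the outer `if ($container instanceof \Pimcore\Model\DataObject\Data\Hotspotimage)` block, or an `else { return null; }` on the permission check, would make the denied path as visible as the removed `throw` was. The enclosing `resolve()` starts and ends outside the hunk.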
Original file line number Diff line number Diff line change
Expand Up @@ -76,12 +76,8 @@ public function resolve($value = null, $args = [], $context = [], ResolveInfo $r
$relation = \Pimcore\Bundle\DataHubBundle\GraphQL\Service::resolveValue($value, $this->fieldDefinition, $this->attribute, $args);

if ($relation instanceof ElementInterface) {
if (!WorkspaceHelper::isAllowed($relation, $context['configuration'], 'read')) {
if (PimcoreDataHubBundle::getNotAllowedPolicy() == PimcoreDataHubBundle::NOT_ALLOWED_POLICY_EXCEPTION) {
throw new NotAllowedException('not allowed to view ' . $relation->getFullPath());
} else {
return null;
}
if (!WorkspaceHelper::checkPermission($relation, 'read')) {
return null;
}

$data = new ElementDescriptor($relation);
Original file line number Diff line number Diff line change
Expand Up @@ -95,8 +95,8 @@ public function resolve($value = null, $args = [], $context = [], ResolveInfo $r
}

if ($image instanceof Asset) {
if (!WorkspaceHelper::isAllowed($image, $context['configuration'], 'read')) {
throw new NotAllowedException('permission denied. check your workspace settings');
if (!WorkspaceHelper::checkPermission($image, 'read')) {
continue;
}

$data = new ElementDescriptor($image);
Original file line number Diff line number Diff line change
Expand Up @@ -75,12 +75,8 @@ public function resolve($value = null, $args = [], $context = [], ResolveInfo $r
if ($relations) {
/** @var $relation AbstractElement */
foreach ($relations as $relation) {
if (!WorkspaceHelper::isAllowed($relation, $context['configuration'], 'read')) {
if (PimcoreDataHubBundle::getNotAllowedPolicy() == PimcoreDataHubBundle::NOT_ALLOWED_POLICY_EXCEPTION) {
throw new NotAllowedException('not allowed to view ' . $relation->getFullPath());
} else {
continue;
}
if (!WorkspaceHelper::checkPermission($relation, 'read')) {
continue;
}

$data = new ElementDescriptor($relation);
Original file line number Diff line number Diff line change
Expand Up @@ -75,12 +75,8 @@ public function resolve($value = null, $args = [], $context = [], ResolveInfo $r
/** @var $relation ElementMetadata */
foreach ($relations as $relation) {
$element = $relation->getElement();
if (!WorkspaceHelper::isAllowed($element, $context['configuration'], 'read')) {
if (PimcoreDataHubBundle::getNotAllowedPolicy() == PimcoreDataHubBundle::NOT_ALLOWED_POLICY_EXCEPTION) {
throw new NotAllowedException('not allowed to view ' . $relation->getFullPath());
} else {
continue;
}
if (!WorkspaceHelper::checkPermission($element, 'read')) {
continue;
}

$data = [];
Original file line number Diff line number Diff line change
Expand Up @@ -76,12 +76,8 @@ public function resolve($value = null, $args = [], $context = [], ResolveInfo $r
$result = [];
/** @var $relation AbstractElement */
foreach ($relations as $relation) {
if (!WorkspaceHelper::isAllowed($relation, $context['configuration'], 'read')) {
if (PimcoreDataHubBundle::getNotAllowedPolicy() == PimcoreDataHubBundle::NOT_ALLOWED_POLICY_EXCEPTION) {
throw new NotAllowedException('not allowed to view ' . $relation->getFullPath());
} else {
continue;
}
if (!WorkspaceHelper::checkPermission($relation, 'read')) {
continue;
}

$data = new ElementDescriptor($relation);
Original file line number Diff line number Diff line change
Expand Up @@ -75,12 +75,8 @@ public function resolve($value = null, $args = [], $context = [], ResolveInfo $r
/** @var $relation ElementMetadata */
foreach ($relations as $relation) {
$element = $relation->getElement();
if (!WorkspaceHelper::isAllowed($element, $context['configuration'], 'read')) {
if (PimcoreDataHubBundle::getNotAllowedPolicy() == PimcoreDataHubBundle::NOT_ALLOWED_POLICY_EXCEPTION) {
throw new NotAllowedException('not allowed to view ' . $element->getFullPath());
} else {
continue;
}
if (!WorkspaceHelper::checkPermission($element, 'read')) {
continue;
}

$data = [];
Original file line number Diff line number Diff line change
Expand Up @@ -81,12 +81,8 @@ public function resolve($value = null, $args = [], $context = [], ResolveInfo $r
foreach ($relations as $relationRaw) {
$relation = Concrete::getById($relationRaw['id']);
if ($relation) {
if (!WorkspaceHelper::isAllowed($relation, $context['configuration'], 'read')) {
if (PimcoreDataHubBundle::getNotAllowedPolicy() == PimcoreDataHubBundle::NOT_ALLOWED_POLICY_EXCEPTION) {
throw new NotAllowedException('not allowed to view ' . $relation->getFullPath());
} else {
continue;
}
if (!WorkspaceHelper::checkPermission($relation, 'read')) {
continue;
}

$data = new ElementDescriptor($relation);
24 changes: 9 additions & 15 deletions src/GraphQL/Mutation/MutationType.php
Expand Up @@ -214,7 +214,7 @@ public function buildDataObjectMutations(&$config = [], $context = [])

/** @var $configuration Configuration */
$configuration = $context['configuration'];
if (!WorkspaceHelper::isAllowed($parent, $configuration, "create") && !$me->omitPermissionCheck) {
if (!$me->omitPermissionCheck && !WorkspaceHelper::checkPermission($parent, "create")) {
return [
"success" => false,
"message" => "not allowed to create object " . $entity
Expand Down Expand Up @@ -328,7 +328,7 @@ public function buildDataObjectMutations(&$config = [], $context = [])
$className = 'Pimcore\\Model\\DataObject\\' . ucfirst($entity);
$object = $className::getById($id);

if (!WorkspaceHelper::isAllowed($object, $configuration, "delete") && !$me->omitPermissionCheck) {
if (!$me->omitPermissionCheck && !WorkspaceHelper::checkPermission($object, "delete") ) {
return [
"success" => false,
"message" => "permission denied."
Expand Down Expand Up @@ -406,7 +406,7 @@ public function getUpdateObjectResolver($entity, $modelFactory, $processors, $lo
$object = $className::getById($id);
}

if (!WorkspaceHelper::isAllowed($object, $configuration, "update") && !$omitPermissionCheck) {
if (!$omitPermissionCheck && !WorkspaceHelper::checkPermission($object, "update")) {
return [
"success" => false,
"message" => "permission denied."
Expand Down Expand Up @@ -512,9 +512,7 @@ public function buildCreateAssetMutation(&$config, $context)
];
}

/** @var $configuration Configuration */
$configuration = $context['configuration'];
if (!WorkspaceHelper::isAllowed($parent, $configuration, "create") && !$omitPermissionCheck) {
if (!$omitPermissionCheck && !WorkspaceHelper::checkPermission($parent, "create")) {
return [
"success" => false,
"message" => "not allowed to create asset"
Expand Down Expand Up @@ -706,9 +704,7 @@ public function getCreateFolderResolver($elementType)
];
}

/** @var $configuration Configuration */
$configuration = $context['configuration'];
if (!WorkspaceHelper::isAllowed($parent, $configuration, "create") && !$me->omitPermissionCheck) {
if (!$me->omitPermissionCheck && !WorkspaceHelper::checkPermission($parent, "create") ) {
return [
"success" => false,
"message" => "not allowed to create " . $elementType . "folder "
Expand Down Expand Up @@ -795,7 +791,7 @@ public function buildUpdateFolderMutation($type, &$config, $context)
$element = \Pimcore\Model\DataObject\Folder::getById($id);
}

if (!WorkspaceHelper::isAllowed($element, $configuration, "update") && !$omitPermissionCheck) {
if (!$omitPermissionCheck && !WorkspaceHelper::checkPermission($element, "update") ) {
return [
"success" => false,
"message" => "permission denied."
Expand Down Expand Up @@ -882,7 +878,7 @@ public function buildDeleteElementMutation(&$config, $context, $type)
$element = DataObject::getById($id);
}

if (!WorkspaceHelper::isAllowed($element, $configuration, "delete") && !$omitPermissionCheck) {
if (!$omitPermissionCheck && !WorkspaceHelper::checkPermission($element, "delete")) {
return [
"success" => false,
"message" => "delete " . $type . " permission denied."
Expand Down Expand Up @@ -958,7 +954,7 @@ public function buildDeleteFolderMutation($type, &$config, $context)
$element = \Pimcore\Model\DataObject\Folder::getById($id);
}

if (!WorkspaceHelper::isAllowed($element, $configuration, "delete") && !$omitPermissionCheck) {
if (!$omitPermissionCheck && !WorkspaceHelper::checkPermission($element, "delete")) {
return [
"success" => false,
"message" => "delete " . $type . " permission denied."
Expand Down Expand Up @@ -1006,9 +1002,7 @@ public function getUpdateFolderResolver($elementType)
];
}

/** @var $configuration Configuration */
$configuration = $context['configuration'];
if (!WorkspaceHelper::isAllowed($parent, $configuration, "update") && !$me->omitPermissionCheck) {
if (!$me->omitPermissionCheck && !WorkspaceHelper::checkPermission($parent, "update") ) {
return [
"success" => false,
"message" => "not allowed to create " . $elementType . "folder "
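Review bot: The hunks at `@@ -512,9 +512,7 @@` (buildCreateAssetMutation), `@@ -706,9 +704,7 @@` (getCreateFolderResolver) and `@@ -1006,9 +1002,7 @@` (getUpdateFolderResolver) drop the `$configuration = $context['configuration'];` assignment together with its `@var` annotation; if `$configuration` is still read later in those resolver bodies, which continue past the hunks, it is now an undefined variable, so those bodies need checking before merge. Reordering to `!$omitPermissionCheck && !WorkspaceHelper::checkPermission(...)` is sound, since the permission lookup is now short-circuited when the check is omitted. As a point of style, four of the new conditions carry a stray space before the closing parenthesis (`"delete") )`, `"create") )`, `"update") )` in the `-328`, `-706`, `-795` and `-1006` hunks); `)` should directly follow the argument, as it does in the other hunks of this file.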
8 changes: 2 additions & 6 deletions src/GraphQL/PropertyType/AssetFolderType.php
Expand Up @@ -74,12 +74,8 @@ public function __construct(Service $graphQlService)
$element = $value->getData();
}
if ($element) {
if (!WorkspaceHelper::isAllowed($element, $context['configuration'], 'read')) {
if (PimcoreDataHubBundle::getNotAllowedPolicy() == PimcoreDataHubBundle::NOT_ALLOWED_POLICY_EXCEPTION) {
throw new NotAllowedException('not allowed to view document');
} else {
return null;
}
if (!WorkspaceHelper::checkPermission($element, 'read')) {
return null;
}
/** @var $element Folder */
$data = new ElementDescriptor($element);
8 changes: 2 additions & 6 deletions src/GraphQL/PropertyType/AssetType.php
Expand Up @@ -74,12 +74,8 @@ public function __construct(Service $graphQlService)
}

if ($element) {
if (!WorkspaceHelper::isAllowed($element, $context['configuration'], 'read')) {
if (PimcoreDataHubBundle::getNotAllowedPolicy() == PimcoreDataHubBundle::NOT_ALLOWED_POLICY_EXCEPTION) {
throw new NotAllowedException('not allowed to view object');
} else {
return null;
}
if (!WorkspaceHelper::checkPermission($element, 'read')) {
return null;
}

$data = new ElementDescriptor($element);
8 changes: 2 additions & 6 deletions src/GraphQL/PropertyType/DataObjectType.php
Expand Up @@ -73,12 +73,8 @@ public function __construct(Service $graphQlService, ObjectsType $objectUnionTyp
}

if ($element) {
if (!WorkspaceHelper::isAllowed($element, $context['configuration'], 'read')) {
if (PimcoreDataHubBundle::getNotAllowedPolicy() == PimcoreDataHubBundle::NOT_ALLOWED_POLICY_EXCEPTION) {
throw new NotAllowedException('not allowed to view object');
} else {
return null;
}
if (!WorkspaceHelper::checkPermission($element, 'read')) {
return null;
}

/** @var $element AbstractObject */
8 changes: 2 additions & 6 deletions src/GraphQL/PropertyType/DocumentFolderType.php
Expand Up @@ -73,12 +73,8 @@ public function __construct(Service $graphQlService)
$element = $value->getData();
}
if ($element) {
if (!WorkspaceHelper::isAllowed($element, $context['configuration'], 'read')) {
if (PimcoreDataHubBundle::getNotAllowedPolicy() == PimcoreDataHubBundle::NOT_ALLOWED_POLICY_EXCEPTION) {
throw new NotAllowedException('not allowed to view document');
} else {
return null;
}
if (!WorkspaceHelper::checkPermission($element, 'read')) {
return null;
}
/** @var $element Document\Folder */
$data = new ElementDescriptor($element);
8 changes: 2 additions & 6 deletions src/GraphQL/PropertyType/DocumentType.php
Expand Up @@ -73,12 +73,8 @@ public function __construct(Service $graphQlService)
$element = $value->getData();
}
if ($element) {
if (!WorkspaceHelper::isAllowed($element, $context['configuration'], 'read')) {
if (PimcoreDataHubBundle::getNotAllowedPolicy() == PimcoreDataHubBundle::NOT_ALLOWED_POLICY_EXCEPTION) {
throw new NotAllowedException('not allowed to view document');
} else {
return null;
}
if (!WorkspaceHelper::checkPermission($element, 'read')) {
return null;
}
/** @var $element Document */
$data = new ElementDescriptor($element);
8 changes: 2 additions & 6 deletions src/GraphQL/PropertyType/ObjectFolderType.php
Expand Up @@ -74,12 +74,8 @@ public function __construct(Service $graphQlService)
$element = $value->getData();
}
if ($element) {
if (!WorkspaceHelper::isAllowed($element, $context['configuration'], 'read')) {
if (PimcoreDataHubBundle::getNotAllowedPolicy() == PimcoreDataHubBundle::NOT_ALLOWED_POLICY_EXCEPTION) {
throw new NotAllowedException('not allowed to view document');
} else {
return null;
}
if (!WorkspaceHelper::checkPermission($element, 'read')) {
return null;
}
/** @var $element Folder */
$data = new ElementDescriptor($element);
Expand Down
0 comments on commit 75c82db
