Merge branch '6.13' into 7.0

eZ/Publish/API/Repository/Tests/ContentServiceAuthorizationTest.php

@@ -1577,6 +1577,7 @@ public function testCopyContentToAuthorizedLocation()
         );
         $roleCreateStruct->addPolicy($roleService->newPolicyCreateStruct('content', 'read'));
         $roleCreateStruct->addPolicy($roleService->newPolicyCreateStruct('content', 'versionread'));
+        $roleCreateStruct->addPolicy($roleService->newPolicyCreateStruct('content', 'manage_locations'));
 
         $policyCreateStruct = $roleService->newPolicyCreateStruct('content', 'create');
         $policyCreateStruct->addLimitation($locationLimitation);

eZ/Publish/API/Repository/Tests/LocationServiceAuthorizationTest.php

@@ -10,6 +10,7 @@
 
 use eZ\Publish\API\Repository\Values\Content\Location;
 use eZ\Publish\API\Repository\Values\User\Limitation\OwnerLimitation;
+use eZ\Publish\API\Repository\Values\User\Limitation\SubtreeLimitation;
 
 /**
  * Test case for operations in the LocationService using in memory storage.
@@ -61,6 +62,64 @@ public function testCreateLocationThrowsUnauthorizedException()
         /* END: Use Case */
     }
 
+    /**
+     * Test for the createLocation() method. Tests a case when user doesn't have content/manage_locations policy for the new location ID.
+     *
+     * @see \eZ\Publish\API\Repository\LocationService::createLocation()
+     * @expectedException \eZ\Publish\API\Repository\Exceptions\UnauthorizedException
+     * @depends eZ\Publish\API\Repository\Tests\LocationServiceTest::testCreateLocation
+     */
+    public function testCreateLocationThrowsUnauthorizedExceptionDueToLackOfContentManageLocationsPolicy()
+    {
+        $repository = $this->getRepository();
+
+        $mediaDirectoryLocationId = $this->generateId('location', '43');
+
+        /* BEGIN: Use Case */
+        $locationService = $repository->getLocationService();
+        // Location for "Media" directory
+        $contentLocation = $locationService->loadLocation($mediaDirectoryLocationId);
+
+        // Create the new "Dummy" user group
+        $userService = $repository->getUserService();
+        $userGroupCreateStruct = $userService->newUserGroupCreateStruct('eng-GB');
+        $userGroupCreateStruct->setField('name', 'Dummy');
+        $dummyUserGroup = $userService->createUserGroup($userGroupCreateStruct, $userService->loadUserGroup(4));
+
+        // Create the new "Dummy" role with content/* policy limited by Subtree to "Media" folder
+        $roleService = $repository->getRoleService();
+        $role = $this->createRoleWithPolicies('Dummy', [
+            [
+                'module' => 'content',
+                'function' => 'read',
+                'limitations' => [],
+            ],
+            [
+                'module' => 'content',
+                'function' => 'manage_locations',
+                'limitations' => [new SubtreeLimitation(['limitationValues' => [$contentLocation->pathString]])],
+            ],
+        ]);
+
+        $user = $this->createUser('johndoe', 'John', 'Doe', $dummyUserGroup);
+        $roleService->assignRoleToUser($role, $user);
+        // Set current user to newly created user
+        $repository->setCurrentUser($user);
+
+        $locationCreateStruct = $locationService->newLocationCreateStruct('2');
+        $locationCreateStruct->priority = 12;
+        $locationCreateStruct->hidden = false;
+        $locationCreateStruct->sortField = Location::SORT_FIELD_NODE_ID;
+        $locationCreateStruct->sortOrder = Location::SORT_ORDER_DESC;
+
+        // This call will fail with an "UnauthorizedException"
+        $locationService->createLocation(
+            $contentLocation->contentInfo,
+            $locationCreateStruct
+        );
+        /* END: Use Case */
+    }
+
     /**
      * Test for the loadLocation() method.
      *

eZ/Publish/Core/REST/Server/Controller/Content.php

@@ -20,6 +20,7 @@
 use eZ\Publish\Core\REST\Server\Exceptions\ForbiddenException;
 use eZ\Publish\Core\REST\Server\Exceptions\BadRequestException;
 use eZ\Publish\Core\REST\Server\Exceptions\ContentFieldValidationException as RESTContentFieldValidationException;
+use eZ\Publish\Core\REST\Server\Values\RestContentCreateStruct;
 use Symfony\Component\HttpFoundation\Request;
 use Symfony\Component\HttpKernel\HttpKernelInterface;
 
@@ -227,50 +228,15 @@ public function loadContentInVersion($contentId, $versionNumber, Request $reques
      * object in the source server). The user has to publish the content if
      * it should be visible.
      *
+     * @param \Symfony\Component\HttpFoundation\Request $request
+     *
      * @return \eZ\Publish\Core\REST\Server\Values\CreatedContent
      */
     public function createContent(Request $request)
     {
-        $contentCreate = $this->inputDispatcher->parse(
-            new Message(
-                array('Content-Type' => $request->headers->get('Content-Type')),
-                $request->getContent()
-            )
-        );
-
-        try {
-            $content = $this->repository->getContentService()->createContent(
-                $contentCreate->contentCreateStruct,
-                array($contentCreate->locationCreateStruct)
-            );
-        } catch (ContentValidationException $e) {
-            throw new BadRequestException($e->getMessage());
-        } catch (ContentFieldValidationException $e) {
-            throw new RESTContentFieldValidationException($e);
-        }
+        $contentCreate = $this->parseCreateContentRequest($request);
 
-        $contentValue = null;
-        $contentType = null;
-        $relations = null;
-        if ($this->getMediaType($request) === 'application/vnd.ez.api.content') {
-            $contentValue = $content;
-            $contentType = $this->repository->getContentTypeService()->loadContentType(
-                $content->getVersionInfo()->getContentInfo()->contentTypeId
-            );
-            $relations = $this->repository->getContentService()->loadRelations($contentValue->getVersionInfo());
-        }
-
-        return new Values\CreatedContent(
-            array(
-                'content' => new Values\RestContent(
-                    $content->contentInfo,
-                    null,
-                    $contentValue,
-                    $contentType,
-                    $relations
-                ),
-            )
-        );
+        return $this->doCreateContent($request, $contentCreate);
     }
 
     /**
@@ -794,4 +760,66 @@ protected function forward($controller)
 
         return $this->container->get('http_kernel')->handle($subRequest, HttpKernelInterface::SUB_REQUEST);
     }
+
+    /**
+     * @param \Symfony\Component\HttpFoundation\Request $request
+     *
+     * @return mixed
+     */
+    protected function parseCreateContentRequest(Request $request)
+    {
+        return $this->inputDispatcher->parse(
+            new Message(
+                array('Content-Type' => $request->headers->get('Content-Type'), 'Url' => $request->getPathInfo()),
+                $request->getContent()
+            )
+        );
+    }
+
+    /**
+     * @param \Symfony\Component\HttpFoundation\Request $request
+     * @param \eZ\Publish\Core\REST\Server\Values\RestContentCreateStruct $contentCreate
+     *
+     * @throws \eZ\Publish\API\Repository\Exceptions\NotFoundException
+     * @throws \eZ\Publish\API\Repository\Exceptions\InvalidArgumentException
+     * @throws \eZ\Publish\API\Repository\Exceptions\UnauthorizedException
+     *
+     * @return \eZ\Publish\Core\REST\Server\Values\CreatedContent
+     */
+    protected function doCreateContent(Request $request, RestContentCreateStruct $contentCreate)
+    {
+        try {
+            $content = $this->repository->getContentService()->createContent(
+                $contentCreate->contentCreateStruct,
+                array($contentCreate->locationCreateStruct)
+            );
+        } catch (ContentValidationException $e) {
+            throw new BadRequestException($e->getMessage());
+        } catch (ContentFieldValidationException $e) {
+            throw new RESTContentFieldValidationException($e);
+        }
+
+        $contentValue = null;
+        $contentType = null;
+        $relations = null;
+        if ($this->getMediaType($request) === 'application/vnd.ez.api.content') {
+            $contentValue = $content;
+            $contentType = $this->repository->getContentTypeService()->loadContentType(
+                $content->getVersionInfo()->getContentInfo()->contentTypeId
+            );
+            $relations = $this->repository->getContentService()->loadRelations($contentValue->getVersionInfo());
+        }
+
+        return new Values\CreatedContent(
+            array(
+                'content' => new Values\RestContent(
+                    $content->contentInfo,
+                    null,
+                    $contentValue,
+                    $contentType,
+                    $relations
+                ),
+            )
+        );
+    }
 }

eZ/Publish/Core/Repository/LocationService.php

@@ -382,6 +382,10 @@ public function createLocation(ContentInfo $contentInfo, LocationCreateStruct $l
         $content = $this->repository->getContentService()->loadContent($contentInfo->id);
         $parentLocation = $this->loadLocation($locationCreateStruct->parentLocationId);
 
+        if (!$this->repository->canUser('content', 'manage_locations', $content->contentInfo, $parentLocation)) {
+            throw new UnauthorizedException('content', 'manage_locations');
+        }
+
         if (!$this->repository->canUser('content', 'create', $content->contentInfo, $parentLocation)) {
             throw new UnauthorizedException('content', 'create');
         }