EZP-29536: User isn't redirected to the login page when UnauthorizedE…

…xception is thrown (ezsystems#2419) * User isn't redirected to the login page when UnauthorizedException is thrown * Improve canRead to take embed into account * fixup! Improve canRead to take embed into account * Missing typehint
ezpublishlegacy · Aug 17, 2018 · da6a849 · da6a849
1 parent bd4f00b
commit da6a849
Showing 1 changed file with 16 additions and 4 deletions.
diff --git a/eZ/Publish/Core/MVC/Symfony/View/Builder/ContentViewBuilder.php b/eZ/Publish/Core/MVC/Symfony/View/Builder/ContentViewBuilder.php
@@ -100,6 +100,17 @@ public function buildView(array $parameters)
         } elseif ($location instanceof Location) {
             // if we already have location load content true it so we avoid dual loading in case user does that in view
             $content = $location->getContent();
+            if (!$this->canRead($content, $location, $view->isEmbed())) {
+                $missingPermission = 'read' . ($view->isEmbed() ? '|view_embed' : '');
+                throw new UnauthorizedException(
+                    'content',
+                    $missingPermission,
+                    [
+                        'contentId' => $content->id,
+                        'locationId' => $location->id,
+                    ]
+                );
+            }
         } else {
             if (isset($parameters['contentId'])) {
                 $contentId = $parameters['contentId'];
@@ -230,12 +241,13 @@ function (Repository $repository) use ($locationId) {
     /**
      * Checks if a user can read a content, or view it as an embed.
      *
-     * @param Content $content
-     * @param $location
+     * @param \eZ\Publish\API\Repository\Values\Content\Content $content
+     * @param \eZ\Publish\API\Repository\Values\Content\Location $location
+     * @param bool $isEmbed
      *
      * @return bool
      */
-    private function canRead(Content $content, Location $location = null)
+    private function canRead(Content $content, Location $location = null, bool $isEmbed = true): bool
     {
         $limitations = ['valueObject' => $content->contentInfo];
         if (isset($location)) {
@@ -247,7 +259,7 @@ private function canRead(Content $content, Location $location = null)
 
         return
             $this->authorizationChecker->isGranted($readAttribute) ||
-            $this->authorizationChecker->isGranted($viewEmbedAttribute);
+            ($isEmbed && $this->authorizationChecker->isGranted($viewEmbedAttribute));
     }
 
     /**