Merge remote-tracking branch 'upstream/master' into feature/routing

AlexejKossmann · Jul 10, 2020 · c60854c · c60854c
2 parents ece1376 + 4e7cfbf
commit c60854c
Show file tree

Hide file tree

Showing 7 changed files with 418 additions and 6 deletions.
diff --git a/calendar-bundle/src/Security/ContaoCalendarPermissions.php b/calendar-bundle/src/Security/ContaoCalendarPermissions.php
@@ -0,0 +1,24 @@
+<?php
+
+declare(strict_types=1);
+
+/*
+ * This file is part of Contao.
+ *
+ * (c) Leo Feyer
+ *
+ * @license LGPL-3.0-or-later
+ */
+
+namespace Contao\CalendarBundle\Security;
+
+final class ContaoCalendarPermissions
+{
+    public const USER_CAN_EDIT_CALENDAR = 'contao_user.calendars';
+    public const USER_CAN_CREATE_CALENDARS = 'contao_user.calendarp.create';
+    public const USER_CAN_DELETE_CALENDARS = 'contao_user.calendarp.delete';
+
+    public const USER_CAN_EDIT_FEED = 'contao_user.calendarfeeds';
+    public const USER_CAN_CREATE_FEEDS = 'contao_user.calendarfeedp.create';
+    public const USER_CAN_DELETE_FEEDS = 'contao_user.calendarfeedp.delete';
+}
diff --git a/core-bundle/src/Security/ContaoCorePermissions.php b/core-bundle/src/Security/ContaoCorePermissions.php
@@ -0,0 +1,152 @@
+<?php
+
+declare(strict_types=1);
+
+/*
+ * This file is part of Contao.
+ *
+ * (c) Leo Feyer
+ *
+ * @license LGPL-3.0-or-later
+ */
+
+namespace Contao\CoreBundle\Security;
+
+final class ContaoCorePermissions
+{
+    /**
+     * Access is granted if the current user can edit the given page.
+     * Subject must be a PageModel or a tl_page record as array.
+     */
+    public const USER_CAN_EDIT_PAGE = 'contao_user.can_edit_page';
+
+    /**
+     * Access is granted if the current user can change the hierarchy of the given page.
+     * Subject must be a PageModel or a tl_page record as array.
+     */
+    public const USER_CAN_EDIT_PAGE_HIERARCHY = 'contao_user.can_edit_page_hierarchy';
+
+    /**
+     * Access is granted if the current user can can delete the given page.
+     * Subject must be a PageModel or a tl_page record as array.
+     */
+    public const USER_CAN_DELETE_PAGE = 'contao_user.can_delete_page';
+
+    /**
+     * Access is granted if the current user can edit articles of the given page.
+     * Subject must be a PageModel or a tl_page record as array.
+     */
+    public const USER_CAN_EDIT_ARTICLES = 'contao_user.can_edit_articles';
+
+    /**
+     * Access is granted if the current user can change the hierarchy of articles of the given page.
+     * Subject must be a PageModel or a tl_page record as array.
+     */
+    public const USER_CAN_EDIT_ARTICLE_HIERARCHY = 'contao_user.can_edit_article_hierarchy';
+
+    /**
+     * Access is granted if the current user can delete articles of the given page.
+     * Subject must be a PageModel or a tl_page record as array.
+     */
+    public const USER_CAN_DELETE_ARTICLES = 'contao_user.can_delete_articles';
+
+    /**
+     * Access is granted if the current user can upload files to the server.
+     */
+    public const USER_CAN_UPLOAD_FILES = 'contao_user.fop.f1';
+
+    /**
+     * Access is granted if the current user can edit, copy or move files and folders.
+     */
+    public const USER_CAN_RENAME_FILE = 'contao_user.fop.f2';
+
+    /**
+     * Access is granted if the current user can delete single files and empty folders.
+     */
+    public const USER_CAN_DELETE_FILE = 'contao_user.fop.f3';
+
+    /**
+     * Access is granted if the current user can delete folders including all files and subfolders.
+     */
+    public const USER_CAN_DELETE_RECURSIVELY = 'contao_user.fop.f4';
+
+    /**
+     * Access is granted if the current user can edit files in the source editor.
+     */
+    public const USER_CAN_EDIT_FILE = 'contao_user.fop.f5';
+
+    /**
+     * Access is granted if the current user can synchronize the file system with the database.
+     */
+    public const USER_CAN_SYNC_DBAFS = 'contao_user.fop.f6';
+
+    /**
+     * Access is granted if the current user can edit at least one field of the table.
+     * Subject must be a table name (e.g. "tl_page").
+     */
+    public const USER_CAN_EDIT_FIELDS_OF_TABLE = 'contao_user.can_edit_fields';
+
+    /**
+     * Access is granted if the current user can edit the field of a table.
+     * Subject must be a table and field separated by two colons (e.g. "tl_page::title").
+     */
+    public const USER_CAN_EDIT_FIELD_OF_TABLE = 'contao_user.alexf';
+
+    /**
+     * Access is granted if the current user can access the back end module.
+     * Subject must be a module name (e.g. "article").
+     */
+    public const USER_CAN_ACCESS_MODULE = 'contao_user.modules';
+
+    /**
+     * Access is granted if the current user can access the content element type.
+     * Subject must be a content element type (e.g. "text").
+     */
+    public const USER_CAN_ACCESS_ELEMENT_TYPE = 'contao_user.elements';
+
+    /**
+     * Access is granted if the current user can access the form field type.
+     * Subject must be a content element type (e.g. "hidden").
+     */
+    public const USER_CAN_ACCESS_FIELD_TYPE = 'contao_user.fields';
+
+    /**
+     * Access is granted if the current user can access the theme.
+     * Subject must be an ID of table tl_theme.
+     */
+    public const USER_CAN_ACCESS_THEME = 'contao_user.themes';
+
+    /**
+     * Access is granted if the current user can access the page type.
+     * Subject must be a page type as string (e.g. "regular").
+     */
+    public const USER_CAN_ACCESS_PAGE_TYPE = 'contao_user.alpty';
+
+    /**
+     * Access is granted if the given path is mounted for the current user.
+     * Subject must be path as string (e.g. "files/content/foo").
+     */
+    public const USER_CAN_ACCESS_PATH = 'contao_user.filemounts';
+
+    /**
+     * Access is granted if the current user can access the image size.
+     * Subject must be an image size ID from tl_image_size or a configuration name (e.g. "crop").
+     */
+    public const USER_CAN_ACCESS_IMAGE_SIZE = 'contao_user.imageSizes';
+
+    /**
+     * Access is granted if the current user can access the form.
+     * Subject must be a form ID from tl_form.
+     */
+    public const USER_CAN_ACCESS_FORM = 'contao_user.forms';
+
+    /**
+     * Access is granted if the current user can create forms.
+     */
+    public const USER_CAN_CREATE_FORMS = 'contao_user.formp.create';
+
+    /**
+     * Access is granted if the current user can delete forms.
+     */
+    public const USER_CAN_DELETE_FORMS = 'contao_user.formp.delete';
+}
diff --git a/core-bundle/src/Security/Voter/BackendAccessVoter.php b/core-bundle/src/Security/Voter/BackendAccessVoter.php
@@ -13,11 +13,21 @@
 namespace Contao\CoreBundle\Security\Voter;
 
 use Contao\BackendUser;
+use Contao\PageModel;
 use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
 use Symfony\Component\Security\Core\Authorization\Voter\Voter;
 
 class BackendAccessVoter extends Voter
 {
+    private const PAGE_PERMISSIONS = [
+        'can_edit_page' => BackendUser::CAN_EDIT_PAGE,
+        'can_edit_page_hierarchy' => BackendUser::CAN_EDIT_PAGE_HIERARCHY,
+        'can_delete_page' => BackendUser::CAN_DELETE_PAGE,
+        'can_edit_articles' => BackendUser::CAN_EDIT_ARTICLES,
+        'can_edit_article_hierarchy' => BackendUser::CAN_EDIT_ARTICLE_HIERARCHY,
+        'can_delete_articles' => BackendUser::CAN_DELETE_ARTICLES,
+    ];
+
     protected function supports($attribute, $subject): bool
     {
         return \is_string($attribute) && 0 === strncmp($attribute, 'contao_user.', 12);
@@ -26,12 +36,72 @@ protected function supports($attribute, $subject): bool
     protected function voteOnAttribute($attribute, $subject, TokenInterface $token): bool
     {
         $user = $token->getUser();
-        [, $field] = explode('.', $attribute, 2);
 
-        if (!$user instanceof BackendUser || (!is_scalar($subject) && !\is_array($subject))) {
+        if (!$user instanceof BackendUser) {
+            return false;
+        }
+
+        $permission = explode('.', $attribute, 3);
+
+        if ('contao_user' !== $permission[0] || !isset($permission[1])) {
+            return false;
+        }
+
+        $field = $permission[1];
+
+        if (!$subject && isset($permission[2])) {
+            $subject = $permission[2];
+        }
+
+        if ('can_edit_fields' === $field) {
+            return $this->canEditFieldsOf($subject, $user);
+        }
+
+        if (isset(self::PAGE_PERMISSIONS[$field])) {
+            return $this->isAllowed($subject, self::PAGE_PERMISSIONS[$field], $user);
+        }
+
+        return $this->hasAccess($subject, $field, $user);
+    }
+
+    /**
+     * Checks the user permissions against a field in tl_user(_group).
+     */
+    private function hasAccess($subject, string $field, BackendUser $user): bool
+    {
+        if (!is_scalar($subject) && !\is_array($subject)) {
             return false;
         }
 
         return $user->hasAccess($subject, $field);
     }
+
+    /**
+     * Checks if the user has access to a given page (tl_page.includeChmod et al.).
+     */
+    private function isAllowed($subject, int $flag, BackendUser $user): bool
+    {
+        if ($subject instanceof PageModel) {
+            $subject->loadDetails();
+            $subject = $subject->row();
+        }
+
+        if (!\is_array($subject)) {
+            return false;
+        }
+
+        return $user->isAllowed($flag, $subject);
+    }
+
+    /**
+     * Checks if the user has access to any field of a table (against tl_user(_group).alexf).
+     */
+    private function canEditFieldsOf($subject, BackendUser $user): bool
+    {
+        if (!\is_string($subject)) {
+            return false;
+        }
+
+        return $user->canEditFieldsOf($subject);
+    }
 }