feat(middleware): added page owner can edit middleware

Allow routes to validate page owner canEdit rights in route definition
Elgg · Oct 8, 2019 · b81fc72 · b81fc72
1 parent 7e86f57
commit b81fc72
Show file tree

Hide file tree

Showing 6 changed files with 1,289 additions and 0 deletions.
diff --git a/engine/classes/Elgg/Router/Middleware/GroupPageOwnerCanEditGatekeeper.php b/engine/classes/Elgg/Router/Middleware/GroupPageOwnerCanEditGatekeeper.php
@@ -0,0 +1,19 @@
+<?php
+
+namespace Elgg\Router\Middleware;
+
+/**
+ * Check if the current route page owner can be edited (by the current logged in user) and is an user
+ *
+ * @since 3.2
+ */
+class GroupPageOwnerCanEditGatekeeper extends PageOwnerCanEditGatekeeper {
+
+	/**
+	 * {@inheritDoc}
+	 * @see \Elgg\Router\Middleware\PageOwnerCanEditGatekeeper::__invoke()
+	 */
+	public function __invoke(\Elgg\Request $request) {
+		$this->assertAccess($request, 'group');
+	}
+}
diff --git a/engine/classes/Elgg/Router/Middleware/PageOwnerCanEditGatekeeper.php b/engine/classes/Elgg/Router/Middleware/PageOwnerCanEditGatekeeper.php
@@ -0,0 +1,61 @@
+<?php
+
+namespace Elgg\Router\Middleware;
+
+use Elgg\Router\Route;
+use Elgg\EntityPermissionsException;
+
+/**
+ * Check if the current route page owner can be edited (by the current logged in user)
+ *
+ * @since 3.2
+ */
+class PageOwnerCanEditGatekeeper {
+
+	/**
+	 * Validate the current request
+	 *
+	 * @param \Elgg\Request $request the current request
+	 *
+	 * @return void
+	 * @throws EntityPermissionsException
+	 */
+	public function __invoke(\Elgg\Request $request) {
+		$this->assertAccess($request);
+	}
+
+	/**
+	 * Validate the current request
+	 *
+	 * @param \Elgg\Request $request the current request
+	 * @param string        $type    (optional) the required type of the page owner
+	 * @param string        $subtype (optional) the required subtype of the page owner
+	 *
+	 * @return void
+	 * @throws EntityPermissionsException
+	 */
+	protected function assertAccess(\Elgg\Request $request, string $type = '', string $subtype = '') {
+
+		$route = $request->getHttpRequest()->getRoute();
+		if (!$route instanceof Route) {
+			return;
+		}
+
+		$page_owner = $route->resolvePageOwner();
+		if (!$page_owner instanceof \ElggEntity) {
+			return;
+		}
+
+		if (!$page_owner->canEdit()) {
+			throw new EntityPermissionsException();
+		}
+
+		if (!empty($type) && $page_owner->getType() !== $type) {
+			throw new EntityPermissionsException();
+		}
+
+		if (!empty($subtype) && $page_owner->getSubtype() !== $subtype) {
+			throw new EntityPermissionsException();
+		}
+	}
+}
diff --git a/engine/classes/Elgg/Router/Middleware/UserPageOwnerCanEditGatekeeper.php b/engine/classes/Elgg/Router/Middleware/UserPageOwnerCanEditGatekeeper.php
@@ -0,0 +1,19 @@
+<?php
+
+namespace Elgg\Router\Middleware;
+
+/**
+ * Check if the current route page owner can be edited (by the current logged in user) and is an user
+ *
+ * @since 3.2
+ */
+class UserPageOwnerCanEditGatekeeper extends PageOwnerCanEditGatekeeper {
+
+	/**
+	 * {@inheritDoc}
+	 * @see \Elgg\Router\Middleware\PageOwnerCanEditGatekeeper::__invoke()
+	 */
+	public function __invoke(\Elgg\Request $request) {
+		$this->assertAccess($request, 'user');
+	}
+}