Securing edpoints

src/Controllers/ActionsV1Controller.php

@@ -40,6 +40,9 @@
  * @subpackage      Controllers
  *
  * @author          Adam Kadlec <adam.kadlec@fastybird.com>
+ *
+ * @Secured
+ * @Secured\User(loggedIn)
  */
 final class ActionsV1Controller extends BaseV1Controller
 {
@@ -128,6 +131,9 @@ public function read(
 	 *
 	 * @throws NodeJsonApiExceptions\IJsonApiException
 	 * @throws Doctrine\DBAL\ConnectionException
+	 *
+	 * @Secured
+	 * @Secured\Role(manager,administrator)
 	 */
 	public function create(
 		Message\ServerRequestInterface $request,
@@ -252,6 +258,9 @@ public function create(
 	 *
 	 * @throws NodeJsonApiExceptions\IJsonApiException
 	 * @throws Doctrine\DBAL\ConnectionException
+	 *
+	 * @Secured
+	 * @Secured\Role(manager,administrator)
 	 */
 	public function update(
 		Message\ServerRequestInterface $request,
@@ -334,6 +343,9 @@ public function update(
 	 *
 	 * @throws NodeJsonApiExceptions\IJsonApiException
 	 * @throws Doctrine\DBAL\ConnectionException
+	 *
+	 * @Secured
+	 * @Secured\Role(manager,administrator)
 	 */
 	public function delete(
 		Message\ServerRequestInterface $request,

src/Controllers/ConditionsV1Controller.php

@@ -40,6 +40,9 @@
  * @subpackage      Controllers
  *
  * @author          Adam Kadlec <adam.kadlec@fastybird.com>
+ *
+ * @Secured
+ * @Secured\User(loggedIn)
  */
 final class ConditionsV1Controller extends BaseV1Controller
 {
@@ -154,6 +157,9 @@ public function read(
 	 *
 	 * @throws NodeJsonApiExceptions\IJsonApiException
 	 * @throws Doctrine\DBAL\ConnectionException
+	 *
+	 * @Secured
+	 * @Secured\Role(manager,administrator)
 	 */
 	public function create(
 		Message\ServerRequestInterface $request,
@@ -292,6 +298,9 @@ public function create(
 	 *
 	 * @throws NodeJsonApiExceptions\IJsonApiException
 	 * @throws Doctrine\DBAL\ConnectionException
+	 *
+	 * @Secured
+	 * @Secured\Role(manager,administrator)
 	 */
 	public function update(
 		Message\ServerRequestInterface $request,
@@ -386,6 +395,9 @@ public function update(
 	 *
 	 * @throws NodeJsonApiExceptions\IJsonApiException
 	 * @throws Doctrine\DBAL\ConnectionException
+	 *
+	 * @Secured
+	 * @Secured\Role(manager,administrator)
 	 */
 	public function delete(
 		Message\ServerRequestInterface $request,

src/Controllers/NotificationsV1Controller.php

@@ -40,6 +40,9 @@
  * @subpackage      Controllers
  *
  * @author          Adam Kadlec <adam.kadlec@fastybird.com>
+ *
+ * @Secured
+ * @Secured\User(loggedIn)
  */
 final class NotificationsV1Controller extends BaseV1Controller
 {
@@ -133,6 +136,9 @@ public function read(
 	 *
 	 * @throws NodeJsonApiExceptions\IJsonApiException
 	 * @throws Doctrine\DBAL\ConnectionException
+	 *
+	 * @Secured
+	 * @Secured\Role(manager,administrator)
 	 */
 	public function create(
 		Message\ServerRequestInterface $request,
@@ -273,6 +279,9 @@ public function create(
 	 *
 	 * @throws NodeJsonApiExceptions\IJsonApiException
 	 * @throws Doctrine\DBAL\ConnectionException
+	 *
+	 * @Secured
+	 * @Secured\Role(manager,administrator)
 	 */
 	public function update(
 		Message\ServerRequestInterface $request,
@@ -361,6 +370,9 @@ public function update(
 	 *
 	 * @throws NodeJsonApiExceptions\IJsonApiException
 	 * @throws Doctrine\DBAL\ConnectionException
+	 *
+	 * @Secured
+	 * @Secured\Role(manager,administrator)
 	 */
 	public function delete(
 		Message\ServerRequestInterface $request,

src/Controllers/TriggersV1Controller.php

@@ -38,6 +38,9 @@
  * @subpackage      Controllers
  *
  * @author          Adam Kadlec <adam.kadlec@fastybird.com>
+ *
+ * @Secured
+ * @Secured\User(loggedIn)
  */
 final class TriggersV1Controller extends BaseV1Controller
 {
@@ -121,6 +124,9 @@ public function read(
 	 *
 	 * @throws NodeJsonApiExceptions\IJsonApiException
 	 * @throws Doctrine\DBAL\ConnectionException
+	 *
+	 * @Secured
+	 * @Secured\Role(manager,administrator)
 	 */
 	public function create(
 		Message\ServerRequestInterface $request,
@@ -235,6 +241,9 @@ public function create(
 	 *
 	 * @throws NodeJsonApiExceptions\IJsonApiException
 	 * @throws Doctrine\DBAL\ConnectionException
+	 *
+	 * @Secured
+	 * @Secured\Role(manager,administrator)
 	 */
 	public function update(
 		Message\ServerRequestInterface $request,
@@ -326,6 +335,9 @@ public function update(
 	 *
 	 * @throws NodeJsonApiExceptions\IJsonApiException
 	 * @throws Doctrine\DBAL\ConnectionException
+	 *
+	 * @Secured
+	 * @Secured\Role(manager,administrator)
 	 */
 	public function delete(
 		Message\ServerRequestInterface $request,

tests/cases/Unit/Controllers/ActionsV1ControllerTest.phpt

@@ -20,19 +20,27 @@ final class ActionsV1ControllerTest extends DbTestCase
 
 	/**
 	 * @param string $url
+	 * @param string|null $token
 	 * @param int $statusCode
 	 * @param string $fixture
 	 *
 	 * @dataProvider ./../../../fixtures/Controllers/actionsRead.php
 	 */
-	public function testRead(string $url, int $statusCode, string $fixture): void
+	public function testRead(string $url, ?string $token, int $statusCode, string $fixture): void
 	{
 		/** @var Router\Router $router */
 		$router = $this->getContainer()->getByType(Router\Router::class);
 
+		$headers = [];
+
+		if ($token !== null) {
+			$headers['authorization'] = $token;
+		}
+
 		$request = new ServerRequest(
 			RequestMethodInterface::METHOD_GET,
-			$url
+			$url,
+			$headers
 		);
 
 		$response = $router->handle($request);
@@ -47,21 +55,28 @@ final class ActionsV1ControllerTest extends DbTestCase
 
 	/**
 	 * @param string $url
+	 * @param string|null $token
 	 * @param string $body
 	 * @param int $statusCode
 	 * @param string $fixture
 	 *
 	 * @dataProvider ./../../../fixtures/Controllers/actionsCreate.php
 	 */
-	public function testCreate(string $url, string $body, int $statusCode, string $fixture): void
+	public function testCreate(string $url, ?string $token, string $body, int $statusCode, string $fixture): void
 	{
 		/** @var Router\Router $router */
 		$router = $this->getContainer()->getByType(Router\Router::class);
 
+		$headers = [];
+
+		if ($token !== null) {
+			$headers['authorization'] = $token;
+		}
+
 		$request = new ServerRequest(
 			RequestMethodInterface::METHOD_POST,
 			$url,
-			[],
+			$headers,
 			$body
 		);
 
@@ -77,21 +92,28 @@ final class ActionsV1ControllerTest extends DbTestCase
 
 	/**
 	 * @param string $url
+	 * @param string|null $token
 	 * @param string $body
 	 * @param int $statusCode
 	 * @param string $fixture
 	 *
 	 * @dataProvider ./../../../fixtures/Controllers/actionsUpdate.php
 	 */
-	public function testUpdate(string $url, string $body, int $statusCode, string $fixture): void
+	public function testUpdate(string $url, ?string $token, string $body, int $statusCode, string $fixture): void
 	{
 		/** @var Router\Router $router */
 		$router = $this->getContainer()->getByType(Router\Router::class);
 
+		$headers = [];
+
+		if ($token !== null) {
+			$headers['authorization'] = $token;
+		}
+
 		$request = new ServerRequest(
 			RequestMethodInterface::METHOD_PATCH,
 			$url,
-			[],
+			$headers,
 			$body
 		);
 
@@ -107,19 +129,27 @@ final class ActionsV1ControllerTest extends DbTestCase
 
 	/**
 	 * @param string $url
+	 * @param string|null $token
 	 * @param int $statusCode
 	 * @param string $fixture
 	 *
 	 * @dataProvider ./../../../fixtures/Controllers/actionsDelete.php
 	 */
-	public function testDelete(string $url, int $statusCode, string $fixture): void
+	public function testDelete(string $url, ?string $token, int $statusCode, string $fixture): void
 	{
 		/** @var Router\Router $router */
 		$router = $this->getContainer()->getByType(Router\Router::class);
 
+		$headers = [];
+
+		if ($token !== null) {
+			$headers['authorization'] = $token;
+		}
+
 		$request = new ServerRequest(
 			RequestMethodInterface::METHOD_DELETE,
-			$url
+			$url,
+			$headers
 		);
 
 		$response = $router->handle($request);