
EZP-21315: fixed: use SecurityContext to check access
pspanja committed Feb 28, 2014
1 parent 8a6052c commit 3ece439
Showing 2 changed files with 37 additions and 10 deletions.
4 changes: 3 additions & 1 deletion eZ/Bundle/EzPublishCoreBundle/Resources/config/services.yml
Expand Up @@ -49,7 +49,9 @@ services:

ezpublish.controller.content.view:
class: %ezpublish.controller.content.view.class%
arguments: [@ezpublish.view_manager]
arguments:
- @ezpublish.view_manager
- @security.context
parent: ezpublish.controller.base

ezpublish.controller.content.preview.core:
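Review bot: The service class is a parameter (`%ezpublish.controller.content.view.class%`), so a bundle that overrides it with a subclass still declaring the old one-argument constructor would now receive `@security.context` as a silently ignored extra argument and, unless it calls the parent constructor, leave the parent's private `$securityContext` unset until the first `isGranted()` call fails; this is inferred from the parameterised class and deserves a line in the commit message or changelog. The unquoted `@`-prefixed service references follow the existing style of this file. The `ezpublish.controller.content.preview.core` definition that follows continues outside the hunk.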
43 changes: 34 additions & 9 deletions eZ/Publish/Core/MVC/Symfony/Controller/Content/ViewController.php
Expand Up @@ -20,6 +20,7 @@
use eZ\Publish\Core\MVC\Symfony\View\ViewManagerInterface;
use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\HttpKernel\Exception\NotFoundHttpException;
use Symfony\Component\Security\Core\SecurityContextInterface;
use Symfony\Component\Security\Core\Exception\AccessDeniedException;
use DateTime;
use Exception;
Expand All @@ -31,9 +32,15 @@ class ViewController extends Controller
*/
protected $viewManager;

public function __construct( ViewManagerInterface $viewManager )
/**
* @var \Symfony\Component\Security\Core\SecurityContextInterface
*/
private $securityContext;

public function __construct( ViewManagerInterface $viewManager, SecurityContextInterface $securityContext )
{
$this->viewManager = $viewManager;
$this->securityContext = $securityContext;
}

/**
Expand Down Expand Up @@ -178,11 +185,23 @@ function ( $repository ) use ( $locationId )

// Check both 'content/read' and 'content/view_embed'.
if (
!$this->getRepository()->canUser( 'content', 'read', $location->contentInfo, $location )
&& !$this->getRepository()->canUser( 'content', 'view_embed', $location->contentInfo, $location )
!$this->securityContext->isGranted(
new AuthorizationAttribute(
'content',
'read',
array( 'valueObject' => $location->contentInfo, 'targets' => $location )
)
)
&& !$this->securityContext->isGranted(
new AuthorizationAttribute(
'content',
'view_embed',
array( 'valueObject' => $location->contentInfo, 'targets' => $location )
)
)
)
{
throw new UnauthorizedException( 'content', 'read' );
throw new AccessDeniedException();
}

if ( $response->isNotModified( $this->getRequest() ) )
Expand Down Expand Up @@ -300,20 +319,26 @@ function ( $repository ) use ( $contentId )

// Check both 'content/read' and 'content/view_embed'.
if (
!$this->getRepository()->canUser( 'content', 'read', $content )
&& !$this->getRepository()->canUser( 'content', 'view_embed', $content )
!$this->securityContext->isGranted(
new AuthorizationAttribute( 'content', 'read', array( 'valueObject' => $content ) )
)
&& !$this->securityContext->isGranted(
new AuthorizationAttribute( 'content', 'view_embed', array( 'valueObject' => $content ) )
)
)
{
throw new UnauthorizedException( 'content', 'read' );
throw new AccessDeniedException();
}

// Check that Content is published, since sudo allows loading unpublished content.
if (
$content->getVersionInfo()->status !== APIVersionInfo::STATUS_PUBLISHED
&& !$this->getRepository()->canUser( 'content', 'versionread', $content )
&& !$this->securityContext->isGranted(
new AuthorizationAttribute( 'content', 'versionread', array( 'valueObject' => $content ) )
)
)
{
throw new UnauthorizedException( 'content', 'versionread' );
throw new AccessDeniedException();
}

if ( $response->isNotModified( $this->getRequest() ) )
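Review bot: `throw new AccessDeniedException();` at the three replaced throw sites passes no message, so the module/function that `UnauthorizedException( 'content', 'read' )` and `UnauthorizedException( 'content', 'versionread' )` used to carry is lost from whatever logs the exception; `throw new AccessDeniedException( 'content/read' );` (and `'content/versionread'` for the published-version check) keeps that context without changing the 403 outcome. `AuthorizationAttribute` is used in all three new checks, but the import hunk adds only `SecurityContextInterface` and `AccessDeniedException`; if it is not already imported above line 20 the controller will not resolve it, and conversely a `UnauthorizedException` import, if one exists there, is now unused. The constructor now requires a second argument and no test file is among the two changed files, so any unit test that constructs `ViewController` directly is presumably left broken. Each of the three modified methods starts and ends outside its hunk.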
