Fix dwc access control

[AlanWierzchonCA]

Q	A
Bug fix? (use the a.b branch)	[Yes]
New feature/enhancement? (use the a.x branch)	[No]
Deprecations?	[No]
BC breaks? (use the c.x branch)	[No]
Automated tests included?	[Yes]
Related user documentation PR URL	mautic/mautic-documentation#...
Related developer documentation PR URL	mautic/developer-documentation#...
Issue(s) addressed	Fixes #...

Description:

User without privileges can create and delete ’Dynamic Content’

Steps to test this PR:

1. Open this PR on Gitpod or pull down for testing locally (see docs on testing PRs here)

• Create new Role with only Dynamic Content Permissions:
  Dynamic Content - User has access to View Own and View Others

• Create new User with created Role

• Login with created User

• request GET https://8080-alanwierzchonca-mautic-h31qcblosf3.ws-eu47.gitpod.io/s/dwc/new

• request POST https://8080-alanwierzchonca-mautic-h31qcblosf3.ws-eu47.gitpod.io/s/dwc/delete/1

[RCheesley]

Thanks for the PR @AlanWierzchonCA - please could you reach out to me on Slack at https://mautic.org/slack as I need to chat with you about this issue.

Works as expected, after applying the PR I am correctly getting a 403 if I try to hit the create new / delete.

Please also see the PHPSTAN issues which need some attention :)

[codecov]

Codecov Report

Merging #11278 (e1f941d) into 4.4 (acf3393) will increase coverage by 0.17%.
The diff coverage is 100.00%.

@@             Coverage Diff              @@
##                4.4   #11278      +/-   ##
============================================
+ Coverage     49.37%   49.54%   +0.17%     
  Complexity    35401    35401              
============================================
  Files          2144     2144              
  Lines        105532   105533       +1     
============================================
+ Hits          52102    52283     +181     
+ Misses        53430    53250     -180     

Impacted Files	Coverage Δ
...tentBundle/Controller/DynamicContentController.php	28.35% <100.00%> (+28.35%)	⬆️
...ndles/CampaignBundle/Entity/CampaignRepository.php	62.32% <0.00%> (+0.70%)	⬆️
app/bundles/EmailBundle/Entity/EmailRepository.php	69.25% <0.00%> (+0.74%)	⬆️
...undle/Security/Permissions/AbstractPermissions.php	50.00% <0.00%> (+2.50%)	⬆️
app/bundles/AssetBundle/Entity/AssetRepository.php	25.97% <0.00%> (+2.59%)	⬆️
...les/DynamicContentBundle/Entity/DynamicContent.php	50.95% <0.00%> (+6.36%)	⬆️
...amicContentBundle/Form/Type/DynamicContentType.php	92.92% <0.00%> (+16.16%)	⬆️
...DynamicContentBundle/Model/DynamicContentModel.php	21.31% <0.00%> (+18.03%)	⬆️
...cContentBundle/Entity/DynamicContentRepository.php	29.67% <0.00%> (+27.47%)	⬆️
... and 2 more

[escopecz]

Thanks for this! Please check my comments if it makes sense. I also suggested the fixes for PHPSTAN issues.

[escopecz]

I'm wondering how the code can know whether the entity can be deleted based on "own" or "other" permissions when the security service doesn't know who created the entity. Shouldn't we use the hasEntityAccess method instead?

Isn't that exact check slightly bellow this one on line 493?

[AlanWierzchonCA]

Hi @escopecz,
on lines 482, 483 the code checks if the logged in user has general permission to delete their own or other dynamic content.
If not, the user should not know if the entity exists or not. It should get 403, not 401.

In line 493 there is a checks base on existting entity Id.

[escopecz]

Is it necessary to check it twice? It seems like a code duplication to me.

[AlanWierzchonCA]

Ok, so how do we check if we can return 404 based on validation with the hasEntityAccess at line 493?

[AlanWierzchonCA]

It should get 403, not 401.

I mean "...not 404" (notfound).

[escopecz]

Here is an example how "not found" is implemented for landing pages:

https://github.com/mautic/mautic/blob/5.x/app/bundles/PageBundle/Controller/PageController.php#L496-L507

[AlanWierzchonCA]

But this example does not check whether the user has permission to find out whether the entity exists or not.

[escopecz]

No entity in Mautic checks whether the user has permission to find out whether the entity exists or not. I wouldn't over-complicated this :)

[AlanWierzchonCA]

Yes, secuirity issues are sometimes overcomplicated and the Department of Security gives many absurd points.
As you wish, I have removed this access checking :)

[AlanWierzchonCA]

Hi @escopecz, @RCheesley
thanks for review and tests.

I just made fixes and answered questions.

[escopecz]

Amazing! The code is good to go and the tests are amazing! Thank you for taking care of this and be patient with me. 👍

One last thing so this can be tested and merged. Can you please rebase it on top of 5.x branch and if you want to back-port it to Mautic 4 as well then create a duplicate PR against the 4.4 branch?

[AlanWierzchonCA]

Hi @escopecz,

I made rebase these changes to 4.4
and created a duplicate PR against the 5.x #11480