Fix ACL issues for custom pages

GEWIS · Aug 17, 2022 · f9ad924 · f9ad924
1 parent a1f94fc
commit f9ad924
Show file tree

Hide file tree

Showing 3 changed files with 48 additions and 14 deletions.
diff --git a/module/Frontpage/src/Controller/Factory/PageAdminControllerFactory.php b/module/Frontpage/src/Controller/Factory/PageAdminControllerFactory.php
@@ -3,8 +3,9 @@
 namespace Frontpage\Controller\Factory;
 
 use Frontpage\Controller\PageAdminController;
-use Psr\Container\ContainerInterface;
+use Laminas\Mvc\I18n\Translator as MvcTranslator;
 use Laminas\ServiceManager\Factory\FactoryInterface;
+use Psr\Container\ContainerInterface;
 
 class PageAdminControllerFactory implements FactoryInterface
 {
@@ -21,6 +22,8 @@ public function __invoke(
         ?array $options = null,
     ): PageAdminController {
         return new PageAdminController(
+            $container->get('frontpage_service_acl'),
+            $container->get(MvcTranslator::class),
             $container->get('frontpage_service_page'),
         );
     }

diff --git a/module/Frontpage/src/Controller/PageAdminController.php b/module/Frontpage/src/Controller/PageAdminController.php
@@ -3,7 +3,11 @@
 namespace Frontpage\Controller;
 
 use Exception;
-use Frontpage\Service\Page as PageService;
+use Frontpage\Service\{
+    AclService,
+    Page as PageService,
+};
+use Laminas\Mvc\I18n\Translator;
 use Laminas\Http\{
     Request,
     Response,
@@ -13,26 +17,40 @@
     JsonModel,
     ViewModel,
 };
+use User\Permissions\NotAllowedException;
 
 class PageAdminController extends AbstractActionController
 {
-    public function __construct(private readonly PageService $pageService)
-    {
+    public function __construct(
+        private readonly AclService $aclService,
+        private readonly Translator $translator,
+        private readonly PageService $pageService,
+    ) {
     }
 
     public function indexAction(): ViewModel
     {
-        $pages = $this->pageService->getPages();
+        if (!$this->aclService->isAllowed('list', 'page')) {
+            throw new NotAllowedException(
+                $this->translator->translate('You are not allowed to view the list of pages.')
+            );
+        }
 
         return new ViewModel(
             [
-                'pages' => $pages,
+                'pages' => $this->pageService->getPages(),
             ]
         );
     }
 
     public function createAction(): Response|ViewModel
     {
+        if (!$this->aclService->isAllowed('create', 'page')) {
+            throw new NotAllowedException(
+                $this->translator->translate('You are not allowed to create new pages.')
+            );
+        }
+
         /** @var Request $request */
         $request = $this->getRequest();
 
@@ -59,6 +77,10 @@ public function createAction(): Response|ViewModel
 
     public function editAction(): Response|ViewModel
     {
+        if (!$this->aclService->isAllowed('edit', 'page')) {
+            throw new NotAllowedException($this->translator->translate('You are not allowed to edit pages.'));
+        }
+
         $pageId = $this->params()->fromRoute('page_id');
         /** @var Request $request */
         $request = $this->getRequest();
@@ -82,6 +104,10 @@ public function editAction(): Response|ViewModel
 
     public function deleteAction(): Response
     {
+        if (!$this->aclService->isAllowed('delete', 'page')) {
+            throw new NotAllowedException($this->translator->translate('You are not allowed to delete pages.'));
+        }
+
         $pageId = $this->params()->fromRoute('page_id');
         $this->pageService->deletePage($pageId);
 
@@ -90,14 +116,23 @@ public function deleteAction(): Response
 
     public function uploadAction(): JsonModel
     {
+        if (
+            !$this->aclService->isAllowed('create', 'page')
+            && !$this->aclService->isAllowed('edit', 'page')
+            && !$this->aclService->isAllowed('create', 'news_item')
+            && !$this->aclService->isAllowed('edit', 'news_item')
+        ) {
+            throw new NotAllowedException($this->translator->translate('You are not allowed to upload images.'));
+        }
+
         /** @var Request $request */
         $request = $this->getRequest();
         $result = [];
         $result['uploaded'] = 0;
 
         if ($request->isPost()) {
             try {
-                $path = $this->pageService->uploadImage($request->getFiles());
+                $path = $this->pageService->uploadImage($request->getFiles()->toArray());
                 $result['url'] = '/' . $path;
                 $result['fileName'] = $path;
                 $result['uploaded'] = 1;

diff --git a/module/Frontpage/src/Service/Page.php b/module/Frontpage/src/Service/Page.php
@@ -228,14 +228,8 @@ public function deletePage(int $pageId): void
 
     /**
      * Upload an image to be displayed on a page.
-     *
-     * @param Parameters $files
-     *
-     * @return string
-     *
-     * @throws Exception
      */
-    public function uploadImage(Parameters $files): string
+    public function uploadImage(array $files): string
     {
         $imageValidator = new IsImage(
             ['magicFile' => false]
@@ -252,10 +246,12 @@ public function uploadImage(Parameters $files): string
 
                 return $config['public_dir'] . '/' . $fileName;
             }
+
             throw new InvalidArgumentException(
                 $this->translator->translate('The uploaded file does not have a valid extension')
             );
         }
+
         throw new InvalidArgumentException(
             $this->translator->translate('The uploaded file is not a valid image')
         );