diff options
author | i00171 <anton.delitsch@implema.se> | 2016-06-26 18:35:25 +0200 |
---|---|---|
committer | i00171 <anton.delitsch@implema.se> | 2016-06-26 18:35:25 +0200 |
commit | 47039d32c84ba699867920d2c3cb47a34b199b9d (patch) | |
tree | 4fbc2ec34889baeab00085e0509055dca7daee6a /app/Api/Authorization | |
parent | 911be6ed00c1ece5d9ef2c16e80899bb7bffad67 (diff) | |
parent | c110dffefe259c13e60193fb81ebb9d4b79504de (diff) |
Merge branch 'master' of https://github.com/fguillot/kanboard
Diffstat (limited to 'app/Api/Authorization')
-rw-r--r-- | app/Api/Authorization/ActionAuthorization.php | 19 | ||||
-rw-r--r-- | app/Api/Authorization/CategoryAuthorization.php | 19 | ||||
-rw-r--r-- | app/Api/Authorization/ColumnAuthorization.php | 19 | ||||
-rw-r--r-- | app/Api/Authorization/CommentAuthorization.php | 19 | ||||
-rw-r--r-- | app/Api/Authorization/ProcedureAuthorization.php | 32 | ||||
-rw-r--r-- | app/Api/Authorization/ProjectAuthorization.php | 35 | ||||
-rw-r--r-- | app/Api/Authorization/SubtaskAuthorization.php | 19 | ||||
-rw-r--r-- | app/Api/Authorization/TaskAuthorization.php | 19 | ||||
-rw-r--r-- | app/Api/Authorization/TaskFileAuthorization.php | 19 | ||||
-rw-r--r-- | app/Api/Authorization/TaskLinkAuthorization.php | 19 | ||||
-rw-r--r-- | app/Api/Authorization/UserAuthorization.php | 22 |
11 files changed, 241 insertions, 0 deletions
diff --git a/app/Api/Authorization/ActionAuthorization.php b/app/Api/Authorization/ActionAuthorization.php new file mode 100644 index 00000000..4b41ad82 --- /dev/null +++ b/app/Api/Authorization/ActionAuthorization.php @@ -0,0 +1,19 @@ +<?php + +namespace Kanboard\Api\Authorization; + +/** + * Class ActionAuthorization + * + * @package Kanboard\Api\Authorization + * @author Frederic Guillot + */ +class ActionAuthorization extends ProjectAuthorization +{ + public function check($class, $method, $action_id) + { + if ($this->userSession->isLogged()) { + $this->checkProjectPermission($class, $method, $this->actionModel->getProjectId($action_id)); + } + } +} diff --git a/app/Api/Authorization/CategoryAuthorization.php b/app/Api/Authorization/CategoryAuthorization.php new file mode 100644 index 00000000..f17265a2 --- /dev/null +++ b/app/Api/Authorization/CategoryAuthorization.php @@ -0,0 +1,19 @@ +<?php + +namespace Kanboard\Api\Authorization; + +/** + * Class CategoryAuthorization + * + * @package Kanboard\Api\Authorization + * @author Frederic Guillot + */ +class CategoryAuthorization extends ProjectAuthorization +{ + public function check($class, $method, $category_id) + { + if ($this->userSession->isLogged()) { + $this->checkProjectPermission($class, $method, $this->categoryModel->getProjectId($category_id)); + } + } +} diff --git a/app/Api/Authorization/ColumnAuthorization.php b/app/Api/Authorization/ColumnAuthorization.php new file mode 100644 index 00000000..37aecda2 --- /dev/null +++ b/app/Api/Authorization/ColumnAuthorization.php @@ -0,0 +1,19 @@ +<?php + +namespace Kanboard\Api\Authorization; + +/** + * Class ColumnAuthorization + * + * @package Kanboard\Api\Authorization + * @author Frederic Guillot + */ +class ColumnAuthorization extends ProjectAuthorization +{ + public function check($class, $method, $column_id) + { + if ($this->userSession->isLogged()) { + $this->checkProjectPermission($class, $method, $this->columnModel->getProjectId($column_id)); + } + } +} diff --git a/app/Api/Authorization/CommentAuthorization.php b/app/Api/Authorization/CommentAuthorization.php new file mode 100644 index 00000000..ed15512e --- /dev/null +++ b/app/Api/Authorization/CommentAuthorization.php @@ -0,0 +1,19 @@ +<?php + +namespace Kanboard\Api\Authorization; + +/** + * Class CommentAuthorization + * + * @package Kanboard\Api\Authorization + * @author Frederic Guillot + */ +class CommentAuthorization extends ProjectAuthorization +{ + public function check($class, $method, $comment_id) + { + if ($this->userSession->isLogged()) { + $this->checkProjectPermission($class, $method, $this->commentModel->getProjectId($comment_id)); + } + } +} diff --git a/app/Api/Authorization/ProcedureAuthorization.php b/app/Api/Authorization/ProcedureAuthorization.php new file mode 100644 index 00000000..070a6371 --- /dev/null +++ b/app/Api/Authorization/ProcedureAuthorization.php @@ -0,0 +1,32 @@ +<?php + +namespace Kanboard\Api\Authorization; + +use JsonRPC\Exception\AccessDeniedException; +use Kanboard\Core\Base; + +/** + * Class ProcedureAuthorization + * + * @package Kanboard\Api\Authorization + * @author Frederic Guillot + */ +class ProcedureAuthorization extends Base +{ + private $userSpecificProcedures = array( + 'getMe', + 'getMyDashboard', + 'getMyActivityStream', + 'createMyPrivateProject', + 'getMyProjectsList', + 'getMyProjects', + 'getMyOverdueTasks', + ); + + public function check($procedure) + { + if (! $this->userSession->isLogged() && in_array($procedure, $this->userSpecificProcedures)) { + throw new AccessDeniedException('This procedure is not available with the API credentials'); + } + } +} diff --git a/app/Api/Authorization/ProjectAuthorization.php b/app/Api/Authorization/ProjectAuthorization.php new file mode 100644 index 00000000..21ecf311 --- /dev/null +++ b/app/Api/Authorization/ProjectAuthorization.php @@ -0,0 +1,35 @@ +<?php + +namespace Kanboard\Api\Authorization; + +use JsonRPC\Exception\AccessDeniedException; +use Kanboard\Core\Base; + +/** + * Class ProjectAuthorization + * + * @package Kanboard\Api\Authorization + * @author Frederic Guillot + */ +class ProjectAuthorization extends Base +{ + public function check($class, $method, $project_id) + { + if ($this->userSession->isLogged()) { + $this->checkProjectPermission($class, $method, $project_id); + } + } + + protected function checkProjectPermission($class, $method, $project_id) + { + if (empty($project_id)) { + throw new AccessDeniedException('Project not found'); + } + + $role = $this->projectUserRoleModel->getUserRole($project_id, $this->userSession->getId()); + + if (! $this->apiProjectAuthorization->isAllowed($class, $method, $role)) { + throw new AccessDeniedException('Project access denied'); + } + } +} diff --git a/app/Api/Authorization/SubtaskAuthorization.php b/app/Api/Authorization/SubtaskAuthorization.php new file mode 100644 index 00000000..fcb57929 --- /dev/null +++ b/app/Api/Authorization/SubtaskAuthorization.php @@ -0,0 +1,19 @@ +<?php + +namespace Kanboard\Api\Authorization; + +/** + * Class SubtaskAuthorization + * + * @package Kanboard\Api\Authorization + * @author Frederic Guillot + */ +class SubtaskAuthorization extends ProjectAuthorization +{ + public function check($class, $method, $subtask_id) + { + if ($this->userSession->isLogged()) { + $this->checkProjectPermission($class, $method, $this->subtaskModel->getProjectId($subtask_id)); + } + } +} diff --git a/app/Api/Authorization/TaskAuthorization.php b/app/Api/Authorization/TaskAuthorization.php new file mode 100644 index 00000000..db93b76b --- /dev/null +++ b/app/Api/Authorization/TaskAuthorization.php @@ -0,0 +1,19 @@ +<?php + +namespace Kanboard\Api\Authorization; + +/** + * Class TaskAuthorization + * + * @package Kanboard\Api\Authorization + * @author Frederic Guillot + */ +class TaskAuthorization extends ProjectAuthorization +{ + public function check($class, $method, $category_id) + { + if ($this->userSession->isLogged()) { + $this->checkProjectPermission($class, $method, $this->taskFinderModel->getProjectId($category_id)); + } + } +} diff --git a/app/Api/Authorization/TaskFileAuthorization.php b/app/Api/Authorization/TaskFileAuthorization.php new file mode 100644 index 00000000..e40783eb --- /dev/null +++ b/app/Api/Authorization/TaskFileAuthorization.php @@ -0,0 +1,19 @@ +<?php + +namespace Kanboard\Api\Authorization; + +/** + * Class TaskFileAuthorization + * + * @package Kanboard\Api\Authorization + * @author Frederic Guillot + */ +class TaskFileAuthorization extends ProjectAuthorization +{ + public function check($class, $method, $file_id) + { + if ($this->userSession->isLogged()) { + $this->checkProjectPermission($class, $method, $this->taskFileModel->getProjectId($file_id)); + } + } +} diff --git a/app/Api/Authorization/TaskLinkAuthorization.php b/app/Api/Authorization/TaskLinkAuthorization.php new file mode 100644 index 00000000..2f5fc8d5 --- /dev/null +++ b/app/Api/Authorization/TaskLinkAuthorization.php @@ -0,0 +1,19 @@ +<?php + +namespace Kanboard\Api\Authorization; + +/** + * Class TaskLinkAuthorization + * + * @package Kanboard\Api\Authorization + * @author Frederic Guillot + */ +class TaskLinkAuthorization extends ProjectAuthorization +{ + public function check($class, $method, $task_link_id) + { + if ($this->userSession->isLogged()) { + $this->checkProjectPermission($class, $method, $this->taskLinkModel->getProjectId($task_link_id)); + } + } +} diff --git a/app/Api/Authorization/UserAuthorization.php b/app/Api/Authorization/UserAuthorization.php new file mode 100644 index 00000000..3fd6865c --- /dev/null +++ b/app/Api/Authorization/UserAuthorization.php @@ -0,0 +1,22 @@ +<?php + +namespace Kanboard\Api\Authorization; + +use JsonRPC\Exception\AccessDeniedException; +use Kanboard\Core\Base; + +/** + * Class UserAuthorization + * + * @package Kanboard\Api\Authorization + * @author Frederic Guillot + */ +class UserAuthorization extends Base +{ + public function check($class, $method) + { + if ($this->userSession->isLogged() && ! $this->apiAuthorization->isAllowed($class, $method, $this->userSession->getRole())) { + throw new AccessDeniedException('You are not allowed to access to this resource'); + } + } +} |