summaryrefslogtreecommitdiff
path: root/app/ServiceProvider
diff options
context:
space:
mode:
authorFrederic Guillot <fred@kanboard.net>2016-06-26 10:25:13 -0400
committerFrederic Guillot <fred@kanboard.net>2016-06-26 10:25:13 -0400
commit4a230d331ec220fc32a48525afb308af0d9787fa (patch)
tree514aa3d703155b7f97a2c77147c9fd74cef60f84 /app/ServiceProvider
parent922e0fb6de06a98774418612e0b0f75af72b6dbb (diff)
Added application and project roles validation for API procedure calls
Diffstat (limited to 'app/ServiceProvider')
-rw-r--r--app/ServiceProvider/ApiProvider.php83
-rw-r--r--app/ServiceProvider/AuthenticationProvider.php57
2 files changed, 99 insertions, 41 deletions
diff --git a/app/ServiceProvider/ApiProvider.php b/app/ServiceProvider/ApiProvider.php
index e0312056..f88d9b4f 100644
--- a/app/ServiceProvider/ApiProvider.php
+++ b/app/ServiceProvider/ApiProvider.php
@@ -3,26 +3,26 @@
namespace Kanboard\ServiceProvider;
use JsonRPC\Server;
-use Kanboard\Api\ActionApi;
-use Kanboard\Api\AppApi;
-use Kanboard\Api\BoardApi;
-use Kanboard\Api\CategoryApi;
-use Kanboard\Api\ColumnApi;
-use Kanboard\Api\CommentApi;
-use Kanboard\Api\TaskFileApi;
-use Kanboard\Api\GroupApi;
-use Kanboard\Api\GroupMemberApi;
-use Kanboard\Api\LinkApi;
-use Kanboard\Api\MeApi;
-use Kanboard\Api\Middleware\AuthenticationApiMiddleware;
-use Kanboard\Api\ProjectApi;
-use Kanboard\Api\ProjectPermissionApi;
-use Kanboard\Api\SubtaskApi;
-use Kanboard\Api\SubtaskTimeTrackingApi;
-use Kanboard\Api\SwimlaneApi;
-use Kanboard\Api\TaskApi;
-use Kanboard\Api\TaskLinkApi;
-use Kanboard\Api\UserApi;
+use Kanboard\Api\Procedure\ActionProcedure;
+use Kanboard\Api\Procedure\AppProcedure;
+use Kanboard\Api\Procedure\BoardProcedure;
+use Kanboard\Api\Procedure\CategoryProcedure;
+use Kanboard\Api\Procedure\ColumnProcedure;
+use Kanboard\Api\Procedure\CommentProcedure;
+use Kanboard\Api\Procedure\TaskFileProcedure;
+use Kanboard\Api\Procedure\GroupProcedure;
+use Kanboard\Api\Procedure\GroupMemberProcedure;
+use Kanboard\Api\Procedure\LinkProcedure;
+use Kanboard\Api\Procedure\MeProcedure;
+use Kanboard\Api\Middleware\AuthenticationMiddleware;
+use Kanboard\Api\Procedure\ProjectProcedure;
+use Kanboard\Api\Procedure\ProjectPermissionProcedure;
+use Kanboard\Api\Procedure\SubtaskProcedure;
+use Kanboard\Api\Procedure\SubtaskTimeTrackingProcedure;
+use Kanboard\Api\Procedure\SwimlaneProcedure;
+use Kanboard\Api\Procedure\TaskProcedure;
+use Kanboard\Api\Procedure\TaskLinkProcedure;
+use Kanboard\Api\Procedure\UserProcedure;
use Pimple\Container;
use Pimple\ServiceProviderInterface;
@@ -45,31 +45,32 @@ class ApiProvider implements ServiceProviderInterface
$server = new Server();
$server->setAuthenticationHeader(API_AUTHENTICATION_HEADER);
$server->getMiddlewareHandler()
- ->withMiddleware(new AuthenticationApiMiddleware($container))
+ ->withMiddleware(new AuthenticationMiddleware($container))
;
$server->getProcedureHandler()
- ->withObject(new MeApi($container))
- ->withObject(new ActionApi($container))
- ->withObject(new AppApi($container))
- ->withObject(new BoardApi($container))
- ->withObject(new ColumnApi($container))
- ->withObject(new CategoryApi($container))
- ->withObject(new CommentApi($container))
- ->withObject(new TaskFileApi($container))
- ->withObject(new LinkApi($container))
- ->withObject(new ProjectApi($container))
- ->withObject(new ProjectPermissionApi($container))
- ->withObject(new SubtaskApi($container))
- ->withObject(new SubtaskTimeTrackingApi($container))
- ->withObject(new SwimlaneApi($container))
- ->withObject(new TaskApi($container))
- ->withObject(new TaskLinkApi($container))
- ->withObject(new UserApi($container))
- ->withObject(new GroupApi($container))
- ->withObject(new GroupMemberApi($container))
+ ->withObject(new MeProcedure($container))
+ ->withObject(new ActionProcedure($container))
+ ->withObject(new AppProcedure($container))
+ ->withObject(new BoardProcedure($container))
+ ->withObject(new ColumnProcedure($container))
+ ->withObject(new CategoryProcedure($container))
+ ->withObject(new CommentProcedure($container))
+ ->withObject(new TaskFileProcedure($container))
+ ->withObject(new LinkProcedure($container))
+ ->withObject(new ProjectProcedure($container))
+ ->withObject(new ProjectPermissionProcedure($container))
+ ->withObject(new SubtaskProcedure($container))
+ ->withObject(new SubtaskTimeTrackingProcedure($container))
+ ->withObject(new SwimlaneProcedure($container))
+ ->withObject(new TaskProcedure($container))
+ ->withObject(new TaskLinkProcedure($container))
+ ->withObject(new UserProcedure($container))
+ ->withObject(new GroupProcedure($container))
+ ->withObject(new GroupMemberProcedure($container))
+ ->withBeforeMethod('beforeProcedure')
;
-
+
$container['api'] = $server;
return $container;
}
diff --git a/app/ServiceProvider/AuthenticationProvider.php b/app/ServiceProvider/AuthenticationProvider.php
index 84e4354d..751fe514 100644
--- a/app/ServiceProvider/AuthenticationProvider.php
+++ b/app/ServiceProvider/AuthenticationProvider.php
@@ -46,9 +46,13 @@ class AuthenticationProvider implements ServiceProviderInterface
$container['projectAccessMap'] = $this->getProjectAccessMap();
$container['applicationAccessMap'] = $this->getApplicationAccessMap();
+ $container['apiAccessMap'] = $this->getApiAccessMap();
+ $container['apiProjectAccessMap'] = $this->getApiProjectAccessMap();
$container['projectAuthorization'] = new Authorization($container['projectAccessMap']);
$container['applicationAuthorization'] = new Authorization($container['applicationAccessMap']);
+ $container['apiAuthorization'] = new Authorization($container['apiAccessMap']);
+ $container['apiProjectAuthorization'] = new Authorization($container['apiProjectAccessMap']);
return $container;
}
@@ -151,4 +155,57 @@ class AuthenticationProvider implements ServiceProviderInterface
return $acl;
}
+
+ /**
+ * Get ACL for the API
+ *
+ * @access public
+ * @return AccessMap
+ */
+ public function getApiAccessMap()
+ {
+ $acl = new AccessMap;
+ $acl->setDefaultRole(Role::APP_USER);
+ $acl->setRoleHierarchy(Role::APP_ADMIN, array(Role::APP_MANAGER, Role::APP_USER, Role::APP_PUBLIC));
+ $acl->setRoleHierarchy(Role::APP_MANAGER, array(Role::APP_USER, Role::APP_PUBLIC));
+
+ $acl->add('UserProcedure', '*', Role::APP_ADMIN);
+ $acl->add('GroupMemberProcedure', '*', Role::APP_ADMIN);
+ $acl->add('GroupProcedure', '*', Role::APP_ADMIN);
+ $acl->add('LinkProcedure', '*', Role::APP_ADMIN);
+ $acl->add('TaskProcedure', array('getOverdueTasks'), Role::APP_ADMIN);
+ $acl->add('ProjectProcedure', array('getAllProjects'), Role::APP_ADMIN);
+ $acl->add('ProjectProcedure', array('createProject'), Role::APP_MANAGER);
+
+ return $acl;
+ }
+
+ /**
+ * Get ACL for the API
+ *
+ * @access public
+ * @return AccessMap
+ */
+ public function getApiProjectAccessMap()
+ {
+ $acl = new AccessMap;
+ $acl->setDefaultRole(Role::PROJECT_VIEWER);
+ $acl->setRoleHierarchy(Role::PROJECT_MANAGER, array(Role::PROJECT_MEMBER, Role::PROJECT_VIEWER));
+ $acl->setRoleHierarchy(Role::PROJECT_MEMBER, array(Role::PROJECT_VIEWER));
+
+ $acl->add('ActionProcedure', array('removeAction', 'getActions', 'createAction'), Role::PROJECT_MANAGER);
+ $acl->add('CategoryProcedure', '*', Role::PROJECT_MANAGER);
+ $acl->add('ColumnProcedure', '*', Role::PROJECT_MANAGER);
+ $acl->add('CommentProcedure', array('removeComment', 'createComment', 'updateComment'), Role::PROJECT_MEMBER);
+ $acl->add('ProjectPermissionProcedure', '*', Role::PROJECT_MANAGER);
+ $acl->add('ProjectProcedure', array('updateProject', 'removeProject', 'enableProject', 'disableProject', 'enableProjectPublicAccess', 'disableProjectPublicAccess'), Role::PROJECT_MANAGER);
+ $acl->add('SubtaskProcedure', '*', Role::PROJECT_MEMBER);
+ $acl->add('SubtaskTimeTrackingProcedure', '*', Role::PROJECT_MEMBER);
+ $acl->add('SwimlaneProcedure', '*', Role::PROJECT_MANAGER);
+ $acl->add('TaskFileProcedure', '*', Role::PROJECT_MEMBER);
+ $acl->add('TaskLinkProcedure', '*', Role::PROJECT_MEMBER);
+ $acl->add('TaskProcedure', '*', Role::PROJECT_MEMBER);
+
+ return $acl;
+ }
}
generated by cgit v1.2.3 (git 2.46.0) at 2024-11-22 23:37:55 +0000