vendor/shopware/core/Framework/Api/Acl/Resource/AclPermissionValidator.php line 27

Open in your IDE?
  1. <?php declare(strict_types=1);
  3. namespace Shopware\Core\Framework\Api\Acl\Resource;
  5. use Shopware\Core\Framework\Api\Context\AdminApiSource;
  6. use Shopware\Core\Framework\Context;
  7. use Shopware\Core\Framework\DataAbstractionLayer\EntityTranslationDefinition;
  8. use Shopware\Core\Framework\DataAbstractionLayer\Write\Command\WriteCommand;
  9. use Shopware\Core\Framework\DataAbstractionLayer\Write\Validation\PreWriteValidationEvent;
  10. use Shopware\Core\Framework\Uuid\Uuid;
  11. use Shopware\Core\Framework\Validation\WriteConstraintViolationException;
  12. use Symfony\Component\EventDispatcher\EventSubscriberInterface;
  13. use Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException;
  14. use Symfony\Component\Validator\ConstraintViolation;
  15. use Symfony\Component\Validator\ConstraintViolationInterface;
  16. use Symfony\Component\Validator\ConstraintViolationList;
  18. class AclPermissionValidator implements EventSubscriberInterface
  19. {
  20.     public const VIOLATION_NO_PERMISSION 'no_permission_violation';
  22.     public static function getSubscribedEvents()
  23.     {
  24.         return [PreWriteValidationEvent::class => 'preValidate'];
  25.     }
  27.     public function preValidate(PreWriteValidationEvent $event): void
  28.     {
  29.         if ($event->getContext()->getScope() === Context::SYSTEM_SCOPE) {
  30.             return;
  31.         }
  33.         $commands $event->getCommands();
  34.         $source $event->getContext()->getSource();
  35.         if (!$source instanceof AdminApiSource || $source->isAdmin()) {
  36.             return;
  37.         }
  39.         $violationList = new ConstraintViolationList();
  41.         foreach ($commands as $command) {
  42.             $resource $command->getDefinition()->getEntityName();
  43.             $privilege $command->getPrivilege();
  45.             if (is_subclass_of($command->getDefinition(), EntityTranslationDefinition::class)) {
  46.                 $resource $command->getDefinition()->getParentDefinition()->getEntityName();
  48.                 if ($privilege !== AclResourceDefinition::PRIVILEGE_DELETE) {
  49.                     $privilege $this->getPrivilegeForParentWriteOperation($command$commands);
  50.                 }
  51.             }
  53.             if (!$source->isAllowed($resource$privilege)) {
  54.                 $this->violates($privilege$resource$command$violationList);
  55.             }
  56.         }
  58.         $this->tryToThrow($violationList);
  59.     }
  61.     private function tryToThrow(ConstraintViolationList $violations): void
  62.     {
  63.         if ($violations->count() > 0) {
  64.             $violationException = new WriteConstraintViolationException($violations);
  66.             throw new AccessDeniedHttpException('You don\'t have all necessary permissions.'$violationException);
  67.         }
  68.     }
  70.     private function buildViolation(
  71.         string $messageTemplate,
  72.         array $parameters,
  73.         $root null,
  74.         ?string $propertyPath null,
  75.         $invalidValue null,
  76.         ?string $code null
  77.     ): ConstraintViolationInterface {
  78.         return new ConstraintViolation(
  79.             str_replace(array_keys($parameters), array_values($parameters), $messageTemplate),
  80.             $messageTemplate,
  81.             $parameters,
  82.             $root,
  83.             $propertyPath,
  84.             $invalidValue,
  85.             null,
  86.             $code
  87.         );
  88.     }
  90.     private function violates(
  91.         string $privilege,
  92.         string $resource,
  93.         WriteCommand $command,
  94.         ConstraintViolationList $violationList
  95.     ): void {
  96.         $violationList->add(
  97.             $this->buildViolation(
  98.                 'No permissions to %privilege% "%resource%".',
  99.                 ['%privilege%' => $privilege'%resource%' => $resource],
  100.                 null,
  101.                 '/' $command->getDefinition()->getEntityName(),
  102.                 null,
  103.                 self::VIOLATION_NO_PERMISSION
  104.             )
  105.         );
  106.     }
  108.     /**
  109.      * @param WriteCommand[] $commands
  110.      */
  111.     private function getPrivilegeForParentWriteOperation(WriteCommand $command, array $commands): string
  112.     {
  113.         $pathSuffix '/translations/' Uuid::fromBytesToHex($command->getPrimaryKey()['language_id']);
  114.         $parentCommandPath str_replace($pathSuffix''$command->getPath());
  115.         $parentCommand $this->findCommandByPath($parentCommandPath$commands);
  117.         // writes to translation need privilege from parent command
  118.         // if we update e.g. a product and add translations for a new language
  119.         // the writeCommand on the translation would be an insert
  120.         if ($parentCommand) {
  121.             return $parentCommand->getPrivilege();
  122.         }
  124.         // if we don't have a parentCommand it must be a update,
  125.         // because the parentEntity must already exist
  126.         return AclResourceDefinition::PRIVILEGE_UPDATE;
  127.     }
  129.     /**
  130.      * @param WriteCommand[] $commands
  131.      */
  132.     private function findCommandByPath(string $commandPath, array $commands): ?WriteCommand
  133.     {
  134.         foreach ($commands as $command) {
  135.             if ($command->getPath() === $commandPath) {
  136.                 return $command;
  137.             }
  138.         }
  140.         return null;
  141.     }
  142. }