vendor/shopware/core/Framework/DataAbstractionLayer/EntityProtection/EntityProtectionValidator.php line 69

Open in your IDE?
  1. <?php declare(strict_types=1);
  3. namespace Shopware\Core\Framework\DataAbstractionLayer\EntityProtection;
  5. use Shopware\Core\Framework\Context;
  6. use Shopware\Core\Framework\DataAbstractionLayer\EntityDefinition;
  7. use Shopware\Core\Framework\DataAbstractionLayer\Event\EntitySearchedEvent;
  8. use Shopware\Core\Framework\DataAbstractionLayer\Field\AssociationField;
  9. use Shopware\Core\Framework\DataAbstractionLayer\Search\Criteria;
  10. use Shopware\Core\Framework\DataAbstractionLayer\Write\Validation\PreWriteValidationEvent;
  11. use Symfony\Component\EventDispatcher\EventSubscriberInterface;
  12. use Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException;
  14. class EntityProtectionValidator implements EventSubscriberInterface
  15. {
  16.     public static function getSubscribedEvents()
  17.     {
  18.         return [
  19.             PreWriteValidationEvent::class => 'validateWriteCommands',
  20.             EntitySearchedEvent::class => 'validateEntitySearch',
  21.         ];
  22.     }
  24.     /**
  25.      * @param string[] $protections FQCN of the protections that need to be validated
  26.      */
  27.     public function validateEntityPath(array $pathSegments, array $protectionsContext $context): void
  28.     {
  29.         foreach ($pathSegments as $pathSegment) {
  30.             /** @var EntityDefinition $definition */
  31.             $definition $pathSegment['definition'];
  33.             foreach ($protections as $protection) {
  34.                 $protectionInstance $definition->getProtections()->get($protection);
  35.                 if (!$protectionInstance || $protectionInstance->isAllowed($context->getScope())) {
  36.                     continue;
  37.                 }
  39.                 throw new AccessDeniedHttpException(
  40.                     sprintf('API access for entity "%s" not allowed.'$pathSegment['entity'])
  41.                 );
  42.             }
  43.         }
  44.     }
  46.     public function validateEntitySearch(EntitySearchedEvent $event): void
  47.     {
  48.         $definition $event->getDefinition();
  49.         $readProtection $definition->getProtections()->get(ReadProtection::class);
  50.         $context $event->getContext();
  52.         if ($readProtection && !$readProtection->isAllowed($context->getScope())) {
  53.             throw new AccessDeniedHttpException(
  54.                 sprintf(
  55.                     'Read access to entity "%s" not allowed for scope "%s".',
  56.                     $definition->getEntityName(),
  57.                     $context->getScope()
  58.                 )
  59.             );
  60.         }
  62.         $this->validateCriteriaAssociation(
  63.             $definition,
  64.             $event->getCriteria()->getAssociations(),
  65.             $context
  66.         );
  67.     }
  69.     public function validateWriteCommands(PreWriteValidationEvent $event): void
  70.     {
  71.         foreach ($event->getCommands() as $command) {
  72.             $writeProtection $command->getDefinition()->getProtections()->get(WriteProtection::class);
  73.             if ($writeProtection && !$writeProtection->isAllowed($event->getContext()->getScope())) {
  74.                 throw new AccessDeniedHttpException(
  75.                     sprintf(
  76.                         'Write access to entity %s" are not allowed in scope "%s".',
  77.                         $command->getDefinition()->getEntityName(),
  78.                         $event->getContext()->getScope()
  79.                     )
  80.                 );
  81.             }
  82.         }
  83.     }
  85.     private function validateCriteriaAssociation(EntityDefinition $definition, array $associationsContext $context): void
  86.     {
  87.         /** @var Criteria $criteria */
  88.         foreach ($associations as $associationName => $criteria) {
  89.             $field $definition->getField($associationName);
  90.             if (!$field instanceof AssociationField) {
  91.                 continue;
  92.             }
  94.             $associationDefinition $field->getReferenceDefinition();
  95.             $readProtection $associationDefinition->getProtections()->get(ReadProtection::class);
  96.             if ($readProtection && !$readProtection->isAllowed($context->getScope())) {
  97.                 throw new AccessDeniedHttpException(
  98.                     sprintf(
  99.                         'Read access to nested association "%s" on entity "%s" not allowed for scope "%s".',
  100.                         $associationName,
  101.                         $definition->getEntityName(),
  102.                         $context->getScope()
  103.                     )
  104.                 );
  105.             }
  107.             $this->validateCriteriaAssociation($associationDefinition$criteria->getAssociations(), $context);
  108.         }
  109.     }
  110. }