X-Git-Url: https://git.immae.eu/?a=blobdiff_plain;f=src%2FWallabag%2FApiBundle%2FController%2FWallabagRestController.php;h=587013f68fbac8999a8f6425e2edcb3e3c2ef7f0;hb=fc73222723c7a0c9b577805d3ef51eb96b124b92;hp=349229f384524fd7c4bd03b6b13c52886ec48409;hpb=558d9aabab7e01c2e2b506aa362c70a568b953aa;p=github%2Fwallabag%2Fwallabag.git diff --git a/src/Wallabag/ApiBundle/Controller/WallabagRestController.php b/src/Wallabag/ApiBundle/Controller/WallabagRestController.php index 349229f3..587013f6 100644 --- a/src/Wallabag/ApiBundle/Controller/WallabagRestController.php +++ b/src/Wallabag/ApiBundle/Controller/WallabagRestController.php @@ -2,8 +2,8 @@ namespace Wallabag\ApiBundle\Controller; +use FOS\RestBundle\Controller\FOSRestController; use Nelmio\ApiDocBundle\Annotation\ApiDoc; -use Symfony\Bundle\FrameworkBundle\Controller\Controller; use Symfony\Component\HttpFoundation\Request; use Symfony\Component\HttpFoundation\Response; use Wallabag\CoreBundle\Entity\Entry; @@ -11,7 +11,7 @@ use Wallabag\CoreBundle\Entity\Tag; use Hateoas\Configuration\Route; use Hateoas\Representation\Factory\PagerfantaFactory; -class WallabagRestController extends Controller +class WallabagRestController extends FOSRestController { /** * @param Entry $entry @@ -27,7 +27,7 @@ class WallabagRestController extends Controller ->findOneByLabel($label); if (is_null($tagEntity)) { - $tagEntity = new Tag($this->getUser()); + $tagEntity = new Tag(); $tagEntity->setLabel($label); } @@ -38,29 +38,11 @@ class WallabagRestController extends Controller } } - /** - * Retrieve salt for a giver user. - * - * @ApiDoc( - * parameters={ - * {"name"="username", "dataType"="string", "required"=true, "description"="username"} - * } - * ) - * - * @return array - */ - public function getSaltAction($username) + private function validateAuthentication() { - $user = $this - ->getDoctrine() - ->getRepository('WallabagCoreBundle:User') - ->findOneByUsername($username); - - if (is_null($user)) { - throw $this->createNotFoundException(); + if (false === $this->get('security.authorization_checker')->isGranted('IS_AUTHENTICATED_FULLY')) { + throw new AccessDeniedException(); } - - return array($user->getSalt() ?: null); } /** @@ -82,6 +64,8 @@ class WallabagRestController extends Controller */ public function getEntriesAction(Request $request) { + $this->validateAuthentication(); + $isArchived = $request->query->get('archive'); $isStarred = $request->query->get('star'); $sort = $request->query->get('sort', 'created'); @@ -90,8 +74,7 @@ class WallabagRestController extends Controller $perPage = (int) $request->query->get('perPage', 30); $tags = $request->query->get('tags', []); - $pager = $this - ->getDoctrine() + $pager = $this->getDoctrine() ->getRepository('WallabagCoreBundle:Entry') ->findEntries($this->getUser()->getId(), $isArchived, $isStarred, $sort, $order); @@ -122,7 +105,8 @@ class WallabagRestController extends Controller */ public function getEntryAction(Entry $entry) { - $this->validateUserAccess($entry->getUser()->getId(), $this->getUser()->getId()); + $this->validateAuthentication(); + $this->validateUserAccess($entry->getUser()->getId()); $json = $this->get('serializer')->serialize($entry, 'json'); @@ -144,6 +128,8 @@ class WallabagRestController extends Controller */ public function postEntriesAction(Request $request) { + $this->validateAuthentication(); + $url = $request->request->get('url'); $entry = $this->get('wallabag_core.content_proxy')->updateEntry( @@ -184,7 +170,8 @@ class WallabagRestController extends Controller */ public function patchEntriesAction(Entry $entry, Request $request) { - $this->validateUserAccess($entry->getUser()->getId(), $this->getUser()->getId()); + $this->validateAuthentication(); + $this->validateUserAccess($entry->getUser()->getId()); $title = $request->request->get('title'); $isArchived = $request->request->get('is_archived'); @@ -228,7 +215,8 @@ class WallabagRestController extends Controller */ public function deleteEntriesAction(Entry $entry) { - $this->validateUserAccess($entry->getUser()->getId(), $this->getUser()->getId()); + $this->validateAuthentication(); + $this->validateUserAccess($entry->getUser()->getId()); $em = $this->getDoctrine()->getManager(); $em->remove($entry); @@ -250,7 +238,8 @@ class WallabagRestController extends Controller */ public function getEntriesTagsAction(Entry $entry) { - $this->validateUserAccess($entry->getUser()->getId(), $this->getUser()->getId()); + $this->validateAuthentication(); + $this->validateUserAccess($entry->getUser()->getId()); $json = $this->get('serializer')->serialize($entry->getTags(), 'json'); @@ -271,7 +260,8 @@ class WallabagRestController extends Controller */ public function postEntriesTagsAction(Request $request, Entry $entry) { - $this->validateUserAccess($entry->getUser()->getId(), $this->getUser()->getId()); + $this->validateAuthentication(); + $this->validateUserAccess($entry->getUser()->getId()); $tags = $request->request->get('tags', ''); if (!empty($tags)) { @@ -299,7 +289,8 @@ class WallabagRestController extends Controller */ public function deleteEntriesTagsAction(Entry $entry, Tag $tag) { - $this->validateUserAccess($entry->getUser()->getId(), $this->getUser()->getId()); + $this->validateAuthentication(); + $this->validateUserAccess($entry->getUser()->getId()); $entry->removeTag($tag); $em = $this->getDoctrine()->getManager(); @@ -318,7 +309,13 @@ class WallabagRestController extends Controller */ public function getTagsAction() { - $json = $this->get('serializer')->serialize($this->getUser()->getTags(), 'json'); + $this->validateAuthentication(); + + $tags = $this->getDoctrine() + ->getRepository('WallabagCoreBundle:Tag') + ->findAllTags($this->getUser()->getId()); + + $json = $this->get('serializer')->serialize($tags, 'json'); return $this->renderJsonResponse($json); } @@ -334,7 +331,11 @@ class WallabagRestController extends Controller */ public function deleteTagAction(Tag $tag) { - $this->validateUserAccess($tag->getUser()->getId(), $this->getUser()->getId()); + $this->validateAuthentication(); + + $this->getDoctrine() + ->getRepository('WallabagCoreBundle:Entry') + ->removeTag($this->getUser()->getId(), $tag); $em = $this->getDoctrine()->getManager(); $em->remove($tag); @@ -350,12 +351,12 @@ class WallabagRestController extends Controller * If not, throw exception. It means a user try to access information from an other user. * * @param int $requestUserId User id from the requested source - * @param int $currentUserId User id from the retrieved source */ - private function validateUserAccess($requestUserId, $currentUserId) + private function validateUserAccess($requestUserId) { - if ($requestUserId != $currentUserId) { - throw $this->createAccessDeniedException('Access forbidden. Entry user id: '.$requestUserId.', logged user id: '.$currentUserId); + $user = $this->get('security.token_storage')->getToken()->getUser(); + if ($requestUserId != $user->getId()) { + throw $this->createAccessDeniedException('Access forbidden. Entry user id: '.$requestUserId.', logged user id: '.$user->getId()); } }