diff options
Diffstat (limited to 'src/Wallabag/ApiBundle/Controller/WallabagRestController.php')
| -rw-r--r-- | src/Wallabag/ApiBundle/Controller/WallabagRestController.php | 62 |
1 files changed, 28 insertions, 34 deletions
diff --git a/src/Wallabag/ApiBundle/Controller/WallabagRestController.php b/src/Wallabag/ApiBundle/Controller/WallabagRestController.php index 349229f3..1fee56ad 100644 --- a/src/Wallabag/ApiBundle/Controller/WallabagRestController.php +++ b/src/Wallabag/ApiBundle/Controller/WallabagRestController.php | |||
| @@ -2,8 +2,8 @@ | |||
| 2 | 2 | ||
| 3 | namespace Wallabag\ApiBundle\Controller; | 3 | namespace Wallabag\ApiBundle\Controller; |
| 4 | 4 | ||
| 5 | use FOS\RestBundle\Controller\FOSRestController; | ||
| 5 | use Nelmio\ApiDocBundle\Annotation\ApiDoc; | 6 | use Nelmio\ApiDocBundle\Annotation\ApiDoc; |
| 6 | use Symfony\Bundle\FrameworkBundle\Controller\Controller; | ||
| 7 | use Symfony\Component\HttpFoundation\Request; | 7 | use Symfony\Component\HttpFoundation\Request; |
| 8 | use Symfony\Component\HttpFoundation\Response; | 8 | use Symfony\Component\HttpFoundation\Response; |
| 9 | use Wallabag\CoreBundle\Entity\Entry; | 9 | use Wallabag\CoreBundle\Entity\Entry; |
| @@ -11,7 +11,7 @@ use Wallabag\CoreBundle\Entity\Tag; | |||
| 11 | use Hateoas\Configuration\Route; | 11 | use Hateoas\Configuration\Route; |
| 12 | use Hateoas\Representation\Factory\PagerfantaFactory; | 12 | use Hateoas\Representation\Factory\PagerfantaFactory; |
| 13 | 13 | ||
| 14 | class WallabagRestController extends Controller | 14 | class WallabagRestController extends FOSRestController |
| 15 | { | 15 | { |
| 16 | /** | 16 | /** |
| 17 | * @param Entry $entry | 17 | * @param Entry $entry |
| @@ -38,29 +38,11 @@ class WallabagRestController extends Controller | |||
| 38 | } | 38 | } |
| 39 | } | 39 | } |
| 40 | 40 | ||
| 41 | /** | 41 | private function validateAuthentication() |
| 42 | * Retrieve salt for a giver user. | ||
| 43 | * | ||
| 44 | * @ApiDoc( | ||
| 45 | * parameters={ | ||
| 46 | * {"name"="username", "dataType"="string", "required"=true, "description"="username"} | ||
| 47 | * } | ||
| 48 | * ) | ||
| 49 | * | ||
| 50 | * @return array | ||
| 51 | */ | ||
| 52 | public function getSaltAction($username) | ||
| 53 | { | 42 | { |
| 54 | $user = $this | 43 | if (false === $this->get('security.context')->isGranted('IS_AUTHENTICATED_FULLY')) { |
| 55 | ->getDoctrine() | 44 | throw new AccessDeniedException(); |
| 56 | ->getRepository('WallabagCoreBundle:User') | ||
| 57 | ->findOneByUsername($username); | ||
| 58 | |||
| 59 | if (is_null($user)) { | ||
| 60 | throw $this->createNotFoundException(); | ||
| 61 | } | 45 | } |
| 62 | |||
| 63 | return array($user->getSalt() ?: null); | ||
| 64 | } | 46 | } |
| 65 | 47 | ||
| 66 | /** | 48 | /** |
| @@ -82,6 +64,8 @@ class WallabagRestController extends Controller | |||
| 82 | */ | 64 | */ |
| 83 | public function getEntriesAction(Request $request) | 65 | public function getEntriesAction(Request $request) |
| 84 | { | 66 | { |
| 67 | $this->validateAuthentication(); | ||
| 68 | |||
| 85 | $isArchived = $request->query->get('archive'); | 69 | $isArchived = $request->query->get('archive'); |
| 86 | $isStarred = $request->query->get('star'); | 70 | $isStarred = $request->query->get('star'); |
| 87 | $sort = $request->query->get('sort', 'created'); | 71 | $sort = $request->query->get('sort', 'created'); |
| @@ -122,7 +106,8 @@ class WallabagRestController extends Controller | |||
| 122 | */ | 106 | */ |
| 123 | public function getEntryAction(Entry $entry) | 107 | public function getEntryAction(Entry $entry) |
| 124 | { | 108 | { |
| 125 | $this->validateUserAccess($entry->getUser()->getId(), $this->getUser()->getId()); | 109 | $this->validateAuthentication(); |
| 110 | $this->validateUserAccess($entry->getUser()->getId()); | ||
| 126 | 111 | ||
| 127 | $json = $this->get('serializer')->serialize($entry, 'json'); | 112 | $json = $this->get('serializer')->serialize($entry, 'json'); |
| 128 | 113 | ||
| @@ -144,6 +129,8 @@ class WallabagRestController extends Controller | |||
| 144 | */ | 129 | */ |
| 145 | public function postEntriesAction(Request $request) | 130 | public function postEntriesAction(Request $request) |
| 146 | { | 131 | { |
| 132 | $this->validateAuthentication(); | ||
| 133 | |||
| 147 | $url = $request->request->get('url'); | 134 | $url = $request->request->get('url'); |
| 148 | 135 | ||
| 149 | $entry = $this->get('wallabag_core.content_proxy')->updateEntry( | 136 | $entry = $this->get('wallabag_core.content_proxy')->updateEntry( |
| @@ -184,7 +171,8 @@ class WallabagRestController extends Controller | |||
| 184 | */ | 171 | */ |
| 185 | public function patchEntriesAction(Entry $entry, Request $request) | 172 | public function patchEntriesAction(Entry $entry, Request $request) |
| 186 | { | 173 | { |
| 187 | $this->validateUserAccess($entry->getUser()->getId(), $this->getUser()->getId()); | 174 | $this->validateAuthentication(); |
| 175 | $this->validateUserAccess($entry->getUser()->getId()); | ||
| 188 | 176 | ||
| 189 | $title = $request->request->get('title'); | 177 | $title = $request->request->get('title'); |
| 190 | $isArchived = $request->request->get('is_archived'); | 178 | $isArchived = $request->request->get('is_archived'); |
| @@ -228,7 +216,8 @@ class WallabagRestController extends Controller | |||
| 228 | */ | 216 | */ |
| 229 | public function deleteEntriesAction(Entry $entry) | 217 | public function deleteEntriesAction(Entry $entry) |
| 230 | { | 218 | { |
| 231 | $this->validateUserAccess($entry->getUser()->getId(), $this->getUser()->getId()); | 219 | $this->validateAuthentication(); |
| 220 | $this->validateUserAccess($entry->getUser()->getId()); | ||
| 232 | 221 | ||
| 233 | $em = $this->getDoctrine()->getManager(); | 222 | $em = $this->getDoctrine()->getManager(); |
| 234 | $em->remove($entry); | 223 | $em->remove($entry); |
| @@ -250,7 +239,8 @@ class WallabagRestController extends Controller | |||
| 250 | */ | 239 | */ |
| 251 | public function getEntriesTagsAction(Entry $entry) | 240 | public function getEntriesTagsAction(Entry $entry) |
| 252 | { | 241 | { |
| 253 | $this->validateUserAccess($entry->getUser()->getId(), $this->getUser()->getId()); | 242 | $this->validateAuthentication(); |
| 243 | $this->validateUserAccess($entry->getUser()->getId()); | ||
| 254 | 244 | ||
| 255 | $json = $this->get('serializer')->serialize($entry->getTags(), 'json'); | 245 | $json = $this->get('serializer')->serialize($entry->getTags(), 'json'); |
| 256 | 246 | ||
| @@ -271,7 +261,8 @@ class WallabagRestController extends Controller | |||
| 271 | */ | 261 | */ |
| 272 | public function postEntriesTagsAction(Request $request, Entry $entry) | 262 | public function postEntriesTagsAction(Request $request, Entry $entry) |
| 273 | { | 263 | { |
| 274 | $this->validateUserAccess($entry->getUser()->getId(), $this->getUser()->getId()); | 264 | $this->validateAuthentication(); |
| 265 | $this->validateUserAccess($entry->getUser()->getId()); | ||
| 275 | 266 | ||
| 276 | $tags = $request->request->get('tags', ''); | 267 | $tags = $request->request->get('tags', ''); |
| 277 | if (!empty($tags)) { | 268 | if (!empty($tags)) { |
| @@ -299,7 +290,8 @@ class WallabagRestController extends Controller | |||
| 299 | */ | 290 | */ |
| 300 | public function deleteEntriesTagsAction(Entry $entry, Tag $tag) | 291 | public function deleteEntriesTagsAction(Entry $entry, Tag $tag) |
| 301 | { | 292 | { |
| 302 | $this->validateUserAccess($entry->getUser()->getId(), $this->getUser()->getId()); | 293 | $this->validateAuthentication(); |
| 294 | $this->validateUserAccess($entry->getUser()->getId()); | ||
| 303 | 295 | ||
| 304 | $entry->removeTag($tag); | 296 | $entry->removeTag($tag); |
| 305 | $em = $this->getDoctrine()->getManager(); | 297 | $em = $this->getDoctrine()->getManager(); |
| @@ -318,6 +310,7 @@ class WallabagRestController extends Controller | |||
| 318 | */ | 310 | */ |
| 319 | public function getTagsAction() | 311 | public function getTagsAction() |
| 320 | { | 312 | { |
| 313 | $this->validateAuthentication(); | ||
| 321 | $json = $this->get('serializer')->serialize($this->getUser()->getTags(), 'json'); | 314 | $json = $this->get('serializer')->serialize($this->getUser()->getTags(), 'json'); |
| 322 | 315 | ||
| 323 | return $this->renderJsonResponse($json); | 316 | return $this->renderJsonResponse($json); |
| @@ -334,7 +327,8 @@ class WallabagRestController extends Controller | |||
| 334 | */ | 327 | */ |
| 335 | public function deleteTagAction(Tag $tag) | 328 | public function deleteTagAction(Tag $tag) |
| 336 | { | 329 | { |
| 337 | $this->validateUserAccess($tag->getUser()->getId(), $this->getUser()->getId()); | 330 | $this->validateAuthentication(); |
| 331 | $this->validateUserAccess($tag->getUser()->getId()); | ||
| 338 | 332 | ||
| 339 | $em = $this->getDoctrine()->getManager(); | 333 | $em = $this->getDoctrine()->getManager(); |
| 340 | $em->remove($tag); | 334 | $em->remove($tag); |
| @@ -350,12 +344,12 @@ class WallabagRestController extends Controller | |||
| 350 | * If not, throw exception. It means a user try to access information from an other user. | 344 | * If not, throw exception. It means a user try to access information from an other user. |
| 351 | * | 345 | * |
| 352 | * @param int $requestUserId User id from the requested source | 346 | * @param int $requestUserId User id from the requested source |
| 353 | * @param int $currentUserId User id from the retrieved source | ||
| 354 | */ | 347 | */ |
| 355 | private function validateUserAccess($requestUserId, $currentUserId) | 348 | private function validateUserAccess($requestUserId) |
| 356 | { | 349 | { |
| 357 | if ($requestUserId != $currentUserId) { | 350 | $user = $this->get('security.context')->getToken()->getUser(); |
| 358 | throw $this->createAccessDeniedException('Access forbidden. Entry user id: '.$requestUserId.', logged user id: '.$currentUserId); | 351 | if ($requestUserId != $user->getId()) { |
| 352 | throw $this->createAccessDeniedException('Access forbidden. Entry user id: '.$requestUserId.', logged user id: '.$user->getId()); | ||
| 359 | } | 353 | } |
| 360 | } | 354 | } |
| 361 | 355 | ||