Diffstat (limited to 'src/Wallabag/ApiBundle/Controller/WallabagRestController.php')
-rw-r--r-- | src/Wallabag/ApiBundle/Controller/WallabagRestController.php | 62 |
1 files changed, 28 insertions, 34 deletions
diff --git a/src/Wallabag/ApiBundle/Controller/WallabagRestController.php b/src/Wallabag/ApiBundle/Controller/WallabagRestController.php index 349229f3..1fee56ad 100644 --- a/src/Wallabag/ApiBundle/Controller/WallabagRestController.php +++ b/src/Wallabag/ApiBundle/Controller/WallabagRestController.php | |||
@@ -2,8 +2,8 @@ | |||
2 | 2 | ||
3 | namespace Wallabag\ApiBundle\Controller; | 3 | namespace Wallabag\ApiBundle\Controller; |
4 | 4 | ||
5 | use FOS\RestBundle\Controller\FOSRestController; | ||
5 | use Nelmio\ApiDocBundle\Annotation\ApiDoc; | 6 | use Nelmio\ApiDocBundle\Annotation\ApiDoc; |
6 | use Symfony\Bundle\FrameworkBundle\Controller\Controller; | ||
7 | use Symfony\Component\HttpFoundation\Request; | 7 | use Symfony\Component\HttpFoundation\Request; |
8 | use Symfony\Component\HttpFoundation\Response; | 8 | use Symfony\Component\HttpFoundation\Response; |
9 | use Wallabag\CoreBundle\Entity\Entry; | 9 | use Wallabag\CoreBundle\Entity\Entry; |
@@ -11,7 +11,7 @@ use Wallabag\CoreBundle\Entity\Tag; | |||
11 | use Hateoas\Configuration\Route; | 11 | use Hateoas\Configuration\Route; |
12 | use Hateoas\Representation\Factory\PagerfantaFactory; | 12 | use Hateoas\Representation\Factory\PagerfantaFactory; |
13 | 13 | ||
14 | class WallabagRestController extends Controller | 14 | class WallabagRestController extends FOSRestController |
15 | { | 15 | { |
16 | /** | 16 | /** |
17 | * @param Entry $entry | 17 | * @param Entry $entry |
@@ -38,29 +38,11 @@ class WallabagRestController extends Controller | |||
38 | } | 38 | } |
39 | } | 39 | } |
40 | 40 | ||
41 | /** | 41 | private function validateAuthentication() |
42 | * Retrieve salt for a giver user. | ||
43 | * | ||
44 | * @ApiDoc( | ||
45 | * parameters={ | ||
46 | * {"name"="username", "dataType"="string", "required"=true, "description"="username"} | ||
47 | * } | ||
48 | * ) | ||
49 | * | ||
50 | * @return array | ||
51 | */ | ||
52 | public function getSaltAction($username) | ||
53 | { | 42 | { |
54 | $user = $this | 43 | if (false === $this->get('security.context')->isGranted('IS_AUTHENTICATED_FULLY')) { |
55 | ->getDoctrine() | 44 | throw new AccessDeniedException(); |
56 | ->getRepository('WallabagCoreBundle:User') | ||
57 | ->findOneByUsername($username); | ||
58 | |||
59 | if (is_null($user)) { | ||
60 | throw $this->createNotFoundException(); | ||
61 | } | 45 | } |
62 | |||
63 | return array($user->getSalt() ?: null); | ||
64 | } | 46 | } |
65 | 47 | ||
66 | /** | 48 | /** |
@@ -82,6 +64,8 @@ class WallabagRestController extends Controller | |||
82 | */ | 64 | */ |
83 | public function getEntriesAction(Request $request) | 65 | public function getEntriesAction(Request $request) |
84 | { | 66 | { |
67 | $this->validateAuthentication(); | ||
68 | |||
85 | $isArchived = $request->query->get('archive'); | 69 | $isArchived = $request->query->get('archive'); |
86 | $isStarred = $request->query->get('star'); | 70 | $isStarred = $request->query->get('star'); |
87 | $sort = $request->query->get('sort', 'created'); | 71 | $sort = $request->query->get('sort', 'created'); |
@@ -122,7 +106,8 @@ class WallabagRestController extends Controller | |||
122 | */ | 106 | */ |
123 | public function getEntryAction(Entry $entry) | 107 | public function getEntryAction(Entry $entry) |
124 | { | 108 | { |
125 | $this->validateUserAccess($entry->getUser()->getId(), $this->getUser()->getId()); | 109 | $this->validateAuthentication(); |
110 | $this->validateUserAccess($entry->getUser()->getId()); | ||
126 | 111 | ||
127 | $json = $this->get('serializer')->serialize($entry, 'json'); | 112 | $json = $this->get('serializer')->serialize($entry, 'json'); |
128 | 113 | ||
@@ -144,6 +129,8 @@ class WallabagRestController extends Controller | |||
144 | */ | 129 | */ |
145 | public function postEntriesAction(Request $request) | 130 | public function postEntriesAction(Request $request) |
146 | { | 131 | { |
132 | $this->validateAuthentication(); | ||
133 | |||
147 | $url = $request->request->get('url'); | 134 | $url = $request->request->get('url'); |
148 | 135 | ||
149 | $entry = $this->get('wallabag_core.content_proxy')->updateEntry( | 136 | $entry = $this->get('wallabag_core.content_proxy')->updateEntry( |
@@ -184,7 +171,8 @@ class WallabagRestController extends Controller | |||
184 | */ | 171 | */ |
185 | public function patchEntriesAction(Entry $entry, Request $request) | 172 | public function patchEntriesAction(Entry $entry, Request $request) |
186 | { | 173 | { |
187 | $this->validateUserAccess($entry->getUser()->getId(), $this->getUser()->getId()); | 174 | $this->validateAuthentication(); |
175 | $this->validateUserAccess($entry->getUser()->getId()); | ||
188 | 176 | ||
189 | $title = $request->request->get('title'); | 177 | $title = $request->request->get('title'); |
190 | $isArchived = $request->request->get('is_archived'); | 178 | $isArchived = $request->request->get('is_archived'); |
@@ -228,7 +216,8 @@ class WallabagRestController extends Controller | |||
228 | */ | 216 | */ |
229 | public function deleteEntriesAction(Entry $entry) | 217 | public function deleteEntriesAction(Entry $entry) |
230 | { | 218 | { |
231 | $this->validateUserAccess($entry->getUser()->getId(), $this->getUser()->getId()); | 219 | $this->validateAuthentication(); |
220 | $this->validateUserAccess($entry->getUser()->getId()); | ||
232 | 221 | ||
233 | $em = $this->getDoctrine()->getManager(); | 222 | $em = $this->getDoctrine()->getManager(); |
234 | $em->remove($entry); | 223 | $em->remove($entry); |
@@ -250,7 +239,8 @@ class WallabagRestController extends Controller | |||
250 | */ | 239 | */ |
251 | public function getEntriesTagsAction(Entry $entry) | 240 | public function getEntriesTagsAction(Entry $entry) |
252 | { | 241 | { |
253 | $this->validateUserAccess($entry->getUser()->getId(), $this->getUser()->getId()); | 242 | $this->validateAuthentication(); |
243 | $this->validateUserAccess($entry->getUser()->getId()); | ||
254 | 244 | ||
255 | $json = $this->get('serializer')->serialize($entry->getTags(), 'json'); | 245 | $json = $this->get('serializer')->serialize($entry->getTags(), 'json'); |
256 | 246 | ||
@@ -271,7 +261,8 @@ class WallabagRestController extends Controller | |||
271 | */ | 261 | */ |
272 | public function postEntriesTagsAction(Request $request, Entry $entry) | 262 | public function postEntriesTagsAction(Request $request, Entry $entry) |
273 | { | 263 | { |
274 | $this->validateUserAccess($entry->getUser()->getId(), $this->getUser()->getId()); | 264 | $this->validateAuthentication(); |
265 | $this->validateUserAccess($entry->getUser()->getId()); | ||
275 | 266 | ||
276 | $tags = $request->request->get('tags', ''); | 267 | $tags = $request->request->get('tags', ''); |
277 | if (!empty($tags)) { | 268 | if (!empty($tags)) { |
@@ -299,7 +290,8 @@ class WallabagRestController extends Controller | |||
299 | */ | 290 | */ |
300 | public function deleteEntriesTagsAction(Entry $entry, Tag $tag) | 291 | public function deleteEntriesTagsAction(Entry $entry, Tag $tag) |
301 | { | 292 | { |
302 | $this->validateUserAccess($entry->getUser()->getId(), $this->getUser()->getId()); | 293 | $this->validateAuthentication(); |
294 | $this->validateUserAccess($entry->getUser()->getId()); | ||
303 | 295 | ||
304 | $entry->removeTag($tag); | 296 | $entry->removeTag($tag); |
305 | $em = $this->getDoctrine()->getManager(); | 297 | $em = $this->getDoctrine()->getManager(); |
@@ -318,6 +310,7 @@ class WallabagRestController extends Controller | |||
318 | */ | 310 | */ |
319 | public function getTagsAction() | 311 | public function getTagsAction() |
320 | { | 312 | { |
313 | $this->validateAuthentication(); | ||
321 | $json = $this->get('serializer')->serialize($this->getUser()->getTags(), 'json'); | 314 | $json = $this->get('serializer')->serialize($this->getUser()->getTags(), 'json'); |
322 | 315 | ||
323 | return $this->renderJsonResponse($json); | 316 | return $this->renderJsonResponse($json); |
@@ -334,7 +327,8 @@ class WallabagRestController extends Controller | |||
334 | */ | 327 | */ |
335 | public function deleteTagAction(Tag $tag) | 328 | public function deleteTagAction(Tag $tag) |
336 | { | 329 | { |
337 | $this->validateUserAccess($tag->getUser()->getId(), $this->getUser()->getId()); | 330 | $this->validateAuthentication(); |
331 | $this->validateUserAccess($tag->getUser()->getId()); | ||
338 | 332 | ||
339 | $em = $this->getDoctrine()->getManager(); | 333 | $em = $this->getDoctrine()->getManager(); |
340 | $em->remove($tag); | 334 | $em->remove($tag); |
@@ -350,12 +344,12 @@ class WallabagRestController extends Controller | |||
350 | * If not, throw exception. It means a user try to access information from an other user. | 344 | * If not, throw exception. It means a user try to access information from an other user. |
351 | * | 345 | * |
352 | * @param int $requestUserId User id from the requested source | 346 | * @param int $requestUserId User id from the requested source |
353 | * @param int $currentUserId User id from the retrieved source | ||
354 | */ | 347 | */ |
355 | private function validateUserAccess($requestUserId, $currentUserId) | 348 | private function validateUserAccess($requestUserId) |
356 | { | 349 | { |
357 | if ($requestUserId != $currentUserId) { | 350 | $user = $this->get('security.context')->getToken()->getUser(); |
358 | throw $this->createAccessDeniedException('Access forbidden. Entry user id: '.$requestUserId.', logged user id: '.$currentUserId); | 351 | if ($requestUserId != $user->getId()) { |
352 | throw $this->createAccessDeniedException('Access forbidden. Entry user id: '.$requestUserId.', logged user id: '.$user->getId()); | ||
359 | } | 353 | } |
360 | } | 354 | } |
361 | 355 | ||