aboutsummaryrefslogtreecommitdiffhomepage
path: root/src/Wallabag/ApiBundle/Controller
diff options
context:
space:
mode:
Diffstat (limited to 'src/Wallabag/ApiBundle/Controller')
-rw-r--r--src/Wallabag/ApiBundle/Controller/WallabagRestController.php62
1 files changed, 28 insertions, 34 deletions
diff --git a/src/Wallabag/ApiBundle/Controller/WallabagRestController.php b/src/Wallabag/ApiBundle/Controller/WallabagRestController.php
index 349229f3..1fee56ad 100644
--- a/src/Wallabag/ApiBundle/Controller/WallabagRestController.php
+++ b/src/Wallabag/ApiBundle/Controller/WallabagRestController.php
@@ -2,8 +2,8 @@
2 2
3namespace Wallabag\ApiBundle\Controller; 3namespace Wallabag\ApiBundle\Controller;
4 4
5use FOS\RestBundle\Controller\FOSRestController;
5use Nelmio\ApiDocBundle\Annotation\ApiDoc; 6use Nelmio\ApiDocBundle\Annotation\ApiDoc;
6use Symfony\Bundle\FrameworkBundle\Controller\Controller;
7use Symfony\Component\HttpFoundation\Request; 7use Symfony\Component\HttpFoundation\Request;
8use Symfony\Component\HttpFoundation\Response; 8use Symfony\Component\HttpFoundation\Response;
9use Wallabag\CoreBundle\Entity\Entry; 9use Wallabag\CoreBundle\Entity\Entry;
@@ -11,7 +11,7 @@ use Wallabag\CoreBundle\Entity\Tag;
11use Hateoas\Configuration\Route; 11use Hateoas\Configuration\Route;
12use Hateoas\Representation\Factory\PagerfantaFactory; 12use Hateoas\Representation\Factory\PagerfantaFactory;
13 13
14class WallabagRestController extends Controller 14class WallabagRestController extends FOSRestController
15{ 15{
16 /** 16 /**
17 * @param Entry $entry 17 * @param Entry $entry
@@ -38,29 +38,11 @@ class WallabagRestController extends Controller
38 } 38 }
39 } 39 }
40 40
41 /** 41 private function validateAuthentication()
42 * Retrieve salt for a giver user.
43 *
44 * @ApiDoc(
45 * parameters={
46 * {"name"="username", "dataType"="string", "required"=true, "description"="username"}
47 * }
48 * )
49 *
50 * @return array
51 */
52 public function getSaltAction($username)
53 { 42 {
54 $user = $this 43 if (false === $this->get('security.context')->isGranted('IS_AUTHENTICATED_FULLY')) {
55 ->getDoctrine() 44 throw new AccessDeniedException();
56 ->getRepository('WallabagCoreBundle:User')
57 ->findOneByUsername($username);
58
59 if (is_null($user)) {
60 throw $this->createNotFoundException();
61 } 45 }
62
63 return array($user->getSalt() ?: null);
64 } 46 }
65 47
66 /** 48 /**
@@ -82,6 +64,8 @@ class WallabagRestController extends Controller
82 */ 64 */
83 public function getEntriesAction(Request $request) 65 public function getEntriesAction(Request $request)
84 { 66 {
67 $this->validateAuthentication();
68
85 $isArchived = $request->query->get('archive'); 69 $isArchived = $request->query->get('archive');
86 $isStarred = $request->query->get('star'); 70 $isStarred = $request->query->get('star');
87 $sort = $request->query->get('sort', 'created'); 71 $sort = $request->query->get('sort', 'created');
@@ -122,7 +106,8 @@ class WallabagRestController extends Controller
122 */ 106 */
123 public function getEntryAction(Entry $entry) 107 public function getEntryAction(Entry $entry)
124 { 108 {
125 $this->validateUserAccess($entry->getUser()->getId(), $this->getUser()->getId()); 109 $this->validateAuthentication();
110 $this->validateUserAccess($entry->getUser()->getId());
126 111
127 $json = $this->get('serializer')->serialize($entry, 'json'); 112 $json = $this->get('serializer')->serialize($entry, 'json');
128 113
@@ -144,6 +129,8 @@ class WallabagRestController extends Controller
144 */ 129 */
145 public function postEntriesAction(Request $request) 130 public function postEntriesAction(Request $request)
146 { 131 {
132 $this->validateAuthentication();
133
147 $url = $request->request->get('url'); 134 $url = $request->request->get('url');
148 135
149 $entry = $this->get('wallabag_core.content_proxy')->updateEntry( 136 $entry = $this->get('wallabag_core.content_proxy')->updateEntry(
@@ -184,7 +171,8 @@ class WallabagRestController extends Controller
184 */ 171 */
185 public function patchEntriesAction(Entry $entry, Request $request) 172 public function patchEntriesAction(Entry $entry, Request $request)
186 { 173 {
187 $this->validateUserAccess($entry->getUser()->getId(), $this->getUser()->getId()); 174 $this->validateAuthentication();
175 $this->validateUserAccess($entry->getUser()->getId());
188 176
189 $title = $request->request->get('title'); 177 $title = $request->request->get('title');
190 $isArchived = $request->request->get('is_archived'); 178 $isArchived = $request->request->get('is_archived');
@@ -228,7 +216,8 @@ class WallabagRestController extends Controller
228 */ 216 */
229 public function deleteEntriesAction(Entry $entry) 217 public function deleteEntriesAction(Entry $entry)
230 { 218 {
231 $this->validateUserAccess($entry->getUser()->getId(), $this->getUser()->getId()); 219 $this->validateAuthentication();
220 $this->validateUserAccess($entry->getUser()->getId());
232 221
233 $em = $this->getDoctrine()->getManager(); 222 $em = $this->getDoctrine()->getManager();
234 $em->remove($entry); 223 $em->remove($entry);
@@ -250,7 +239,8 @@ class WallabagRestController extends Controller
250 */ 239 */
251 public function getEntriesTagsAction(Entry $entry) 240 public function getEntriesTagsAction(Entry $entry)
252 { 241 {
253 $this->validateUserAccess($entry->getUser()->getId(), $this->getUser()->getId()); 242 $this->validateAuthentication();
243 $this->validateUserAccess($entry->getUser()->getId());
254 244
255 $json = $this->get('serializer')->serialize($entry->getTags(), 'json'); 245 $json = $this->get('serializer')->serialize($entry->getTags(), 'json');
256 246
@@ -271,7 +261,8 @@ class WallabagRestController extends Controller
271 */ 261 */
272 public function postEntriesTagsAction(Request $request, Entry $entry) 262 public function postEntriesTagsAction(Request $request, Entry $entry)
273 { 263 {
274 $this->validateUserAccess($entry->getUser()->getId(), $this->getUser()->getId()); 264 $this->validateAuthentication();
265 $this->validateUserAccess($entry->getUser()->getId());
275 266
276 $tags = $request->request->get('tags', ''); 267 $tags = $request->request->get('tags', '');
277 if (!empty($tags)) { 268 if (!empty($tags)) {
@@ -299,7 +290,8 @@ class WallabagRestController extends Controller
299 */ 290 */
300 public function deleteEntriesTagsAction(Entry $entry, Tag $tag) 291 public function deleteEntriesTagsAction(Entry $entry, Tag $tag)
301 { 292 {
302 $this->validateUserAccess($entry->getUser()->getId(), $this->getUser()->getId()); 293 $this->validateAuthentication();
294 $this->validateUserAccess($entry->getUser()->getId());
303 295
304 $entry->removeTag($tag); 296 $entry->removeTag($tag);
305 $em = $this->getDoctrine()->getManager(); 297 $em = $this->getDoctrine()->getManager();
@@ -318,6 +310,7 @@ class WallabagRestController extends Controller
318 */ 310 */
319 public function getTagsAction() 311 public function getTagsAction()
320 { 312 {
313 $this->validateAuthentication();
321 $json = $this->get('serializer')->serialize($this->getUser()->getTags(), 'json'); 314 $json = $this->get('serializer')->serialize($this->getUser()->getTags(), 'json');
322 315
323 return $this->renderJsonResponse($json); 316 return $this->renderJsonResponse($json);
@@ -334,7 +327,8 @@ class WallabagRestController extends Controller
334 */ 327 */
335 public function deleteTagAction(Tag $tag) 328 public function deleteTagAction(Tag $tag)
336 { 329 {
337 $this->validateUserAccess($tag->getUser()->getId(), $this->getUser()->getId()); 330 $this->validateAuthentication();
331 $this->validateUserAccess($tag->getUser()->getId());
338 332
339 $em = $this->getDoctrine()->getManager(); 333 $em = $this->getDoctrine()->getManager();
340 $em->remove($tag); 334 $em->remove($tag);
@@ -350,12 +344,12 @@ class WallabagRestController extends Controller
350 * If not, throw exception. It means a user try to access information from an other user. 344 * If not, throw exception. It means a user try to access information from an other user.
351 * 345 *
352 * @param int $requestUserId User id from the requested source 346 * @param int $requestUserId User id from the requested source
353 * @param int $currentUserId User id from the retrieved source
354 */ 347 */
355 private function validateUserAccess($requestUserId, $currentUserId) 348 private function validateUserAccess($requestUserId)
356 { 349 {
357 if ($requestUserId != $currentUserId) { 350 $user = $this->get('security.context')->getToken()->getUser();
358 throw $this->createAccessDeniedException('Access forbidden. Entry user id: '.$requestUserId.', logged user id: '.$currentUserId); 351 if ($requestUserId != $user->getId()) {
352 throw $this->createAccessDeniedException('Access forbidden. Entry user id: '.$requestUserId.', logged user id: '.$user->getId());
359 } 353 }
360 } 354 }
361 355