From 23406ca3f12303759ecb46974d6bcb22fb0e037b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Nicolas=20L=C5=93uillet?= Date: Mon, 24 Oct 2016 21:56:28 +0200 Subject: Added relation between API Client and User Fix #2062 --- app/DoctrineMigrations/Version20161024212538.php | 47 ++++++++++++++++++++++ .../ApiBundle/Controller/DeveloperController.php | 8 +++- src/Wallabag/ApiBundle/Entity/Client.php | 17 +++++++- src/Wallabag/UserBundle/Entity/User.php | 26 ++++++++++++ 4 files changed, 95 insertions(+), 3 deletions(-) create mode 100644 app/DoctrineMigrations/Version20161024212538.php diff --git a/app/DoctrineMigrations/Version20161024212538.php b/app/DoctrineMigrations/Version20161024212538.php new file mode 100644 index 00000000..75973b33 --- /dev/null +++ b/app/DoctrineMigrations/Version20161024212538.php @@ -0,0 +1,47 @@ +container = $container; + } + + private function getTable($tableName) + { + return $this->container->getParameter('database_table_prefix') . $tableName; + } + + /** + * @param Schema $schema + */ + public function up(Schema $schema) + { + $this->skipIf($this->connection->getDatabasePlatform()->getName() == 'sqlite', 'Migration can only be executed safely on \'mysql\' or \'postgresql\'.'); + + $this->addSql('ALTER TABLE '.$this->getTable('oauth2_clients').' ADD CONSTRAINT FK_clients_user_clients FOREIGN KEY (user_id) REFERENCES '.$this->getTable('user').' (id) ON DELETE CASCADE'); + } + + /** + * @param Schema $schema + */ + public function down(Schema $schema) + { + + } +} diff --git a/src/Wallabag/ApiBundle/Controller/DeveloperController.php b/src/Wallabag/ApiBundle/Controller/DeveloperController.php index 5a36a260..550c0608 100644 --- a/src/Wallabag/ApiBundle/Controller/DeveloperController.php +++ b/src/Wallabag/ApiBundle/Controller/DeveloperController.php 
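Review bot: `down()` in the new migration is empty, so the FK_clients_user_clients constraint that `up()` adds cannot be rolled back with `doctrine:migrations:migrate prev`; it should at least drop the constraint, e.g. `$this->addSql('ALTER TABLE '.$this->getTable('oauth2_clients').' DROP FOREIGN KEY FK_clients_user_clients');` on MySQL (PostgreSQL needs the `DROP CONSTRAINT` form, so branch on the platform the way `skipIf` already does). `up()` also adds a foreign key on a `user_id` column that this hunk never creates, so as written the migration fails on a fresh database — a later commit in this series adds the column. The head of this file (the `<?php` line through the class declaration and the `setContainer` signature) is garbled in this rendering and cannot be reviewed here.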
@@ -19,7 +19,7 @@ class DeveloperController extends Controller */ public function indexAction() { - $clients = $this->getDoctrine()->getRepository('WallabagApiBundle:Client')->findAll(); + $clients = $this->getDoctrine()->getRepository('WallabagApiBundle:Client')->findByUser($this->getUser()->getId()); return $this->render('@WallabagCore/themes/common/Developer/index.html.twig', [ 'clients' => $clients, @@ -38,7 +38,7 @@ class DeveloperController extends Controller public function createClientAction(Request $request) { $em = $this->getDoctrine()->getManager(); - $client = new Client(); + $client = new Client($this->getUser()); $clientForm = $this->createForm(ClientType::class, $client); $clientForm->handleRequest($request); @@ -75,6 +75,10 @@ class DeveloperController extends Controller */ public function deleteClientAction(Client $client) { + if (null === $this->getUser() || $client->getUser()->getId() != $this->getUser()->getId()) { + throw $this->createAccessDeniedException('You can not access this client.'); + } + $em = $this->getDoctrine()->getManager(); $em->remove($client); $em->flush(); diff --git a/src/Wallabag/ApiBundle/Entity/Client.php b/src/Wallabag/ApiBundle/Entity/Client.php index f7898ac8..427a4c7f 100644 --- a/src/Wallabag/ApiBundle/Entity/Client.php +++ b/src/Wallabag/ApiBundle/Entity/Client.php @@ -4,6 +4,7 @@ namespace Wallabag\ApiBundle\Entity; use Doctrine\ORM\Mapping as ORM; use FOS\OAuthServerBundle\Entity\Client as BaseClient; +use Wallabag\UserBundle\Entity\User; /** * @ORM\Table("oauth2_clients") @@ -35,9 +36,15 @@ class Client extends BaseClient */ protected $accessTokens; - public function __construct() + /** + * @ORM\ManyToOne(targetEntity="Wallabag\UserBundle\Entity\User", inversedBy="clients") + */ + private $user; + + public function __construct(User $user) { parent::__construct(); + $this->user = $user; } /** 
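Review bot: The new ownership check in `deleteClientAction` dereferences `$client->getUser()` without a null check, so any client whose `user_id` is NULL — every row that existed before this migration, since nothing backfills the column — makes the request fail with a fatal error instead of a 403. Guard the owner side too and use strict comparison: `if (null === $this->getUser() || null === $client->getUser() || $client->getUser()->getId() !== $this->getUser()->getId()) {`. Note also that this action is reached by a plain link (the test in this series requests `/developer/client/delete/<id>` with GET) and carries no CSRF token, so a third-party page can make a logged-in user's browser revoke one of their own clients; that predates this commit, but the new check does not change it.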
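Review bot: `Client::__construct` now requires a `User`, but the `@ORM\ManyToOne` mapping declares no `@ORM\JoinColumn(..., nullable=false)`, so the database column (added as `DEFAULT NULL` by the migration later in this series) still admits ownerless clients while the PHP side assumes every client has one. Either add `@ORM\JoinColumn(name="user_id", referencedColumnName="id", nullable=false)` so new rows cannot be inserted without an owner, or keep the column nullable and make `getUser()` honest about returning null. Any code path that instantiates `Client` with no arguments — as far as I recall FOSOAuthServerBundle's client manager does `new $class()` — will now throw a TypeError; worth checking before merge. The class continues outside the hunk.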
@@ -63,4 +70,12 @@ class Client extends BaseClient return $this; } + + /** + * @return User + */ + public function getUser() + { + return $this->user; + } } diff --git a/src/Wallabag/UserBundle/Entity/User.php b/src/Wallabag/UserBundle/Entity/User.php index d98ae76a..3a167de7 100644 --- a/src/Wallabag/UserBundle/Entity/User.php +++ b/src/Wallabag/UserBundle/Entity/User.php @@ -11,6 +11,7 @@ use JMS\Serializer\Annotation\ExclusionPolicy; use JMS\Serializer\Annotation\Expose; use Symfony\Bridge\Doctrine\Validator\Constraints\UniqueEntity; use Symfony\Component\Security\Core\User\UserInterface; +use Wallabag\ApiBundle\Entity\Client; use Wallabag\CoreBundle\Entity\Config; use Wallabag\CoreBundle\Entity\Entry; @@ -84,6 +85,11 @@ class User extends BaseUser implements TwoFactorInterface, TrustedComputerInterf */ private $trusted; + /** + * @ORM\OneToMany(targetEntity="Wallabag\ApiBundle\Entity\Client", mappedBy="user", cascade={"remove"}) + */ + protected $clients; + public function __construct() { parent::__construct(); @@ -240,4 +246,24 @@ class User extends BaseUser implements TwoFactorInterface, TrustedComputerInterf return false; } + + /** + * @param Client $client + * + * @return User + */ + public function addClient(Client $client) + { + $this->clients[] = $client; + + return $this; + } + + /** + * @return ArrayCollection + */ + public function getClients() + { + return $this->clients; + } } -- cgit v1.2.3 From f24ea59ea4e854d8a699f51a7347af9d4a222de8 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Nicolas=20L=C5=93uillet?= Date: Fri, 28 Oct 2016 10:55:39 +0200 Subject: Fixed migration and added tests --- app/DoctrineMigrations/Version20161024212538.php | 1 + .../Controller/AnnotationControllerTest.php | 2 +- .../ApiBundle/Controller/DeveloperControllerTest.php | 19 ++++++++++++++++--- 3 files changed, 18 insertions(+), 4 deletions(-) 
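Review bot: `getUser()` is documented as `@return User`, but the relation is not mapped `nullable=false` and the migration in this series adds `user_id` as `DEFAULT NULL`, so for pre-existing clients this returns null; the docblock should read `@return User|null` so callers (the delete action in this commit among them) know to check. The enclosing class starts outside the hunk.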
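Review bot: `addClient()` only appends to the inverse side of the relation; `Client::$user` is the owning side and `Client` exposes no setter, so a client added through this method without having been constructed with this user is not linked in the database — Doctrine ignores inverse-side changes on flush. Either drop the method (the `Client` constructor already establishes the link) or make it set the owning side, which requires a `setUser()` on `Client`. `getClients()` is documented as returning `ArrayCollection`, but `$this->clients[] = $client` on an uninitialised property yields a plain array; the constructor hunk only shows `parent::__construct()`, so confirm `$this->clients = new ArrayCollection()` is added there, otherwise a comment `// NOTE(review): $clients is never initialised — getClients() may return null or array` belongs on the property.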
diff --git a/app/DoctrineMigrations/Version20161024212538.php b/app/DoctrineMigrations/Version20161024212538.php index 75973b33..b9dc500c 100644 --- a/app/DoctrineMigrations/Version20161024212538.php +++ b/app/DoctrineMigrations/Version20161024212538.php @@ -34,6 +34,7 @@ class Version20161024212538 extends AbstractMigration implements ContainerAwareI { $this->skipIf($this->connection->getDatabasePlatform()->getName() == 'sqlite', 'Migration can only be executed safely on \'mysql\' or \'postgresql\'.'); + $this->addSql('ALTER TABLE '.$this->getTable('oauth2_clients').' ADD `user_id` INT(11) DEFAULT NULL'); $this->addSql('ALTER TABLE '.$this->getTable('oauth2_clients').' ADD CONSTRAINT FK_clients_user_clients FOREIGN KEY (user_id) REFERENCES '.$this->getTable('user').' (id) ON DELETE CASCADE'); } diff --git a/tests/Wallabag/AnnotationBundle/Controller/AnnotationControllerTest.php b/tests/Wallabag/AnnotationBundle/Controller/AnnotationControllerTest.php index cee0b847..81f9e9ec 100644 --- a/tests/Wallabag/AnnotationBundle/Controller/AnnotationControllerTest.php +++ b/tests/Wallabag/AnnotationBundle/Controller/AnnotationControllerTest.php @@ -11,7 +11,7 @@ class AnnotationControllerTest extends WallabagAnnotationTestCase /** * This data provider allow to tests annotation from the : * - API POV (when user use the api to manage annotations) - * - and User POV (when user use the web interface - using javascript - to manage annotations) + * - and User POV (when user use the web interface - using javascript - to manage annotations). */ public function dataForEachAnnotations() { diff --git a/tests/Wallabag/ApiBundle/Controller/DeveloperControllerTest.php b/tests/Wallabag/ApiBundle/Controller/DeveloperControllerTest.php index 95befa9c..6659443b 100644 --- a/tests/Wallabag/ApiBundle/Controller/DeveloperControllerTest.php +++ b/tests/Wallabag/ApiBundle/Controller/DeveloperControllerTest.php 
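Review bot: The added `user_id` column defaults to NULL and nothing in this migration backfills it, so every OAuth client created before the upgrade becomes ownerless: it no longer appears in `/developer` for any user (the index now filters with `findByUser`), yet as far as this diff shows its client_id/secret and any issued tokens keep working and no user can revoke it from the UI. Either assign legacy rows to an owner (if that is recoverable, e.g. from the user on their access/refresh tokens) or document the orphaning and give an administrator a way to delete them. Separately, the backquotes around `` `user_id` `` are MySQL-only and fail on PostgreSQL, which the `skipIf` message claims to support; the next commit in this series removes them.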
@@ -82,11 +82,24 @@ class DeveloperControllerTest extends WallabagCoreTestCase public function testRemoveClient() { - $this->logInAs('admin'); $client = $this->getClient(); $em = $client->getContainer()->get('doctrine.orm.entity_manager'); - $nbClients = $em->getRepository('WallabagApiBundle:Client')->findAll(); + // Try to remove an admin's client with a wrong user + $this->logInAs('bob'); + $client->request('GET', '/developer'); + $this->assertContains('no_client', $client->getResponse()->getContent()); + + // get an ID of a admin's client + $this->logInAs('admin'); + $nbClients = $em->getRepository('WallabagApiBundle:Client')->findByUser($this->getLoggedInUserId()); + + $this->logInAs('bob'); + $client->request('GET', '/developer/client/delete/'.$nbClients[0]->getId()); + $this->assertEquals(403, $client->getResponse()->getStatusCode()); + + // Try to remove the admin's client with the good user + $this->logInAs('admin'); $crawler = $client->request('GET', '/developer'); $link = $crawler @@ -98,7 +111,7 @@ class DeveloperControllerTest extends WallabagCoreTestCase $client->click($link); $this->assertEquals(302, $client->getResponse()->getStatusCode()); - $newNbClients = $em->getRepository('WallabagApiBundle:Client')->findAll(); + $newNbClients = $em->getRepository('WallabagApiBundle:Client')->findByUser($this->getLoggedInUserId()); $this->assertGreaterThan(count($newNbClients), count($nbClients)); } } -- cgit v1.2.3 From f08ec5f88a78bfe2edf2c2148094f3f099e8389c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Nicolas=20L=C5=93uillet?= Date: Fri, 28 Oct 2016 11:11:32 +0200 Subject: Remove backquote in query --- app/DoctrineMigrations/Version20161024212538.php | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/app/DoctrineMigrations/Version20161024212538.php b/app/DoctrineMigrations/Version20161024212538.php index b9dc500c..f8e927e4 100644 --- a/app/DoctrineMigrations/Version20161024212538.php +++ b/app/DoctrineMigrations/Version20161024212538.php 
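Review bot: The test indexes `$nbClients[0]` without first asserting that the fixture gives admin at least one client, so a fixture change turns this into an undefined-offset notice rather than a clear failure; add `$this->assertNotEmpty($nbClients);` before switching to bob. The test also exercises a destructive action through `GET /developer/client/delete/<id>` with no CSRF token, which documents that the delete route is reachable by a plain link from any page. No case covers a client whose `user_id` is NULL (legacy rows after this migration), which is exactly where the controller's new ownership check dereferences null.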
@@ -7,9 +7,6 @@ use Doctrine\DBAL\Schema\Schema; use Symfony\Component\DependencyInjection\ContainerAwareInterface; use Symfony\Component\DependencyInjection\ContainerInterface; -/** - * Auto-generated Migration: Please modify to your needs! - */ class Version20161024212538 extends AbstractMigration implements ContainerAwareInterface { /** @@ -34,7 +31,7 @@ class Version20161024212538 extends AbstractMigration implements ContainerAwareI { $this->skipIf($this->connection->getDatabasePlatform()->getName() == 'sqlite', 'Migration can only be executed safely on \'mysql\' or \'postgresql\'.'); - $this->addSql('ALTER TABLE '.$this->getTable('oauth2_clients').' ADD `user_id` INT(11) DEFAULT NULL'); + $this->addSql('ALTER TABLE '.$this->getTable('oauth2_clients').' ADD user_id INT(11) DEFAULT NULL'); $this->addSql('ALTER TABLE '.$this->getTable('oauth2_clients').' ADD CONSTRAINT FK_clients_user_clients FOREIGN KEY (user_id) REFERENCES '.$this->getTable('user').' (id) ON DELETE CASCADE'); } -- cgit v1.2.3
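Review bot: `ADD user_id INT(11) DEFAULT NULL` still does not run on PostgreSQL, which the `skipIf` message promises to support: PostgreSQL rejects a display width on `INT`, so after the backquote fix this statement fails there with a syntax error. Use a width-less type, `$this->addSql('ALTER TABLE '.$this->getTable('oauth2_clients').' ADD user_id INTEGER DEFAULT NULL');`, or branch on `$this->connection->getDatabasePlatform()->getName()` as the `skipIf` line already does. The `skipIf` also means SQLite installs never receive the column even though the ORM mapping in this series now expects it; presumably those installs must run `doctrine:schema:update`, which deserves a line in the upgrade notes. `down()` remains empty in this version.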