From 772732531ea1d0f9831cc5f29e11b6b11fd088f3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Nicolas=20L=C5=93uillet?= Date: Tue, 29 Sep 2015 14:57:46 +0200 Subject: check authentication on each API route --- .../ApiBundle/Controller/WallabagRestController.php | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) diff --git a/src/Wallabag/ApiBundle/Controller/WallabagRestController.php b/src/Wallabag/ApiBundle/Controller/WallabagRestController.php index 284dbb25..1fee56ad 100644 --- a/src/Wallabag/ApiBundle/Controller/WallabagRestController.php +++ b/src/Wallabag/ApiBundle/Controller/WallabagRestController.php @@ -38,6 +38,13 @@ class WallabagRestController extends FOSRestController } } + private function validateAuthentication() + { + if (false === $this->get('security.context')->isGranted('IS_AUTHENTICATED_FULLY')) { + throw new AccessDeniedException(); + } + } + /** * Retrieve all entries. It could be filtered by many options. * @@ -57,6 +64,8 @@ class WallabagRestController extends FOSRestController */ public function getEntriesAction(Request $request) { + $this->validateAuthentication(); + $isArchived = $request->query->get('archive'); $isStarred = $request->query->get('star'); $sort = $request->query->get('sort', 'created'); @@ -97,6 +106,7 @@ class WallabagRestController extends FOSRestController */ public function getEntryAction(Entry $entry) { + $this->validateAuthentication(); $this->validateUserAccess($entry->getUser()->getId()); $json = $this->get('serializer')->serialize($entry, 'json'); @@ -119,6 +129,8 @@ class WallabagRestController extends FOSRestController */ public function postEntriesAction(Request $request) { + $this->validateAuthentication(); + $url = $request->request->get('url'); $entry = $this->get('wallabag_core.content_proxy')->updateEntry( @@ -159,6 +171,7 @@ class WallabagRestController extends FOSRestController */ public function patchEntriesAction(Entry $entry, Request $request) { + $this->validateAuthentication(); $this->validateUserAccess($entry->getUser()->getId()); $title = $request->request->get('title'); @@ -203,6 +216,7 @@ class WallabagRestController extends FOSRestController */ public function deleteEntriesAction(Entry $entry) { + $this->validateAuthentication(); $this->validateUserAccess($entry->getUser()->getId()); $em = $this->getDoctrine()->getManager(); @@ -225,6 +239,7 @@ class WallabagRestController extends FOSRestController */ public function getEntriesTagsAction(Entry $entry) { + $this->validateAuthentication(); $this->validateUserAccess($entry->getUser()->getId()); $json = $this->get('serializer')->serialize($entry->getTags(), 'json'); @@ -246,6 +261,7 @@ class WallabagRestController extends FOSRestController */ public function postEntriesTagsAction(Request $request, Entry $entry) { + $this->validateAuthentication(); $this->validateUserAccess($entry->getUser()->getId()); $tags = $request->request->get('tags', ''); @@ -274,6 +290,7 @@ class WallabagRestController extends FOSRestController */ public function deleteEntriesTagsAction(Entry $entry, Tag $tag) { + $this->validateAuthentication(); $this->validateUserAccess($entry->getUser()->getId()); $entry->removeTag($tag); @@ -293,6 +310,7 @@ class WallabagRestController extends FOSRestController */ public function getTagsAction() { + $this->validateAuthentication(); $json = $this->get('serializer')->serialize($this->getUser()->getTags(), 'json'); return $this->renderJsonResponse($json); @@ -309,6 +327,7 @@ class WallabagRestController extends FOSRestController */ public function deleteTagAction(Tag $tag) { + $this->validateAuthentication(); $this->validateUserAccess($tag->getUser()->getId()); $em = $this->getDoctrine()->getManager(); -- cgit v1.2.3