groove/Part-DB-server
1
0
Fork 0
mirror of https://github.com/Part-DB/Part-DB-server.git synced 2026-02-13 04:59:36 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions

Fixed voters.

Browse source
This commit is contained in:
Jan Böhmer 2022-11-13 21:01:40 +01:00
parent ae4cb23b18
commit 5829d42968
4 changed files with 142 additions and 36 deletions
Download patch file Download diff file Expand all files Collapse all files

20
src/Security/Voter/ParameterVoter.php
View file

@ -46,17 +46,31 @@ class ParameterVoter extends ExtendedVoter
$target_element = $subject->getElement();
if ($target_element !== null) {
//Depending on the operation delegate either to the attachments element or to the attachment permission
switch ($attribute) {
//We can view the attachment if we can view the element
case 'read':
case 'view':
return $this->security->isGranted('read', $target_element);
$operation = 'read';
break;
//We can edit/create/delete the attachment if we can edit the element
case 'edit':
case 'create':
case 'delete':
return $this->security->isGranted('edit', $target_element);
$operation = 'edit';
break;
case 'show_history':
$operation = 'show_history';
break;
case 'revert_element':
$operation = 'revert_element';
break;
default:
throw new RuntimeException('Unknown operation: '.$attribute);
}
return $this->security->isGranted($operation, $target_element);
}
//If we do not have a concrete element, we delegate to the different categories
@ -93,7 +107,7 @@ class ParameterVoter extends ExtendedVoter
{
if (is_a($subject, AbstractParameter::class, true)) {
//These are the allowed attributes
return in_array($attribute, ['read', 'edit', 'delete', 'create'], true);
return in_array($attribute, ['read', 'edit', 'delete', 'create', 'show_history', 'revert_element'], true);
}
//Allow class name as subject