fix return status in a few cases and add integration tests against content modification through Applications #1421

Merged
merged 8 commits into from
Oct 16, 2024
27 changes: 24 additions & 3 deletions lib/Service/RowService.php
Expand Up @@ -344,6 +344,7 @@ private function getRowById(int $rowId): Row2 {
*
* @throws InternalError
* @throws NotFoundError
* @throws PermissionError
* @noinspection DuplicatedCode
*/
public function updateSet(
Expand All @@ -364,10 +365,15 @@ public function updateSet(

if ($viewId) {
// security
if (!$this->permissionsService->canReadRowsByElementId($viewId, 'view', $userId)) {
$e = new \Exception('Row not found.');
$this->logger->error($e->getMessage(), ['exception' => $e]);
throw new NotFoundError(get_class($this) . ' - ' . __FUNCTION__ . ': '.$e->getMessage());
}
if (!$this->permissionsService->canUpdateRowsByViewId($viewId)) {
$e = new \Exception('Update row is not allowed.');
$this->logger->error($e->getMessage(), ['exception' => $e]);
throw new InternalError(get_class($this) . ' - ' . __FUNCTION__ . ': '.$e->getMessage());
throw new PermissionError(get_class($this) . ' - ' . __FUNCTION__ . ': '.$e->getMessage());
}

try {
Expand Down Expand Up @@ -399,10 +405,15 @@ public function updateSet(
$tableId = $item->getTableId();

// security
if (!$this->permissionsService->canReadRowsByElementId($item->getTableId(), 'table', $userId)) {
$e = new \Exception('Row not found.');
$this->logger->error($e->getMessage(), ['exception' => $e]);
throw new NotFoundError(get_class($this) . ' - ' . __FUNCTION__ . ': '.$e->getMessage());
}
if (!$this->permissionsService->canUpdateRowsByTableId($tableId)) {
$e = new \Exception('Update row is not allowed.');
$this->logger->error($e->getMessage(), ['exception' => $e]);
throw new InternalError(get_class($this) . ' - ' . __FUNCTION__ . ': '.$e->getMessage());
throw new PermissionError(get_class($this) . ' - ' . __FUNCTION__ . ': '.$e->getMessage());
}
try {
$columns = $this->columnMapper->findAllByTable($tableId);
Expand Down Expand Up @@ -456,10 +467,15 @@ public function delete(int $id, ?int $viewId, string $userId): Row2 {

if ($viewId) {
// security
if (!$this->permissionsService->canReadRowsByElementId($viewId, 'view', $userId)) {
$e = new \Exception('Row not found.');
$this->logger->error($e->getMessage(), ['exception' => $e]);
throw new NotFoundError(get_class($this) . ' - ' . __FUNCTION__ . ': '.$e->getMessage());
}
if (!$this->permissionsService->canDeleteRowsByViewId($viewId)) {
$e = new \Exception('Update row is not allowed.');
$this->logger->error($e->getMessage(), ['exception' => $e]);
throw new InternalError(get_class($this) . ' - ' . __FUNCTION__ . ': '.$e->getMessage());
throw new PermissionError(get_class($this) . ' - ' . __FUNCTION__ . ': '.$e->getMessage());
}
try {
$view = $this->viewMapper->find($viewId);
Expand All @@ -474,6 +490,11 @@ public function delete(int $id, ?int $viewId, string $userId): Row2 {
}
} else {
// security
if (!$this->permissionsService->canReadRowsByElementId($item->getTableId(), 'table', $userId)) {
$e = new \Exception('Row not found.');
$this->logger->error($e->getMessage(), ['exception' => $e]);
throw new NotFoundError(get_class($this) . ' - ' . __FUNCTION__ . ': '.$e->getMessage());
}
if (!$this->permissionsService->canDeleteRowsByTableId($item->getTableId())) {
$e = new \Exception('Update row is not allowed.');
$this->logger->error($e->getMessage(), ['exception' => $e]);
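Review bot: The new read checks pass `$userId` explicitly, but the write checks that follow them (`canUpdateRowsByViewId($viewId)`, `canUpdateRowsByTableId($tableId)`, `canDeleteRowsByViewId($viewId)`, `canDeleteRowsByTableId($item->getTableId())`) are still called without it, so in each branch the two authorization decisions may be made for different principals if the permissions service falls back to a session user when none is given; its signature is not visible here. Since the PR concerns modification through Applications, where the caller-supplied `$userId` is presumably the identity that matters, I would pass it to both checks, e.g. `canUpdateRowsByViewId($viewId, $userId)`, provided the methods accept it. Separately, the last hunk ends before the `throw` of the delete-by-table branch and the section counts only three deletions, so that branch was not switched in this commit; it is worth confirming it already throws `PermissionError` rather than `InternalError`. Both delete branches also still log 'Update row is not allowed.' for a denied delete, which will mislead anyone reading the log after an incident; `'Delete row is not allowed.'` would match the action.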