Check permissions in API and Fiber
Co-authored-by: Ahmet Bora <[email protected]>
lukasbestle and afbora committed Dec 19, 2024
1 parent fa48d1e commit d38b8c5
Showing 4 changed files with 67 additions and 11 deletions.
10 changes: 5 additions & 5 deletions config/api/routes/languages.php
Expand Up @@ -8,35 +8,35 @@
'pattern' => 'languages',
'method' => 'GET',
'action' => function () {
return $this->kirby()->languages();
return $this->languages();
}
],
[
'pattern' => 'languages',
'method' => 'POST',
'action' => function () {
return $this->kirby()->languages()->create($this->requestBody());
return $this->languages()->create($this->requestBody());
}
],
[
'pattern' => 'languages/(:any)',
'method' => 'GET',
'action' => function (string $code) {
return $this->kirby()->languages()->find($code);
return $this->languages()->find($code);
}
],
[
'pattern' => 'languages/(:any)',
'method' => 'PATCH',
'action' => function (string $code) {
return $this->kirby()->languages()->find($code)?->update($this->requestBody());
return $this->languages()->find($code)?->update($this->requestBody());
}
],
[
'pattern' => 'languages/(:any)',
'method' => 'DELETE',
'action' => function (string $code) {
return $this->kirby()->languages()->find($code)?->delete();
return $this->languages()->find($code)?->delete();
}
]
];
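Review bot: `$this->languages()` is now a filtered copy of the app's languages collection, so the POST route's `create()` call runs on that copy rather than on the app's own collection; worth confirming that `Languages::create()` does not depend on the receiving instance (for example registering the new language on it), because the receiver has changed. For the `languages/(:any)` routes, a language the current user may not access now comes back as `null` from `find()` and is therefore indistinguishable from a language that does not exist, which is the right outcome for not disclosing what exists. That intent is not visible in the file itself; a one-line comment above the routes such as `// all routes operate only on the languages the current user is allowed to access (see Api::languages())` would record it. The enclosing `return [` array starts before the hunk.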
20 changes: 17 additions & 3 deletions src/Cms/Api.php
Expand Up @@ -138,6 +138,14 @@ public function language(): string|null
$this->requestHeaders('x-language');
}

/**
* Returns the languages collection
*/
public function languages(): Languages
{
return $this->kirby()->languages()->filter('isAccessible', true);
}

/**
* Returns the page object for the given id
*
Expand Down Expand Up @@ -225,9 +233,15 @@ public function session(array $options = []): Session
/**
* Returns the site object
*/
public function site(): Site
public function site(): Site|null
{
return $this->kirby->site();
$site = $this->kirby->site();

if ($site->isAccessible() === true) {
return $site;
}

return null;
}

/**
Expand Down Expand Up @@ -255,6 +269,6 @@ public function user(string|null $id = null): User|null
*/
public function users(): Users
{
return $this->kirby->users();
return $this->kirby->users()->filter('isAccessible', true);
}
}
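Review bot: Widening `site()` to `Site|null` in the second hunk turns every existing `$this->site()->...` chain in the API routes into a possible null dereference; either those callers must switch to `?->`, or `site()` should report the inaccessible site the same way the `Find` helpers do (an exception), and the docblock should state the contract, e.g. `Returns the site object, or null if the current user is not allowed to access it`. The new `languages()` docblock (`Returns the languages collection`) and the `users()` docblock, whose start lies outside the third hunk, should likewise say that the result is reduced to accessible entries, since `filter('isAccessible', true)` is an authorization decision that callers must not bypass by going to `$this->kirby` directly. The ApiTest in this commit expects `api()->users()` to throw an `AuthException` when `debug` is enabled, which suggests `isAccessible()` itself raises in that mode; if so, `@throws AuthException` belongs on `users()` and `languages()`. Minor consistency point: `languages()` goes through `$this->kirby()` while `site()` and `users()` read `$this->kirby` directly.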
18 changes: 15 additions & 3 deletions src/Cms/Find.php
Expand Up @@ -52,7 +52,9 @@ public static function file(
*/
public static function language(string $code): Language|null
{
if ($language = App::instance()->language($code)) {
$language = App::instance()->language($code);

if ($language?->isAccessible() === true) {
return $language;
}

Expand Down Expand Up @@ -158,13 +160,23 @@ public static function user(string|null $id = null): User|null
$kirby->option('api.allowImpersonation', false)
);

return $user ?? throw new NotFoundException(
if ($user?->isAccessible() === true) {
return $user;
}

throw new NotFoundException(
key: 'user.undefined'
);
}

// get a specific user by id
return $kirby->user($id) ?? throw new NotFoundException(
$user = $kirby->user($id);

if ($user?->isAccessible() === true) {
return $user;
}

throw new NotFoundException(
key: 'user.notFound',
data: ['name' => $id]
);
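Review bot: Mapping an inaccessible record to the same `NotFoundException` as a missing one, in both hunks, is the right choice because the response no longer reveals whether the record exists, but that decision is not documented: the docblocks of `language()` and `user()`, which begin before their hunks, should carry `@throws NotFoundException if the record does not exist or the current user is not allowed to access it`. Both branches of `user()` now repeat the same `isAccessible() === true` check followed by a throw, and `language()` does the same; a small private helper taking the candidate object and the exception key would keep the three sites in step as further `Find` methods gain the check. Note that `language()` still resolves the app via `App::instance()` while `user()` uses the local `$kirby`. Both functions continue past the hunks, so the final throw of `language()` is not visible here.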
30 changes: 30 additions & 0 deletions tests/Cms/Api/ApiTest.php
Expand Up @@ -436,6 +436,36 @@ public function testUsers()
$this->assertSame($this->app->users(), $this->api->users());

}

public function testUsersWithoutPermissions()
{
$app = $this->app->clone([
'users' => [
['email' => '[email protected]']
]
]);
$app->impersonate('[email protected]');

$this->assertNotSame($app->users(), $app->api()->users());
}

public function testUsersWithoutPermissionsDebugEnabled()
{
$app = $this->app->clone([
'options' => [
'debug' => true
],
'users' => [
['email' => '[email protected]']
]
]);
$app->impersonate('[email protected]');

$this->expectException(AuthException::class);
$this->expectExceptionMessage('You are not allowed to access the users');

$app->api()->users();
}

public function testFileGetRoute()
{
// regular
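Review bot: The existing assertion at the top of the hunk, `$this->assertSame($this->app->users(), $this->api->users());`, compares object identity, but `Api::users()` now returns the result of `->filter('isAccessible', true)`, a separate collection instance, so `testUsers` no longer passes as written; compare contents instead, e.g. `$this->assertEquals($this->app->users(), $this->api->users());`. The new `testUsersWithoutPermissions` only asserts `assertNotSame`, which proves that a copy was made but not that the inaccessible user was actually removed; an `assertCount` on `$app->api()->users()`, or a check that the impersonated user's id is absent from it, would pin the permission behaviour the commit is meant to add. `testUsers` starts before the hunk.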