
fix(Rows): return correct status code when row update/delete lacks ac…
…cess

Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>
blizzz committed Oct 15, 2024
1 parent b15395b commit 8ecd70d
Showing 1 changed file with 20 additions and 0 deletions.
20 changes: 20 additions & 0 deletions lib/Service/RowService.php
Expand Up @@ -365,6 +365,11 @@ public function updateSet(

if ($viewId) {
// security
if (!$this->permissionsService->canReadRowsByElementId($viewId, 'view', $userId)) {
$e = new \Exception('Row not found.');
$this->logger->error($e->getMessage(), ['exception' => $e]);
throw new NotFoundError(get_class($this) . ' - ' . __FUNCTION__ . ': '.$e->getMessage());
}
if (!$this->permissionsService->canUpdateRowsByViewId($viewId)) {
$e = new \Exception('Update row is not allowed.');
$this->logger->error($e->getMessage(), ['exception' => $e]);
Expand Down Expand Up @@ -400,6 +405,11 @@ public function updateSet(
$tableId = $item->getTableId();

// security
if (!$this->permissionsService->canReadRowsByElementId($item->getTableId(), 'table', $userId)) {
$e = new \Exception('Row not found.');
$this->logger->error($e->getMessage(), ['exception' => $e]);
throw new NotFoundError(get_class($this) . ' - ' . __FUNCTION__ . ': '.$e->getMessage());
}
if (!$this->permissionsService->canUpdateRowsByTableId($tableId)) {
$e = new \Exception('Update row is not allowed.');
$this->logger->error($e->getMessage(), ['exception' => $e]);
Expand Down Expand Up @@ -457,6 +467,11 @@ public function delete(int $id, ?int $viewId, string $userId): Row2 {

if ($viewId) {
// security
if (!$this->permissionsService->canReadRowsByElementId($viewId, 'view', $userId)) {
$e = new \Exception('Row not found.');
$this->logger->error($e->getMessage(), ['exception' => $e]);
throw new NotFoundError(get_class($this) . ' - ' . __FUNCTION__ . ': '.$e->getMessage());
}
if (!$this->permissionsService->canDeleteRowsByViewId($viewId)) {
$e = new \Exception('Update row is not allowed.');
$this->logger->error($e->getMessage(), ['exception' => $e]);
Expand All @@ -475,6 +490,11 @@ public function delete(int $id, ?int $viewId, string $userId): Row2 {
}
} else {
// security
if (!$this->permissionsService->canReadRowsByElementId($item->getTableId(), 'table', $userId)) {
$e = new \Exception('Row not found.');
$this->logger->error($e->getMessage(), ['exception' => $e]);
throw new NotFoundError(get_class($this) . ' - ' . __FUNCTION__ . ': '.$e->getMessage());
}
if (!$this->permissionsService->canDeleteRowsByTableId($item->getTableId())) {
$e = new \Exception('Update row is not allowed.');
$this->logger->error($e->getMessage(), ['exception' => $e]);
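Review bot: The read-permission guard is pasted verbatim four times (the `if (!$this->permissionsService->canReadRowsByElementId(...))` block opening each hunk, in both updateSet and delete), and in the second hunk the new check calls `$item->getTableId()` one line after `$tableId` was assigned from exactly that call, while the following update check uses `$tableId`. A small private helper that performs the check and throws would keep the four sites identical and give the "no read access reads as not found" behaviour a single documented home; note that `__FUNCTION__` inside such a helper names the helper rather than the calling method, so the caller name would have to be passed in or dropped from the message. The `error`-level log for an expected authorization miss follows the existing pattern in these methods, but if such denials are routine a lower level would be less noisy for alerting. Both enclosing methods start and end outside the hunks.
```php
    /**
     * Throws NotFoundError when $userId may not read rows of the given element, so a
     * caller without read access cannot distinguish "forbidden" from "does not exist".
     *
     * @param string $elementType 'view' or 'table', as accepted by canReadRowsByElementId
     * @param string $caller name of the calling method, used only in the error message
     * @throws NotFoundError
     */
    private function ensureRowsReadable(int $elementId, string $elementType, string $userId, string $caller): void {
        if ($this->permissionsService->canReadRowsByElementId($elementId, $elementType, $userId)) {
            return;
        }
        $e = new \Exception('Row not found.');
        $this->logger->error($e->getMessage(), ['exception' => $e]);
        throw new NotFoundError(get_class($this) . ' - ' . $caller . ': ' . $e->getMessage());
    }

    // … unchanged: updateSet() up to the view branch …
        if ($viewId) {
            // security
            $this->ensureRowsReadable($viewId, 'view', $userId, __FUNCTION__);
            // … unchanged: canUpdateRowsByViewId check …
        } else {
            $tableId = $item->getTableId();
            // security
            $this->ensureRowsReadable($tableId, 'table', $userId, __FUNCTION__);
            // … unchanged: canUpdateRowsByTableId check …
        }
    // … unchanged: remainder of updateSet(), delete() uses the same two calls …
```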
