Fixed the management of allowed and forbidden actions

EasyCorp · Apr 15, 2015 · 40a4591 · 40a4591
1 parent e76dc74
commit 40a4591
Show file tree

Hide file tree

Showing 5 changed files with 59 additions and 29 deletions.
diff --git a/Controller/AdminController.php b/Controller/AdminController.php
@@ -42,6 +42,8 @@ class AdminController extends Controller
     /** @var EntityManager */
     protected $em;
 
+    protected $view;
+
     /**
      * @Route("/", name="admin")
      *
@@ -60,18 +62,13 @@ public function indexAction(Request $request)
         }
 
         $action = $request->query->get('action', 'list');
-        $view = $request->query->get('view', 'list');
-
-        if (true !== $forbiddenActionResponse = $this->isActionAllowed($action, $view)) {
-            return $forbiddenActionResponse;
-        }
 
         // for now, the homepage redirects to the 'list' action and view of the first entity
         if (null === $request->query->get('entity')) {
             return $this->redirect($this->generateUrl('admin', array(
                 'action' => $action,
                 'entity' => $this->getNameOfTheFirstConfiguredEntity(),
-                'view'   => $view,
+                'view'   => $this->view,
             )));
         }
 
@@ -120,19 +117,7 @@ protected function initialize(Request $request)
         $this->em = $this->getDoctrine()->getManagerForClass($this->entity['class']);
 
         $this->request = $request;
-    }
-
-    protected function isActionAllowed($action, $view)
-    {
-        if ($action === $view || array_key_exists($action, $this->entity[$view]['actions'])) {
-            return true;
-        }
-
-        return $this->render404error('@EasyAdmin/error/forbidden_action.html.twig', array(
-            'action' => $action,
-            'view'   => $view,
-            'enabled_actions' => array_keys($this->entity[$view]['actions']),
-        ));
+        $this->view = $this->request->query->get('view', 'list');
     }
 
     /**
@@ -142,6 +127,10 @@ protected function isActionAllowed($action, $view)
      */
     protected function listAction()
     {
+        if (!$this->isActionAllowed('list')) {
+            return $this->renderForbiddenActionError('list');
+        }
+
         $fields = $this->entity['list']['fields'];
         $paginator = $this->findAll($this->entity['class'], $this->request->query->get('page', 1), $this->config['list']['max_results'], $this->request->query->get('sortField'), $this->request->query->get('sortDirection'));
 
@@ -159,6 +148,10 @@ protected function listAction()
      */
     protected function editAction()
     {
+        if (!$this->isActionAllowed('edit')) {
+            return $this->renderForbiddenActionError('edit');
+        }
+
         if ($this->request->isXmlHttpRequest()) {
             return $this->ajaxEdit();
         }
@@ -196,6 +189,10 @@ protected function editAction()
      */
     protected function showAction()
     {
+        if (!$this->isActionAllowed('show')) {
+            return $this->renderForbiddenActionError('show');
+        }
+
         $id = $this->request->query->get('id');
         if (!$item = $this->em->getRepository($this->entity['class'])->find($id)) {
             throw $this->createNotFoundException(sprintf('Unable to find entity (%s #%d).', $this->entity['name'], $id));
@@ -219,6 +216,10 @@ protected function showAction()
      */
     protected function newAction()
     {
+        if (!$this->isActionAllowed('new')) {
+            return $this->renderForbiddenActionError('new');
+        }
+
         $item = $this->instantiateNewEntity();
 
         $fields = $fields = $this->entity['new']['fields'];
@@ -328,7 +329,8 @@ protected function ajaxEdit()
      *
      * @return object
      */
-    protected function instantiateNewEntity() {
+    protected function instantiateNewEntity()
+    {
         $entityFullyQualifiedClassName = $this->entity['class'];
 
         return new $entityFullyQualifiedClassName();
@@ -541,7 +543,38 @@ protected function createDeleteForm($entityName, $entityId)
      */
     protected function render404error($view, array $parameters = array())
     {
-        return $this->render($view, $parameters, new Response('', 404));
+        return $this->render($view, $parameters, new Response('', Response::HTTP_NOT_FOUND));
+    }
+
+    /**
+     * Utility method that checks if the given action is allowed for the current
+     * view of the current entity.
+     *
+     * @param string $action
+     *
+     * @return bool
+     */
+    protected function isActionAllowed($action)
+    {
+        if (array_key_exists($action, $this->entity[$this->view]['actions'])) {
+            return true;
+        }
+    }
+
+    /**
+     * Utility shortcut to render an error when the requested action is not allowed
+     * for the given view of the given entity.
+     *
+     * @param string $action
+     *
+     * @return Response
+     */
+    protected function renderForbiddenActionError($action)
+    {
+        $allowedActions = array_keys($this->entity[$this->view]['actions']);
+        $parameters = array('action' => $action, 'allowed_actions' => $allowedActions, 'view' => $this->view);
+
+        return $this->render('@EasyAdmin/error/forbidden_action.html.twig', $parameters, new Response('', Response::HTTP_FORBIDDEN));
     }
 
     /**

diff --git a/Resources/views/error/forbidden_action.html.twig b/Resources/views/error/forbidden_action.html.twig
@@ -10,7 +10,7 @@
     <ul>
         <li>
             Change this action for one of the following allowed actions:
-            <code>{{ enabled_actions|join('</code>, <code>')|raw }}</code>.
+            <code>{{ allowed_actions|join('</code>, <code>')|raw }}</code>.
         </li>
         <li>
             If the action name is correct, make sure it's included in

diff --git a/Resources/views/layout.html.twig b/Resources/views/layout.html.twig
@@ -48,7 +48,7 @@
                         {% block navigation_items %}
                         {% for item in easyadmin_config('entities') %}
                             <li class="{{ item.name|lower == app.request.get('entity')|lower ? 'active' : '' }}">
-                                <a href="{{ path('admin', { entity: item.name, action: 'list' }) }}">
+                                <a href="{{ path('admin', { entity: item.name, action: 'list', view: 'list' }) }}">
                                     {{- item.label|trans -}}
                                 </a>
                             </li>

diff --git a/Resources/views/list.html.twig b/Resources/views/list.html.twig
@@ -37,7 +37,7 @@
                 {% if easyadmin_action_is_enabled_for_list_view('new', _entity.name) %}
                     {% set _action = easyadmin_get_action_for_list_view('new', _entity.name) %}
                     <div id="content-actions">
-                        <a class="btn {{ _action.class|default('') }}" href="{{ path('admin', { entity: _entity.name, action: _action.name }) }}">
+                        <a class="btn {{ _action.class|default('') }}" href="{{ path('admin', { entity: _entity.name, action: _action.name, view: 'list' }) }}">
                             {% if _action.icon %}<i class="fa fa-{{ _action.icon }}"></i>{% endif %}
                             {{ _action.label|default('action.new')|trans(_trans_parameters) }}
                         </a>
@@ -46,11 +46,8 @@
 
                 {% if easyadmin_action_is_enabled_for_list_view('search', _entity.name) %}
                     {% set _action = easyadmin_get_action_for_list_view('search', _entity.name) %}
-                    <form id="content-search" class="col-xs-6 col-sm-8" method="get" action="{{ path('admin') }}">
+                    <form id="content-search" class="col-xs-6 col-sm-8" method="get" action="{{ path('admin', { view: 'list', action: 'search', entity: _entity.name }) }}">
                         <div class="input-group">
-                            <input type="hidden" name="action" value="search">
-                            <input type="hidden" name="view" value="list">
-                            <input type="hidden" name="entity" value="{{ _entity.name }}">
                             <input class="form-control" id="content-search-query" type="search" name="query" placeholder="{{ _action.label|default('action.search')|trans(_trans_parameters) }}" value="{{ app.request.get('query')|default('') }}">
                         </div>
                     </form>

diff --git a/Resources/views/show.html.twig b/Resources/views/show.html.twig
@@ -45,7 +45,7 @@
                 {% set _show_actions = easyadmin_get_actions_for_show_item(_entity.name) %}
                 {% for _action in _show_actions %}
                     {% if 'method' == _action.type %}
-                        {% set _action_href = path('admin', { action: _action.name, view: 'edit', entity: _entity.name, id: attribute(item, _entity.primary_key_field_name) }) %}
+                        {% set _action_href = path('admin', { action: _action.name, view: 'show', entity: _entity.name, id: attribute(item, _entity.primary_key_field_name) }) %}
                     {% elseif 'route' == _action.type %}
                         {% set _action_href = path(_action.name, { entity: _entity.name, id: attribute(item, _entity.primary_key_field_name) }) %}
                     {% endif %}