bug #228 Fixed the management of allowed and forbidden actions (javie…

…reguiluz) This PR was merged into the master branch. Discussion ---------- Fixed the management of allowed and forbidden actions This fixes #221. In short, to determine if an action is allowed you must have into account two things: where you are (the view) and what do you want to do (the action). We didn't detect where we are correctly and therefore, some actions were wrongly forbidden. This pull request hopefully fixes all these problems. Commits ------- 40a4591 Fixed the management of allowed and forbidden actions
EasyCorp · Apr 16, 2015 · dfb990e · dfb990e
2 parents c76aaab + 40a4591
commit dfb990e
Show file tree

Hide file tree

Showing 5 changed files with 59 additions and 29 deletions.
diff --git a/Controller/AdminController.php b/Controller/AdminController.php
@@ -42,6 +42,8 @@ class AdminController extends Controller
     /** @var EntityManager */
     protected $em;
 
+    protected $view;
+
     /**
      * @Route("/", name="admin")
      *
@@ -60,18 +62,13 @@ public function indexAction(Request $request)
         }
 
         $action = $request->query->get('action', 'list');
-        $view = $request->query->get('view', 'list');
-
-        if (true !== $forbiddenActionResponse = $this->isActionAllowed($action, $view)) {
-            return $forbiddenActionResponse;
-        }
 
         // for now, the homepage redirects to the 'list' action and view of the first entity
         if (null === $request->query->get('entity')) {
             return $this->redirect($this->generateUrl('admin', array(
                 'action' => $action,
                 'entity' => $this->getNameOfTheFirstConfiguredEntity(),
-                'view'   => $view,
+                'view'   => $this->view,
             )));
         }
 
@@ -120,19 +117,7 @@ protected function initialize(Request $request)
         $this->em = $this->getDoctrine()->getManagerForClass($this->entity['class']);
 
         $this->request = $request;
-    }
-
-    protected function isActionAllowed($action, $view)
-    {
-        if ($action === $view || array_key_exists($action, $this->entity[$view]['actions'])) {
-            return true;
-        }
-
-        return $this->render404error('@EasyAdmin/error/forbidden_action.html.twig', array(
-            'action' => $action,
-            'view'   => $view,
-            'enabled_actions' => array_keys($this->entity[$view]['actions']),
-        ));
+        $this->view = $this->request->query->get('view', 'list');
     }
 
     /**
@@ -142,6 +127,10 @@ protected function isActionAllowed($action, $view)
      */
     protected function listAction()
     {
+        if (!$this->isActionAllowed('list')) {
+            return $this->renderForbiddenActionError('list');
+        }
+
         $fields = $this->entity['list']['fields'];
         $paginator = $this->findAll($this->entity['class'], $this->request->query->get('page', 1), $this->config['list']['max_results'], $this->request->query->get('sortField'), $this->request->query->get('sortDirection'));
 
@@ -159,6 +148,10 @@ protected function listAction()
      */
     protected function editAction()
     {
+        if (!$this->isActionAllowed('edit')) {
+            return $this->renderForbiddenActionError('edit');
+        }
+
         if ($this->request->isXmlHttpRequest()) {
             return $this->ajaxEdit();
         }
@@ -196,6 +189,10 @@ protected function editAction()
      */
     protected function showAction()
     {
+        if (!$this->isActionAllowed('show')) {
+            return $this->renderForbiddenActionError('show');
+        }
+
         $id = $this->request->query->get('id');
         if (!$item = $this->em->getRepository($this->entity['class'])->find($id)) {
             throw $this->createNotFoundException(sprintf('Unable to find entity (%s #%d).', $this->entity['name'], $id));
@@ -219,6 +216,10 @@ protected function showAction()
      */
     protected function newAction()
     {
+        if (!$this->isActionAllowed('new')) {
+            return $this->renderForbiddenActionError('new');
+        }
+
         $item = $this->instantiateNewEntity();
 
         $fields = $fields = $this->entity['new']['fields'];
@@ -328,7 +329,8 @@ protected function ajaxEdit()
      *
      * @return object
      */
-    protected function instantiateNewEntity() {
+    protected function instantiateNewEntity()
+    {
         $entityFullyQualifiedClassName = $this->entity['class'];
 
         return new $entityFullyQualifiedClassName();
@@ -541,7 +543,38 @@ protected function createDeleteForm($entityName, $entityId)
      */
     protected function render404error($view, array $parameters = array())
     {
-        return $this->render($view, $parameters, new Response('', 404));
+        return $this->render($view, $parameters, new Response('', Response::HTTP_NOT_FOUND));
+    }
+
+    /**
+     * Utility method that checks if the given action is allowed for the current
+     * view of the current entity.
+     *
+     * @param string $action
+     *
+     * @return bool
+     */
+    protected function isActionAllowed($action)
+    {
+        if (array_key_exists($action, $this->entity[$this->view]['actions'])) {
+            return true;
+        }
+    }
+
+    /**
+     * Utility shortcut to render an error when the requested action is not allowed
+     * for the given view of the given entity.
+     *
+     * @param string $action
+     *
+     * @return Response
+     */
+    protected function renderForbiddenActionError($action)
+    {
+        $allowedActions = array_keys($this->entity[$this->view]['actions']);
+        $parameters = array('action' => $action, 'allowed_actions' => $allowedActions, 'view' => $this->view);
+
+        return $this->render('@EasyAdmin/error/forbidden_action.html.twig', $parameters, new Response('', Response::HTTP_FORBIDDEN));
     }
 
     /**

diff --git a/Resources/views/error/forbidden_action.html.twig b/Resources/views/error/forbidden_action.html.twig
@@ -10,7 +10,7 @@
     <ul>
         <li>
             Change this action for one of the following allowed actions:
-            <code>{{ enabled_actions|join('</code>, <code>')|raw }}</code>.
+            <code>{{ allowed_actions|join('</code>, <code>')|raw }}</code>.
         </li>
         <li>
             If the action name is correct, make sure it's included in

diff --git a/Resources/views/layout.html.twig b/Resources/views/layout.html.twig
@@ -48,7 +48,7 @@
                         {% block navigation_items %}
                         {% for item in easyadmin_config('entities') %}
                             <li class="{{ item.name|lower == app.request.get('entity')|lower ? 'active' : '' }}">
-                                <a href="{{ path('admin', { entity: item.name, action: 'list' }) }}">
+                                <a href="{{ path('admin', { entity: item.name, action: 'list', view: 'list' }) }}">
                                     {{- item.label|trans -}}
                                 </a>
                             </li>

diff --git a/Resources/views/list.html.twig b/Resources/views/list.html.twig
@@ -37,7 +37,7 @@
                 {% if easyadmin_action_is_enabled_for_list_view('new', _entity.name) %}
                     {% set _action = easyadmin_get_action_for_list_view('new', _entity.name) %}
                     <div id="content-actions">
-                        <a class="btn {{ _action.class|default('') }}" href="{{ path('admin', { entity: _entity.name, action: _action.name }) }}">
+                        <a class="btn {{ _action.class|default('') }}" href="{{ path('admin', { entity: _entity.name, action: _action.name, view: 'list' }) }}">
                             {% if _action.icon %}<i class="fa fa-{{ _action.icon }}"></i>{% endif %}
                             {{ _action.label|default('action.new')|trans(_trans_parameters) }}
                         </a>
@@ -46,11 +46,8 @@
 
                 {% if easyadmin_action_is_enabled_for_list_view('search', _entity.name) %}
                     {% set _action = easyadmin_get_action_for_list_view('search', _entity.name) %}
-                    <form id="content-search" class="col-xs-6 col-sm-8" method="get" action="{{ path('admin') }}">
+                    <form id="content-search" class="col-xs-6 col-sm-8" method="get" action="{{ path('admin', { view: 'list', action: 'search', entity: _entity.name }) }}">
                         <div class="input-group">
-                            <input type="hidden" name="action" value="search">
-                            <input type="hidden" name="view" value="list">
-                            <input type="hidden" name="entity" value="{{ _entity.name }}">
                             <input class="form-control" id="content-search-query" type="search" name="query" placeholder="{{ _action.label|default('action.search')|trans(_trans_parameters) }}" value="{{ app.request.get('query')|default('') }}">
                         </div>
                     </form>

diff --git a/Resources/views/show.html.twig b/Resources/views/show.html.twig
@@ -45,7 +45,7 @@
                 {% set _show_actions = easyadmin_get_actions_for_show_item(_entity.name) %}
                 {% for _action in _show_actions %}
                     {% if 'method' == _action.type %}
-                        {% set _action_href = path('admin', { action: _action.name, view: 'edit', entity: _entity.name, id: attribute(item, _entity.primary_key_field_name) }) %}
+                        {% set _action_href = path('admin', { action: _action.name, view: 'show', entity: _entity.name, id: attribute(item, _entity.primary_key_field_name) }) %}
                     {% elseif 'route' == _action.type %}
                         {% set _action_href = path(_action.name, { entity: _entity.name, id: attribute(item, _entity.primary_key_field_name) }) %}
                     {% endif %}