WIP unauthorized access management

vincent-peugnet · Nov 7, 2023 · 4fe95f6 · 4fe95f6
1 parent f1dd2fc
commit 4fe95f6
Show file tree

Hide file tree

Showing 5 changed files with 59 additions and 22 deletions.
diff --git a/app/class/Controller.php b/app/class/Controller.php
@@ -191,4 +191,20 @@ protected function workspace2session(): void
     {
         $_SESSION['user' . Config::basepath()]['workspace'] = $this->workspace->dry();
     }
+
+    /**
+     * Tell if the current user can edit the given Page
+     *
+     * @param Page $page
+     */
+    protected function canedit(Page $page): bool
+    {
+        if ($this->user->issupereditor()) {
+            return true;
+        } elseif ($this->user->isinvite() || $this->user->iseditor()) {
+            return (in_array($this->user->id(), $page->authors()));
+        } else {
+            return false;
+        }
+    }
 }
diff --git a/app/class/Controllerapipage.php b/app/class/Controllerapipage.php
@@ -44,7 +44,7 @@ protected function importpage(string $id): bool
     public function get(string $page)
     {
         if ($this->importpage($page)) {
-            if ($this->canedit()) {
+            if ($this->canedit($this->page)) {
                 http_response_code(200);
                 header('Content-type: application/json; charset=utf-8');
                 echo json_encode($this->page->dry(), JSON_PRETTY_PRINT);
@@ -66,7 +66,7 @@ public function get(string $page)
     public function update(string $page)
     {
         if ($this->importpage($page)) {
-            if ($this->canedit()) {
+            if ($this->canedit($this->page)) {
                 if (!empty($_POST)) {
                     $datas = $_POST;
                 } else {
@@ -132,7 +132,7 @@ public function put(string $page)
         if (!$exist && !$this->user->iseditor()) {
             $this->shortresponse(401, 'User cannot create pages');
         }
-        if ($exist && !$this->canedit()) {
+        if ($exist && !$this->canedit($this->page)) {
             $this->shortresponse(401, 'Page already exist but user cannot update it');
         }
         $this->page = new Page(array_merge($this->recievejson(), ['id' => $page]));

diff --git a/app/class/Controllerpage.php b/app/class/Controllerpage.php
@@ -223,7 +223,7 @@ public function read($page)
             http_response_code(404);
             $this->showtemplate(
                 'alertexistnot',
-                ['page' => $this->page, 'canedit' => $this->canedit(), 'subtitle' => Config::existnot()]
+                ['page' => $this->page, 'canedit' => $this->canedit($this->page), 'subtitle' => Config::existnot()]
             );
         }
     }
@@ -234,8 +234,13 @@ public function edit($page)
 
         $this->pageconnect('pageedit');
 
+        if ($this->importpage()) {
+
+            if (!$this->canedit($this->page)) {
+                $this->showtemplate('unauthorized', ['route' => 'pageedit', 'id' => $this->page->id()]);
+                exit;
+            }
 
-        if ($this->importpage() && $this->canedit()) {
             $datas['tablist'] = [
                 'main' => $this->page->main(),
                 'css' => $this->page->css(),
@@ -431,7 +436,7 @@ public function copy(string $srcid, string $targetid)
         if ($this->user->iseditor()) {
             try {
                 $this->page = $this->pagemanager->get($srcid);
-                if ($this->canedit() && !$this->pagemanager->exist($targetid)) {
+                if ($this->canedit($this->page) && !$this->pagemanager->exist($targetid)) {
                     $this->page->setid($targetid);
                     $this->page->setdatecreation(true); // Reset date of creation
                     $this->page->setdatemodif(new DateTimeImmutable());
@@ -453,8 +458,8 @@ public function update($page)
 
 
         if ($this->importpage()) {
-            if ($this->canedit()) {
-                // Check if someone else edited the page during the editing.
+            if ($this->canedit($this->page)) {
+                // Check if someone esle edited the page during the editing.
                 $oldpage = clone $this->page;
                 $this->page->hydrate($_POST);
 

diff --git a/app/class/Voterpage.php b/app/class/Voterpage.php
@@ -4,18 +4,14 @@
 
 trait Voterpage
 {
-    public function canedit(): bool
-    {
-        if ($this->user->issupereditor()) {
-            return true;
-        } elseif ($this->user->isinvite() || $this->user->iseditor()) {
-            if (in_array($this->user->id(), $this->page->authors())) {
-                return true;
-            } else {
-                return false;
-            }
-        } else {
-            return false;
-        }
-    }
+    // public function canedit(): bool
+    // {
+    //     if ($this->user->issupereditor()) {
+    //         return true;
+    //     } elseif ($this->user->isinvite() || $this->user->iseditor()) {
+    //         return (in_array($this->user->id(), $this->page->authors()));
+    //     } else {
+    //         return false;
+    //     }
+    // }
 }
diff --git a/app/view/templates/unauthorized.php b/app/view/templates/unauthorized.php
@@ -0,0 +1,20 @@
+<?php $this->layout('layout', ['title' => 'Unauthorized', 'description' => 'unauthorized', 'stylesheets' => [$css . 'home.css']]) ?>
+
+
+
+
+<?php $this->start('page') ?>
+
+<h1>Unauthorized</h1>
+
+<span>
+<?= $user->level() ?>
+</span>
+
+<?php
+if(in_array($route, ['pageedit', 'pageread', 'pageadd'])) {
+    echo '<p><a href="' . $this->upage('pageread', $id) . '">back to page read view</a></p>';
+}
+?>
+
+<?php $this->stop() ?>