From 74135648e758cf985d2bd8d7d0241a78d40493e6 Mon Sep 17 00:00:00 2001
From: Markus Opolka
Date: Mon, 5 Aug 2024 16:54:28 +0200
Subject: [PATCH] Fix restrictions for form operations
---
 application/forms/EditForm.php | 8 +++++---
 library/Toplevelview/ViewConfig.php | 14 ++++++++++++++
 2 files changed, 19 insertions(+), 3 deletions(-)
diff --git a/application/forms/EditForm.php b/application/forms/EditForm.php
index 63a7a27..83c4098 100644
--- a/application/forms/EditForm.php
+++ b/application/forms/EditForm.php
@@ -56,23 +56,25 @@ public function onSuccess()
         $this->view->getMetaData();
         $this->view->getTree();
 
-        // Store the view to the session
-        $this->viewconfig->storeToSession($this->view);
-
         $cancel = $this->getElement('btn_submit_cancel');
         $delete = $this->getElement('btn_submit_delete');
 
         if ($this->getElement('btn_submit_save_file')->getValue() !== null) {
+            // Store the view to its YAML file
             $this->viewconfig->storeToFile($this->view);
             Notification::success($this->translate('Top Level View successfully saved'));
         } elseif ($cancel !== null && $cancel->getValue() !== null) {
+            // Clear the stored session data for the view
             $this->viewconfig->clearSession($this->view);
             Notification::success($this->translate('Top Level View restored from disk'));
         } elseif ($delete != null && $delete->getValue() !== null) {
+            // Delte the view's YAML file
             $this->viewconfig->delete($this->view);
             $this->setRedirectUrl('toplevelview');
             Notification::success($this->translate('Top Level View successfully deleted'));
         } else {
+            // Store the view to the user's session by default
+            $this->viewconfig->storeToSession($this->view);
             Notification::success($this->translate('Top Level View successfully saved for the current session'));
         }
         return true;
diff --git a/library/Toplevelview/ViewConfig.php b/library/Toplevelview/ViewConfig.php
index a4ef99c..b368186 100644
--- a/library/Toplevelview/ViewConfig.php
+++ b/library/Toplevelview/ViewConfig.php
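Review bot: The comment added above the delete branch misspells its first word; it should read `// Delete the view's YAML file`. On the same branch the guard `$delete != null` is a loose comparison while the cancel branch two lines up uses `$cancel !== null`; `} elseif ($delete !== null && $delete->getValue() !== null) {` keeps the two checks consistent. If assertAccessToView in ViewConfig reports denial by throwing (its body is not in this patch), nothing in this method catches it, so what the user sees on a forbidden view depends on how the framework renders an uncaught form exception — worth confirming, and a `Notification::error` path may be preferable. onSuccess begins before this hunk and its closing brace lies outside it.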
@@ -246,6 +246,10 @@ public function loadAll($format = self::FORMAT_YAML): array
      */
     public function storeToSession($view): void
     {
+        // Assert the user has rights to edit this view
+        $restrictions = $this->getRestrictions('toplevelview/filter/edit');
+        $this->assertAccessToView($restrictions, $view->getName());
+
         Session::getSession()->set(self::SESSION_PREFIX . $view->getName(), $view->getText());
     }
 
@@ -266,6 +270,12 @@ public function clearSession($view): void
      */
     public function storeToFile($view): void
     {
+        // Assert the user has rights to edit this file
+        $restrictions = $this->getRestrictions('toplevelview/filter/edit');
+        $this->assertAccessToView($restrictions, $view->getName());
+
+        var_dump($restrictions);
+
         $file_path = $this->getConfigDir() . DIRECTORY_SEPARATOR . $view->getName() . '.' . $view->getFormat();
         // Store a backup of the existing config
         if (file_exists($file_path)) {
@@ -283,6 +293,10 @@ public function storeToFile($view): void
      */
     public function delete($view): void
     {
+        // Assert the user has rights to edit this view
+        $restrictions = $this->getRestrictions('toplevelview/filter/edit');
+        $this->assertAccessToView($restrictions, $view->getName());
+
         $file_path = $this->getConfigDir() . DIRECTORY_SEPARATOR . $view->getName() . '.' . $view->getFormat();
         $this->clearSession($view);
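Review bot: The restriction lookup and assertion added at the top of storeToSession are repeated verbatim in storeToFile and delete in the hunks below, with the restriction name `'toplevelview/filter/edit'` as a literal in each. A private helper such as `$this->assertEditAccess($view);` wrapping `$restrictions = $this->getRestrictions('toplevelview/filter/edit'); $this->assertAccessToView($restrictions, $view->getName());` would keep the three write paths from drifting apart when the check changes. Its docblock should state how denial is signalled (a `@throws` line if assertAccessToView throws, which this patch does not show) so callers in the form layer know what to handle.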
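Review bot: `var_dump($restrictions);` in storeToFile is leftover debugging that prints the calling user's restriction filters into the HTTP response on every file save; it should be removed before merge. Emitting output from a library method may also break the redirect the form sets afterwards if no output buffering is active, since headers cannot follow body output. The assertion itself is correctly placed before the backup copy and the write, so nothing else in the hunk needs to change. storeToFile continues past the end of this hunk.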