verdigado-public/organization_folders
0
0
Fork 0
mirror of https://github.com/verdigado/organization_folders.git synced 2024-11-24 05:30:27 +01:00
Code Projects Activity

Allow organization folder admins to view/update/... all resources of organization folder, regardless of manager rights inheritance

Browse source
This commit is contained in:
Jonathan Treffler 2024-11-16 03:23:19 +01:00
parent fb3f9836a2
commit 24b8b615d3
1 changed files with 27 additions and 2 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

27
lib/Security/ResourceVoter.php
View file

@ -6,14 +6,17 @@ use OCP\IUser;
use OCP\IGroupManager; use OCP\IGroupManager;
use OCA\OrganizationFolders\Db\Resource; use OCA\OrganizationFolders\Db\Resource;
use OCA\OrganizationFolders\Service\OrganizationFolderMemberService;
use OCA\OrganizationFolders\Service\ResourceService; use OCA\OrganizationFolders\Service\ResourceService;
use OCA\OrganizationFolders\Service\ResourceMemberService; use OCA\OrganizationFolders\Service\ResourceMemberService;
use OCA\OrganizationFolders\Enum\OrganizationFolderMemberPermissionLevel;
use OCA\OrganizationFolders\Enum\ResourceMemberPermissionLevel; use OCA\OrganizationFolders\Enum\ResourceMemberPermissionLevel;
use OCA\OrganizationFolders\Enum\PrincipalType; use OCA\OrganizationFolders\Enum\PrincipalType;
use OCA\OrganizationFolders\OrganizationProvider\OrganizationProviderManager; use OCA\OrganizationFolders\OrganizationProvider\OrganizationProviderManager;
class ResourceVoter extends Voter { class ResourceVoter extends Voter {
public function __construct( public function __construct(
private OrganizationFolderMemberService $organizationFolderMemberService,
private ResourceService $resourceService, private ResourceService $resourceService,
private ResourceMemberService $resourceMemberService, private ResourceMemberService $resourceMemberService,
private IGroupManager $groupManager, private IGroupManager $groupManager,
@ -45,7 +48,29 @@ class ResourceVoter extends Voter {
} }
private function isResourceOrganizationFolderAdmin(IUser $user, Resource $resource): bool { private function isResourceOrganizationFolderAdmin(IUser $user, Resource $resource): bool {
// TODO: implement $organizationFolderMembers = $this->organizationFolderMemberService->findAll($resource->getOrganizationFolderId(), [
"permissionLevel" => OrganizationFolderMemberPermissionLevel::ADMIN,
]);
foreach($organizationFolderMembers as $organizationFolderMember) {
// should be true for all returned members because of the filter, double check because of the big security implications
if($organizationFolderMember->getPermissionLevel() === OrganizationFolderMemberPermissionLevel::ADMIN->value) {
$principal = $organizationFolderMember->getPrincipal();
if($principal->getType() === PrincipalType::GROUP) {
if($this->userIsInGroup($user, $principal->getId())) {
return true;
}
} else if($principal->getType() === PrincipalType::ROLE) {
[$organizationProviderId, $roleId] = explode(":", $principal->getId(), 2);
if($this->userHasRole($user, $organizationProviderId, $roleId)) {
return true;
}
}
}
}
return false; return false;
} }