verdigado-public/organization_folders
0
0
Fork 0
mirror of https://github.com/verdigado/organization_folders.git synced 2024-12-06 11:22:41 +01:00
Code Projects Activity
organization_folders/lib/Controller/ResourceController.php

178 lines
No EOL
5.8 KiB
PHP
Raw Permalink Blame History

<?php
namespace OCA\OrganizationFolders\Controller;
use OCP\AppFramework\Http\JSONResponse;
use OCP\AppFramework\Http\Attribute\NoAdminRequired;
use OCA\OrganizationFolders\Db\Resource;
use OCA\OrganizationFolders\Service\ResourceService;
use OCA\OrganizationFolders\Service\ResourceMemberService;
use OCA\OrganizationFolders\Service\OrganizationFolderService;
use OCA\OrganizationFolders\Traits\ApiObjectController;
class ResourceController extends BaseController {
use Errors;
use ApiObjectController;
public const MEMBERS_INCLUDE = 'members';
public const SUBRESOURCES_INCLUDE = 'subresources';
public function __construct(
private ResourceService $service,
private ResourceMemberService $memberService,
private OrganizationFolderService $organizationFolderService,
private string $userId,
) {
parent::__construct();
}
private function getApiObjectFromEntity(Resource $resource, ?string $include): array {
$includes = $this->parseIncludesString($include);
$result = [];
if ($this->shouldInclude(self::MODEL_INCLUDE, $includes)) {
$result = $resource->jsonSerialize();
}
if ($this->shouldInclude(self::MEMBERS_INCLUDE, $includes)) {
$result["members"] = $this->memberService->findAll($resource->getId());
}
if($this->shouldInclude(self::SUBRESOURCES_INCLUDE, $includes)) {
$result["subResources"] = $this->getSubResources($resource->getId());
}
return $result;
}
#[NoAdminRequired]
public function show(int $resourceId, ?string $include): JSONResponse {
return $this->handleNotFound(function () use ($resourceId, $include) {
$resource = $this->service->find($resourceId);
$this->denyAccessUnlessGranted(['READ'], $resource);
return $this->getApiObjectFromEntity($resource, $include);
});
}
#[NoAdminRequired]
public function create(
int $organizationFolderId,
string $type,
string $name,
?int $parentResourceId = null,
bool $active = true,
bool $inheritManagers = true,
// for type folder
?int $membersAclPermission = null,
?int $managersAclPermission = null,
?int $inheritedAclPermission = null,
?string $include,
): JSONResponse {
return $this->handleErrors(function () use ($organizationFolderId, $type, $name, $parentResourceId, $active, $inheritManagers, $membersAclPermission, $managersAclPermission, $inheritedAclPermission, $include) {
$organizationFolder = $this->organizationFolderService->find($organizationFolderId);
if(!is_null($parentResourceId)) {
$parentResource = $this->service->find($parentResourceId);
$this->denyAccessUnlessGranted(['CREATE_SUBRESOURCE'], $parentResource);
} else {
$this->denyAccessUnlessGranted(['CREATE_RESOURCE'], $organizationFolder);
}
$resource = $this->service->create(
organizationFolderId: $organizationFolder->getId(),
type: $type,
name: $name,
parentResourceId: $parentResourceId,
active: $active,
inheritManagers: $inheritManagers,
membersAclPermission: $membersAclPermission,
managersAclPermission: $managersAclPermission,
inheritedAclPermission: $inheritedAclPermission,
);
return $this->getApiObjectFromEntity($resource, $include);
});
}
#[NoAdminRequired]
public function update(
int $resourceId,
?string $name = null,
?bool $active = null,
?bool $inheritManagers = null,
// for type folder
?int $membersAclPermission = null,
?int $managersAclPermission = null,
?int $inheritedAclPermission = null,
?string $include,
): JSONResponse {
return $this->handleErrors(function () use ($resourceId, $name, $active, $inheritManagers, $membersAclPermission, $managersAclPermission, $inheritedAclPermission, $include) {
$resource = $this->service->find($resourceId);
$this->denyAccessUnlessGranted(['UPDATE'], $resource);
$resource = $this->service->update(
id: $resourceId,
name: $name,
active: $active,
inheritManagers: $inheritManagers,
membersAclPermission: $membersAclPermission,
managersAclPermission: $managersAclPermission,
inheritedAclPermission: $inheritedAclPermission,
);
return $this->getApiObjectFromEntity($resource, $include);
});
}
#[NoAdminRequired]
public function subResources(int $resourceId): JSONResponse {
return $this->handleNotFound(function () use ($resourceId) {
return $this->getSubResources($resourceId);
});
}
protected function getSubResources(int $resourceId): array {
$resource = $this->service->find($resourceId);
$organizationFolder = $this->organizationFolderService->find($resource->getOrganizationFolderId());
$subresources = $this->service->getSubResources($resource);
$result = [];
if($this->authorizationService->isGranted(['MANAGE_ALL_RESOURCES'], $organizationFolder)) {
/* fastpath: access to all subresources */
$result = $subresources;
} else {
foreach($subresources as $subresource) {
// Future optimization potential 1: the following will potentially check the permissions of each of these subresources all the way up the resource tree.
// As sibling resources these subresources share the same resources above them in the tree.
// So if access to the parent resource is granted, all subresources with inheritManagers can be granted immediately.
// For all other subresources only a check if user has direct (non-inherited) manager rights is neccessary.
// Future optimization potential 2: READ permission check checks MANAGE_ALL_RESOURCES again, at this point we know this to be false, because of the fastpath.
// Could be replaced with something like a READ_DIRECT (name TBD) permission check, which does not check this again.
if($this->authorizationService->isGranted(['READ'], $resource)) {
$result[] = $subresource;
} else if($this->authorizationService->isGranted(['READ_LIMITED'], $resource)) {
$result[] = $subresource->limitedJsonSerialize();
}
}
}
return $result;
}
}
View git blame Copy permalink