Skip to content

[stable0.8] refactor: Extend Permission Middleware usage and replace deprecated annotations with attributes #1407

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
blizzz merged 5 commits into from
Oct 8, 2024
Merged

[stable0.8] refactor: Extend Permission Middleware usage and replace deprecated annotations with attributes #1407

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
5 commits
Select commit Hold shift + click to select a range
af61266
fix(Middleware): handle checking plain read/access permissions
blizzz Sep 19, 2024
d7abd30
refactor(Controller): make use of read permission check in middleware
blizzz Sep 20, 2024
2e9f9e7
refactor(Controller): extend usage of PermissionMiddleware
blizzz Sep 20, 2024
6c1dad1
fix(Controller): replace deprecated annotations with attributes
blizzz Sep 20, 2024
fc5e463
test(integration): inaccessible table shall respond 404
blizzz Sep 23, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
277 changes: 128 additions & 149 deletions lib/Controller/Api1Controller.php
View file
Open in desktop

Large diffs are not rendered by default.

30 changes: 16 additions & 14 deletions lib/Controller/ApiColumnsController.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -6,13 +6,16 @@
*/
namespace OCA\Tables\Controller;

use OCA\Tables\AppInfo\Application;
use OCA\Tables\Dto\Column as ColumnDto;
use OCA\Tables\Errors\InternalError;
use OCA\Tables\Errors\NotFoundError;
use OCA\Tables\Errors\PermissionError;
use OCA\Tables\Middleware\Attribute\RequirePermission;
use OCA\Tables\ResponseDefinitions;
use OCA\Tables\Service\ColumnService;
use OCP\AppFramework\Http;
use OCP\AppFramework\Http\Attribute\NoAdminRequired;
use OCP\AppFramework\Http\DataResponse;
use OCP\IL10N;
use OCP\IRequest;
Expand All @@ -39,8 +42,6 @@ public function __construct(
*
* Return an empty array if no columns were found
*
* @NoAdminRequired
*
* @param int $nodeId Node ID
* @param 'table'|'view' $nodeType Node type
* @return DataResponse<Http::STATUS_OK, TablesColumn[], array{}>|DataResponse<Http::STATUS_FORBIDDEN|Http::STATUS_INTERNAL_SERVER_ERROR|Http::STATUS_NOT_FOUND, array{message: string}, array{}>
Expand All @@ -49,6 +50,8 @@ public function __construct(
* 403: No permissions
* 404: Not found
*/
#[NoAdminRequired]
#[RequirePermission(permission: Application::PERMISSION_READ)]
public function index(int $nodeId, string $nodeType): DataResponse {
try {
if($nodeType === 'table') {
Expand All @@ -71,15 +74,14 @@ public function index(int $nodeId, string $nodeType): DataResponse {
/**
* [api v2] Get a column object
*
* @NoAdminRequired
*
* @param int $id Column ID
* @return DataResponse<Http::STATUS_OK, TablesColumn, array{}>|DataResponse<Http::STATUS_FORBIDDEN|Http::STATUS_INTERNAL_SERVER_ERROR|Http::STATUS_NOT_FOUND, array{message: string}, array{}>
*
* 200: Column returned
* 403: No permissions
* 404: Not found
*/
#[NoAdminRequired]
public function show(int $id): DataResponse {
try {
return new DataResponse($this->service->find($id)->jsonSerialize());
Expand All @@ -97,8 +99,6 @@ public function show(int $id): DataResponse {
*
* Specify a subtype to use any special numbered column
*
* @NoAdminRequired
*
* @param int $baseNodeId Context of the column creation
* @param string $title Title
* @param boolean $mandatory Is mandatory
Expand All @@ -121,6 +121,8 @@ public function show(int $id): DataResponse {
* @throws NotFoundError
* @throws PermissionError
*/
#[NoAdminRequired]
#[RequirePermission(permission: Application::PERMISSION_MANAGE, typeParam: 'baseNodeType', idParam: 'baseNodeId')]
public function createNumberColumn(int $baseNodeId, string $title, ?float $numberDefault, ?int $numberDecimals, ?string $numberPrefix, ?string $numberSuffix, ?float $numberMin, ?float $numberMax, ?string $subtype = null, ?string $description = null, ?array $selectedViewIds = [], bool $mandatory = false, string $baseNodeType = 'table'): DataResponse {
$tableId = $baseNodeType === 'table' ? $baseNodeId : null;
$viewId = $baseNodeType === 'view' ? $baseNodeId : null;
Expand Down Expand Up @@ -151,8 +153,6 @@ public function createNumberColumn(int $baseNodeId, string $title, ?float $numbe
*
* Specify a subtype to use any special text column
*
* @NoAdminRequired
*
* @param int $baseNodeId Context of the column creation
* @param string $title Title
* @param string|null $textDefault Default
Expand All @@ -172,6 +172,8 @@ public function createNumberColumn(int $baseNodeId, string $title, ?float $numbe
* @throws NotFoundError
* @throws PermissionError
*/
#[NoAdminRequired]
#[RequirePermission(permission: Application::PERMISSION_MANAGE, typeParam: 'baseNodeType', idParam: 'baseNodeId')]
public function createTextColumn(int $baseNodeId, string $title, ?string $textDefault, ?string $textAllowedPattern, ?int $textMaxLength, ?string $subtype = null, ?string $description = null, ?array $selectedViewIds = [], bool $mandatory = false, string $baseNodeType = 'table'): DataResponse {
$tableId = $baseNodeType === 'table' ? $baseNodeId : null;
$viewId = $baseNodeType === 'view' ? $baseNodeId : null;
Expand Down Expand Up @@ -199,8 +201,6 @@ public function createTextColumn(int $baseNodeId, string $title, ?string $textDe
*
* Specify a subtype to use any special selection column
*
* @NoAdminRequired
*
* @param int $baseNodeId Context of the column creation
* @param string $title Title
* @param string $selectionOptions Json array{id: int, label: string} with options that can be selected, eg [{"id": 1, "label": "first"},{"id": 2, "label": "second"}]
Expand All @@ -219,6 +219,8 @@ public function createTextColumn(int $baseNodeId, string $title, ?string $textDe
* @throws NotFoundError
* @throws PermissionError
*/
#[NoAdminRequired]
#[RequirePermission(permission: Application::PERMISSION_MANAGE, typeParam: 'baseNodeType', idParam: 'baseNodeId')]
public function createSelectionColumn(int $baseNodeId, string $title, string $selectionOptions, ?string $selectionDefault, ?string $subtype = null, ?string $description = null, ?array $selectedViewIds = [], bool $mandatory = false, string $baseNodeType = 'table'): DataResponse {
$tableId = $baseNodeType === 'table' ? $baseNodeId : null;
$viewId = $baseNodeType === 'view' ? $baseNodeId : null;
Expand All @@ -245,8 +247,6 @@ public function createSelectionColumn(int $baseNodeId, string $title, string $se
*
* Specify a subtype to use any special datetime column
*
* @NoAdminRequired
*
* @param int $baseNodeId Context of the column creation
* @param string $title Title
* @param 'today'|'now'|null $datetimeDefault For a subtype 'date' you can set 'today'. For a main type or subtype 'time' you can set to 'now'.
Expand All @@ -264,6 +264,8 @@ public function createSelectionColumn(int $baseNodeId, string $title, string $se
* @throws NotFoundError
* @throws PermissionError
*/
#[NoAdminRequired]
#[RequirePermission(permission: Application::PERMISSION_MANAGE, typeParam: 'baseNodeType', idParam: 'baseNodeId')]
public function createDatetimeColumn(int $baseNodeId, string $title, ?string $datetimeDefault, ?string $subtype = null, ?string $description = null, ?array $selectedViewIds = [], bool $mandatory = false, string $baseNodeType = 'table'): DataResponse {
$tableId = $baseNodeType === 'table' ? $baseNodeId : null;
$viewId = $baseNodeType === 'view' ? $baseNodeId : null;
Expand All @@ -287,8 +289,6 @@ public function createDatetimeColumn(int $baseNodeId, string $title, ?string $da
/**
* [api v2] Create new usergroup column
*
* @NoAdminRequired
*
* @param int $baseNodeId Context of the column creation
* @param string $title Title
* @param string|null $usergroupDefault Json array{id: string, type: int}, eg [{"id": "admin", "type": 0}, {"id": "user1", "type": 0}]
Expand All @@ -309,6 +309,8 @@ public function createDatetimeColumn(int $baseNodeId, string $title, ?string $da
* @throws NotFoundError
* @throws PermissionError
*/
#[NoAdminRequired]
#[RequirePermission(permission: Application::PERMISSION_MANAGE, typeParam: 'baseNodeType', idParam: 'baseNodeId')]
public function createUsergroupColumn(int $baseNodeId, string $title, ?string $usergroupDefault, bool $usergroupMultipleItems = null, bool $usergroupSelectUsers = null, bool $usergroupSelectGroups = null, bool $showUserStatus = null, string $description = null, ?array $selectedViewIds = [], bool $mandatory = false, string $baseNodeType = 'table'): DataResponse {
$tableId = $baseNodeType === 'table' ? $baseNodeId : null;
$viewId = $baseNodeType === 'view' ? $baseNodeId : null;
Expand Down
11 changes: 7 additions & 4 deletions lib/Controller/ApiFavoriteController.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -8,12 +8,15 @@
namespace OCA\Tables\Controller;

use Exception;
use OCA\Tables\AppInfo\Application;
use OCA\Tables\Errors\InternalError;
use OCA\Tables\Errors\NotFoundError;
use OCA\Tables\Errors\PermissionError;
use OCA\Tables\Middleware\Attribute\RequirePermission;
use OCA\Tables\ResponseDefinitions;
use OCA\Tables\Service\FavoritesService;
use OCP\AppFramework\Http;
use OCP\AppFramework\Http\Attribute\NoAdminRequired;
use OCP\AppFramework\Http\DataResponse;
use OCP\DB\Exception as DBException;
use OCP\IL10N;
Expand All @@ -39,8 +42,6 @@ public function __construct(
/**
* [api v2] Add a node (table or view) to user favorites
*
* @NoAdminRequired
*
* @param int $nodeType any Application::NODE_TYPE_* constant
* @param int $nodeId identifier of the node
* @return DataResponse<Http::STATUS_OK, array{}, array{}>|DataResponse<Http::STATUS_FORBIDDEN|Http::STATUS_INTERNAL_SERVER_ERROR|Http::STATUS_NOT_FOUND, array{message: string}, array{}>
Expand All @@ -49,6 +50,8 @@ public function __construct(
* 403: No permissions
* 404: Not found
*/
#[NoAdminRequired]
#[RequirePermission(permission: Application::PERMISSION_READ)]
public function create(int $nodeType, int $nodeId): DataResponse {
try {
$this->service->addFavorite($nodeType, $nodeId);
Expand All @@ -66,8 +69,6 @@ public function create(int $nodeType, int $nodeId): DataResponse {
/**
* [api v2] Remove a node (table or view) to from favorites
*
* @NoAdminRequired
*
* @param int $nodeType any Application::NODE_TYPE_* constant
* @param int $nodeId identifier of the node
* @return DataResponse<Http::STATUS_OK, array{}, array{}>|DataResponse<Http::STATUS_FORBIDDEN|Http::STATUS_INTERNAL_SERVER_ERROR|Http::STATUS_NOT_FOUND, array{message: string}, array{}>
Expand All @@ -76,6 +77,8 @@ public function create(int $nodeType, int $nodeId): DataResponse {
* 403: No permissions
* 404: Not found
*/
#[NoAdminRequired]
#[RequirePermission(permission: Application::PERMISSION_READ)]
public function destroy(int $nodeType, int $nodeId): DataResponse {
try {
$this->service->removeFavorite($nodeType, $nodeId);
Expand Down
4 changes: 2 additions & 2 deletions lib/Controller/ApiGeneralController.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -15,6 +15,7 @@
use OCA\Tables\Service\TableService;
use OCA\Tables\Service\ViewService;
use OCP\AppFramework\Http;
use OCP\AppFramework\Http\Attribute\NoAdminRequired;
use OCP\AppFramework\Http\DataResponse;
use OCP\IL10N;
use OCP\IRequest;
Expand Down Expand Up @@ -46,12 +47,11 @@ public function __construct(
*
* Tables and views incl. shares
*
* @NoAdminRequired
*
* @return DataResponse<Http::STATUS_OK, TablesIndex, array{}>|DataResponse<Http::STATUS_INTERNAL_SERVER_ERROR, array{message: string}, array{}>
*
* 200: Index returned
*/
#[NoAdminRequired]
public function index(): DataResponse {
try {
$tables = $this->tableService->formatTables($this->tableService->findAll($this->userId));
Expand Down
31 changes: 15 additions & 16 deletions lib/Controller/ApiTablesController.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -8,16 +8,19 @@
namespace OCA\Tables\Controller;

use Exception;
use OCA\Tables\AppInfo\Application;
use OCA\Tables\Dto\Column as ColumnDto;
use OCA\Tables\Errors\InternalError;
use OCA\Tables\Errors\NotFoundError;
use OCA\Tables\Errors\PermissionError;
use OCA\Tables\Middleware\Attribute\RequirePermission;
use OCA\Tables\ResponseDefinitions;
use OCA\Tables\Service\ColumnService;
use OCA\Tables\Service\TableService;
use OCA\Tables\Service\ViewService;
use OCP\App\IAppManager;
use OCP\AppFramework\Http;
use OCP\AppFramework\Http\Attribute\NoAdminRequired;
use OCP\AppFramework\Http\DataResponse;
use OCP\IDBConnection;
use OCP\IL10N;
Expand Down Expand Up @@ -57,12 +60,11 @@ public function __construct(
/**
* [api v2] Returns all Tables
*
* @NoAdminRequired
*
* @return DataResponse<Http::STATUS_OK, TablesTable[], array{}>|DataResponse<Http::STATUS_INTERNAL_SERVER_ERROR, array{message: string}, array{}>
*
* 200: Tables returned
*/
#[NoAdminRequired]
public function index(): DataResponse {
try {
return new DataResponse($this->service->formatTables($this->service->findAll($this->userId)));
Expand All @@ -74,15 +76,15 @@ public function index(): DataResponse {
/**
* [api v2] Get a table object
*
* @NoAdminRequired
*
* @param int $id Table ID
* @return DataResponse<Http::STATUS_OK, TablesTable, array{}>|DataResponse<Http::STATUS_FORBIDDEN|Http::STATUS_INTERNAL_SERVER_ERROR|Http::STATUS_NOT_FOUND, array{message: string}, array{}>
*
* 200: Table returned
* 403: No permissions
* 404: Not found
*/
#[NoAdminRequired]
#[RequirePermission(permission: Application::PERMISSION_READ, type: Application::NODE_TYPE_TABLE, idParam: 'id')]
public function show(int $id): DataResponse {
try {
return new DataResponse($this->service->find($id)->jsonSerialize());
Expand All @@ -98,15 +100,15 @@ public function show(int $id): DataResponse {
/**
* [api v2] Get a table Scheme
*
* @NoAdminRequired
*
* @param int $id Table ID
* @return DataResponse<Http::STATUS_OK, TablesTable, array{}>|DataResponse<Http::STATUS_FORBIDDEN|Http::STATUS_INTERNAL_SERVER_ERROR|Http::STATUS_NOT_FOUND, array{message: string}, array{}>
*
* 200: Scheme returned
* 403: No permissions
* 404: Not found
*/
#[NoAdminRequired]
#[RequirePermission(permission: Application::PERMISSION_READ, type: Application::NODE_TYPE_TABLE, idParam: 'id')]
public function showScheme(int $id): DataResponse {
try {
return new DataResponse($this->service->getScheme($id)->jsonSerialize());
Expand All @@ -120,8 +122,6 @@ public function showScheme(int $id): DataResponse {
}

/**
* @NoAdminRequired
*
* creates table from scheme
*
* @param string $title title of new table
Expand All @@ -133,6 +133,7 @@ public function showScheme(int $id): DataResponse {
*
* 200: Tables returned
*/
#[NoAdminRequired]
public function createFromScheme(string $title, string $emoji, string $description, array $columns, array $views): DataResponse {
try {
$this->db->beginTransaction();
Expand Down Expand Up @@ -191,8 +192,6 @@ public function createFromScheme(string $title, string $emoji, string $descripti
/**
* [api v2] Create a new table and return it
*
* @NoAdminRequired
*
* @param string $title Title of the table
* @param string|null $emoji Emoji for the table
* @param string|null $description Description for the table
Expand All @@ -202,6 +201,7 @@ public function createFromScheme(string $title, string $emoji, string $descripti
*
* 200: Tables returned
*/
#[NoAdminRequired]
public function create(string $title, ?string $emoji, ?string $description, string $template = 'custom'): DataResponse {
try {
return new DataResponse($this->service->create($title, $template, $emoji, $description)->jsonSerialize());
Expand All @@ -213,8 +213,6 @@ public function create(string $title, ?string $emoji, ?string $description, stri
/**
* [api v2] Update tables properties
*
* @NoAdminRequired
*
* @param int $id Table ID
* @param string|null $title New table title
* @param string|null $emoji New table emoji
Expand All @@ -226,6 +224,8 @@ public function create(string $title, ?string $emoji, ?string $description, stri
* 403: No permissions
* 404: Not found
*/
#[NoAdminRequired]
#[RequirePermission(permission: Application::PERMISSION_MANAGE, type: Application::NODE_TYPE_TABLE, idParam: 'id')]
public function update(int $id, ?string $title = null, ?string $emoji = null, ?string $description = null, ?bool $archived = null): DataResponse {
try {
return new DataResponse($this->service->update($id, $title, $emoji, $description, $archived, $this->userId)->jsonSerialize());
Expand All @@ -241,15 +241,15 @@ public function update(int $id, ?string $title = null, ?string $emoji = null, ?s
/**
* [api v2] Delete a table
*
* @NoAdminRequired
*
* @param int $id Table ID
* @return DataResponse<Http::STATUS_OK, TablesTable, array{}>|DataResponse<Http::STATUS_FORBIDDEN|Http::STATUS_INTERNAL_SERVER_ERROR|Http::STATUS_NOT_FOUND, array{message: string}, array{}>
*
* 200: Deleted table returned
* 403: No permissions
* 404: Not found
*/
#[NoAdminRequired]
#[RequirePermission(permission: Application::PERMISSION_MANAGE, type: Application::NODE_TYPE_TABLE, idParam: 'id')]
public function destroy(int $id): DataResponse {
try {
return new DataResponse($this->service->delete($id)->jsonSerialize());
Expand All @@ -267,8 +267,6 @@ public function destroy(int $id): DataResponse {
*
* Transfer table from one user to another
*
* @NoAdminRequired
*
* @param int $id Table ID
* @param string $newOwnerUserId New user ID
*
Expand All @@ -278,6 +276,7 @@ public function destroy(int $id): DataResponse {
* 403: No permissions
* 404: Not found
*/
#[NoAdminRequired]
public function transfer(int $id, string $newOwnerUserId): DataResponse {
try {
return new DataResponse($this->service->setOwner($id, $newOwnerUserId)->jsonSerialize());
Expand Down
Loading