vendor/shopware/core/Framework/Api/Acl/AclWriteValidator.php line 28

Open in your IDE?
  1. <?php declare(strict_types=1);
  3. namespace Shopware\Core\Framework\Api\Acl;
  5. use Shopware\Core\Framework\Api\Acl\Role\AclRoleDefinition;
  6. use Shopware\Core\Framework\Api\Context\AdminApiSource;
  7. use Shopware\Core\Framework\Context;
  8. use Shopware\Core\Framework\DataAbstractionLayer\EntityTranslationDefinition;
  9. use Shopware\Core\Framework\DataAbstractionLayer\Write\Command\WriteCommand;
  10. use Shopware\Core\Framework\DataAbstractionLayer\Write\Validation\PreWriteValidationEvent;
  11. use Shopware\Core\Framework\Uuid\Uuid;
  12. use Shopware\Core\Framework\Validation\WriteConstraintViolationException;
  13. use Symfony\Component\EventDispatcher\EventSubscriberInterface;
  14. use Symfony\Component\HttpFoundation\Response;
  15. use Symfony\Component\Validator\ConstraintViolation;
  16. use Symfony\Component\Validator\ConstraintViolationInterface;
  17. use Symfony\Component\Validator\ConstraintViolationList;
  19. class AclWriteValidator implements EventSubscriberInterface
  20. {
  21.     public const VIOLATION_NO_PERMISSION 'no_permission_violation';
  23.     public static function getSubscribedEvents()
  24.     {
  25.         return [PreWriteValidationEvent::class => 'preValidate'];
  26.     }
  28.     public function preValidate(PreWriteValidationEvent $event): void
  29.     {
  30.         if ($event->getContext()->getScope() === Context::SYSTEM_SCOPE) {
  31.             return;
  32.         }
  34.         $commands $event->getCommands();
  35.         $source $event->getContext()->getSource();
  36.         if (!$source instanceof AdminApiSource || $source->isAdmin()) {
  37.             return;
  38.         }
  40.         $violationList = new ConstraintViolationList();
  42.         foreach ($commands as $command) {
  43.             $resource $command->getDefinition()->getEntityName();
  44.             $privilege $command->getPrivilege();
  46.             if ($privilege === null) {
  47.                 continue;
  48.             }
  50.             if (is_subclass_of($command->getDefinition(), EntityTranslationDefinition::class)) {
  51.                 $resource $command->getDefinition()->getParentDefinition()->getEntityName();
  53.                 if ($privilege !== AclRoleDefinition::PRIVILEGE_DELETE) {
  54.                     $privilege $this->getPrivilegeForParentWriteOperation($command$commands);
  55.                 }
  56.             }
  58.             if (!$source->isAllowed($resource ':' $privilege)) {
  59.                 $this->violates($privilege$resource$command$violationList);
  60.             }
  61.         }
  63.         $this->tryToThrow($violationList);
  64.     }
  66.     private function tryToThrow(ConstraintViolationList $violations): void
  67.     {
  68.         if ($violations->count() > 0) {
  69.             throw new WriteConstraintViolationException($violations''Response::HTTP_FORBIDDEN);
  70.         }
  71.     }
  73.     private function buildViolation(
  74.         string $messageTemplate,
  75.         array $parameters,
  76.         $root null,
  77.         ?string $propertyPath null,
  78.         $invalidValue null,
  79.         ?string $code null
  80.     ): ConstraintViolationInterface {
  81.         return new ConstraintViolation(
  82.             str_replace(array_keys($parameters), array_values($parameters), $messageTemplate),
  83.             $messageTemplate,
  84.             $parameters,
  85.             $root,
  86.             $propertyPath,
  87.             $invalidValue,
  88.             null,
  89.             $code
  90.         );
  91.     }
  93.     private function violates(
  94.         string $privilege,
  95.         string $resource,
  96.         WriteCommand $command,
  97.         ConstraintViolationList $violationList
  98.     ): void {
  99.         $violationList->add(
  100.             $this->buildViolation(
  101.                 'No permissions to %privilege%".',
  102.                 ['%privilege%' => $resource ':' $privilege],
  103.                 null,
  104.                 '/' $command->getDefinition()->getEntityName(),
  105.                 null,
  106.                 self::VIOLATION_NO_PERMISSION
  107.             )
  108.         );
  109.     }
  111.     /**
  112.      * @param WriteCommand[] $commands
  113.      */
  114.     private function getPrivilegeForParentWriteOperation(WriteCommand $command, array $commands): string
  115.     {
  116.         $pathSuffix '/translations/' Uuid::fromBytesToHex($command->getPrimaryKey()['language_id']);
  117.         $parentCommandPath str_replace($pathSuffix''$command->getPath());
  118.         $parentCommand $this->findCommandByPath($parentCommandPath$commands);
  120.         // writes to translation need privilege from parent command
  121.         // if we update e.g. a product and add translations for a new language
  122.         // the writeCommand on the translation would be an insert
  123.         if ($parentCommand) {
  124.             return $parentCommand->getPrivilege();
  125.         }
  127.         // if we don't have a parentCommand it must be a update,
  128.         // because the parentEntity must already exist
  129.         return AclRoleDefinition::PRIVILEGE_UPDATE;
  130.     }
  132.     /**
  133.      * @param WriteCommand[] $commands
  134.      */
  135.     private function findCommandByPath(string $commandPath, array $commands): ?WriteCommand
  136.     {
  137.         foreach ($commands as $command) {
  138.             if ($command->getPath() === $commandPath) {
  139.                 return $command;
  140.             }
  141.         }
  143.         return null;
  144.     }
  145. }