Added application and project roles validation for API procedure calls

2016-06-26 10:25:13 -04:00
parent 922e0fb6de
commit 4a230d331e
79 changed files with 1772 additions and 761 deletions
--- a/app/Api/Authorization/ActionAuthorization.php
+++ b/app/Api/Authorization/ActionAuthorization.php
@@ -0,0 +1,19 @@
+<?php
+
+namespace Kanboard\Api\Authorization;
+
+/**
+ * Class ActionAuthorization
+ *
+ * @package Kanboard\Api\Authorization
+ * @author  Frederic Guillot
+ */
+class ActionAuthorization extends ProjectAuthorization
+{
+    public function check($class, $method, $action_id)
+    {
+        if ($this->userSession->isLogged()) {
+            $this->checkProjectPermission($class, $method, $this->actionModel->getProjectId($action_id));
+        }
+    }
+}
--- a/app/Api/Authorization/CategoryAuthorization.php
+++ b/app/Api/Authorization/CategoryAuthorization.php
@@ -0,0 +1,19 @@
+<?php
+
+namespace Kanboard\Api\Authorization;
+
+/**
+ * Class CategoryAuthorization
+ *
+ * @package Kanboard\Api\Authorization
+ * @author  Frederic Guillot
+ */
+class CategoryAuthorization extends ProjectAuthorization
+{
+    public function check($class, $method, $category_id)
+    {
+        if ($this->userSession->isLogged()) {
+            $this->checkProjectPermission($class, $method, $this->categoryModel->getProjectId($category_id));
+        }
+    }
+}
--- a/app/Api/Authorization/ColumnAuthorization.php
+++ b/app/Api/Authorization/ColumnAuthorization.php
@@ -0,0 +1,19 @@
+<?php
+
+namespace Kanboard\Api\Authorization;
+
+/**
+ * Class ColumnAuthorization
+ *
+ * @package Kanboard\Api\Authorization
+ * @author  Frederic Guillot
+ */
+class ColumnAuthorization extends ProjectAuthorization
+{
+    public function check($class, $method, $column_id)
+    {
+        if ($this->userSession->isLogged()) {
+            $this->checkProjectPermission($class, $method, $this->columnModel->getProjectId($column_id));
+        }
+    }
+}
--- a/app/Api/Authorization/CommentAuthorization.php
+++ b/app/Api/Authorization/CommentAuthorization.php
@@ -0,0 +1,19 @@
+<?php
+
+namespace Kanboard\Api\Authorization;
+
+/**
+ * Class CommentAuthorization
+ *
+ * @package Kanboard\Api\Authorization
+ * @author  Frederic Guillot
+ */
+class CommentAuthorization extends ProjectAuthorization
+{
+    public function check($class, $method, $comment_id)
+    {
+        if ($this->userSession->isLogged()) {
+            $this->checkProjectPermission($class, $method, $this->commentModel->getProjectId($comment_id));
+        }
+    }
+}
--- a/app/Api/Authorization/ProcedureAuthorization.php
+++ b/app/Api/Authorization/ProcedureAuthorization.php
@@ -0,0 +1,32 @@
+<?php
+
+namespace Kanboard\Api\Authorization;
+
+use JsonRPC\Exception\AccessDeniedException;
+use Kanboard\Core\Base;
+
+/**
+ * Class ProcedureAuthorization
+ *
+ * @package Kanboard\Api\Authorization
+ * @author  Frederic Guillot
+ */
+class ProcedureAuthorization extends Base
+{
+    private $userSpecificProcedures = array(
+        'getMe',
+        'getMyDashboard',
+        'getMyActivityStream',
+        'createMyPrivateProject',
+        'getMyProjectsList',
+        'getMyProjects',
+        'getMyOverdueTasks',
+    );
+
+    public function check($procedure)
+    {
+        if (! $this->userSession->isLogged() && in_array($procedure, $this->userSpecificProcedures)) {
+            throw new AccessDeniedException('This procedure is not available with the API credentials');
+        }
+    }
+}
--- a/app/Api/Authorization/ProjectAuthorization.php
+++ b/app/Api/Authorization/ProjectAuthorization.php
@@ -0,0 +1,35 @@
+<?php
+
+namespace Kanboard\Api\Authorization;
+
+use JsonRPC\Exception\AccessDeniedException;
+use Kanboard\Core\Base;
+
+/**
+ * Class ProjectAuthorization
+ *
+ * @package Kanboard\Api\Authorization
+ * @author  Frederic Guillot
+ */
+class ProjectAuthorization extends Base
+{
+    public function check($class, $method, $project_id)
+    {
+        if ($this->userSession->isLogged()) {
+            $this->checkProjectPermission($class, $method, $project_id);
+        }
+    }
+    
+    protected function checkProjectPermission($class, $method, $project_id)
+    {
+        if (empty($project_id)) {
+            throw new AccessDeniedException('Project not found');
+        }
+        
+        $role = $this->projectUserRoleModel->getUserRole($project_id, $this->userSession->getId());
+
+        if (! $this->apiProjectAuthorization->isAllowed($class, $method, $role)) {
+            throw new AccessDeniedException('Project access denied');
+        }
+    }
+}
--- a/app/Api/Authorization/SubtaskAuthorization.php
+++ b/app/Api/Authorization/SubtaskAuthorization.php
@@ -0,0 +1,19 @@
+<?php
+
+namespace Kanboard\Api\Authorization;
+
+/**
+ * Class SubtaskAuthorization
+ *
+ * @package Kanboard\Api\Authorization
+ * @author  Frederic Guillot
+ */
+class SubtaskAuthorization extends ProjectAuthorization
+{
+    public function check($class, $method, $subtask_id)
+    {
+        if ($this->userSession->isLogged()) {
+            $this->checkProjectPermission($class, $method, $this->subtaskModel->getProjectId($subtask_id));
+        }
+    }
+}
--- a/app/Api/Authorization/TaskAuthorization.php
+++ b/app/Api/Authorization/TaskAuthorization.php
@@ -0,0 +1,19 @@
+<?php
+
+namespace Kanboard\Api\Authorization;
+
+/**
+ * Class TaskAuthorization
+ *
+ * @package Kanboard\Api\Authorization
+ * @author  Frederic Guillot
+ */
+class TaskAuthorization extends ProjectAuthorization
+{
+    public function check($class, $method, $category_id)
+    {
+        if ($this->userSession->isLogged()) {
+            $this->checkProjectPermission($class, $method, $this->taskFinderModel->getProjectId($category_id));
+        }
+    }
+}
--- a/app/Api/Authorization/TaskFileAuthorization.php
+++ b/app/Api/Authorization/TaskFileAuthorization.php
@@ -0,0 +1,19 @@
+<?php
+
+namespace Kanboard\Api\Authorization;
+
+/**
+ * Class TaskFileAuthorization
+ *
+ * @package Kanboard\Api\Authorization
+ * @author  Frederic Guillot
+ */
+class TaskFileAuthorization extends ProjectAuthorization
+{
+    public function check($class, $method, $file_id)
+    {
+        if ($this->userSession->isLogged()) {
+            $this->checkProjectPermission($class, $method, $this->taskFileModel->getProjectId($file_id));
+        }
+    }
+}
--- a/app/Api/Authorization/TaskLinkAuthorization.php
+++ b/app/Api/Authorization/TaskLinkAuthorization.php
@@ -0,0 +1,19 @@
+<?php
+
+namespace Kanboard\Api\Authorization;
+
+/**
+ * Class TaskLinkAuthorization
+ *
+ * @package Kanboard\Api\Authorization
+ * @author  Frederic Guillot
+ */
+class TaskLinkAuthorization extends ProjectAuthorization
+{
+    public function check($class, $method, $task_link_id)
+    {
+        if ($this->userSession->isLogged()) {
+            $this->checkProjectPermission($class, $method, $this->taskLinkModel->getProjectId($task_link_id));
+        }
+    }
+}
--- a/app/Api/Authorization/UserAuthorization.php
+++ b/app/Api/Authorization/UserAuthorization.php
@@ -0,0 +1,22 @@
+<?php
+
+namespace Kanboard\Api\Authorization;
+
+use JsonRPC\Exception\AccessDeniedException;
+use Kanboard\Core\Base;
+
+/**
+ * Class UserAuthorization
+ *
+ * @package Kanboard\Api\Authorization
+ * @author  Frederic Guillot
+ */
+class UserAuthorization extends Base
+{
+    public function check($class, $method)
+    {
+        if ($this->userSession->isLogged() && ! $this->apiAuthorization->isAllowed($class, $method, $this->userSession->getRole())) {
+            throw new AccessDeniedException('You are not allowed to access to this resource');
+        }
+    }
+}