From 582ecc9455a790d7122e784c8f1c8c95e8f0600e Mon Sep 17 00:00:00 2001 From: Antonio Cordeddu Date: Fri, 18 Nov 2022 14:25:44 +0100 Subject: [PATCH] modified check access REST api for admin: now is based on identity (#482) Co-authored-by: Antonio Cordeddu --- .../Controller/api/v1/AdminController.php | 45 ++++++++++++++++--- 1 file changed, 38 insertions(+), 7 deletions(-) diff --git a/src/User/Controller/api/v1/AdminController.php b/src/User/Controller/api/v1/AdminController.php index 293c798..23cbbb9 100644 --- a/src/User/Controller/api/v1/AdminController.php +++ b/src/User/Controller/api/v1/AdminController.php @@ -144,11 +144,42 @@ class AdminController extends ActiveController throw new NotFoundHttpException(Yii::t('usuario', 'The requested page does not exist.')); } // Access for admins only - if (!Yii::$app->user->can('admin')) { + if (!Yii::$app->user->identity->isAdmin) { throw new ForbiddenHttpException(Yii::t('usuario', 'User does not have sufficient permissions.')); } } + + /** + * Override beforeAction. If the api is called with parameter username get the id of the user and set it in query params + */ + public function beforeAction($action) + { + if($action == 'create'){ + return parent::beforeAction($action); + } + + $id = Yii::$app->request->getQueryParam('id'); + if(!is_null($id)){ + return parent::beforeAction($action); + } + + $username = Yii::$app->request->getQueryParam('username'); + if(is_null($username)){ + return parent::beforeAction($action); + } + + $user = $this->userQuery->where(['username' => $username])->one(); + if (is_null($user)) { // Check user, so ` $username` parameter + return parent::beforeAction($action); + } + + $params = Yii::$app->request->getQueryParams(); + $params['id'] = $user->id; + Yii::$app->request->setQueryParams($params); + + return parent::beforeAction($action); + } /** * Create a user. */ @@ -186,10 +217,11 @@ class AdminController extends ActiveController * Update a user. * @param int $id ID of the user. */ - public function actionUpdate($id) + public function actionUpdate($id = null) { // Check access $this->checkAccess($this->action); + $id = Yii::$app->request->getQueryParam('id'); // Get user model /** @var User $user */ @@ -198,11 +230,9 @@ class AdminController extends ActiveController $this->throwUser404(); } $user->setScenario($this->updateScenario); - // Create event object /** @var UserEvent $event */ $event = $this->make(UserEvent::class, [$user]); - // Save user model + response $user->load(Yii::$app->getRequest()->getBodyParams(), ''); if ($user->validate()) { @@ -217,7 +247,7 @@ class AdminController extends ActiveController } return $user; } - + /** * Delete a user. * @param int $id ID of the user. @@ -238,7 +268,7 @@ class AdminController extends ActiveController if (is_null($user)) { // Check user, so `$id` parameter $this->throwUser404(); } - + // Create event object /** @var UserEvent $event */ $event = $this->make(UserEvent::class, [$user]); @@ -348,10 +378,11 @@ class AdminController extends ActiveController * Block and unblock the user. * @param int $id ID of the user. */ - public function actionBlock($id) + public function actionBlock($id = null) { // Check access $this->checkAccess($this->action); + $id = Yii::$app->request->getQueryParam('id'); // Check ID parameter (whether own account) if ((int)$id === Yii::$app->user->getId()) {