modified check access REST api for admin: now is based on identity (#482)
Co-authored-by: Antonio Cordeddu <coranto@yetopen.com>
This commit is contained in:
		| @ -144,11 +144,42 @@ class AdminController extends ActiveController | |||||||
|             throw new NotFoundHttpException(Yii::t('usuario', 'The requested page does not exist.')); |             throw new NotFoundHttpException(Yii::t('usuario', 'The requested page does not exist.')); | ||||||
|         } |         } | ||||||
|         // Access for admins only |         // Access for admins only | ||||||
|         if (!Yii::$app->user->can('admin')) { |         if (!Yii::$app->user->identity->isAdmin) { | ||||||
|             throw new ForbiddenHttpException(Yii::t('usuario', 'User does not have sufficient permissions.')); |             throw new ForbiddenHttpException(Yii::t('usuario', 'User does not have sufficient permissions.')); | ||||||
|         } |         } | ||||||
|     } |     } | ||||||
|  |  | ||||||
|  |  | ||||||
|  |     /** | ||||||
|  |      * Override beforeAction. If the api is called with parameter username get the id of the user and set it in query params | ||||||
|  |      */ | ||||||
|  |     public function beforeAction($action) | ||||||
|  |     { | ||||||
|  |         if($action == 'create'){ | ||||||
|  |             return parent::beforeAction($action); | ||||||
|  |         } | ||||||
|  |  | ||||||
|  |         $id = Yii::$app->request->getQueryParam('id'); | ||||||
|  |         if(!is_null($id)){ | ||||||
|  |             return parent::beforeAction($action); | ||||||
|  |         } | ||||||
|  |          | ||||||
|  |         $username = Yii::$app->request->getQueryParam('username'); | ||||||
|  |         if(is_null($username)){ | ||||||
|  |             return parent::beforeAction($action); | ||||||
|  |         } | ||||||
|  |  | ||||||
|  |         $user = $this->userQuery->where(['username' => $username])->one(); | ||||||
|  |         if (is_null($user)) { // Check user, so ` $username` parameter | ||||||
|  |             return parent::beforeAction($action); | ||||||
|  |         }    | ||||||
|  |        | ||||||
|  |         $params = Yii::$app->request->getQueryParams(); | ||||||
|  |         $params['id'] = $user->id; | ||||||
|  |         Yii::$app->request->setQueryParams($params); | ||||||
|  |  | ||||||
|  |         return parent::beforeAction($action); | ||||||
|  |     } | ||||||
|     /** |     /** | ||||||
|      * Create a user. |      * Create a user. | ||||||
|      */ |      */ | ||||||
| @ -186,10 +217,11 @@ class AdminController extends ActiveController | |||||||
|      * Update a user. |      * Update a user. | ||||||
|      * @param int $id ID of the user. |      * @param int $id ID of the user. | ||||||
|      */ |      */ | ||||||
|     public function actionUpdate($id) |     public function actionUpdate($id = null) | ||||||
|     { |     { | ||||||
|         // Check access |         // Check access | ||||||
|         $this->checkAccess($this->action); |         $this->checkAccess($this->action); | ||||||
|  |         $id = Yii::$app->request->getQueryParam('id'); | ||||||
|  |  | ||||||
|         // Get user model |         // Get user model | ||||||
|         /** @var User $user */ |         /** @var User $user */ | ||||||
| @ -198,11 +230,9 @@ class AdminController extends ActiveController | |||||||
|             $this->throwUser404(); |             $this->throwUser404(); | ||||||
|         } |         } | ||||||
|         $user->setScenario($this->updateScenario); |         $user->setScenario($this->updateScenario); | ||||||
|  |  | ||||||
|         // Create event object |         // Create event object | ||||||
|         /** @var UserEvent $event */ |         /** @var UserEvent $event */ | ||||||
|         $event = $this->make(UserEvent::class, [$user]); |         $event = $this->make(UserEvent::class, [$user]); | ||||||
|  |  | ||||||
|         // Save user model + response |         // Save user model + response | ||||||
|         $user->load(Yii::$app->getRequest()->getBodyParams(), ''); |         $user->load(Yii::$app->getRequest()->getBodyParams(), ''); | ||||||
|         if ($user->validate()) { |         if ($user->validate()) { | ||||||
| @ -348,10 +378,11 @@ class AdminController extends ActiveController | |||||||
|      * Block and unblock the user. |      * Block and unblock the user. | ||||||
|      * @param int $id ID of the user. |      * @param int $id ID of the user. | ||||||
|      */ |      */ | ||||||
|     public function actionBlock($id) |     public function actionBlock($id = null) | ||||||
|     { |     { | ||||||
|         // Check access |         // Check access | ||||||
|         $this->checkAccess($this->action); |         $this->checkAccess($this->action); | ||||||
|  |         $id = Yii::$app->request->getQueryParam('id'); | ||||||
|  |  | ||||||
|         // Check ID parameter (whether own account) |         // Check ID parameter (whether own account) | ||||||
|         if ((int)$id === Yii::$app->user->getId()) { |         if ((int)$id === Yii::$app->user->getId()) { | ||||||
|  | |||||||
		Reference in New Issue
	
	Block a user