modified check access REST api for admin: now is based on identity (#482)

Co-authored-by: Antonio Cordeddu <coranto@yetopen.com>
This commit is contained in:
Antonio Cordeddu
2022-11-18 14:25:44 +01:00
committed by GitHub
parent ae8d9b1027
commit 582ecc9455


@ -144,11 +144,42 @@ class AdminController extends ActiveController
throw new NotFoundHttpException(Yii::t('usuario', 'The requested page does not exist.')); throw new NotFoundHttpException(Yii::t('usuario', 'The requested page does not exist.'));
} }
// Access for admins only // Access for admins only
if (!Yii::$app->user->can('admin')) { if (!Yii::$app->user->identity->isAdmin) {
throw new ForbiddenHttpException(Yii::t('usuario', 'User does not have sufficient permissions.')); throw new ForbiddenHttpException(Yii::t('usuario', 'User does not have sufficient permissions.'));
} }
} }
/**
* Override beforeAction. If the api is called with parameter username get the id of the user and set it in query params
*/
public function beforeAction($action)
{
if($action == 'create'){
return parent::beforeAction($action);
}
$id = Yii::$app->request->getQueryParam('id');
if(!is_null($id)){
return parent::beforeAction($action);
}
$username = Yii::$app->request->getQueryParam('username');
if(is_null($username)){
return parent::beforeAction($action);
}
$user = $this->userQuery->where(['username' => $username])->one();
if (is_null($user)) { // Check user, so ` $username` parameter
return parent::beforeAction($action);
}
$params = Yii::$app->request->getQueryParams();
$params['id'] = $user->id;
Yii::$app->request->setQueryParams($params);
return parent::beforeAction($action);
}
/** /**
* Create a user. * Create a user.
*/ */
@ -186,10 +217,11 @@ class AdminController extends ActiveController
* Update a user. * Update a user.
* @param int $id ID of the user. * @param int $id ID of the user.
*/ */
public function actionUpdate($id) public function actionUpdate($id = null)
{ {
// Check access // Check access
$this->checkAccess($this->action); $this->checkAccess($this->action);
$id = Yii::$app->request->getQueryParam('id');
// Get user model // Get user model
/** @var User $user */ /** @var User $user */
@ -198,11 +230,9 @@ class AdminController extends ActiveController
$this->throwUser404(); $this->throwUser404();
} }
$user->setScenario($this->updateScenario); $user->setScenario($this->updateScenario);
// Create event object // Create event object
/** @var UserEvent $event */ /** @var UserEvent $event */
$event = $this->make(UserEvent::class, [$user]); $event = $this->make(UserEvent::class, [$user]);
// Save user model + response // Save user model + response
$user->load(Yii::$app->getRequest()->getBodyParams(), ''); $user->load(Yii::$app->getRequest()->getBodyParams(), '');
if ($user->validate()) { if ($user->validate()) {
@ -217,7 +247,7 @@ class AdminController extends ActiveController
} }
return $user; return $user;
} }
/** /**
* Delete a user. * Delete a user.
* @param int $id ID of the user. * @param int $id ID of the user.
@ -238,7 +268,7 @@ class AdminController extends ActiveController
if (is_null($user)) { // Check user, so `$id` parameter if (is_null($user)) { // Check user, so `$id` parameter
$this->throwUser404(); $this->throwUser404();
} }
// Create event object // Create event object
/** @var UserEvent $event */ /** @var UserEvent $event */
$event = $this->make(UserEvent::class, [$user]); $event = $this->make(UserEvent::class, [$user]);
@ -348,10 +378,11 @@ class AdminController extends ActiveController
* Block and unblock the user. * Block and unblock the user.
* @param int $id ID of the user. * @param int $id ID of the user.
*/ */
public function actionBlock($id) public function actionBlock($id = null)
{ {
// Check access // Check access
$this->checkAccess($this->action); $this->checkAccess($this->action);
$id = Yii::$app->request->getQueryParam('id');
// Check ID parameter (whether own account) // Check ID parameter (whether own account)
if ((int)$id === Yii::$app->user->getId()) { if ((int)$id === Yii::$app->user->getId()) {