modified check access REST api for admin: now is based on identity (#482)
Co-authored-by: Antonio Cordeddu <coranto@yetopen.com>
This commit is contained in:
Antonio Cordeddu
GitHub
@ -144,11 +144,42 @@ class AdminController extends ActiveController
|
||||
throw new NotFoundHttpException(Yii::t('usuario', 'The requested page does not exist.'));
|
||||
}
|
||||
// Access for admins only
|
||||
if (!Yii::$app->user->can('admin')) {
|
||||
if (!Yii::$app->user->identity->isAdmin) {
|
||||
throw new ForbiddenHttpException(Yii::t('usuario', 'User does not have sufficient permissions.'));
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
/**
|
||||
* Override beforeAction. If the api is called with parameter username get the id of the user and set it in query params
|
||||
*/
|
||||
public function beforeAction($action)
|
||||
{
|
||||
if($action == 'create'){
|
||||
return parent::beforeAction($action);
|
||||
}
|
||||
|
||||
$id = Yii::$app->request->getQueryParam('id');
|
||||
if(!is_null($id)){
|
||||
return parent::beforeAction($action);
|
||||
}
|
||||
|
||||
$username = Yii::$app->request->getQueryParam('username');
|
||||
if(is_null($username)){
|
||||
return parent::beforeAction($action);
|
||||
}
|
||||
|
||||
$user = $this->userQuery->where(['username' => $username])->one();
|
||||
if (is_null($user)) { // Check user, so ` $username` parameter
|
||||
return parent::beforeAction($action);
|
||||
}
|
||||
|
||||
$params = Yii::$app->request->getQueryParams();
|
||||
$params['id'] = $user->id;
|
||||
Yii::$app->request->setQueryParams($params);
|
||||
|
||||
return parent::beforeAction($action);
|
||||
}
|
||||
/**
|
||||
* Create a user.
|
||||
*/
|
||||
@ -186,10 +217,11 @@ class AdminController extends ActiveController
|
||||
* Update a user.
|
||||
* @param int $id ID of the user.
|
||||
*/
|
||||
public function actionUpdate($id)
|
||||
public function actionUpdate($id = null)
|
||||
{
|
||||
// Check access
|
||||
$this->checkAccess($this->action);
|
||||
$id = Yii::$app->request->getQueryParam('id');
|
||||
|
||||
// Get user model
|
||||
/** @var User $user */
|
||||
@ -198,11 +230,9 @@ class AdminController extends ActiveController
|
||||
$this->throwUser404();
|
||||
}
|
||||
$user->setScenario($this->updateScenario);
|
||||
|
||||
// Create event object
|
||||
/** @var UserEvent $event */
|
||||
$event = $this->make(UserEvent::class, [$user]);
|
||||
|
||||
// Save user model + response
|
||||
$user->load(Yii::$app->getRequest()->getBodyParams(), '');
|
||||
if ($user->validate()) {
|
||||
@ -348,10 +378,11 @@ class AdminController extends ActiveController
|
||||
* Block and unblock the user.
|
||||
* @param int $id ID of the user.
|
||||
*/
|
||||
public function actionBlock($id)
|
||||
public function actionBlock($id = null)
|
||||
{
|
||||
// Check access
|
||||
$this->checkAccess($this->action);
|
||||
$id = Yii::$app->request->getQueryParam('id');
|
||||
|
||||
// Check ID parameter (whether own account)
|
||||
if ((int)$id === Yii::$app->user->getId()) {
|
||||
|
||||
Reference in New Issue
Block a user