Add permission checks where missing, refs #7356

artefactual · Jan 28, 2015 · d0a3711 · d0a3711
1 parent 6247f18
commit d0a3711
Show file tree

Hide file tree

Showing 19 changed files with 137 additions and 3 deletions.
diff --git a/apps/qubit/modules/actor/actions/deleteAction.class.php b/apps/qubit/modules/actor/actions/deleteAction.class.php
@@ -31,6 +31,12 @@ public function execute($request)
       $this->forward404();
     }
 
+    // Check user authorization
+    if (!QubitAcl::check($this->resource, 'delete'))
+    {
+      QubitAcl::forwardUnauthorized();
+    }
+
     if ($request->isMethod('delete'))
     {
       foreach ($this->resource->events as $item)

diff --git a/apps/qubit/modules/contactinformation/actions/indexAction.class.php b/apps/qubit/modules/contactinformation/actions/indexAction.class.php
@@ -21,6 +21,12 @@ class ContactInformationIndexAction extends sfAction
 {
   public function execute($request)
   {
+    // Check user authorization
+    if (!$this->getUser()->isAuthenticated())
+    {
+      QubitAcl::forwardUnauthorized();
+    }
+
     $this->resource = QubitContactInformation::getById($request->id);
 
     if (!isset($this->resource))

diff --git a/apps/qubit/modules/default/actions/editAction.class.php b/apps/qubit/modules/default/actions/editAction.class.php
@@ -187,6 +187,12 @@ protected function processForm()
 
   public function execute($request)
   {
+    // Force subclassing
+    if ('default' == $this->context->getModuleName() && 'edit' == $this->context->getActionName())
+    {
+      $this->forward404();
+    }
+
     $this->form = new sfForm;
 
     $this->earlyExecute();

diff --git a/apps/qubit/modules/event/actions/indexAction.class.php b/apps/qubit/modules/event/actions/indexAction.class.php
@@ -21,6 +21,11 @@ class EventIndexAction extends sfAction
 {
   public function execute($request)
   {
+    if (!$this->getUser()->isAuthenticated())
+    {
+      QubitAcl::forwardUnauthorized();
+    }
+
     $this->resource = $this->getRoute()->resource;
 
     $value = array();

diff --git a/apps/qubit/modules/function/actions/editAction.class.php b/apps/qubit/modules/function/actions/editAction.class.php
@@ -35,11 +35,25 @@ protected function earlyExecute()
     {
       $this->resource = $this->getRoute()->resource;
 
+      // Check user authorization
+      if (!QubitAcl::check($this->resource, 'update') && !QubitAcl::check($this->resource, 'translate'))
+      {
+        QubitAcl::forwardUnauthorized();
+      }
+
       // Add optimistic lock
       $this->form->setDefault('serialNumber', $this->resource->serialNumber);
       $this->form->setValidator('serialNumber', new sfValidatorInteger);
       $this->form->setWidget('serialNumber', new sfWidgetFormInputHidden);
     }
+    else
+    {
+      // Check authorization
+      if (!QubitAcl::check($this->parent, 'create'))
+      {
+        QubitAcl::forwardUnauthorized();
+      }
+    }
   }
 
   public function execute($request)

diff --git a/apps/qubit/modules/informationobject/actions/editAction.class.php b/apps/qubit/modules/informationobject/actions/editAction.class.php
@@ -527,6 +527,12 @@ protected function processForm()
 
   public function execute($request)
   {
+    // Force subclassing
+    if ('informationobject' == $this->context->getModuleName() && 'edit' == $this->context->getActionName())
+    {
+      $this->forward404();
+    }
+
     parent::execute($request);
 
     if ($request->hasParameter('csvimport'))

diff --git a/apps/qubit/modules/informationobject/actions/physicalObjectsAction.class.php b/apps/qubit/modules/informationobject/actions/physicalObjectsAction.class.php
@@ -34,6 +34,12 @@ public function execute($request)
       $this->forward404();
     }
 
+    // Check user authorization
+    if (!QubitAcl::check($this->resource, 'update'))
+    {
+      QubitAcl::forwardUnauthorized();
+    }
+
     $criteria = new Criteria;
     $criteria->add(QubitRelation::OBJECT_ID, $this->resource->id);
     $criteria->add(QubitRelation::TYPE_ID, QubitTerm::HAS_PHYSICAL_OBJECT_ID);

diff --git a/apps/qubit/modules/menu/config/security.yml b/apps/qubit/modules/menu/config/security.yml
@@ -1,3 +1,11 @@
-list:
+delete:
+  credentials: administrator
+  is_secure: true
+
+edit:
   credentials: administrator
   is_secure: true
+
+list:
+  credentials: administrator
+  is_secure: true
diff --git a/apps/qubit/modules/physicalobject/config/security.yml b/apps/qubit/modules/physicalobject/config/security.yml
@@ -5,3 +5,6 @@ delete:
 edit:
   credentials: [[ contributor, editor, administrator, translator ]]
   is_secure: true
+
+all:
+  is_secure: true
diff --git a/apps/qubit/modules/relation/actions/indexAction.class.php b/apps/qubit/modules/relation/actions/indexAction.class.php
@@ -28,6 +28,12 @@ class RelationIndexAction extends sfAction
 {
   public function execute($request)
   {
+    // Check user authorization
+    if (!$this->getUser()->isAuthenticated())
+    {
+      QubitAcl::forwardUnauthorized();
+    }
+
     $this->resource = $this->getRoute()->resource;
 
     $value = array();

diff --git a/apps/qubit/modules/repository/actions/deleteAction.class.php b/apps/qubit/modules/repository/actions/deleteAction.class.php
@@ -25,6 +25,18 @@ public function execute($request)
 
     $this->resource = $this->getRoute()->resource;
 
+    // Check that this isn't the root
+    if (!isset($this->resource->parent))
+    {
+      $this->forward404();
+    }
+
+    // Check user authorization
+    if (!QubitAcl::check($this->resource, 'delete'))
+    {
+      QubitAcl::forwardUnauthorized();
+    }
+
     if ($request->isMethod('delete'))
     {
       foreach ($this->resource->informationObjects as $item)

diff --git a/apps/qubit/modules/rightsholder/actions/autocompleteAction.class.php b/apps/qubit/modules/rightsholder/actions/autocompleteAction.class.php
@@ -21,6 +21,12 @@ class RightsHolderAutocompleteAction extends sfAction
 {
   public function execute($request)
   {
+    // Check user authorization
+    if (!$this->getUser()->isAuthenticated())
+    {
+      QubitAcl::forwardUnauthorized();
+    }
+
     if (!isset($request->limit))
     {
       $request->limit = sfConfig::get('app_hits_per_page');

diff --git a/apps/qubit/modules/rightsholder/actions/browseAction.class.php b/apps/qubit/modules/rightsholder/actions/browseAction.class.php
@@ -21,7 +21,8 @@ class RightsHolderBrowseAction extends sfAction
 {
   public function execute($request)
   {
-    if (!$this->context->user->hasCredential(array('contributor', 'editor', 'administrator'), false))
+    // Check user authorization
+    if (!$this->getUser()->isAuthenticated())
     {
       QubitAcl::forwardUnauthorized();
     }

diff --git a/apps/qubit/modules/rightsholder/actions/deleteAction.class.php b/apps/qubit/modules/rightsholder/actions/deleteAction.class.php
@@ -21,6 +21,12 @@ class RightsHolderDeleteAction extends sfAction
 {
   public function execute($request)
   {
+    // Check user authorization
+    if (!$this->getUser()->isAuthenticated())
+    {
+      QubitAcl::forwardUnauthorized();
+    }
+
     $this->form = new sfForm;
 
     $this->resource = $this->getRoute()->resource;

diff --git a/apps/qubit/modules/rightsholder/actions/listAction.class.php b/apps/qubit/modules/rightsholder/actions/listAction.class.php
@@ -21,7 +21,8 @@ class RightsHolderListAction extends sfAction
 {
   public function execute($request)
   {
-    if (!$this->context->user->hasCredential(array('contributor', 'editor', 'administrator'), false))
+    // Check user authorization
+    if (!$this->getUser()->isAuthenticated())
     {
       QubitAcl::forwardUnauthorized();
     }

diff --git a/apps/qubit/modules/term/actions/editAction.class.php b/apps/qubit/modules/term/actions/editAction.class.php
@@ -79,6 +79,14 @@ protected function earlyExecute()
 
       $title = $this->context->i18n->__('Edit %1%', array('%1%' => $title));
     }
+    else
+    {
+      // Check authorization
+      if (!QubitAcl::check($this->resource, 'create'))
+      {
+        QubitAcl::forwardUnauthorized();
+      }
+    }
 
     $this->response->setTitle("$title - {$this->response->getTitle()}");
   }

diff --git a/apps/qubit/modules/user/config/security.yml b/apps/qubit/modules/user/config/security.yml
@@ -25,3 +25,25 @@ passwordEdit:
 update:
   credentials: administrator
   is_secure: true
+
+indexTermAcl:
+  is_secure: true
+
+indexRepositoryAcl:
+  is_secure: true
+
+editActorAcl:
+  credentials: administrator
+  is_secure: true
+
+editInformationObjectAcl:
+  credentials: administrator
+  is_secure: true
+
+editRepositoryAcl:
+  credentials: administrator
+  is_secure: true
+
+editTermAcl:
+  credentials: administrator
+  is_secure: true
diff --git a/plugins/qtAccessionPlugin/modules/donor/actions/autocompleteAction.class.php b/plugins/qtAccessionPlugin/modules/donor/actions/autocompleteAction.class.php
@@ -21,6 +21,12 @@ class DonorAutocompleteAction extends sfAction
 {
   public function execute($request)
   {
+    // Check user authorization
+    if (!$this->getUser()->isAuthenticated())
+    {
+      QubitAcl::forwardUnauthorized();
+    }
+
     if (!isset($request->limit))
     {
       $request->limit = sfConfig::get('app_hits_per_page');

diff --git a/plugins/qtAccessionPlugin/modules/donor/actions/deleteAction.class.php b/plugins/qtAccessionPlugin/modules/donor/actions/deleteAction.class.php
@@ -25,6 +25,12 @@ public function execute($request)
 
     $this->resource = $this->getRoute()->resource;
 
+    // Check user authorization
+    if (!QubitAcl::check($this->resource, 'delete'))
+    {
+      QubitAcl::forwardUnauthorized();
+    }
+
     if ($request->isMethod('delete'))
     {
       foreach (QubitRelation::getBySubjectOrObjectId($this->resource->id) as $item)