[FEATURE] Respect permissions in default actions

in2code-de · Mar 1, 2024 · 163112e · 163112e
1 parent d8bf863
commit 163112e
Show file tree

Hide file tree

Showing 2 changed files with 25 additions and 33 deletions.
diff --git a/Classes/Controller/NewsletterController.php b/Classes/Controller/NewsletterController.php
@@ -84,6 +84,10 @@ public function resetFilterAction(string $redirectAction): ResponseInterface
 
     public function editAction(Newsletter $newsletter): ResponseInterface
     {
+        if ($newsletter->canBeRead() === false) {
+            throw new AuthenticationFailedException('You are not allowed to see this record', 1709329205);
+        }
+
         $this->view->assignMultiple([
             'newsletter' => $newsletter,
             'configurations' => $this->configurationRepository->findAllAuthorized(),
@@ -104,6 +108,10 @@ public function initializeUpdateAction(): void
 
     public function updateAction(Newsletter $newsletter): ResponseInterface
     {
+        if ($newsletter->canBeRead() === false) {
+            throw new AuthenticationFailedException('You are not allowed to see this record', 1709329247);
+        }
+
         $this->setBodytextInNewsletter($newsletter, $newsletter->getLanguage());
         if (ConfigurationUtility::isMultiLanguageModeActivated()) {
             $newsletter->setSubject(
@@ -140,6 +148,10 @@ public function initializeCreateAction(): void
 
     public function createAction(Newsletter $newsletter): ResponseInterface
     {
+        if ($newsletter->canBeRead() === false) {
+            throw new AuthenticationFailedException('You are not allowed to see this record', 1709329276);
+        }
+
         $languages = $this->pageRepository->getLanguagesFromOrigin($newsletter->getOrigin());
         foreach ($languages as $language) {
             $newsletterLanguage = clone $newsletter;
@@ -170,20 +182,32 @@ public function createAction(Newsletter $newsletter): ResponseInterface
 
     public function disableAction(Newsletter $newsletter): ResponseInterface
     {
+        if ($newsletter->canBeRead() === false) {
+            throw new AuthenticationFailedException('You are not allowed to see this record', 1709329304);
+        }
+
         $newsletter->disable();
         $this->newsletterRepository->update($newsletter);
         return $this->redirect('list');
     }
 
     public function enableAction(Newsletter $newsletter): ResponseInterface
     {
+        if ($newsletter->canBeRead() === false) {
+            throw new AuthenticationFailedException('You are not allowed to see this record', 1709329338);
+        }
+
         $newsletter->enable();
         $this->newsletterRepository->update($newsletter);
         return $this->redirect('list');
     }
 
     public function deleteAction(Newsletter $newsletter): ResponseInterface
     {
+        if ($newsletter->canBeRead() === false) {
+            throw new AuthenticationFailedException('You are not allowed to see this record', 1709329345);
+        }
+
         $this->newsletterRepository->removeNewsletterAndQueues($newsletter);
         $this->addFlashMessage(LocalizationUtility::translate('module.newsletter.delete.message'));
         return $this->redirect('list');
@@ -229,19 +253,6 @@ public function wizardUserPreviewAjax(ServerRequestInterface $request): Response
         return $response;
     }
 
-    /**
-     * @param ServerRequestInterface $request
-     * @return ResponseInterface
-     * @throws AuthenticationFailedException
-     * @throws ExceptionDbalDriver
-     * @throws ApiConnectionException
-     * @throws InvalidUrlException
-     * @throws MisconfigurationException
-     * @throws JsonException
-     * @throws ExtensionConfigurationExtensionNotConfiguredException
-     * @throws ExtensionConfigurationPathDoesNotExistException
-     * @throws InvalidConfigurationTypeException
-     */
     public function testMailAjax(ServerRequestInterface $request): ResponseInterface
     {
         if (BackendUserUtility::isBackendUserAuthenticated() === false) {
@@ -277,16 +288,6 @@ public function testMailAjax(ServerRequestInterface $request): ResponseInterface
         return $response;
     }
 
-    /**
-     * @param ServerRequestInterface $request
-     * @return ResponseInterface
-     * @throws AuthenticationFailedException
-     * @throws ExceptionDbalDriver
-     * @throws ExtensionConfigurationExtensionNotConfiguredException
-     * @throws ExtensionConfigurationPathDoesNotExistException
-     * @throws InvalidConfigurationTypeException
-     * @throws MisconfigurationException
-     */
     public function previewSourcesAjax(ServerRequestInterface $request): ResponseInterface
     {
         if (BackendUserUtility::isBackendUserAuthenticated() === false) {
@@ -299,10 +300,6 @@ public function previewSourcesAjax(ServerRequestInterface $request): ResponseInt
         return $response;
     }
 
-    /**
-     * @param ServerRequestInterface $request
-     * @return ResponseInterface
-     */
     public function receiverDetailAjax(ServerRequestInterface $request): ResponseInterface
     {
         $userRepository = GeneralUtility::makeInstance(UserRepository::class);
@@ -323,11 +320,6 @@ public function receiverDetailAjax(ServerRequestInterface $request): ResponseInt
         return $response;
     }
 
-    /**
-     * @return void
-     * @throws ExtensionConfigurationExtensionNotConfiguredException
-     * @throws ExtensionConfigurationPathDoesNotExistException
-     */
     protected function addDocumentHeaderForNewsletterController(): void
     {
         $menuConfiguration = [

diff --git a/Classes/Domain/Model/Newsletter.php b/Classes/Domain/Model/Newsletter.php
@@ -403,7 +403,7 @@ public function getUnsubscribeRate(): float
      *
      * @return bool
      */
-    private function canBeRead(): bool
+    public function canBeRead(): bool
     {
         if (BackendUserUtility::isAdministrator()) {
             return true;