Cavemanon/piratepoet
8
Fork 0
Code Pull Requests Actions Releases 16 Activity

Validates global permission at the AccessControl level

Browse Source 
Changes error response code on invalid permission
This commit is contained in:
Vlad
2017-08-20 12:27:24 -04:00
parent 1b756ef0b2
commit 78429d8f91
2 changed files with 7 additions and 11 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
lib/Config/AccessControl.php
View File

@@ -93,6 +93,7 @@ class AccessControl {
}
function validatePermission($permission) {
if($permission === self::NO_ACCESS_RESTRICTION) return true;
if(empty($this->permissions[$permission])) return false;
$permitted_roles = array_intersect(
$this->user_roles,

15
lib/Router/Router.php
View File

@@ -14,6 +14,7 @@ class Router {
public $data;
const NAME = 'mailpoet_router';
const RESPONSE_ERROR = 404;
const RESPONE_FORBIDDEN = 403;
function __construct($api_data = false) {
$api_data = ($api_data) ? $api_data : $_GET;
@@ -41,7 +42,7 @@ class Router {
return $this->terminateRequest(self::RESPONSE_ERROR, __('Invalid router endpoint action', 'mailpoet'));
}
if(!$this->validatePermissions($this->endpoint_action, $endpoint->permissions)) {
return $this->terminateRequest(self::RESPONSE_ERROR, __('You do not have the required permissions.', 'mailpoet'));
return $this->terminateRequest(self::RESPONE_FORBIDDEN, __('You do not have the required permissions.', 'mailpoet'));
}
do_action('mailpoet_conflict_resolver_router_url_query_parameters');
return call_user_func(
@@ -82,15 +83,9 @@ class Router {
}
function validatePermissions($endpoint_action, $permissions) {
// if method permission is defined, validate it
if(!empty($permissions['methods'][$endpoint_action])) {
return ($permissions['methods'][$endpoint_action] === AccessControl::NO_ACCESS_RESTRICTION) ?
true :
$this->access_control->validatePermission($permissions['methods'][$endpoint_action]);
}
// use global permission
return ($permissions['global'] === AccessControl::NO_ACCESS_RESTRICTION) ?
true :
// validate action permission if defined, otherwise validate global permission
return(!empty($permissions['actions'][$endpoint_action])) ?
$this->access_control->validatePermission($permissions['actions'][$endpoint_action]) :
$this->access_control->validatePermission($permissions['global']);
}
}