Enforce permissions in campaigns section
This commit is contained in:
parent
312bab8a6f
commit
a615dae3ac
@ -335,14 +335,22 @@ JSON;
|
||||
|
||||
if ($request->getHeader('Accept') == 'text/json') {
|
||||
$response->addHeader('Content-Type', 'application/json');
|
||||
if ($request->param('Name')) {
|
||||
$changeSet = ChangeSet::get()->byId($request->param('ID'));
|
||||
$response->setBody(Convert::raw2json($this->getChangeSetResource($changeSet)));
|
||||
} else {
|
||||
$response->setBody('{"message":"Resource not found"}');
|
||||
if (!$request->param('Name')) {
|
||||
return (new SS_HTTPResponse(null, 400));
|
||||
}
|
||||
|
||||
return $response;
|
||||
$changeSet = ChangeSet::get()->byId($request->param('ID'));
|
||||
if(!$changeSet) {
|
||||
return (new SS_HTTPResponse(null, 404));
|
||||
}
|
||||
|
||||
if(!$changeSet->canView()) {
|
||||
return (new SS_HTTPResponse(null, 403));
|
||||
}
|
||||
|
||||
$body = Convert::raw2json($this->getChangeSetResource($changeSet));
|
||||
return (new SS_HTTPResponse($body, 200))
|
||||
->addHeader('Content-Type', 'application/json');
|
||||
} else {
|
||||
return $this->index($request);
|
||||
}
|
||||
@ -358,24 +366,21 @@ JSON;
|
||||
public function deleteCampaign(SS_HTTPRequest $request) {
|
||||
$id = $request->param('ID');
|
||||
if (!$id || !is_numeric($id)) {
|
||||
return (new SS_HTTPResponse(json_encode(['status' => 'error']), 400))
|
||||
->addHeader('Content-Type', 'application/json');
|
||||
return (new SS_HTTPResponse(null, 400));
|
||||
}
|
||||
|
||||
$record = ChangeSet::get()->byID($id);
|
||||
if(!$record) {
|
||||
return (new SS_HTTPResponse(json_encode(['status' => 'error']), 404))
|
||||
->addHeader('Content-Type', 'application/json');
|
||||
return (new SS_HTTPResponse(null, 404));
|
||||
}
|
||||
|
||||
if(!$record->canDelete()) {
|
||||
return (new SS_HTTPResponse(json_encode(['status' => 'error']), 401))
|
||||
->addHeader('Content-Type', 'application/json');
|
||||
return (new SS_HTTPResponse(null, 403));
|
||||
}
|
||||
|
||||
$record->delete();
|
||||
|
||||
return (new SS_HTTPResponse('', 204));
|
||||
return (new SS_HTTPResponse(null, 204));
|
||||
}
|
||||
|
||||
/**
|
||||
@ -388,25 +393,21 @@ JSON;
|
||||
public function publishCampaign(SS_HTTPRequest $request) {
|
||||
// Protect against CSRF on destructive action
|
||||
if(!SecurityToken::inst()->checkRequest($request)) {
|
||||
return (new SS_HTTPResponse(json_encode(['status' => 'error']), 400))
|
||||
->addHeader('Content-Type', 'application/json');
|
||||
return (new SS_HTTPResponse(null, 400));
|
||||
}
|
||||
|
||||
$id = $request->param('ID');
|
||||
if(!$id || !is_numeric($id)) {
|
||||
return (new SS_HTTPResponse(json_encode(['status' => 'error']), 400))
|
||||
->addHeader('Content-Type', 'application/json');
|
||||
return (new SS_HTTPResponse(null, 400));
|
||||
}
|
||||
|
||||
$record = ChangeSet::get()->byID($id);
|
||||
if(!$record) {
|
||||
return (new SS_HTTPResponse(json_encode(['status' => 'error']), 404))
|
||||
->addHeader('Content-Type', 'application/json');
|
||||
return (new SS_HTTPResponse(null, 404));
|
||||
}
|
||||
|
||||
if(!$record->canPublish()) {
|
||||
return (new SS_HTTPResponse(json_encode(['status' => 'error']), 401))
|
||||
->addHeader('Content-Type', 'application/json');
|
||||
return (new SS_HTTPResponse(null, 403));
|
||||
}
|
||||
|
||||
try {
|
||||
@ -445,10 +446,15 @@ JSON;
|
||||
$record = null;
|
||||
if($id) {
|
||||
$record = ChangeSet::get()->byId($id);
|
||||
if(!$record || !$record->canView()) {
|
||||
return null;
|
||||
}
|
||||
}
|
||||
|
||||
if(!$record) {
|
||||
$record = ChangeSet::singleton();
|
||||
}
|
||||
|
||||
$fields = $record->getCMSFields();
|
||||
|
||||
// Add standard fields
|
||||
@ -467,6 +473,7 @@ JSON;
|
||||
$form->setValidationResponseCallback(function() use ($form) {
|
||||
return $this->getSchemaResponse($form);
|
||||
});
|
||||
|
||||
return $form;
|
||||
}
|
||||
|
||||
|
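Review bot: deleteCampaign, visible in full in the second hunk, has no CSRF token check, while publishCampaign in the next hunk guards the same kind of destructive action with `if(!SecurityToken::inst()->checkRequest($request))` before doing anything else. The new canDelete() check stops an unauthorised member, but an authorised member's session can still be used by a cross-site request unless the verb is restricted or the token is verified somewhere outside this hunk, which I cannot see from here. I would add the same guard at the top of deleteCampaign, `if(!SecurityToken::inst()->checkRequest($request)) { return (new SS_HTTPResponse(null, 400)); }`, with the comment `// Protect against CSRF on destructive action` used in publishCampaign. While there, the first hunk looks up `$request->param('ID')` without the `is_numeric` guard the other two methods apply.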
@ -104,7 +104,7 @@ class LeftAndMain extends Controller implements PermissionProvider {
|
||||
'BatchActionsForm',
|
||||
'schema',
|
||||
];
|
||||
|
||||
|
||||
private static $url_handlers = [
|
||||
'GET schema/$FormName/$RecordType/$ItemID' => 'schema'
|
||||
];
|
||||
@ -235,30 +235,28 @@ class LeftAndMain extends Controller implements PermissionProvider {
|
||||
$itemID = $request->param('ItemID');
|
||||
|
||||
if (!$formName || !$recordType) {
|
||||
throw new SS_HTTPResponse_Exception(
|
||||
'Missing request params',
|
||||
400
|
||||
);
|
||||
return (new SS_HTTPResponse('Missing request params', 400));
|
||||
}
|
||||
|
||||
if(!$this->hasMethod("get{$formName}")) {
|
||||
throw new SS_HTTPResponse_Exception(
|
||||
'Form not found',
|
||||
400
|
||||
);
|
||||
return (new SS_HTTPResponse('Form not found', 404));
|
||||
}
|
||||
|
||||
if(!$this->hasAction($formName)) {
|
||||
throw new SS_HTTPResponse_Exception(
|
||||
'Form not accessible',
|
||||
401
|
||||
);
|
||||
return (new SS_HTTPResponse('Form not accessible', 401));
|
||||
}
|
||||
|
||||
$form = $this->{"get{$formName}"}($itemID);
|
||||
|
||||
if ($itemID) {
|
||||
$form->loadDataFrom($recordType::get()->byId($itemID));
|
||||
if($itemID) {
|
||||
$record = $recordType::get()->byId($itemID);
|
||||
if(!$record) {
|
||||
return (new SS_HTTPResponse('Record not found', 404));
|
||||
}
|
||||
if(!$record->canView()) {
|
||||
return (new SS_HTTPResponse('Record not accessible', 403));
|
||||
}
|
||||
$form->loadDataFrom($record);
|
||||
}
|
||||
|
||||
$response->addHeader('Content-Type', 'application/json');
|
||||
|
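Review bot: The new `'Form not accessible'` branch keeps status 401 while the new record check two blocks below returns 403 for `'Record not accessible'`, and this same commit changes the CampaignAdmin permission failures from 401 to 403; 401 signals a missing login, not a denied permission, so `return (new SS_HTTPResponse('Form not accessible', 403));` would make the method consistent with itself. The schema method starts above this hunk and continues below it, so `$recordType`'s origin is not visible, but the route `'GET schema/$FormName/$RecordType/$ItemID'` in the earlier hunk suggests it is taken straight from the URL; if so, `$recordType::get()->byId($itemID)` calls a static method on a caller-chosen class name and the new canView() check only runs after that, so a `class_exists($recordType) && is_subclass_of($recordType, 'DataObject')` check before the lookup, returning 400 otherwise, would be worth adding.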