commit e103a3755184c96f51262124ce3ee0e0b1171d8c
Author: smarcet
Date: Fri Oct 16 23:09:28 2020 -0300
Fixed Presentation Slides AUTHZ
Change-Id: I65e60320b5af07107aebefa643a36262c3d23864
Signed-off-by: smarcet
diff --git a/app/Http/Controllers/Apis/Protected/Summit/OAuth2PresentationApiController.php b/app/Http/Controllers/Apis/Protected/Summit/OAuth2PresentationApiController.php
index f6200f3..0d08678 100644
--- a/app/Http/Controllers/Apis/Protected/Summit/OAuth2PresentationApiController.php
+++ b/app/Http/Controllers/Apis/Protected/Summit/OAuth2PresentationApiController.php
@@ -597,14 +597,14 @@ final class OAuth2PresentationApiController extends OAuth2ProtectedController
 $current_member = $this->resource_server_context->getCurrentUser();
 if (is_null($current_member)) return $this->error403();
-
- if(!$current_member->isAdmin()){
+ $isAdmin = $current_member->isAdmin() || $current_member->hasPermissionForOnGroup($summit, IGroup::SummitAdministrators);
+ if(!$isAdmin){
 // check if we could edit presentation
 $presentation = $summit->getEvent($presentation_id);
 if(is_null($presentation) || !$presentation instanceof Presentation)
 return $this->error404();
 if(!$current_member->hasSpeaker() || !$presentation->canEdit($current_member->getSpeaker()))
- return $this->error403();
+ return $this->error403();
 }
 $data = $request->all();
@@ -676,8 +676,8 @@ final class OAuth2PresentationApiController extends OAuth2ProtectedController
 $current_member = $this->resource_server_context->getCurrentUser();
 if (is_null($current_member)) return $this->error403();
-
- if(!$current_member->isAdmin()){
+ $isAdmin = $current_member->isAdmin() || $current_member->hasPermissionForOnGroup($summit, IGroup::SummitAdministrators);
+ if(!$isAdmin){
 // check if we could edit presentation
 $presentation = $summit->getEvent($presentation_id);
 if(is_null($presentation) || !$presentation instanceof Presentation)
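Review bot: The `$isAdmin` computation together with the speaker-edit check below it is now pasted verbatim into six methods (this hunk and the hunks at -676, -754, -857, -917 and -978), so the next change to who may edit a presentation has to be applied six times and one forgotten copy silently weakens the gate again. Extract the block into one private helper that returns the 403/404 response or null and call it from every method; each call site then collapses to `$authz = $this->checkPresentationEditAuthz($summit, $presentation_id); if (!is_null($authz)) return $authz;`. The enclosing method starts before this hunk and continues after it.
```php
/**
 * Authorization gate shared by the slide/link endpoints.
 *
 * Returns null when the current member may edit presentation
 * $presentation_id in $summit (isAdmin(), the SummitAdministrators group
 * permission on this summit, or a speaker that canEdit() accepts);
 * otherwise returns the 403/404 response the caller must return as-is.
 */
private function checkPresentationEditAuthz($summit, $presentation_id)
{
    $current_member = $this->resource_server_context->getCurrentUser();
    if (is_null($current_member)) return $this->error403();
    $isAdmin = $current_member->isAdmin() || $current_member->hasPermissionForOnGroup($summit, IGroup::SummitAdministrators);
    if ($isAdmin) return null;
    // check if we could edit presentation
    $presentation = $summit->getEvent($presentation_id);
    if (is_null($presentation) || !$presentation instanceof Presentation)
        return $this->error404();
    if (!$current_member->hasSpeaker() || !$presentation->canEdit($current_member->getSpeaker()))
        return $this->error403();
    return null;
}
```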
@@ -754,6 +754,18 @@ final class OAuth2PresentationApiController extends OAuth2ProtectedController
 $summit = SummitFinderStrategyFactory::build($this->summit_repository, $this->resource_server_context)->find($summit_id);
 if (is_null($summit)) return $this->error404();
+ $current_member = $this->resource_server_context->getCurrentUser();
+ if (is_null($current_member)) return $this->error403();
+ $isAdmin = $current_member->isAdmin() || $current_member->hasPermissionForOnGroup($summit, IGroup::SummitAdministrators);
+ if(!$isAdmin){
+ // check if we could edit presentation
+ $presentation = $summit->getEvent($presentation_id);
+ if(is_null($presentation) || !$presentation instanceof Presentation)
+ return $this->error404();
+ if(!$current_member->hasSpeaker() || !$presentation->canEdit($current_member->getSpeaker()))
+ return $this->error403();
+ }
+
 $this->presentation_service->deleteSlide($presentation_id, $slide_id);
 return $this->deleted();
@@ -857,6 +869,18 @@ final class OAuth2PresentationApiController extends OAuth2ProtectedController
 $summit = SummitFinderStrategyFactory::build($this->summit_repository, $this->resource_server_context)->find($summit_id);
 if (is_null($summit)) return $this->error404();
+ $current_member = $this->resource_server_context->getCurrentUser();
+ if (is_null($current_member)) return $this->error403();
+ $isAdmin = $current_member->isAdmin() || $current_member->hasPermissionForOnGroup($summit, IGroup::SummitAdministrators);
+ if(!$isAdmin){
+ // check if we could edit presentation
+ $presentation = $summit->getEvent($presentation_id);
+ if(is_null($presentation) || !$presentation instanceof Presentation)
+ return $this->error404();
+ if(!$current_member->hasSpeaker() || !$presentation->canEdit($current_member->getSpeaker()))
+ return $this->error403();
+ }
+
 $data = $request->all();
 $data = MultipartFormDataCleaner::cleanBool('display_on_site', $data);
 $data = MultipartFormDataCleaner::cleanBool('featured', $data);
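Review bot: The new gate authorizes the caller for `$presentation_id`, but the deletion that follows targets `$slide_id`, so the check protects the slide only if `deleteSlide` itself verifies that the slide is a child of that presentation; the service is not in this diff, so that needs confirming rather than assuming. On the admin path `$presentation` is never loaded, so the ownership binding cannot be done at this call site for every caller and has to hold in the service. Without it a member permitted on one presentation could be paired with a slide id of another, and the same question applies to `deleteLink($presentation_id, $link_id)` in the hunk at -978. Until it is confirmed, record the expectation where it is relied on: `// AUTHZ above covers $presentation_id only; deleteSlide must 404 when $slide_id does not belong to it`. The enclosing method starts before this hunk and continues after it.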
@@ -917,6 +941,18 @@ final class OAuth2PresentationApiController extends OAuth2ProtectedController
 $summit = SummitFinderStrategyFactory::build($this->summit_repository, $this->resource_server_context)->find($summit_id);
 if (is_null($summit)) return $this->error404();
+ $current_member = $this->resource_server_context->getCurrentUser();
+ if (is_null($current_member)) return $this->error403();
+ $isAdmin = $current_member->isAdmin() || $current_member->hasPermissionForOnGroup($summit, IGroup::SummitAdministrators);
+ if(!$isAdmin){
+ // check if we could edit presentation
+ $presentation = $summit->getEvent($presentation_id);
+ if(is_null($presentation) || !$presentation instanceof Presentation)
+ return $this->error404();
+ if(!$current_member->hasSpeaker() || !$presentation->canEdit($current_member->getSpeaker()))
+ return $this->error403();
+ }
+
 $data = $request->all();
 $data = MultipartFormDataCleaner::cleanBool('display_on_site', $data);
 $data = MultipartFormDataCleaner::cleanBool('featured', $data);
@@ -978,6 +1014,18 @@ final class OAuth2PresentationApiController extends OAuth2ProtectedController
 $summit = SummitFinderStrategyFactory::build($this->summit_repository, $this->resource_server_context)->find($summit_id);
 if (is_null($summit)) return $this->error404();
+ $current_member = $this->resource_server_context->getCurrentUser();
+ if (is_null($current_member)) return $this->error403();
+ $isAdmin = $current_member->isAdmin() || $current_member->hasPermissionForOnGroup($summit, IGroup::SummitAdministrators);
+ if(!$isAdmin){
+ // check if we could edit presentation
+ $presentation = $summit->getEvent($presentation_id);
+ if(is_null($presentation) || !$presentation instanceof Presentation)
+ return $this->error404();
+ if(!$current_member->hasSpeaker() || !$presentation->canEdit($current_member->getSpeaker()))
+ return $this->error403();
+ }
+
 $this->presentation_service->deleteLink($presentation_id, $link_id);
 return $this->deleted();
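Review bot: `is_null($presentation) || !$presentation instanceof Presentation` in the non-admin branch is redundant, since `instanceof` already yields false for null, so the condition reads more directly as `if (!$presentation instanceof Presentation)`; the same form appears in the other five hunks. The name `$isAdmin` is also slightly misleading here because it is true for a member whose only qualification is the SummitAdministrators group permission on this summit, which `isAdmin()` alone would not grant; a comment on that line such as `// global admin or summit administrator: may edit any presentation of this summit` makes the branch read correctly without renaming. The enclosing method starts before this hunk and continues after it.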