Permissions for fingerprint endpoints created

2020-08-23 11:44:12 +02:00 · 2020-08-23 11:44:12 +02:00 · 37f220b561
parent 39d14451b2
commit 37f220b561
4 changed files with 35 additions and 5 deletions
--- a/backend/classes/controller/FingerprintDeleteController.php
+++ b/backend/classes/controller/FingerprintDeleteController.php
@ -17,6 +17,10 @@ final class FingerprintDeleteController extends AbstractController

 	public function handle(): void
 	{
+		if (!$this->isUserLoggedIn()) {
+			return;
+		}
+
 		parent::handle();

 		if ($this->response->getStatus() !== ServerStatus::OK) {
@ -25,16 +29,21 @@ final class FingerprintDeleteController extends AbstractController

 		try {
 			$db = new MySqlDatabase();
+			$this->response = new ApiJsonResponse();
+
 			$db->startTransaction();

 			$fingerprint = new Fingerprint($this->fingerprintId, $db);
+
+			if (!$this->hasUserPermission($fingerprint->getUserId())) {
+				return;
+			}
+
 			$qrCode = new QrCode($fingerprint->getFingerprintId(), $fingerprint->getFingerprint());
 			$fingerprint->Delete();
 			$qrCode->delete();

 			$db->commit();
-
-			$this->response = new ApiJsonResponse();
 		} catch (Throwable $e) {
 			$this->response = new ApiJsonResponse(ServerStatus::BAD_REQUEST);
 			$this->response->setParameter('success', false);
--- a/backend/classes/controller/FingerprintGetController.php
+++ b/backend/classes/controller/FingerprintGetController.php
@ -18,8 +18,16 @@ final class FingerprintGetController extends AbstractController
    public function handle(): void
    {
        try {
+			if (!$this->isUserLoggedIn()) {
+				return;
+			}
+
            $fingerprint = new Fingerprint($this->fingerprintId);

+            if (!$this->hasUserPermission($fingerprint->getUserId())) {
+            	return;
+            }
+
            $this->response = new ApiJsonResponse();
            $this->response->setResult($fingerprint);
        } catch (Throwable $e) {
--- a/backend/classes/controller/FingerprintPostController.php
+++ b/backend/classes/controller/FingerprintPostController.php
@ -12,6 +12,10 @@ final class FingerprintPostController extends AbstractController

    public function handle(): void
    {
+    	if (!$this->isUserLoggedIn()) {
+    		return;
+		}
+
        parent::handle();

        $db = new MySqlDatabase();
@ -20,8 +24,12 @@ final class FingerprintPostController extends AbstractController
 		$this->response = new ApiJsonResponse();

        try {
-            $fingerprint->setFingerprint($json->fingerprint);
-            $fingerprint->setUserId($json->userId);
+			if (!$this->hasUserPermission((int)$json->userId)) {
+				return;
+			}
+
+            $fingerprint->setFingerprint((string)$json->fingerprint);
+            $fingerprint->setUserId((int)$json->userId);

            if (!$db->hasTransaction()) {
                $db->startTransaction();
--- a/backend/classes/controller/FingerprintPutController.php
+++ b/backend/classes/controller/FingerprintPutController.php
@ -20,6 +20,10 @@ final class FingerprintPutController extends AbstractController

 	public function handle(): void
 	{
+		if (!$this->isUserLoggedIn()) {
+			return;
+		}
+
 		parent::handle();

 		if ($this->response->getStatus() !== ServerStatus::OK) {
@ -30,9 +34,10 @@ final class FingerprintPutController extends AbstractController

 		try {
 			$json = json_decode($this->requestBody, true);
+
 			$fingerprint = new Fingerprint($this->fingerprintId);

-			if ($this->handleFingerprint($fingerprint, $json)) {
+			if ($this->hasUserPermission($fingerprint->getUserId()) || $this->handleFingerprint($fingerprint, $json)) {
 				return;
 			}