From 39d14451b2baf29cee2594a25fa5d0a35fab674d Mon Sep 17 00:00:00 2001 From: Mal <=> Date: Sat, 22 Aug 2020 23:08:05 +0200 Subject: [PATCH] Permission architecture implemented --- backend/classes/core/AbstractController.php | 31 +++++++++++++++++++++ backend/classes/core/Session.php | 7 +++-- backend/classes/database/User.php | 13 ++++++++- 3 files changed, 47 insertions(+), 4 deletions(-) diff --git a/backend/classes/core/AbstractController.php b/backend/classes/core/AbstractController.php index ea1acef..5da32a4 100644 --- a/backend/classes/core/AbstractController.php +++ b/backend/classes/core/AbstractController.php @@ -7,6 +7,7 @@ abstract class AbstractController protected string $route; protected ApiResponse $response; + protected Session $session; protected string $requestUrl; protected ?string $requestBody = null; protected ?string $contentType = null; @@ -16,6 +17,7 @@ abstract class AbstractController { $this->requestUrl = $url; $this->response = new ApiResponse(); + $this->session = new Session(); } public function setRequestBody(string $contentType, string $content): void 
@@ -56,6 +58,35 @@ abstract class AbstractController return $param !== null ? (int)$param : null; } + public function isUserLoggedIn(): bool + { + if (!$this->session->IsLoggedIn()) { + $this->response = new ApiJsonResponse(ServerStatus::UNAUTHORIZED); + + $this->response->setParameter('success', false); + $this->response->setMessage('You are not logged in!'); + + return false; + } + + return true; + } + + public function hasUserPermission(int $userId): bool + { + $this->response = new ApiJsonResponse(); + + $hasPermission = $this->session->isAdmin() || $this->session->getUserId() === $userId; + + if (!$hasPermission) { + $this->response->setParameter('success', false); + $this->response->setMessage('You don\'t have the permission to do that!'); + $this->response->setStatus(ServerStatus::UNAUTHORIZED); + } + + return $hasPermission; + } + protected function validateJsonBody(): bool { if (count($this->mandatoryAttributes) === 0) { diff --git a/backend/classes/core/Session.php b/backend/classes/core/Session.php index ec9a5c8..31a2a50 100644 --- a/backend/classes/core/Session.php +++ b/backend/classes/core/Session.php @@ -11,7 +11,7 @@ final class Session private const IS_LOGGED_IN = 'is_logged_in'; private const USER_ID = 'account_id'; private const USERNAME = 'username'; - private const PERMISSION = 'permission'; + private const IS_ADMIN = 'admin'; private const EMAIL = 'email'; private const JABBER_ADDRESS = 'jabber'; @@ -46,6 +46,7 @@ final class Session $this->SetString(self::USERNAME, $user->getUsername()); $this->SetString(self::EMAIL, $user->getEmail()); $this->SetString(self::JABBER_ADDRESS, $user->getJabberAddress()); + $this->SetBool(self::IS_ADMIN, $user->isAdmin()); return true; } @@ -95,9 +96,9 @@ final class Session return $this->GetInt(self::USER_ID); } - public function GetPermission(): ?int + public function isAdmin(): bool { - return $this->GetInt(self::PERMISSION); + return $this->GetBool(self::IS_ADMIN); } public static function HasSession(): bool 
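Review bot: `hasUserPermission()` does not itself require an authenticated session; it only fails closed if `getUserId()` yields `null` for an anonymous session and `isAdmin()` yields `false` for a missing key, and neither of those return conventions is visible on this page. Make the guard explicit by opening the method with `if (!$this->isUserLoggedIn()) { return false; }` so the 401 response is set and an anonymous caller can never satisfy the ownership test regardless of how `GetInt`/`GetBool` treat absent keys. The denial branch for a logged-in user who simply is not the owner is a 403 case rather than 401, if `ServerStatus` defines such a constant. Note also that `$this->response = new ApiJsonResponse();` on the first line discards any response the controller had already prepared even when the check passes; moving that assignment into the `if (!$hasPermission)` branch avoids the surprise.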
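Review bot: The admin flag written by `$this->SetBool(self::IS_ADMIN, $user->isAdmin());` is a snapshot taken at login, and the new `isAdmin()` reads only that session copy, so demoting a user with `setAdmin(false)` leaves every existing session of theirs admin until it ends, and a promotion likewise only takes effect after re-login. Either re-read the `IsAdmin` column on each privileged request or invalidate the user's sessions when the flag changes, and record the choice on the getter, e.g. `// Snapshot of User::IsAdmin taken at login; not refreshed until the next login.` Since this is the point where the session gains a privilege level, also confirm that the enclosing login method regenerates the session id before writing these values; that method starts outside this hunk.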
diff --git a/backend/classes/database/User.php b/backend/classes/database/User.php index 4ff6e8e..72a2369 100644 --- a/backend/classes/database/User.php +++ b/backend/classes/database/User.php @@ -9,8 +9,9 @@ final class User extends MySqlTable implements JsonSerializable public const FIELD_PASSWORD = 'Password'; public const FIELD_EMAIL = 'Email'; public const FIELD_JABBER_ADDRESS = 'JabberAddress'; + public const FIELD_ADMIN = 'IsAdmin'; - public function __construct($id = null, DatabaseInterface &$database = null) + public function __construct($id = null, DatabaseInterface &$database = null) { parent::__construct(self::class, $id, $database); } @@ -44,6 +45,11 @@ final class User extends MySqlTable implements JsonSerializable return $this->getField(self::FIELD_JABBER_ADDRESS); } + public function isAdmin(): bool + { + return $this->getField(self::FIELD_ADMIN); + } + public function setUsername(string $username): void { $this->setField(self::FIELD_USERNAME, $username); @@ -64,6 +70,11 @@ final class User extends MySqlTable implements JsonSerializable $this->setField(self::FIELD_JABBER_ADDRESS, $jabberAddress); } + public function setAdmin(bool $isAdmin): void + { + $this->setField(self::FIELD_ADMIN, $isAdmin); + } + public static function getFromUsername(string $username, DatabaseInterface &$database = null): self { $databaseGiven = true;
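Review bot: `isAdmin()` passes `$this->getField(self::FIELD_ADMIN)` straight through a `: bool` return type, but a MySQL `IsAdmin` tinyint column commonly arrives from the driver as the string `'0'`/`'1'`, or as `null` when the column is unset; with `strict_types` enabled a string return throws a `TypeError`, and a `null` return throws in either mode, which turns the permission check for such a row into a server error instead of a denial. Normalise at the boundary with `return (bool) $this->getField(self::FIELD_ADMIN);` so absent or zero values map to `false` and the authorisation path fails closed. Whether `getField` already converts types is not visible here; if it does, a one-line comment saying so on the getter would save the next reader the same question.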
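Review bot: `setAdmin()` is a public setter with no guard, sitting next to the other public setters on `User`; if any update endpoint maps client-supplied JSON attributes onto setters by name, a caller could flip `IsAdmin` on their own account, and the new `isAdmin()`/`hasUserPermission()` checks would then trust that value. The controllers are not in this diff, so treat this as something to verify rather than a confirmed hole: the handler that writes user records should use an explicit allow-list of fields and reach `setAdmin()` only after `hasUserPermission()` has confirmed an admin session. The setter deserves a comment to that effect, e.g. `// Privilege-bearing field: never set from client-supplied input; admin-only callers.`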