oss/wallabag
oss/wallabag
1
0
Fork 0
mirror of https://github.com/wallabag/wallabag.git synced 2025-08-26 18:21:02 +00:00
Code Wiki Activity

Add IsGranted to ExportController

Browse source
This commit is contained in:
Yassine Guedidi 2025-03-10 23:17:43 +01:00
parent deae27bdae
commit d2dd7f78d3
7 changed files with 83 additions and 54 deletions
Download patch file Download diff file Expand all files Collapse all files

21
src/Controller/ExportController.php
View file

@ -2,10 +2,12 @@
namespace Wallabag\Controller;
use Sensio\Bundle\FrameworkExtraBundle\Configuration\IsGranted;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\HttpKernel\Exception\NotFoundHttpException;
use Symfony\Component\Routing\Annotation\Route;
use Wallabag\Entity\Entry;
use Wallabag\Helper\EntriesExport;
use Wallabag\Repository\EntryRepository;
use Wallabag\Repository\TagRepository;
@ -19,27 +21,17 @@ class ExportController extends AbstractController
/**
* Gets one entry content.
*
* @Route("/export/{id}.{format}", name="export_entry", methods={"GET"}, requirements={
* @Route("/export/{entry}.{format}", name="export_entry", methods={"GET"}, requirements={
* "format": "epub|pdf|json|xml|txt|csv|md",
* "id": "\d+"
* "entry": "\d+"
* })
* @IsGranted("EXPORT", subject="entry")
*
* @return Response
*/
public function downloadEntryAction(Request $request, EntryRepository $entryRepository, EntriesExport $entriesExport, string $format, int $id)
public function downloadEntryAction(Request $request, EntryRepository $entryRepository, EntriesExport $entriesExport, string $format, Entry $entry)
{
try {
$entry = $entryRepository->find($id);
/*
* We duplicate EntryController::checkUserAction here as a quick fix for an improper authorization vulnerability
*
* This should be eventually rewritten
*/
if (null === $entry || null === $this->getUser() || $this->getUser()->getId() !== $entry->getUser()->getId()) {
throw new NotFoundHttpException();
}
return $entriesExport
->setEntries($entry)
->updateTitle('entry')
@ -57,6 +49,7 @@ class ExportController extends AbstractController
* "format": "epub|pdf|json|xml|txt|csv|md",
* "category": "all|unread|starred|archive|tag_entries|untagged|search|annotated|same_domain"
* })
* @IsGranted("EXPORT_ENTRIES")
*
* @return Response
*/

4
src/Security/Voter/EntryVoter.php
View file

@ -16,6 +16,7 @@ class EntryVoter extends Voter
public const ARCHIVE = 'ARCHIVE';
public const SHARE = 'SHARE';
public const UNSHARE = 'UNSHARE';
public const EXPORT = 'EXPORT';
public const DELETE = 'DELETE';
public const LIST_ANNOTATIONS = 'LIST_ANNOTATIONS';
public const CREATE_ANNOTATIONS = 'CREATE_ANNOTATIONS';
@ -26,7 +27,7 @@ class EntryVoter extends Voter
return false;
}
if (!\in_array($attribute, [self::VIEW, self::EDIT, self::RELOAD, self::STAR, self::ARCHIVE, self::SHARE, self::UNSHARE, self::DELETE, self::LIST_ANNOTATIONS, self::CREATE_ANNOTATIONS], true)) {
if (!\in_array($attribute, [self::VIEW, self::EDIT, self::RELOAD, self::STAR, self::ARCHIVE, self::SHARE, self::UNSHARE, self::EXPORT, self::DELETE, self::LIST_ANNOTATIONS, self::CREATE_ANNOTATIONS], true)) {
return false;
}
@ -51,6 +52,7 @@ class EntryVoter extends Voter
case self::ARCHIVE:
case self::SHARE:
case self::UNSHARE:
case self::EXPORT:
case self::DELETE:
case self::LIST_ANNOTATIONS:
case self::CREATE_ANNOTATIONS:

4
src/Security/Voter/MainVoter.php
View file

@ -11,6 +11,7 @@ class MainVoter extends Voter
public const LIST_ENTRIES = 'LIST_ENTRIES';
public const CREATE_ENTRIES = 'CREATE_ENTRIES';
public const EDIT_ENTRIES = 'EDIT_ENTRIES';
public const EXPORT_ENTRIES = 'EXPORT_ENTRIES';
public const LIST_SITE_CREDENTIALS = 'LIST_SITE_CREDENTIALS';
public const CREATE_SITE_CREDENTIALS = 'CREATE_SITE_CREDENTIALS';
@ -27,7 +28,7 @@ class MainVoter extends Voter
return false;
}
if (!\in_array($attribute, [self::LIST_ENTRIES, self::CREATE_ENTRIES, self::EDIT_ENTRIES, self::LIST_SITE_CREDENTIALS, self::CREATE_SITE_CREDENTIALS], true)) {
if (!\in_array($attribute, [self::LIST_ENTRIES, self::CREATE_ENTRIES, self::EDIT_ENTRIES, self::EXPORT_ENTRIES, self::LIST_SITE_CREDENTIALS, self::CREATE_SITE_CREDENTIALS], true)) {
return false;
}
@ -40,6 +41,7 @@ class MainVoter extends Voter
case self::LIST_ENTRIES:
case self::CREATE_ENTRIES:
case self::EDIT_ENTRIES:
case self::EXPORT_ENTRIES:
case self::LIST_SITE_CREDENTIALS:
case self::CREATE_SITE_CREDENTIALS:
return $this->security->isGranted('ROLE_USER');