mirror of
https://github.com/shlinkio/shlink.git
synced 2024-11-27 08:18:24 +03:00
Add ApiKey check to tell if it has any role that is short-url restrictive
parent
8b03532ddb
commit
12da04ef37
4 changed files with 20 additions and 5 deletions
|
@ -59,8 +59,8 @@ class TagRepository extends EntitySpecificationRepository implements TagReposito
|
|||
default => $qb,
|
||||
});
|
||||
|
||||
// For admins and when no API key is present, we'll return tags which are not linked to any short URL
|
||||
$joiningMethod = ApiKey::isAdmin($apiKey) ? 'leftJoin' : 'join';
|
||||
// For non-restricted API keys, we'll return tags which are not linked to any short URL
|
||||
$joiningMethod = ! ApiKey::isShortUrlRestricted($apiKey) ? 'leftJoin' : 'join';
|
||||
$tagsSubQb = $conn->createQueryBuilder();
|
||||
$tagsSubQb
|
||||
->select('t.id AS tag_id', 't.name AS tag', 'COUNT(DISTINCT s.id) AS short_urls_count')
|
||||
|
|
|
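Review bot: The negated condition in `$joiningMethod = ! ApiKey::isShortUrlRestricted($apiKey) ? 'leftJoin' : 'join';` is harder to read than it needs to be; `$joiningMethod = ApiKey::isShortUrlRestricted($apiKey) ? 'join' : 'leftJoin';` selects the same method without the negation. The comment above it only describes the unrestricted case, so it could add the other half, e.g. `// Restricted API keys use an inner join, so tags with no short URLs are left out`. The enclosing method starts and ends outside the hunk, so whether role-based filtering is applied elsewhere in the query cannot be confirmed from here.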
@ -59,7 +59,7 @@ class TagService implements TagServiceInterface
|
|||
*/
|
||||
public function deleteTags(array $tagNames, ?ApiKey $apiKey = null): void
|
||||
{
|
||||
if (! ApiKey::isAdmin($apiKey)) {
|
||||
if (ApiKey::isShortUrlRestricted($apiKey)) {
|
||||
throw ForbiddenTagOperationException::forDeletion();
|
||||
}
|
||||
|
||||
|
@ -75,7 +75,7 @@ class TagService implements TagServiceInterface
|
|||
*/
|
||||
public function renameTag(TagRenaming $renaming, ?ApiKey $apiKey = null): Tag
|
||||
{
|
||||
if (! ApiKey::isAdmin($apiKey)) {
|
||||
if (ApiKey::isShortUrlRestricted($apiKey)) {
|
||||
throw ForbiddenTagOperationException::forRenaming();
|
||||
}
|
||||
|
||||
|
|
|
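Review bot: The guards in `deleteTags` and `renameTag` switch from rejecting every key that fails `isAdmin` to rejecting only keys that hold `AUTHORED_SHORT_URLS` or `DOMAIN_SPECIFIC`, so a key whose roles are all outside those two now passes both checks. If that widening is intended, each guard should say so, e.g. `// Only keys restricted to a subset of short URLs are blocked; keys holding other roles are allowed`, and a test should cover a key whose only role is outside those two. The four changed files shown on this page are all source classes, so the new authorization behaviour appears to be unverified in this commit. Both method bodies continue outside the hunks.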
@ -18,7 +18,7 @@ class WithApiKeySpecsEnsuringJoin extends BaseSpecification
|
|||
|
||||
protected function getSpec(): Specification
|
||||
{
|
||||
return $this->apiKey === null || ApiKey::isAdmin($this->apiKey) ? Spec::andX() : Spec::andX(
|
||||
return $this->apiKey === null || ! ApiKey::isShortUrlRestricted($this->apiKey) ? Spec::andX() : Spec::andX(
|
||||
Spec::join($this->fieldToJoin, 's'),
|
||||
$this->apiKey->spec($this->fieldToJoin),
|
||||
);
|
||||
|
|
|
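Review bot: The `$this->apiKey === null ||` operand in `getSpec()` is redundant at runtime, because `ApiKey::isShortUrlRestricted()` already returns false for null, and the unparenthesised `a || ! b ? x : y` form is easy to misread. If the null check is kept so static analysis can narrow the type before `$this->apiKey->spec(...)`, say so in a comment and parenthesise the condition: `return ($this->apiKey === null || ! ApiKey::isShortUrlRestricted($this->apiKey)) ? Spec::andX() : Spec::andX(`. A comment should also record that keys holding only roles outside the two short-URL-restricting ones now skip `$this->apiKey->spec()` entirely.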
@ -122,6 +122,21 @@ class ApiKey extends AbstractEntity
|
|||
return $apiKey === null || $apiKey->roles->isEmpty();
|
||||
}
|
||||
|
||||
/**
|
||||
* Tells if provided API key has any of the roles restricting at the short URL level
|
||||
*/
|
||||
public static function isShortUrlRestricted(?ApiKey $apiKey): bool
|
||||
{
|
||||
if ($apiKey === null) {
|
||||
return false;
|
||||
}
|
||||
|
||||
return (
|
||||
$apiKey->roles->containsKey(Role::AUTHORED_SHORT_URLS->value)
|
||||
|| $apiKey->roles->containsKey(Role::DOMAIN_SPECIFIC->value)
|
||||
);
|
||||
}
|
||||
|
||||
public function hasRole(Role $role): bool
|
||||
{
|
||||
return $this->roles->containsKey($role->value);
|
||||
|
|
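Review bot: `isShortUrlRestricted()` hard-codes the two restricting roles and repeats the `$this->roles->containsKey($role->value)` lookup that `hasRole()` directly below already wraps; `return $apiKey->hasRole(Role::AUTHORED_SHORT_URLS) || $apiKey->hasRole(Role::DOMAIN_SPECIFIC);` keeps a single lookup path. The other files in this commit use this predicate as an authorization gate, so the docblock should state that a null key counts as unrestricted. It should also say that any new role limiting short URL visibility must be added here, otherwise keys holding it are treated as unrestricted. `hasRole()` is cut off at the end of the hunk.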