From 1b90aa14a1f83e50407b663d89c4e39f67fa073f Mon Sep 17 00:00:00 2001 From: mattamon Date: Tue, 5 Mar 2024 08:39:39 +0100 Subject: [PATCH] Add public voter --- .../api_platform/resources/translation.yaml | 1 + config/services.yaml | 8 ++- src/Exception/NoRequestException.php | 25 +++++++ src/Security/Trait/PublicTranslationTrait.php | 41 +++++++++++ src/Security/Voter/PublicTokenVoter.php | 70 +++++++++++++++++++ 5 files changed, 144 insertions(+), 1 deletion(-) create mode 100644 src/Exception/NoRequestException.php create mode 100644 src/Security/Trait/PublicTranslationTrait.php create mode 100644 src/Security/Voter/PublicTokenVoter.php diff --git a/config/api_platform/resources/translation.yaml b/config/api_platform/resources/translation.yaml index c10adbbea..4f2d2d77c 100644 --- a/config/api_platform/resources/translation.yaml +++ b/config/api_platform/resources/translation.yaml @@ -1,5 +1,6 @@ resources: Pimcore\Bundle\StudioApiBundle\Dto\Translation: + security: 'is_granted("PUBLIC_API_PLATFORM", "translation")' operations: ApiPlatform\Metadata\Post: processor: Pimcore\Bundle\StudioApiBundle\State\TranslationProcessor diff --git a/config/services.yaml b/config/services.yaml index e128801a5..5eb9c4be8 100644 --- a/config/services.yaml +++ b/config/services.yaml @@ -85,4 +85,10 @@ services: class: Pimcore\Bundle\StudioApiBundle\Service\GenericData\V1\AssetQueryProvider Pimcore\Bundle\StudioApiBundle\Service\TranslatorServiceInterface: - class: Pimcore\Bundle\StudioApiBundle\Service\TranslatorService \ No newline at end of file + class: Pimcore\Bundle\StudioApiBundle\Service\TranslatorService + + #Voters + Pimcore\Bundle\StudioApiBundle\Security\Voter\PublicTokenVoter: + arguments: [ '@request_stack' ] + tags: + - { name: security.voter } \ No newline at end of file diff --git a/src/Exception/NoRequestException.php b/src/Exception/NoRequestException.php new file mode 100644 index 000000000..d86875cd4 --- /dev/null +++ b/src/Exception/NoRequestException.php 
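Review bot: The new `security` line in config/api_platform/resources/translation.yaml gives no hint that the rule is decided from the request body rather than from the caller's identity, which is easy to miss when another operation is later added to this resource. As far as the voter code visible further down shows, `PUBLIC_API_PLATFORM` with subject `translation` is granted when every requested key is in `PublicTranslations::PUBLIC_KEYS`, and the user-based check is still a TODO. I would add a comment above the line, for example `# Granted by PublicTokenVoter from the request payload (public translation keys only); user check pending, see TODO in the voter`. Because the expression sits at resource level it applies to every operation of the resource, so please confirm that is intended rather than scoping it to the Post operation.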
@@ -0,0 +1,25 @@
+all();
+ if(!array_key_exists(self::ARRAY_KEYS_INDEX, $parameters)) {
+ return false;
+ }
+
+ foreach($parameters[self::ARRAY_KEYS_INDEX] as $key) {
+ // Allow only public keys
+ if(!in_array($key, PublicTranslations::PUBLIC_KEYS, true)) {
+ return false;
+ }
+ }
+
+ return true;
+ }
+}
\ No newline at end of file
diff --git a/src/Security/Voter/PublicTokenVoter.php b/src/Security/Voter/PublicTokenVoter.php
new file mode 100644
index 000000000..c76e78517
--- /dev/null
+++ b/src/Security/Voter/PublicTokenVoter.php
@@ -0,0 +1,70 @@
+getCurrentRequest();
+
+ // TODO Add security service once merged with PR#5
+ return $this->voteOnRequest($request, $subject);
+ }
+
+ private function getCurrentRequest(): Request
+ {
+ $request = $this->requestStack->getCurrentRequest();
+ if(!$request) {
+ throw new NoRequestException('No request found');
+ }
+
+ return $request;
+ }
+
+ private function voteOnRequest(Request $request, string $subject): bool
+ {
+ return match ($subject) {
+ 'translation' => $this->voteOnTranslation($request->getPayload()),
+ default => false,
+ };
+ }
+}
\ No newline at end of file
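Review bot: In the translation check that ends with `return true` (called as `voteOnTranslation` from the voter), the `foreach` over `$parameters[self::ARRAY_KEYS_INDEX]` is the only thing between the request and a grant, so an empty array or a non-array value under that index is granted. With a scalar there, `foreach` only raises a warning and skips its body unless the error handler is set to throw, and execution falls through to `return true`. A guard before the loop closes both cases: `$keys = $parameters[self::ARRAY_KEYS_INDEX];` then `if (!is_array($keys) || $keys === []) { return false; }`, and iterate `$keys`. Denying an empty list is the safer default for an authorization check, though whether it should be allowed depends on what the processor does with it. The start of the method is not visible on this page, so an earlier check there would change this.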
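Review bot: `voteOnRequest` decides from `$request->getPayload()`, the raw request body, while the processor presumably works on the deserialized `Translation` DTO, so the data that is authorized and the data that is processed are parsed by two different code paths. If the two can ever disagree, for instance over content type handling or a field the DTO maps differently, the public-key allow-list is checked against something other than what gets translated. Consider evaluating the rule after denormalization and passing the DTO to the voter as the subject. At minimum, document the coupling on `voteOnRequest`, e.g. `// Decision is based on the raw payload; keep its shape in sync with Dto\Translation`. The head of this file, including `supports()` and the start of `voteOnAttribute`, is not visible on this page.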