Add Voter for permissions (#56)

* Add Voter for permissions, rename Permission constants, refactor openapi crud operations to small case

* Load permissions from database

* Deactivate voter in controller

* Remove test 4

* use interface

composer.json

@@ -18,7 +18,7 @@
   "minimum-stability": "dev",
   "require": {
     "php": "~8.2",
-    "pimcore/static-resolver-bundle": "^1.3",
+    "pimcore/static-resolver-bundle": "1.x-dev",
     "pimcore/generic-data-index-bundle": "1.x-dev",
     "pimcore/pimcore": "^11.0",
     "zircote/swagger-php": "^4.8"

config/security.yaml

@@ -9,6 +9,10 @@ services:
     tags:
       - { name: security.voter }
 
+  Pimcore\Bundle\StudioBackendBundle\Security\Voter\UserPermissionVoter:
+    tags:
+      - { name: security.voter }
+
   Pimcore\Bundle\StudioBackendBundle\Security\Voter\PublicAuthorizationVoter:
     arguments: [ '@request_stack' ]
     tags:

src/Asset/Controller/CollectionController.php

@@ -67,7 +67,8 @@ public function __construct(
      */
     #[Route('/assets', name: 'pimcore_studio_api_assets', methods: ['GET'])]
     //#[IsGranted('STUDIO_API')]
-    #[GET(
+    //#[IsGranted(UserPermissions::ASSETS->value)]
+    #[Get(
         path: self::API_PATH . '/assets',
         operationId: 'getAssets',
         description: 'Get paginated assets',

src/Asset/Controller/GetController.php

@@ -46,7 +46,8 @@ public function __construct(
 
     #[Route('/assets/{id}', name: 'pimcore_studio_api_get_asset', methods: ['GET'])]
     //#[IsGranted('STUDIO_API')]
-    #[GET(
+    //#[IsGranted(UserPermissions::ASSETS->value)]
+    #[Get(
         path: self::API_PATH . '/assets/{id}',
         operationId: 'getAssetById',
         description: 'Get assets by id by path parameter',

src/Authorization/Controller/AuthorizationController.php

@@ -57,7 +57,7 @@ public function __construct(
      * @throws AccessDeniedException
      */
     #[Route('/login', name: 'pimcore_studio_api_login', methods: ['POST'])]
-    #[POST(
+    #[Post(
         path: self::API_PATH . '/login',
         operationId: 'login',
         summary: 'Login with user credentials and get access token',

src/DataObject/Controller/CollectionController.php

@@ -64,7 +64,7 @@ public function __construct(
      */
     #[Route('/data-objects', name: 'pimcore_studio_api_data_objects', methods: ['GET'])]
     //#[IsGranted(self::VOTER_STUDIO_API)]
-    #[GET(
+    #[Get(
         path: self::API_PATH . '/data-objects',
         operationId: 'getDataObjects',
         description: 'Get paginated data objects',

src/DataObject/Controller/GetController.php

@@ -47,7 +47,7 @@ public function __construct(
 
     #[Route('/data-objects/{id}', name: 'pimcore_studio_api_get_data_object', methods: ['GET'])]
     //#[IsGranted('STUDIO_API')]
-    #[GET(
+    #[Get(
         path: self::API_PATH . '/data-objects/{id}',
         operationId: 'getDataObjectById',
         description: 'Get data object by id by path parameter',

src/Security/Voter/UserPermissionVoter.php

@@ -0,0 +1,95 @@
+<?php
+declare(strict_types=1);
+
+/**
+ * Pimcore
+ *
+ * This source file is available under two different licenses:
+ * - GNU General Public License version 3 (GPLv3)
+ * - Pimcore Commercial License (PCL)
+ * Full copyright and license information is available in
+ * LICENSE.md which is distributed with this source code.
+ *
+ *  @copyright  Copyright (c) Pimcore GmbH (http://www.pimcore.org)
+ *  @license    http://www.pimcore.org/license     GPLv3 and PCL
+ */
+
+namespace Pimcore\Bundle\StudioBackendBundle\Security\Voter;
+
+use Doctrine\DBAL\Exception;
+use Pimcore\Bundle\StaticResolverBundle\Db\DbResolverInterface;
+use Pimcore\Bundle\StaticResolverBundle\Lib\CacheResolverInterface;
+use Pimcore\Bundle\StudioBackendBundle\Exception\AccessDeniedException;
+use Pimcore\Bundle\StudioBackendBundle\Security\Service\SecurityServiceInterface;
+use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
+use Symfony\Component\Security\Core\Authorization\Voter\Voter;
+
+/**
+ * @internal
+ */
+final class UserPermissionVoter extends Voter
+{
+    private const USER_PERMISSIONS_CACHE_KEY = 'studio_backend_user_permissions';
+
+    private array $userPermissions;
+
+    public function __construct(
+        private readonly CacheResolverInterface $cacheResolver,
+        private readonly DbResolverInterface $dbResolver,
+        private readonly SecurityServiceInterface $securityService
+
+    ) {
+        $this->getUserPermissions();
+    }
+
+    /**
+     * @inheritDoc
+     */
+    protected function supports(string $attribute, mixed $subject): bool
+    {
+        return in_array($attribute, $this->userPermissions, true);
+    }
+
+    protected function voteOnAttribute(string $attribute, mixed $subject, TokenInterface $token): bool
+    {
+        if (!$this->securityService->getCurrentUser()->isAllowed($attribute)) {
+            throw new AccessDeniedException(sprintf('User does not have permission: %s', $attribute));
+        }
+
+        return true;
+    }
+
+    /**
+     * @throws AccessDeniedException
+     */
+    private function getUserPermissions(): void
+    {
+        $userPermissions = $this->cacheResolver->load(self::USER_PERMISSIONS_CACHE_KEY);
+
+        if($userPermissions !== false && is_array($userPermissions)) {
+            $this->userPermissions = $userPermissions;
+            return;
+        }
+
+        $userPermissions = $this->getUserPermissionsFromDataBase();
+
+        $this->cacheResolver->save(
+            $userPermissions,
+            self::USER_PERMISSIONS_CACHE_KEY
+        );
+
+        $this->userPermissions = $userPermissions;
+    }
+
+    private function getUserPermissionsFromDataBase(): array
+    {
+        try {
+            $userPermissions = $this->dbResolver->getConnection()->fetchFirstColumn(
+                'SELECT `key` FROM users_permission_definitions'
+            );
+        } catch (Exception) {
+            throw new AccessDeniedException('Cannot resolve user permissions');
+        }
+        return $userPermissions;
+    }
+}

src/Util/Constants/Permissions.php → src/Util/Constants/ElementPermissions.php

@@ -19,7 +19,7 @@
 /**
  * @internal
  */
-final class Permissions
+final class ElementPermissions
 {
     public const LIST_PERMISSION = 'list';
 

src/Util/Constants/UserPermissions.php

@@ -0,0 +1,27 @@
+<?php
+declare(strict_types=1);
+
+/**
+ * Pimcore
+ *
+ * This source file is available under two different licenses:
+ * - GNU General Public License version 3 (GPLv3)
+ * - Pimcore Commercial License (PCL)
+ * Full copyright and license information is available in
+ * LICENSE.md which is distributed with this source code.
+ *
+ *  @copyright  Copyright (c) Pimcore GmbH (http://www.pimcore.org)
+ *  @license    http://www.pimcore.org/license     GPLv3 and PCL
+ */
+
+namespace Pimcore\Bundle\StudioBackendBundle\Util\Constants;
+
+/**
+ * @internal
+ */
+enum UserPermissions: string
+{
+    case ASSETS = 'assets';
+    case DOCUMENTS = 'documents';
+    case OBJECTS = 'objects';
+}

src/Version/Controller/CollectionController.php

@@ -57,7 +57,7 @@ public function __construct(
 
     #[Route('/versions', name: 'pimcore_studio_api_versions', methods: ['GET'])]
     //#[IsGranted('STUDIO_API')]
-    #[GET(
+    #[Get(
         path: self::API_PATH . '/versions',
         operationId: 'getVersions',
         description: 'Get paginated versions',

src/Version/Controller/DeleteController.php

@@ -28,7 +28,7 @@
 use Pimcore\Bundle\StudioBackendBundle\OpenApi\Attributes\Response\SuccessResponse;
 use Pimcore\Bundle\StudioBackendBundle\OpenApi\Config\Tags;
 use Pimcore\Bundle\StudioBackendBundle\Security\Service\SecurityServiceInterface;
-use Pimcore\Bundle\StudioBackendBundle\Util\Constants\Permissions;
+use Pimcore\Bundle\StudioBackendBundle\Util\Constants\ElementPermissions;
 use Pimcore\Bundle\StudioBackendBundle\Version\RepositoryInterface;
 use Symfony\Component\HttpFoundation\JsonResponse;
 use Symfony\Component\Routing\Attribute\Route;
@@ -74,7 +74,7 @@ public function deleteVersion(int $id): JsonResponse
         $this->securityService->hasElementPermission(
             $version->getData(),
             $user,
-            Permissions::VERSIONS_PERMISSION
+            ElementPermissions::VERSIONS_PERMISSION
         );
         $version->delete();
 

src/Version/Controller/GetController.php

@@ -48,7 +48,7 @@ public function __construct(
 
     #[Route('/versions/{id}', name: 'pimcore_studio_api_get_version', methods: ['GET'])]
     //#[IsGranted('STUDIO_API')]
-    #[GET(
+    #[Get(
         path: self::API_PATH . '/versions/{id}',
         operationId: 'getVersionById',
         description: 'Get version based on the version ID',

src/Version/Controller/PublishController.php

@@ -48,7 +48,7 @@ public function __construct(
 
     #[Route('/versions/{id}', name: 'pimcore_studio_api_publish_version', methods: ['POST'])]
     //#[IsGranted('STUDIO_API')]
-    #[POST(
+    #[Post(
         path: self::API_PATH . '/versions/{id}',
         operationId: 'publishVersion',
         description: 'Publish element based on the version ID',

src/Version/Publisher/VersionPublisherService.php

@@ -20,7 +20,7 @@
 use Pimcore\Bundle\StudioBackendBundle\Exception\ElementPublishingFailedException;
 use Pimcore\Bundle\StudioBackendBundle\Exception\InvalidElementTypeException;
 use Pimcore\Bundle\StudioBackendBundle\Security\Service\SecurityServiceInterface;
-use Pimcore\Bundle\StudioBackendBundle\Util\Constants\Permissions;
+use Pimcore\Bundle\StudioBackendBundle\Util\Constants\ElementPermissions;
 use Pimcore\Bundle\StudioBackendBundle\Util\Traits\ElementProviderTrait;
 use Pimcore\Bundle\StudioBackendBundle\Version\RepositoryInterface;
 use Pimcore\Model\UserInterface;
@@ -61,7 +61,7 @@ public function publishVersion(
         $this->securityService->hasElementPermission(
             $currentElement,
             $user,
-            Permissions::PUBLISH_PERMISSION
+            ElementPermissions::PUBLISH_PERMISSION
         );
 
         $class = $this->getElementClass($currentElement);

src/Version/Repository.php

@@ -19,7 +19,7 @@
 use Pimcore\Bundle\StaticResolverBundle\Models\Version\VersionResolver;
 use Pimcore\Bundle\StudioBackendBundle\Exception\ElementNotFoundException;
 use Pimcore\Bundle\StudioBackendBundle\Security\Service\SecurityServiceInterface;
-use Pimcore\Bundle\StudioBackendBundle\Util\Constants\Permissions;
+use Pimcore\Bundle\StudioBackendBundle\Util\Constants\ElementPermissions;
 use Pimcore\Bundle\StudioBackendBundle\Util\Traits\ElementProviderTrait;
 use Pimcore\Bundle\StudioBackendBundle\Version\Request\VersionCleanupParameters;
 use Pimcore\Bundle\StudioBackendBundle\Version\Request\VersionParameters;
@@ -50,7 +50,7 @@ public function listVersions(
         $this->securityService->hasElementPermission(
             $element,
             $user,
-            Permissions::VERSIONS_PERMISSION
+            ElementPermissions::VERSIONS_PERMISSION
         );
 
         $limit = $parameters->getPageSize();
@@ -95,7 +95,7 @@ public function getElementFromVersion(
         $this->securityService->hasElementPermission(
             $element,
             $user,
-            Permissions::VERSIONS_PERMISSION
+            ElementPermissions::VERSIONS_PERMISSION
         );
 
         return $element;