added permission checking for querying content types

darryldecode · darryldecode · commit 4f238b01d6b8 · 2015-08-01T20:23:24.000-07:00
diff --git a/src/Darryldecode/Backend/Components/ContentBuilder/Commands/QueryContentCommand.php b/src/Darryldecode/Backend/Components/ContentBuilder/Commands/QueryContentCommand.php
@@ -64,6 +64,8 @@ public function handle(Dispatcher $dispatcher, ContentType $contentType, Content
         // fire before query
         $dispatcher->fire('content.beforeQuery', array($this->args));
 
+        /** @todo add permission check here: {contentType}.manage */
+
         // query
         $results = $this->query($contentType, $content, $config);
 
@@ -104,12 +106,24 @@ private function query($contentType, $content, $config)
 
         if( !is_null($this->id) && ($this->id != '') )
         {
-            return $q->find($this->id);
+            $result = $q->find($this->id);
         }
         else
         {
-            return $q->ofSlug($this->slug)->ofTitle($this->title)->first();
+            $result = $q->ofSlug($this->slug)->ofTitle($this->title)->first();
+        }
+
+        if( ! $this->disablePermissionChecking )
+        {
+            $requiredPermission = $result->type->type.'.manage';
+
+            if( ! $this->user->hasAnyPermission([$requiredPermission]) )
+            {
+                return new CommandResult(false, "Not enough permission.", null, 403);
+            }
         }
+
+        return $result;
     }
 
     /**
@@ -119,7 +133,11 @@ private function query($contentType, $content, $config)
      */
     protected function createContentModel($content, $config)
     {
-        $contentModelUsed = $config->get('backend.backend.content_model');
+        if( ! $contentModelUsed = $config->get('backend.backend.content_model') )
+        {
+            return $content;
+        };
+
         $contentModelUsed = new $contentModelUsed();
 
         if( $contentModelUsed instanceof Content )
diff --git a/src/Darryldecode/Backend/Components/ContentBuilder/Commands/QueryContentTypeCommand.php b/src/Darryldecode/Backend/Components/ContentBuilder/Commands/QueryContentTypeCommand.php
@@ -42,6 +42,15 @@ public function handle(ContentType $contentType, Dispatcher $dispatcher)
         // begin before query
         $dispatcher->fire('contentType.beforeQuery', array($this->args));
 
+        // check if has permission
+        if( ! $this->disablePermissionChecking )
+        {
+            if( ! $this->user->hasAnyPermission(['contentBuilder.manage']) )
+            {
+                return new CommandResult(false, "Not enough permission.", null, 403);
+            }
+        }
+
         // begin query
         $results = $contentType->with(array('terms.taxonomy','taxonomies','taxonomies.terms','formGroups'))->ofType($this->type)->get();
 
diff --git a/src/Darryldecode/Backend/Components/ContentBuilder/Commands/QueryContentsCommand.php b/src/Darryldecode/Backend/Components/ContentBuilder/Commands/QueryContentsCommand.php
@@ -131,6 +131,8 @@ public function handle(Dispatcher $dispatcher, ContentType $contentType, Content
         // fire before query
         $dispatcher->fire('contents.beforeQuery', array($this->args));
 
+        /** @todo add permission check here: {contentType}.manage */
+
         // query
         $results = $this->query($contentType, $content, $config);
 
@@ -175,8 +177,9 @@ protected function query($contentType, $content, $config)
             $q->where('author_id', $this->authorId);
         }
 
-        // check if type is provided so we can include it in our query conditions
-        if( !is_null($this->type) && ($this->type != '') )
+        // check if type is provided, we need to provide content type
+        // we will not allow to query all of contents
+        if( ! is_null($this->type) && ($this->type != '') )
         {
             if( is_numeric($this->type) )
             {
@@ -193,8 +196,23 @@ protected function query($contentType, $content, $config)
                 {
                     $q->where('type',$cType->type);
                 });
+
+                // let's check first if the user querying has the permission to access this kind of content
+                if( ! $this->disablePermissionChecking )
+                {
+                    $requiredPermission = $cType->type.'.manage';
+
+                    if( ! $this->user->hasAnyPermission([$requiredPermission]) )
+                    {
+                        return new CommandResult(false, "Not enough permission.", null, 403);
+                    }
+                }
             }
         }
+        else
+        {
+            return new CommandResult(false, "Content Type should be provided.", null, 400);
+        }
 
         // check if terms are provided so we can include it in query conditions
         if( !is_null($this->terms) && ($this->terms != '') )
@@ -306,7 +324,11 @@ private function extractTerms($terms)
      */
     protected function createContentModel($content, $config)
     {
-        $contentModelUsed = $config->get('backend.backend.content_model');
+        if( ! $contentModelUsed = $config->get('backend.backend.content_model') )
+        {
+            return $content;
+        };
+
         $contentModelUsed = new $contentModelUsed();
 
         if( $contentModelUsed instanceof Content )
