vendor/shopware/core/Framework/DataAbstractionLayer/EntityProtection/EntityProtectionValidator.php line 69

Open in your IDE?
  1. <?php declare(strict_types=1);
  3. namespace Shopware\Core\Framework\DataAbstractionLayer\EntityProtection;
  5. use Shopware\Core\Framework\Context;
  6. use Shopware\Core\Framework\DataAbstractionLayer\EntityDefinition;
  7. use Shopware\Core\Framework\DataAbstractionLayer\Event\EntitySearchedEvent;
  8. use Shopware\Core\Framework\DataAbstractionLayer\Field\AssociationField;
  9. use Shopware\Core\Framework\DataAbstractionLayer\Search\Criteria;
  10. use Shopware\Core\Framework\DataAbstractionLayer\Write\Validation\PreWriteValidationEvent;
  11. use Symfony\Component\EventDispatcher\EventSubscriberInterface;
  12. use Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException;
  14. class EntityProtectionValidator implements EventSubscriberInterface
  15. {
  16.     public static function getSubscribedEvents()
  17.     {
  18.         return [
  19.             PreWriteValidationEvent::class => 'validateWriteCommands',
  20.             EntitySearchedEvent::class => 'validateEntitySearch',
  21.         ];
  22.     }
  24.     /**
  25.      * @param string[] $protections FQCN of the protections that need to be validated
  26.      */
  27.     public function validateEntityPath(array $pathSegments, array $protectionsContext $context): void
  28.     {
  29.         foreach ($pathSegments as $pathSegment) {
  30.             /** @var EntityDefinition $definition */
  31.             $definition $pathSegment['definition'];
  33.             foreach ($protections as $protection) {
  34.                 $protectionInstance $definition->getProtections()->get($protection);
  35.                 if (!$protectionInstance || $protectionInstance->isAllowed($context->getScope())) {
  36.                     continue;
  37.                 }
  39.                 throw new AccessDeniedHttpException(
  40.                     sprintf('API access for entity "%s" not allowed.'$pathSegment['entity'])
  41.                 );
  42.             }
  43.         }
  44.     }
  46.     public function validateEntitySearch(EntitySearchedEvent $event): void
  47.     {
  48.         $definition $event->getDefinition();
  49.         $readProtection $definition->getProtections()->get(ReadProtection::class);
  50.         $context $event->getContext();
  52.         if ($readProtection && !$readProtection->isAllowed($context->getScope())) {
  53.             throw new AccessDeniedHttpException(
  54.                 sprintf(
  55.                     'Read access to entity "%s" not allowed for scope "%s".',
  56.                     $definition->getEntityName(),
  57.                     $context->getScope()
  58.                 )
  59.             );
  60.         }
  62.         $this->validateCriteriaAssociation(
  63.             $definition,
  64.             $event->getCriteria()->getAssociations(),
  65.             $context
  66.         );
  67.     }
  69.     public function validateWriteCommands(PreWriteValidationEvent $event): void
  70.     {
  71.         foreach ($event->getCommands() as $command) {
  72.             // Don't validate commands that fake operations on DB level, e.g. cascade deletes
  73.             if (!$command->isValid()) {
  74.                 continue;
  75.             }
  77.             $writeProtection $command->getDefinition()->getProtections()->get(WriteProtection::class);
  78.             if ($writeProtection && !$writeProtection->isAllowed($event->getContext()->getScope())) {
  79.                 throw new AccessDeniedHttpException(
  80.                     sprintf(
  81.                         'Write access to entity "%s" are not allowed in scope "%s".',
  82.                         $command->getDefinition()->getEntityName(),
  83.                         $event->getContext()->getScope()
  84.                     )
  85.                 );
  86.             }
  87.         }
  88.     }
  90.     private function validateCriteriaAssociation(EntityDefinition $definition, array $associationsContext $context): void
  91.     {
  92.         /** @var Criteria $criteria */
  93.         foreach ($associations as $associationName => $criteria) {
  94.             $field $definition->getField($associationName);
  95.             if (!$field instanceof AssociationField) {
  96.                 continue;
  97.             }
  99.             $associationDefinition $field->getReferenceDefinition();
  100.             $readProtection $associationDefinition->getProtections()->get(ReadProtection::class);
  101.             if ($readProtection && !$readProtection->isAllowed($context->getScope())) {
  102.                 throw new AccessDeniedHttpException(
  103.                     sprintf(
  104.                         'Read access to nested association "%s" on entity "%s" not allowed for scope "%s".',
  105.                         $associationName,
  106.                         $definition->getEntityName(),
  107.                         $context->getScope()
  108.                     )
  109.                 );
  110.             }
  112.             $this->validateCriteriaAssociation($associationDefinition$criteria->getAssociations(), $context);
  113.         }
  114.     }
  115. }