Merge pull request #391 from nextcloud/fix/api_userSession

Replace userId with userSession->UID
Jonas 2020-05-27 17:00:39 +02:00 committed by GitHub
commit b031e42e1f
GPG key ID: 4AEE18F83AFDEB23
2 changed files with 29 additions and 33 deletions


@ -74,8 +74,8 @@ class ApiController extends Controller {
/** @var IL10N */
private $l10n;
/** @var IUserSession */
private $userSession;
/** @var IUser */
private $currentUser;
/** @var IUserManager */
private $userManager;
@ -85,7 +85,6 @@ class ApiController extends Controller {
public function __construct(string $appName,
IRequest $request,
$userId, // TODO remove & replace with userSession below.
IUserSession $userSession,
IUserManager $userManager,
FormMapper $formMapper,
@ -98,8 +97,6 @@ class ApiController extends Controller {
FormsService $formsService) {
parent::__construct($appName, $request);
$this->appName = $appName;
$this->userId = $userId;
$this->userSession = $userSession;
$this->userManager = $userManager;
$this->formMapper = $formMapper;
$this->questionMapper = $questionMapper;
@ -111,6 +108,8 @@ class ApiController extends Controller {
$this->logger = $logger;
$this->l10n = $l10n;
$this->formsService = $formsService;
$this->currentUser = $userSession->getUser();
}
/**
@ -119,7 +118,7 @@ class ApiController extends Controller {
* Read Form-List only with necessary information for Listing.
*/
public function getForms(): Http\JSONResponse {
$forms = $this->formMapper->findAllByOwnerId($this->userId);
$forms = $this->formMapper->findAllByOwnerId($this->currentUser->getUID());
$result = [];
foreach ($forms as $form) {
@ -164,8 +163,7 @@ class ApiController extends Controller {
public function newForm(): Http\JSONResponse {
$form = new Form();
$currentUser = \OC::$server->getUserSession()->getUser()->getUID();
$form->setOwnerId($currentUser);
$form->setOwnerId($this->currentUser->getUID());
$form->setCreated(time());
$form->setHash(\OC::$server->getSecureRandom()->generate(
16,
@ -207,7 +205,7 @@ class ApiController extends Controller {
return new Http\JSONResponse([], Http::STATUS_BAD_REQUEST);
}
if ($form->getOwnerId() !== $this->userId) {
if ($form->getOwnerId() !== $this->currentUser->getUID()) {
$this->logger->debug('This form is not owned by the current user');
return new Http\JSONResponse([], Http::STATUS_FORBIDDEN);
}
@ -252,7 +250,7 @@ class ApiController extends Controller {
return new Http\JSONResponse([], Http::STATUS_BAD_REQUEST);
}
if ($form->getOwnerId() !== $this->userId) {
if ($form->getOwnerId() !== $this->currentUser->getUID()) {
$this->logger->debug('This form is not owned by the current user');
return new Http\JSONResponse([], Http::STATUS_FORBIDDEN);
}
@ -287,7 +285,7 @@ class ApiController extends Controller {
return new Http\JSONResponse(['message' => 'Could not find form'], Http::STATUS_BAD_REQUEST);
}
if ($form->getOwnerId() !== $this->userId) {
if ($form->getOwnerId() !== $this->currentUser->getUID()) {
$this->logger->debug('This form is not owned by the current user');
return new Http\JSONResponse([], Http::STATUS_FORBIDDEN);
}
@ -336,7 +334,7 @@ class ApiController extends Controller {
return new Http\JSONResponse(['message' => 'Could not find form'], Http::STATUS_BAD_REQUEST);
}
if ($form->getOwnerId() !== $this->userId) {
if ($form->getOwnerId() !== $this->currentUser->getUID()) {
$this->logger->debug('This form is not owned by the current user');
return new Http\JSONResponse([], Http::STATUS_FORBIDDEN);
}
@ -425,7 +423,7 @@ class ApiController extends Controller {
return new Http\JSONResponse(['message' => 'Could not find form or question'], Http::STATUS_BAD_REQUEST);
}
if ($form->getOwnerId() !== $this->userId) {
if ($form->getOwnerId() !== $this->currentUser->getUID()) {
$this->logger->debug('This form is not owned by the current user');
return new Http\JSONResponse([], Http::STATUS_FORBIDDEN);
}
@ -461,7 +459,7 @@ class ApiController extends Controller {
return new Http\JSONResponse(['message' => 'Could not find form or question'], Http::STATUS_BAD_REQUEST);
}
if ($form->getOwnerId() !== $this->userId) {
if ($form->getOwnerId() !== $this->currentUser->getUID()) {
$this->logger->debug('This form is not owned by the current user');
return new Http\JSONResponse([], Http::STATUS_FORBIDDEN);
}
@ -503,7 +501,7 @@ class ApiController extends Controller {
return new Http\JSONResponse(['message' => 'Could not find form or question'], Http::STATUS_BAD_REQUEST);
}
if ($form->getOwnerId() !== $this->userId) {
if ($form->getOwnerId() !== $this->currentUser->getUID()) {
$this->logger->debug('This form is not owned by the current user');
return new Http\JSONResponse([], Http::STATUS_FORBIDDEN);
}
@ -542,7 +540,7 @@ class ApiController extends Controller {
return new Http\JSONResponse(['message' => 'Could not find option, question or form'], Http::STATUS_BAD_REQUEST);
}
if ($form->getOwnerId() !== $this->userId) {
if ($form->getOwnerId() !== $this->currentUser->getUID()) {
$this->logger->debug('This form is not owned by the current user');
return new Http\JSONResponse([], Http::STATUS_FORBIDDEN);
}
@ -574,7 +572,7 @@ class ApiController extends Controller {
return new Http\JSONResponse(['message' => 'Could not find form or option'], Http::STATUS_BAD_REQUEST);
}
if ($form->getOwnerId() !== $this->userId) {
if ($form->getOwnerId() !== $this->currentUser->getUID()) {
$this->logger->debug('This form is not owned by the current user');
return new Http\JSONResponse([], Http::STATUS_FORBIDDEN);
}
@ -614,7 +612,7 @@ class ApiController extends Controller {
return new Http\JSONResponse(['message' => 'Could not find form'], Http::STATUS_BAD_REQUEST);
}
if ($form->getOwnerId() !== $this->userId) {
if ($form->getOwnerId() !== $this->currentUser->getUID()) {
$this->logger->debug('This form is not owned by the current user');
return new Http\JSONResponse([], Http::STATUS_FORBIDDEN);
}
@ -710,14 +708,13 @@ class ApiController extends Controller {
$submission = new Submission();
$submission->setFormId($formId);
$submission->setTimestamp(time());
$user = $this->userSession->getUser();
// If not logged in or anonymous use anonID
if (!$user || $form->getIsAnonymous()) {
if (!$this->currentUser || $form->getIsAnonymous()) {
$anonID = "anon-user-". hash('md5', (time() + rand()));
$submission->setUserId($anonID);
} else {
$submission->setUserId($user->getUID());
$submission->setUserId($this->currentUser->getUID());
}
// Insert new submission
@ -777,7 +774,7 @@ class ApiController extends Controller {
return new Http\JSONResponse([], Http::STATUS_BAD_REQUEST);
}
if ($form->getOwnerId() !== $this->userId) {
if ($form->getOwnerId() !== $this->currentUser->getUID()) {
$this->logger->debug('This form is not owned by the current user');
return new Http\JSONResponse([], Http::STATUS_FORBIDDEN);
}
@ -803,7 +800,7 @@ class ApiController extends Controller {
return new Http\JSONResponse([], Http::STATUS_BAD_REQUEST);
}
if ($form->getOwnerId() !== $this->userId) {
if ($form->getOwnerId() !== $this->currentUser->getUID()) {
$this->logger->debug('This form is not owned by the current user');
return new Http\JSONResponse([], Http::STATUS_FORBIDDEN);
}
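Review bot: The ownership checks rewritten throughout this section (`if ($form->getOwnerId() !== $this->currentUser->getUID())` in the hunks at -207, -252, -287 and every later one) dereference `$this->currentUser` with no null guard, while the hunk at -710 still tests `!$this->currentUser`, so the same class treats the property as nullable; where the old `$this->userId` comparison simply failed closed, a request that reaches these methods without a session (whether that can happen depends on the route annotations, which are outside the hunks) now dies with an Error inside `getUID()` instead of returning STATUS_FORBIDDEN. A guard of the form `if ($this->currentUser === null || $form->getOwnerId() !== $this->currentUser->getUID()) {` keeps the deny path explicit, and since the identical three lines recur in a dozen methods they belong in one private `isOwner()` helper rather than being copied again. The docblock in the first hunk should read `/** @var IUser|null */` to match what `$userSession->getUser()` can return. The `$userId` constructor parameter and its `// TODO remove & replace with userSession below.` comment survive although `$this->userId = $userId` is gone, so the parameter is now dead and the TODO should be resolved by dropping it.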


@ -60,8 +60,8 @@ class FormsService {
/** @var IUserManager */
private $userManager;
/** @var IUserSession */
private $userSession;
/** @var IUser */
private $currentUser;
/** @var ILogger */
private $logger;
@ -80,8 +80,9 @@ class FormsService {
$this->submissionMapper = $submissionMapper;
$this->groupManager = $groupManager;
$this->userManager = $userManager;
$this->userSession = $userSession;
$this->logger = $logger;
$this->currentUser = $userSession->getUser();
}
@ -162,7 +163,6 @@ class FormsService {
public function canSubmit($formId) {
$form = $this->formMapper->findById($formId);
$access = $form->getAccess();
$user = $this->userSession->getUser();
// We cannot control how many time users can submit in public mode
if ($access['type'] === 'public') {
@ -173,7 +173,7 @@ class FormsService {
if ($form->getSubmitOnce()) {
$participants = $this->submissionMapper->findParticipantsByForm($form->getId());
foreach ($participants as $participant) {
if ($participant === $user->getUID()) {
if ($participant === $this->currentUser->getUID()) {
return false;
}
}
@ -192,19 +192,18 @@ class FormsService {
$form = $this->formMapper->findById($formId);
$access = $form->getAccess();
$ownerId = $form->getOwnerId();
$user = $this->userSession->getUser();
if ($access['type'] === 'public') {
return true;
}
// Refuse access, if not public and no user logged in.
if (!$user) {
if (!$this->currentUser) {
return false;
}
// Always grant access to owner.
if ($ownerId === $user->getUID()) {
if ($ownerId === $this->currentUser->getUID()) {
return true;
}
@ -215,13 +214,13 @@ class FormsService {
// Selected Access remains.
// Grant Access, if user is in users-Array.
if (in_array($user->getUID(), $access['users'])) {
if (in_array($this->currentUser->getUID(), $access['users'])) {
return true;
}
// Check if access granted by group.
foreach ($access['groups'] as $group) {
if ($this->groupManager->isInGroup($user->getUID(), $group)) {
if ($this->groupManager->isInGroup($this->currentUser->getUID(), $group)) {
return true;
}
}
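Review bot: The rewritten membership test in the last hunk, `in_array($this->currentUser->getUID(), $access['users'])`, still compares user IDs loosely; since this line decides access it should pass the strict flag, `if (in_array($this->currentUser->getUID(), $access['users'], true)) {`, so a user ID only matches an identical string. Resolving `$this->currentUser = $userSession->getUser()` once in the constructor (hunk at -80) means the service carries whichever user was logged in when it was built, which is fine for a per-request service but is an assumption worth stating on that line, e.g. `// Resolved once per request; this service must not be reused across sessions.`, and the matching docblock should be `/** @var IUser|null */` since `hasUserAccess` explicitly checks `!$this->currentUser`. `canSubmit` (hunk at -173) calls `$this->currentUser->getUID()` without that null check, as the old `$user->getUID()` already did; if a submit-once form can be reached without a session this is an Error rather than a `false`, so the check is worth adding while the line is being touched. The body of `hasUserAccess` continues outside the last hunk.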