Merge pull request #391 from nextcloud/fix/api_userSession

Replace userId with userSession->UID
This commit is contained in:
Jonas 2020-05-27 17:00:39 +02:00 committed by GitHub
commit b031e42e1f
2 changed files with 29 additions and 33 deletions


@ -74,8 +74,8 @@ class ApiController extends Controller {
/** @var IL10N */ /** @var IL10N */
private $l10n; private $l10n;
/** @var IUserSession */ /** @var IUser */
private $userSession; private $currentUser;
/** @var IUserManager */ /** @var IUserManager */
private $userManager; private $userManager;
@ -85,7 +85,6 @@ class ApiController extends Controller {
public function __construct(string $appName, public function __construct(string $appName,
IRequest $request, IRequest $request,
$userId, // TODO remove & replace with userSession below.
IUserSession $userSession, IUserSession $userSession,
IUserManager $userManager, IUserManager $userManager,
FormMapper $formMapper, FormMapper $formMapper,
@ -98,8 +97,6 @@ class ApiController extends Controller {
FormsService $formsService) { FormsService $formsService) {
parent::__construct($appName, $request); parent::__construct($appName, $request);
$this->appName = $appName; $this->appName = $appName;
$this->userId = $userId;
$this->userSession = $userSession;
$this->userManager = $userManager; $this->userManager = $userManager;
$this->formMapper = $formMapper; $this->formMapper = $formMapper;
$this->questionMapper = $questionMapper; $this->questionMapper = $questionMapper;
@ -111,6 +108,8 @@ class ApiController extends Controller {
$this->logger = $logger; $this->logger = $logger;
$this->l10n = $l10n; $this->l10n = $l10n;
$this->formsService = $formsService; $this->formsService = $formsService;
$this->currentUser = $userSession->getUser();
} }
/** /**
@ -119,7 +118,7 @@ class ApiController extends Controller {
* Read Form-List only with necessary information for Listing. * Read Form-List only with necessary information for Listing.
*/ */
public function getForms(): Http\JSONResponse { public function getForms(): Http\JSONResponse {
$forms = $this->formMapper->findAllByOwnerId($this->userId); $forms = $this->formMapper->findAllByOwnerId($this->currentUser->getUID());
$result = []; $result = [];
foreach ($forms as $form) { foreach ($forms as $form) {
@ -164,8 +163,7 @@ class ApiController extends Controller {
public function newForm(): Http\JSONResponse { public function newForm(): Http\JSONResponse {
$form = new Form(); $form = new Form();
$currentUser = \OC::$server->getUserSession()->getUser()->getUID(); $form->setOwnerId($this->currentUser->getUID());
$form->setOwnerId($currentUser);
$form->setCreated(time()); $form->setCreated(time());
$form->setHash(\OC::$server->getSecureRandom()->generate( $form->setHash(\OC::$server->getSecureRandom()->generate(
16, 16,
@ -207,7 +205,7 @@ class ApiController extends Controller {
return new Http\JSONResponse([], Http::STATUS_BAD_REQUEST); return new Http\JSONResponse([], Http::STATUS_BAD_REQUEST);
} }
if ($form->getOwnerId() !== $this->userId) { if ($form->getOwnerId() !== $this->currentUser->getUID()) {
$this->logger->debug('This form is not owned by the current user'); $this->logger->debug('This form is not owned by the current user');
return new Http\JSONResponse([], Http::STATUS_FORBIDDEN); return new Http\JSONResponse([], Http::STATUS_FORBIDDEN);
} }
@ -252,7 +250,7 @@ class ApiController extends Controller {
return new Http\JSONResponse([], Http::STATUS_BAD_REQUEST); return new Http\JSONResponse([], Http::STATUS_BAD_REQUEST);
} }
if ($form->getOwnerId() !== $this->userId) { if ($form->getOwnerId() !== $this->currentUser->getUID()) {
$this->logger->debug('This form is not owned by the current user'); $this->logger->debug('This form is not owned by the current user');
return new Http\JSONResponse([], Http::STATUS_FORBIDDEN); return new Http\JSONResponse([], Http::STATUS_FORBIDDEN);
} }
@ -287,7 +285,7 @@ class ApiController extends Controller {
return new Http\JSONResponse(['message' => 'Could not find form'], Http::STATUS_BAD_REQUEST); return new Http\JSONResponse(['message' => 'Could not find form'], Http::STATUS_BAD_REQUEST);
} }
if ($form->getOwnerId() !== $this->userId) { if ($form->getOwnerId() !== $this->currentUser->getUID()) {
$this->logger->debug('This form is not owned by the current user'); $this->logger->debug('This form is not owned by the current user');
return new Http\JSONResponse([], Http::STATUS_FORBIDDEN); return new Http\JSONResponse([], Http::STATUS_FORBIDDEN);
} }
@ -336,7 +334,7 @@ class ApiController extends Controller {
return new Http\JSONResponse(['message' => 'Could not find form'], Http::STATUS_BAD_REQUEST); return new Http\JSONResponse(['message' => 'Could not find form'], Http::STATUS_BAD_REQUEST);
} }
if ($form->getOwnerId() !== $this->userId) { if ($form->getOwnerId() !== $this->currentUser->getUID()) {
$this->logger->debug('This form is not owned by the current user'); $this->logger->debug('This form is not owned by the current user');
return new Http\JSONResponse([], Http::STATUS_FORBIDDEN); return new Http\JSONResponse([], Http::STATUS_FORBIDDEN);
} }
@ -425,7 +423,7 @@ class ApiController extends Controller {
return new Http\JSONResponse(['message' => 'Could not find form or question'], Http::STATUS_BAD_REQUEST); return new Http\JSONResponse(['message' => 'Could not find form or question'], Http::STATUS_BAD_REQUEST);
} }
if ($form->getOwnerId() !== $this->userId) { if ($form->getOwnerId() !== $this->currentUser->getUID()) {
$this->logger->debug('This form is not owned by the current user'); $this->logger->debug('This form is not owned by the current user');
return new Http\JSONResponse([], Http::STATUS_FORBIDDEN); return new Http\JSONResponse([], Http::STATUS_FORBIDDEN);
} }
@ -461,7 +459,7 @@ class ApiController extends Controller {
return new Http\JSONResponse(['message' => 'Could not find form or question'], Http::STATUS_BAD_REQUEST); return new Http\JSONResponse(['message' => 'Could not find form or question'], Http::STATUS_BAD_REQUEST);
} }
if ($form->getOwnerId() !== $this->userId) { if ($form->getOwnerId() !== $this->currentUser->getUID()) {
$this->logger->debug('This form is not owned by the current user'); $this->logger->debug('This form is not owned by the current user');
return new Http\JSONResponse([], Http::STATUS_FORBIDDEN); return new Http\JSONResponse([], Http::STATUS_FORBIDDEN);
} }
@ -503,7 +501,7 @@ class ApiController extends Controller {
return new Http\JSONResponse(['message' => 'Could not find form or question'], Http::STATUS_BAD_REQUEST); return new Http\JSONResponse(['message' => 'Could not find form or question'], Http::STATUS_BAD_REQUEST);
} }
if ($form->getOwnerId() !== $this->userId) { if ($form->getOwnerId() !== $this->currentUser->getUID()) {
$this->logger->debug('This form is not owned by the current user'); $this->logger->debug('This form is not owned by the current user');
return new Http\JSONResponse([], Http::STATUS_FORBIDDEN); return new Http\JSONResponse([], Http::STATUS_FORBIDDEN);
} }
@ -542,7 +540,7 @@ class ApiController extends Controller {
return new Http\JSONResponse(['message' => 'Could not find option, question or form'], Http::STATUS_BAD_REQUEST); return new Http\JSONResponse(['message' => 'Could not find option, question or form'], Http::STATUS_BAD_REQUEST);
} }
if ($form->getOwnerId() !== $this->userId) { if ($form->getOwnerId() !== $this->currentUser->getUID()) {
$this->logger->debug('This form is not owned by the current user'); $this->logger->debug('This form is not owned by the current user');
return new Http\JSONResponse([], Http::STATUS_FORBIDDEN); return new Http\JSONResponse([], Http::STATUS_FORBIDDEN);
} }
@ -574,7 +572,7 @@ class ApiController extends Controller {
return new Http\JSONResponse(['message' => 'Could not find form or option'], Http::STATUS_BAD_REQUEST); return new Http\JSONResponse(['message' => 'Could not find form or option'], Http::STATUS_BAD_REQUEST);
} }
if ($form->getOwnerId() !== $this->userId) { if ($form->getOwnerId() !== $this->currentUser->getUID()) {
$this->logger->debug('This form is not owned by the current user'); $this->logger->debug('This form is not owned by the current user');
return new Http\JSONResponse([], Http::STATUS_FORBIDDEN); return new Http\JSONResponse([], Http::STATUS_FORBIDDEN);
} }
@ -614,7 +612,7 @@ class ApiController extends Controller {
return new Http\JSONResponse(['message' => 'Could not find form'], Http::STATUS_BAD_REQUEST); return new Http\JSONResponse(['message' => 'Could not find form'], Http::STATUS_BAD_REQUEST);
} }
if ($form->getOwnerId() !== $this->userId) { if ($form->getOwnerId() !== $this->currentUser->getUID()) {
$this->logger->debug('This form is not owned by the current user'); $this->logger->debug('This form is not owned by the current user');
return new Http\JSONResponse([], Http::STATUS_FORBIDDEN); return new Http\JSONResponse([], Http::STATUS_FORBIDDEN);
} }
@ -710,14 +708,13 @@ class ApiController extends Controller {
$submission = new Submission(); $submission = new Submission();
$submission->setFormId($formId); $submission->setFormId($formId);
$submission->setTimestamp(time()); $submission->setTimestamp(time());
$user = $this->userSession->getUser();
// If not logged in or anonymous use anonID // If not logged in or anonymous use anonID
if (!$user || $form->getIsAnonymous()) { if (!$this->currentUser || $form->getIsAnonymous()) {
$anonID = "anon-user-". hash('md5', (time() + rand())); $anonID = "anon-user-". hash('md5', (time() + rand()));
$submission->setUserId($anonID); $submission->setUserId($anonID);
} else { } else {
$submission->setUserId($user->getUID()); $submission->setUserId($this->currentUser->getUID());
} }
// Insert new submission // Insert new submission
@ -777,7 +774,7 @@ class ApiController extends Controller {
return new Http\JSONResponse([], Http::STATUS_BAD_REQUEST); return new Http\JSONResponse([], Http::STATUS_BAD_REQUEST);
} }
if ($form->getOwnerId() !== $this->userId) { if ($form->getOwnerId() !== $this->currentUser->getUID()) {
$this->logger->debug('This form is not owned by the current user'); $this->logger->debug('This form is not owned by the current user');
return new Http\JSONResponse([], Http::STATUS_FORBIDDEN); return new Http\JSONResponse([], Http::STATUS_FORBIDDEN);
} }
@ -803,7 +800,7 @@ class ApiController extends Controller {
return new Http\JSONResponse([], Http::STATUS_BAD_REQUEST); return new Http\JSONResponse([], Http::STATUS_BAD_REQUEST);
} }
if ($form->getOwnerId() !== $this->userId) { if ($form->getOwnerId() !== $this->currentUser->getUID()) {
$this->logger->debug('This form is not owned by the current user'); $this->logger->debug('This form is not owned by the current user');
return new Http\JSONResponse([], Http::STATUS_FORBIDDEN); return new Http\JSONResponse([], Http::STATUS_FORBIDDEN);
} }
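Review bot: `$this->currentUser = $userSession->getUser()` in the constructor can be null when no user is logged in, yet every ownership check in this file (`if ($form->getOwnerId() !== $this->currentUser->getUID())`, first at the `-207,7 +205,7` hunk and repeated in the later ones) now dereferences it unconditionally, so an unauthenticated request that reaches one of these actions ends in a fatal "call to a member function on null" rather than the 403 the old `$this->userId` comparison produced; the submission hunk does test `!$this->currentUser`, so the null case is clearly expected. Whether such a request can reach these methods depends on the route annotations, which lie outside the hunks. The property docblock should read `@var IUser|null` to match the nullable return of `IUserSession::getUser()`, and the repeated comparison would be safer as one helper, e.g. `private function isOwner(Form $form): bool { return $this->currentUser !== null && $form->getOwnerId() === $this->currentUser->getUID(); }`, used at each check. Unrelated to this change but on a context line of the submission hunk, the anonymous submitter id is derived from `time() + rand()`, which is predictable; the `ISecureRandom` service already used in `newForm()` is the appropriate source.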


@ -60,8 +60,8 @@ class FormsService {
/** @var IUserManager */ /** @var IUserManager */
private $userManager; private $userManager;
/** @var IUserSession */ /** @var IUser */
private $userSession; private $currentUser;
/** @var ILogger */ /** @var ILogger */
private $logger; private $logger;
@ -80,8 +80,9 @@ class FormsService {
$this->submissionMapper = $submissionMapper; $this->submissionMapper = $submissionMapper;
$this->groupManager = $groupManager; $this->groupManager = $groupManager;
$this->userManager = $userManager; $this->userManager = $userManager;
$this->userSession = $userSession;
$this->logger = $logger; $this->logger = $logger;
$this->currentUser = $userSession->getUser();
} }
@ -162,7 +163,6 @@ class FormsService {
public function canSubmit($formId) { public function canSubmit($formId) {
$form = $this->formMapper->findById($formId); $form = $this->formMapper->findById($formId);
$access = $form->getAccess(); $access = $form->getAccess();
$user = $this->userSession->getUser();
// We cannot control how many time users can submit in public mode // We cannot control how many time users can submit in public mode
if ($access['type'] === 'public') { if ($access['type'] === 'public') {
@ -173,7 +173,7 @@ class FormsService {
if ($form->getSubmitOnce()) { if ($form->getSubmitOnce()) {
$participants = $this->submissionMapper->findParticipantsByForm($form->getId()); $participants = $this->submissionMapper->findParticipantsByForm($form->getId());
foreach ($participants as $participant) { foreach ($participants as $participant) {
if ($participant === $user->getUID()) { if ($participant === $this->currentUser->getUID()) {
return false; return false;
} }
} }
@ -192,19 +192,18 @@ class FormsService {
$form = $this->formMapper->findById($formId); $form = $this->formMapper->findById($formId);
$access = $form->getAccess(); $access = $form->getAccess();
$ownerId = $form->getOwnerId(); $ownerId = $form->getOwnerId();
$user = $this->userSession->getUser();
if ($access['type'] === 'public') { if ($access['type'] === 'public') {
return true; return true;
} }
// Refuse access, if not public and no user logged in. // Refuse access, if not public and no user logged in.
if (!$user) { if (!$this->currentUser) {
return false; return false;
} }
// Always grant access to owner. // Always grant access to owner.
if ($ownerId === $user->getUID()) { if ($ownerId === $this->currentUser->getUID()) {
return true; return true;
} }
@ -215,13 +214,13 @@ class FormsService {
// Selected Access remains. // Selected Access remains.
// Grant Access, if user is in users-Array. // Grant Access, if user is in users-Array.
if (in_array($user->getUID(), $access['users'])) { if (in_array($this->currentUser->getUID(), $access['users'])) {
return true; return true;
} }
// Check if access granted by group. // Check if access granted by group.
foreach ($access['groups'] as $group) { foreach ($access['groups'] as $group) {
if ($this->groupManager->isInGroup($user->getUID(), $group)) { if ($this->groupManager->isInGroup($this->currentUser->getUID(), $group)) {
return true; return true;
} }
} }