Fixes #4979 -- Prevent editing Super Admin and add test suite.
This commit is contained in:
parent
54dc25944d
commit
b7a7d8e2a1
|
@ -31,7 +31,7 @@
|
|||
</div>
|
||||
</template>
|
||||
<template #cell(actions)="row">
|
||||
<b-button-group size="sm">
|
||||
<b-button-group size="sm" v-if="!row.item.is_super_admin">
|
||||
<b-button size="sm" variant="primary" @click.prevent="doEdit(row.item.links.self)">
|
||||
<translate key="lang_btn_edit">Edit</translate>
|
||||
</b-button>
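Review bot: The `v-if="!row.item.is_super_admin"` on the button group is a UX affordance only; the real control is the server-side rejection in `RolesController`, which is fine, but the flag it keys on is produced by `viewRecord` on the backend and it is not visible here whether the list endpoint that populates `row.item` passes each row through that method. If it does not, `row.item.is_super_admin` is undefined, the group is shown for the Super Administrator row, and the user sees a request error instead of a hidden button. Worth confirming that the roles list response carries `is_super_admin: true` for that row. The enclosing `<b-button-group>` closes outside this hunk.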
|
||||
|
|
|
@ -17,7 +17,6 @@ use Psr\Http\Message\ResponseInterface;
|
|||
use Stringable;
|
||||
use Symfony\Component\Serializer\Normalizer\AbstractNormalizer;
|
||||
use Symfony\Component\Serializer\Normalizer\AbstractObjectNormalizer;
|
||||
use Symfony\Component\Serializer\Normalizer\ObjectNormalizer;
|
||||
use Symfony\Component\Serializer\Serializer;
|
||||
use Symfony\Component\Validator\Validator\ValidatorInterface;
|
||||
|
||||
|
@ -90,6 +89,7 @@ abstract class AbstractApiCrudController
|
|||
),
|
||||
];
|
||||
}
|
||||
|
||||
return $return;
|
||||
}
|
||||
|
||||
|
|
|
@ -140,6 +140,8 @@ class RolesController extends AbstractAdminApiCrudController
|
|||
protected string $entityClass = Entity\Role::class;
|
||||
protected string $resourceRouteName = 'api:admin:role';
|
||||
|
||||
protected Entity\Role $superAdminRole;
|
||||
|
||||
public function __construct(
|
||||
protected Acl $acl,
|
||||
protected Entity\Repository\RolePermissionRepository $permissionRepo,
|
||||
|
@ -148,6 +150,8 @@ class RolesController extends AbstractAdminApiCrudController
|
|||
ValidatorInterface $validator
|
||||
) {
|
||||
parent::__construct($em, $serializer, $validator);
|
||||
|
||||
$this->superAdminRole = $permissionRepo->ensureSuperAdministratorRole();
|
||||
}
|
||||
|
||||
/**
|
||||
|
@ -179,14 +183,36 @@ class RolesController extends AbstractAdminApiCrudController
|
|||
return $this->listPaginatedFromQuery($request, $response, $qb->getQuery());
|
||||
}
|
||||
|
||||
protected function viewRecord(object $record, ServerRequest $request): mixed
|
||||
{
|
||||
$result = parent::viewRecord($record, $request);
|
||||
|
||||
if ($record instanceof Entity\Role) {
|
||||
$result['is_super_admin'] = $record->getIdRequired() === $this->superAdminRole->getIdRequired();
|
||||
}
|
||||
|
||||
return $result;
|
||||
}
|
||||
|
||||
protected function editRecord(?array $data, ?object $record = null, array $context = []): object
|
||||
{
|
||||
if (
|
||||
$record instanceof Entity\Role
|
||||
&& $this->superAdminRole->getIdRequired() === $record->getIdRequired()
|
||||
) {
|
||||
throw new RuntimeException('Cannot modify the Super Administrator role.');
|
||||
}
|
||||
|
||||
return parent::editRecord($data, $record, $context);
|
||||
}
|
||||
|
||||
protected function deleteRecord(object $record): void
|
||||
{
|
||||
if (!($record instanceof Entity\Role)) {
|
||||
throw new InvalidArgumentException(sprintf('Record must be an instance of %s.', $this->entityClass));
|
||||
}
|
||||
|
||||
$superAdminRole = $this->permissionRepo->ensureSuperAdministratorRole();
|
||||
if ($superAdminRole->getIdRequired() === $record->getIdRequired()) {
|
||||
if ($this->superAdminRole->getIdRequired() === $record->getIdRequired()) {
|
||||
throw new RuntimeException('Cannot remove the Super Administrator role.');
|
||||
}
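Review bot: The guard added in `editRecord` compares role IDs only, so it blocks PUT/DELETE on the Super Administrator record but not a POST that creates a second role with the same name — the fixture rename in the test file (`'Super Administrator'` → `'Generic Admin'`) hints the name matters, and if `ensureSuperAdministratorRole()` resolves the role by name (not visible here) a duplicate could make that lookup ambiguous; consider also rejecting a `$data['name']` equal to the super admin role's name when `$record` is null. Both guards throw a bare `RuntimeException` while the accompanying test asserts a 4xx, so the status code depends on the error handler's mapping of that class; an explicit validation-style exception would make the contract independent of that mapping. The new methods carry no docblocks — I would add `/** Marks the Super Administrator role in API output so the UI can hide its edit/delete controls. */` on `viewRecord` and `/** Rejects updates to the Super Administrator role; creation ($record === null) is unaffected. */` on `editRecord`. `deleteRecord` continues past the end of this hunk.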
|
||||
|
||||
|
|
|
@ -14,7 +14,7 @@ class Api_Admin_RolesCest extends CestAbstract
|
|||
$I,
|
||||
'/api/admin/roles',
|
||||
[
|
||||
'name' => 'Super Administrator',
|
||||
'name' => 'Generic Admin',
|
||||
'permissions' => [
|
||||
'global' => [
|
||||
App\Enums\GlobalPermissions::All->value,
|
||||
|
@ -22,8 +22,31 @@ class Api_Admin_RolesCest extends CestAbstract
|
|||
],
|
||||
],
|
||||
[
|
||||
'name' => 'Test Super Administrator',
|
||||
'name' => 'Test Generic Administrator',
|
||||
]
|
||||
);
|
||||
}
|
||||
|
||||
public function checkSuperAdminRole(FunctionalTester $I): void
|
||||
{
|
||||
$I->wantTo('Ensure super administrator is not editable.');
|
||||
|
||||
$permissionRepo = $this->di->get(App\Entity\Repository\RolePermissionRepository::class);
|
||||
$superAdminRole = $permissionRepo->ensureSuperAdministratorRole();
|
||||
|
||||
$I->sendPut(
|
||||
'/api/admin/role/' . $superAdminRole->getIdRequired(),
|
||||
[
|
||||
'name' => 'Edited Role',
|
||||
]
|
||||
);
|
||||
|
||||
$I->seeResponseCodeIsClientError();
|
||||
|
||||
$I->sendDelete(
|
||||
'/api/admin/role/' . $superAdminRole->getIdRequired(),
|
||||
);
|
||||
|
||||
$I->seeResponseCodeIsClientError();
|
||||
}
|
||||
}
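Review bot: `checkSuperAdminRole` only asserts a client-error status after the PUT and the DELETE; it never confirms the record was left untouched, so a handler that returned 4xx after partially applying the update would still pass. Re-read the role afterwards, e.g. `$I->sendGet('/api/admin/role/' . $superAdminRole->getIdRequired());` followed by `$I->seeResponseContainsJson(['is_super_admin' => true]);` plus an assertion that the returned `name` is not `'Edited Role'`. That would also give the new `is_super_admin` field from `viewRecord` its only test coverage. The GET route and response shape are inferred from the PUT/DELETE paths above and should be confirmed.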
|
||||
|