Make sure demo user can't upload attachments.

2025-02-25 18:45:27 -06:00 · 2020-05-05 07:44:33 +02:00 · 2020-05-05 07:44:33 +02:00 · 3c3ba637b5
commit 3c3ba637b5
parent be8286b15c
8 changed files with 108 additions and 21 deletions
--- a/app/Api/V1/Controllers/AttachmentController.php
+++ b/app/Api/V1/Controllers/AttachmentController.php
@ -23,10 +23,12 @@ declare(strict_types=1);

 namespace FireflyIII\Api\V1\Controllers;

+use FireflyIII\Api\V1\Middleware\ApiDemoUser;
 use FireflyIII\Api\V1\Requests\AttachmentStoreRequest;
 use FireflyIII\Api\V1\Requests\AttachmentUpdateRequest;
 use FireflyIII\Exceptions\FireflyException;
 use FireflyIII\Helpers\Attachments\AttachmentHelperInterface;
+use FireflyIII\Http\Middleware\IsDemoUser;
 use FireflyIII\Models\Attachment;
 use FireflyIII\Repositories\Attachment\AttachmentRepositoryInterface;
 use FireflyIII\Transformers\AttachmentTransformer;
@ -58,6 +60,7 @@ class AttachmentController extends Controller
    public function __construct()
    {
        parent::__construct();
+        $this->middleware(ApiDemoUser::class)->except(['delete', 'download', 'show', 'index']);
        $this->middleware(
            function ($request, $next) {
                /** @var User $user */
@ -65,6 +68,7 @@ class AttachmentController extends Controller
                $this->repository = app(AttachmentRepositoryInterface::class);
                $this->repository->setUser($user);

+
                return $next($request);
            }
        );
--- a/app/Api/V1/Middleware/ApiDemoUser.php
+++ b/app/Api/V1/Middleware/ApiDemoUser.php
@ -0,0 +1,61 @@
+<?php
+/**
+ * ApiDemoUser.php
+ * Copyright (c) 2019 james@firefly-iii.org
+ *
+ * This file is part of Firefly III (https://github.com/firefly-iii).
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as
+ * published by the Free Software Foundation, either version 3 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program.  If not, see <https://www.gnu.org/licenses/>.
+ */
+declare(strict_types=1);
+
+namespace FireflyIII\Api\V1\Middleware;
+
+use Closure;
+use FireflyIII\Repositories\User\UserRepositoryInterface;
+use FireflyIII\User;
+use Illuminate\Http\Request;
+
+/**
+ * Class ApiDemoUser.
+ */
+class ApiDemoUser
+{
+    /**
+     * Handle an incoming request.
+     *
+     * @param Request $request
+     * @param Closure $next
+     *
+     * @return mixed
+     */
+    public function handle(Request $request, Closure $next)
+    {
+        /** @var User $user */
+        $user = $request->user();
+
+        if (null === $user) {
+            return $next($request);
+        }
+
+        /** @var UserRepositoryInterface $repository */
+        $repository = app(UserRepositoryInterface::class);
+
+        if ($repository->hasRole($user, 'demo')) {
+            return response('', 403);
+        }
+
+        return $next($request);
+    }
+}
--- a/composer.lock
+++ b/composer.lock
@ -8,16 +8,16 @@
    "packages": [
        {
            "name": "adldap2/adldap2",
-            "version": "v10.2.3",
+            "version": "v10.3.0",
            "source": {
                "type": "git",
                "url": "https://github.com/Adldap2/Adldap2.git",
-                "reference": "2baffac2dfef308f0a94afa360b6a77540730fd2"
+                "reference": "1294c92746e3fb3bb59cd7756ca7838a1e705a2a"
            },
            "dist": {
                "type": "zip",
-                "url": "https://api.github.com/repos/Adldap2/Adldap2/zipball/2baffac2dfef308f0a94afa360b6a77540730fd2",
-                "reference": "2baffac2dfef308f0a94afa360b6a77540730fd2",
+                "url": "https://api.github.com/repos/Adldap2/Adldap2/zipball/1294c92746e3fb3bb59cd7756ca7838a1e705a2a",
+                "reference": "1294c92746e3fb3bb59cd7756ca7838a1e705a2a",
                "shasum": ""
            },
            "require": {
@ -63,7 +63,7 @@
                "ldap",
                "windows"
            ],
-            "time": "2020-03-08T23:04:47+00:00"
+            "time": "2020-05-04T21:10:15+00:00"
        },
        {
            "name": "adldap2/adldap2-laravel",
@ -1748,16 +1748,16 @@
        },
        {
            "name": "league/commonmark",
-            "version": "1.4.2",
+            "version": "1.4.3",
            "source": {
                "type": "git",
                "url": "https://github.com/thephpleague/commonmark.git",
-                "reference": "9e780d972185e4f737a03bade0fd34a9e67bbf31"
+                "reference": "412639f7cfbc0b31ad2455b2fe965095f66ae505"
            },
            "dist": {
                "type": "zip",
-                "url": "https://api.github.com/repos/thephpleague/commonmark/zipball/9e780d972185e4f737a03bade0fd34a9e67bbf31",
-                "reference": "9e780d972185e4f737a03bade0fd34a9e67bbf31",
+                "url": "https://api.github.com/repos/thephpleague/commonmark/zipball/412639f7cfbc0b31ad2455b2fe965095f66ae505",
+                "reference": "412639f7cfbc0b31ad2455b2fe965095f66ae505",
                "shasum": ""
            },
            "require": {
@ -1844,7 +1844,7 @@
                    "type": "tidelift"
                }
            ],
-            "time": "2020-04-24T13:39:56+00:00"
+            "time": "2020-05-04T22:15:21+00:00"
        },
        {
            "name": "league/csv",
@ -8014,12 +8014,12 @@
            "source": {
                "type": "git",
                "url": "https://github.com/Roave/SecurityAdvisories.git",
-                "reference": "478dd17a48d0eb007ff854f4b885034df5db7c29"
+                "reference": "f46390d28af4fdb07c09d9aabf4c4e35149a7a08"
            },
            "dist": {
                "type": "zip",
-                "url": "https://api.github.com/repos/Roave/SecurityAdvisories/zipball/478dd17a48d0eb007ff854f4b885034df5db7c29",
-                "reference": "478dd17a48d0eb007ff854f4b885034df5db7c29",
+                "url": "https://api.github.com/repos/Roave/SecurityAdvisories/zipball/f46390d28af4fdb07c09d9aabf4c4e35149a7a08",
+                "reference": "f46390d28af4fdb07c09d9aabf4c4e35149a7a08",
                "shasum": ""
            },
            "conflict": {
@ -8109,7 +8109,7 @@
                "magento/product-community-edition": ">=2,<2.2.10|>=2.3,<2.3.2-p.2",
                "monolog/monolog": ">=1.8,<1.12",
                "namshi/jose": "<2.2",
-                "nzo/url-encryptor-bundle": "<5.0.1",
+                "nzo/url-encryptor-bundle": ">=4,<4.3.2|>=5,<5.0.1",
                "onelogin/php-saml": "<2.10.4",
                "oneup/uploader-bundle": "<1.9.3|>=2,<2.1.5",
                "openid/php-openid": "<2.3",
@ -8283,7 +8283,7 @@
                    "type": "tidelift"
                }
            ],
-            "time": "2020-05-03T18:57:18+00:00"
+            "time": "2020-05-04T14:37:25+00:00"
        },
        {
            "name": "sebastian/code-unit-reverse-lookup",
--- a/config/import.php
+++ b/config/import.php
@ -47,11 +47,11 @@ return [
        'file'    => false,
        'bunq'    => false,
        'spectre' => true,
-        'ynab'    => true,
+        'ynab'    => false,
        'plaid'   => false,
        'quovo'   => false,
        'yodlee'  => false,
-        'fints'   => true,
+        'fints'   => false,
        'bad'     => false, // always disabled
    ],
    // demo user can use these import providers (when enabled):
--- a/public/v1/js/create_transaction.js
+++ b/public/v1/js/create_transaction.js
--- a/public/v1/js/edit_transaction.js
+++ b/public/v1/js/edit_transaction.js
--- a/resources/assets/js/components/transactions/CreateTransaction.vue
+++ b/resources/assets/js/components/transactions/CreateTransaction.vue
@ -598,7 +598,18 @@
                                    // console.log('Upload complete!');
                                    return false;
                                });
-                            });
+                            }).catch(error => {
+                            console.error('Could not create upload.');
+                            console.error(error);
+                            uploads++;
+                            if (uploads === count) {
+                                // finally we can redirect the user onwards.
+                                // console.log('FINAL UPLOAD');
+                                this.redirectUser(groupId, transactionData);
+                            }
+                            // console.log('Upload complete!');
+                            return false;
+                        });
                    }
                }

--- a/resources/assets/js/components/transactions/EditTransaction.vue
+++ b/resources/assets/js/components/transactions/EditTransaction.vue
@ -773,7 +773,18 @@
                                    // console.error(error);
                                    return false;
                                });
-                            });
+                            }).catch(error => {
+                            console.error('Could not create upload.');
+                            console.error(error);
+                            uploads++;
+                            if (uploads === count) {
+                                // finally we can redirect the user onwards.
+                                // console.log('FINAL UPLOAD');
+                                this.redirectUser(groupId, null);
+                            }
+                            // console.log('Upload complete!');
+                            return false;
+                        });
                    }
                }