Add ApiKey check to tell if it has any role that is short-url restrictive

2024-11-22 08:56:42 -06:00 · 2023-05-30 09:32:44 +02:00 · 2023-05-30 09:32:44 +02:00 · 12da04ef37
commit 12da04ef37
parent 8b03532ddb
4 changed files with 20 additions and 5 deletions
--- a/module/Core/src/Tag/Repository/TagRepository.php
+++ b/module/Core/src/Tag/Repository/TagRepository.php
@ -59,8 +59,8 @@ class TagRepository extends EntitySpecificationRepository implements TagReposito
                default => $qb,
            });

-        // For admins and when no API key is present, we'll return tags which are not linked to any short URL
-        $joiningMethod = ApiKey::isAdmin($apiKey) ? 'leftJoin' : 'join';
+        // For non-restricted API keys, we'll return tags which are not linked to any short URL
+        $joiningMethod = ! ApiKey::isShortUrlRestricted($apiKey) ? 'leftJoin' : 'join';
        $tagsSubQb = $conn->createQueryBuilder();
        $tagsSubQb
            ->select('t.id AS tag_id', 't.name AS tag', 'COUNT(DISTINCT s.id) AS short_urls_count')
--- a/module/Core/src/Tag/TagService.php
+++ b/module/Core/src/Tag/TagService.php
@ -59,7 +59,7 @@ class TagService implements TagServiceInterface
     */
    public function deleteTags(array $tagNames, ?ApiKey $apiKey = null): void
    {
-        if (! ApiKey::isAdmin($apiKey)) {
+        if (ApiKey::isShortUrlRestricted($apiKey)) {
            throw ForbiddenTagOperationException::forDeletion();
        }

@ -75,7 +75,7 @@ class TagService implements TagServiceInterface
     */
    public function renameTag(TagRenaming $renaming, ?ApiKey $apiKey = null): Tag
    {
-        if (! ApiKey::isAdmin($apiKey)) {
+        if (ApiKey::isShortUrlRestricted($apiKey)) {
            throw ForbiddenTagOperationException::forRenaming();
        }

--- a/module/Rest/src/ApiKey/Spec/WithApiKeySpecsEnsuringJoin.php
+++ b/module/Rest/src/ApiKey/Spec/WithApiKeySpecsEnsuringJoin.php
@ -18,7 +18,7 @@ class WithApiKeySpecsEnsuringJoin extends BaseSpecification

    protected function getSpec(): Specification
    {
-        return $this->apiKey === null || ApiKey::isAdmin($this->apiKey) ? Spec::andX() : Spec::andX(
+        return $this->apiKey === null || ! ApiKey::isShortUrlRestricted($this->apiKey) ? Spec::andX() : Spec::andX(
            Spec::join($this->fieldToJoin, 's'),
            $this->apiKey->spec($this->fieldToJoin),
        );
--- a/module/Rest/src/Entity/ApiKey.php
+++ b/module/Rest/src/Entity/ApiKey.php
@ -122,6 +122,21 @@ class ApiKey extends AbstractEntity
        return $apiKey === null || $apiKey->roles->isEmpty();
    }

+    /**
+     * Tells if provided API key has any of the roles restricting at the short URL level
+     */
+    public static function isShortUrlRestricted(?ApiKey $apiKey): bool
+    {
+        if ($apiKey === null) {
+            return false;
+        }
+
+        return (
+            $apiKey->roles->containsKey(Role::AUTHORED_SHORT_URLS->value)
+            || $apiKey->roles->containsKey(Role::DOMAIN_SPECIFIC->value)
+        );
+    }
+
    public function hasRole(Role $role): bool
    {
        return $this->roles->containsKey($role->value);