vendor/shopware/core/Framework/DataAbstractionLayer/EntityProtection/EntityProtectionValidator.php line 49

Open in your IDE?
  1. <?php declare(strict_types=1);
  3. namespace Shopware\Core\Framework\DataAbstractionLayer\EntityProtection;
  5. use Shopware\Core\Framework\Context;
  6. use Shopware\Core\Framework\DataAbstractionLayer\EntityDefinition;
  7. use Shopware\Core\Framework\DataAbstractionLayer\Event\EntitySearchedEvent;
  8. use Shopware\Core\Framework\DataAbstractionLayer\Field\AssociationField;
  9. use Shopware\Core\Framework\DataAbstractionLayer\Search\Criteria;
  10. use Shopware\Core\Framework\DataAbstractionLayer\Write\Validation\PreWriteValidationEvent;
  11. use Symfony\Component\EventDispatcher\EventSubscriberInterface;
  12. use Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException;
  14. class EntityProtectionValidator implements EventSubscriberInterface
  15. {
  16.     /**
  17.      * @return array<string, string|array{0: string, 1: int}|list<array{0: string, 1?: int}>>
  18.      */
  19.     public static function getSubscribedEvents()
  20.     {
  21.         return [
  22.             PreWriteValidationEvent::class => 'validateWriteCommands',
  23.             EntitySearchedEvent::class => 'validateEntitySearch',
  24.         ];
  25.     }
  27.     /**
  28.      * @param array<string> $protections FQCN of the protections that need to be validated
  29.      */
  30.     public function validateEntityPath(array $pathSegments, array $protectionsContext $context): void
  31.     {
  32.         foreach ($pathSegments as $pathSegment) {
  33.             /** @var EntityDefinition $definition */
  34.             $definition $pathSegment['definition'];
  36.             foreach ($protections as $protection) {
  37.                 $protectionInstance $definition->getProtections()->get($protection);
  38.                 if (!$protectionInstance || $protectionInstance->isAllowed($context->getScope())) {
  39.                     continue;
  40.                 }
  42.                 throw new AccessDeniedHttpException(
  43.                     sprintf('API access for entity "%s" not allowed.'$pathSegment['entity'])
  44.                 );
  45.             }
  46.         }
  47.     }
  49.     public function validateEntitySearch(EntitySearchedEvent $event): void
  50.     {
  51.         $definition $event->getDefinition();
  52.         $readProtection $definition->getProtections()->get(ReadProtection::class);
  53.         $context $event->getContext();
  55.         if ($readProtection && !$readProtection->isAllowed($context->getScope())) {
  56.             throw new AccessDeniedHttpException(
  57.                 sprintf(
  58.                     'Read access to entity "%s" not allowed for scope "%s".',
  59.                     $definition->getEntityName(),
  60.                     $context->getScope()
  61.                 )
  62.             );
  63.         }
  65.         $this->validateCriteriaAssociation(
  66.             $definition,
  67.             $event->getCriteria()->getAssociations(),
  68.             $context
  69.         );
  70.     }
  72.     public function validateWriteCommands(PreWriteValidationEvent $event): void
  73.     {
  74.         foreach ($event->getCommands() as $command) {
  75.             // Don't validate commands that fake operations on DB level, e.g. cascade deletes
  76.             if (!$command->isValid()) {
  77.                 continue;
  78.             }
  80.             $writeProtection $command->getDefinition()->getProtections()->get(WriteProtection::class);
  81.             if ($writeProtection && !$writeProtection->isAllowed($event->getContext()->getScope())) {
  82.                 throw new AccessDeniedHttpException(
  83.                     sprintf(
  84.                         'Write access to entity "%s" are not allowed in scope "%s".',
  85.                         $command->getDefinition()->getEntityName(),
  86.                         $event->getContext()->getScope()
  87.                     )
  88.                 );
  89.             }
  90.         }
  91.     }
  93.     private function validateCriteriaAssociation(EntityDefinition $definition, array $associationsContext $context): void
  94.     {
  95.         /** @var Criteria $criteria */
  96.         foreach ($associations as $associationName => $criteria) {
  97.             $field $definition->getField($associationName);
  98.             if (!$field instanceof AssociationField) {
  99.                 continue;
  100.             }
  102.             $associationDefinition $field->getReferenceDefinition();
  103.             $readProtection $associationDefinition->getProtections()->get(ReadProtection::class);
  104.             if ($readProtection && !$readProtection->isAllowed($context->getScope())) {
  105.                 throw new AccessDeniedHttpException(
  106.                     sprintf(
  107.                         'Read access to nested association "%s" on entity "%s" not allowed for scope "%s".',
  108.                         $associationName,
  109.                         $definition->getEntityName(),
  110.                         $context->getScope()
  111.                     )
  112.                 );
  113.             }
  115.             $this->validateCriteriaAssociation($associationDefinition$criteria->getAssociations(), $context);
  116.         }
  117.     }
  118. }