From f412ccc02e72f8f29ea5a222fb0e182ef175ee32 Mon Sep 17 00:00:00 2001 From: Vincent Langlet Date: Tue, 31 Aug 2021 22:03:58 +0200 Subject: [PATCH] Introduce HISTORY role --- UPGRADE-4.0.md | 6 ++++++ docs/reference/configuration.rst | 1 + docs/reference/security.rst | 5 +++-- src/Admin/AbstractAdmin.php | 6 +++--- src/DependencyInjection/Configuration.php | 1 + src/Security/Acl/Permission/AdminPermissionMap.php | 8 ++++++++ src/Security/Acl/Permission/MaskBuilder.php | 6 +++++- tests/Security/Acl/Permission/AdminPermissionMapTest.php | 1 + tests/Util/AdminObjectAclDataTest.php | 4 ++-- 9 files changed, 30 insertions(+), 8 deletions(-) diff --git a/UPGRADE-4.0.md b/UPGRADE-4.0.md index bd223c1085..0a40dccd7d 100644 --- a/UPGRADE-4.0.md +++ b/UPGRADE-4.0.md @@ -259,3 +259,9 @@ protected function configureListFields(ListMapper $listMapper) } ``` but the best is to use the constant `ListMapper::NAME_ACTIONS`. + +## History actions + +Instead of relying on the `ROLE_MYADMIN_EDIT` role, a new `ROLE_MYADMIN_HISTORY` +role was introduced to get access to the history actions. If you use the +revisions be sure to add this role to your users. diff --git a/docs/reference/configuration.rst b/docs/reference/configuration.rst index d8aeaa2a1a..a69424fd00 100644 --- a/docs/reference/configuration.rst +++ b/docs/reference/configuration.rst @@ -61,6 +61,7 @@ Full Configuration Options # Defaults: - VIEW - EDIT + - HISTORY - DELETE - UNDELETE - OPERATOR diff --git a/docs/reference/security.rst b/docs/reference/security.rst index 0cb546c599..6b8f8d1ad3 100644 --- a/docs/reference/security.rst +++ b/docs/reference/security.rst @@ -90,7 +90,7 @@ Using ACL: # acl security information information: GUEST: [VIEW, LIST] - STAFF: [EDIT, LIST, CREATE] + STAFF: [EDIT, HISTORY, LIST, CREATE] EDITOR: [OPERATOR, EXPORT] ADMIN: [MASTER] 
@@ -99,7 +99,7 @@ Using ACL: admin_permissions: [CREATE, LIST, DELETE, UNDELETE, EXPORT, OPERATOR, MASTER] # permission related to the objects - object_permissions: [VIEW, EDIT, DELETE, UNDELETE, OPERATOR, MASTER, OWNER] + object_permissions: [VIEW, EDIT, HISTORY, DELETE, UNDELETE, OPERATOR, MASTER, OWNER] Later, we will explain how to set up ACL with the ``FriendsOfSymfony/UserBundle``. @@ -126,6 +126,7 @@ LIST view the list of objects VIEW view the detail of one object CREATE create a new object EDIT update an existing object +HISTORY access to the history of edition of an object DELETE delete an existing object EXPORT (for the native Sonata export links) **ALL** **grants LIST, VIEW, CREATE, EDIT, DELETE and EXPORT** diff --git a/src/Admin/AbstractAdmin.php b/src/Admin/AbstractAdmin.php index 9fc3ce5230..e1af33dcdb 100644 --- a/src/Admin/AbstractAdmin.php +++ b/src/Admin/AbstractAdmin.php @@ -2206,9 +2206,9 @@ final protected function getAccess(): array $access = array_merge([ 'acl' => AdminPermissionMap::PERMISSION_MASTER, 'export' => AdminPermissionMap::PERMISSION_EXPORT, - 'historyCompareRevisions' => AdminPermissionMap::PERMISSION_EDIT, - 'historyViewRevision' => AdminPermissionMap::PERMISSION_EDIT, - 'history' => AdminPermissionMap::PERMISSION_EDIT, + 'historyCompareRevisions' => AdminPermissionMap::PERMISSION_HISTORY, + 'historyViewRevision' => AdminPermissionMap::PERMISSION_HISTORY, + 'history' => AdminPermissionMap::PERMISSION_HISTORY, 'edit' => AdminPermissionMap::PERMISSION_EDIT, 'show' => AdminPermissionMap::PERMISSION_VIEW, 'create' => AdminPermissionMap::PERMISSION_CREATE, diff --git a/src/DependencyInjection/Configuration.php b/src/DependencyInjection/Configuration.php index 5462e5f078..be606afdb5 100644 --- a/src/DependencyInjection/Configuration.php +++ b/src/DependencyInjection/Configuration.php 
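Review bot: In `getAccess()`, the `history`, `historyViewRevision` and `historyCompareRevisions` entries are now gated on `PERMISSION_HISTORY` alone, and the revision pages presumably render the object's past field values, so HISTORY works as a read permission on object data. Whether the history controller actions also require VIEW is not visible here; if they do not, a principal granted HISTORY without VIEW can read content through old revisions. I would document this next to the entries, e.g. `// HISTORY exposes past field values of the object: grant it only together with VIEW`, and say the same in the UPGRADE-4.0.md entry. The array literal and the rest of `getAccess()` continue outside the hunk.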
@@ -88,6 +88,7 @@ public function getConfigTreeBuilder(): TreeBuilder ->defaultValue([ AdminPermissionMap::PERMISSION_VIEW, AdminPermissionMap::PERMISSION_EDIT, + AdminPermissionMap::PERMISSION_HISTORY, AdminPermissionMap::PERMISSION_DELETE, AdminPermissionMap::PERMISSION_UNDELETE, AdminPermissionMap::PERMISSION_OPERATOR, diff --git a/src/Security/Acl/Permission/AdminPermissionMap.php b/src/Security/Acl/Permission/AdminPermissionMap.php index a4e23d69f0..59ce7eead3 100644 --- a/src/Security/Acl/Permission/AdminPermissionMap.php +++ b/src/Security/Acl/Permission/AdminPermissionMap.php @@ -26,6 +26,7 @@ final class AdminPermissionMap implements PermissionMapInterface { public const PERMISSION_VIEW = 'VIEW'; public const PERMISSION_EDIT = 'EDIT'; + public const PERMISSION_HISTORY = 'HISTORY'; public const PERMISSION_CREATE = 'CREATE'; public const PERMISSION_DELETE = 'DELETE'; public const PERMISSION_UNDELETE = 'UNDELETE'; @@ -58,6 +59,13 @@ final class AdminPermissionMap implements PermissionMapInterface MaskBuilder::MASK_OWNER, ], + self::PERMISSION_HISTORY => [ + MaskBuilder::MASK_HISTORY, + MaskBuilder::MASK_OPERATOR, + MaskBuilder::MASK_MASTER, + MaskBuilder::MASK_OWNER, + ], + self::PERMISSION_CREATE => [ MaskBuilder::MASK_CREATE, MaskBuilder::MASK_OPERATOR, diff --git a/src/Security/Acl/Permission/MaskBuilder.php b/src/Security/Acl/Permission/MaskBuilder.php index 6472a42c97..018ee05795 100644 --- a/src/Security/Acl/Permission/MaskBuilder.php +++ b/src/Security/Acl/Permission/MaskBuilder.php 
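Review bot: Adding `AdminPermissionMap::PERMISSION_HISTORY` to this `defaultValue([...])` list only helps installations that leave the option unset; a project that sets its own list keeps the old value without HISTORY. From the values, this looks like the `object_permissions` option shown in docs/reference/security.rst, but the node definition is outside the hunk. Combined with the `getAccess()` change, such projects would lose the history actions for everyone not holding OPERATOR, MASTER or OWNER until they edit their configuration. The UPGRADE-4.0.md entry only mentions adding the role to users; it should also say something like `add HISTORY to your configured object permissions if you override the defaults`.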
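Review bot: The new `self::PERMISSION_HISTORY` entry in the mask map lists `MASK_HISTORY`, `MASK_OPERATOR`, `MASK_MASTER` and `MASK_OWNER` but not `MASK_EDIT`, so ACL entries stored with only the EDIT bit stop granting the history actions once `getAccess()` asks for HISTORY. That matches the intended separation, but ACL-based installs will have to update or regenerate existing ACEs, and the UPGRADE note only mentions `ROLE_MYADMIN_HISTORY`. A short comment above the entry, `// deliberately excludes MASK_EDIT: history access is granted separately from edit`, would keep a later change from folding it back in by accident. The constant added in the first hunk of this file needs no change; the class body continues outside both hunks.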
@@ -18,12 +18,16 @@ /** * {@inheritdoc} * - LIST: the SID is allowed to view a list of the domain objects / fields. + * - EXPORT: the SID is allowed to export the list of the domain objects / fields. + * - HISTORY: the SID is allowed to see the history of edition of a domain objects / fields. */ final class MaskBuilder extends BaseMaskBuilder { public const MASK_LIST = 4096; // 1 << 12 - public const MASK_EXPORT = 8192; // 1 << 13 + public const MASK_EXPORT = 8192; // 1 << 13 + public const MASK_HISTORY = 16384; // 1 << 14 public const CODE_LIST = 'L'; public const CODE_EXPORT = 'E'; + public const CODE_HISTORY = 'H'; } diff --git a/tests/Security/Acl/Permission/AdminPermissionMapTest.php b/tests/Security/Acl/Permission/AdminPermissionMapTest.php index f25e914318..189f2d48ac 100644 --- a/tests/Security/Acl/Permission/AdminPermissionMapTest.php +++ b/tests/Security/Acl/Permission/AdminPermissionMapTest.php @@ -62,6 +62,7 @@ public function permissionProvider(): array return [ [true, AdminPermissionMap::PERMISSION_VIEW], [true, AdminPermissionMap::PERMISSION_EDIT], + [true, AdminPermissionMap::PERMISSION_HISTORY], [true, AdminPermissionMap::PERMISSION_CREATE], [true, AdminPermissionMap::PERMISSION_DELETE], [true, AdminPermissionMap::PERMISSION_UNDELETE], diff --git a/tests/Util/AdminObjectAclDataTest.php b/tests/Util/AdminObjectAclDataTest.php index dccf28781c..aa40450cdb 100644 --- a/tests/Util/AdminObjectAclDataTest.php +++ b/tests/Util/AdminObjectAclDataTest.php @@ -15,11 +15,11 @@ use PHPUnit\Framework\TestCase; use Sonata\AdminBundle\Admin\AdminInterface; +use Sonata\AdminBundle\Security\Acl\Permission\MaskBuilder; use Sonata\AdminBundle\Security\Handler\AclSecurityHandlerInterface; use Sonata\AdminBundle\Util\AdminObjectAclData; use Symfony\Component\Form\Form; use Symfony\Component\Security\Acl\Domain\Acl; -use Symfony\Component\Security\Acl\Permission\MaskBuilder; /** * @author Kévin Dunglas 
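Review bot: The added docblock line reads `the history of edition of a domain objects / fields`, which mixes singular and plural. `- HISTORY: the SID is allowed to see the edit history of the domain objects / fields.` would match the wording of the LIST and EXPORT lines. Separately, `MASK_HISTORY = 16384` claims bit 14 of the stored ACE bitmask, so an application that had already persisted a custom mask on that bit would have those entries read as HISTORY after upgrading. Nothing in the hunk shows such use, but it is worth one line in the UPGRADE note.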
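Review bot: The new `[true, AdminPermissionMap::PERMISSION_HISTORY]` row in `permissionProvider()` appears to check only that the map knows the permission; the test that consumes the provider is outside the hunk. Since the commit's security-relevant change is that EDIT no longer implies history access, a negative assertion would pin it, for example a test that `getMasks(AdminPermissionMap::PERMISSION_HISTORY, null)` does not contain `MaskBuilder::MASK_EDIT`. Without it, re-adding `MASK_EDIT` to the HISTORY entry later would pass the suite unnoticed.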
@@ -223,7 +223,7 @@ protected function createAdmin(bool $isOwner = true, bool $isAclEnabled = true): $securityHandler ->method('getObjectPermissions') - ->willReturn(['VIEW', 'EDIT', 'DELETE', 'UNDELETE', 'OPERATOR', 'MASTER', 'OWNER']); + ->willReturn(['VIEW', 'EDIT', 'HISTORY', 'DELETE', 'UNDELETE', 'OPERATOR', 'MASTER', 'OWNER']); $securityHandler ->method('buildSecurityInformation')