[#250] fix security checks in report controller

H2-invent · Apr 9, 2024 · f6138d5 · f6138d5
1 parent 60153ae
commit f6138d5
Show file tree

Hide file tree

Showing 2 changed files with 56 additions and 39 deletions.
diff --git a/src/Controller/BerichtController.php b/src/Controller/BerichtController.php
@@ -27,6 +27,7 @@
 use App\Repository\VorfallRepository;
 use App\Repository\VVTRepository;
 use App\Service\CurrentTeamService;
+use App\Service\SecurityService;
 use Nucleos\DompdfBundle\Wrapper\DompdfWrapper;
 use PhpOffice\PhpWord\IOFactory;
 use PhpOffice\PhpWord\PhpWord;
@@ -54,6 +55,7 @@ public function backupSoftware(
         CurrentTeamService $currentTeamService,
         SoftwareRepository $softwareRepository,
         VVTRepository      $vvtRepository,
+        SecurityService    $securityService,
     )
     {
         $team = $currentTeamService->getCurrentTeam($this->getUser());
@@ -65,8 +67,7 @@ public function backupSoftware(
             return $this->redirectNoReport();
         }
 
-        // Center Team authentication
-        if ($team === null || $software[0]->getTeam() !== $team) {
+        if (!$securityService->checkTeamAccessToData($team, $software[0])) {
             return $this->redirectToRoute('dashboard');
         }
 
@@ -93,6 +94,7 @@ public function recoverySoftware(
         Request            $request,
         CurrentTeamService $currentTeamService,
         SoftwareRepository $softwareRepository,
+        SecurityService    $securityService,
     )
     {
         $team = $currentTeamService->getCurrentTeam($this->getUser());
@@ -102,8 +104,7 @@ public function recoverySoftware(
             return $this->redirectNoReport();
         }
 
-        // Center Team authentication
-        if ($team === null || $software[0]->getTeam() !== $team) {
+        if (!$securityService->checkTeamAccessToData($team, $software[0])) {
             return $this->redirectToRoute('dashboard');
         }
 
@@ -127,12 +128,12 @@ public function recoverySoftware(
     public function report(
         Request            $request,
         CurrentTeamService $currentTeamService,
+        SecurityService    $securityService,
     ): Response
     {
         $team = $currentTeamService->getCurrentTeam($this->getUser());
 
-        // Center Team authentication
-        if (!$team) {
+        if (!$securityService->teamCheck($team)) {
             return $this->redirectToRoute('dashboard');
         }
 
@@ -144,12 +145,13 @@ public function report(
     #[Route(path: '/akademie', name: '_akademie')]
     public function reportAcademy(
         AkademieBuchungenRepository $academyBillingRepository,
+        SecurityService             $securityService,
     ): Response
     {
         $user = $this->getUser();
         $team = $user->getAkademieUser();
-        // Admin Team authentication
-        if (!$user->hasAdminRole($team)) {
+
+        if (!$securityService->adminCheck($user, $team)) {
             return $this->redirectToRoute('dashboard');
         }
 
@@ -167,6 +169,7 @@ public function reportAudit(
         Request            $request,
         CurrentTeamService $currentTeamService,
         AuditTomRepository $auditTomRepository,
+        SecurityService    $securityService,
     )
     {
 
@@ -188,8 +191,7 @@ public function reportAudit(
             return $this->redirectNoReport();
         }
 
-        // Center Team authentication
-        if ($team === null || $audit[0]->getTeam() !== $team) {
+        if (!$securityService->checkTeamAccessToData($team, $audit[0])) {
             return $this->redirectToRoute('dashboard');
         }
 
@@ -212,27 +214,29 @@ public function reportDataTransfer(
         Request                   $request,
         CurrentTeamService        $currentTeamService,
         DatenweitergabeRepository $dataTransferRepository,
+        SecurityService           $securityService,
     )
     {
         $id = $request->get('id');
         $team = $currentTeamService->getCurrentTeam($this->getUser());
 
+
         if ($id) {
             $daten = $dataTransferRepository->findBy(['id'=>$id]);
         } else {
-            $daten = $dataTransferRepository->findBy([
-                'team' => $team,
-                'activ' => true,
-                'art' => $request->get('art')
-            ]);
+            $type = $request->get('art');
+            if ($type == '1') {
+                $daten = $dataTransferRepository->findActiveTransfersByTeam($team);
+            } else if ($type == '2') {
+                $daten = $dataTransferRepository->findActiveOrderProcessingsByTeam($team);
+            }
         }
 
-        if (count($daten) < 1) {
+        if (!isset($daten) || count($daten) < 1) {
             return $this->redirectNoReport();
         }
 
-        // Center Team authentication
-        if ($team === null || $daten[0]->getTeam() !== $team) {
+        if (!$securityService->checkTeamAccessToTransfer($daten[0], $team)) {
             return $this->redirectToRoute('dashboard');
         }
 
@@ -257,6 +261,7 @@ public function reportDeletionConcept(
         DompdfWrapper           $wrapper,
         Request                 $request,
         CurrentTeamService      $currentTeamService,
+        SecurityService         $securityService,
         LoeschkonzeptRepository $deletionConceptRepository,
     )
     {
@@ -274,8 +279,7 @@ public function reportDeletionConcept(
             return $this->redirectNoReport();
         }
 
-        // Center Team authentication
-        if ($team === null || $loeschkonzept[0]->getTeam() !== $team) {
+        if (!$securityService->checkTeamAccessToData($team, $loeschkonzept[0])) {
             return $this->redirectToRoute('dashboard');
         }
 
@@ -297,6 +301,7 @@ public function reportGenerateReports(
         Request            $request,
         CurrentTeamService $currentTeamService,
         ReportRepository   $reportRepository,
+        SecurityService    $securityService,
     ): Response
     {
         $team = $currentTeamService->getCurrentTeam($this->getUser());
@@ -326,8 +331,7 @@ public function reportGenerateReports(
             return $this->redirectNoReport();
         }
 
-        // Center Team authentication
-        if ($team === null || $report[0]->getTeam() !== $team) {
+        if (!$securityService->checkTeamAccessToData($team, $report[0])) {
             return $this->redirectToRoute('dashboard');
         }
 
@@ -403,6 +407,7 @@ public function reportGlobalTom(
         DompdfWrapper      $wrapper,
         CurrentTeamService $currentTeamService,
         AuditTomRepository $auditTomRepository,
+        SecurityService    $securityService,
     )
     {
         $team = $currentTeamService->getCurrentTeam($this->getUser());
@@ -412,8 +417,7 @@ public function reportGlobalTom(
             return $this->redirectNoReport();
         }
 
-        // Center Team authentication
-        if ($team === null || $audit[0]->getTeam() !== $team) {
+        if (!$securityService->checkTeamAccessToData($team, $audit[0])) {
             return $this->redirectToRoute('dashboard');
         }
 
@@ -438,6 +442,7 @@ public function reportIncident(
         Request            $request,
         CurrentTeamService $currentTeamService,
         VorfallRepository  $vorfallRepository,
+        SecurityService    $securityService,
     )
     {
         $id = $request->get('id');
@@ -454,8 +459,7 @@ public function reportIncident(
             return $this->redirectNoReport();
         }
 
-        // Center Team authentication
-        if ($team === null || $daten[0]->getTeam() !== $team) {
+        if (!$securityService->checkTeamAccessToData($team, $daten[0])) {
             return $this->redirectToRoute('dashboard');
         }
 
@@ -481,6 +485,7 @@ public function reportPolicy(
         Request            $request,
         CurrentTeamService $currentTeamService,
         PoliciesRepository $policiesRepository,
+        SecurityService    $securityService,
     )
     {
         $id = $request->get('id');
@@ -496,8 +501,7 @@ public function reportPolicy(
             return $this->redirectNoReport();
         }
 
-        // Center Team authentication
-        if ($team === null || $policies[0]->getTeam() !== $team) {
+        if (!$securityService->checkTeamAccessToData($team, $policies[0])) {
             return $this->redirectToRoute('dashboard');
         }
 
@@ -523,6 +527,7 @@ public function reportRequest(
         Request                 $request,
         CurrentTeamService      $currentTeamService,
         ClientRequestRepository $clientRequestRepository,
+        SecurityService         $securityService,
     )
     {
 
@@ -541,8 +546,7 @@ public function reportRequest(
             return $this->redirectNoReport();
         }
 
-        // Center Team authentication
-        if ($team === null || $clientRequest[0]->getTeam() !== $team) {
+        if (!$securityService->checkTeamAccessToData($team, $clientRequest[0])) {
             return $this->redirectToRoute('dashboard');
         }
 
@@ -565,6 +569,7 @@ public function reportSoftware(
         Request            $request,
         CurrentTeamService $currentTeamService,
         SoftwareRepository $softwareRepository,
+        SecurityService    $securityService,
     )
     {
         $id = $request->get('id');
@@ -580,10 +585,10 @@ public function reportSoftware(
             return $this->redirectNoReport();
         }
 
-        // Center Team authentication
-        if ($team === null || $software[0]->getTeam() !== $team) {
+        if (!$securityService->checkTeamAccessToData($team, $software[0])) {
             return $this->redirectToRoute('dashboard');
         }
+
         // Retrieve the HTML generated in our twig file
         $html = $this->renderView('bericht/software.html.twig', [
             'daten' => $software,
@@ -606,6 +611,7 @@ public function reportTom(
         Request            $request,
         CurrentTeamService $currentTeamService,
         TomRepository      $tomRepository,
+        SecurityService    $securityService,
     )
     {
 
@@ -622,8 +628,7 @@ public function reportTom(
             return $this->redirectNoReport();
         }
 
-        // Center Team authentication
-        if ($team === null || $tom[0]->getTeam() !== $team) {
+        if (!$securityService->checkTeamAccessToData($team, $tom[0])) {
             return $this->redirectToRoute('dashboard');
         }
 
@@ -647,6 +652,7 @@ public function reportVvt(
         Request            $request,
         CurrentTeamService $currentTeamService,
         VVTRepository      $vvtRepository,
+        SecurityService    $securityService,
     )
     {
         ini_set('max_execution_time', '900');
@@ -669,8 +675,7 @@ public function reportVvt(
             return $this->redirectNoReport();
         }
 
-        // Center Team authentication
-        if ($team === null || $vvt[0]->getTeam() !== $team) {
+        if (!$securityService->checkTeamAccessToData($team, $vvt[0])) {
             return $this->redirectToRoute('dashboard');
         }
 
@@ -693,6 +698,7 @@ public function reports(
         Request            $request,
         CurrentTeamService $currentTeamService,
         ReportRepository   $reportRepository,
+        SecurityService    $securityService,
     )
     {
         $team = $currentTeamService->getCurrentTeam($this->getUser());
@@ -735,12 +741,10 @@ public function reports(
                 return $this->redirectNoReport();
             }
 
-            // Center Team authentication
-            if ($team === null || $report[0]->getTeam() !== $team) {
+            if ($securityService->checkTeamAccessToData($team, $report[0])) {
                 return $this->redirectToRoute('dashboard');
             }
 
-
             // Create a new Word document
             $phpWord = new PhpWord();
             $phpWord->addTitleStyle(1, ['bold' => true], ['spaceAfter' => 240]);

diff --git a/src/Service/SecurityService.php b/src/Service/SecurityService.php
@@ -134,6 +134,19 @@ public function teamDataCheck($data, $team): bool
         return true;
     }
 
+    public function checkTeamAccessToData($team, $data): bool
+    {
+        $teamPath = $team ? $this->teamRepository->getPath($team) : null;
+        $dataTeam = $data->getTeam();
+
+        if ($dataTeam === $team || in_array($dataTeam, $teamPath) && $data->isInherited()) {
+            return true;
+        }
+
+        $this->logAccessDenied($team);
+        return false;
+    }
+
     public function checkTeamAccessToProcess(VVT $process, $team): bool
     {
         $teamPath = $team ? $this->teamRepository->getPath($team) : null;