mirror of
https://github.com/MarijnDoeve/TijdVoorDeTest.git
synced 2026-07-13 13:25:19 +02:00
Add authorization checks to PrepareEliminationController
index and viewElimination had no IsGranted guard, unlike every other backoffice/elimination controller, so any authenticated user could prepare or overwrite another season's elimination screens.
This commit is contained in:
@@ -11,18 +11,21 @@ use Symfony\Component\HttpFoundation\Response;
|
||||
use Symfony\Component\Routing\Attribute\Route;
|
||||
use Symfony\Component\Routing\Requirement\Requirement;
|
||||
use Symfony\Component\Security\Http\Attribute\IsCsrfTokenValid;
|
||||
use Symfony\Component\Security\Http\Attribute\IsGranted;
|
||||
use Tvdt\Controller\AbstractController;
|
||||
use Tvdt\Entity\Elimination;
|
||||
use Tvdt\Entity\Quiz;
|
||||
use Tvdt\Entity\Season;
|
||||
use Tvdt\Enum\FlashType;
|
||||
use Tvdt\Factory\EliminationFactory;
|
||||
use Tvdt\Security\Voter\SeasonVoter;
|
||||
|
||||
final class PrepareEliminationController extends AbstractController
|
||||
{
|
||||
public function __construct(private readonly EliminationFactory $eliminationFactory, private readonly EntityManagerInterface $em) {}
|
||||
|
||||
#[IsCsrfTokenValid('prepare_elimination')]
|
||||
#[IsGranted(SeasonVoter::ELIMINATION, 'quiz')]
|
||||
#[Route(
|
||||
'/backoffice/season/{seasonCode:season}/quiz/{quiz}/elimination/prepare',
|
||||
name: 'tvdt_prepare_elimination',
|
||||
@@ -37,6 +40,7 @@ final class PrepareEliminationController extends AbstractController
|
||||
}
|
||||
|
||||
#[IsCsrfTokenValid('prepare_elimination', methods: ['POST'])]
|
||||
#[IsGranted(SeasonVoter::ELIMINATION, 'elimination')]
|
||||
#[Route(
|
||||
'/backoffice/elimination/{elimination}',
|
||||
name: 'tvdt_prepare_elimination_view',
|
||||
|
||||
@@ -117,4 +117,34 @@ final class PrepareEliminationControllerTest extends AbstractControllerWebTestCa
|
||||
|
||||
self::assertResponseRedirects(\sprintf('/elimination/%s', $elimination->id));
|
||||
}
|
||||
|
||||
public function testIndexIsDeniedForNonOwner(): void
|
||||
{
|
||||
$quiz = $this->getQuizByName('Quiz 1');
|
||||
$token = $this->getCsrfTokenFromPage(\sprintf('/backoffice/season/krtek/quiz/%s/result', $quiz->id), '/elimination/prepare');
|
||||
|
||||
$this->loginAs('test@example.org');
|
||||
|
||||
$this->client->request(Request::METHOD_POST, \sprintf('/backoffice/season/krtek/quiz/%s/elimination/prepare', $quiz->id), [
|
||||
'_token' => $token,
|
||||
]);
|
||||
|
||||
self::assertResponseStatusCodeSame(403);
|
||||
}
|
||||
|
||||
public function testViewEliminationIsDeniedForNonOwner(): void
|
||||
{
|
||||
$quiz = $this->getQuizByName('Quiz 1');
|
||||
$elimination = new Elimination($quiz);
|
||||
$elimination->data = ['Tom' => Elimination::SCREEN_GREEN];
|
||||
|
||||
$this->entityManager->persist($elimination);
|
||||
$this->entityManager->flush();
|
||||
|
||||
$this->loginAs('test@example.org');
|
||||
|
||||
$this->client->request(Request::METHOD_GET, \sprintf('/backoffice/elimination/%s', $elimination->id));
|
||||
|
||||
self::assertResponseStatusCodeSame(403);
|
||||
}
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user