🎉 inital commit

.github/workflows/tasks.yml

@@ -0,0 +1,77 @@
+name: Tasks
+
+on: [push, pull_request]
+
+jobs:
+  lint-php:
+    name: "php: ${{ matrix.php }} TYPO3: ${{ matrix.typo3 }}"
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        php: [ '8.0', '8.1', '8.2' ]
+        typo3: [ '11', '12' ]
+        exclude:
+          - php: '7.4'
+            typo3: '12'
+          - php: '8.0'
+            typo3: '12'
+    steps:
+      - name: Setup PHP with PECL extension
+        uses: shivammathur/setup-php@v2
+        with:
+          php-version: ${{ matrix.php }}
+      - uses: actions/checkout@v2
+      - uses: actions/cache@v2
+        with:
+          path: ~/.composer/cache/files
+          key: ${{ runner.os }}-${{ matrix.php }}-composer-${{ hashFiles('**/composer.lock') }}
+          restore-keys: |
+            ${{ runner.os }}-${{ matrix.php }}-composer-
+      - run: composer require typo3/minimal="^${{ matrix.typo3 }}" --dev --ignore-platform-req=php+
+      - run: composer install --no-interaction --no-progress --ignore-platform-req=php+
+      - run: ./vendor/bin/grumphp run --ansi
+
+  ter-release:
+    name: TER release
+    runs-on: ubuntu-latest
+    if: startsWith(github.ref, 'refs/tags/')
+    needs: [ lint-php ]
+    env:
+      TYPO3_EXTENSION_KEY: 'group_access'
+      REPOSITORY_URL: 'https://github.com/andersundsehr/group_access'
+      TYPO3_API_TOKEN: ${{ secrets.TYPO3_API_TOKEN }}
+      TYPO3_API_USERNAME: ${{ secrets.TYPO3_API_USERNAME }}
+      TYPO3_API_PASSWORD: ${{ secrets.TYPO3_API_PASSWORD }}
+
+    steps:
+      - uses: actions/checkout@v2
+      - name: Get the version
+        id: get_version
+        run: echo ::set-output name=VERSION::${GITHUB_REF/refs\/tags\//}
+
+      - name: Setup PHP
+        uses: shivammathur/setup-php@v2
+        with:
+          php-version: '7.4'
+          extensions: intl, mbstring, xml, soap, zip, curl
+
+      - name: Install typo3/tailor
+        run: composer global require typo3/tailor --prefer-dist --no-progress
+
+      - name: Upload EXT:group_access to TER
+        run: |
+          sed -i 's/\\Composer\\InstalledVersions::getPrettyVersion('\''andersundsehr\/group_access'\'')/'\''${{ steps.get_version.outputs.VERSION }}'\''/g' ext_emconf.php \
+          && git config --global user.email "no@one" \
+          && git config --global user.name "No One" \
+          && git add ext_emconf.php \
+          && git commit -m 'x' -n \
+          && git archive -o archive.zip HEAD --prefix=group_access-${{ steps.get_version.outputs.VERSION }}/ \
+          && git reset --hard HEAD~ \
+          && curl -H "Accept: application/vnd.github.v3+json" https://api.github.com/repos/andersundsehr/group_access/releases/tags/${{ steps.get_version.outputs.VERSION }} > release.json \
+          && php ~/.composer/vendor/bin/tailor ter:publish ${{ steps.get_version.outputs.VERSION }} --artefact=archive.zip \
+          --comment="$(cat release.json | jq -r '.name')
+
+          $(cat release.json | jq -r '.body')
+
+          $(cat release.json | jq -r '.html_url')"

.gitignore

@@ -0,0 +1,3 @@
+public/
+vendor/
+composer.lock

Classes/Attribute/GroupAccess.php

@@ -0,0 +1,21 @@
+<?php
+
+namespace AUS\GroupAccess\Attribute;
+
+use Attribute;
+
+#[Attribute(Attribute::TARGET_CLASS | Attribute::TARGET_METHOD | Attribute::IS_REPEATABLE)]
+class GroupAccess
+{
+    /**
+     * @param int[] $frontendUserGroupIds
+     */
+    public function __construct(public readonly array $frontendUserGroupIds)
+    {
+        $this->isInt(...$this->frontendUserGroupIds);
+    }
+
+    private function isInt(int ...$id): void
+    {
+    }
+}

Classes/EventListener/BeforeActionCallEventListener.php

@@ -0,0 +1,65 @@
+<?php
+
+namespace AUS\GroupAccess\EventListener;
+
+use AUS\GroupAccess\Attribute\GroupAccess;
+use AUS\GroupAccess\Exception\GroupAccessException;
+use TYPO3\CMS\Core\Context\Context;
+use TYPO3\CMS\Core\Core\Environment;
+use TYPO3\CMS\Core\Error\Http\UnauthorizedException;
+use TYPO3\CMS\Core\Utility\GeneralUtility;
+use TYPO3\CMS\Extbase\Event\Mvc\BeforeActionCallEvent;
+
+class BeforeActionCallEventListener
+{
+    public function __invoke(BeforeActionCallEvent $event): void
+    {
+        $class = new \ReflectionClass($event->getControllerClassName());
+        $classAttributes = $class->getAttributes(GroupAccess::class);
+        $method = $class->getMethod($event->getActionMethodName());
+        $methodAttributes = $method->getAttributes(GroupAccess::class);
+        if (!($classAttributes || $methodAttributes)) {
+            return;
+        }
+
+        $groupIds = $this->getCurrentUserGroupIds();
+
+        $message = 'Extbase action not allowed.';
+        $classDebugMessage = 'class Attribute allows: #[GroupAccess([%s])] given: %s';
+        $this->validateAccess($classAttributes, $groupIds, $message, $classDebugMessage, $class->getFileName() ?: '', $class->getStartLine() - 1);
+
+        $methodDebugMessage = 'method Attribute allows: #[GroupAccess([%s])] given: %s';
+        $this->validateAccess($methodAttributes, $groupIds, $message, $methodDebugMessage, $method->getFileName() ?: '', $method->getStartLine() - 1);
+    }
+
+    /**
+     * @return int[]
+     */
+    private function getCurrentUserGroupIds(): array
+    {
+        return GeneralUtility::makeInstance(Context::class)->getPropertyFromAspect('frontend.user', 'groupIds');
+    }
+
+    /**
+     * @param \ReflectionAttribute<GroupAccess>[] $attributes
+     * @param int[] $groupIds
+     * @param string $message
+     * @param string $debugMessage
+     * @return void
+     * @throws UnauthorizedException
+     */
+    protected function validateAccess(array $attributes, array $groupIds, string $message, string $debugMessage, string $file, int $line): void
+    {
+        foreach ($attributes as $attribute) {
+            $groupAccess = $attribute->newInstance();
+            $hasGroup = (bool)array_intersect($groupIds, $groupAccess->frontendUserGroupIds);
+
+            if (!$hasGroup) {
+                if (Environment::getContext()->isDevelopment()) {
+                    $message .= "\n" . sprintf($debugMessage, implode(',', $groupAccess->frontendUserGroupIds), implode(',', $groupIds));
+                }
+                throw new GroupAccessException($message, $file, $line);
+            }
+        }
+    }
+}

Classes/Exception/GroupAccessException.php

@@ -0,0 +1,13 @@
+<?php
+
+namespace AUS\GroupAccess\Exception;
+
+use TYPO3\CMS\Core\Error\Http\UnauthorizedException;
+
+class GroupAccessException extends UnauthorizedException
+{
+    public function __construct(string $message, protected string $file, protected int $line)
+    {
+        parent::__construct($message, 1675160714);
+    }
+}

Configuration/Services.yaml

@@ -0,0 +1,15 @@
+services:
+  _defaults:
+    autowire: true
+    autoconfigure: true
+    public: false
+
+  AUS\GroupAccess\:
+    resource: '../Classes/*'
+    exclude: '../Classes/Domain/Model/*'
+
+  AUS\GroupAccess\EventListener\BeforeActionCallEventListener:
+    tags:
+      - name: event.listener
+        identifier: 'group_access'
+        event: TYPO3\CMS\Extbase\Event\Mvc\BeforeActionCallEvent

README.md

@@ -0,0 +1,47 @@
+# EXT:group_access
+
+
+## install
+
+`composer req andersundsehr/group_access:^1`
+
+## usage:
+
+````php
+<?php
+
+#[GroupAccess([2, 6])]
+class CustomerController extends ActionController
+{
+
+    public function overviewAction(): ResponseInterface
+    {
+        //this action is only accessible if the Frontend User has group 2 or 6
+    }
+
+    #[GroupAccess([7])]
+    public function listAction(): ResponseInterface
+    {
+        //this action is only accessible if the Frontend User has group (2 or 6) and 7
+    }
+}
+````
+
+````php
+<?php
+
+class ProjectController extends ActionController
+{
+
+    public function overviewAction(): ResponseInterface
+    {
+        //this action is only accessible for all users and without user login
+    }
+
+    #[GroupAccess([7, 9, 12])]
+    public function listAction(): ResponseInterface
+    {
+        //this action is only accessible if the Frontend User has group 7 or 9 or 12
+    }
+}
+````

composer.json

@@ -0,0 +1,40 @@
+{
+    "name": "andersundsehr/group_access",
+    "description": "Allows to limit extbase actions ba frontend user group",
+    "type": "typo3-cms-extension",
+    "license": [
+        "GPL-2.0-or-later"
+    ],
+    "require": {
+        "typo3/cms-core": "^11.5 || ^12.0",
+        "php": "~8.0 || ~8.1 || ~8.2"
+    },
+    "autoload": {
+        "psr-4": {
+            "AUS\\GroupAccess\\": "Classes/"
+        }
+    },
+    "extra": {
+        "typo3/cms": {
+            "extension-key": "group_access"
+        },
+        "pluswerk/grumphp-config": {
+            "auto-setting": false
+        },
+        "grumphp": {
+            "config-default-path": "grumphp.yml"
+        }
+    },
+    "require-dev": {
+        "pluswerk/grumphp-config": "^5",
+        "typo3/cms-extbase": "^11.5 || ^12.0"
+    },
+    "config": {
+        "allow-plugins": {
+            "typo3/cms-composer-installers": true,
+            "typo3/class-alias-loader": true,
+            "phpro/grumphp": true,
+            "pluswerk/grumphp-config": true
+        }
+    }
+}

ext_emconf.php

@@ -0,0 +1,17 @@
+<?php
+
+/** @var string $_EXTKEY */
+$EM_CONF[$_EXTKEY] = [
+    'title' => 'group_access',
+    'description' => 'Allows to limit extbase actions ba frontend user group',
+    'constraints' => [
+        'depends' => [
+            'typo3' => '11.0.0-12.4.99',
+        ],
+    ],
+    'autoload' => [
+        'psr-4' => [
+            'AUS\\GroupAccess\\' => 'Classes/',
+        ],
+    ],
+];

grumphp.yml

@@ -0,0 +1,6 @@
+imports:
+  - { resource: vendor/pluswerk/grumphp-config/grumphp.yml }
+
+
+parameters:
+  convention.phpstan_level: ~

phpstan-baseline.neon

@@ -0,0 +1,11 @@
+parameters:
+	ignoreErrors:
+		-
+			message: "#^Method AUS\\\\GroupAccess\\\\EventListener\\\\BeforeActionCallEventListener\\:\\:getCurrentUserGroupIds\\(\\) should return array\\<int\\> but returns mixed\\.$#"
+			count: 1
+			path: Classes/EventListener/BeforeActionCallEventListener.php
+
+		-
+			message: "#^Parameter \\#1 \\$objectOrClass of class ReflectionClass constructor expects class\\-string\\<T of object\\>\\|T of object, string given\\.$#"
+			count: 1
+			path: Classes/EventListener/BeforeActionCallEventListener.php

phpstan.neon

@@ -0,0 +1,7 @@
+includes:
+  - phpstan-baseline.neon
+
+parameters:
+  level: max
+  paths:
+    - Classes/