From b2e07c855ec3d6334251acfd7cafdc844620f8b2 Mon Sep 17 00:00:00 2001
From: Alexander Kellner
Date: Tue, 27 Feb 2024 23:19:35 +0100
Subject: [PATCH] [FEATURE] Add authentication check for lead detail view

---
 Classes/Controller/LeadController.php | 9 +++++++++
 Classes/Domain/Model/Visitor.php | 17 +++++++++++++++++
 Classes/Domain/Repository/VisitorRepository.php | 11 +++++++++++
 Classes/Exception/AuthenticationException.php | 10 ++++++++++
 4 files changed, 47 insertions(+)
 create mode 100644 Classes/Exception/AuthenticationException.php

diff --git a/Classes/Controller/LeadController.php b/Classes/Controller/LeadController.php
index 885419e5..1ddfcf17 100644
--- a/Classes/Controller/LeadController.php
+++ b/Classes/Controller/LeadController.php
@@ -21,6 +21,7 @@
 use In2code\Lux\Domain\Repository\CompanyRepository;
 use In2code\Lux\Domain\Repository\VisitorRepository;
 use In2code\Lux\Domain\Service\CompanyConfigurationService;
+use In2code\Lux\Exception\AuthenticationException;
 use In2code\Lux\Utility\BackendUtility;
 use In2code\Lux\Utility\LocalizationUtility;
 use In2code\Lux\Utility\ObjectUtility;
@@ -101,8 +102,16 @@ public function listAction(FilterDto $filter, string $export = ''): ResponseInte
         return $this->defaultRendering();
     }
 
+    /**
+     * @param Visitor $visitor
+     * @return ResponseInterface
+     * @throws AuthenticationException
+     */
     public function detailAction(Visitor $visitor): ResponseInterface
     {
+        if ($visitor->canBeRead() === false) {
+            throw new AuthenticationException('Not allowed to view this visitor', 1709071863);
+        }
         $filter = ObjectUtility::getFilterDtoFromStartAndEnd($visitor->getDateOfPagevisitFirst(), new DateTime())
             ->setVisitor($visitor);
         $this->view->assignMultiple([
diff --git a/Classes/Domain/Model/Visitor.php b/Classes/Domain/Model/Visitor.php
index 33d6e406..0ece7aaa 100644
--- a/Classes/Domain/Model/Visitor.php
+++ b/Classes/Domain/Model/Visitor.php
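Review bot: The docblock added above detailAction restates the native signature (`@param Visitor $visitor`, `@return ResponseInterface`) and only the `@throws` line carries information the types do not; trimming it to `/** @throws AuthenticationException when the current backend user may not read this visitor */` keeps the useful part and avoids the two lines going stale when the signature changes. The new guard covers detailAction only; whether other actions in this controller that expose a single visitor apply the same rule is outside the hunk and worth confirming before relying on this as the access control for lead details.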
@@ -14,7 +14,9 @@
 use In2code\Lux\Domain\Service\Image\VisitorImageService;
 use In2code\Lux\Domain\Service\Provider\Telecommunication;
 use In2code\Lux\Domain\Service\ScoringService;
+use In2code\Lux\Domain\Service\SiteService;
 use In2code\Lux\Exception\ConfigurationException;
+use In2code\Lux\Utility\BackendUtility;
 use In2code\Lux\Utility\LocalizationUtility;
 use In2code\Lux\Utility\ObjectUtility;
 use In2code\Lux\Utility\StringUtility;
@@ -1125,6 +1127,21 @@ public function getLongitude(): string
         return $lng;
     }
 
+    /**
+     * Check if this visitor can be viewed by current editor
+     *
+     * @return bool
+     */
+    public function canBeRead(): bool
+    {
+        if (BackendUtility::isAdministrator()) {
+            return true;
+        }
+        $sites = GeneralUtility::makeInstance(SiteService::class)->getAllowedSites();
+        return GeneralUtility::makeInstance(VisitorRepository::class)
+            ->canVisitorBeReadBySites($this, array_keys($sites));
+    }
+
     /**
      * Sort all categoryscorings by scoring desc
      *
diff --git a/Classes/Domain/Repository/VisitorRepository.php b/Classes/Domain/Repository/VisitorRepository.php
index dd6d29b3..496607bb 100644
--- a/Classes/Domain/Repository/VisitorRepository.php
+++ b/Classes/Domain/Repository/VisitorRepository.php
@@ -562,6 +562,17 @@ public function findByCompany(Company $company, int $limit = 200): array
         return $visitors;
     }
 
+    public function canVisitorBeReadBySites(Visitor $visitor, array $sites): bool
+    {
+        $sql = 'select v.uid from ' . Visitor::TABLE_NAME . ' v'
+            . ' left join ' . Pagevisit::TABLE_NAME . ' pv on v.uid = pv.visitor'
+            . ' where v.deleted=0 and v.blacklisted=0 and v.uid=' . $visitor->getUid()
+            . ' and pv.site in ("' . implode('","', $sites) . '")'
+            . ' limit 1';
+        $connection = DatabaseUtility::getConnectionForTable(Visitor::TABLE_NAME);
+        return (int)$connection->executeQuery($sql)->fetchOne() > 0;
+    }
+
     /**
      * @param int $visitorIdentifier
      * @param int $frontenduserIdentifier
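Review bot: canBeRead pulls authorization infrastructure into the domain model — BackendUtility, SiteService and VisitorRepository are all resolved through GeneralUtility::makeInstance inside the entity — which ties the model to the backend context and makes the decision hard to unit-test; the permission check would sit more naturally in a service (or the repository method it already delegates to) that the controller calls directly. The `@return bool` line duplicates the native return type and can be dropped, leaving the one-line description. Note also that the result is negative for a visitor that has no pagevisit row at all, because canVisitorBeReadBySites only matches through pv.site; if such visitors exist, administrators see their detail page while editors get an AuthenticationException rather than an empty view, so the intended behaviour for that case should be stated in the method comment.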
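Review bot: canVisitorBeReadBySites builds its SQL by string concatenation: `$visitor->getUid()` is interpolated bare and each `$sites` key is placed inside a `"…"` literal via implode, and an empty `$sites` array yields `in ("")`. The site keys come from SiteService::getAllowedSites() rather than the request, so this is not directly user-injectable as written, but it departs from bound parameters (which the rest of the repository presumably uses) and the double-quoted string literals are MySQL-specific — with ANSI_QUOTES or on PostgreSQL `"x"` is an identifier. Binding the values (TYPO3's Connection expands `in (?)` with PARAM_STR_ARRAY) removes both concerns, and since the `left join` is immediately filtered on pv.site it behaves as an inner join, so saying `inner join` states the intent.

```php
public function canVisitorBeReadBySites(Visitor $visitor, array $sites): bool
{
    // No allowed sites: nothing can match, and "in ()" would be a syntax error.
    if ($sites === []) {
        return false;
    }
    $sql = 'select v.uid from ' . Visitor::TABLE_NAME . ' v'
        . ' inner join ' . Pagevisit::TABLE_NAME . ' pv on v.uid = pv.visitor'
        . ' where v.deleted=0 and v.blacklisted=0 and v.uid=?'
        . ' and pv.site in (?)'
        . ' limit 1';
    $connection = DatabaseUtility::getConnectionForTable(Visitor::TABLE_NAME);
    $result = $connection->executeQuery(
        $sql,
        [(int)$visitor->getUid(), array_values($sites)],
        [\TYPO3\CMS\Core\Database\Connection::PARAM_INT, \TYPO3\CMS\Core\Database\Connection::PARAM_STR_ARRAY]
    );
    return (int)$result->fetchOne() > 0;
}
```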
diff --git a/Classes/Exception/AuthenticationException.php b/Classes/Exception/AuthenticationException.php
new file mode 100644
index 00000000..e3e4fdb9
--- /dev/null
+++ b/Classes/Exception/AuthenticationException.php
@@ -0,0 +1,10 @@
+