[FEATURE] Add authentication check for lead detail view

Classes/Controller/LeadController.php

@@ -21,6 +21,7 @@
 use In2code\Lux\Domain\Repository\CompanyRepository;
 use In2code\Lux\Domain\Repository\VisitorRepository;
 use In2code\Lux\Domain\Service\CompanyConfigurationService;
+use In2code\Lux\Exception\AuthenticationException;
 use In2code\Lux\Utility\BackendUtility;
 use In2code\Lux\Utility\LocalizationUtility;
 use In2code\Lux\Utility\ObjectUtility;
@@ -101,8 +102,16 @@ public function listAction(FilterDto $filter, string $export = ''): ResponseInte
         return $this->defaultRendering();
     }
 
+    /**
+     * @param Visitor $visitor
+     * @return ResponseInterface
+     * @throws AuthenticationException
+     */
     public function detailAction(Visitor $visitor): ResponseInterface
     {
+        if ($visitor->canBeRead() === false) {
+            throw new AuthenticationException('Not allowed to view this visitor', 1709071863);
+        }
         $filter = ObjectUtility::getFilterDtoFromStartAndEnd($visitor->getDateOfPagevisitFirst(), new DateTime())
             ->setVisitor($visitor);
         $this->view->assignMultiple([
@@ -294,6 +303,9 @@ public function detailAjax(ServerRequestInterface $request): ResponseInterface
         $standaloneView->setPartialRootPaths(['EXT:lux/Resources/Private/Partials/']);
         /** @var Visitor $visitor */
         $visitor = $visitorRepository->findByUid((int)$request->getQueryParams()['visitor']);
+        if ($visitor->canBeRead() === false) {
+            throw new AuthenticationException('Not allowed to view this visitor', 1709072495);
+        }
         $filter = ObjectUtility::getFilterDtoFromStartAndEnd($visitor->getDateOfPagevisitFirst(), new DateTime())
             ->setVisitor($visitor);
         $standaloneView->assignMultiple([

Classes/Domain/Model/Visitor.php

@@ -14,7 +14,9 @@
 use In2code\Lux\Domain\Service\Image\VisitorImageService;
 use In2code\Lux\Domain\Service\Provider\Telecommunication;
 use In2code\Lux\Domain\Service\ScoringService;
+use In2code\Lux\Domain\Service\SiteService;
 use In2code\Lux\Exception\ConfigurationException;
+use In2code\Lux\Utility\BackendUtility;
 use In2code\Lux\Utility\LocalizationUtility;
 use In2code\Lux\Utility\ObjectUtility;
 use In2code\Lux\Utility\StringUtility;
@@ -1125,6 +1127,21 @@ public function getLongitude(): string
         return $lng;
     }
 
+    /**
+     * Check if this visitor can be viewed by current editor
+     *
+     * @return bool
+     */
+    public function canBeRead(): bool
+    {
+        if (BackendUtility::isAdministrator()) {
+            return true;
+        }
+        $sites = GeneralUtility::makeInstance(SiteService::class)->getAllowedSites();
+        return GeneralUtility::makeInstance(VisitorRepository::class)
+            ->canVisitorBeReadBySites($this, array_keys($sites));
+    }
+
     /**
      * Sort all categoryscorings by scoring desc
      *

Classes/Domain/Repository/VisitorRepository.php

@@ -562,6 +562,17 @@ public function findByCompany(Company $company, int $limit = 200): array
         return $visitors;
     }
 
+    public function canVisitorBeReadBySites(Visitor $visitor, array $sites): bool
+    {
+        $sql = 'select v.uid from ' . Visitor::TABLE_NAME . ' v'
+            . ' left join ' . Pagevisit::TABLE_NAME . ' pv on v.uid = pv.visitor'
+            . ' where v.deleted=0 and v.blacklisted=0 and v.uid=' . $visitor->getUid()
+            . ' and pv.site in ("' . implode('","', $sites) . '")'
+            . ' limit 1';
+        $connection = DatabaseUtility::getConnectionForTable(Visitor::TABLE_NAME);
+        return (int)$connection->executeQuery($sql)->fetchOne() > 0;
+    }
+
     /**
      * @param int $visitorIdentifier
      * @param int $frontenduserIdentifier

Classes/Exception/AuthenticationException.php

@@ -0,0 +1,10 @@
+<?php
+
+declare(strict_types=1);
+namespace In2code\Lux\Exception;
+
+use Exception;
+
+class AuthenticationException extends Exception
+{
+}