diff --git a/Classes/Controller/LeadController.php b/Classes/Controller/LeadController.php
index 885419e5..06e18f74 100644
--- a/Classes/Controller/LeadController.php
+++ b/Classes/Controller/LeadController.php
@@ -21,6 +21,7 @@
 use In2code\Lux\Domain\Repository\CompanyRepository;
 use In2code\Lux\Domain\Repository\VisitorRepository;
 use In2code\Lux\Domain\Service\CompanyConfigurationService;
+use In2code\Lux\Exception\AuthenticationException;
 use In2code\Lux\Utility\BackendUtility;
 use In2code\Lux\Utility\LocalizationUtility;
 use In2code\Lux\Utility\ObjectUtility;
@@ -101,8 +102,16 @@ public function listAction(FilterDto $filter, string $export = ''): ResponseInte
 return $this->defaultRendering();
 }
 
+ /**
+ * @param Visitor $visitor
+ * @return ResponseInterface
+ * @throws AuthenticationException
+ */
 public function detailAction(Visitor $visitor): ResponseInterface
 {
+ if ($visitor->canBeRead() === false) {
+ throw new AuthenticationException('Not allowed to view this visitor', 1709071863);
+ }
 $filter = ObjectUtility::getFilterDtoFromStartAndEnd($visitor->getDateOfPagevisitFirst(), new DateTime())
 ->setVisitor($visitor);
 $this->view->assignMultiple([
@@ -294,6 +303,9 @@ public function detailAjax(ServerRequestInterface $request): ResponseInterface
 $standaloneView->setPartialRootPaths(['EXT:lux/Resources/Private/Partials/']);
 /** @var Visitor $visitor */
 $visitor = $visitorRepository->findByUid((int)$request->getQueryParams()['visitor']);
+ if ($visitor->canBeRead() === false) {
+ throw new AuthenticationException('Not allowed to view this visitor', 1709072495);
+ }
 $filter = ObjectUtility::getFilterDtoFromStartAndEnd($visitor->getDateOfPagevisitFirst(), new DateTime())
 ->setVisitor($visitor);
 $standaloneView->assignMultiple([
diff --git a/Classes/Domain/Model/Visitor.php b/Classes/Domain/Model/Visitor.php
index 33d6e406..0ece7aaa 100644
--- a/Classes/Domain/Model/Visitor.php
+++ b/Classes/Domain/Model/Visitor.php
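Review bot: The new docblock on detailAction restates the native signature (`@param Visitor $visitor`, `@return ResponseInterface`); only `@throws AuthenticationException` adds information, so keep just that line and say what triggers it, e.g. `@throws AuthenticationException when the current backend user may not read this visitor`. The guard `if ($visitor->canBeRead() === false)` compares a bool against a literal and reads more naturally as `if (!$visitor->canBeRead())`; the same shape is repeated in the detailAjax hunk below. Both guards throw the identical message with distinct exception codes, which is fine for log correlation. detailAction's body continues outside the hunk.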
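Review bot: The new guard in detailAjax dereferences `$visitor` before checking that findByUid() actually returned one; an Extbase repository presumably returns null for an unknown uid, so a request with a missing or non-existent `visitor` query parameter now fails with a PHP Error on `$visitor->canBeRead()` instead of the intended authorization failure. Folding the null case into the same check, `if ($visitor === null || $visitor->canBeRead() === false) {`, fails closed and also avoids revealing through differing responses whether a given uid exists. The method also lacks the `@throws AuthenticationException` annotation that detailAction received, and since this is a PSR-7 request handler it is worth confirming that the exception is translated into an error response rather than surfacing as an unhandled 500. detailAjax's body starts and ends outside the hunk.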
@@ -14,7 +14,9 @@
 use In2code\Lux\Domain\Service\Image\VisitorImageService;
 use In2code\Lux\Domain\Service\Provider\Telecommunication;
 use In2code\Lux\Domain\Service\ScoringService;
+use In2code\Lux\Domain\Service\SiteService;
 use In2code\Lux\Exception\ConfigurationException;
+use In2code\Lux\Utility\BackendUtility;
 use In2code\Lux\Utility\LocalizationUtility;
 use In2code\Lux\Utility\ObjectUtility;
 use In2code\Lux\Utility\StringUtility;
@@ -1125,6 +1127,21 @@ public function getLongitude(): string
 return $lng;
 }
 
+ /**
+ * Check if this visitor can be viewed by current editor
+ *
+ * @return bool
+ */
+ public function canBeRead(): bool
+ {
+ if (BackendUtility::isAdministrator()) {
+ return true;
+ }
+ $sites = GeneralUtility::makeInstance(SiteService::class)->getAllowedSites();
+ return GeneralUtility::makeInstance(VisitorRepository::class)
+ ->canVisitorBeReadBySites($this, array_keys($sites));
+ }
+
 /**
 * Sort all categoryscorings by scoring desc
 *
diff --git a/Classes/Domain/Repository/VisitorRepository.php b/Classes/Domain/Repository/VisitorRepository.php
index dd6d29b3..496607bb 100644
--- a/Classes/Domain/Repository/VisitorRepository.php
+++ b/Classes/Domain/Repository/VisitorRepository.php
@@ -562,6 +562,17 @@ public function findByCompany(Company $company, int $limit = 200): array
 return $visitors;
 }
 
+ public function canVisitorBeReadBySites(Visitor $visitor, array $sites): bool
+ {
+ $sql = 'select v.uid from ' . Visitor::TABLE_NAME . ' v'
+ . ' left join ' . Pagevisit::TABLE_NAME . ' pv on v.uid = pv.visitor'
+ . ' where v.deleted=0 and v.blacklisted=0 and v.uid=' . $visitor->getUid()
+ . ' and pv.site in ("' . implode('","', $sites) . '")'
+ . ' limit 1';
+ $connection = DatabaseUtility::getConnectionForTable(Visitor::TABLE_NAME);
+ return (int)$connection->executeQuery($sql)->fetchOne() > 0;
+ }
+
 /**
 * @param int $visitorIdentifier
 * @param int $frontenduserIdentifier
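Review bot: canBeRead() resolves SiteService and VisitorRepository through GeneralUtility::makeInstance from inside the domain model and reads the backend user via BackendUtility::isAdministrator, which couples the entity to the backend context and makes the access rule hard to unit-test; consider moving the decision into a small service (e.g. `canBeRead(Visitor $visitor): bool` on an access service) and keeping the model free of service location. The docblock's `@return bool` only restates the native type; replace it with the contract a reader actually needs, e.g. `Administrators may read every visitor; other editors only visitors with at least one pagevisit on one of their allowed sites, so a visitor without such a pagevisit is not readable by them.` That fail-closed behaviour follows from canVisitorBeReadBySites in the next hunk and should be confirmed as intended, since it presumably also hides visitors whose pagevisits carry no site value.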
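Review bot: canVisitorBeReadBySites builds the statement by string concatenation, splicing `$visitor->getUid()` and the `$sites` keys straight into the SQL; the values come from the model and the editor's allowed-site configuration rather than the request, so this is not an injection path as called today, but the pattern breaks the moment a caller passes user-controlled site identifiers, and the double-quoted string literals are MySQL-specific (other platforms and ANSI_QUOTES mode read "..." as identifiers). Use the QueryBuilder of the existing connection with createNamedParameter for the uid and `Connection::PARAM_STR_ARRAY` (TYPO3 core `Connection`) for the site list, which quotes per platform and keeps values out of the statement text. The `where pv.site in (...)` condition also turns the left join into an inner join, so a visitor with no pagevisit row on an allowed site is never readable by a non-admin, and an empty `$sites` array currently yields `in ("")`; both are fail-closed, but an explicit early `return false` for the empty list avoids generating an empty `IN ()` once the query is parameterised. Whether `executeQuery()` exists on the QueryBuilder depends on the TYPO3/DBAL versions the extension targets; the connection-level call already used here suggests it does.
```php
public function canVisitorBeReadBySites(Visitor $visitor, array $sites): bool
{
    // An editor without allowed sites may read nothing; also avoids an empty IN ()
    if ($sites === []) {
        return false;
    }
    $queryBuilder = DatabaseUtility::getConnectionForTable(Visitor::TABLE_NAME)->createQueryBuilder();
    $uid = $queryBuilder
        ->select('v.uid')
        ->from(Visitor::TABLE_NAME, 'v')
        ->join('v', Pagevisit::TABLE_NAME, 'pv', $queryBuilder->expr()->eq('pv.visitor', $queryBuilder->quoteIdentifier('v.uid')))
        ->where(
            $queryBuilder->expr()->eq('v.deleted', $queryBuilder->createNamedParameter(0, Connection::PARAM_INT)),
            $queryBuilder->expr()->eq('v.blacklisted', $queryBuilder->createNamedParameter(0, Connection::PARAM_INT)),
            $queryBuilder->expr()->eq('v.uid', $queryBuilder->createNamedParameter($visitor->getUid(), Connection::PARAM_INT)),
            $queryBuilder->expr()->in('pv.site', $queryBuilder->createNamedParameter($sites, Connection::PARAM_STR_ARRAY))
        )
        ->setMaxResults(1)
        ->executeQuery()
        ->fetchOne();
    return (int)$uid > 0;
}
```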
diff --git a/Classes/Exception/AuthenticationException.php b/Classes/Exception/AuthenticationException.php
new file mode 100644
index 00000000..e3e4fdb9
--- /dev/null
+++ b/Classes/Exception/AuthenticationException.php
@@ -0,0 +1,10 @@
+