vendor/shopware/core/Framework/DataAbstractionLayer/EntityProtection/EntityProtectionValidator.php line 77

Open in your IDE?
  1. <?php declare(strict_types=1);
  3. namespace Shopware\Core\Framework\DataAbstractionLayer\EntityProtection;
  5. use Shopware\Core\Framework\Context;
  6. use Shopware\Core\Framework\DataAbstractionLayer\EntityDefinition;
  7. use Shopware\Core\Framework\DataAbstractionLayer\Event\EntitySearchedEvent;
  8. use Shopware\Core\Framework\DataAbstractionLayer\Field\AssociationField;
  9. use Shopware\Core\Framework\DataAbstractionLayer\Field\Field;
  10. use Shopware\Core\Framework\DataAbstractionLayer\Search\Criteria;
  11. use Shopware\Core\Framework\DataAbstractionLayer\Write\Validation\PreWriteValidationEvent;
  12. use Symfony\Component\EventDispatcher\EventSubscriberInterface;
  13. use Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException;
  15. /**
  16.  * @deprecated tag:v6.5.0 - reason:becomes-internal - EventSubscribers will become internal in v6.5.0
  17.  */
  18. class EntityProtectionValidator implements EventSubscriberInterface
  19. {
  20.     /**
  21.      * @return array<string, string|array{0: string, 1: int}|list<array{0: string, 1?: int}>>
  22.      */
  23.     public static function getSubscribedEvents()
  24.     {
  25.         return [
  26.             PreWriteValidationEvent::class => 'validateWriteCommands',
  27.             EntitySearchedEvent::class => 'validateEntitySearch',
  28.         ];
  29.     }
  31.     /**
  32.      * @param list<array{entity: string, value: string|null, definition: EntityDefinition, field: Field|null}> $pathSegments
  33.      * @param array<string> $protections FQCN of the protections that need to be validated
  34.      */
  35.     public function validateEntityPath(array $pathSegments, array $protectionsContext $context): void
  36.     {
  37.         foreach ($pathSegments as $pathSegment) {
  38.             /** @var EntityDefinition $definition */
  39.             $definition $pathSegment['definition'];
  41.             foreach ($protections as $protection) {
  42.                 $protectionInstance $definition->getProtections()->get($protection);
  43.                 if (!$protectionInstance || $protectionInstance->isAllowed($context->getScope())) {
  44.                     continue;
  45.                 }
  47.                 throw new AccessDeniedHttpException(
  48.                     sprintf('API access for entity "%s" not allowed.'$pathSegment['entity'])
  49.                 );
  50.             }
  51.         }
  52.     }
  54.     public function validateEntitySearch(EntitySearchedEvent $event): void
  55.     {
  56.         $definition $event->getDefinition();
  57.         $readProtection $definition->getProtections()->get(ReadProtection::class);
  58.         $context $event->getContext();
  60.         if ($readProtection && !$readProtection->isAllowed($context->getScope())) {
  61.             throw new AccessDeniedHttpException(
  62.                 sprintf(
  63.                     'Read access to entity "%s" not allowed for scope "%s".',
  64.                     $definition->getEntityName(),
  65.                     $context->getScope()
  66.                 )
  67.             );
  68.         }
  70.         $this->validateCriteriaAssociation(
  71.             $definition,
  72.             $event->getCriteria()->getAssociations(),
  73.             $context
  74.         );
  75.     }
  77.     public function validateWriteCommands(PreWriteValidationEvent $event): void
  78.     {
  79.         foreach ($event->getCommands() as $command) {
  80.             // Don't validate commands that fake operations on DB level, e.g. cascade deletes
  81.             if (!$command->isValid()) {
  82.                 continue;
  83.             }
  85.             $writeProtection $command->getDefinition()->getProtections()->get(WriteProtection::class);
  86.             if ($writeProtection && !$writeProtection->isAllowed($event->getContext()->getScope())) {
  87.                 throw new AccessDeniedHttpException(
  88.                     sprintf(
  89.                         'Write access to entity "%s" are not allowed in scope "%s".',
  90.                         $command->getDefinition()->getEntityName(),
  91.                         $event->getContext()->getScope()
  92.                     )
  93.                 );
  94.             }
  95.         }
  96.     }
  98.     /**
  99.      * @param array<string, Criteria> $associations
  100.      */
  101.     private function validateCriteriaAssociation(EntityDefinition $definition, array $associationsContext $context): void
  102.     {
  103.         /** @var Criteria $criteria */
  104.         foreach ($associations as $associationName => $criteria) {
  105.             $field $definition->getField($associationName);
  106.             if (!$field instanceof AssociationField) {
  107.                 continue;
  108.             }
  110.             $associationDefinition $field->getReferenceDefinition();
  111.             $readProtection $associationDefinition->getProtections()->get(ReadProtection::class);
  112.             if ($readProtection && !$readProtection->isAllowed($context->getScope())) {
  113.                 throw new AccessDeniedHttpException(
  114.                     sprintf(
  115.                         'Read access to nested association "%s" on entity "%s" not allowed for scope "%s".',
  116.                         $associationName,
  117.                         $definition->getEntityName(),
  118.                         $context->getScope()
  119.                     )
  120.                 );
  121.             }
  123.             $this->validateCriteriaAssociation($associationDefinition$criteria->getAssociations(), $context);
  124.         }
  125.     }
  126. }