vendor/shopware/core/Framework/App/Subscriber/CustomFieldProtectionSubscriber.php line 46

Open in your IDE?
  1. <?php declare(strict_types=1);
  3. namespace Shopware\Core\Framework\App\Subscriber;
  5. use Doctrine\DBAL\Connection;
  6. use Shopware\Core\Framework\Api\Context\AdminApiSource;
  7. use Shopware\Core\Framework\Api\Context\SystemSource;
  8. use Shopware\Core\Framework\Context;
  9. use Shopware\Core\Framework\DataAbstractionLayer\Write\Command\InsertCommand;
  10. use Shopware\Core\Framework\DataAbstractionLayer\Write\Command\WriteCommand;
  11. use Shopware\Core\Framework\DataAbstractionLayer\Write\Validation\PreWriteValidationEvent;
  12. use Shopware\Core\Framework\Log\Package;
  13. use Shopware\Core\Framework\Uuid\Uuid;
  14. use Shopware\Core\Framework\Validation\WriteConstraintViolationException;
  15. use Shopware\Core\System\CustomField\Aggregate\CustomFieldSet\CustomFieldSetDefinition;
  16. use Symfony\Component\EventDispatcher\EventSubscriberInterface;
  17. use Symfony\Component\Validator\ConstraintViolation;
  18. use Symfony\Component\Validator\ConstraintViolationInterface;
  19. use Symfony\Component\Validator\ConstraintViolationList;
  21. /**
  22.  * @internal only for use by the app-system, will be considered internal from v6.4.0 onward
  23.  */
  24. #[Package('core')]
  25. class CustomFieldProtectionSubscriber implements EventSubscriberInterface
  26. {
  27.     public const VIOLATION_NO_PERMISSION 'no_permission_violation';
  29.     private Connection $connection;
  31.     public function __construct(Connection $connection)
  32.     {
  33.         $this->connection $connection;
  34.     }
  36.     /**
  37.      * @return array<string, string|array{0: string, 1: int}|list<array{0: string, 1?: int}>>
  38.      */
  39.     public static function getSubscribedEvents()
  40.     {
  41.         return [
  42.             PreWriteValidationEvent::class => 'checkWrite',
  43.         ];
  44.     }
  46.     public function checkWrite(PreWriteValidationEvent $event): void
  47.     {
  48.         $context $event->getContext();
  50.         if ($context->getSource() instanceof SystemSource || $context->getScope() === Context::SYSTEM_SCOPE) {
  51.             return;
  52.         }
  54.         $integrationId $this->getIntegrationId($context);
  55.         $violationList = new ConstraintViolationList();
  57.         foreach ($event->getCommands() as $command) {
  58.             if (
  59.                 !($command->getDefinition() instanceof CustomFieldSetDefinition)
  60.                 || $command instanceof InsertCommand
  61.             ) {
  62.                 continue;
  63.             }
  65.             $appIntegrationId $this->fetchIntegrationIdOfAssociatedApp($command);
  66.             if (!$appIntegrationId) {
  67.                 continue;
  68.             }
  70.             if ($integrationId !== $appIntegrationId) {
  71.                 $this->addViolation($violationList$command);
  72.             }
  73.         }
  74.         if ($violationList->count() > 0) {
  75.             $event->getExceptions()->add(new WriteConstraintViolationException($violationList));
  76.         }
  77.     }
  79.     private function getIntegrationId(Context $context): ?string
  80.     {
  81.         $source $context->getSource();
  82.         if (!($source instanceof AdminApiSource)) {
  83.             return null;
  84.         }
  86.         return $source->getIntegrationId();
  87.     }
  89.     private function fetchIntegrationIdOfAssociatedApp(WriteCommand $command): ?string
  90.     {
  91.         $id $command->getPrimaryKey()['id'];
  92.         $integrationId $this->connection->executeQuery('
  93.             SELECT `app`.`integration_id`
  94.             FROM `app`
  95.             INNER JOIN `custom_field_set` ON `custom_field_set`.`app_id` = `app`.`id`
  96.             WHERE `custom_field_set`.`id` = :customFieldSetId
  97.         ', ['customFieldSetId' => $id])->fetchOne();
  99.         if (!$integrationId) {
  100.             return null;
  101.         }
  103.         return Uuid::fromBytesToHex($integrationId);
  104.     }
  106.     private function addViolation(ConstraintViolationList $violationListWriteCommand $command): void
  107.     {
  108.         $violationList->add(
  109.             $this->buildViolation(
  110.                 'No permissions to %privilege%".',
  111.                 ['%privilege%' => 'write:custom_field_set'],
  112.                 '/' $command->getDefinition()->getEntityName(),
  113.                 self::VIOLATION_NO_PERMISSION
  114.             )
  115.         );
  116.     }
  118.     /**
  119.      * @param array<string, string> $parameters
  120.      */
  121.     private function buildViolation(
  122.         string $messageTemplate,
  123.         array $parameters,
  124.         ?string $propertyPath null,
  125.         ?string $code null
  126.     ): ConstraintViolationInterface {
  127.         return new ConstraintViolation(
  128.             str_replace(array_keys($parameters), array_values($parameters), $messageTemplate),
  129.             $messageTemplate,
  130.             $parameters,
  131.             null,
  132.             $propertyPath,
  133.             null,
  134.             null,
  135.             $code
  136.         );
  137.     }
  138. }