vendor/shopware/core/Framework/DataAbstractionLayer/EntityProtection/EntityProtectionValidator.php line 56

Open in your IDE?
  1. <?php declare(strict_types=1);
  3. namespace Shopware\Core\Framework\DataAbstractionLayer\EntityProtection;
  5. use Shopware\Core\Framework\Context;
  6. use Shopware\Core\Framework\DataAbstractionLayer\EntityDefinition;
  7. use Shopware\Core\Framework\DataAbstractionLayer\Event\EntitySearchedEvent;
  8. use Shopware\Core\Framework\DataAbstractionLayer\Field\AssociationField;
  9. use Shopware\Core\Framework\DataAbstractionLayer\Field\Field;
  10. use Shopware\Core\Framework\DataAbstractionLayer\Search\Criteria;
  11. use Shopware\Core\Framework\DataAbstractionLayer\Write\Validation\PreWriteValidationEvent;
  12. use Shopware\Core\Framework\Log\Package;
  13. use Symfony\Component\EventDispatcher\EventSubscriberInterface;
  14. use Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException;
  16. /**
  17.  * @deprecated tag:v6.5.0 - reason:becomes-internal - EventSubscribers will become internal in v6.5.0
  18.  */
  19. #[Package('core')]
  20. class EntityProtectionValidator implements EventSubscriberInterface
  21. {
  22.     /**
  23.      * @return array<string, string|array{0: string, 1: int}|list<array{0: string, 1?: int}>>
  24.      */
  25.     public static function getSubscribedEvents()
  26.     {
  27.         return [
  28.             PreWriteValidationEvent::class => 'validateWriteCommands',
  29.             EntitySearchedEvent::class => 'validateEntitySearch',
  30.         ];
  31.     }
  33.     /**
  34.      * @param list<array{entity: string, value: string|null, definition: EntityDefinition, field: Field|null}> $pathSegments
  35.      * @param array<string> $protections FQCN of the protections that need to be validated
  36.      */
  37.     public function validateEntityPath(array $pathSegments, array $protectionsContext $context): void
  38.     {
  39.         foreach ($pathSegments as $pathSegment) {
  40.             /** @var EntityDefinition $definition */
  41.             $definition $pathSegment['definition'];
  43.             foreach ($protections as $protection) {
  44.                 $protectionInstance $definition->getProtections()->get($protection);
  45.                 if (!$protectionInstance || $protectionInstance->isAllowed($context->getScope())) {
  46.                     continue;
  47.                 }
  49.                 throw new AccessDeniedHttpException(
  50.                     sprintf('API access for entity "%s" not allowed.'$pathSegment['entity'])
  51.                 );
  52.             }
  53.         }
  54.     }
  56.     public function validateEntitySearch(EntitySearchedEvent $event): void
  57.     {
  58.         $definition $event->getDefinition();
  59.         $readProtection $definition->getProtections()->get(ReadProtection::class);
  60.         $context $event->getContext();
  62.         if ($readProtection && !$readProtection->isAllowed($context->getScope())) {
  63.             throw new AccessDeniedHttpException(
  64.                 sprintf(
  65.                     'Read access to entity "%s" not allowed for scope "%s".',
  66.                     $definition->getEntityName(),
  67.                     $context->getScope()
  68.                 )
  69.             );
  70.         }
  72.         $this->validateCriteriaAssociation(
  73.             $definition,
  74.             $event->getCriteria()->getAssociations(),
  75.             $context
  76.         );
  77.     }
  79.     public function validateWriteCommands(PreWriteValidationEvent $event): void
  80.     {
  81.         foreach ($event->getCommands() as $command) {
  82.             // Don't validate commands that fake operations on DB level, e.g. cascade deletes
  83.             if (!$command->isValid()) {
  84.                 continue;
  85.             }
  87.             $writeProtection $command->getDefinition()->getProtections()->get(WriteProtection::class);
  88.             if ($writeProtection && !$writeProtection->isAllowed($event->getContext()->getScope())) {
  89.                 throw new AccessDeniedHttpException(
  90.                     sprintf(
  91.                         'Write access to entity "%s" are not allowed in scope "%s".',
  92.                         $command->getDefinition()->getEntityName(),
  93.                         $event->getContext()->getScope()
  94.                     )
  95.                 );
  96.             }
  97.         }
  98.     }
  100.     /**
  101.      * @param array<string, Criteria> $associations
  102.      */
  103.     private function validateCriteriaAssociation(EntityDefinition $definition, array $associationsContext $context): void
  104.     {
  105.         /** @var Criteria $criteria */
  106.         foreach ($associations as $associationName => $criteria) {
  107.             $field $definition->getField($associationName);
  108.             if (!$field instanceof AssociationField) {
  109.                 continue;
  110.             }
  112.             $associationDefinition $field->getReferenceDefinition();
  113.             $readProtection $associationDefinition->getProtections()->get(ReadProtection::class);
  114.             if ($readProtection && !$readProtection->isAllowed($context->getScope())) {
  115.                 throw new AccessDeniedHttpException(
  116.                     sprintf(
  117.                         'Read access to nested association "%s" on entity "%s" not allowed for scope "%s".',
  118.                         $associationName,
  119.                         $definition->getEntityName(),
  120.                         $context->getScope()
  121.                     )
  122.                 );
  123.             }
  125.             $this->validateCriteriaAssociation($associationDefinition$criteria->getAssociations(), $context);
  126.         }
  127.     }
  128. }