From 25382d0de322264507748e350630639b1dc9540a Mon Sep 17 00:00:00 2001 From: Lukas Metzger Date: Sun, 1 Apr 2018 21:20:53 +0200 Subject: [PATCH] Added DELETE /users/{user}/permissions/{domainId} --- backend/src/controllers/Permissions.php | 23 +++++++++++++++++ backend/src/operations/Permissions.php | 33 +++++++++++++++++++++++++ backend/src/public/index.php | 1 + backend/test/tests/permissions.js | 21 ++++++++++++++++ 4 files changed, 78 insertions(+) diff --git a/backend/src/controllers/Permissions.php b/backend/src/controllers/Permissions.php index 4649937..9adeaf9 100644 --- a/backend/src/controllers/Permissions.php +++ b/backend/src/controllers/Permissions.php @@ -70,4 +70,27 @@ class Permissions return $res->withJson(['error' => 'Either domain or user were not found'], 404); } } + + public function delete(Request $req, Response $res, array $args) + { + $ac = new \Operations\AccessControl($this->c); + if (!$ac->isAdmin($req->getAttribute('userId'))) { + $this->logger->info('Non admin user tries to add permissions'); + return $res->withJson(['error' => 'You must be admin to use this feature'], 403); + } + + $user = intval($args['user']); + $domainId = intval($args['domainId']); + + $permissions = new \Operations\Permissions($this->c); + + try { + $permissions->deletePermission($user, $domainId); + + $this->logger->info('Permission was removed:', ['by' => $req->getAttribute('userId'), 'user' => $user, 'domain' => $domainId]); + return $res->withStatus(204); + } catch (\Exceptions\NotFoundException $e) { + return $res->withJson(['error' => 'Either domain or user were not found'], 404); + } + } } diff --git a/backend/src/operations/Permissions.php b/backend/src/operations/Permissions.php index 4949dc0..a57b9b8 100644 --- a/backend/src/operations/Permissions.php +++ b/backend/src/operations/Permissions.php @@ -73,6 +73,8 @@ class Permissions * @param $domainId Domain for which access should be granted * * @return void + * + * @throws NotFoundException If domain or user was not found */ public function addPermission(int $userId, int $domainId) : void { @@ -107,4 +109,35 @@ class Permissions $this->db->commit(); } + + /** + * Delete a permission + * + * @param $userId User id + * @param $domainId Domain for which access should be revoked + * + * @return void + * + * @throws NotFoundException if the entry was not found + */ + public function deletePermission(int $userId, int $domainId) : void + { + $this->db->beginTransaction(); + + $query = $this->db->prepare('SELECT * FROM permissions WHERE domain_id=:domainId AND user_id=:userId'); + $query->bindValue(':domainId', $domainId, \PDO::PARAM_INT); + $query->bindValue(':userId', $userId, \PDO::PARAM_INT); + $query->execute(); + if ($query->fetch() === false) { + $this->db->rollBack(); + throw new \Exceptions\NotFoundException(); + } + + $query = $this->db->prepare('DELETE FROM permissions WHERE domain_id=:domainId AND user_id=:userId'); + $query->bindValue(':domainId', $domainId, \PDO::PARAM_INT); + $query->bindValue(':userId', $userId, \PDO::PARAM_INT); + $query->execute(); + + $this->db->commit(); + } } diff --git a/backend/src/public/index.php b/backend/src/public/index.php index 4393656..4dd1c8f 100644 --- a/backend/src/public/index.php +++ b/backend/src/public/index.php @@ -50,6 +50,7 @@ $app->group('/v1', function () { $this->get('/users/{user}/permissions', '\Controllers\Permissions:getList'); $this->post('/users/{user}/permissions', '\Controllers\Permissions:postNew'); + $this->delete('/users/{user}/permissions/{domainId}', '\Controllers\Permissions:delete'); })->add('\Middlewares\Authentication'); }); diff --git a/backend/test/tests/permissions.js b/backend/test/tests/permissions.js index d322f0e..f771b1c 100644 --- a/backend/test/tests/permissions.js +++ b/backend/test/tests/permissions.js @@ -66,7 +66,21 @@ test.run(async function () { assert.equal(res.status, 204, 'Add of permission should succeed for not existing permission.'); + // Revoke the new permission + var res = await req({ + url: '/users/2/permissions/3', + method: 'delete' + }); + assert.equal(res.status, 204, 'Revoking should succeed'); + + // Revoke the new permission again + var res = await req({ + url: '/users/2/permissions/3', + method: 'delete' + }); + + assert.equal(res.status, 404, 'Second revocation of the same permission should fail'); }); await test('user', async function (assert, req) { @@ -86,5 +100,12 @@ test.run(async function () { }); assert.equal(res.status, 403, 'Add of permission should fail for user.'); + + var res = await req({ + url: '/users/2/permissions/1', + method: 'delete' + }); + + assert.equal(res.status, 403, 'Revoke of permission should fail for user.'); }); }); \ No newline at end of file