platform/src/Core/Framework/App/Subscriber/CustomFieldProtectionSubscriber.php line 47

Open in your IDE?
  1. <?php declare(strict_types=1);
  3. namespace Shopware\Core\Framework\App\Subscriber;
  5. use Doctrine\DBAL\Connection;
  6. use Shopware\Core\Framework\Api\Context\AdminApiSource;
  7. use Shopware\Core\Framework\Api\Context\SystemSource;
  8. use Shopware\Core\Framework\Context;
  9. use Shopware\Core\Framework\DataAbstractionLayer\Write\Command\InsertCommand;
  10. use Shopware\Core\Framework\DataAbstractionLayer\Write\Command\WriteCommand;
  11. use Shopware\Core\Framework\DataAbstractionLayer\Write\Validation\PreWriteValidationEvent;
  12. use Shopware\Core\Framework\Uuid\Uuid;
  13. use Shopware\Core\Framework\Validation\WriteConstraintViolationException;
  14. use Shopware\Core\System\CustomField\Aggregate\CustomFieldSet\CustomFieldSetDefinition;
  15. use Symfony\Component\EventDispatcher\EventSubscriberInterface;
  16. use Symfony\Component\Validator\ConstraintViolation;
  17. use Symfony\Component\Validator\ConstraintViolationInterface;
  18. use Symfony\Component\Validator\ConstraintViolationList;
  20. /**
  21.  * @internal only for use by the app-system, will be considered internal from v6.4.0 onward
  22.  */
  23. class CustomFieldProtectionSubscriber implements EventSubscriberInterface
  24. {
  25.     public const VIOLATION_NO_PERMISSION 'no_permission_violation';
  27.     /**
  28.      * @var Connection
  29.      */
  30.     private $connection;
  32.     public function __construct(Connection $connection)
  33.     {
  34.         $this->connection $connection;
  35.     }
  37.     /**
  38.      * {@inheritdoc}
  39.      */
  40.     public static function getSubscribedEvents()
  41.     {
  42.         return [
  43.             PreWriteValidationEvent::class => 'checkWrite',
  44.         ];
  45.     }
  47.     public function checkWrite(PreWriteValidationEvent $event): void
  48.     {
  49.         $context $event->getContext();
  51.         if ($context->getSource() instanceof SystemSource || $context->getScope() === Context::SYSTEM_SCOPE) {
  52.             return;
  53.         }
  55.         $integrationId $this->getIntegrationId($context);
  56.         $violationList = new ConstraintViolationList();
  58.         foreach ($event->getCommands() as $command) {
  59.             if (
  60.                 !($command->getDefinition() instanceof CustomFieldSetDefinition)
  61.                 || $command instanceof InsertCommand
  62.             ) {
  63.                 continue;
  64.             }
  66.             $appIntegrationId $this->fetchIntegrationIdOfAssociatedApp($command);
  67.             if (!$appIntegrationId) {
  68.                 continue;
  69.             }
  71.             if ($integrationId !== $appIntegrationId) {
  72.                 $this->addViolation($violationList$command);
  73.             }
  74.         }
  75.         if ($violationList->count() > 0) {
  76.             $event->getExceptions()->add(new WriteConstraintViolationException($violationList));
  77.         }
  78.     }
  80.     private function getIntegrationId(Context $context): ?string
  81.     {
  82.         $source $context->getSource();
  83.         if (!($source instanceof AdminApiSource)) {
  84.             return null;
  85.         }
  87.         return $source->getIntegrationId();
  88.     }
  90.     private function fetchIntegrationIdOfAssociatedApp(WriteCommand $command): ?string
  91.     {
  92.         $id $command->getPrimaryKey()['id'];
  93.         $integrationId $this->connection->executeQuery('
  94.             SELECT `app`.`integration_id`
  95.             FROM `app`
  96.             INNER JOIN `custom_field_set` ON `custom_field_set`.`app_id` = `app`.`id`
  97.             WHERE `custom_field_set`.`id` = :customFieldSetId
  98.         ', ['customFieldSetId' => $id])->fetchColumn();
  100.         if (!$integrationId) {
  101.             return null;
  102.         }
  104.         return Uuid::fromBytesToHex($integrationId);
  105.     }
  107.     private function addViolation(ConstraintViolationList $violationListWriteCommand $command): void
  108.     {
  109.         $violationList->add(
  110.             $this->buildViolation(
  111.                 'No permissions to %privilege%".',
  112.                 ['%privilege%' => 'write:custom_field_set'],
  113.                 '/' $command->getDefinition()->getEntityName(),
  114.                 self::VIOLATION_NO_PERMISSION
  115.             )
  116.         );
  117.     }
  119.     /**
  120.      * @param array<string, string> $parameters
  121.      */
  122.     private function buildViolation(
  123.         string $messageTemplate,
  124.         array $parameters,
  125.         ?string $propertyPath null,
  126.         ?string $code null
  127.     ): ConstraintViolationInterface {
  128.         return new ConstraintViolation(
  129.             str_replace(array_keys($parameters), array_values($parameters), $messageTemplate),
  130.             $messageTemplate,
  131.             $parameters,
  132.             null,
  133.             $propertyPath,
  134.             null,
  135.             null,
  136.             $code
  137.         );
  138.     }
  139. }