From ab1b3b2ec3a969664a46f216163451f631e36c73 Mon Sep 17 00:00:00 2001
From: babak alizadeh
Date: Wed, 9 Oct 2024 14:11:03 +0330
Subject: [PATCH] bug fix security in fech bussiness data!
---
 .../src/Controller/BusinessController.php | 50 ++++++++++++-------
 1 file changed, 32 insertions(+), 18 deletions(-)
diff --git a/hesabixCore/src/Controller/BusinessController.php b/hesabixCore/src/Controller/BusinessController.php
index cc8df01..9009712 100644
--- a/hesabixCore/src/Controller/BusinessController.php
+++ b/hesabixCore/src/Controller/BusinessController.php
@@ -42,9 +42,9 @@ class BusinessController extends AbstractController
 throw $this->createAccessDeniedException();
 $archiveUser = $entityManager->getRepository(User::class)->findOneBy([
- 'email'=>'archive@hesabix.ir'
+ 'email' => 'archive@hesabix.ir'
 ]);
- if(! $archiveUser){
+ if (!$archiveUser) {
 $archiveUser = new User();
 $archiveUser->setEmail('archive@hesabix.ir');
 $archiveUser->setFullName('کاربر آرشیو و بایگانی');
@@ -61,17 +61,18 @@ class BusinessController extends AbstractController
 //remove permissions
 $permissions = $entityManager->getRepository(Permission::class)->findBy([
- 'bid'=>$acc['bid']
+ 'bid' => $acc['bid']
 ]);
- foreach($permissions as $perm){
+ foreach ($permissions as $perm) {
 $entityManager->remove($perm);
 $entityManager->flush();
 }
 return $this->json($extractor->operationSuccess());
 }
 #[Route('/api/business/list', name: 'api_bussiness_list')]
- public function api_bussiness_list(#[CurrentUser] ?User $user, EntityManagerInterface $entityManager, Provider $provider): Response
+ public function api_bussiness_list(#[CurrentUser] ?User $user, Access $access, EntityManagerInterface $entityManager, Provider $provider): Response
 {
+
 $buss = $entityManager->getRepository(Permission::class)->findBy(['user' => $user]);
 $response = [];
 foreach ($buss as $bus) {
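Review bot: `Access $access` is added to api_bussiness_list's parameter list but no line in the hunk reads it, and the same unused parameter is added to api_business_get_info in the following hunk, where the authorization is done through a direct Permission query instead; either route the check through `$access` or drop the parameter in both places. Separately, `$user` is typed `?User` in both signatures yet is passed straight into `findBy(['user' => $user])` here and into the new `findOneBy([..., 'user' => $user])` there, so a null user would be looked up as a permission with a null user rather than rejected outright — whether an unauthenticated request can reach these routes depends on the firewall configuration, which is not visible. A one-line guard before each query, `if (!$user) throw $this->createAccessDeniedException();`, makes the intent explicit. api_bussiness_list's body continues beyond the hunk.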
@@ -90,9 +91,17 @@ class BusinessController extends AbstractController
 * @throws ReflectionException
 */
 #[Route('/api/business/get/info/{bid}', name: 'api_business_get_info')]
- public function api_business_get_info($bid, #[CurrentUser] ?User $user, Provider $provider, EntityManagerInterface $entityManager): Response
+ public function api_business_get_info($bid, #[CurrentUser] ?User $user, Access $access, Provider $provider, EntityManagerInterface $entityManager): Response
 {
 $bus = $entityManager->getRepository(Business::class)->findOneBy(['id' => $bid]);
+ if(! $bus)
+ throw $this->createNotFoundException();
+ $perms = $entityManager->getRepository(Permission::class)->findOneBy([
+ 'bid' => $bus,
+ 'user'=>$user
+ ]);
+ if(!$perms)
+ throw $this->createAccessDeniedException();
 $response = [];
 $response['id'] = $bus->getId();
 $response['name'] = $bus->getName();
@@ -237,7 +246,8 @@ class BusinessController extends AbstractController
 return $this->json(['result' => 2]);
 } else
 return $this->json(['result' => 2]);
- if (!$business->getDateSubmit()) $business->setDateSubmit(time());
+ if (!$business->getDateSubmit())
+ $business->setDateSubmit(time());
 $entityManager->persist($business);
 $entityManager->flush();
 if ($isNew) {
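Review bot: The newly added lines `if(! $bus)` and `if(!$perms)` are written without braces and without the `if (` spacing, and `'user'=>$user` lacks spaces, while the rest of this commit is a formatting pass that normalizes exactly those forms elsewhere in the file; `if (!$bus) {`, `'user' => $user` and `if (!$perms) {` would keep the file consistent. The denial itself has the right shape — a positive lookup for a Permission row on (business, user) with no fallback — but api_business_stat, visible in a later hunk of this diff, still resolves its business from the client-supplied `activeBid` header with no equivalent Permission lookup visible in that hunk, so the same check may be needed there (its body continues outside that hunk). api_business_get_info's body continues past this hunk as well.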
@@ -272,11 +282,13 @@ class BusinessController extends AbstractController
 $year->setBid($business);
 $year->setHead(true);
 $startYearArray = explode('-', $params['year']['start']);
- if(count($startYearArray) == 1) $startYearArray = explode('/', $params['year']['start']);
+ if (count($startYearArray) == 1)
+ $startYearArray = explode('/', $params['year']['start']);
 $year->setStart($jdate->jmktime(0, 0, 0, $startYearArray[1], $startYearArray[2], $startYearArray[0]));
 $endYearArray = explode('-', $params['year']['end']);
- if(count($endYearArray) == 1) $endYearArray = explode('/', $params['year']['end']);
+ if (count($endYearArray) == 1)
+ $endYearArray = explode('/', $params['year']['end']);
 $year->setEnd($jdate->jmktime(0, 0, 0, $endYearArray[1], $endYearArray[2], $endYearArray[0]));
 $year->setLabel($params['year']['label']);
 $entityManager->persist($year);
@@ -287,15 +299,17 @@ class BusinessController extends AbstractController
 'bid' => $business,
 'head' => true
 ]);
- if(!$year){
+ if (!$year) {
 $year = new Year;
 }
 $startYearArray = explode('-', $params['year']['startShamsi']);
- if(count($startYearArray) == 1) $startYearArray = explode('/', $params['year']['startShamsi']);
+ if (count($startYearArray) == 1)
+ $startYearArray = explode('/', $params['year']['startShamsi']);
 $year->setStart($jdate->jmktime(0, 0, 0, $startYearArray[1], $startYearArray[2], $startYearArray[0]));
 $endYearArray = explode('-', $params['year']['endShamsi']);
- if(count($endYearArray) == 1) $endYearArray = explode('/', $params['year']['endShamsi']);
+ if (count($endYearArray) == 1)
+ $endYearArray = explode('/', $params['year']['endShamsi']);
 $year->setEnd($jdate->jmktime(0, 0, 0, $endYearArray[1], $endYearArray[2], $endYearArray[0]));
 $year->setLabel($params['year']['label']);
 $entityManager->persist($year);
@@ -626,9 +640,9 @@ class BusinessController extends AbstractController
 }
 #[Route('/api/business/stat', name: 'api_business_stat')]
- public function api_business_stat(Jdate $jdate,Request $request, #[CurrentUser] ?User $user, EntityManagerInterface $entityManager): Response
+ public function api_business_stat(Jdate $jdate, Request $request, #[CurrentUser] ?User $user, EntityManagerInterface $entityManager): Response
 {
- $dateNow = $jdate->jdate('Y/m/d',time());
+ $dateNow = $jdate->jdate('Y/m/d', time());
 $buss = $entityManager->getRepository(Business::class)->find(
 $request->headers->get('activeBid')
 );
@@ -674,7 +688,7 @@ class BusinessController extends AbstractController
 }
 if ($canAdd) {
 $buysTotal += $item->getAmount();
- if($item->getDate() == $dateNow){
+ if ($item->getDate() == $dateNow) {
 $buysToday += $item->getAmount();
 }
 }
@@ -695,7 +709,7 @@ class BusinessController extends AbstractController
 }
 if ($canAdd) {
 $sellsTotal += $item->getAmount();
- if($item->getDate() == $dateNow){
+ if ($item->getDate() == $dateNow) {
 $sellsToday += $item->getAmount();
 }
 }
@@ -716,7 +730,7 @@ class BusinessController extends AbstractController
 }
 if ($canAdd) {
 $sendsTotal += $item->getAmount();
- if($item->getDate() == $dateNow){
+ if ($item->getDate() == $dateNow) {
 $sendsToday += $item->getAmount();
 }
 }
@@ -737,7 +751,7 @@ class BusinessController extends AbstractController
 }
 if ($canAdd) {
 $recsTotal += $item->getAmount();
- if($item->getDate() == $dateNow){
+ if ($item->getDate() == $dateNow) {
 $recsToday += $item->getAmount();
 }
 }