fix config data permission

ushahidi · Dec 14, 2023 · 759808b · 759808b
1 parent 35ee9f2
commit 759808b
Show file tree

Hide file tree

Showing 5 changed files with 22 additions and 2 deletions.
diff --git a/src/Ushahidi/Modules/V5/Actions/Config/Handlers/FindConfigByNameQueryHandler.php b/src/Ushahidi/Modules/V5/Actions/Config/Handlers/FindConfigByNameQueryHandler.php
@@ -9,6 +9,8 @@
 use Ushahidi\Modules\V5\Repository\Config\ConfigRepository;
 use Ushahidi\Modules\V5\Models\Config;
 use Ushahidi\Core\Exception\NotFoundException;
+use Ushahidi\Core\Exception\AuthorizerException;
+use Ushahidi\Modules\V5\Helpers\ParameterUtilities;
 
 class FindConfigByNameQueryHandler extends AbstractQueryHandler
 {
@@ -95,6 +97,10 @@ protected function verifyGroup($group)
         if (!in_array($group, Config::AVIALABLE_CONFIG_GROUPS)) {
             throw new NotFoundException("Requested group does not exist: " . $group);
         }
+
+        if (!ParameterUtilities::checkIfUserAdmin() && (!in_array($group, Config::AVIALABLE_CONFIG_GROUPS_FOR_NON_ADMIN))) {
+            throw new AuthorizerException();
+        }
     }
 
     protected function verifyKey($group_config, $key)

diff --git a/src/Ushahidi/Modules/V5/Actions/Config/Handlers/ListConfigsQueryHandler.php b/src/Ushahidi/Modules/V5/Actions/Config/Handlers/ListConfigsQueryHandler.php
@@ -12,6 +12,7 @@
 use Ushahidi\Modules\V5\Models\Config;
 use Illuminate\Support\Collection;
 use Ushahidi\Modules\V5\Actions\Config\Queries\FindConfigByNameQuery;
+use Ushahidi\Modules\V5\Helpers\ParameterUtilities;
 
 class ListConfigsQueryHandler extends AbstractQueryHandler
 {
@@ -38,7 +39,8 @@ public function __invoke(Action $action)
         $this->isSupported($action);
 
         $results = [];
-        $required_groups = Config::AVIALABLE_CONFIG_GROUPS;
+        $required_groups =  (ParameterUtilities::checkIfUserAdmin())
+            ? Config::AVIALABLE_CONFIG_GROUPS : Config::AVIALABLE_CONFIG_GROUPS_FOR_NON_ADMIN;
         if ($action->getSearchFields()->groups()) {
             $required_groups = $action->getSearchFields()->groups();
         }

diff --git a/src/Ushahidi/Modules/V5/Actions/Config/Handlers/UpdateConfigCommandHandler.php b/src/Ushahidi/Modules/V5/Actions/Config/Handlers/UpdateConfigCommandHandler.php
@@ -13,6 +13,8 @@
 use Illuminate\Support\Facades\DB;
 use Ushahidi\Core\Entity\Config as ConfigEntity;
 use Ushahidi\Core\Exception\NotFoundException;
+use Ushahidi\Core\Exception\AuthorizerException;
+use Ushahidi\Modules\V5\Helpers\ParameterUtilities;
 
 class UpdateConfigCommandHandler extends AbstractCommandHandler
 {
@@ -72,5 +74,8 @@ protected function verifyGroup($group)
         if (!in_array($group, Config::AVIALABLE_CONFIG_GROUPS)) {
             throw new NotFoundException("Requested group does not exist: " . $group);
         }
+        if (!ParameterUtilities::checkIfUserAdmin() && (!in_array($group, Config::AVIALABLE_CONFIG_GROUPS_FOR_NON_ADMIN))) {
+            throw new AuthorizerException();
+        }
     }
 }
diff --git a/src/Ushahidi/Modules/V5/Helpers/ParameterUtilities.php b/src/Ushahidi/Modules/V5/Helpers/ParameterUtilities.php
@@ -41,6 +41,7 @@ public static function checkIfEmpty($value, $default = null)
 
     public static function checkIfUserAdmin()
     {
-        return (Auth::user()->role === "admin");
+        $role = ($genericUser = Auth::guard()->user()) ? $genericUser->role : null;
+        return ($role && $role == "admin");
     }
 }
diff --git a/src/Ushahidi/Modules/V5/Models/Config.php b/src/Ushahidi/Modules/V5/Models/Config.php
@@ -17,6 +17,12 @@ class Config extends BaseModel
         'twitter',
         'gmail'
     ];
+    const AVIALABLE_CONFIG_GROUPS_FOR_NON_ADMIN = [
+        'features',
+        'site',
+        'deployment_id',
+        'map'
+    ];
     /**
      * Add eloquent style timestamps
      *