custom/plugins/SwagPlatformSecurity/src/Fixes/NEXT20305/SecurityFix.php line 68

Open in your IDE?
  1. <?php
  3. namespace Swag\Security\Fixes\NEXT20305;
  5. use Shopware\Core\Framework\Api\Context\AdminApiSource;
  6. use Shopware\Core\Framework\Context;
  7. use Shopware\Core\PlatformRequest;
  8. use Swag\Security\Components\AbstractSecurityFix;
  9. use Symfony\Component\HttpFoundation\Response;
  10. use Symfony\Component\HttpKernel\Event\ControllerArgumentsEvent;
  11. use Symfony\Component\HttpKernel\Event\ResponseEvent;
  12. use Symfony\Component\HttpKernel\Exception\HttpException;
  13. use Symfony\Component\HttpKernel\KernelEvents;
  15. class SecurityFix extends AbstractSecurityFix
  16. {
  17.     private const API_PROXY_SWITCH_CUSTOMER_PRIVILEGE 'api_proxy_switch-customer';
  19.     public static function getTicket(): string
  20.     {
  21.         return 'NEXT-20305';
  22.     }
  24.     public static function getMinVersion(): string
  25.     {
  26.         return '6.3.1.0';
  27.     }
  29.     public static function getMaxVersion(): ?string
  30.     {
  31.         return '6.4.8.2';
  32.     }
  34.     public static function getSubscribedEvents(): array
  35.     {
  36.         return [
  37.             KernelEvents::CONTROLLER_ARGUMENTS => 'onSwitchCustomer',
  38.             KernelEvents::RESPONSE => 'onGetAdditionalPrivileges',
  39.         ];
  40.     }
  42.     public function onSwitchCustomer(ControllerArgumentsEvent $event): void
  43.     {
  44.         if ($event->getRequest()->attributes->get('_route') !== 'api.proxy.switch-customer') {
  45.             return;
  46.         }
  48.         /** @var Context|null $context */
  49.         $context $event->getRequest()->attributes->get(PlatformRequest::ATTRIBUTE_CONTEXT_OBJECT);
  51.         if (!$context) {
  52.             return;
  53.         }
  55.         $source $context->getSource();
  57.         if (!$source instanceof AdminApiSource) {
  58.             return;
  59.         }
  61.         if ($source->isAdmin() || $source->isAllowed(self::API_PROXY_SWITCH_CUSTOMER_PRIVILEGE)) {
  62.             return;
  63.         }
  65.         throw new HttpException(Response::HTTP_FORBIDDEN'Missing permission: ' self::API_PROXY_SWITCH_CUSTOMER_PRIVILEGE);
  66.     }
  68.     public function onGetAdditionalPrivileges(ResponseEvent $event): void
  69.     {
  70.         if ($event->getRequest()->attributes->get('_route') !== 'api.acl.privileges.additional.get') {
  71.             return;
  72.         }
  74.         /** @var string[] $privileges */
  75.         $privileges = \json_decode($event->getResponse()->getContent(), true);
  77.         if (!\in_array(self::API_PROXY_SWITCH_CUSTOMER_PRIVILEGE$privilegestrue)) {
  78.             $privileges[] = self::API_PROXY_SWITCH_CUSTOMER_PRIVILEGE;
  79.         }
  81.         $event->getResponse()->setContent(\json_encode(\array_values($privileges)));
  82.     }
  83. }