Fix some bugs with security.

glavweb · Mar 24, 2017 · d5922e3 · d5922e3
1 parent 7cdaf95
commit d5922e3
Showing 1 changed file with 22 additions and 14 deletions.
diff --git a/Controller/ContentBlockController.php b/Controller/ContentBlockController.php
@@ -1,4 +1,5 @@
 <?php
+
 namespace Glavweb\ContentBlockBundle\Controller;
 
 use Glavweb\ActionBundle\Action\Exception;
@@ -7,9 +8,11 @@
 use Symfony\Bundle\FrameworkBundle\Controller\Controller;
 use Symfony\Component\HttpFoundation\JsonResponse;
 use Symfony\Component\HttpFoundation\Request;
+use Symfony\Component\Security\Core\User\User;
 
 /**
  * Class ContentBlockController
+ * 
  * @package GlavwebContentBlockBundle\Controller
  */
 class ContentBlockController extends Controller
@@ -22,7 +25,12 @@ class ContentBlockController extends Controller
      */
     public function actionSave(Request $request)
     {
-        $this->isAuth();
+        $user = $this->getAdminUser();
+        if (!$user) {
+            return new JsonResponse(array(
+                'message' => 'Нужна авторизация на сервере.'
+            ), 400);
+        }
 
         $em         = $this->getDoctrine()->getManager();
         $repository = $em->getRepository('GlavwebContentBlockBundle:ContentBlock');
@@ -58,8 +66,8 @@ public function actionSave(Request $request)
      */
     public function createAction($name)
     {
-        $user = $this->isAuth();
-        if(!$user) {
+        $user = $this->getAdminUser();
+        if (!$user) {
             return new JsonResponse(array(
                 'message' => 'Нужна авторизация на сервере.'
             ), 400);
@@ -92,8 +100,8 @@ public function createAction($name)
     public function showAction($name)
     {
         $editable = false ;
-        $user = $this->isAuth();
-        if($user) {
+        $user = $this->getAdminUser();
+        if ($user) {
             $editable = true;
         }
 
@@ -124,8 +132,8 @@ public function showAction($name)
      */
     public function editAction($name, Request $request)
     {
-        $user = $this->isAuth();
-        if(!$user) {
+        $user = $this->getAdminUser();
+        if (!$user) {
             return new JsonResponse(array(
                 'message' => 'Нужна авторизация на сервере.'
             ), 400);
@@ -154,8 +162,8 @@ public function editAction($name, Request $request)
      */
     public function removeAction($name)
     {
-        $user = $this->isAuth();
-        if(!$user) {
+        $user = $this->getAdminUser();
+        if (!$user) {
             return new JsonResponse(array(
                 'message' => 'Нужна авторизация на сервере.'
             ), 400);
@@ -176,15 +184,15 @@ public function removeAction($name)
     }
 
     /**
-     * @return mixed|null
+     * @return User|null
      */
-    private function isAuth()
+    private function getAdminUser()
     {
         $user = $this->getUser();
-        if (!$user || !$user->hasRole('ROLE_SUPER_ADMIN')) {
-            return null;
+        if ($user && $user->hasRole('ROLE_SUPER_ADMIN')) {
+            return $user;
         }
 
-        return $user;
+        return null;
     }
 }