vendor/shopware/core/Framework/App/Subscriber/CustomFieldProtectionSubscriber.php line 43

  1. <?php declare(strict_types=1);
  3. namespace Shopware\Core\Framework\App\Subscriber;
  5. use Doctrine\DBAL\Connection;
  6. use Shopware\Core\Framework\Api\Context\AdminApiSource;
  7. use Shopware\Core\Framework\Api\Context\SystemSource;
  8. use Shopware\Core\Framework\Context;
  9. use Shopware\Core\Framework\DataAbstractionLayer\Write\Command\InsertCommand;
  10. use Shopware\Core\Framework\DataAbstractionLayer\Write\Command\WriteCommand;
  11. use Shopware\Core\Framework\DataAbstractionLayer\Write\Validation\PreWriteValidationEvent;
  12. use Shopware\Core\Framework\Log\Package;
  13. use Shopware\Core\Framework\Uuid\Uuid;
  14. use Shopware\Core\Framework\Validation\WriteConstraintViolationException;
  15. use Shopware\Core\System\CustomField\Aggregate\CustomFieldSet\CustomFieldSetDefinition;
  16. use Symfony\Component\EventDispatcher\EventSubscriberInterface;
  17. use Symfony\Component\Validator\ConstraintViolation;
  18. use Symfony\Component\Validator\ConstraintViolationInterface;
  19. use Symfony\Component\Validator\ConstraintViolationList;
  21. /**
  22.  * @internal only for use by the app-system, will be considered internal from v6.4.0 onward
  23.  */
  24. #[Package('core')]
  25. class CustomFieldProtectionSubscriber implements EventSubscriberInterface
  26. {
  27.     final public const VIOLATION_NO_PERMISSION 'no_permission_violation';
  29.     public function __construct(private readonly Connection $connection)
  30.     {
  31.     }
  33.     /**
  34.      * @return array<string, string|array{0: string, 1: int}|list<array{0: string, 1?: int}>>
  35.      */
  36.     public static function getSubscribedEvents(): array
  37.     {
  38.         return [
  39.             PreWriteValidationEvent::class => 'checkWrite',
  40.         ];
  41.     }
  43.     public function checkWrite(PreWriteValidationEvent $event): void
  44.     {
  45.         $context $event->getContext();
  47.         if ($context->getSource() instanceof SystemSource || $context->getScope() === Context::SYSTEM_SCOPE) {
  48.             return;
  49.         }
  51.         $integrationId $this->getIntegrationId($context);
  52.         $violationList = new ConstraintViolationList();
  54.         foreach ($event->getCommands() as $command) {
  55.             if (
  56.                 !($command->getDefinition() instanceof CustomFieldSetDefinition)
  57.                 || $command instanceof InsertCommand
  58.             ) {
  59.                 continue;
  60.             }
  62.             $appIntegrationId $this->fetchIntegrationIdOfAssociatedApp($command);
  63.             if (!$appIntegrationId) {
  64.                 continue;
  65.             }
  67.             if ($integrationId !== $appIntegrationId) {
  68.                 $this->addViolation($violationList$command);
  69.             }
  70.         }
  71.         if ($violationList->count() > 0) {
  72.             $event->getExceptions()->add(new WriteConstraintViolationException($violationList));
  73.         }
  74.     }
  76.     private function getIntegrationId(Context $context): ?string
  77.     {
  78.         $source $context->getSource();
  79.         if (!($source instanceof AdminApiSource)) {
  80.             return null;
  81.         }
  83.         return $source->getIntegrationId();
  84.     }
  86.     private function fetchIntegrationIdOfAssociatedApp(WriteCommand $command): ?string
  87.     {
  88.         $id $command->getPrimaryKey()['id'];
  89.         $integrationId $this->connection->executeQuery('
  90.             SELECT `app`.`integration_id`
  91.             FROM `app`
  92.             INNER JOIN `custom_field_set` ON `custom_field_set`.`app_id` = `app`.`id`
  93.             WHERE `custom_field_set`.`id` = :customFieldSetId
  94.         ', ['customFieldSetId' => $id])->fetchOne();
  96.         if (!$integrationId) {
  97.             return null;
  98.         }
  100.         return Uuid::fromBytesToHex($integrationId);
  101.     }
  103.     private function addViolation(ConstraintViolationList $violationListWriteCommand $command): void
  104.     {
  105.         $violationList->add(
  106.             $this->buildViolation(
  107.                 'No permissions to %privilege%".',
  108.                 ['%privilege%' => 'write:custom_field_set'],
  109.                 '/' $command->getDefinition()->getEntityName(),
  110.                 self::VIOLATION_NO_PERMISSION
  111.             )
  112.         );
  113.     }
  115.     /**
  116.      * @param array<string, string> $parameters
  117.      */
  118.     private function buildViolation(
  119.         string $messageTemplate,
  120.         array $parameters,
  121.         ?string $propertyPath null,
  122.         ?string $code null
  123.     ): ConstraintViolationInterface {
  124.         return new ConstraintViolation(
  125.             str_replace(array_keys($parameters), array_values($parameters), $messageTemplate),
  126.             $messageTemplate,
  127.             $parameters,
  128.             null,
  129.             $propertyPath,
  130.             null,
  131.             null,
  132.             $code
  133.         );
  134.     }
  135. }