UtilityAccess filter

craftcms · Oct 15, 2024 · 80f9711 · 80f9711
1 parent d2bb088
commit 80f9711
Show file tree

Hide file tree

Showing 8 changed files with 154 additions and 90 deletions.
diff --git a/CHANGELOG-WIP.md b/CHANGELOG-WIP.md
@@ -15,6 +15,7 @@
 - Added `craft\filters\BasicHttpAuthLogin`. ([#15720](https://github.com/craftcms/cms/pull/15720))
 - Added `craft\filters\BasicHttpAuthStatic`. ([#15720](https://github.com/craftcms/cms/pull/15720))
 - Added `craft\filters\SiteFilterTrait::$enabled`. ([#15720](https://github.com/craftcms/cms/pull/15720))
+- Added `craft\filters\UtilityAccess`.
 - Added `craft\helpers\UrlHelper::encodeUrl()`. ([#15838](https://github.com/craftcms/cms/issues/15838))
 - Added `craft\services\Addresses::EVENT_DEFINE_ADDRESS_COUNTRIES`. ([#15711](https://github.com/craftcms/cms/pull/15711))
 - Added `craft\services\Addresses::getCountryList()`. ([#15711](https://github.com/craftcms/cms/pull/15711))

diff --git a/src/controllers/AppController.php b/src/controllers/AppController.php
@@ -14,6 +14,7 @@
 use craft\errors\BusyResourceException;
 use craft\errors\InvalidPluginException;
 use craft\errors\StaleResourceException;
+use craft\filters\UtilityAccess;
 use craft\helpers\Api;
 use craft\helpers\App;
 use craft\helpers\ArrayHelper;
@@ -59,6 +60,21 @@ class AppController extends Controller
         'resource-js' => self::ALLOW_ANONYMOUS_LIVE | self::ALLOW_ANONYMOUS_OFFLINE,
     ];
 
+    /**
+     * @inheritdoc
+     */
+    public function behaviors(): array
+    {
+        return array_merge(parent::behaviors(), [
+            [
+                'class' => UtilityAccess::class,
+                'utility' => UpdatesUtility::class,
+                'only' => ['check-for-updates', 'cache-updates'],
+                'when' => fn() => !Craft::$app->getUser()->checkPermission('performUpdates'),
+            ],
+        ]);
+    }
+
     /**
      * @inheritdoc
      */
@@ -148,14 +164,6 @@ public function actionCheckForUpdates(): Response
     {
         $this->requireAcceptsJson();
 
-        // Require either the 'performUpdates' permission or access to the Updates utility
-        if (
-            !Craft::$app->getUser()->checkPermission('performUpdates') &&
-            !Craft::$app->getUtilities()->checkAuthorization(UpdatesUtility::class)
-        ) {
-            throw new ForbiddenHttpException('User is not permitted to perform this action');
-        }
-
         $updatesService = Craft::$app->getUpdates();
 
         if ($this->request->getParam('onlyIfCached') && !$updatesService->getIsUpdateInfoCached()) {
@@ -180,14 +188,6 @@ public function actionCacheUpdates(): Response
     {
         $this->requireAcceptsJson();
 
-        // Require either the 'performUpdates' permission or access to the Updates utility
-        if (
-            !Craft::$app->getUser()->checkPermission('performUpdates') &&
-            !Craft::$app->getUtilities()->checkAuthorization(UpdatesUtility::class)
-        ) {
-            throw new ForbiddenHttpException('User is not permitted to perform this action');
-        }
-
         $updateData = $this->request->getBodyParam('updates');
         $updatesService = Craft::$app->getUpdates();
         $updates = $updatesService->cacheUpdates($updateData);

diff --git a/src/controllers/AssetIndexesController.php b/src/controllers/AssetIndexesController.php
@@ -10,6 +10,7 @@
 use Craft;
 use craft\elements\Asset;
 use craft\errors\AssetException;
+use craft\filters\UtilityAccess;
 use craft\helpers\Json;
 use craft\i18n\Locale;
 use craft\models\AssetIndexingSession;
@@ -18,7 +19,6 @@
 use craft\web\Controller;
 use Throwable;
 use yii\web\BadRequestHttpException;
-use yii\web\ForbiddenHttpException;
 use yii\web\Response;
 
 /** @noinspection ClassOverridesFieldOfSuperClassInspection */
@@ -32,6 +32,19 @@
  */
 class AssetIndexesController extends Controller
 {
+    /**
+     * @inheritdoc
+     */
+    public function behaviors(): array
+    {
+        return array_merge(parent::behaviors(), [
+            [
+                'class' => UtilityAccess::class,
+                'utility' => AssetIndexes::class,
+            ],
+        ]);
+    }
+
     /**
      * @inheritdoc
      */
@@ -41,11 +54,6 @@ public function beforeAction($action): bool
             return false;
         }
 
-        // No permission no bueno
-        if (!Craft::$app->getUtilities()->checkAuthorization(AssetIndexes::class)) {
-            throw new ForbiddenHttpException('User is not authorized to perform this action.');
-        }
-
         $this->requireAcceptsJson();
 
         return true;

diff --git a/src/controllers/ProjectConfigController.php b/src/controllers/ProjectConfigController.php
@@ -8,6 +8,7 @@
 namespace craft\controllers;
 
 use Craft;
+use craft\filters\UtilityAccess;
 use craft\helpers\FileHelper;
 use craft\helpers\ProjectConfig;
 use craft\helpers\StringHelper;
@@ -30,17 +31,14 @@ class ProjectConfigController extends Controller
     /**
      * @inheritdoc
      */
-    public function beforeAction($action): bool
+    public function behaviors(): array
     {
-        if (!parent::beforeAction($action)) {
-            return false;
-        }
-
-        if (!Craft::$app->getUtilities()->checkAuthorization(ProjectConfigUtility::class)) {
-            throw new ForbiddenHttpException('User is not authorized to perform this action.');
-        }
-
-        return true;
+        return array_merge(parent::behaviors(), [
+            [
+                'class' => UtilityAccess::class,
+                'utility' => ProjectConfigUtility::class,
+            ],
+        ]);
     }
 
     /**

diff --git a/src/controllers/QueueController.php b/src/controllers/QueueController.php
@@ -8,6 +8,7 @@
 namespace craft\controllers;
 
 use Craft;
+use craft\filters\UtilityAccess;
 use craft\helpers\App;
 use craft\helpers\Json;
 use craft\queue\QueueInterface;
@@ -38,6 +39,20 @@ class QueueController extends Controller
 
     private QueueInterface $queue;
 
+    /**
+     * @inheritdoc
+     */
+    public function behaviors(): array
+    {
+        return array_merge(parent::behaviors(), [
+            [
+                'class' => UtilityAccess::class,
+                'utility' => QueueManager::class,
+                'only' => ['retry', 'retry-all', 'release', 'release-all', 'get-job-details'],
+            ],
+        ]);
+    }
+
     /**
      * @inheritdoc
      * @throws ServerErrorHttpException
@@ -97,10 +112,6 @@ public function actionRetry(): Response
         $this->requireAcceptsJson();
         $this->requirePostRequest();
 
-        if (!Craft::$app->getUtilities()->checkAuthorization(QueueManager::class)) {
-            throw new ForbiddenHttpException('User is not authorized to perform this action.');
-        }
-
         $id = $this->request->getRequiredBodyParam('id');
         $this->queue->retry($id);
 
@@ -118,10 +129,6 @@ public function actionRelease(): Response
         $this->requireAcceptsJson();
         $this->requirePostRequest();
 
-        if (!Craft::$app->getUtilities()->checkAuthorization(QueueManager::class)) {
-            throw new ForbiddenHttpException('User is not authorized to perform this action.');
-        }
-
         $id = $this->request->getRequiredBodyParam('id');
         $this->queue->release($id);
 
@@ -142,10 +149,6 @@ public function actionReleaseAll(): Response
         $this->requireAcceptsJson();
         $this->requirePostRequest();
 
-        if (!Craft::$app->getUtilities()->checkAuthorization(QueueManager::class)) {
-            throw new ForbiddenHttpException('User is not authorized to perform this action.');
-        }
-
         $this->queue->releaseAll();
 
         return $this->asSuccess();
@@ -164,10 +167,6 @@ public function actionRetryAll(): Response
         $this->requireAcceptsJson();
         $this->requirePostRequest();
 
-        if (!Craft::$app->getUtilities()->checkAuthorization(QueueManager::class)) {
-            throw new ForbiddenHttpException('User is not authorized to perform this action.');
-        }
-
         $this->queue->retryAll();
 
         return $this->actionRun();
@@ -203,10 +202,6 @@ public function actionGetJobDetails(): Response
     {
         $this->requireAcceptsJson();
 
-        if (!Craft::$app->getUtilities()->checkAuthorization(QueueManager::class)) {
-            throw new ForbiddenHttpException('User is not authorized to perform this action.');
-        }
-
         $jobId = $this->request->getRequiredParam('id');
         $details = [
             'id' => $jobId,

diff --git a/src/controllers/SystemMessagesController.php b/src/controllers/SystemMessagesController.php
@@ -8,10 +8,10 @@
 namespace craft\controllers;
 
 use Craft;
+use craft\filters\UtilityAccess;
 use craft\models\SystemMessage;
 use craft\utilities\SystemMessages;
 use craft\web\Controller;
-use yii\web\ForbiddenHttpException;
 use yii\web\Response;
 
 /**
@@ -24,6 +24,19 @@
  */
 class SystemMessagesController extends Controller
 {
+    /**
+     * @inheritdoc
+     */
+    public function behaviors(): array
+    {
+        return array_merge(parent::behaviors(), [
+            [
+                'class' => UtilityAccess::class,
+                'utility' => SystemMessages::class,
+            ],
+        ]);
+    }
+
     /**
      * @inheritdoc
      */
@@ -35,11 +48,6 @@ public function beforeAction($action): bool
 
         Craft::$app->requireEdition(Craft::Pro);
 
-        // Make sure they have access to the System Messages utility
-        if (!Craft::$app->getUtilities()->checkAuthorization(SystemMessages::class)) {
-            throw new ForbiddenHttpException('User is not authorized to perform this action.');
-        }
-
         return true;
     }