看板初始化提交

2026-06-01 21:23:12 -07:00
commit 27411ebedc
1827 changed files with 192340 additions and 0 deletions
@@ -0,0 +1,19 @@
+<?php
+
+namespace Kanboard\Api\Authorization;
+
+/**
+ * Class ActionAuthorization
+ *
+ * @package Kanboard\Api\Authorization
+ * @author  Frederic Guillot
+ */
+class ActionAuthorization extends ProjectAuthorization
+{
+    public function check($class, $method, $action_id)
+    {
+        if ($this->userSession->isLogged()) {
+            $this->checkProjectPermission($class, $method, $this->actionModel->getProjectId($action_id));
+        }
+    }
+}
@@ -0,0 +1,19 @@
+<?php
+
+namespace Kanboard\Api\Authorization;
+
+/**
+ * Class CategoryAuthorization
+ *
+ * @package Kanboard\Api\Authorization
+ * @author  Frederic Guillot
+ */
+class CategoryAuthorization extends ProjectAuthorization
+{
+    public function check($class, $method, $category_id)
+    {
+        if ($this->userSession->isLogged()) {
+            $this->checkProjectPermission($class, $method, $this->categoryModel->getProjectId($category_id));
+        }
+    }
+}
@@ -0,0 +1,19 @@
+<?php
+
+namespace Kanboard\Api\Authorization;
+
+/**
+ * Class ColumnAuthorization
+ *
+ * @package Kanboard\Api\Authorization
+ * @author  Frederic Guillot
+ */
+class ColumnAuthorization extends ProjectAuthorization
+{
+    public function check($class, $method, $column_id)
+    {
+        if ($this->userSession->isLogged()) {
+            $this->checkProjectPermission($class, $method, $this->columnModel->getProjectId($column_id));
+        }
+    }
+}
@@ -0,0 +1,46 @@
+<?php
+
+namespace Kanboard\Api\Authorization;
+
+use JsonRPC\Exception\AccessDeniedException;
+use Kanboard\Core\Security\Role;
+
+/**
+ * Class CommentAuthorization
+ *
+ * @package Kanboard\Api\Authorization
+ * @author  Frederic Guillot
+ */
+class CommentAuthorization extends ProjectAuthorization
+{
+    public function check($class, $method, $comment_id)
+    {
+        if ($this->userSession->isLogged()) {
+            $this->checkProjectPermission($class, $method, $this->commentModel->getProjectId($comment_id));
+            $this->checkCommentAccess($comment_id);
+        }
+    }
+
+    /**
+     * @param $comment_id ID of the comment to check
+     * @return void
+     * @throws AccessDeniedException
+     */
+    protected function checkCommentAccess($comment_id)
+    {
+        if (empty($comment_id)) {
+            throw new AccessDeniedException('Comment Not Found');
+        }
+
+        $commentVisibility = $this->commentModel->getVisibility($comment_id);
+        $userRole = $this->userSession->getRole();
+
+        if ($userRole === Role::APP_MANAGER && $commentVisibility === Role::APP_ADMIN) {
+            throw new AccessDeniedException('Comment Access Denied');
+        }
+
+        if ($userRole === Role::APP_USER && $commentVisibility !== Role::APP_USER) {
+            throw new AccessDeniedException('Comment Access Denied');
+        }
+    }
+}
@@ -0,0 +1,32 @@
+<?php
+
+namespace Kanboard\Api\Authorization;
+
+use JsonRPC\Exception\AccessDeniedException;
+use Kanboard\Core\Base;
+
+/**
+ * Class ProcedureAuthorization
+ *
+ * @package Kanboard\Api\Authorization
+ * @author  Frederic Guillot
+ */
+class ProcedureAuthorization extends Base
+{
+    private $userSpecificProcedures = array(
+        'getMe',
+        'getMyDashboard',
+        'getMyActivityStream',
+        'createMyPrivateProject',
+        'getMyProjectsList',
+        'getMyProjects',
+        'getMyOverdueTasks',
+    );
+
+    public function check($procedure)
+    {
+        if (! $this->userSession->isLogged() && in_array($procedure, $this->userSpecificProcedures)) {
+            throw new AccessDeniedException('This procedure is not available with the API credentials');
+        }
+    }
+}
@@ -0,0 +1,35 @@
+<?php
+
+namespace Kanboard\Api\Authorization;
+
+use JsonRPC\Exception\AccessDeniedException;
+use Kanboard\Core\Base;
+
+/**
+ * Class ProjectAuthorization
+ *
+ * @package Kanboard\Api\Authorization
+ * @author  Frederic Guillot
+ */
+class ProjectAuthorization extends Base
+{
+    public function check($class, $method, $project_id)
+    {
+        if ($this->userSession->isLogged()) {
+            $this->checkProjectPermission($class, $method, $project_id);
+        }
+    }
+    
+    protected function checkProjectPermission($class, $method, $project_id)
+    {
+        if (empty($project_id)) {
+            throw new AccessDeniedException('Project Not Found');
+        }
+        
+        $role = $this->projectUserRoleModel->getUserRole($project_id, $this->userSession->getId());
+
+        if (! $this->apiProjectAuthorization->isAllowed($class, $method, $role)) {
+            throw new AccessDeniedException('Project Access Denied');
+        }
+    }
+}
@@ -0,0 +1,19 @@
+<?php
+
+namespace Kanboard\Api\Authorization;
+
+/**
+ * Class SubtaskAuthorization
+ *
+ * @package Kanboard\Api\Authorization
+ * @author  Frederic Guillot
+ */
+class SubtaskAuthorization extends ProjectAuthorization
+{
+    public function check($class, $method, $subtask_id)
+    {
+        if ($this->userSession->isLogged()) {
+            $this->checkProjectPermission($class, $method, $this->subtaskModel->getProjectId($subtask_id));
+        }
+    }
+}
@@ -0,0 +1,23 @@
+<?php
+
+namespace Kanboard\Api\Authorization;
+
+/**
+ * Class TagAuthorization
+ *
+ * @package Kanboard\Api\Authorization
+ * @author  Frederic Guillot
+ */
+class TagAuthorization extends ProjectAuthorization
+{
+    public function check($class, $method, $tag_id)
+    {
+        if ($this->userSession->isLogged()) {
+            $tag = $this->tagModel->getById($tag_id);
+
+            if (! empty($tag)) {
+                $this->checkProjectPermission($class, $method, $tag['project_id']);
+            }
+        }
+    }
+}
@@ -0,0 +1,19 @@
+<?php
+
+namespace Kanboard\Api\Authorization;
+
+/**
+ * Class TaskAuthorization
+ *
+ * @package Kanboard\Api\Authorization
+ * @author  Frederic Guillot
+ */
+class TaskAuthorization extends ProjectAuthorization
+{
+    public function check($class, $method, $task_id)
+    {
+        if ($this->userSession->isLogged()) {
+            $this->checkProjectPermission($class, $method, $this->taskFinderModel->getProjectId($task_id));
+        }
+    }
+}
@@ -0,0 +1,19 @@
+<?php
+
+namespace Kanboard\Api\Authorization;
+
+/**
+ * Class TaskFileAuthorization
+ *
+ * @package Kanboard\Api\Authorization
+ * @author  Frederic Guillot
+ */
+class TaskFileAuthorization extends ProjectAuthorization
+{
+    public function check($class, $method, $file_id)
+    {
+        if ($this->userSession->isLogged()) {
+            $this->checkProjectPermission($class, $method, $this->taskFileModel->getProjectId($file_id));
+        }
+    }
+}
@@ -0,0 +1,19 @@
+<?php
+
+namespace Kanboard\Api\Authorization;
+
+/**
+ * Class TaskLinkAuthorization
+ *
+ * @package Kanboard\Api\Authorization
+ * @author  Frederic Guillot
+ */
+class TaskLinkAuthorization extends ProjectAuthorization
+{
+    public function check($class, $method, $task_link_id)
+    {
+        if ($this->userSession->isLogged()) {
+            $this->checkProjectPermission($class, $method, $this->taskLinkModel->getProjectId($task_link_id));
+        }
+    }
+}
@@ -0,0 +1,22 @@
+<?php
+
+namespace Kanboard\Api\Authorization;
+
+use JsonRPC\Exception\AccessDeniedException;
+use Kanboard\Core\Base;
+
+/**
+ * Class UserAuthorization
+ *
+ * @package Kanboard\Api\Authorization
+ * @author  Frederic Guillot
+ */
+class UserAuthorization extends Base
+{
+    public function check($class, $method)
+    {
+        if ($this->userSession->isLogged() && ! $this->apiAuthorization->isAllowed($class, $method, $this->userSession->getRole())) {
+            throw new AccessDeniedException('You are not allowed to access to this resource');
+        }
+    }
+}