Issue CollaboraOnline#27: Move controller access checks to the route …

…definition for view and edit routes.
donquixote · Sep 13, 2024 · c8754f1 · c8754f1
1 parent 602a659
commit c8754f1
Show file tree

Hide file tree

Showing 2 changed files with 19 additions and 17 deletions.
diff --git a/collabora_online.routing.yml b/collabora_online.routing.yml
@@ -3,30 +3,47 @@ collabora-online.view:
   defaults:
     _controller: '\Drupal\collabora_online\Controller\ViewerController::editor'
     _title: 'Collabora Online'
+    # The controller method has a boolean parameter '$edit'.
     edit: false
+    # The custom access method has a string parameter '$operation'.
+    # @todo Unify the parameter on access method and controller method.
+    operation: preview
   options:
     parameters:
       media:
         type: entity:media
       edit:
         type: boolean
   requirements:
-    _permission: 'access content'
+    # Media id must be an integer.
+    media: \d+
+    # The user must be allowed to view the media entity.
+    _entity_access: 'media.view'
+    # The user must be allowed to preview media in Collabora.
+    _custom_access: 'Drupal\collabora_online\Access\CollaboraAccessCheck:mediaAccess'
 
 collabora-online.edit:
   path: '/cool/edit/{media}'
   defaults:
     _controller: '\Drupal\collabora_online\Controller\ViewerController::editor'
     _title: 'Collabora Online'
+    # The controller method has a boolean parameter '$edit'.
     edit: true
+    # The custom access method has a string parameter '$operation'.
+    operation: edit
   options:
     parameters:
       media:
         type: entity:media
       edit:
         type: boolean
   requirements:
-    _permission: 'access content'
+    # Media id must be an integer.
+    media: \d+
+    # The user must be allowed to view the media entity.
+    _entity_access: 'media.view'
+    # The user must be allowed to edit media in Collabora.
+    _custom_access: 'Drupal\collabora_online\Access\CollaboraAccessCheck:mediaAccess'
 
 collabora-online.settings:
   path: '/admin/config/cool/settings'

diff --git a/src/Controller/ViewerController.php b/src/Controller/ViewerController.php
@@ -11,7 +11,6 @@
 
 namespace Drupal\collabora_online\Controller;
 
-use Drupal\collabora_online\Access\CollaboraAccessCheck;
 use Drupal\collabora_online\Cool\CoolUtils;
 use Drupal\Core\Controller\ControllerBase;
 use Drupal\Core\Render\RendererInterface;
@@ -28,7 +27,6 @@ class ViewerController extends ControllerBase {
      */
     public function __construct(
         private readonly RendererInterface $renderer,
-        private readonly CollaboraAccessCheck $accessCheck,
     ) {}
 
     /**
@@ -43,19 +41,6 @@ public function editor(Media $media, $edit = false) {
             'closebutton' => 'true',
         ];
 
-        if (!$this->accessCheck->mediaAccess($media, 'preview')->isAllowed()) {
-            $error_msg = 'Authentication failed.';
-            \Drupal::logger('cool')->error($error_msg);
-            return new Response(
-                $error_msg,
-                Response::HTTP_FORBIDDEN,
-                ['content-type' => 'text/plain']
-            );
-        }
-
-        /* Make sure that the user is a collaborator if edit is true */
-        $edit = $edit && $this->accessCheck->mediaAccess($media, 'edit')->isAllowed();
-
         $render_array = CoolUtils::getViewerRender($media, $edit, $options);
 
         if (!$render_array ||  array_key_exists('error', $render_array)) {