ISSUE-345: check manage subscribers privilege

tatevikg1 · tatevikg1 · commit aff2abf874d4 · 2025-06-15T22:17:36.000+04:00
diff --git a/src/Subscription/Controller/SubscriberController.php b/src/Subscription/Controller/SubscriberController.php
@@ -5,6 +5,7 @@
 namespace PhpList\RestBundle\Subscription\Controller;
 
 use OpenApi\Attributes as OA;
+use PhpList\Core\Domain\Identity\Model\PrivilegeFlag;
 use PhpList\Core\Domain\Subscription\Model\Subscriber;
 use PhpList\Core\Domain\Subscription\Service\Manager\SubscriberManager;
 use PhpList\Core\Security\Authentication;
@@ -89,7 +90,10 @@ public function __construct(
     )]
     public function createSubscriber(Request $request): JsonResponse
     {
-        $this->requireAuthentication($request);
+        $admin = $this->requireAuthentication($request);
+        if (!$admin->getPrivileges()->has(PrivilegeFlag::Subscribers)) {
+            throw $this->createAccessDeniedException('You are not allowed to create subscribers.');
+        }
 
         /** @var CreateSubscriberRequest $subscriberRequest */
         $subscriberRequest = $this->validator->validate($request, CreateSubscriberRequest::class);
@@ -156,7 +160,10 @@ public function updateSubscriber(
         Request $request,
         #[MapEntity(mapping: ['subscriberId' => 'id'])] ?Subscriber $subscriber = null,
     ): JsonResponse {
-        $this->requireAuthentication($request);
+        $admin = $this->requireAuthentication($request);
+        if (!$admin->getPrivileges()->has(PrivilegeFlag::Subscribers)) {
+            throw $this->createAccessDeniedException('You are not allowed to update subscribers.');
+        }
 
         if (!$subscriber) {
             throw $this->createNotFoundException('Subscriber not found.');
@@ -262,7 +269,10 @@ public function deleteSubscriber(
         Request $request,
         #[MapEntity(mapping: ['subscriberId' => 'id'])] ?Subscriber $subscriber = null,
     ): JsonResponse {
-        $this->requireAuthentication($request);
+        $admin = $this->requireAuthentication($request);
+        if (!$admin->getPrivileges()->has(PrivilegeFlag::Subscribers)) {
+            throw $this->createAccessDeniedException('You are not allowed to delete subscribers.');
+        }
 
         if (!$subscriber) {
             throw $this->createNotFoundException('Subscriber not found.');
diff --git a/src/Subscription/Controller/SubscriberImportController.php b/src/Subscription/Controller/SubscriberImportController.php
@@ -6,6 +6,7 @@
 
 use Exception;
 use OpenApi\Attributes as OA;
+use PhpList\Core\Domain\Identity\Model\PrivilegeFlag;
 use PhpList\Core\Domain\Subscription\Model\Dto\SubscriberImportOptions;
 use PhpList\Core\Domain\Subscription\Service\SubscriberCsvImporter;
 use PhpList\Core\Security\Authentication;
@@ -106,7 +107,10 @@ public function __construct(
     )]
     public function importSubscribers(Request $request): JsonResponse
     {
-        $this->requireAuthentication($request);
+        $admin = $this->requireAuthentication($request);
+        if (!$admin->getPrivileges()->has(PrivilegeFlag::Subscribers)) {
+            throw $this->createAccessDeniedException('You are not allowed to create subscribers.');
+        }
 
         /** @var UploadedFile|null $file */
         $file = $request->files->get('file');
diff --git a/tests/Integration/Identity/Fixtures/Administrator.csv b/tests/Integration/Identity/Fixtures/Administrator.csv
@@ -1,3 +1,3 @@
-id,loginname,email,created,modified,password,passwordchanged,disabled,superuser
-1,"john.doe","john@example.com","2017-06-22 15:01:17","2017-06-23 19:50:43","1491a3c7e7b23b9a6393323babbb095dee0d7d81b2199617b487bd0fb5236f3c","2017-06-28",0,1
-2,"jane.doe","jane@example.com","2017-06-22 15:01:17","2017-06-23 19:50:43","1491a3c7e7b23b9a6393323babbb095dee0d7d81b2199617b487bd0fb5236f3d","2017-06-28",0,1
+id,loginname,email,created,modified,password,passwordchanged,disabled,superuser,privileges
+1,"john.doe","john@example.com","2017-06-22 15:01:17","2017-06-23 19:50:43","1491a3c7e7b23b9a6393323babbb095dee0d7d81b2199617b487bd0fb5236f3c","2017-06-28",0,1,a:4:{s:11:"subscribers";b:1;s:9:"campaigns";b:1;s:10:"statistics";b:1;s:8:"settings";b:1;}
+2,"jane.doe","jane@example.com","2017-06-22 15:01:17","2017-06-23 19:50:43","1491a3c7e7b23b9a6393323babbb095dee0d7d81b2199617b487bd0fb5236f3d","2017-06-28",0,1,
diff --git a/tests/Integration/Identity/Fixtures/AdministratorFixture.php b/tests/Integration/Identity/Fixtures/AdministratorFixture.php
@@ -43,6 +43,10 @@ public function load(ObjectManager $manager): void
             $admin->setPasswordHash($row['password']);
             $admin->setDisabled((bool) $row['disabled']);
             $admin->setSuperUser((bool) $row['superuser']);
+            $privileges = unserialize($row['privileges']);
+            if ($privileges) {
+                $admin->setPrivilegesFromArray(unserialize($row['privileges']));
+            }
 
             $manager->persist($admin);
 

-Original file line number
+Diff line change
@@ @@ -1,3 +1,3 @@ @@
 -id,loginname,email,created,modified,password,passwordchanged,disabled,superuser
 -1,"john.doe","[email protected]","2017-06-22 15:01:17","2017-06-23 19:50:43","1491a3c7e7b23b9a6393323babbb095dee0d7d81b2199617b487bd0fb5236f3c","2017-06-28",0,1
 -2,"jane.doe","[email protected]","2017-06-22 15:01:17","2017-06-23 19:50:43","1491a3c7e7b23b9a6393323babbb095dee0d7d81b2199617b487bd0fb5236f3d","2017-06-28",0,1
 +id,loginname,email,created,modified,password,passwordchanged,disabled,superuser,privileges
 +1,"john.doe","[email protected]","2017-06-22 15:01:17","2017-06-23 19:50:43","1491a3c7e7b23b9a6393323babbb095dee0d7d81b2199617b487bd0fb5236f3c","2017-06-28",0,1,a:4:{s:11:"subscribers";b:1;s:9:"campaigns";b:1;s:10:"statistics";b:1;s:8:"settings";b:1;}
 +2,"jane.doe","[email protected]","2017-06-22 15:01:17","2017-06-23 19:50:43","1491a3c7e7b23b9a6393323babbb095dee0d7d81b2199617b487bd0fb5236f3d","2017-06-28",0,1,