custom/plugins/SwagPlatformSecurity/src/Fixes/NEXT15681/SecurityFix.php line 34

Open in your IDE?
  1. <?php declare(strict_types=1);
  3. namespace Swag\Security\Fixes\NEXT15681;
  5. use Shopware\Core\Content\Product\Aggregate\ProductReview\ProductReviewEntity;
  6. use Shopware\Core\Framework\DataAbstractionLayer\EntityRepositoryInterface;
  7. use Shopware\Core\Framework\DataAbstractionLayer\Search\Criteria;
  8. use Shopware\Core\Framework\Validation\Exception\ConstraintViolationException;
  9. use Shopware\Core\PlatformRequest;
  10. use Shopware\Core\System\SalesChannel\SalesChannelContext;
  11. use Swag\Security\Components\AbstractSecurityFix;
  12. use Symfony\Component\HttpKernel\Event\ControllerArgumentsEvent;
  13. use Symfony\Component\HttpKernel\KernelEvents;
  14. use Symfony\Component\Validator\ConstraintViolation;
  15. use Symfony\Component\Validator\ConstraintViolationList;
  17. class SecurityFix extends AbstractSecurityFix
  18. {
  19.     /**
  20.      * @var EntityRepositoryInterface $productReviewRepository
  21.      */
  22.     private $productReviewRepository;
  24.     public function __construct(EntityRepositoryInterface $productReviewRepository)
  25.     {
  26.         $this->productReviewRepository $productReviewRepository;
  27.     }
  29.     public static function getTicket(): string
  30.     {
  31.         return 'NEXT-15681';
  32.     }
  34.     public function onControllerArguments(ControllerArgumentsEvent $event)
  35.     {
  36.         $request $event->getRequest();
  38.         if (!in_array($request->attributes->get('_route'), ['store-api.product-review.save''frontend.detail.review.save'])) {
  39.             return;
  40.         }
  42.         $id $request->get('id');
  44.         if ($id === null || !$request->attributes->has(PlatformRequest::ATTRIBUTE_SALES_CHANNEL_CONTEXT_OBJECT)) {
  45.             return;
  46.         }
  48.         /** @var SalesChannelContext $context */
  49.         $context $request->attributes->get(PlatformRequest::ATTRIBUTE_SALES_CHANNEL_CONTEXT_OBJECT);
  51.         $criteria = new Criteria([$id]);
  53.         /** @var ProductReviewEntity|null $review */
  54.         $review $this->productReviewRepository->search($criteria$context->getContext())->first();
  56.         if ($review === null) {
  57.             return;
  58.         }
  60.         if ($review->getCustomerId() === $context->getCustomer()->getId()) {
  61.             return;
  62.         }
  64.         throw new ConstraintViolationException(new ConstraintViolationList([new ConstraintViolation(sprintf('Cannot find product_review with id: %s'$id), '', [], '/''/id'$id)]), $request->request->all());
  66.     }
  68.     public static function getMaxVersion(): ?string
  69.     {
  70.         return '6.4.3.1';
  71.     }
  73.     public static function getMinVersion(): string
  74.     {
  75.         return '6.3.2.0';
  76.     }
  78.     public static function getSubscribedEvents(): array
  79.     {
  80.         return [
  81.             KernelEvents::CONTROLLER_ARGUMENTS => 'onControllerArguments'
  82.         ];
  83.     }
  84. }