line |
stmt |
bran |
cond |
sub |
pod |
time |
code |
1
|
|
|
|
|
|
|
package CatalystX::Eta::Controller::CheckRoleForPUT; |
2
|
|
|
|
|
|
|
|
3
|
2
|
|
|
2
|
|
1347
|
use Moose::Role; |
|
2
|
|
|
|
|
6
|
|
|
2
|
|
|
|
|
14
|
|
4
|
|
|
|
|
|
|
|
5
|
|
|
|
|
|
|
requires 'result_PUT'; |
6
|
|
|
|
|
|
|
|
7
|
|
|
|
|
|
|
around result_PUT => \&CheckRoleForPUT_around_result_PUT; |
8
|
|
|
|
|
|
|
|
9
|
|
|
|
|
|
|
sub CheckRoleForPUT_around_result_PUT { |
10
|
2
|
|
|
2
|
|
2547
|
my $orig = shift; |
11
|
2
|
|
|
|
|
6
|
my $self = shift; |
12
|
2
|
|
|
|
|
8
|
my $config = $self->config; |
13
|
|
|
|
|
|
|
|
14
|
2
|
|
|
|
|
119
|
my ( $c, $id ) = @_; |
15
|
2
|
|
|
|
|
3
|
my $do_detach = 0; |
16
|
|
|
|
|
|
|
|
17
|
2
|
50
|
|
|
|
6
|
if ( exists $self->config->{update_roles} ) { |
18
|
|
|
|
|
|
|
|
19
|
2
|
100
|
|
|
|
115
|
if ( !$c->check_any_user_role( @{ $config->{update_roles} } ) ) { |
|
2
|
|
|
|
|
12
|
|
20
|
1
|
|
|
|
|
605
|
$do_detach = 1; |
21
|
|
|
|
|
|
|
} |
22
|
|
|
|
|
|
|
|
23
|
|
|
|
|
|
|
# if he does not have the role, but is the creator... |
24
|
2
|
0
|
66
|
|
|
473
|
if ( |
|
|
|
33
|
|
|
|
|
|
|
|
33
|
|
|
|
|
|
|
|
33
|
|
|
|
|
|
|
|
33
|
|
|
|
|
25
|
|
|
|
|
|
|
$do_detach == 1 |
26
|
|
|
|
|
|
|
&& exists $config->{object_key} |
27
|
|
|
|
|
|
|
&& $c->stash->{ $config->{object_key} } |
28
|
|
|
|
|
|
|
&& !$config->{check_only_roles} |
29
|
|
|
|
|
|
|
&& ( $c->stash->{ $config->{object_key} }->can('id') |
30
|
|
|
|
|
|
|
|| $c->stash->{ $config->{object_key} }->can('user_id') |
31
|
|
|
|
|
|
|
|| $c->stash->{ $config->{object_key} }->can('created_by') ) |
32
|
|
|
|
|
|
|
|
33
|
|
|
|
|
|
|
) { |
34
|
1
|
|
|
|
|
176
|
my $obj = $c->stash->{ $config->{object_key} }; |
35
|
|
|
|
|
|
|
|
36
|
1
|
50
|
33
|
|
|
222
|
my $obj_id = |
|
|
50
|
33
|
|
|
|
|
|
|
50
|
33
|
|
|
|
|
37
|
|
|
|
|
|
|
$obj->can('created_by') && defined $obj->created_by ? $obj->created_by |
38
|
|
|
|
|
|
|
: $obj->can('user_id') && defined $obj->user_id ? $obj->user_id |
39
|
|
|
|
|
|
|
: $obj->can('roles') && $obj->can('id') ? $obj->id # user it-self. |
40
|
|
|
|
|
|
|
: -999; # false |
41
|
|
|
|
|
|
|
|
42
|
1
|
|
|
|
|
15
|
my $user_id = $c->user->id; |
43
|
|
|
|
|
|
|
|
44
|
1
|
50
|
|
|
|
340
|
$self->status_forbidden( $c, message => $config->{object_key} . ".invalid [$obj_id!=$user_id]", ), |
45
|
|
|
|
|
|
|
$c->detach |
46
|
|
|
|
|
|
|
if $obj_id != $user_id; |
47
|
|
|
|
|
|
|
|
48
|
0
|
|
|
|
|
0
|
$do_detach = 0; |
49
|
|
|
|
|
|
|
} |
50
|
|
|
|
|
|
|
|
51
|
1
|
50
|
|
|
|
5
|
if ($do_detach) { |
52
|
0
|
|
|
|
|
0
|
$self->status_forbidden( $c, message => "insufficient privileges" ); |
53
|
0
|
|
|
|
|
0
|
$c->detach; |
54
|
|
|
|
|
|
|
} |
55
|
|
|
|
|
|
|
} |
56
|
|
|
|
|
|
|
|
57
|
1
|
|
|
|
|
6
|
$self->$orig(@_); |
58
|
|
|
|
|
|
|
} |
59
|
|
|
|
|
|
|
|
60
|
|
|
|
|
|
|
1; |
61
|
|
|
|
|
|
|
|