From f4dbca7b4a7126164d3f95d4cc6b6dc335066c69 Mon Sep 17 00:00:00 2001
From: Benn Oshrin
Date: Sun, 25 Nov 2018 18:32:30 -0500
Subject: [PATCH] Improve SOR handling over API (NOJIRA)
---
 app/src/Controller/TierApiController.php | 17 ++++++++++++++---
 1 file changed, 14 insertions(+), 3 deletions(-)
diff --git a/app/src/Controller/TierApiController.php b/app/src/Controller/TierApiController.php
index ee498f682..eda938e60 100644
--- a/app/src/Controller/TierApiController.php
+++ b/app/src/Controller/TierApiController.php
@@ -547,16 +547,27 @@ public function isAuthorized(Array $user) {
 // Authorization is as follows:
- // (0) Make sure the Matchgrid is active.
+ // (0) Make sure the Matchgrid is active and the requested SOR exists.
 if(!$this->cur_mg) {
 Log::write('debug', "TierApiController::isAuthorized() Requested matchgrid " . $mgid . " not found");
- return false;
+ throw new \Cake\Http\Exception\ForbiddenException("Requested matchgrid " . $mgid . " not found");
 }
 if($this->cur_mg->status != StatusEnum::Active) {
 Log::write('debug', "TierApiController::isAuthorized() Requested matchgrid " . $mgid . " is not Active");
- return false;
+ throw new \Cake\Http\Exception\ForbiddenException("Requested matchgrid " . $mgid . " is not Active");
+ }
+
+ if($sor && $mgid) {
+ $this->loadModel('SystemsOfRecord');
+
+ $count = $this->SystemsOfRecord->find()->where(['matchgrid_id' => $mgid, 'label' => $sor])->count();
+
+ if($count == 0) {
+ Log::write('debug', "TierApiController::isAuthorized() Requested SOR " . $sor . " not found");
+ throw new \Cake\Http\Exception\ForbiddenException("Requested SOR " . $sor . " not found");
+ }
 }
 // (1) A Platform API user ($user['matchgrid_id'] is NULL) may perform any action.
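Review bot: The SOR lookup in the new `if($sor && $mgid)` block runs in step (0), before the per-user matchgrid checks that begin at step (1), so a caller who is authenticated but not authorized for `$mgid` still receives the distinct "Requested SOR … not found" ForbiddenException, which makes SOR labels in other matchgrids enumerable through the 403 message; moving the lookup after the authorization steps, or using one generic message for every step-(0) failure, would close that. The new exception messages also echo the request-supplied `$mgid` and `$sor` back to the client where the earlier `return false` did not; where `$sor` and `$mgid` are set is outside the hunk, so I cannot confirm they are validated before use. Two smaller points in the same block: `if($sor && $mgid)` skips the check entirely for a label of `'0'` (falsy in PHP), and `if($count == 0)` should be the strict `if($count === 0)`. isAuthorized() begins and continues outside the hunk.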