Merge commit from fork

* fix: Add missing permission check on AJAX actions for composer actions

* fix phpstan and tests

* fix 403 response

* refine response messages

---------

Co-authored-by: Patryk Gruszka <patryk.gruszka@mautic.org>

Author: driskell

app/bundles/MarketplaceBundle/Controller/AjaxController.php

@@ -15,19 +15,23 @@
 use Mautic\CoreBundle\Security\Permissions\CorePermissions;
 use Mautic\CoreBundle\Service\FlashBag;
 use Mautic\CoreBundle\Translation\Translator;
+use Mautic\MarketplaceBundle\Security\Permissions\MarketplacePermissions;
+use Mautic\MarketplaceBundle\Service\Config;
 use Psr\Log\LoggerInterface;
 use Symfony\Component\Console\Command\Command;
 use Symfony\Component\EventDispatcher\EventDispatcherInterface;
 use Symfony\Component\HttpFoundation\JsonResponse;
 use Symfony\Component\HttpFoundation\Request;
 use Symfony\Component\HttpFoundation\RequestStack;
+use Symfony\Component\HttpFoundation\Response;
 
 class AjaxController extends CommonAjaxController
 {
     public function __construct(
         private ComposerHelper $composer,
         private CacheHelper $cacheHelper,
         private LoggerInterface $logger,
+        private Config $config,
         ManagerRegistry $doctrine,
         MauticFactory $factory,
         ModelFactory $modelFactory,
@@ -44,6 +48,19 @@ public function __construct(
 
     public function installPackageAction(Request $request): JsonResponse
     {
+        if (!$this->config->marketplaceIsEnabled()) {
+            return $this->sendJsonResponse([
+                'error' => $this->translator->trans('marketplace.package.request.marketplace_disabled'),
+            ], Response::HTTP_BAD_REQUEST);
+        }
+
+        if (!$this->security->isGranted(MarketplacePermissions::CAN_INSTALL_PACKAGES)
+            || !$this->config->isComposerEnabled()) {
+            return $this->sendJsonResponse([
+                'error' => $this->translator->trans('marketplace.package.request.no_permissions'),
+            ], Response::HTTP_FORBIDDEN);
+        }
+
         $data   = json_decode($request->getContent(), true);
 
         if (empty($data['vendor']) || empty($data['package'])) {
@@ -82,6 +99,19 @@ public function installPackageAction(Request $request): JsonResponse
 
     public function removePackageAction(Request $request): JsonResponse
     {
+        if (!$this->config->marketplaceIsEnabled()) {
+            return $this->sendJsonResponse([
+                'error' => $this->translator->trans('marketplace.package.request.marketplace_disabled'),
+            ], Response::HTTP_BAD_REQUEST);
+        }
+
+        if (!$this->security->isGranted(MarketplacePermissions::CAN_REMOVE_PACKAGES)
+            || !$this->config->isComposerEnabled()) {
+            return $this->sendJsonResponse([
+                'error' => $this->translator->trans('marketplace.package.request.no_permissions'),
+            ], Response::HTTP_FORBIDDEN);
+        }
+
         $data   = json_decode($request->getContent(), true);
 
         if (empty($data['vendor']) || empty($data['package'])) {

app/bundles/MarketplaceBundle/Tests/Functional/Controller/AjaxControllerTest.php

@@ -17,19 +17,44 @@
 use Mautic\CoreBundle\Translation\Translator;
 use Mautic\MarketplaceBundle\Controller\AjaxController;
 use Mautic\MarketplaceBundle\DTO\ConsoleOutput;
+use Mautic\MarketplaceBundle\Security\Permissions\MarketplacePermissions;
+use Mautic\MarketplaceBundle\Service\Config;
 use PHPUnit\Framework\Assert;
+use PHPUnit\Framework\MockObject\MockObject;
 use Psr\Log\LoggerInterface;
 use Symfony\Component\EventDispatcher\EventDispatcherInterface;
 use Symfony\Component\HttpFoundation\Request;
 use Symfony\Component\HttpFoundation\RequestStack;
 
 final class AjaxControllerTest extends AbstractMauticTestCase
 {
+    /**
+     * @var MockObject|CorePermissions
+     */
+    private MockObject $security;
+
+    /**
+     * @var MockObject|Config
+     */
+    private MockObject $marketplaceConfig;
+
+    /**
+     * @var MockObject|RequestStack
+     */
+    private MockObject $requestStack;
+
     public function testInstallPackageAction(): void
     {
         $request    = new Request([], [], [], [], [], [], '{"vendor":"mautic","package":"test-plugin-bundle"}');
         $controller = $this->generateController(false);
 
+        $this->marketplaceConfig->method('marketplaceIsEnabled')->willReturn(true);
+        $this->marketplaceConfig->method('isComposerEnabled')->willReturn(true);
+        $this->security->expects($this->any())
+            ->method('isGranted')
+            ->with(MarketplacePermissions::CAN_INSTALL_PACKAGES)
+            ->willReturn(true);
+
         $response = $controller->installPackageAction($request);
 
         Assert::assertSame('{"success":true}', $response->getContent());
@@ -41,6 +66,13 @@ public function testRemovePackageAction(): void
         $request    = new Request([], [], [], [], [], [], '{"vendor":"mautic","package":"test-plugin-bundle"}');
         $controller = $this->generateController(true);
 
+        $this->marketplaceConfig->method('marketplaceIsEnabled')->willReturn(true);
+        $this->marketplaceConfig->method('isComposerEnabled')->willReturn(true);
+        $this->security->expects($this->any())
+            ->method('isGranted')
+            ->with(MarketplacePermissions::CAN_REMOVE_PACKAGES)
+            ->willReturn(true);
+
         $response = $controller->removePackageAction($request);
 
         Assert::assertSame('{"success":true}', $response->getContent());
@@ -66,13 +98,16 @@ private function generateController(bool $isPackageInstalled): AjaxController
         $dispatcher           = $this->createMock(EventDispatcherInterface::class);
         $translator           = $this->createMock(Translator::class);
         $flashBag             = $this->createMock(FlashBag::class);
-        $requestStack         = new RequestStack();
-        $security             = $this->createMock(CorePermissions::class);
+        $this->requestStack   = $this->createMock(RequestStack::class);
+
+        $this->security          = $this->createMock(CorePermissions::class);
+        $this->marketplaceConfig = $this->createMock(Config::class);
 
         $controller = new AjaxController(
             $composer,
             $cacheHelper,
             $logger,
+            $this->marketplaceConfig,
             $doctrine,
             $factory,
             $modelFactory,
@@ -81,8 +116,8 @@ private function generateController(bool $isPackageInstalled): AjaxController
             $dispatcher,
             $translator,
             $flashBag,
-            $requestStack,
-            $security
+            $this->requestStack,
+            $this->security
         );
         $controller->setContainer(static::getContainer());
 

app/bundles/MarketplaceBundle/Translations/en_US/messages.ini

@@ -43,6 +43,8 @@ marketplace.package.install.html.failed="Something went wrong while installing <
 marketplace.package.install.html.in.progress="<strong>%packagename%</strong> is being installed. This might take a while..."
 marketplace.package.install.html.success="Successfully installed <strong>%packagename%</strong>!"
 marketplace.package.install.html.success.continue="Go to the plugin page to activate the plugin"
+marketplace.package.request.marketplace_disabled="The marketplace is disabled."
+marketplace.package.request.no_permissions="You don't have permission to perform this action."
 marketplace.package.request.details.missing="The package vendor or name has not been provided. Please try again."
 marketplace.package.cache.clear.failed="Couldn't refresh plugins list. Please ask a developer to check server permissions and try again."
 marketplace.package.remove.not.installed="The selected package is not currently installed and can therefore not be removed. Please try again with a different package name."