Session authorization is different

riasvdv · riasvdv · commit 45d8a7d1e9de · 2025-12-16T10:48:30.000+01:00
diff --git a/src/Http/Controllers/PreviewController.php b/src/Http/Controllers/PreviewController.php
@@ -4,6 +4,7 @@
 
 namespace CraftCms\Cms\Http\Controllers;
 
+use Craft;
 use craft\helpers\ElementHelper;
 use CraftCms\Cms\Http\EnforcesPermissions;
 use CraftCms\Cms\Http\Middleware\HandleTokenRequest;
@@ -25,9 +26,9 @@
     public function createToken(Request $request, RouteTokens $tokens, RouteToken $tokenData): JsonResponse|RedirectResponse
     {
         match (true) {
-            isset($tokenData->draftId) => $this->requirePermission("previewDraft:{$tokenData->draftId}"),
-            isset($tokenData->revisionId) => $this->requirePermission("previewRevision:{$tokenData->revisionId}"),
-            default => $this->requirePermission("previewElement:{$tokenData->getCanonicalId()}"),
+            isset($tokenData->draftId) => $this->requireSessionAuthorization("previewDraft:{$tokenData->draftId}"),
+            isset($tokenData->revisionId) => $this->requireSessionAuthorization("previewRevision:{$tokenData->revisionId}"),
+            default => $this->requireSessionAuthorization("previewElement:{$tokenData->getCanonicalId()}"),
         };
 
         $token = $tokens->createPreviewToken([
@@ -85,7 +86,7 @@ public function preview(Request $request, Kernel $kernel, RouteToken $tokenData)
             }
 
             $element->previewing = true;
-            \Craft::$app->getElements()->setPlaceholderElement($element);
+            Craft::$app->getElements()->setPlaceholderElement($element);
         }
 
         /** @var \Illuminate\Support\Uri $originalUri */
diff --git a/src/Http/Controllers/StructuresController.php b/src/Http/Controllers/StructuresController.php
@@ -4,6 +4,7 @@
 
 namespace CraftCms\Cms\Http\Controllers;
 
+use Craft;
 use craft\base\ElementInterface;
 use CraftCms\Cms\Http\EnforcesPermissions;
 use CraftCms\Cms\Http\RespondsWithFlash;
@@ -36,15 +37,15 @@ public function __construct(
             'siteId' => ['required', 'integer'],
         ]);
 
-        $this->requirePermission("editStructure:$structureId");
+        $this->requireSessionAuthorization("editStructure:$structureId");
 
         abort_if(
             is_null($this->structure = $structures->getStructureById($structureId)),
             404,
             'Structure not found.'
         );
 
-        $elementsService = \Craft::$app->getElements();
+        $elementsService = Craft::$app->getElements();
 
         abort_if(
             is_null($elementType = $elementsService->getElementTypeById($elementId)),
@@ -77,10 +78,10 @@ public function moveElement(): Response
         $prevElementId = $this->request->input('prevId');
 
         if ($prevElementId) {
-            $prevElement = \Craft::$app->getElements()->getElementById($prevElementId, null, $this->element->siteId);
+            $prevElement = Craft::$app->getElements()->getElementById($prevElementId, null, $this->element->siteId);
             $success = $this->structures->moveAfter($this->structure->id, $this->element, $prevElement);
         } elseif ($parentElementId) {
-            $parentElement = \Craft::$app->getElements()->getElementById($parentElementId, null, $this->element->siteId);
+            $parentElement = Craft::$app->getElements()->getElementById($parentElementId, null, $this->element->siteId);
             $success = $this->structures->prepend($this->structure->id, $this->element, $parentElement);
         } else {
             $success = $this->structures->prependToRoot($this->structure->id, $this->element);
diff --git a/src/Http/EnforcesPermissions.php b/src/Http/EnforcesPermissions.php
@@ -39,6 +39,13 @@ protected function enforceEditEntryPermissions(Entry $entry, bool $duplicate = f
         abort_unless($canSave, 403, 'User is not authorized to perform this action.');
     }
 
+    protected function requireSessionAuthorization(string $permission): void
+    {
+        if (! Craft::$app->getSession()->checkAuthorization($permission)) {
+            abort(403, 'User is not authorized to perform this action.');
+        }
+    }
+
     protected function requirePermission(string $permission): void
     {
         if (! $user = Auth::user()) {
diff --git a/src/Structure/Data/Structure.php b/src/Structure/Data/Structure.php
@@ -4,7 +4,7 @@
 
 namespace CraftCms\Cms\Structure\Data;
 
-use Illuminate\Support\Facades\Auth;
+use Craft;
 use Spatie\LaravelData\Dto;
 
 final class Structure extends Dto
@@ -17,6 +17,6 @@ public function __construct(
 
     public function isSortable(): bool
     {
-        return Auth::user()?->can("editStructure:{$this->id}");
+        return Craft::$app->getSession()->checkAuthorization("editStructure:{$this->id}");
     }
 }

Original file line number	Diff line number	Diff line change
`@@ -39,6 +39,13 @@ protected function enforceEditEntryPermissions(Entry $entry, bool $duplicate = f`
`39`	`39`	`abort_unless($canSave, 403, 'User is not authorized to perform this action.');`
`40`	`40`	`}`
`41`	`41`
	`42`	`+ protected function requireSessionAuthorization(string $permission): void`
	`43`	`+ {`
	`44`	`+ if (! Craft::$app->getSession()->checkAuthorization($permission)) {`
	`45`	`+ abort(403, 'User is not authorized to perform this action.');`
	`46`	`+ }`
	`47`	`+ }`
	`48`	`+`
`42`	`49`	`protected function requirePermission(string $permission): void`
`43`	`50`	`{`
`44`	`51`	`if (! $user = Auth::user()) {`
Original file line number	Diff line number	Diff line change
`@@ -4,7 +4,7 @@`
`4`	`4`
`5`	`5`	`namespace CraftCms\Cms\Structure\Data;`
`6`	`6`
`7`		`-use Illuminate\Support\Facades\Auth;`
	`7`	`+use Craft;`
`8`	`8`	`use Spatie\LaravelData\Dto;`
`9`	`9`
`10`	`10`	`final class Structure extends Dto`
`@@ -17,6 +17,6 @@ public function __construct(`
`17`	`17`
`18`	`18`	`public function isSortable(): bool`
`19`	`19`	`{`
`20`		`- return Auth::user()?->can("editStructure:{$this->id}");`
	`20`	`+ return Craft::$app->getSession()->checkAuthorization("editStructure:{$this->id}");`
`21`	`21`	`}`
`22`	`22`	`}`