Merge branch '6.x' into feature/users-service

riasvdv · riasvdv · commit 6ccc2c285b15 · 2025-12-16T12:15:56.000+01:00
diff --git a/src/Http/Controllers/PreviewController.php b/src/Http/Controllers/PreviewController.php
@@ -4,6 +4,7 @@
 
 namespace CraftCms\Cms\Http\Controllers;
 
+use Craft;
 use craft\helpers\ElementHelper;
 use CraftCms\Cms\Http\EnforcesPermissions;
 use CraftCms\Cms\Http\Middleware\HandleTokenRequest;
@@ -25,9 +26,9 @@
     public function createToken(Request $request, RouteTokens $tokens, RouteToken $tokenData): JsonResponse|RedirectResponse
     {
         match (true) {
-            isset($tokenData->draftId) => $this->requirePermission("previewDraft:{$tokenData->draftId}"),
-            isset($tokenData->revisionId) => $this->requirePermission("previewRevision:{$tokenData->revisionId}"),
-            default => $this->requirePermission("previewElement:{$tokenData->getCanonicalId()}"),
+            isset($tokenData->draftId) => $this->requireSessionAuthorization("previewDraft:{$tokenData->draftId}"),
+            isset($tokenData->revisionId) => $this->requireSessionAuthorization("previewRevision:{$tokenData->revisionId}"),
+            default => $this->requireSessionAuthorization("previewElement:{$tokenData->getCanonicalId()}"),
         };
 
         $token = $tokens->createPreviewToken([
@@ -85,7 +86,7 @@ public function preview(Request $request, Kernel $kernel, RouteToken $tokenData)
             }
 
             $element->previewing = true;
-            \Craft::$app->getElements()->setPlaceholderElement($element);
+            Craft::$app->getElements()->setPlaceholderElement($element);
         }
 
         /** @var \Illuminate\Support\Uri $originalUri */
diff --git a/src/Http/Controllers/StructuresController.php b/src/Http/Controllers/StructuresController.php
@@ -4,6 +4,7 @@
 
 namespace CraftCms\Cms\Http\Controllers;
 
+use Craft;
 use craft\base\ElementInterface;
 use CraftCms\Cms\Http\EnforcesPermissions;
 use CraftCms\Cms\Http\RespondsWithFlash;
@@ -36,15 +37,15 @@ public function __construct(
             'siteId' => ['required', 'integer'],
         ]);
 
-        $this->requirePermission("editStructure:$structureId");
+        $this->requireSessionAuthorization("editStructure:$structureId");
 
         abort_if(
             is_null($this->structure = $structures->getStructureById($structureId)),
             404,
             'Structure not found.'
         );
 
-        $elementsService = \Craft::$app->getElements();
+        $elementsService = Craft::$app->getElements();
 
         abort_if(
             is_null($elementType = $elementsService->getElementTypeById($elementId)),
@@ -77,10 +78,10 @@ public function moveElement(): Response
         $prevElementId = $this->request->input('prevId');
 
         if ($prevElementId) {
-            $prevElement = \Craft::$app->getElements()->getElementById($prevElementId, null, $this->element->siteId);
+            $prevElement = Craft::$app->getElements()->getElementById($prevElementId, null, $this->element->siteId);
             $success = $this->structures->moveAfter($this->structure->id, $this->element, $prevElement);
         } elseif ($parentElementId) {
-            $parentElement = \Craft::$app->getElements()->getElementById($parentElementId, null, $this->element->siteId);
+            $parentElement = Craft::$app->getElements()->getElementById($parentElementId, null, $this->element->siteId);
             $success = $this->structures->prepend($this->structure->id, $this->element, $parentElement);
         } else {
             $success = $this->structures->prependToRoot($this->structure->id, $this->element);
diff --git a/src/Http/EnforcesPermissions.php b/src/Http/EnforcesPermissions.php
@@ -40,6 +40,13 @@ protected function enforceEditEntryPermissions(Entry $entry, bool $duplicate = f
         abort_unless($canSave, 403, 'User is not authorized to perform this action.');
     }
 
+    protected function requireSessionAuthorization(string $permission): void
+    {
+        if (! Craft::$app->getSession()->checkAuthorization($permission)) {
+            abort(403, 'User is not authorized to perform this action.');
+        }
+    }
+
     protected function requirePermission(string $permission): void
     {
         if (! $user = Auth::user()) {
diff --git a/src/Structure/Data/Structure.php b/src/Structure/Data/Structure.php
@@ -4,7 +4,7 @@
 
 namespace CraftCms\Cms\Structure\Data;
 
-use Illuminate\Support\Facades\Auth;
+use Craft;
 use Spatie\LaravelData\Dto;
 
 final class Structure extends Dto
@@ -17,6 +17,6 @@ public function __construct(
 
     public function isSortable(): bool
     {
-        return Auth::user()?->can("editStructure:{$this->id}");
+        return Craft::$app->getSession()->checkAuthorization("editStructure:{$this->id}");
     }
 }
diff --git a/tests/Http/Controllers/PreviewControllerTest.php b/tests/Http/Controllers/PreviewControllerTest.php
@@ -17,6 +17,8 @@
     actingAs(User::find()->one());
 
     $this->entry = Entry::factory()->create();
+
+    Craft::$app->getSession()->authorize("previewElement:{$this->entry->id}");
 });
 
 it('can create a token', function () {
diff --git a/tests/Http/Controllers/StructuresControllerTest.php b/tests/Http/Controllers/StructuresControllerTest.php
@@ -59,6 +59,8 @@
     $user->update(['admin' => true]);
     actingAs($user->asElement());
 
+    Craft::$app->getSession()->authorize("editStructure:{$structure->id}");
+
     $status = postJson($route, [
         'structureId' => $structure->id,
         'elementId' => $structure->structureElements()->first()->elementId,
@@ -71,6 +73,8 @@
 it('needs a valid element', function (string $route) {
     $structure = Structure::factory()->create();
 
+    Craft::$app->getSession()->authorize("editStructure:{$structure->id}");
+
     postJson($route, [
         'structureId' => $structure->id,
         'elementId' => 999,
@@ -82,6 +86,7 @@
     $structure = Structure::factory()->create();
     $root = $structure->structureElements()->firstOrFail();
     Entry::factory()->create(['id' => $root->elementId]);
+    Craft::$app->getSession()->authorize("editStructure:{$structure->id}");
 
     $child = new StructureElement([
         'structureId' => $structure->id,
@@ -116,6 +121,7 @@
     $structure = Structure::factory()->create();
     $root = $structure->structureElements()->firstOrFail();
     Entry::factory()->create(['id' => $root->elementId]);
+    Craft::$app->getSession()->authorize("editStructure:{$structure->id}");
 
     $child1 = new StructureElement([
         'structureId' => $structure->id,

Original file line number	Diff line number	Diff line change
`@@ -40,6 +40,13 @@ protected function enforceEditEntryPermissions(Entry $entry, bool $duplicate = f`
`40`	`40`	`abort_unless($canSave, 403, 'User is not authorized to perform this action.');`
`41`	`41`	`}`
`42`	`42`
	`43`	`+ protected function requireSessionAuthorization(string $permission): void`
	`44`	`+ {`
	`45`	`+ if (! Craft::$app->getSession()->checkAuthorization($permission)) {`
	`46`	`+ abort(403, 'User is not authorized to perform this action.');`
	`47`	`+ }`
	`48`	`+ }`
	`49`	`+`
`43`	`50`	`protected function requirePermission(string $permission): void`
`44`	`51`	`{`
`45`	`52`	`if (! $user = Auth::user()) {`
Original file line number	Diff line number	Diff line change
`@@ -4,7 +4,7 @@`
`4`	`4`
`5`	`5`	`namespace CraftCms\Cms\Structure\Data;`
`6`	`6`
`7`		`-use Illuminate\Support\Facades\Auth;`
	`7`	`+use Craft;`
`8`	`8`	`use Spatie\LaravelData\Dto;`
`9`	`9`
`10`	`10`	`final class Structure extends Dto`
`@@ -17,6 +17,6 @@ public function __construct(`
`17`	`17`
`18`	`18`	`public function isSortable(): bool`
`19`	`19`	`{`
`20`		`- return Auth::user()?->can("editStructure:{$this->id}");`
	`20`	`+ return Craft::$app->getSession()->checkAuthorization("editStructure:{$this->id}");`
`21`	`21`	`}`
`22`	`22`	`}`