Improve authorization middleware

Author: mevdschee

api.php

@@ -667,7 +667,7 @@ public function __construct(GenericDB $db, ReflectionService $reflection)
 
     public function updateTable(String $tableName, /* object */ $changes): bool
     {
-        $table = $this->reflection->getTable($tableName);
+        $table = $database->get($tableName);
         $newTable = ReflectedTable::fromJson((object) array_merge((array) $table->jsonSerialize(), (array) $changes));
         if ($table->getName() != $newTable->getName()) {
             if (!$this->db->definition()->renameTable($table->getName(), $newTable->getName())) {
@@ -679,7 +679,7 @@ public function updateTable(String $tableName, /* object */ $changes): bool
 
     public function updateColumn(String $tableName, String $columnName, /* object */ $changes): bool
     {
-        $table = $this->reflection->getTable($tableName);
+        $table = $database->get($tableName);
         $column = $table->get($columnName);
 
         $newColumn = ReflectedColumn::fromJson((object) array_merge((array) $column->jsonSerialize(), (array) $changes));
@@ -780,7 +780,7 @@ public function removeTable(String $tableName)
 
     public function removeColumn(String $tableName, String $columnName)
     {
-        $table = $this->reflection->getTable($tableName);
+        $table = $database->get($tableName);
         $newColumn = $table->get($columnName);
         if ($newColumn->getPk()) {
             $newColumn->setPk(false);
@@ -901,21 +901,23 @@ public function getDatabase(Request $request): Response
     public function getTable(Request $request): Response
     {
         $tableName = $request->getPathSegment(2);
-        if (!$this->reflection->hasTable($tableName)) {
+        $database = $this->reflection->getDatabase();
+        if (!$database->exists($tableName)) {
             return $this->responder->error(ErrorCode::TABLE_NOT_FOUND, $tableName);
         }
-        $table = $this->reflection->getTable($tableName);
+        $table = $database->get($tableName);
         return $this->responder->success($table);
     }
 
     public function getColumn(Request $request): Response
     {
         $tableName = $request->getPathSegment(2);
         $columnName = $request->getPathSegment(3);
-        if (!$this->reflection->hasTable($tableName)) {
+        $database = $this->reflection->getDatabase();
+        if (!$database->exists($tableName)) {
             return $this->responder->error(ErrorCode::TABLE_NOT_FOUND, $tableName);
         }
-        $table = $this->reflection->getTable($tableName);
+        $table = $database->get($tableName);
         if (!$table->exists($columnName)) {
             return $this->responder->error(ErrorCode::COLUMN_NOT_FOUND, $columnName);
         }
@@ -926,7 +928,8 @@ public function getColumn(Request $request): Response
     public function updateTable(Request $request): Response
     {
         $tableName = $request->getPathSegment(2);
-        if (!$this->reflection->hasTable($tableName)) {
+        $database = $this->reflection->getDatabase();
+        if (!$database->exists($tableName)) {
             return $this->responder->error(ErrorCode::TABLE_NOT_FOUND, $tableName);
         }
         $success = $this->definition->updateTable($tableName, $request->getBody());
@@ -940,10 +943,11 @@ public function updateColumn(Request $request): Response
     {
         $tableName = $request->getPathSegment(2);
         $columnName = $request->getPathSegment(3);
-        if (!$this->reflection->hasTable($tableName)) {
+        $database = $this->reflection->getDatabase();
+        if (!$database->exists($tableName)) {
             return $this->responder->error(ErrorCode::TABLE_NOT_FOUND, $tableName);
         }
-        $table = $this->reflection->getTable($tableName);
+        $table = $database->get($tableName);
         if (!$table->exists($columnName)) {
             return $this->responder->error(ErrorCode::COLUMN_NOT_FOUND, $columnName);
         }
@@ -970,11 +974,12 @@ public function addTable(Request $request): Response
     public function addColumn(Request $request): Response
     {
         $tableName = $request->getPathSegment(2);
-        if (!$this->reflection->hasTable($tableName)) {
+        $database = $this->reflection->getDatabase();
+        if (!$database->exists($tableName)) {
             return $this->responder->error(ErrorCode::TABLE_NOT_FOUND, $tableName);
         }
         $columnName = $request->getBody()->name;
-        $table = $this->reflection->getTable($tableName);
+        $table = $database->get($tableName);
         if ($table->exists($columnName)) {
             return $this->responder->error(ErrorCode::COLUMN_ALREADY_EXISTS, $columnName);
         }
@@ -988,7 +993,8 @@ public function addColumn(Request $request): Response
     public function removeTable(Request $request): Response
     {
         $tableName = $request->getPathSegment(2);
-        if (!$this->reflection->hasTable($tableName)) {
+        $database = $this->reflection->getDatabase();
+        if (!$database->exists($tableName)) {
             return $this->responder->error(ErrorCode::TABLE_NOT_FOUND, $tableName);
         }
         $success = $this->definition->removeTable($tableName);
@@ -1002,10 +1008,11 @@ public function removeColumn(Request $request): Response
     {
         $tableName = $request->getPathSegment(2);
         $columnName = $request->getPathSegment(3);
-        if (!$this->reflection->hasTable($tableName)) {
+        $database = $this->reflection->getDatabase();
+        if (!$database->exists($tableName)) {
             return $this->responder->error(ErrorCode::TABLE_NOT_FOUND, $tableName);
         }
-        $table = $this->reflection->getTable($tableName);
+        $table = $database->get($tableName);
         if (!$table->exists($columnName)) {
             return $this->responder->error(ErrorCode::COLUMN_NOT_FOUND, $columnName);
         }

src/Tqdev/PhpCrudApi/Api.php

@@ -57,6 +57,9 @@ public function __construct(Config $config)
                 case 'sanitation':
                     new SanitationMiddleware($router, $responder, $properties, $reflection);
                     break;
+                case 'authorization':
+                    new AuthorizationMiddleware($router, $responder, $properties, $reflection);
+                    break;
             }
         }
         $data = new RecordService($db, $reflection);

src/Tqdev/PhpCrudApi/Column/DefinitionService.php

@@ -1,9 +1,9 @@
 <?php
 namespace Tqdev\PhpCrudApi\Column;
 
-use Tqdev\PhpCrudApi\Database\GenericDB;
 use Tqdev\PhpCrudApi\Column\Reflection\ReflectedColumn;
 use Tqdev\PhpCrudApi\Column\Reflection\ReflectedTable;
+use Tqdev\PhpCrudApi\Database\GenericDB;
 
 class DefinitionService
 {

src/Tqdev/PhpCrudApi/Middleware/AuthorizationMiddleware.php

@@ -19,24 +19,33 @@ public function __construct(Router $router, Responder $responder, array $propert
         $this->reflection = $reflection;
     }
 
+    private function getIncludes($all, $list)
+    {
+        $result = array_fill_keys($all, false);
+        foreach ($lists as $items) {
+            foreach (explode(',', $items) as $item) {
+                if (isset($result[$item])) {
+                    $result[$item] = true;
+                }
+            }
+        }
+        return $result;
+    }
+
     public function handle(Request $request): Response
     {
         $path = $request->getPathSegment(1);
         $tableName = $request->getPathSegment(2);
         $database = $this->reflection->getDatabase();
-        if ($path == 'records' && $database->exists($tableName)) {
-            $table = $database->get($tableName);
+        $handler = $this->getProperty('handler', '');
+        if ($handler !== '' && $path == 'records' && $database->exists($tableName)) {
             $method = $request->getMethod();
-            $tableHandler = $this->getProperty('tableHandler', '');
-            if ($tableHandler !== '') {
-                $valid = call_user_func($handler, $method, $tableName);
-                if ($valid !== true && $valid !== '') {
-                    $details[$columnName] = $valid;
-                }
-                if (count($details) > 0) {
-                    return $this->responder->error(ErrorCode::INPUT_VALIDATION_FAILED, $tableName, $details);
-                }
-
+            $tableNames = $database->getTableNames();
+            $params = $request->getParams();
+            $includes = $this->getIncludes($tableNames, $params['include']);
+            $allowed = call_user_func($handler, $method, $tableName, $includes);
+            if (!$allowed) {
+                return $this->responder->error(ErrorCode::OPERATION_FORBIDDEN, '');
             }
         }
         return $this->next->handle($request);

src/Tqdev/PhpCrudApi/Middleware/SanitationMiddleware.php

@@ -1,13 +1,13 @@
 <?php
 namespace Tqdev\PhpCrudApi\Middleware;
 
-use Tqdev\PhpCrudApi\Controller\Responder;
 use Tqdev\PhpCrudApi\Column\ReflectionService;
 use Tqdev\PhpCrudApi\Column\Reflection\ReflectedTable;
-use Tqdev\PhpCrudApi\Request;
-use Tqdev\PhpCrudApi\Response;
+use Tqdev\PhpCrudApi\Controller\Responder;
 use Tqdev\PhpCrudApi\Middleware\Base\Middleware;
 use Tqdev\PhpCrudApi\Middleware\Router\Router;
+use Tqdev\PhpCrudApi\Request;
+use Tqdev\PhpCrudApi\Response;
 
 class SanitationMiddleware extends Middleware
 {

src/Tqdev/PhpCrudApi/Record/ErrorCode.php

@@ -25,6 +25,7 @@ class ErrorCode
     const AUTHORIZATION_REQUIRED = 1011;
     const ACCESS_DENIED = 1012;
     const INPUT_VALIDATION_FAILED = 1013;
+    const OPERATION_FORBIDDEN = 1014;
 
     private $values = [
         9999 => ["%s", Response::INTERNAL_SERVER_ERROR],
@@ -42,6 +43,7 @@ class ErrorCode
         1011 => ["Authorization required", Response::UNAUTHORIZED],
         1012 => ["Access denied for '%s'", Response::FORBIDDEN],
         1013 => ["Input validation failed for '%s'", Response::UNPROCESSABLE_ENTITY],
+        1014 => ["Operation forbidden", Response::FORBIDDEN],
     ];
 
     public function __construct(int $code)