From 71e5cfbf2253abebe5e63c1ad5389e9872e0bf3d Mon Sep 17 00:00:00 2001
From: lukmzig
Date: Wed, 12 Jun 2024 12:00:24 +0200
Subject: [PATCH] add asset permission check
---
 .../Controller/Video/ImageThumbnailStreamController.php | 5 +++--
 src/Asset/Controller/Video/ThumbnailDownloadController.php | 5 +++--
 src/Asset/Controller/Video/ThumbnailStreamController.php | 5 +++--
 3 files changed, 9 insertions(+), 6 deletions(-)
diff --git a/src/Asset/Controller/Video/ImageThumbnailStreamController.php b/src/Asset/Controller/Video/ImageThumbnailStreamController.php
index 0ed8728fa..67ca30cc5 100644
--- a/src/Asset/Controller/Video/ImageThumbnailStreamController.php
+++ b/src/Asset/Controller/Video/ImageThumbnailStreamController.php
@@ -40,10 +40,12 @@
 use Pimcore\Bundle\StudioBackendBundle\Security\Service\SecurityServiceInterface;
 use Pimcore\Bundle\StudioBackendBundle\Util\Constants\HttpResponseCodes;
 use Pimcore\Bundle\StudioBackendBundle\Util\Constants\HttpResponseHeaders;
+use Pimcore\Bundle\StudioBackendBundle\Util\Constants\UserPermissions;
 use Symfony\Component\HttpFoundation\StreamedResponse;
 use Symfony\Component\HttpKernel\Attribute\MapQueryString;
 use Symfony\Component\Routing\Attribute\Route;
 use Symfony\Component\Security\Core\Exception\UserNotFoundException;
+use Symfony\Component\Security\Http\Attribute\IsGranted;
 use Symfony\Component\Serializer\SerializerInterface;
 /**
@@ -73,8 +75,7 @@ public function __construct(
 name: 'pimcore_studio_api_stream_video_image_thumbnail',
 methods: ['GET']
 )]
- //#[IsGranted('STUDIO_API')]
- //#[IsGranted(UserPermissions::ASSETS->value)]
+ #[IsGranted(UserPermissions::ASSETS->value)]
 #[Get(
 path: self::API_PATH . '/assets/{id}/video/stream/imageThumbnail',
 operationId: 'getVideoImageThumbnail',
diff --git a/src/Asset/Controller/Video/ThumbnailDownloadController.php b/src/Asset/Controller/Video/ThumbnailDownloadController.php
index 807558d31..dc3105285 100644
--- a/src/Asset/Controller/Video/ThumbnailDownloadController.php
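Review bot: In the `@@ -73,8 +75,7 @@` hunk the commented-out `#[IsGranted('STUDIO_API')]` is deleted rather than enabled, so this route is guarded only by `#[IsGranted(UserPermissions::ASSETS->value)]`; the same removal appears in the attribute hunks of ThumbnailDownloadController.php and ThumbnailStreamController.php. Whether a firewall rule or a class-level attribute already enforces that permission is not visible in this patch. If nothing else does, keep it as a second attribute above `#[Get(`: `#[IsGranted('STUDIO_API')]`. The attribute list belongs to an action method whose body lies outside the hunk.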
+++ b/src/Asset/Controller/Video/ThumbnailDownloadController.php
@@ -35,9 +35,11 @@
 use Pimcore\Bundle\StudioBackendBundle\OpenApi\Config\Tags;
 use Pimcore\Bundle\StudioBackendBundle\Security\Service\SecurityServiceInterface;
 use Pimcore\Bundle\StudioBackendBundle\Util\Constants\HttpResponseCodes;
+use Pimcore\Bundle\StudioBackendBundle\Util\Constants\UserPermissions;
 use Symfony\Component\HttpFoundation\StreamedResponse;
 use Symfony\Component\Routing\Attribute\Route;
 use Symfony\Component\Security\Core\Exception\UserNotFoundException;
+use Symfony\Component\Security\Http\Attribute\IsGranted;
 use Symfony\Component\Serializer\SerializerInterface;
 /**
@@ -68,8 +70,7 @@ public function __construct(
 name: 'pimcore_studio_api_download_video_thumbnail',
 methods: ['GET']
 )]
- //#[IsGranted('STUDIO_API')]
- //#[IsGranted(UserPermissions::ASSETS->value)]
+ #[IsGranted(UserPermissions::ASSETS->value)]
 #[Get(
 path: self::API_PATH . '/assets/{id}/video/download/{thumbnailName}',
 operationId: 'downloadVideoByThumbnail',
diff --git a/src/Asset/Controller/Video/ThumbnailStreamController.php b/src/Asset/Controller/Video/ThumbnailStreamController.php
index e769a2ceb..fcfb9a277 100644
--- a/src/Asset/Controller/Video/ThumbnailStreamController.php
+++ b/src/Asset/Controller/Video/ThumbnailStreamController.php
@@ -35,9 +35,11 @@
 use Pimcore\Bundle\StudioBackendBundle\OpenApi\Config\Tags;
 use Pimcore\Bundle\StudioBackendBundle\Security\Service\SecurityServiceInterface;
 use Pimcore\Bundle\StudioBackendBundle\Util\Constants\HttpResponseCodes;
+use Pimcore\Bundle\StudioBackendBundle\Util\Constants\UserPermissions;
 use Symfony\Component\HttpFoundation\StreamedResponse;
 use Symfony\Component\Routing\Attribute\Route;
 use Symfony\Component\Security\Core\Exception\UserNotFoundException;
+use Symfony\Component\Security\Http\Attribute\IsGranted;
 use Symfony\Component\Serializer\SerializerInterface;
 /**
@@ -68,8 +70,7 @@ public function __construct(
 name: 'pimcore_studio_api_stream_video_thumbnail',
 methods: ['GET']
 )]
- //#[IsGranted('STUDIO_API')]
- //#[IsGranted(UserPermissions::ASSETS->value)]
+ #[IsGranted(UserPermissions::ASSETS->value)]
 #[Get(
 path: self::API_PATH . '/assets/{id}/video/stream/{thumbnailName}',
 operationId: 'streamVideoByThumbnail',
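Review bot: `#[IsGranted(UserPermissions::ASSETS->value)]` is evaluated without a `subject`, so on `/assets/{id}/video/stream/{thumbnailName}` it presumably checks only the user's global assets permission and not access to the asset named by `{id}`; the same holds for the download and imageThumbnail routes in the other two controllers. The action body is outside the hunk, so confirm that it checks the current user's view permission on the loaded asset before any thumbnail is streamed. A short comment above the attribute would document the split, for example `// global permission only; per-asset access is checked in the action`. A functional test that requests a thumbnail of an asset the user may not view and expects a denied response would pin this behaviour down.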