Allowed permissions console params opt in instead of out

2024-07-01 20:50:49 +12:00 · 2022-08-29 22:25:00 +12:00 · 2022-08-29 22:25:00 +12:00 · f54b6b2ebc
parent 47db8f5bf1
commit f54b6b2ebc
2 changed files with 16 additions and 15 deletions
--- a/app/controllers/web/console.php
+++ b/app/controllers/web/console.php
@ -330,7 +330,6 @@ App::get('/console/databases/document')
    ->action(function (string $databaseId, string $collection, View $layout) {

        $logs = new View(__DIR__ . '/../../views/console/comps/logs.phtml');
-
        $logs
            ->setParam('interval', App::getEnv('_APP_MAINTENANCE_RETENTION_AUDIT', 0))
            ->setParam('method', 'databases.listDocumentLogs')
@ -342,16 +341,16 @@ App::get('/console/databases/document')
        ;

        $permissions = new View(__DIR__ . '/../../views/console/comps/permissions-matrix.phtml');
-
        $permissions
            ->setParam('method', 'databases.getDocument')
            ->setParam('events', 'load,databases.updateDocument')
            ->setParam('form', 'documentPermissions')
            ->setParam('data', 'project-document')
-            ->setParam('permissions', \array_filter(
-                Database::PERMISSIONS,
-                fn ($perm) => $perm != Database::PERMISSION_CREATE
-            ))
+            ->setParam('permissions', [
+                Database::PERMISSION_READ,
+                Database::PERMISSION_UPDATE,
+                Database::PERMISSION_DELETE,
+            ])
            ->setParam('params', [
                'collection-id' => '{{router.params.collection}}',
                'database-id' => '{{router.params.databaseId}}',
@ -453,20 +452,22 @@ App::get('/console/storage/bucket')
        $fileCreatePermissions = new View(__DIR__ . '/../../views/console/comps/permissions-matrix.phtml');
        $fileCreatePermissions
            ->setParam('form', 'fileCreatePermissions')
-            ->setParam('permissions', \array_filter(
-                Database::PERMISSIONS,
-                fn ($perm) => $perm != Database::PERMISSION_CREATE
-            ));
+            ->setParam('permissions', [
+                Database::PERMISSION_READ,
+                Database::PERMISSION_UPDATE,
+                Database::PERMISSION_DELETE,
+            ]);

        $fileUpdatePermissions = new View(__DIR__ . '/../../views/console/comps/permissions-matrix.phtml');
        $fileUpdatePermissions
            ->setParam('method', 'storage.getFile')
            ->setParam('data', 'file')
            ->setParam('form', 'fileUpdatePermissions')
-            ->setParam('permissions', \array_filter(
-                Database::PERMISSIONS,
-                fn ($perm) => $perm != Database::PERMISSION_CREATE
-            ))
+            ->setParam('permissions', [
+                Database::PERMISSION_READ,
+                Database::PERMISSION_UPDATE,
+                Database::PERMISSION_DELETE,
+            ])
            ->setParam('params', [
                'bucket-id' => '{{router.params.id}}',
            ]);
--- a/app/views/console/comps/permissions-matrix.phtml
+++ b/app/views/console/comps/permissions-matrix.phtml
@ -7,7 +7,7 @@ $params = $this->getParam('params', []);
 $events = $this->getParam('events', '');
 $permissions = $this->getParam('permissions', Database::PERMISSIONS);
 $data = $this->getParam('data', '');
-$form = $this->getParam('form', 'form');
+$form = $this->getParam('form');

 $escapedPermissions = \array_map(function ($perm) {
    // Alpine won't bind to a parameter named delete