Open link-transport-mickoz opened 4 months ago
Seems to me the following needs updating; note that I have not tested the modifications:
```php
public function actionCreate($containerId)
{
    $containerRecord = ContentContainer::findOne(['id' => $containerId]);
    if ($containerRecord === null) {
        return $this->returnError(404, 'Content container not found!');
    }

    /** @var ContentContainerActiveRecord $container */
    $container = $containerRecord->getPolymorphicRelation();

    // Check if the user is an admin
    $isAdmin = Yii::$app->user->isAdmin();
    $hasPermission = $container->permissionManager->can([CreateTask::class, ManageTasks::class]);

    if (!in_array(get_class($container), Yii::$app->getModule('tasks')->getContentContainerTypes()) ||
        (!$isAdmin && !$hasPermission)) {
        return $this->returnError(403, 'You are not allowed to create task!');
    }

    $taskParams = Yii::$app->request->post('Task', []);
    $taskForm = new TaskForm([
        'cal' => isset($taskParams['cal_mode']) ? $taskParams['cal_mode'] : null,
        'taskListId' => isset($taskParams['task_list_id']) ? $taskParams['task_list_id'] : null,
        'dateFormat' => 'php:Y-m-d',
        'timeFormat' => 'php:H:i',
    ]);
    $taskForm->createNew($container);

    // Bypass the content edit check if the user is an admin
    if (!$isAdmin && !$taskForm->task->content->canEdit()) {
        return $this->returnError(403, 'You are not allowed to edit this task!');
    }

    if ($this->saveTask($taskForm)) {
        return $this->returnContentDefinition(Task::findOne(['id' => $taskForm->task->id]));
    }

    if ($taskForm->hasErrors() || $taskForm->task->hasErrors()) {
        return $this->returnError(422, 'Validation failed', [
            'taskForm' => $taskForm->getErrors(),
            'task' => $taskForm->task->getErrors(),
        ]);
    } else {
        Yii::error('Could not create validated task.', 'api');
        return $this->returnError(500, 'Internal error while save task!');
    }
}
```
If actionCreate() has this issue then actionUpdate() may also have the same issue, so the following may need to be done here as well:
https://github.com/humhub/tasks/blob/25c18da9ee5e061569067925f21b1ab3ffad1317/controllers/rest/TasksController.php#L93-L123
```php
public function actionUpdate($id)
{
    $task = Task::findOne(['id' => $id]);
    if (!$task) {
        return $this->returnError(404, 'Task not found!');
    }

    $taskForm = new TaskForm([
        'task' => $task,
        'dateFormat' => 'php:Y-m-d',
        'timeFormat' => 'php:H:i',
    ]);

    // Check if the user is an admin
    $isAdmin = Yii::$app->user->isAdmin();

    // Bypass the content edit check if the user is an admin
    if (!$isAdmin && !$taskForm->task->content->canEdit()) {
        return $this->returnError(403, 'You are not allowed to update this task!');
    }

    if ($this->saveTask($taskForm)) {
        return $this->returnContentDefinition(Task::findOne(['id' => $taskForm->task->id]));
    }

    if ($taskForm->hasErrors() || $taskForm->task->hasErrors()) {
        return $this->returnError(422, 'Validation failed', [
            'taskForm' => $taskForm->getErrors(),
            'task' => $taskForm->task->getErrors(),
        ]);
    } else {
        Yii::error('Could not update validated task.', 'api');
        return $this->returnError(500, 'Internal error while save task!');
    }
}
```
Thanks for the reply. Right now, I got it to work by adding a group to the default allowed groups in https://github.com/humhub/tasks/blob/25c18da9ee5e061569067925f21b1ab3ffad1317/permissions/CreateTask.php#L29-L35
```php
public $defaultAllowedGroups = [
    Space::USERGROUP_OWNER,
    Space::USERGROUP_ADMIN,
    Space::USERGROUP_MODERATOR,
    Space::USERGROUP_MEMBER,
    User::USERGROUP_SELF,
    User::USERGROUP_USER // <--
];
```
Although from what I understand, now every user can create a task.
I'll try your changes and get back to you.
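The two approaches in this thread widen access by very different amounts: the `defaultAllowedGroups` workaround grants `CreateTask` to every authenticated user on every profile, while the controller change only lets global administrators skip the container permission check. The following stand-alone Python model is an added illustration, not HumHub or tasks-module code. It mimics how a container permission with `defaultAllowedGroups` resolves the caller's user group (HumHub's `Space::USERGROUP_*` / `User::USERGROUP_*` names, with the string values and the simplified membership lookup being assumptions) and then compares both policies on the same callers and containers.

```python
"""Model of the two authorization policies discussed in the issue.

Added illustration, not HumHub code. It imitates how a container
permission decides access from its defaultAllowedGroups so that the
workaround (add User::USERGROUP_USER to CreateTask) can be compared
with the proposed controller change (global admin bypasses the check).
The group string values and the membership model are assumptions.
"""
from dataclasses import dataclass, field

# User::USERGROUP_* (profile containers)
USERGROUP_SELF = "u_self"       # acting on your own profile
USERGROUP_USER = "u_user"       # any other authenticated user
# Space::USERGROUP_* (space containers)
SPACE_OWNER = "owner"
SPACE_ADMIN = "admin"
SPACE_MODERATOR = "moderator"
SPACE_MEMBER = "member"
SPACE_USER = "user"             # authenticated non-member


@dataclass(frozen=True)
class User:
    id: int
    is_admin: bool = False      # stands in for Yii::$app->user->isAdmin()


@dataclass
class Container:
    """A content container: a profile ('User') or a 'Space'."""
    kind: str
    owner_id: int = 0                               # profile owner
    roles: dict = field(default_factory=dict)       # user id -> space role

    def group_of(self, user: User) -> str:
        """User group of the caller relative to this container."""
        if self.kind == "User":
            return USERGROUP_SELF if user.id == self.owner_id else USERGROUP_USER
        return self.roles.get(user.id, SPACE_USER)


# CreateTask::$defaultAllowedGroups as shipped by the tasks module
CREATE_TASK_DEFAULT = frozenset(
    {SPACE_OWNER, SPACE_ADMIN, SPACE_MODERATOR, SPACE_MEMBER, USERGROUP_SELF}
)
# The workaround from this thread: User::USERGROUP_USER added
CREATE_TASK_WORKAROUND = CREATE_TASK_DEFAULT | {USERGROUP_USER}


def permission_can(user: User, container: Container, allowed_groups) -> bool:
    """permissionManager->can(): allowed iff the caller's group is listed."""
    return container.group_of(user) in allowed_groups


def workaround_allows(user: User, container: Container) -> bool:
    """Unchanged controller logic, evaluated with the widened permission."""
    return permission_can(user, container, CREATE_TASK_WORKAROUND)


def patched_allows(user: User, container: Container) -> bool:
    """Proposed controller logic: a global admin bypasses the permission."""
    return user.is_admin or permission_can(user, container, CREATE_TASK_DEFAULT)


def compare(user: User, container: Container) -> dict:
    """Both decisions side by side for one caller and one container."""
    return {
        "workaround": workaround_allows(user, container),
        "patched": patched_allows(user, container),
    }


if __name__ == "__main__":
    admin, alice, bob = User(1, is_admin=True), User(2), User(3)
    bob_profile = Container("User", owner_id=bob.id)       # constructed sample
    space = Container("Space", roles={alice.id: SPACE_MEMBER})
    for who, where in [(admin, "bob's profile"), (alice, "bob's profile"),
                       (bob, "bob's profile"), (bob, "space")]:
        target = bob_profile if where == "bob's profile" else space
        print(f"user {who.id} -> {where}: {compare(who, target)}")
```

In this model the admin succeeds under both policies, but only the workaround also lets a plain user create tasks on someone else's profile; space containers are unaffected by the workaround because `User::USERGROUP_USER` is a profile group, not a space group.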
I changed methods, and tested out creating a task. Worked without issues.
Thanks for the help! Do you want to keep this issue open or should I close it?
I believe we should keep it open till a P/R is merged to fix the issue.
Hello,
I'm trying to create a task on a user profile (content container belonging to a `user\models\User` object), but I'm receiving 403 Forbidden.
I'm authenticating with a bearer token of a user that belongs to the Administrator group. Creating a task on my own profile works through the API. I can also create a task for another user using the UI, but not the API.
Do I have to change some specific permission? If it's not possible, can you suggest a workaround?