Compare commits
6 Commits
develop-20
...
v6.5.7
| Author | SHA1 | Date | |
|---|---|---|---|
|
|
4190c4d243 | ||
|
|
70cbbc1523 | ||
|
|
c724f13501 | ||
|
|
5f01a83b43 | ||
|
|
53c13d221d | ||
|
|
266cd7d8d0 |
@@ -28,9 +28,7 @@ use FireflyIII\Api\V1\Controllers\Controller;
|
||||
use FireflyIII\Exceptions\FireflyException;
|
||||
use FireflyIII\Models\TransactionCurrency;
|
||||
use FireflyIII\Repositories\Currency\CurrencyRepositoryInterface;
|
||||
use FireflyIII\Repositories\User\UserRepositoryInterface;
|
||||
use FireflyIII\Support\Facades\Preferences;
|
||||
use FireflyIII\User;
|
||||
use Illuminate\Http\JsonResponse;
|
||||
use Illuminate\Support\Facades\Validator;
|
||||
use Illuminate\Validation\ValidationException;
|
||||
@@ -41,7 +39,6 @@ use Illuminate\Validation\ValidationException;
|
||||
final class DestroyController extends Controller
|
||||
{
|
||||
private CurrencyRepositoryInterface $repository;
|
||||
private UserRepositoryInterface $userRepository;
|
||||
|
||||
/**
|
||||
* CurrencyRepository constructor.
|
||||
@@ -50,8 +47,7 @@ final class DestroyController extends Controller
|
||||
{
|
||||
parent::__construct();
|
||||
$this->middleware(function ($request, $next) {
|
||||
$this->repository = app(CurrencyRepositoryInterface::class);
|
||||
$this->userRepository = app(UserRepositoryInterface::class);
|
||||
$this->repository = app(CurrencyRepositoryInterface::class);
|
||||
$this->repository->setUser(auth()->user());
|
||||
|
||||
return $next($request);
|
||||
@@ -69,15 +65,8 @@ final class DestroyController extends Controller
|
||||
*/
|
||||
public function destroy(TransactionCurrency $currency): JsonResponse
|
||||
{
|
||||
/** @var User $admin */
|
||||
$admin = auth()->user();
|
||||
$rules = ['currency_code' => 'required'];
|
||||
|
||||
if (!$this->userRepository->hasRole($admin, 'owner')) {
|
||||
// access denied:
|
||||
$messages = ['currency_code' => '200005: You need the "owner" role to do this.'];
|
||||
Validator::make([], $rules, $messages)->validate();
|
||||
}
|
||||
if ($this->repository->currencyInUse($currency)) {
|
||||
$messages = ['currency_code' => '200006: Currency in use.'];
|
||||
Validator::make([], $rules, $messages)->validate();
|
||||
|
||||
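Review bot: With the `hasRole($admin, 'owner')` block removed from destroy() in the last hunk, nothing in this controller records that the endpoint is owner-only; the requirement now lives solely in the `api-admin` route group, which a future routes edit can silently drop. Add a docblock line such as `* Owner-only: enforced by the api-admin middleware group (IsAdminApi); keep this route in that group.` — the same applies to the link-type Store/Update/Destroy controllers, ConfigurationController::update() and UserController::destroy() in the later hunks. The client-visible failure also changes from a 422 validation error carrying code `200005` to the 403 raised by AuthorizationException, which deserves a changelog or API-docs line. destroy()'s body continues past the hunk.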
@@ -32,7 +32,6 @@ use FireflyIII\Support\Facades\Preferences;
|
||||
use FireflyIII\Support\Http\Api\TransactionFilter;
|
||||
use FireflyIII\User;
|
||||
use Illuminate\Http\JsonResponse;
|
||||
use Illuminate\Support\Facades\Log;
|
||||
|
||||
/**
|
||||
* Class DestroyController
|
||||
@@ -72,11 +71,6 @@ final class DestroyController extends Controller
|
||||
if (false === $linkType->editable) {
|
||||
throw new FireflyException('200020: Link type cannot be changed.');
|
||||
}
|
||||
if (false === auth()->user()->hasRole('owner')) {
|
||||
Log::channel('audit')->warning('Non-owner user tries to delete a link type.');
|
||||
|
||||
return response()->json([], 401);
|
||||
}
|
||||
|
||||
$this->repository->destroy($linkType);
|
||||
Preferences::mark();
|
||||
|
||||
@@ -27,12 +27,10 @@ namespace FireflyIII\Api\V1\Controllers\Models\TransactionLinkType;
|
||||
use FireflyIII\Api\V1\Controllers\Controller;
|
||||
use FireflyIII\Api\V1\Requests\Models\TransactionLinkType\StoreRequest;
|
||||
use FireflyIII\Repositories\LinkType\LinkTypeRepositoryInterface;
|
||||
use FireflyIII\Repositories\User\UserRepositoryInterface;
|
||||
use FireflyIII\Support\Http\Api\TransactionFilter;
|
||||
use FireflyIII\Transformers\LinkTypeTransformer;
|
||||
use FireflyIII\User;
|
||||
use Illuminate\Http\JsonResponse;
|
||||
use Illuminate\Support\Facades\Validator;
|
||||
use Illuminate\Validation\ValidationException;
|
||||
use League\Fractal\Resource\Item;
|
||||
|
||||
@@ -44,7 +42,6 @@ final class StoreController extends Controller
|
||||
use TransactionFilter;
|
||||
|
||||
private LinkTypeRepositoryInterface $repository;
|
||||
private UserRepositoryInterface $userRepository;
|
||||
|
||||
/**
|
||||
* LinkTypeController constructor.
|
||||
@@ -54,9 +51,8 @@ final class StoreController extends Controller
|
||||
parent::__construct();
|
||||
$this->middleware(function ($request, $next) {
|
||||
/** @var User $user */
|
||||
$user = auth()->user();
|
||||
$this->repository = app(LinkTypeRepositoryInterface::class);
|
||||
$this->userRepository = app(UserRepositoryInterface::class);
|
||||
$user = auth()->user();
|
||||
$this->repository = app(LinkTypeRepositoryInterface::class);
|
||||
$this->repository->setUser($user);
|
||||
|
||||
return $next($request);
|
||||
@@ -73,15 +69,6 @@ final class StoreController extends Controller
|
||||
*/
|
||||
public function store(StoreRequest $request): JsonResponse
|
||||
{
|
||||
/** @var User $admin */
|
||||
$admin = auth()->user();
|
||||
$rules = ['name' => 'required'];
|
||||
|
||||
if (!$this->userRepository->hasRole($admin, 'owner')) {
|
||||
// access denied:
|
||||
$messages = ['name' => '200005: You need the "owner" role to do this.'];
|
||||
Validator::make([], $rules, $messages)->validate();
|
||||
}
|
||||
$data = $request->getAll();
|
||||
// if currency ID is 0, find the currency by the code:
|
||||
$linkType = $this->repository->store($data);
|
||||
|
||||
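Review bot: The comment `// if currency ID is 0, find the currency by the code:` that survives on the new side of the last hunk is a copy from the currency controller and describes nothing this link-type store() does; drop it or replace it with `// persist the link type from the validated request data:`. store()'s body continues past the hunk.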
@@ -29,12 +29,10 @@ use FireflyIII\Api\V1\Requests\Models\TransactionLinkType\UpdateRequest;
|
||||
use FireflyIII\Exceptions\FireflyException;
|
||||
use FireflyIII\Models\LinkType;
|
||||
use FireflyIII\Repositories\LinkType\LinkTypeRepositoryInterface;
|
||||
use FireflyIII\Repositories\User\UserRepositoryInterface;
|
||||
use FireflyIII\Support\Http\Api\TransactionFilter;
|
||||
use FireflyIII\Transformers\LinkTypeTransformer;
|
||||
use FireflyIII\User;
|
||||
use Illuminate\Http\JsonResponse;
|
||||
use Illuminate\Support\Facades\Validator;
|
||||
use Illuminate\Validation\ValidationException;
|
||||
use League\Fractal\Resource\Item;
|
||||
|
||||
@@ -46,7 +44,6 @@ final class UpdateController extends Controller
|
||||
use TransactionFilter;
|
||||
|
||||
private LinkTypeRepositoryInterface $repository;
|
||||
private UserRepositoryInterface $userRepository;
|
||||
|
||||
/**
|
||||
* LinkTypeController constructor.
|
||||
@@ -56,9 +53,8 @@ final class UpdateController extends Controller
|
||||
parent::__construct();
|
||||
$this->middleware(function ($request, $next) {
|
||||
/** @var User $user */
|
||||
$user = auth()->user();
|
||||
$this->repository = app(LinkTypeRepositoryInterface::class);
|
||||
$this->userRepository = app(UserRepositoryInterface::class);
|
||||
$user = auth()->user();
|
||||
$this->repository = app(LinkTypeRepositoryInterface::class);
|
||||
$this->repository->setUser($user);
|
||||
|
||||
return $next($request);
|
||||
@@ -80,15 +76,6 @@ final class UpdateController extends Controller
|
||||
throw new FireflyException('200020: Link type cannot be changed.');
|
||||
}
|
||||
|
||||
/** @var User $admin */
|
||||
$admin = auth()->user();
|
||||
$rules = ['name' => 'required'];
|
||||
|
||||
if (!$this->userRepository->hasRole($admin, 'owner')) {
|
||||
$messages = ['name' => '200005: You need the "owner" role to do this.'];
|
||||
Validator::make([], $rules, $messages)->validate();
|
||||
}
|
||||
|
||||
$data = $request->getAll();
|
||||
$this->repository->update($linkType, $data);
|
||||
$manager = $this->getManager();
|
||||
|
||||
@@ -30,12 +30,10 @@ use FireflyIII\Enums\WebhookDelivery;
|
||||
use FireflyIII\Enums\WebhookResponse;
|
||||
use FireflyIII\Enums\WebhookTrigger;
|
||||
use FireflyIII\Exceptions\FireflyException;
|
||||
use FireflyIII\Repositories\User\UserRepositoryInterface;
|
||||
use FireflyIII\Support\Binder\EitherConfigKey;
|
||||
use FireflyIII\Support\Facades\FireflyConfig;
|
||||
use Illuminate\Http\JsonResponse;
|
||||
use Illuminate\Support\Facades\Log;
|
||||
use Illuminate\Support\Facades\Validator;
|
||||
use Illuminate\Validation\ValidationException;
|
||||
|
||||
/**
|
||||
@@ -43,21 +41,6 @@ use Illuminate\Validation\ValidationException;
|
||||
*/
|
||||
final class ConfigurationController extends Controller
|
||||
{
|
||||
private UserRepositoryInterface $repository;
|
||||
|
||||
/**
|
||||
* ConfigurationController constructor.
|
||||
*/
|
||||
public function __construct()
|
||||
{
|
||||
parent::__construct();
|
||||
$this->middleware(function ($request, $next) {
|
||||
$this->repository = app(UserRepositoryInterface::class);
|
||||
|
||||
return $next($request);
|
||||
});
|
||||
}
|
||||
|
||||
/**
|
||||
* This endpoint is documented at:
|
||||
* https://api-docs.firefly-iii.org/?urls.primaryName=2.0.0%20(v1)#/configuration/getConfiguration
|
||||
@@ -142,11 +125,6 @@ final class ConfigurationController extends Controller
|
||||
*/
|
||||
public function update(UpdateRequest $request, string $name): JsonResponse
|
||||
{
|
||||
$rules = ['value' => 'required'];
|
||||
if (!$this->repository->hasRole(auth()->user(), 'owner')) {
|
||||
$messages = ['value' => '200005: You need the "owner" role to do this.'];
|
||||
Validator::make([], $rules, $messages)->validate();
|
||||
}
|
||||
$data = $request->getAll();
|
||||
$shortName = str_replace('configuration.', '', $name);
|
||||
|
||||
|
||||
@@ -74,13 +74,9 @@ final class UserController extends Controller
|
||||
return response()->json([], 500);
|
||||
}
|
||||
|
||||
if ($this->repository->hasRole($admin, 'owner')) {
|
||||
$this->repository->destroy($user);
|
||||
$this->repository->destroy($user);
|
||||
|
||||
return response()->json([], 204);
|
||||
}
|
||||
|
||||
throw new FireflyException('200025: No access to function.');
|
||||
return response()->json([], 204);
|
||||
}
|
||||
|
||||
/**
|
||||
|
||||
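Review bot: The new side deletes unconditionally — `$this->repository->destroy($user);` followed by `return response()->json([], 204);` replaces the `hasRole($admin, 'owner')` branch and the `200025: No access to function.` exception — so the route group is now the only guard. The users route group is cut off at the bottom of this page (`// Users API routes:`), so I cannot confirm it is registered under `api-admin`; the other checks this commit removes all correspond to visible `api-admin` groups in routes/api.php, please verify this one too. If `$admin` is no longer read after this change, drop it as well. The enclosing method starts outside the hunk.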
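--- /dev/null
+++ b/app/Http/Middleware/IsAdminApi.php
@@ -0,0 +1,66 @@
+<?php
+
+/**
+ * IsAdmin.php
+ * Copyright (c) 2019 james@firefly-iii.org
+ *
+ * This file is part of Firefly III (https://github.com/firefly-iii).
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as
+ * published by the Free Software Foundation, either version 3 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program. If not, see <https://www.gnu.org/licenses/>.
+ */
+declare(strict_types=1);
+
+namespace FireflyIII\Http\Middleware;
+
+use Closure;
+use FireflyIII\Repositories\User\UserRepositoryInterface;
+use FireflyIII\User;
+use Illuminate\Auth\Access\AuthorizationException;
+use Illuminate\Http\Request;
+use Illuminate\Support\Facades\Auth;
+
+/**
+ * Class IsAdmin.
+ */
+class IsAdminApi
+{
+    /**
+     * Handle an incoming request. Must be admin.
+     *
+     * @param null|string $guard
+     *
+     * @return mixed
+     */
+    public function handle(Request $request, Closure $next, $guard = null)
+    {
+        if (Auth::guard($guard)->guest()) {
+            if ($request->ajax()) {
+                return response('Unauthorized.', 401);
+            }
+
+            return response()->redirectTo(route('login'));
+        }
+
+        /** @var User $user */
+        $user = auth()->user();
+
+        /** @var UserRepositoryInterface $repository */
+        $repository = app(UserRepositoryInterface::class);
+        if (!$repository->hasRole($user, 'owner')) {
+            throw new AuthorizationException();
+        }
+
+        return $next($request);
+    }
+}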
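Review bot: The guest branch is copied from the web middleware: `$request->ajax()` only fires when the client sends `X-Requested-With`, so an unauthenticated API call from an ordinary HTTP client falls through to `response()->redirectTo(route('login'))` and gets a 302 to the HTML login page instead of a 401 JSON response — return a JSON 401 unconditionally (or at least test `$request->expectsJson()`), and type the parameter as `?string $guard = null`. The non-owner path throws without any audit trail, whereas the link-type DestroyController hunk this commit deletes used to write `Log::channel('audit')->warning(...)` before refusing; log the refusal here (import `Illuminate\Support\Facades\Log`) so the move does not lose that detection signal. The file docblock still says `IsAdmin.php` and `Class IsAdmin.`; rename both to IsAdminApi.
```php
public function handle(Request $request, Closure $next, ?string $guard = null): mixed
{
    if (Auth::guard($guard)->guest()) {
        // API clients get a JSON 401, never a redirect to the HTML login page.
        return response()->json(['message' => 'Unauthenticated.'], 401);
    }
    // … unchanged: resolve $user and $repository …
    if (!$repository->hasRole($user, 'owner')) {
        Log::channel('audit')->warning('Non-owner user tries to use an owner-only API endpoint.');

        throw new AuthorizationException();
    }
    // … unchanged: return $next($request) …
```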
@@ -29,6 +29,7 @@ use FireflyIII\Http\Middleware\EncryptCookies;
|
||||
use FireflyIII\Http\Middleware\Installer;
|
||||
use FireflyIII\Http\Middleware\InterestingMessage;
|
||||
use FireflyIII\Http\Middleware\IsAdmin;
|
||||
use FireflyIII\Http\Middleware\IsAdminApi;
|
||||
use FireflyIII\Http\Middleware\Range;
|
||||
use FireflyIII\Http\Middleware\RedirectIfAuthenticated;
|
||||
use FireflyIII\Http\Middleware\SecureHeaders;
|
||||
@@ -157,7 +158,7 @@ $app = Application::configure(basePath: dirname(__DIR__))
|
||||
// This middleware is added to ensure that the user is not only logged in and
|
||||
// authenticated (with MFA and everything), but also admin.
|
||||
$middleware->appendToGroup('api-admin', [
|
||||
IsAdmin::class,
|
||||
IsAdminApi::class,
|
||||
]);
|
||||
$middleware->appendToGroup('admin', [
|
||||
IsAdmin::class,
|
||||
|
||||
@@ -5,7 +5,7 @@ This project adheres to [Semantic Versioning](http://semver.org/).
|
||||
|
||||
## v6.5.7 - 2026-03-21
|
||||
|
||||
<!-- summary: There is a new security policy for AI-generated security advisories and of course, interesting and annoying bugs fixed. -->
|
||||
<!-- summary: There is a new security policy for AI-generated security advisories and of course, some interesting but annoying bugs fixed. -->
|
||||
|
||||
### Fixed
|
||||
|
||||
|
||||
@@ -78,8 +78,8 @@ return [
|
||||
'running_balance_column' => (bool)envDefaultWhenEmpty(env('USE_RUNNING_BALANCE'), true), // this is only the default value, is not used.
|
||||
// see cer.php for exchange rates feature flag.
|
||||
],
|
||||
'version' => 'develop/2026-03-20',
|
||||
'build_time' => 1774047487,
|
||||
'version' => '6.5.7',
|
||||
'build_time' => 1774075144,
|
||||
'api_version' => '2.1.0', // field is no longer used.
|
||||
'db_version' => 28, // field is no longer used.
|
||||
|
||||
|
||||
@@ -20,6 +20,14 @@
|
||||
|
||||
export default class GenericObjectRenderer {
|
||||
renderUrl(url, title, text) {
|
||||
return `<a href="${url}" title="${title}">${text}</a>`;
|
||||
return `<a href="${url}" title="${this.escapeHtml(title)}">${this.escapeHtml(text)}</a>`;
|
||||
}
|
||||
escapeHtml(unsafe) {
|
||||
return unsafe
|
||||
.replaceAll("&", "&")
|
||||
.replaceAll("<", "<")
|
||||
.replaceAll(">", ">")
|
||||
.replaceAll('"', """)
|
||||
.replaceAll("'", "'");
|
||||
};
|
||||
}
|
||||
|
||||
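Review bot: `url` is still interpolated raw into `href="${url}"` while only title and text go through escapeHtml, so a double quote inside a URL terminates the attribute; wrap it the same way, `href="${this.escapeHtml(url)}"`. On this rendered page each replaceAll target and replacement print identically (`"&"` → `"&"`), presumably because the forge decoded the entities when rendering; confirm the committed source writes `&amp;`, `&lt;`, `&gt;`, `&quot;` and `&#039;`. escapeHtml throws if `unsafe` is not a string (a number or undefined from a caller), so coerce with `String(unsafe)` before the chain. The `};` closing escapeHtml carries a stray semicolon.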
@@ -655,7 +655,7 @@ Route::group(
|
||||
}
|
||||
);
|
||||
|
||||
// transaction currency API routes that require admin rights:
|
||||
// Transaction currency API routes that require admin rights:
|
||||
Route::group(
|
||||
[
|
||||
'namespace' => 'FireflyIII\Api\V1\Controllers\Models\TransactionCurrency',
|
||||
@@ -664,9 +664,9 @@ Route::group(
|
||||
'middleware' => ['api-admin'],
|
||||
],
|
||||
static function (): void {
|
||||
Route::delete('{currency_code}', ['uses' => 'DestroyController@destroy', 'as' => 'delete']);
|
||||
Route::post('', ['uses' => 'StoreController@store', 'as' => 'store']);
|
||||
Route::put('{currency_code?}', ['uses' => 'UpdateController@update', 'as' => 'update']);
|
||||
Route::delete('{currency_code}', ['uses' => 'DestroyController@destroy', 'as' => 'delete']);
|
||||
}
|
||||
);
|
||||
|
||||
@@ -696,11 +696,23 @@ Route::group(
|
||||
],
|
||||
static function (): void {
|
||||
Route::get('', ['uses' => 'ShowController@index', 'as' => 'index']);
|
||||
Route::post('', ['uses' => 'StoreController@store', 'as' => 'store']);
|
||||
Route::get('{linkType}', ['uses' => 'ShowController@show', 'as' => 'show']);
|
||||
Route::get('{linkType}/transactions', ['uses' => 'ListController@transactions', 'as' => 'transactions']);
|
||||
}
|
||||
);
|
||||
|
||||
// Transaction Link Type API routes that need admin rights.
|
||||
Route::group(
|
||||
[
|
||||
'namespace' => 'FireflyIII\Api\V1\Controllers\Models\TransactionLinkType',
|
||||
'prefix' => 'v1/link-types',
|
||||
'as' => 'api.v1.link-types.',
|
||||
'middleware' => ['api-admin'],
|
||||
],
|
||||
static function (): void {
|
||||
Route::post('', ['uses' => 'StoreController@store', 'as' => 'store']);
|
||||
Route::put('{linkType}', ['uses' => 'UpdateController@update', 'as' => 'update']);
|
||||
Route::delete('{linkType}', ['uses' => 'DestroyController@destroy', 'as' => 'delete']);
|
||||
Route::get('{linkType}/transactions', ['uses' => 'ListController@transactions', 'as' => 'transactions']);
|
||||
}
|
||||
);
|
||||
|
||||
@@ -740,10 +752,23 @@ Route::group(
|
||||
],
|
||||
static function (): void {
|
||||
Route::get('', ['uses' => 'ConfigurationController@index', 'as' => 'index']);
|
||||
Route::put('{dynamicConfigKey}', ['uses' => 'ConfigurationController@update', 'as' => 'update']);
|
||||
Route::get('{eitherConfigKey}', ['uses' => 'ConfigurationController@show', 'as' => 'show']);
|
||||
}
|
||||
);
|
||||
|
||||
// Configuration API routes that need admin rights
|
||||
Route::group(
|
||||
[
|
||||
'namespace' => 'FireflyIII\Api\V1\Controllers\System',
|
||||
'prefix' => 'v1/configuration',
|
||||
'as' => 'api.v1.configuration.',
|
||||
'middleware' => ['api-admin'],
|
||||
],
|
||||
static function (): void {
|
||||
Route::put('{dynamicConfigKey}', ['uses' => 'ConfigurationController@update', 'as' => 'update']);
|
||||
}
|
||||
);
|
||||
|
||||
// Users API routes:
|
||||
Route::group(
|
||||
[
|
||||
|
||||
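Review bot: `Route::get('{linkType}/transactions', ...)` appears both in the non-admin link-types group and in the new `api-admin` group of the third hunk, and on this rendered page I cannot tell which side the first occurrence is on. If it was moved, a read-only listing every authenticated user could call is now owner-only, which looks unintended next to the write routes; if it stayed, two routes share the name `api.v1.link-types.transactions` and the later, admin-guarded registration wins. Either way, drop the copy from the admin group unless the restriction is deliberate. The same question applies to `Route::put('{dynamicConfigKey}', ...)`, which appears in both configuration groups in the last hunk.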