mirror of
https://github.com/ZoneMinder/zoneminder.git
synced 2026-03-25 09:11:53 -04:00
fea1c850ac
- Revert accidental Users.RoleId FK change from CASCADE back to SET NULL
- Remove System != 'None' gate in beforeFilter; any authenticated user
can manage their own notifications, per-row ownership checks suffice
- Add allowMethod('post', 'put') guard to edit() for consistent REST behavior
- Change PushState validation from allowEmpty to required=false
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
184 lines
5.5 KiB
PHP
184 lines
5.5 KiB
PHP
<?php
|
|
App::uses('AppController', 'Controller');
|
|
|
|
class NotificationsController extends AppController {
|
|
|
|
public $components = array('RequestHandler');
|
|
|
|
private function _isAdmin() {
|
|
global $user;
|
|
return (!$user) || ($user->System() == 'Edit');
|
|
}
|
|
|
|
private function _userId() {
|
|
global $user;
|
|
return $user ? $user->Id() : null;
|
|
}
|
|
|
|
public function beforeFilter() {
|
|
parent::beforeFilter();
|
|
// Any authenticated user can manage their own notifications.
|
|
// Per-row ownership checks are enforced in each action.
|
|
// When auth is disabled ($user is null), allow all access.
|
|
}
|
|
|
|
public function index() {
|
|
$conditions = array();
|
|
if (!$this->_isAdmin()) {
|
|
$conditions['Notification.UserId'] = $this->_userId();
|
|
}
|
|
$notifications = $this->Notification->find('all', array(
|
|
'conditions' => $conditions,
|
|
'recursive' => -1,
|
|
));
|
|
$this->set(array(
|
|
'notifications' => $notifications,
|
|
'_serialize' => array('notifications'),
|
|
));
|
|
}
|
|
|
|
public function view($id = null) {
|
|
$this->Notification->id = $id;
|
|
if (!$this->Notification->exists()) {
|
|
throw new NotFoundException(__('Invalid notification'));
|
|
}
|
|
$notification = $this->Notification->find('first', array(
|
|
'conditions' => array('Notification.Id' => $id),
|
|
'recursive' => -1,
|
|
));
|
|
if (!$this->_isAdmin() && $notification['Notification']['UserId'] != $this->_userId()) {
|
|
throw new UnauthorizedException(__('Insufficient Privileges'));
|
|
}
|
|
$this->set(array(
|
|
'notification' => $notification,
|
|
'_serialize' => array('notification'),
|
|
));
|
|
}
|
|
|
|
public function add() {
|
|
if (!$this->request->is('post')) {
|
|
throw new BadRequestException(__('POST required'));
|
|
}
|
|
|
|
$data = $this->request->data;
|
|
if (isset($data['Notification'])) {
|
|
$data = $data['Notification'];
|
|
}
|
|
|
|
if (!$this->_isAdmin() || !isset($data['UserId'])) {
|
|
$data['UserId'] = $this->_userId();
|
|
}
|
|
|
|
if (!isset($data['CreatedOn'])) {
|
|
$data['CreatedOn'] = date('Y-m-d H:i:s');
|
|
}
|
|
|
|
if (isset($data['Token'])) {
|
|
$existing = $this->Notification->find('first', array(
|
|
'conditions' => array('Notification.Token' => $data['Token']),
|
|
'recursive' => -1,
|
|
));
|
|
if ($existing) {
|
|
if (!$this->_isAdmin() && $existing['Notification']['UserId'] != $this->_userId()) {
|
|
throw new UnauthorizedException(__('Token belongs to another user'));
|
|
}
|
|
$this->Notification->id = $existing['Notification']['Id'];
|
|
unset($data['CreatedOn']);
|
|
} else {
|
|
$this->Notification->create();
|
|
}
|
|
} else {
|
|
$this->Notification->create();
|
|
}
|
|
|
|
if ($this->Notification->save(array('Notification' => $data))) {
|
|
$notification = $this->Notification->find('first', array(
|
|
'conditions' => array('Notification.Id' => $this->Notification->id),
|
|
'recursive' => -1,
|
|
));
|
|
$this->set(array(
|
|
'notification' => $notification,
|
|
'_serialize' => array('notification'),
|
|
));
|
|
} else {
|
|
$this->response->statusCode(400);
|
|
$this->set(array(
|
|
'message' => __('Could not save notification'),
|
|
'errors' => $this->Notification->validationErrors,
|
|
'_serialize' => array('message', 'errors'),
|
|
));
|
|
}
|
|
}
|
|
|
|
public function edit($id = null) {
|
|
$this->Notification->id = $id;
|
|
if (!$this->Notification->exists()) {
|
|
throw new NotFoundException(__('Invalid notification'));
|
|
}
|
|
$this->request->allowMethod('post', 'put');
|
|
|
|
$existing = $this->Notification->find('first', array(
|
|
'conditions' => array('Notification.Id' => $id),
|
|
'recursive' => -1,
|
|
));
|
|
if (!$this->_isAdmin() && $existing['Notification']['UserId'] != $this->_userId()) {
|
|
throw new UnauthorizedException(__('Insufficient Privileges'));
|
|
}
|
|
|
|
$data = $this->request->data;
|
|
if (isset($data['Notification'])) {
|
|
$data = $data['Notification'];
|
|
}
|
|
if (!$this->_isAdmin()) {
|
|
unset($data['UserId']);
|
|
}
|
|
if ($this->Notification->save(array('Notification' => $data))) {
|
|
$notification = $this->Notification->find('first', array(
|
|
'conditions' => array('Notification.Id' => $id),
|
|
'recursive' => -1,
|
|
));
|
|
$this->set(array(
|
|
'notification' => $notification,
|
|
'_serialize' => array('notification'),
|
|
));
|
|
} else {
|
|
$this->response->statusCode(400);
|
|
$this->set(array(
|
|
'message' => __('Could not save notification'),
|
|
'errors' => $this->Notification->validationErrors,
|
|
'_serialize' => array('message', 'errors'),
|
|
));
|
|
}
|
|
}
|
|
|
|
public function delete($id = null) {
|
|
$this->Notification->id = $id;
|
|
if (!$this->Notification->exists()) {
|
|
throw new NotFoundException(__('Invalid notification'));
|
|
}
|
|
$this->request->allowMethod('post', 'delete');
|
|
|
|
$existing = $this->Notification->find('first', array(
|
|
'conditions' => array('Notification.Id' => $id),
|
|
'recursive' => -1,
|
|
));
|
|
if (!$this->_isAdmin() && $existing['Notification']['UserId'] != $this->_userId()) {
|
|
throw new UnauthorizedException(__('Insufficient Privileges'));
|
|
}
|
|
|
|
if ($this->Notification->delete()) {
|
|
$this->set(array(
|
|
'message' => __('Notification deleted'),
|
|
'_serialize' => array('message'),
|
|
));
|
|
} else {
|
|
$this->response->statusCode(400);
|
|
$this->set(array(
|
|
'message' => __('Could not delete notification'),
|
|
'_serialize' => array('message'),
|
|
));
|
|
}
|
|
}
|
|
|
|
}
|