bug #7555 Add authorization checks to the renderFilters() action (javiereguiluz)

This PR was merged into the 4.x branch.

Discussion
----------

Add authorization checks to the renderFilters() action

Similar to #7548 and the fix is the same.

Commits
-------

be7b6c4 Add authorization checks to the renderFilters() action

Author: javiereguiluz

src/Controller/AbstractCrudController.php

@@ -556,6 +556,12 @@ public function createIndexQueryBuilder(SearchDto $searchDto, EntityDto $entityD
 
     public function renderFilters(AdminContext $context): KeyValueStore
     {
+        // not a typo; the filter form is a sub-component of the INDEX page,
+        // so we reuse the INDEX action for permission checks here
+        if (!$this->isGranted(Permission::EA_EXECUTE_ACTION, ['action' => Action::INDEX, 'entity' => null, 'entityFqcn' => $context->getEntity()->getFqcn()])) {
+            throw new ForbiddenActionException($context);
+        }
+
         $fields = new FieldCollection($this->configureFields(Crud::PAGE_INDEX));
         $this->container->get(FieldFactory::class)->processFields($context->getEntity(), $fields, Crud::PAGE_INDEX);
         $filters = $this->container->get(FilterFactory::class)->create($context->getCrud()->getFiltersConfig(), $context->getEntity()->getFields(), $context->getEntity());

tests/Functional/Security/RolePermissionTest.php

@@ -170,4 +170,40 @@ public static function provideRolesForAutocompleteAction(): \Generator
         yield 'admin role can access autocomplete with INDEX permission' => ['admin', Response::HTTP_OK];
         yield 'super_admin role can access autocomplete with INDEX permission' => ['super_admin', Response::HTTP_OK];
     }
+
+    /**
+     * @dataProvider provideRolesForRenderFiltersAction
+     */
+    public function testRenderFiltersActionPermission(string $username, int $expectedStatusCode): void
+    {
+        if (Response::HTTP_FORBIDDEN === $expectedStatusCode) {
+            $this->expectException(ForbiddenActionException::class);
+            $this->client->catchExceptions(false);
+        }
+
+        $renderFiltersUrl = $this->getCrudUrl(
+            'renderFilters',
+            null,
+            [],
+            SecuredDashboardController::class,
+            ProtectedCategoryCrudController::class,
+        );
+
+        $this->client->request(
+            'GET',
+            $renderFiltersUrl,
+            [],
+            [],
+            ['PHP_AUTH_USER' => $username, 'PHP_AUTH_PW' => '1234']
+        );
+
+        static::assertResponseStatusCodeSame($expectedStatusCode);
+    }
+
+    public static function provideRolesForRenderFiltersAction(): \Generator
+    {
+        yield 'user role cannot access renderFilters without INDEX permission' => ['user', Response::HTTP_FORBIDDEN];
+        yield 'admin role can access renderFilters with INDEX permission' => ['admin', Response::HTTP_OK];
+        yield 'super_admin role can access renderFilters with INDEX permission' => ['super_admin', Response::HTTP_OK];
+    }
 }