Check permissions in API and Fiber

Co-authored-by: Ahmet Bora <[email protected]>

Author: lukasbestle

config/api/routes/languages.php

@@ -8,35 +8,35 @@
 		'pattern' => 'languages',
 		'method'  => 'GET',
 		'action'  => function () {
-			return $this->kirby()->languages();
+			return $this->languages();
 		}
 	],
 	[
 		'pattern' => 'languages',
 		'method'  => 'POST',
 		'action'  => function () {
-			return $this->kirby()->languages()->create($this->requestBody());
+			return $this->languages()->create($this->requestBody());
 		}
 	],
 	[
 		'pattern' => 'languages/(:any)',
 		'method'  => 'GET',
 		'action'  => function (string $code) {
-			return $this->kirby()->languages()->find($code);
+			return $this->languages()->find($code);
 		}
 	],
 	[
 		'pattern' => 'languages/(:any)',
 		'method'  => 'PATCH',
 		'action'  => function (string $code) {
-			return $this->kirby()->languages()->find($code)?->update($this->requestBody());
+			return $this->languages()->find($code)?->update($this->requestBody());
 		}
 	],
 	[
 		'pattern' => 'languages/(:any)',
 		'method'  => 'DELETE',
 		'action'  => function (string $code) {
-			return $this->kirby()->languages()->find($code)?->delete();
+			return $this->languages()->find($code)?->delete();
 		}
 	]
 ];

src/Cms/Api.php

@@ -138,6 +138,14 @@ public function language(): string|null
 			$this->requestHeaders('x-language');
 	}
 
+	/**
+	 * Returns the languages collection
+	 */
+	public function languages(): Languages
+	{
+		return $this->kirby()->languages()->filter('isAccessible', true);
+	}
+
 	/**
 	 * Returns the page object for the given id
 	 *
@@ -225,9 +233,15 @@ public function session(array $options = []): Session
 	/**
 	 * Returns the site object
 	 */
-	public function site(): Site
+	public function site(): Site|null
 	{
-		return $this->kirby->site();
+		$site = $this->kirby->site();
+
+		if ($site->isAccessible() === true) {
+			return $site;
+		}
+
+		return null;
 	}
 
 	/**
@@ -255,6 +269,6 @@ public function user(string|null $id = null): User|null
 	 */
 	public function users(): Users
 	{
-		return $this->kirby->users();
+		return $this->kirby->users()->filter('isAccessible', true);
 	}
 }

src/Cms/Find.php

@@ -52,7 +52,9 @@ public static function file(
 	 */
 	public static function language(string $code): Language|null
 	{
-		if ($language = App::instance()->language($code)) {
+		$language = App::instance()->language($code);
+
+		if ($language?->isAccessible() === true) {
 			return $language;
 		}
 
@@ -158,13 +160,23 @@ public static function user(string|null $id = null): User|null
 				$kirby->option('api.allowImpersonation', false)
 			);
 
-			return $user ?? throw new NotFoundException(
+			if ($user?->isAccessible() === true) {
+				return $user;
+			}
+
+			throw new NotFoundException(
 				key: 'user.undefined'
 			);
 		}
 
 		// get a specific user by id
-		return $kirby->user($id) ?? throw new NotFoundException(
+		$user = $kirby->user($id);
+
+		if ($user?->isAccessible() === true) {
+			return $user;
+		}
+
+		throw new NotFoundException(
 			key: 'user.notFound',
 			data: ['name' => $id]
 		);

tests/Cms/Api/ApiTest.php

@@ -436,6 +436,36 @@ public function testUsers()
 		$this->assertSame($this->app->users(), $this->api->users());
 	}
 
+	public function testUsersWithoutPermissions()
+	{
+		$app = $this->app->clone([
+			'users' => [
+				['email' => '[email protected]']
+			]
+		]);
+		$app->impersonate('[email protected]');
+
+		$this->assertNotSame($app->users(), $app->api()->users());
+	}
+
+	public function testUsersWithoutPermissionsDebugEnabled()
+	{
+		$app = $this->app->clone([
+			'options' => [
+				'debug' => true
+			],
+			'users'   => [
+				['email' => '[email protected]']
+			]
+		]);
+		$app->impersonate('[email protected]');
+
+		$this->expectException(AuthException::class);
+		$this->expectExceptionMessage('You are not allowed to access the users');
+
+		$app->api()->users();
+	}
+
 	public function testFileGetRoute()
 	{
 		// regular