/**
* @param Delete $delete
* @return mixed
* @throws Exception\RuntimeException
* @throws \Directus\Acl\Exception\UnauthorizedTableBigDeleteException
* @throws \Directus\Acl\Exception\UnauthorizedTableDeleteException
*/
protected function executeDelete(Delete $delete)
{
$cuurrentUserId = null;
if (Auth::loggedIn()) {
$currentUser = Auth::getUserInfo();
$currentUserId = intval($currentUser['id']);
}
$deleteState = $delete->getRawState();
$deleteTable = $this->getRawTableNameFromQueryStateTable($deleteState['table']);
$cmsOwnerColumn = $this->acl->getCmsOwnerColumnByTable($deleteTable);
$canBigHardDelete = $this->acl->hasTablePrivilege($deleteTable, 'bigharddelete');
$canHardDelete = $this->acl->hasTablePrivilege($deleteTable, 'harddelete');
$aclErrorPrefix = $this->acl->getErrorMessagePrefix();
// Is this table a junction table?
$deleteTableSchema = TableSchema::getTable($deleteTable);
$isDeleteTableAJunction = array_key_exists('is_junction_table', $deleteTableSchema) ? (bool) $deleteTableSchema['is_junction_table'] : false;
if ($isDeleteTableAJunction || !TableSchema::hasTableColumn($deleteTable, STATUS_COLUMN_NAME)) {
if ($this->acl->hasTablePrivilege($deleteTable, 'bigdelete')) {
$canBigHardDelete = true;
} else {
if ($this->acl->hasTablePrivilege($deleteTable, 'delete')) {
$canHardDelete = true;
}
}
}
// @todo: clean way
if ($deleteTable === 'directus_bookmarks') {
$canBigHardDelete = true;
}
/**
* ACL Enforcement
*/
if (!$canBigHardDelete && !$canHardDelete) {
throw new UnauthorizedTableBigDeleteException($aclErrorPrefix . "BigHardDelete/HardDelete access forbidden on table `{$deleteTable}`.");
}
if (false === $cmsOwnerColumn) {
// cannot delete if there's no magic owner column and can't big delete
if (!$canBigHardDelete) {
// All deletes are "big" deletes if there is no magic owner column.
throw new UnauthorizedTableBigDeleteException($aclErrorPrefix . "The table `{$deleteTable}` is missing the `user_create_column` within `directus_tables` (BigHardDelete Permission Forbidden)");
}
} else {
if (!$canBigHardDelete) {
// Who are the owners of these rows?
list($predicateResultQty, $predicateOwnerIds) = $this->acl->getCmsOwnerIdsByTableGatewayAndPredicate($this, $deleteState['where']);
if (in_array($currentUserId, $predicateOwnerIds)) {
$exceptionMessage = "Table harddelete access forbidden on {$predicateResultQty} `{$deleteTable}` table records owned by the authenticated CMS user (#{$currentUserId}).";
$aclErrorPrefix = $this->acl->getErrorMessagePrefix();
throw new UnauthorizedTableDeleteException($aclErrorPrefix . $exceptionMessage);
}
}
}
try {
return parent::executeDelete($delete);
} catch (\Zend\Db\Adapter\Exception\InvalidQueryException $e) {
if ('production' !== DIRECTUS_ENV) {
throw new \RuntimeException("This query failed: " . $this->dumpSql($delete), 0, $e);
}
// @todo send developer warning
throw $e;
}
}
/**
* @param Delete $delete
* @return mixed
* @throws Exception\RuntimeException
* @throws \Directus\Acl\Exception\UnauthorizedTableBigDeleteException
* @throws \Directus\Acl\Exception\UnauthorizedTableDeleteException
*/
protected function executeDelete(Delete $delete)
{
$cuurrentUserId = null;
if (Auth::loggedIn()) {
$currentUser = Auth::getUserInfo();
$currentUserId = intval($currentUser['id']);
}
$deleteState = $delete->getRawState();
$deleteTable = $this->getRawTableNameFromQueryStateTable($deleteState['table']);
$cmsOwnerColumn = $this->acl->getCmsOwnerColumnByTable($deleteTable);
$canBigDelete = $this->acl->hasTablePrivilege($deleteTable, 'bigdelete');
$canDelete = $this->acl->hasTablePrivilege($deleteTable, 'delete');
$aclErrorPrefix = $this->acl->getErrorMessagePrefix();
if (!TableSchema::hasTableColumn($deleteTable, STATUS_COLUMN_NAME)) {
if ($this->acl->hasTablePrivilege($deleteTable, 'bigdelete')) {
$canBigDelete = true;
} else {
if ($this->acl->hasTablePrivilege($deleteTable, 'delete')) {
$canDelete = true;
}
}
}
// @todo: clean way
if ($deleteTable === 'directus_bookmarks') {
$canBigDelete = true;
}
/**
* ACL Enforcement
*/
if (!$canBigDelete && !$canDelete) {
throw new UnauthorizedTableBigDeleteException($aclErrorPrefix . ' forbidden to hard delete on table `' . $deleteTable . '` because it has Status Column.');
}
if (false === $cmsOwnerColumn) {
// cannot delete if there's no magic owner column and can't big delete
if (!$canBigDelete) {
// All deletes are "big" deletes if there is no magic owner column.
throw new UnauthorizedTableBigDeleteException($aclErrorPrefix . 'The table `' . $deleteTable . '` is missing the `user_create_column` within `directus_tables` (BigHardDelete Permission Forbidden)');
}
} else {
if (!$canBigDelete) {
// Who are the owners of these rows?
list($predicateResultQty, $predicateOwnerIds) = $this->acl->getCmsOwnerIdsByTableGatewayAndPredicate($this, $deleteState['where']);
if (!in_array($currentUserId, $predicateOwnerIds)) {
// $exceptionMessage = "Table harddelete access forbidden on $predicateResultQty `$deleteTable` table records owned by the authenticated CMS user (#$currentUserId).";
$groupsTableGateway = self::makeTableGatewayFromTableName($this->acl, 'directus_groups', $this->adapter);
$group = $groupsTableGateway->find($this->acl->getGroupId());
$exceptionMessage = '[' . $group['name'] . '] permissions only allow you to [delete] your own items.';
// $aclErrorPrefix = $this->acl->getErrorMessagePrefix();
throw new UnauthorizedTableDeleteException($exceptionMessage);
}
}
}
try {
$this->emitter->run('table.delete:before', [$deleteTable]);
$this->emitter->run('table.delete.' . $deleteTable . ':before');
$result = parent::executeDelete($delete);
$this->emitter->run('table.delete', [$deleteTable]);
$this->emitter->run('table.delete:after', [$deleteTable]);
$this->emitter->run('table.delete.' . $deleteTable);
$this->emitter->run('table.delete.' . $deleteTable . ':after');
return $result;
} catch (\Zend\Db\Adapter\Exception\InvalidQueryException $e) {
if ('production' !== DIRECTUS_ENV) {
throw new \RuntimeException('This query failed: ' . $this->dumpSql($delete), 0, $e);
}
// @todo send developer warning
throw $e;
}
}
