Secure the twig renderer template loader

Tim
2025-05-11 00:37:50 +02:00
parent 6adc8c4a69
commit e3549f722a
2 changed files with 12 additions and 1 deletions


@ -4,7 +4,9 @@ namespace App\Service\SnipParser\Twig;
use App\Entity\Snip;
use App\Repository\SnipRepository;
use App\Security\Voter\SnipVoter;
use App\Service\SnipContent\SnipContentService;
use Symfony\Bundle\SecurityBundle\Security;
use Twig\Error\LoaderError;
use Twig\Loader\LoaderInterface;
use Twig\Source;
@ -14,6 +16,7 @@ class SnipLoader implements LoaderInterface
public function __construct(
private readonly SnipRepository $repository,
private readonly SnipContentService $contentService,
private readonly Security $security,
) {}
public function getSourceContext(string $name): Source
@ -50,6 +53,9 @@ class SnipLoader implements LoaderInterface
if (!$snip) {
throw new LoaderError(\sprintf('Template "%s" is not defined.', $key));
}
if (!$this->security->isGranted(SnipVoter::VIEW, $snip)) {
throw new LoaderError(\sprintf('You do not have permission to view the template "%s".', $key));
}
return $snip;
}
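Review bot: The new permission branch in the last hunk reports a different message than the not-found branch just above it, so anyone who can reference snips by name from a template can tell an existing-but-forbidden snip from a missing one. If LoaderError text can reach the author of the including snip, consider reusing the not-found wording, `throw new LoaderError(\sprintf('Template "%s" is not defined.', $key));`, and recording the denial in a server-side log instead. The enclosing lookup method starts outside the hunk, so it is not visible whether `exists()`, `getCacheKey()` and `isFresh()` also pass through it; if they do not, `exists()` could still reveal the snip, and a previously compiled template might be served from Twig's cache without this check running. A test that renders an include of a snip the current user may not view, with the template cache already warm, would confirm the check is enforced on every path.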