From 8fc781dc69a994ea8c208a8383284560edd1846a Mon Sep 17 00:00:00 2001 From: Sebastian Marcet Date: Mon, 8 Oct 2018 13:57:35 -0300 Subject: [PATCH] Fixed CFP endpoints * fixed delete presentation * fixed scopes issues Change-Id: I141f144de11d459c1743e90bdd628c8900b6afe9 --- Libs/ModelSerializers/AbstractSerializer.php | 17 ++++++++++---- Libs/ModelSerializers/IModelSerializer.php | 1 + .../Summit/OAuth2SummitApiController.php | 8 ++++++- .../Exceptions/HTTP403ForbiddenException.php | 23 +++++++++++++++++++ app/Http/routes.php | 6 ++--- app/ModelSerializers/SerializerRegistry.php | 15 ++++++++---- .../SilverStripeSerializer.php | 1 - .../Summit/SummitSerializer.php | 15 ++++++++++-- app/ModelSerializers/TagSerializer.php | 5 ++-- .../Events/Presentations/Presentation.php | 2 +- app/Services/Model/PresentationService.php | 2 +- tests/OAuth2SummitApiTest.php | 6 ++--- 12 files changed, 77 insertions(+), 24 deletions(-) create mode 100644 app/Http/Exceptions/HTTP403ForbiddenException.php diff --git a/Libs/ModelSerializers/AbstractSerializer.php b/Libs/ModelSerializers/AbstractSerializer.php index 1cf1db7f..872cecfb 100644 --- a/Libs/ModelSerializers/AbstractSerializer.php +++ b/Libs/ModelSerializers/AbstractSerializer.php @@ -14,6 +14,7 @@ **/ use libs\utils\JsonUtils; +use models\oauth2\IResourceServerContext; use models\utils\IEntity; /** @@ -27,13 +28,19 @@ abstract class AbstractSerializer implements IModelSerializer */ protected $object; + /** + * @var IResourceServerContext + */ + protected $resource_server_context; + /** * AbstractSerializer constructor. * @param $object + * @param IResourceServerContext $resource_server_context */ - public function __construct($object){ + public function __construct($object, IResourceServerContext $resource_server_context){ $this->object = $object; - + $this->resource_server_context = $resource_server_context; } protected static $array_mappings = []; 
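Review bot: The new signature `public function __construct($object, IResourceServerContext $resource_server_context)` makes the second argument mandatory for every serializer in the hierarchy, so a subclass that overrides the constructor, or any remaining call site that still does `new SomeSerializer($object)`, now fails with a missing-argument error at runtime; only SerializerRegistry::getSerializer is updated in this patch, so other construction sites are worth a grep. The docblock keeps `@param $object` without a type even though the class is the root of the hierarchy; a line such as `@param IEntity|mixed $object the entity being serialized` would document what subclasses may assume (IEntity is already imported in this file).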
@@ -52,7 +59,7 @@ abstract class AbstractSerializer implements IModelSerializer foreach($hierarchy as $class_name){ if($class_name === 'Libs\ModelSerializers\AbstractSerializer') continue; - $class = new $class_name($this->object); + $class = new $class_name($this->object, $this->resource_server_context); $mappings = array_merge($mappings, $class->getSelfAllowedFields()); } $mappings = array_merge($mappings, $this->getSelfAllowedFields()); @@ -73,7 +80,7 @@ abstract class AbstractSerializer implements IModelSerializer foreach($hierarchy as $class_name){ if($class_name === 'Libs\ModelSerializers\AbstractSerializer') continue; - $class = new $class_name($this->object); + $class = new $class_name($this->object, $this->resource_server_context); $mappings = array_merge($mappings, $class->getSelfAllowedRelations()); } $mappings = array_merge($mappings, $this->getSelfAllowedRelations()); @@ -94,7 +101,7 @@ abstract class AbstractSerializer implements IModelSerializer foreach($hierarchy as $class_name){ if($class_name === 'Libs\ModelSerializers\AbstractSerializer') continue; - $class = new $class_name($this->object); + $class = new $class_name($this->object, $this->resource_server_context); $mappings = array_merge($mappings, $class->getSelfMappings()); } $mappings = array_merge($mappings, $this->getSelfMappings()); diff --git a/Libs/ModelSerializers/IModelSerializer.php b/Libs/ModelSerializers/IModelSerializer.php index dcc7f461..6954198f 100644 --- a/Libs/ModelSerializers/IModelSerializer.php +++ b/Libs/ModelSerializers/IModelSerializer.php @@ -20,6 +20,7 @@ interface IModelSerializer * @param array $relations * @param array $params * @return array + * @throw HTTP403ForbiddenException */ public function serialize($expand = null, array $fields = array(), array $relations = array(), array $params = array() ); } \ No newline at end of file 
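Review bot: The same instantiation `$class = new $class_name($this->object, $this->resource_server_context);` is now repeated in the three hierarchy-walking loops (the @@ -52, @@ -73 and @@ -94 hunks), and each loop constructs every ancestor serializer only to read its static mappings. A private helper such as `private function newAncestor($class_name) { return new $class_name($this->object, $this->resource_server_context); }` would keep the constructor signature in one place, so the next change to it does not have to touch three loops. The enclosing methods start and end outside the hunks.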
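Review bot: The added tag `@throw HTTP403ForbiddenException` uses the wrong tag name; PHPDoc and static analysers only recognise `@throws`. The hunk adds no `use` for the class, so in this file the short name presumably resolves relative to the interface's own namespace rather than to `App\Http\Exceptions`; writing `@throws \App\Http\Exceptions\HTTP403ForbiddenException` avoids the unresolved reference. It is also worth noting in the docblock that a library-level interface now documents an application-level exception, since callers of serialize() in any controller must be prepared to handle it.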
diff --git a/app/Http/Controllers/Apis/Protected/Summit/OAuth2SummitApiController.php b/app/Http/Controllers/Apis/Protected/Summit/OAuth2SummitApiController.php index 6ea521aa..945b80c5 100644 --- a/app/Http/Controllers/Apis/Protected/Summit/OAuth2SummitApiController.php +++ b/app/Http/Controllers/Apis/Protected/Summit/OAuth2SummitApiController.php @@ -11,6 +11,7 @@ * See the License for the specific language governing permissions and * limitations under the License. **/ +use App\Http\Exceptions\HTTP403ForbiddenException; use Exception; use Illuminate\Support\Facades\Input; use Illuminate\Support\Facades\Log; @@ -175,7 +176,12 @@ final class OAuth2SummitApiController extends OAuth2ProtectedController if (is_null($summit)) return $this->error404(); $serializer_type = $this->serializer_type_selector->getSerializerType(); return $this->ok(SerializerRegistry::getInstance()->getSerializer($summit, $serializer_type)->serialize($expand)); - } catch (Exception $ex) { + } + catch(HTTP403ForbiddenException $ex1){ + Log::warning($ex1); + return $this->error403(); + } + catch (Exception $ex) { Log::error($ex); return $this->error500($ex); } diff --git a/app/Http/Exceptions/HTTP403ForbiddenException.php b/app/Http/Exceptions/HTTP403ForbiddenException.php new file mode 100644 index 00000000..bc3c0a11 --- /dev/null +++ b/app/Http/Exceptions/HTTP403ForbiddenException.php @@ -0,0 +1,23 @@ + 'track-tag-groups'], function(){ - Route::get('', [ 'middleware' => 'auth.user:administrators|summit-front-end-administrators', - 'uses' => 'OAuth2SummitTrackTagGroupsApiController@getTrackTagGroupsBySummit']); + Route::get('', ['uses' => 'OAuth2SummitTrackTagGroupsApiController@getTrackTagGroupsBySummit']); Route::post('', [ 'middleware' => 'auth.user:administrators|summit-front-end-administrators', 'uses' => 'OAuth2SummitTrackTagGroupsApiController@addTrackTagGroup']); 
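Review bot: The new `catch(HTTP403ForbiddenException $ex1)` branch handles the 403 only in getSummit, while IModelSerializer::serialize now documents that any serializer may throw it; other actions that call `->serialize($expand)` with a caller-supplied expand and use the same `catch (Exception $ex)` fallback would answer 500 and log an error instead of 403, if they exist (not visible in this hunk). Handling the exception once in the application's exception handler, or adding this branch to every action that serializes a summit, keeps the response consistent. Minor style point: `catch(HTTP403ForbiddenException $ex1){` is spaced differently from `catch (Exception $ex) {` on the next branch.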
@@ -692,7 +691,8 @@ Route::group([ Route::group(['prefix' => 'summits'], function () { Route::group(['prefix' => '{id}'], function () { - Route::get('', [ 'middleware' => 'auth.user:administrators|summit-front-end-administrators|summit-room-administrators', 'uses' => 'OAuth2SummitApiController@getSummit'])->where('id', 'current|[0-9]+'); + + Route::get('', ['uses' => 'OAuth2SummitApiController@getSummit'])->where('id', 'current|[0-9]+'); // events Route::group(['prefix' => 'events'], function () { diff --git a/app/ModelSerializers/SerializerRegistry.php b/app/ModelSerializers/SerializerRegistry.php index 0898c813..a810c5fb 100644 --- a/app/ModelSerializers/SerializerRegistry.php +++ b/app/ModelSerializers/SerializerRegistry.php @@ -55,6 +55,7 @@ use App\ModelSerializers\Summit\SummitLocationBannerSerializer; use App\ModelSerializers\Summit\TrackTagGroups\TrackTagGroupAllowedTagSerializer; use App\ModelSerializers\Summit\TrackTagGroups\TrackTagGroupSerializer; use Libs\ModelSerializers\IModelSerializer; +use models\oauth2\IResourceServerContext; use ModelSerializers\ChatTeams\ChatTeamInvitationSerializer; use ModelSerializers\ChatTeams\ChatTeamMemberSerializer; use ModelSerializers\ChatTeams\ChatTeamPushNotificationMessageSerializer; @@ -67,6 +68,7 @@ use ModelSerializers\Locations\SummitVenueFloorSerializer; use ModelSerializers\Locations\SummitVenueRoomSerializer; use ModelSerializers\Locations\SummitVenueSerializer; use App\ModelSerializers\Marketplace\ApplianceSerializer; +use Illuminate\Support\Facades\App; /** * Class SerializerRegistry * @package ModelSerializers @@ -78,6 +80,11 @@ final class SerializerRegistry */ private static $instance; + /** + * @var IResourceServerContext + */ + private $resource_server_context; + const SerializerType_Public = 'PUBLIC'; const SerializerType_Private = 'PRIVATE'; 
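Review bot: `Route::get('', ['uses' => 'OAuth2SummitApiController@getSummit'])` drops the `auth.user:administrators|summit-front-end-administrators|summit-room-administrators` middleware, so any caller whose token passes the enclosing group's OAuth2 middleware can now request any summit id; the same removal is made for the `track-tag-groups` GET in the earlier routes hunk. The only compensating control visible in this patch is the scope check added in SummitSerializer, and it runs only when `expand` includes `schedule`; unless getSummit or the serializer guards non-public summits elsewhere (not visible here), the base fields of a summit where `isAvailableOnApi()` is false are returned to any authenticated caller. At minimum a route comment such as `// access to non-public summits is enforced by scope inside SummitSerializer::serialize` should record where the check now lives; keeping a scope-based middleware on the route would make the policy visible at the boundary.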
@@ -94,11 +101,12 @@ final class SerializerRegistry return self::$instance; } - private $registry = array(); + private $registry = []; private function __construct() { - $this->registry['Summit'] = + $this->resource_server_context = App::make(IResourceServerContext::class); + $this->registry['Summit'] = [ self::SerializerType_Public => SummitSerializer::class, self::SerializerType_Private => AdminSummitSerializer::class @@ -267,7 +275,6 @@ final class SerializerRegistry $serializer_class = $serializer_class[$type]; } - - return new $serializer_class($object); + return new $serializer_class($object, $this->resource_server_context); } } \ No newline at end of file diff --git a/app/ModelSerializers/SilverStripeSerializer.php b/app/ModelSerializers/SilverStripeSerializer.php index dec46830..2f390e37 100644 --- a/app/ModelSerializers/SilverStripeSerializer.php +++ b/app/ModelSerializers/SilverStripeSerializer.php @@ -19,7 +19,6 @@ use Libs\ModelSerializers\AbstractSerializer; class SilverStripeSerializer extends AbstractSerializer { protected static $array_mappings = [ - 'Id' => 'id:json_int', 'CreatedUTC' => 'created:datetime_epoch', 'LastEditedUTC' => 'last_edited:datetime_epoch', diff --git a/app/ModelSerializers/Summit/SummitSerializer.php b/app/ModelSerializers/Summit/SummitSerializer.php index 6f97772e..5a354ef5 100644 --- a/app/ModelSerializers/Summit/SummitSerializer.php +++ b/app/ModelSerializers/Summit/SummitSerializer.php @@ -12,6 +12,8 @@ * See the License for the specific language governing permissions and * limitations under the License. **/ +use App\Http\Exceptions\HTTP403ForbiddenException; +use App\Security\SummitScopes; use Illuminate\Support\Facades\Config; use models\summit\Summit; use DateTime; @@ -22,7 +24,6 @@ use DateTime; class SummitSerializer extends SilverStripeSerializer { protected static $array_mappings = [ - 'Name' => 'name:json_string', 'BeginDate' => 'start_date:datetime_epoch', 'EndDate' => 'end_date:datetime_epoch', 
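Review bot: `$this->resource_server_context = App::make(IResourceServerContext::class);` resolves the context once inside the private constructor of a static singleton, so every serializer produced by getSerializer shares whatever instance was bound when `self::$instance` was first created. If IResourceServerContext carries per-request state and the process is long-lived (queue workers, test suites that reuse the container), the scopes later read by SummitSerializer may belong to an earlier request; resolving it inside getSerializer, or passing it in from the caller, avoids that. Service-locating in the constructor also means the registry cannot be instantiated in a test without a booted container.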
@@ -53,7 +54,6 @@ class SummitSerializer extends SilverStripeSerializer ]; protected static $allowed_relations = [ - 'ticket_types', 'locations', 'wifi_connections', @@ -66,6 +66,7 @@ class SummitSerializer extends SilverStripeSerializer * @param array $relations * @param array $params * @return array + * @throws HTTP403ForbiddenException */ public function serialize($expand = null, array $fields = [], array $relations = [], array $params = []) { @@ -187,6 +188,16 @@ class SummitSerializer extends SilverStripeSerializer } break; case 'schedule': { + // only could get schedule expanded if summit its available to public or + // we had proper scopes + if(!$summit->isAvailableOnApi()) { + $scopes = $this->resource_server_context->getCurrentScope(); + $current_realm = Config::get('app.url'); + $needed_scope = sprintf(SummitScopes::ReadAllSummitData, $current_realm); + if (!in_array($needed_scope, $scopes)) + throw new HTTP403ForbiddenException; + } + $event_types = []; foreach ($summit->getEventTypes() as $event_type) { $event_types[] = SerializerRegistry::getInstance()->getSerializer($event_type)->serialize(); diff --git a/app/ModelSerializers/TagSerializer.php b/app/ModelSerializers/TagSerializer.php index 55376c33..3b0f9b45 100644 --- a/app/ModelSerializers/TagSerializer.php +++ b/app/ModelSerializers/TagSerializer.php @@ -18,8 +18,7 @@ */ final class TagSerializer extends SilverStripeSerializer { - protected static $array_mappings = array - ( + protected static $array_mappings = [ 'Tag' => 'tag:json_string', - ); + ]; } \ No newline at end of file diff --git a/app/Models/Foundation/Summit/Events/Presentations/Presentation.php b/app/Models/Foundation/Summit/Events/Presentations/Presentation.php index 1c0b7ff8..01e8dba6 100644 --- a/app/Models/Foundation/Summit/Events/Presentations/Presentation.php +++ b/app/Models/Foundation/Summit/Events/Presentations/Presentation.php 
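Review bot: `if (!in_array($needed_scope, $scopes))` should pass `true` as the third argument so scopes compare by identity rather than loose equality, and `$scopes` should be guarded against a non-array return from `getCurrentScope()`, whose type the hunk does not show (a null would raise a TypeError that the controller turns into a 500 rather than a 403). The check is also buried inside the `schedule` case of the expand switch, where it is easy to overlook for other expansions that may expose non-public data; extracting it into a private method called from that branch makes the intent explicit. The enclosing serialize() starts and ends outside the hunk.

```php
case 'schedule': {
    $this->checkReadAllSummitDataScope($summit);
    // … unchanged: event types / schedule serialization …

/**
 * Rejects schedule expansion of a summit that is not public unless the
 * caller holds the realm-specific read-all scope.
 * @param Summit $summit
 * @throws HTTP403ForbiddenException
 */
private function checkReadAllSummitDataScope(Summit $summit)
{
    if ($summit->isAvailableOnApi()) return;
    $scopes = $this->resource_server_context->getCurrentScope();
    $current_realm = Config::get('app.url');
    $needed_scope = sprintf(SummitScopes::ReadAllSummitData, $current_realm);
    if (!is_array($scopes) || !in_array($needed_scope, $scopes, true))
        throw new HTTP403ForbiddenException;
}
```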
@@ -719,7 +719,7 @@ class Presentation extends SummitEvent * @return bool */ public function canEdit(PresentationSpeaker $speaker){ - if($this->getCreatorId() == $speaker->getId()) return true; + if($this->getCreatorId() == $speaker->getMemberId()) return true; if($this->getModeratorId() == $speaker->getId()) return true; if($this->isSpeaker($speaker)) return true; return false; diff --git a/app/Services/Model/PresentationService.php b/app/Services/Model/PresentationService.php index 886737a4..bdc832a7 100644 --- a/app/Services/Model/PresentationService.php +++ b/app/Services/Model/PresentationService.php @@ -507,7 +507,7 @@ final class PresentationService if(is_null($current_speaker)) throw new EntityNotFoundException(sprintf("member %s does not has a speaker profile", $member->getId())); - $presentation = $this->event_repository->getById($presentation_id); + $presentation = $this->presentation_repository->getById($presentation_id); if(is_null($presentation)) throw new EntityNotFoundException(sprintf("presentation %s not found", $presentation_id)); diff --git a/tests/OAuth2SummitApiTest.php b/tests/OAuth2SummitApiTest.php index 1cb90d83..a04f7219 100644 --- a/tests/OAuth2SummitApiTest.php +++ b/tests/OAuth2SummitApiTest.php @@ -77,11 +77,11 @@ final class OAuth2SummitApiTest extends ProtectedApiTest public function testGetSummit($summit_id = 25) { - $params = array - ( + $params = [ + 'expand' => 'schedule', 'id' => $summit_id - ); + ]; $headers = array("HTTP_Authorization" => " Bearer " . $this->access_token); $start = time();
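Review bot: `if($this->getCreatorId() == $speaker->getMemberId()) return true;` compares with `==`, so when a presentation has no creator (id 0 or null) and the speaker has no linked member (also 0 or null), the loose comparison is true and edit rights are granted; the unchanged moderator line below has the same shape. The return types of getCreatorId() and getMemberId() are not visible in the hunk, so confirm, but a guard such as `if($this->getCreatorId() > 0 && $this->getCreatorId() === $speaker->getMemberId()) return true;` closes that case at no cost. The rest of canEdit, including its closing brace, lies outside the hunk.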