Add: owner check to subscription endpoints

tatevikg1 · tatevikg1 · commit ff0583403616 · 2026-03-23T20:16:31.000+04:00
diff --git a/src/Subscription/Controller/SubscriberListController.php b/src/Subscription/Controller/SubscriberListController.php
@@ -176,7 +176,7 @@ public function getList(
             throw $this->createNotFoundException('Subscriber list not found.');
         }
 
-        $this->denyAccessUnlessOwnerOrPublic($list, $authUser);
+        $this->denyAccessUnlessOwner($list, $authUser);
 
         return $this->json($this->normalizer->normalize($list), Response::HTTP_OK);
     }
@@ -236,7 +236,7 @@ public function deleteList(
             throw $this->createNotFoundException('Subscriber list not found.');
         }
 
-        $this->denyAccessUnlessOwnerOrPublic($list, $authUser);
+        $this->denyAccessUnlessOwner($list, $authUser);
 
         $this->subscriberListManager->delete($list);
         $this->entityManager->flush();
@@ -356,7 +356,7 @@ public function updateList(
             throw $this->createNotFoundException('Subscriber list not found.');
         }
 
-        $this->denyAccessUnlessOwnerOrPublic($list, $authUser);
+        $this->denyAccessUnlessOwner($list, $authUser);
 
         /** @var CreateSubscriberListRequest $subscriberListRequest */
         $subscriberListRequest = $this->validator->validate($request, CreateSubscriberListRequest::class);
@@ -370,7 +370,7 @@ public function updateList(
         return $this->json($this->normalizer->normalize($data), Response::HTTP_OK);
     }
 
-    private function denyAccessUnlessOwnerOrPublic(SubscriberList $list, Administrator $user): void
+    private function denyAccessUnlessOwner(SubscriberList $list, Administrator $user): void
     {
         if ($list->getOwner() === null) {
             return;
diff --git a/src/Subscription/Controller/SubscriptionController.php b/src/Subscription/Controller/SubscriptionController.php
@@ -6,6 +6,7 @@
 
 use Doctrine\ORM\EntityManagerInterface;
 use OpenApi\Attributes as OA;
+use PhpList\Core\Domain\Identity\Model\Administrator;
 use PhpList\Core\Domain\Subscription\Model\SubscriberList;
 use PhpList\Core\Domain\Subscription\Service\Manager\SubscriptionManager;
 use PhpList\Core\Security\Authentication;
@@ -122,12 +123,14 @@ public function createSubscription(
         Request $request,
         #[MapEntity(mapping: ['listId' => 'id'])] ?SubscriberList $list = null,
     ): JsonResponse {
-        $this->requireAuthentication($request);
+        $authUser = $this->requireAuthentication($request);
 
         if (!$list) {
             throw $this->createNotFoundException('Subscriber list not found.');
         }
 
+        $this->denyAccessUnlessOwner($list, $authUser);
+
         /** @var SubscriptionRequest $subscriptionRequest */
         $subscriptionRequest = $this->validator->validate($request, SubscriptionRequest::class);
         $subscriptions = $this->subscriptionManager->createSubscriptions($list, $subscriptionRequest->emails);
@@ -188,10 +191,13 @@ public function deleteSubscriptions(
         Request $request,
         #[MapEntity(mapping: ['listId' => 'id'])] ?SubscriberList $list = null,
     ): JsonResponse {
-        $this->requireAuthentication($request);
+        $authUser = $this->requireAuthentication($request);
         if (!$list) {
             throw $this->createNotFoundException('Subscriber list not found.');
         }
+
+        $this->denyAccessUnlessOwner($list, $authUser);
+
         $subscriptionRequest = new SubscriptionRequest();
         $subscriptionRequest->emails = $request->query->all('emails');
 
@@ -202,4 +208,17 @@ public function deleteSubscriptions(
 
         return $this->json(null, Response::HTTP_NO_CONTENT);
     }
+
+    private function denyAccessUnlessOwner(SubscriberList $list, Administrator $user): void
+    {
+        if ($list->getOwner() === null) {
+            return;
+        }
+
+        if ($list->getOwner()->getId() === $user->getId()) {
+            return;
+        }
+
+        throw $this->createAccessDeniedException('Access denied.');
+    }
 }

Original file line number	Diff line number	Diff line change
`@@ -176,7 +176,7 @@ public function getList(`
`176`	`176`	`throw $this->createNotFoundException('Subscriber list not found.');`
`177`	`177`	`}`
`178`	`178`
`179`		`- $this->denyAccessUnlessOwnerOrPublic($list, $authUser);`
	`179`	`+ $this->denyAccessUnlessOwner($list, $authUser);`
`180`	`180`
`181`	`181`	`return $this->json($this->normalizer->normalize($list), Response::HTTP_OK);`
`182`	`182`	`}`
`@@ -236,7 +236,7 @@ public function deleteList(`
`236`	`236`	`throw $this->createNotFoundException('Subscriber list not found.');`
`237`	`237`	`}`
`238`	`238`
`239`		`- $this->denyAccessUnlessOwnerOrPublic($list, $authUser);`
	`239`	`+ $this->denyAccessUnlessOwner($list, $authUser);`
`240`	`240`
`241`	`241`	`$this->subscriberListManager->delete($list);`
`242`	`242`	`$this->entityManager->flush();`
`@@ -356,7 +356,7 @@ public function updateList(`
`356`	`356`	`throw $this->createNotFoundException('Subscriber list not found.');`
`357`	`357`	`}`
`358`	`358`
`359`		`- $this->denyAccessUnlessOwnerOrPublic($list, $authUser);`
	`359`	`+ $this->denyAccessUnlessOwner($list, $authUser);`
`360`	`360`
`361`	`361`	`/** @var CreateSubscriberListRequest $subscriberListRequest */`
`362`	`362`	`$subscriberListRequest = $this->validator->validate($request, CreateSubscriberListRequest::class);`
`@@ -370,7 +370,7 @@ public function updateList(`
`370`	`370`	`return $this->json($this->normalizer->normalize($data), Response::HTTP_OK);`
`371`	`371`	`}`
`372`	`372`
`373`		`- private function denyAccessUnlessOwnerOrPublic(SubscriberList $list, Administrator $user): void`
	`373`	`+ private function denyAccessUnlessOwner(SubscriberList $list, Administrator $user): void`
`374`	`374`	`{`
`375`	`375`	`if ($list->getOwner() === null) {`
`376`	`376`	`return;`