Merge commit from fork

seto1 · ryuring · web-flow · commit 111ef3b77724 · 2025-01-23T14:42:33.000+09:00
* API実行権限調整 * 管理画面テーマの選択の不具合を改善 fix #3884 --------- Co-authored-by: ryuring <egashira@catchup.co.jp>
diff --git a/plugins/baser-core/config/permission.php b/plugins/baser-core/config/permission.php
@@ -23,7 +23,7 @@
             'plugin' => 'BaserCore',
             'type' => 'Admin',
             'items' => [
-                'Edit' => ['title' => __d('baser_core', '編集'), 'url' => '/baser/admin/baser-core/content_folders/edit/*', 'method' => 'POST', 'auth' => false]
+                'Edit' => ['title' => __d('baser_core', '編集'), 'url' => '/baser/admin/baser-core/content_folders/edit/*', 'method' => 'POST', 'auth' => true]
             ]
         ],
 
@@ -33,9 +33,11 @@
             'type' => 'Admin',
             'items' => [
                 'Index' => ['title' => __d('baser_core', '一覧'), 'url' => '/baser/admin/baser-core/contents/index', 'method' => '*', 'auth' => true],
+                'Add' => ['title' => __d('baser_core', '登録'), 'url' => '/baser/admin/baser-core/contents/add', 'method' => '*', 'auth' => true],
+                'Delete' => ['title' => __d('baser_core', '削除'), 'url' => '/baser/admin/baser-core/contents/delete', 'method' => '*', 'auth' => true],
                 'Edit' => ['title' => __d('baser_core', 'ゴミ箱'), 'url' => '/baser/admin/baser-core/contents/trash_index', 'method' => 'GET', 'auth' => true],
                 'EditAlias' => ['title' => __d('baser_core', 'エイリアス編集'), 'url' => '/baser/admin/baser-core/contents/edit_alias/*', 'method' => 'POST', 'auth' => true],
-                'Delete' => ['title' => __d('baser_core', 'ゴミ箱から戻す'), 'method' => 'POST', 'url' => '/baser/admin/baser-core/contents/trash_return/*', 'auth' => true],
+                'TrashReturn' => ['title' => __d('baser_core', 'ゴミ箱から戻す'), 'method' => 'POST', 'url' => '/baser/admin/baser-core/contents/trash_return/*', 'auth' => true],
             ]
         ],
 
@@ -186,7 +188,7 @@
             'items' => [
                 'Index' => ['title' => __d('baser_core', '一覧取得'), 'url' => '/baser/api/admin/baser-core/content_folders/index.json', 'method' => '*', 'auth' => true],
                 'View' => ['title' => __d('baser_core', '単一取得'), 'url' => '/baser/api/admin/baser-core/content_folders/view/*.json', 'method' => '*', 'auth' => true],
-                'Add' => ['title' => __d('baser_core', '新規登録'), 'url' => '/baser/api/admin/baser-core/content_folders/add.json', 'method' => 'POST', 'auth' => false],
+                'Add' => ['title' => __d('baser_core', '新規登録'), 'url' => '/baser/api/admin/baser-core/content_folders/add.json', 'method' => 'POST', 'auth' => true],
                 'Edit' => ['title' => __d('baser_core', '編集'), 'url' => '/baser/api/admin/baser-core/content_folders/edit/*.json', 'method' => 'POST', 'auth' => false],
                 'Delete' => ['title' => __d('baser_core', '削除'), 'url' => '/baser/api/admin/baser-core/content_folders/delete/*.json', 'method' => 'POST', 'auth' => false]
             ]
diff --git a/plugins/baser-core/config/setting.php b/plugins/baser-core/config/setting.php
@@ -598,7 +598,9 @@
             '/baser-core/users/logout',
             '/baser-core/password_requests/*',
             '/baser/api/admin/baser-core/users/login.json',
-            '/baser/api/admin/baser-core/users/refresh_token.json'
+            '/baser/api/admin/baser-core/users/refresh_token.json',
+            '/baser/api/admin/baser-core/utilities/save_search_opened/*/*.json',
+            '/baser/api/admin/baser-core/plugins/get_available_core_version_info.json',
         ]
     ],
 
diff --git a/plugins/baser-core/src/Controller/AppController.php b/plugins/baser-core/src/Controller/AppController.php
@@ -165,13 +165,16 @@ public function beforeFilter(EventInterface $event)
         if ($this->requirePermission($this->getRequest()) && !$this->checkPermission()) {
             $prefix = BcUtil::getRequestPrefix($this->getRequest());
             if ($prefix === 'Api/Admin') {
-                throw new ForbiddenException(__d('baser_core', '指定されたAPIエンドポイントへのアクセスは許可されていません。'));
+                throw new ForbiddenException(__d('baser_core', '指定されたAPIエンドポイントへのアクセスは許可されていません。必要な場合、システム管理者に「{0} {1}」へのアクセス許可を依頼してください。',
+                    [$this->getRequest()->getMethod(), $this->getRequest()->getPath()]));
             } else {
                 if (BcUtil::loginUser()) {
                     if ($this->getRequest()->getMethod() === 'GET') {
-                        $this->BcMessage->setError(__d('baser_core', '指定されたページへのアクセスは許可されていません。'));
+                        $this->BcMessage->setError(__d('baser_core', '指定されたページへのアクセスは許可されていません。必要な場合、システム管理者に「{0} {1}」へのアクセス許可を依頼してください。',
+                            [$this->getRequest()->getMethod(), $this->getRequest()->getPath()]));
                     } else {
-                        $this->BcMessage->setError(__d('baser_core', '実行した操作は許可されていません。'));
+                        $this->BcMessage->setError(__d('baser_core', '実行した操作は許可されていません。必要な場合、システム管理者に「{0} {1}」へのアクセス許可を依頼してください。',
+                            [$this->getRequest()->getMethod(), $this->getRequest()->getPath()]));
                     }
                     $url = Configure::read("BcPrefixAuth.{$prefix}.loginRedirect");
                 } else {
diff --git a/plugins/baser-core/src/Service/PermissionsService.php b/plugins/baser-core/src/Service/PermissionsService.php
@@ -480,13 +480,6 @@ private function checkGroup(
             if ($type === 1) return true;
         }
 
-        if($prefix === 'Api/Admin') {
-            // 管理画面からAPIのURLを参照した場合は無条件に true
-            if (BcUtil::isAdminSystem()) return true;
-            // 管理画面から呼び出された API は無条件に true
-            if (BcUtil::isSameReferrerAsCurrent()) return true;
-        }
-
         // URLのプレフィックスを標準の文字列に戻す
         foreach(Configure::read('BcPrefixAuth') as $key => $value) {
             $prefixAreas = Configure::read('BcApp.' . Inflector::variable($key) . 'Prefix');
diff --git a/plugins/bc-uploader/config/permission.php b/plugins/bc-uploader/config/permission.php
@@ -89,7 +89,7 @@
             'type' => 'Api/Admin',
             'items' => [
                 'index' => ['title' => __d('baser_core', '一覧取得'), 'url' => '/baser/api/admin/bc-uploader/uploader_files/index.json', 'method' => 'GET', 'auth' => true],
-                'Add' => ['title' => __d('baser_core', '新規追加'), 'url' => '/baser/api/admin/bc-uploader/uploader_files/add.json', 'method' => 'POST', 'auth' => true],
+                'Add' => ['title' => __d('baser_core', '新規追加'), 'url' => '/baser/api/admin/bc-uploader/uploader_files/upload.json', 'method' => 'POST', 'auth' => true],
                 'edit' => ['title' => __d('baser_core', '編集'), 'url' => '/baser/api/admin/bc-uploader/uploader_files/edit/*.json', 'method' => 'POST', 'auth' => true],
                 'delete' => ['title' => __d('baser_core', '削除'), 'url' => '/baser/api/admin/bc-uploader/uploader_files/delete/*.json', 'method' => 'POST', 'auth' => true],
             ]

Original file line number	Diff line number	Diff line change
`@@ -89,7 +89,7 @@`
`89`	`89`	`'type' => 'Api/Admin',`
`90`	`90`	`'items' => [`
`91`	`91`	`'index' => ['title' => __d('baser_core', '一覧取得'), 'url' => '/baser/api/admin/bc-uploader/uploader_files/index.json', 'method' => 'GET', 'auth' => true],`
`92`		`- 'Add' => ['title' => __d('baser_core', '新規追加'), 'url' => '/baser/api/admin/bc-uploader/uploader_files/add.json', 'method' => 'POST', 'auth' => true],`
	`92`	`+ 'Add' => ['title' => __d('baser_core', '新規追加'), 'url' => '/baser/api/admin/bc-uploader/uploader_files/upload.json', 'method' => 'POST', 'auth' => true],`
`93`	`93`	`'edit' => ['title' => __d('baser_core', '編集'), 'url' => '/baser/api/admin/bc-uploader/uploader_files/edit/*.json', 'method' => 'POST', 'auth' => true],`
`94`	`94`	`'delete' => ['title' => __d('baser_core', '削除'), 'url' => '/baser/api/admin/bc-uploader/uploader_files/delete/*.json', 'method' => 'POST', 'auth' => true],`
`95`	`95`	`]`