
Add more security options to the inline edit, and refactor the code a bit

Thomas Rabaix 13 éve
szülő
commit
900f387c7c

+ 43 - 14
Controller/HelperController.php

@@ -146,7 +146,7 @@ class HelperController extends Controller
 
         return new Response($description);
     }
-    
+
     /**
      * Toggle boolean value of property in list
      * @return \Symfony\Component\HttpFoundation\Response
@@ -158,15 +158,24 @@ class HelperController extends Controller
         $objectId   = $this->get('request')->query->get('objectId');
         $uniqid     = $this->get('request')->query->get('uniqid');
         $value      = $this->get('request')->query->get('value');
+        $context    = $this->get('request')->query->get('context');
 
         $admin  = $this->container->get('sonata.admin.pool')->getInstance($code);
-        
+
+        // alter should be done by using a post method
+        if ($this->getRequest()->getMethod() != 'POST') {
+            return new Response(json_encode(array('status' => 'KO', 'message' => 'Expected a POST Request')), 200, array(
+                'Content-Type' => 'application/json'
+            ));
+        }
+
+        // check user permission
         if (false === $admin->isGranted('EDIT')) {
-            $response = new Response(json_encode(array('status' => 'Error')));
-            $response->headers->set('Content-Type', 'application/json');
-            return $response;
+            return new Response(json_encode(array('status' => 'KO', 'message' => 'Invalid permissions')), 200, array(
+                'Content-Type' => 'application/json'
+            ));
         }
-               
+
         if ($uniqid) {
             $admin->setUniqid($uniqid);
         }
@@ -174,13 +183,31 @@ class HelperController extends Controller
         $object = $admin->getObject($objectId);
 
         if (!$object) {
-            $response = new Response(json_encode(array('status' => 'Error')));
-            $response->headers->set('Content-Type', 'application/json');
-            return $response;
+            return new Response(json_encode(array('status' => 'KO', 'message' => 'Object does not exist')), 200, array(
+                'Content-Type' => 'application/json'
+            ));
+        }
+
+        if ($context == 'list') {
+            $fieldDescription = $admin->getListFieldDescription($field);
+        } else if ($context == 'show') {
+            $fieldDescription = $admin->getShowFieldDescription($field);
+        } else {
+            return new Response(json_encode(array('status' => 'KO', 'message' => 'Invalid context')), 200, array(
+                'Content-Type' => 'application/json'
+            ));
+        }
+
+        if (!$fieldDescription->getOption('editable')) {
+            return new Response(json_encode(array('status' => 'KO', 'message' => 'The field cannot be edit, editable option must be set to true')), 200, array(
+                'Content-Type' => 'application/json'
+            ));
         }
-        
+
+        // TODO : call the validator component ...
         $propertyPath = new PropertyPath($field);
         $propertyPath->setValue($object, $value);
+
         $admin->update($object);
 
         // render the widget
@@ -188,9 +215,11 @@ class HelperController extends Controller
         $twig = $this->get('twig');
         $extension = $twig->getExtension('sonata_admin');
         $extension->initRuntime($this->get('twig'));
-        
-        $response = new Response(json_encode(array('status' => 'OK', 'data' => $extension->renderListElement($object, $admin->getListFieldDescription($field)))));
-        $response->headers->set('Content-Type', 'application/json');
-        return $response;
+
+        $content = $extension->renderListElement($object, $fieldDescription);
+
+        return new Response(json_encode(array('status' => 'OK', 'content' => $content)), 200, array(
+            'Content-Type' => 'application/json'
+        ));
     }
 }
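Review bot: The POST-only check inserted ahead of the `isGranted('EDIT')` test does not by itself protect this state-changing action: `objectId`, `field` and `value` are still read from the query string and nothing ties the request to the caller's session, so a cross-site form submission to the URL the templates build would satisfy both guards. A CSRF token should be added to the URL generated by list_boolean.html.twig and show_boolean.html.twig and validated here before `$admin->update($object)`; the framework's CSRF token provider is the natural source for it. The four failure paths all answer HTTP 200 with a `KO` body and repeat the same header array verbatim; a small private helper along the lines of `return new Response(json_encode($data), $status, array('Content-Type' => 'application/json'));` would let each branch carry a meaningful status (405, 403, 404, 400) and drop the duplication. `$fieldDescription->getOption('editable')` is also called without checking that `getListFieldDescription`/`getShowFieldDescription` actually resolved `$field`; if they can return null for an unknown name (not visible here), a bad field name would fatal instead of producing a `KO` response, so an `if (!$fieldDescription)` guard before it is worth adding. The action's opening lines are outside the hunk.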

+ 11 - 13
Resources/public/base.js

@@ -113,7 +113,7 @@ var Admin = {
            jQuery('div.filter_container', jQuery(event.target).parent()).toggle();
         });
     },
-    
+
     /**
      * Change object field value
      * @param MouseEvent
@@ -121,22 +121,20 @@ var Admin = {
     set_object_field_value: function(event) {
         var targetElement = Admin.stopEvent(event);
         var a = jQuery(targetElement).closest('a');
-    
+
         jQuery.ajax({
             url: a.attr('href'),
-            type: 'GET',
+            type: 'POST',
             success: function(json) {
-                if(json.status === "OK")
-                {
-                    var td = jQuery(a).parent();
-                    td.children().remove();
-                    var result_td =json.data.replace(/<!--[\s\S]*?-->/g, "");
-                    result_td = jQuery(result_td).html();
-                    td.html(result_td);
-                    td.effect("highlight", {'color' : '#57A957'}, 2000);
-                }
-                else
+                if(json.status === "OK") {
+                    var elm = jQuery(a).parent();
+                    elm.children().remove();
+                    // fix issue with html comment ...
+                    elm.html(jQuery(json.content.replace(/<!--[\s\S]*?-->/g, "")).html());
+                    elm.effect("highlight", {'color' : '#57A957'}, 2000);
+                } else {
                     jQuery(a).parent().effect("highlight", {'color' : '#C43C35'}, 2000);
+                }
             }
         });
     }
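Review bot: The `else` branch of the success handler still ignores the `message` the controller now sends alongside `status: "KO"`, and there is no `error:` callback at all, so a transport failure or a 500 leaves the cell unchanged with no feedback. Adding `error: function() { jQuery(a).parent().effect("highlight", {'color' : '#C43C35'}, 2000); }` to the `jQuery.ajax` options covers the non-2xx case, and the `KO` branch could surface `json.message` (for example in the link's `title` attribute) instead of only flashing red. The comment `// fix issue with html comment ...` should state what the line does: `// strip HTML comments so jQuery() parses the rendered widget's element`. Note that `jQuery(...).html()` keeps only the inner HTML of the first top-level node of `json.content`; if the rendered widget can have several sibling nodes (not visible here), the rest is dropped.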

+ 23 - 0
Resources/views/CRUD/list_boolean.html.twig

@@ -13,10 +13,33 @@ file that was distributed with this source code.
 
 {% block field %}
 {% spaceless %}
+{% if field_description.options.editable is defined and field_description.options.editable and admin.isGranted('EDIT') %}
+    {% if value %}
+        <a
+            href="{{ url('sonata_admin_set_object_field_value', { 'context': 'list', 'field': field_description.name, 'objectId': object.id, 'value': 0, 'code': admin.code(object), 'uniqid': admin.uniqid(object) }) }}" class="sonata-ba-action"
+            onclick="Admin.set_object_field_value(event)"
+            >
+            <img
+                src="{{ asset('bundles/sonataadmin/famfamfam/accept.png') }}"
+                alt="{%- trans from 'SonataAdminBundle' %}label_type_yes{% endtrans -%}"
+                />
+        </a>
+    {% else %}
+        <a
+            href="{{ url('sonata_admin_set_object_field_value', { 'context': 'list', 'field': field_description.name, 'objectId': object.id, 'value': 1, 'code': admin.code(object), 'uniqid': admin.uniqid(object) }) }}" class="sonata-ba-action"
+            onclick="Admin.set_object_field_value(event)"
+            >
+            <img
+                src="{{ asset('bundles/sonataadmin/famfamfam/exclamation.png') }}"
+                alt="{%- trans from 'SonataAdminBundle' %}label_type_no{% endtrans -%}" />
+        </a>
+    {% endif %}
+{% else %}
     {% if value %}
         <img src="{{ asset('bundles/sonataadmin/famfamfam/accept.png') }}" alt="{%- trans from 'SonataAdminBundle' %}label_type_yes{% endtrans -%}" />
     {% else %}
         <img src="{{ asset('bundles/sonataadmin/famfamfam/exclamation.png') }}" alt="{%- trans from 'SonataAdminBundle' %}label_type_no{% endtrans -%}" />
     {% endif %}
+{% endif %}
 {% endspaceless %}
 {% endblock %}
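Review bot: The new editable branch is repeated byte-for-byte in show_boolean.html.twig except for the `'context'` value, so the two templates will drift the next time the markup or the URL parameters change; extracting the anchor-plus-image block into one shared template that receives the context as a variable and including it from both would keep a single copy. The anchor's `href` is also a real URL to a state-changing endpoint, so if scripting is unavailable a plain click issues a GET and the browser lands on the controller's JSON `Expected a POST Request` body rather than staying on the list; rendering the non-editable image in that case, or using a `<form method="post">` with a submit control, would make the fallback coherent.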

+ 0 - 45
Resources/views/CRUD/list_boolean_edit.html.twig

@@ -1,45 +0,0 @@
-{#
-
-This file is part of the Sonata package.
-
-(c) Thomas Rabaix <thomas.rabaix@sonata-project.org>
-
-For the full copyright and license information, please view the LICENSE
-file that was distributed with this source code.
-
-#}
-
-{% extends 'SonataAdminBundle:CRUD:base_list_field.html.twig' %}
-
-{% block field %}
-{% spaceless %}
-{% if admin.isGranted('EDIT') %}
-    {% if value %}
-        <a
-            href="{{ url('sonata_admin_set_object_field_value', { 'field': field_description.name, 'objectId': object.id, 'value': 0, 'code': admin.code(object), 'uniqid': admin.uniqid(object) }) }}" class="sonata-ba-action"
-            onclick="Admin.set_object_field_value(event)"
-            >
-            <img 
-                src="{{ asset('bundles/sonataadmin/famfamfam/accept.png') }}" 
-                alt="{%- trans from 'SonataAdminBundle' %}label_type_yes{% endtrans -%}" 
-                />
-        </a>
-    {% else %}
-        <a
-            href="{{ url('sonata_admin_set_object_field_value', { 'field': field_description.name, 'objectId': object.id, 'value': 1, 'code': admin.code(object), 'uniqid': admin.uniqid(object) }) }}" class="sonata-ba-action"
-            onclick="Admin.set_object_field_value(event)"
-            >
-            <img 
-                src="{{ asset('bundles/sonataadmin/famfamfam/exclamation.png') }}" 
-                alt="{%- trans from 'SonataAdminBundle' %}label_type_no{% endtrans -%}" />
-        </a>
-    {% endif %}
-{% else %}
-    {% if value %}
-        <img src="{{ asset('bundles/sonataadmin/famfamfam/accept.png') }}" alt="{%- trans from 'SonataAdminBundle' %}label_type_yes{% endtrans -%}" />
-    {% else %}
-        <img src="{{ asset('bundles/sonataadmin/famfamfam/exclamation.png') }}" alt="{%- trans from 'SonataAdminBundle' %}label_type_no{% endtrans -%}" />
-    {% endif %}  
-{% endif %}
-{% endspaceless %}
-{% endblock %}

+ 23 - 0
Resources/views/CRUD/show_boolean.html.twig

@@ -13,10 +13,33 @@ file that was distributed with this source code.
 
 {% block field %}
 {% spaceless %}
+{% if field_description.options.editable is defined and field_description.options.editable and admin.isGranted('EDIT') %}
+    {% if value %}
+        <a
+            href="{{ url('sonata_admin_set_object_field_value', { 'context': 'show', 'field': field_description.name, 'objectId': object.id, 'value': 0, 'code': admin.code(object), 'uniqid': admin.uniqid(object) }) }}" class="sonata-ba-action"
+            onclick="Admin.set_object_field_value(event)"
+            >
+            <img
+                src="{{ asset('bundles/sonataadmin/famfamfam/accept.png') }}"
+                alt="{%- trans from 'SonataAdminBundle' %}label_type_yes{% endtrans -%}"
+                />
+        </a>
+    {% else %}
+        <a
+            href="{{ url('sonata_admin_set_object_field_value', { 'context': 'show', 'field': field_description.name, 'objectId': object.id, 'value': 1, 'code': admin.code(object), 'uniqid': admin.uniqid(object) }) }}" class="sonata-ba-action"
+            onclick="Admin.set_object_field_value(event)"
+            >
+            <img
+                src="{{ asset('bundles/sonataadmin/famfamfam/exclamation.png') }}"
+                alt="{%- trans from 'SonataAdminBundle' %}label_type_no{% endtrans -%}" />
+        </a>
+    {% endif %}
+{% else %}
     {% if value %}
         <img src="{{ asset('bundles/sonataadmin/famfamfam/accept.png') }}" alt="{%- trans from 'SonataAdminBundle' %}label_type_yes{% endtrans -%}" />
     {% else %}
         <img src="{{ asset('bundles/sonataadmin/famfamfam/exclamation.png') }}" alt="{%- trans from 'SonataAdminBundle' %}label_type_no{% endtrans -%}" />
     {% endif %}
+{% endif %}
 {% endspaceless %}
 {% endblock %}