Introduce CourseContextRoleListener to dynamically assign contextual course roles

assets/vue/services/attendanceService.js

@@ -47,8 +47,12 @@ export default {
   },
 
   /**
-   * Creates a new attendance list.
-   * @param {Object} data - Data for the new attendance list.
+   * Creates a new attendance list. The course context is mirrored from the
+   * request body to the query string so CidReqListener can resolve it and
+   * CourseContextRoleListener can publish the contextual TEACHER role that
+   * the operation requires.
+   *
+   * @param {Object} data - Data for the new attendance list (includes cid, sid).
    * @returns {Promise<Object>} - Data of the created attendance list.
    */
   createAttendance: async (data) => {
@@ -66,8 +70,13 @@ export default {
   },
 
   /**
-   * Deletes an attendance list.
+   * Deletes an attendance list. The course context (cid, optional sid/gid)
+   * must be supplied as query parameters so CidReqListener can resolve the
+   * course and CourseContextRoleListener can publish the contextual TEACHER
+   * role that the operation requires.
+   *
    * @param {Number|String} attendanceId - ID of the attendance list.
+   * @param {{cid: Number|String, sid?: Number|String, gid?: Number|String}} context
    * @returns {Promise<Object>} - Result of the deletion.
    */
   deleteAttendance: async (attendanceId) => {

src/CoreBundle/Controller/Api/CreateCBlogAction.php

@@ -16,6 +16,7 @@
 use Symfony\Bundle\SecurityBundle\Security;
 use Symfony\Component\HttpFoundation\Request;
 use Symfony\Component\HttpKernel\Attribute\AsController;
+use Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException;
 
 #[AsController]
 class CreateCBlogAction extends BaseResourceFileAction
@@ -42,6 +43,12 @@ public function __invoke(
             $resourceLinkList = \is_array($resourceLinkListRaw) ? $resourceLinkListRaw : [];
         }
 
+        // The `cid` (and optional `sid`/`gid`) query parameter establishes the
+        // course context that gated the security expression. Any
+        // resourceLinkList entry that points to a different context would
+        // bypass that gate, so we reject the request outright.
+        $this->assertResourceLinkListMatchesQueryContext($request, $resourceLinkList, $security);
+
         $blog = (new CBlog())
             ->setTitle($title)
             ->setBlogSubtitle($subtitle)
@@ -89,4 +96,47 @@ private function handleShortcutCreation(
             $shortcutRepository->addShortCut($blog, $currentUser, $course, $session);
         }
     }
+
+    /**
+     * @param array<int, mixed> $resourceLinkList
+     */
+    private function assertResourceLinkListMatchesQueryContext(
+        Request $request,
+        array $resourceLinkList,
+        Security $security,
+    ): void {
+        if ($security->isGranted('ROLE_ADMIN')) {
+            return;
+        }
+
+        if ([] === $resourceLinkList) {
+            return;
+        }
+
+        $queryCid = (int) $request->query->get('cid');
+        $querySid = (int) $request->query->get('sid');
+        $queryGid = (int) $request->query->get('gid');
+
+        foreach ($resourceLinkList as $entry) {
+            if (!\is_array($entry)) {
+                continue;
+            }
+
+            $entryCid = (int) ($entry['cid'] ?? 0);
+            $entrySid = (int) ($entry['sid'] ?? 0);
+            $entryGid = (int) ($entry['gid'] ?? 0);
+
+            if ($entryCid > 0 && $entryCid !== $queryCid) {
+                throw new AccessDeniedHttpException('resourceLinkList course does not match the request context.');
+            }
+
+            if ($entrySid > 0 && $entrySid !== $querySid) {
+                throw new AccessDeniedHttpException('resourceLinkList session does not match the request context.');
+            }
+
+            if ($entryGid > 0 && $entryGid !== $queryGid) {
+                throw new AccessDeniedHttpException('resourceLinkList group does not match the request context.');
+            }
+        }
+    }
 }

src/CoreBundle/Controller/Api/CreateDocumentFileAction.php

@@ -6,13 +6,16 @@
 
 namespace Chamilo\CoreBundle\Controller\Api;
 
+use Chamilo\CoreBundle\Entity\User;
 use Chamilo\CoreBundle\Helpers\AiDisclosureHelper;
 use Chamilo\CoreBundle\Helpers\CourseHelper;
 use Chamilo\CoreBundle\Repository\Node\CourseRepository;
 use Chamilo\CourseBundle\Entity\CDocument;
 use Chamilo\CourseBundle\Repository\CDocumentRepository;
 use Doctrine\ORM\EntityManager;
+use Symfony\Bundle\SecurityBundle\Security;
 use Symfony\Component\HttpFoundation\Request;
+use Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException;
 use Symfony\Component\HttpKernel\Exception\BadRequestHttpException;
 use Symfony\Component\HttpKernel\KernelInterface;
 use Symfony\Contracts\Translation\TranslatorInterface;
@@ -48,7 +51,14 @@ public function __invoke(
         CourseRepository $courseRepository,
         CourseHelper $courseHelper,
         AiDisclosureHelper $aiDisclosureHelper,
+        Security $security,
     ): CDocument {
+        // Reject any resourceLinkList entry pointing to a course where the
+        // caller is not a teacher (admins bypass). The operation-level
+        // security expression only validates the role for the query `cid`,
+        // so the body could otherwise target a foreign course (IDOR).
+        $this->assertUserCanLinkToCourses($request, $security, $courseRepository);
+
         $isUncompressZipEnabled = (string) $request->get('isUncompressZipEnabled', 'false');
         $fileExistsOption = (string) $request->get('fileExistsOption', 'rename');
         $aiAssistedRaw = strtolower(trim((string) $request->get('ai_assisted', '')));
@@ -153,4 +163,65 @@ private function isAllowedCloudLinkHost(string $host): bool
 
         return false;
     }
+
+    private function assertUserCanLinkToCourses(
+        Request $request,
+        Security $security,
+        CourseRepository $courseRepository,
+    ): void {
+        $user = $security->getUser();
+        if (!$user instanceof User) {
+            throw new AccessDeniedHttpException('Authentication required.');
+        }
+
+        if ($security->isGranted('ROLE_ADMIN')) {
+            return;
+        }
+
+        $resourceLinkList = $this->extractResourceLinkList($request);
+        foreach ($resourceLinkList as $entry) {
+            if (!\is_array($entry)) {
+                continue;
+            }
+
+            $cid = (int) ($entry['cid'] ?? 0);
+            if ($cid <= 0) {
+                continue;
+            }
+
+            $course = $courseRepository->find($cid);
+            if (null === $course || !$course->hasUserAsTeacher($user)) {
+                throw new AccessDeniedHttpException('You are not a teacher of one of the referenced courses.');
+            }
+        }
+    }
+
+    /**
+     * @return array<int, mixed>
+     */
+    private function extractResourceLinkList(Request $request): array
+    {
+        $raw = (string) $request->getContent();
+        if ('' !== $raw) {
+            $decoded = json_decode($raw, true);
+            if (\is_array($decoded) && isset($decoded['resourceLinkList']) && \is_array($decoded['resourceLinkList'])) {
+                return $decoded['resourceLinkList'];
+            }
+        }
+
+        $fromForm = $request->get('resourceLinkList', []);
+        if (\is_array($fromForm)) {
+            return $fromForm;
+        }
+
+        if (\is_string($fromForm) && '' !== $fromForm) {
+            $normalized = str_contains($fromForm, '[') ? $fromForm : '['.$fromForm.']';
+            $decoded = json_decode($normalized, true);
+            if (\is_array($decoded)) {
+                return $decoded;
+            }
+        }
+
+        return [];
+    }
 }

src/CoreBundle/EventListener/CourseContextRoleListener.php

@@ -0,0 +1,111 @@
+<?php
+
+/* For licensing terms, see /license.txt */
+
+declare(strict_types=1);
+
+namespace Chamilo\CoreBundle\EventListener;
+
+use Chamilo\CoreBundle\Entity\Course;
+use Chamilo\CoreBundle\Entity\Session;
+use Chamilo\CoreBundle\Entity\User;
+use Chamilo\CoreBundle\Security\CourseAccessResolver;
+use Chamilo\CourseBundle\Entity\CGroup;
+use Symfony\Component\HttpKernel\Event\RequestEvent;
+use Symfony\Component\Security\Core\Authentication\Token\Storage\TokenStorageInterface;
+use Symfony\Component\Security\Http\Authenticator\Token\PostAuthenticationToken;
+
+/**
+ * Publishes the contextual ROLE_CURRENT_COURSE_* roles for the authenticated
+ * user once CidReqListener has resolved the course/session/group context.
+ *
+ * The roles are exposed in two places so that every consumer keeps working:
+ *   - User::$temporaryRoles, so ResourceNodeVoter::hasContextRole() and any
+ *     code reading $user->getRoles() continues to see them.
+ *   - The security token's roleNames, so expressions such as
+ *     `security: "is_granted('ROLE_CURRENT_COURSE_STUDENT')"` on
+ *     API Platform operations resolve correctly (AbstractToken::getRoleNames()
+ *     freezes the role list at token-creation time).
+ *
+ * Must run with a kernel.request priority lower than CidReqListener (priority 6)
+ * so the course/session/group is already in the session by the time we look it up.
+ */
+final class CourseContextRoleListener
+{
+    public function __construct(
+        private readonly TokenStorageInterface $tokenStorage,
+        private readonly CourseAccessResolver $resolver,
+    ) {}
+
+    public function onKernelRequest(RequestEvent $event): void
+    {
+        if (!$event->isMainRequest()) {
+            return;
+        }
+
+        $request = $event->getRequest();
+        if (!$request->hasSession()) {
+            return;
+        }
+
+        $token = $this->tokenStorage->getToken();
+        if (null === $token) {
+            return;
+        }
+
+        $user = $token->getUser();
+        if (!$user instanceof User) {
+            return;
+        }
+
+        $sessionHandler = $request->getSession();
+        $course = $sessionHandler->get('course');
+        $courseSession = $sessionHandler->get('session');
+        $group = $sessionHandler->get('group');
+
+        $contextRoles = [];
+        if ($course instanceof Course) {
+            $contextRoles = $this->resolver->resolveCourseRoles(
+                $user,
+                $course,
+                $courseSession instanceof Session ? $courseSession : null,
+            );
+
+            if ($group instanceof CGroup) {
+                $contextRoles = array_merge(
+                    $contextRoles,
+                    $this->resolver->resolveGroupRoles($user, $course, $group),
+                );
+            }
+        }
+
+        $contextRoles = array_values(array_unique($contextRoles));
+
+        $existingRoleNames = $token->getRoleNames();
+        $hasStaleContextRoles = [] !== array_intersect($existingRoleNames, User::CONTEXT_ROLES);
+
+        // Nothing to sync: no current context and no stale roles to strip.
+        if ([] === $contextRoles && !$hasStaleContextRoles) {
+            return;
+        }
+
+        // Mirror the context roles into the User's temporary roles so that any
+        // legacy code reading $user->getRoles() observes the same state.
+        foreach ($contextRoles as $role) {
+            $user->addTemporaryRole($role);
+        }
+
+        $persistedRoleNames = array_values(array_diff($existingRoleNames, User::CONTEXT_ROLES));
+        $desiredRoleNames = array_values(array_unique(array_merge($persistedRoleNames, $contextRoles)));
+
+        $firewallName = method_exists($token, 'getFirewallName')
+            ? (string) $token->getFirewallName()
+            : 'main';
+
+        if ('' === $firewallName) {
+            $firewallName = 'main';
+        }
+
+        $this->tokenStorage->setToken(new PostAuthenticationToken($user, $firewallName, $desiredRoleNames));
+    }
+}

src/CoreBundle/Filter/CidFilter.php

@@ -41,8 +41,8 @@ public function getDescription(string $resourceClass): array
         return [
             'cid' => [
                 'property' => null,
-                'type' => 'int',
-                'required' => false,
+                'type' => 'string',
+                'required' => $this->isRequired(),
                 'description' => 'Course identifier',
             ],
         ];
@@ -76,4 +76,9 @@ protected function filterProperty(
             ->setParameter('course', $course->getId())
         ;
     }
+
+    public function isRequired(): bool
+    {
+        return true;
+    }
 }

src/CoreBundle/Filter/OptionalCourseLinkFilter.php

@@ -0,0 +1,15 @@
+<?php
+
+/* For licensing terms, see /license.txt */
+
+declare(strict_types=1);
+
+namespace Chamilo\CoreBundle\Filter;
+
+class OptionalCourseLinkFilter extends CidFilter
+{
+    public function isRequired(): bool
+    {
+        return false;
+    }
+}

src/CoreBundle/Resources/config/listeners.yml

@@ -15,6 +15,13 @@ services:
             - {name: kernel.event_listener, event: kernel.request, method: onKernelRequest, priority: 6}
             - {name: kernel.event_listener, event: kernel.controller, method: onKernelController}
 
+    # Publishes ROLE_CURRENT_COURSE_* on the token after CidReqListener (priority 6)
+    # has resolved the cid/sid/gid context. Must run with a lower priority so the
+    # course, session and group are already available in the request session.
+    Chamilo\CoreBundle\EventListener\CourseContextRoleListener:
+        tags:
+            - {name: kernel.event_listener, event: kernel.request, method: onKernelRequest, priority: 5}
+
     # Sets the user access in a course listener
     Chamilo\CoreBundle\EventListener\CourseAccessListener:
       tags: