 /**
  * Votes on $attribute for the given program.
  *
  * VIEW is open to every authenticated user. CREATE/EDIT/DELETE require either
  * (a) a 'Course Director' or 'Developer' role together with an affiliation to the
  * program's owning school (same primary school, or WRITE permission on that school
  * via the permissions system), or
  * (b) WRITE permission on the program itself, which needs no role at all.
  *
  * @param string $attribute
  * @param ProgramInterface $program
  * @param TokenInterface $token
  * @return bool
  */
 protected function voteOnAttribute($attribute, $program, TokenInterface $token)
 {
     $user = $token->getUser();
     // Deny when the token does not carry a UserInterface user.
     if (!$user instanceof UserInterface) {
         return false;
     }
     switch ($attribute) {
         case self::VIEW:
             // No view restrictions on programs beyond authentication.
             return true;
         case self::CREATE:
         case self::EDIT:
         case self::DELETE:
             if ($this->userHasRole($user, ['Course Director', 'Developer'])) {
                 $owningSchool = $program->getSchool();
                 if ($this->schoolsAreIdentical($owningSchool, $user->getSchool())
                     || $this->permissionManager->userHasWritePermissionToSchool($user, $owningSchool->getId())
                 ) {
                     return true;
                 }
             }
             // Direct WRITE permission on the program grants access regardless of role.
             return $this->permissionManager->userHasWritePermissionToProgram($user, $program);
     }
     return false;
 }
 /**
  * Votes on $attribute for the given instructor group.
  *
  * VIEW is granted to any authenticated user (unlike instructor details, groups are not
  * restricted). CREATE/EDIT/DELETE require a 'Course Director' or 'Developer' role plus
  * an affiliation to the group's owning school: the user's primary school, or WRITE
  * permission on that school via the permissions system.
  *
  * @param string $attribute
  * @param InstructorGroupInterface $group
  * @param TokenInterface $token
  * @return bool
  */
 protected function voteOnAttribute($attribute, $group, TokenInterface $token)
 {
     $user = $token->getUser();
     if (!$user instanceof UserInterface) {
         return false;
     }
     switch ($attribute) {
         case self::VIEW:
             // Instructor groups are visible to every authenticated user.
             return true;
         case self::CREATE:
         case self::EDIT:
         case self::DELETE:
             // Role is mandatory; no permission-based bypass exists for groups.
             if (!$this->userHasRole($user, ['Course Director', 'Developer'])) {
                 return false;
             }
             $owningSchool = $group->getSchool();
             if ($this->schoolsAreIdentical($user->getSchool(), $owningSchool)) {
                 return true;
             }
             return $this->permissionManager->userHasWritePermissionToSchool($user, $owningSchool->getId());
     }
     return false;
 }
 /**
  * Votes on $attribute for the given school.
  *
  * VIEW is granted to all authenticated users. CREATE is reserved for users with the
  * 'Developer' role. EDIT/DELETE additionally require that the developer is associated
  * with this school, either as their primary school or via WRITE permission on it.
  *
  * @param string $attribute
  * @param SchoolInterface $school
  * @param TokenInterface $token
  * @return bool
  */
 protected function voteOnAttribute($attribute, $school, TokenInterface $token)
 {
     $user = $token->getUser();
     if (!$user instanceof UserInterface) {
         return false;
     }
     switch ($attribute) {
         case self::VIEW:
             // Every authenticated user may view schools.
             return true;
         case self::CREATE:
             // Creating schools is a developer-only operation, no school affiliation needed.
             return $this->userHasRole($user, ['Developer']);
         case self::EDIT:
         case self::DELETE:
             if (!$this->userHasRole($user, ['Developer'])) {
                 return false;
             }
             if ($this->schoolsAreIdentical($school, $user->getSchool())) {
                 return true;
             }
             return $this->permissionManager->userHasWritePermissionToSchool($user, $school->getId());
     }
     return false;
 }
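 /**
  * Votes on $attribute for the requested user record.
  *
  * VIEW: the requested user is the current user, or the current user holds a
  * 'Course Director', 'Faculty' or 'Developer' role.
  * CREATE/EDIT/DELETE: the current user holds the 'Developer' role AND either has their
  * primary school among the requested user's schools, or has WRITE permission on at
  * least one of the requested user's schools via the permissions system.
  *
  * NOTE(review): the previous implementation gated CREATE/EDIT/DELETE on READ permission
  * (userHasReadPermissionToSchools) although its own policy comment and every sibling
  * voter in this codebase require WRITE permission for mutations. This version checks
  * WRITE permission per school via userHasWritePermissionToSchool; confirm that the
  * permissions data grants WRITE to the developers who are expected to manage users.
  *
  * @param string $attribute
  * @param UserInterface $requestedUser
  * @param TokenInterface $token
  * @return bool
  */
 protected function voteOnAttribute($attribute, $requestedUser, TokenInterface $token)
 {
     $user = $token->getUser();
     if (!$user instanceof UserInterface) {
         return false;
     }
     switch ($attribute) {
         case self::VIEW:
             // Users may always view themselves; otherwise a faculty-level role is required.
             return $user->getId() === $requestedUser->getId()
                 || $this->userHasRole($user, ['Course Director', 'Faculty', 'Developer']);
         case self::CREATE:
         case self::EDIT:
         case self::DELETE:
             if (!$this->userHasRole($user, ['Developer'])) {
                 return false;
             }
             $requestedUserSchools = $requestedUser->getAllSchools();
             if ($requestedUserSchools->contains($user->getSchool())) {
                 return true;
             }
             // WRITE permission on any one of the requested user's schools suffices.
             foreach ($requestedUserSchools as $school) {
                 if ($this->permissionManager->userHasWritePermissionToSchool($user, $school->getId())) {
                     return true;
                 }
             }
             return false;
     }
     return false;
 }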
 /**
  * Votes on $attribute for the given session type.
  *
  * VIEW is granted to every authenticated user without restriction. CREATE/EDIT/DELETE
  * require the 'Developer' role plus an affiliation with the session type's owning
  * school: the user's primary school, or WRITE permission on that school via the
  * permissions system.
  *
  * @param string $attribute
  * @param SessionTypeInterface $sessionType
  * @param TokenInterface $token
  * @return bool
  */
 protected function voteOnAttribute($attribute, $sessionType, TokenInterface $token)
 {
     $user = $token->getUser();
     if (!$user instanceof UserInterface) {
         return false;
     }
     switch ($attribute) {
         case self::VIEW:
             // Unrestricted for authenticated users.
             return true;
         case self::CREATE:
         case self::EDIT:
         case self::DELETE:
             if (!$this->userHasRole($user, ['Developer'])) {
                 return false;
             }
             $owningSchool = $sessionType->getSchool();
             if ($this->schoolsAreIdentical($owningSchool, $user->getSchool())) {
                 return true;
             }
             return $this->permissionManager->userHasWritePermissionToSchool($user, $owningSchool->getId());
     }
     return false;
 }
 /**
  * Votes on $attribute for the given curriculum inventory export.
  *
  * Both CREATE and VIEW require a 'Course Director' or 'Developer' role together with an
  * affiliation to the school owning the export's parent report: the user's primary school,
  * or — via the permissions system — WRITE permission on that school for CREATE and READ
  * permission for VIEW. EDIT and DELETE are never granted by this voter.
  *
  * @param string $attribute
  * @param CurriculumInventoryExportInterface $export
  * @param TokenInterface $token
  * @return bool
  */
 protected function voteOnAttribute($attribute, $export, TokenInterface $token)
 {
     $user = $token->getUser();
     if (!$user instanceof UserInterface) {
         return false;
     }
     switch ($attribute) {
         case self::CREATE:
             if (!$this->userHasRole($user, ['Course Director', 'Developer'])) {
                 return false;
             }
             $reportSchool = $export->getReport()->getSchool();
             // Creating an export is a write: demand WRITE permission on the report's school.
             return $this->schoolsAreIdentical($user->getSchool(), $reportSchool)
                 || $this->permissionManager->userHasWritePermissionToSchool($user, $reportSchool->getId());
         case self::VIEW:
             if (!$this->userHasRole($user, ['Course Director', 'Developer'])) {
                 return false;
             }
             $reportSchool = $export->getReport()->getSchool();
             // Viewing only needs READ permission on the report's school.
             return $this->schoolsAreIdentical($user->getSchool(), $reportSchool)
                 || $this->permissionManager->userHasReadPermissionToSchool($user, $reportSchool->getId());
     }
     return false;
 }
 /**
  * Decides CREATE/EDIT/DELETE on a course identified by id.
  *
  * Granted when the user holds a 'Faculty', 'Course Director' or 'Developer' role AND is
  * affiliated with the owning school (their primary school has the given id, or they hold
  * WRITE permission on that school), OR when the user has WRITE permission on the course
  * itself via the permissions system, which requires no role.
  *
  * @param int $courseId
  * @param int $owningSchoolId
  * @param UserInterface $user
  *
  * @return bool
  */
 protected function isWriteGranted($courseId, $owningSchoolId, UserInterface $user)
 {
     if ($this->userHasRole($user, ['Faculty', 'Course Director', 'Developer'])) {
         // Strict comparison: a string id would never match an int primary key here,
         // so callers are expected to pass ints (see @param) — TODO confirm at call sites.
         if ($owningSchoolId === $user->getSchool()->getId()
             || $this->permissionManager->userHasWritePermissionToSchool($user, $owningSchoolId)
         ) {
             return true;
         }
     }
     // Course-level WRITE permission bypasses the role requirement.
     return $this->permissionManager->userHasWritePermissionToCourse($user, $courseId);
 }
 /**
  * Decides whether $user may create the given curriculum inventory report.
  *
  * Requires a 'Course Director' or 'Developer' role plus an affiliation with the school
  * owning the report's program: the user's primary school, or WRITE permission on that
  * school via the permissions system.
  *
  * @param CurriculumInventoryReportInterface $report
  * @param UserInterface $user
  * @return bool
  */
 protected function isCreateGranted($report, $user)
 {
     if (!$this->userHasRole($user, ['Course Director', 'Developer'])) {
         return false;
     }
     $reportSchool = $report->getSchool();
     if ($this->schoolsAreIdentical($user->getSchool(), $reportSchool)) {
         return true;
     }
     return $this->permissionManager->userHasWritePermissionToSchool($user, $reportSchool->getId());
 }
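 /**
  * Votes on $attribute for the given school event.
  *
  * Only VIEW is ever granted. The user must be affiliated with the event-owning school,
  * either as their primary school or through READ permission on it; users without a
  * 'Faculty', 'Course Director' or 'Developer' role additionally only see published events.
  * The owning school is looked up by id; when no school matches (findOneBy yields null)
  * access is denied instead of dereferencing null on the permission check.
  *
  * @param string $attribute
  * @param SchoolEvent $event
  * @param TokenInterface $token
  * @return bool
  */
 protected function voteOnAttribute($attribute, $event, TokenInterface $token)
 {
     $user = $token->getUser();
     if (!$user instanceof UserInterface) {
         return false;
     }
     switch ($attribute) {
         case self::VIEW:
             /* @var SchoolInterface $eventOwningSchool */
             $eventOwningSchool = $this->schoolManager->findOneBy(['id' => $event->school]);
             // Fail closed: an event whose school cannot be resolved is not viewable.
             if (null === $eventOwningSchool) {
                 return false;
             }
             $affiliated = $this->schoolsAreIdentical($eventOwningSchool, $user->getSchool())
                 || $this->permissionManager->userHasReadPermissionToSchool($user, $eventOwningSchool->getId());
             if (!$affiliated) {
                 return false;
             }
             // Elevated roles may see unpublished events; everyone else only published ones.
             if ($this->userHasRole($user, ['Faculty', 'Course Director', 'Developer'])) {
                 return true;
             }
             return (bool) $event->isPublished;
     }
     return false;
 }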
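 /**
  * Decides CREATE/EDIT/DELETE on an objective that belongs to a course.
  *
  * The objective's first course is taken as its owner (the stated invariant is that there
  * is exactly one). Access is denied outright when no course is attached, or when the
  * course is archived or locked. Otherwise the rule mirrors the course voter: a 'Faculty',
  * 'Course Director' or 'Developer' role combined with an affiliation to the course's
  * owning school (primary school, or WRITE permission on the school), or WRITE permission
  * on the course itself.
  *
  * @param ObjectiveInterface $objective
  * @param UserInterface $user
  * @return bool
  */
 protected function isCreateEditDeleteGrantedForCourseObjective($objective, $user)
 {
     /* @var CourseInterface $course */
     $course = $objective->getCourses()->first();
     // there should ever only be one. Collection::first() returns false when the
     // collection is empty; never dereference that — fail closed instead.
     if (!$course) {
         return false;
     }
     // Code below has been copy/pasted straight out of CourseVoter::isGranted().
     // TODO: consolidate. [ST 2015/08/05]
     // HALT!
     // deny CREATE, EDIT and DELETE privileges if the owning course is locked or archived.
     if ($course->isArchived() || $course->isLocked()) {
         return false;
     }
     if ($this->userHasRole($user, ['Faculty', 'Course Director', 'Developer'])) {
         $owningSchool = $course->getSchool();
         if ($this->schoolsAreIdentical($owningSchool, $user->getSchool())
             || $this->permissionManager->userHasWritePermissionToSchool($user, $owningSchool->getId())
         ) {
             return true;
         }
     }
     // Course-level WRITE permission bypasses the role requirement.
     return $this->permissionManager->userHasWritePermissionToCourse($user, $course);
 }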
 /**
  * Decides CREATE/EDIT/DELETE on the given program year.
  *
  * Granted when the user holds a 'Course Director' or 'Developer' role AND one of the
  * following holds: their primary school is the parent program's owning school, they have
  * WRITE permission on that school, or their school stewards this program year. Independently
  * of any role, WRITE permission on the parent program also grants access.
  *
  * @param ProgramYearInterface $programYear
  * @param UserInterface $user
  * @return bool
  */
 protected function isWriteGranted(ProgramYearInterface $programYear, $user)
 {
     if ($this->userHasRole($user, ['Course Director', 'Developer'])) {
         $owningSchool = $programYear->getSchool();
         $affiliated = $this->schoolsAreIdentical($owningSchool, $user->getSchool())
             || $this->permissionManager->userHasWritePermissionToSchool($user, $owningSchool->getId())
             || $this->stewardManager->schoolIsStewardingProgramYear($user, $programYear);
         if ($affiliated) {
             return true;
         }
     }
     // WRITE permission on the parent program grants access regardless of role.
     return $this->permissionManager->userHasWritePermissionToProgram($user, $programYear->getProgram());
 }
 /**
  * Votes on $attribute for the given program year steward.
  *
  * VIEW: a 'Course Director', 'Developer' or 'Faculty' role combined with an affiliation
  * to the parent program's owning school (primary school or READ permission on it) or to
  * the stewarding school (primary school); or, without any role, READ permission on the
  * owning program.
  * CREATE/EDIT/DELETE: the same shape with 'Course Director' or 'Developer' roles and
  * WRITE permissions in place of READ.
  *
  * @param string $attribute
  * @param ProgramYearStewardInterface $steward
  * @param TokenInterface $token
  * @return bool
  */
 protected function voteOnAttribute($attribute, $steward, TokenInterface $token)
 {
     $user = $token->getUser();
     if (!$user instanceof UserInterface) {
         return false;
     }
     switch ($attribute) {
         case self::VIEW:
             if ($this->userHasRole($user, ['Course Director', 'Developer', 'Faculty'])) {
                 $programSchool = $steward->getProgramOwningSchool();
                 if ($this->schoolsAreIdentical($programSchool, $user->getSchool())
                     || $this->permissionManager->userHasReadPermissionToSchool($user, $programSchool->getId())
                     || $this->schoolsAreIdentical($steward->getSchool(), $user->getSchool())
                 ) {
                     return true;
                 }
             }
             // READ permission on the owning program grants VIEW regardless of role.
             return $this->permissionManager->userHasReadPermissionToProgram($user, $steward->getProgram());
         case self::CREATE:
         case self::EDIT:
         case self::DELETE:
             if ($this->userHasRole($user, ['Course Director', 'Developer'])) {
                 $programSchool = $steward->getProgramOwningSchool();
                 if ($this->schoolsAreIdentical($programSchool, $user->getSchool())
                     || $this->permissionManager->userHasWritePermissionToSchool($user, $programSchool->getId())
                     || $this->schoolsAreIdentical($steward->getSchool(), $user->getSchool())
                 ) {
                     return true;
                 }
             }
             // WRITE permission on the parent program grants access regardless of role.
             return $this->permissionManager->userHasWritePermissionToProgram($user, $steward->getProgram());
     }
     return false;
 }
 /**
  * Stores the form factory on this manager, then delegates the entity manager and the
  * $class string to the parent constructor.
  *
  * @param EntityManager $em
  * @param string $class
  * @param FormFactoryInterface $formFactory
  */
 public function __construct(EntityManager $em, $class, FormFactoryInterface $formFactory)
 {
     // Assigned before the parent runs so it is available should the parent call back into this class.
     $this->formFactory = $formFactory;
     parent::__construct($em, $class);
 }
 /**
  * Checks school-scoped course read lookups: a permission row for a course in the school
  * grants access, a missing row denies it, a null school is denied, and a school without
  * courses must never hit the repository.
  *
  * @covers \Ilios\CoreBundle\Entity\Manager\PermissionManager::userHasReadPermissionToCoursesInSchool
  */
 public function testUserHasReadPermissionToCoursesBySchool()
 {
     $class = 'Ilios\\CoreBundle\\Entity\\Permission';
     $em = m::mock('Doctrine\\ORM\\EntityManager');
     $user = new User();

     // Wraps the given repository mock in a registry mock and builds a manager on top of it.
     $buildManager = function ($repository) use ($em, $class) {
         $registry = m::mock('Doctrine\\Bundle\\DoctrineBundle\\Registry')
             ->shouldReceive('getManagerForClass')->andReturn($em)
             ->shouldReceive('getRepository')->andReturn($repository)
             ->mock();
         return new PermissionManager($registry, $class);
     };

     $schoolA = new School();
     $schoolA->setId(100);
     $courseA = new Course();
     $courseA->setId(1);
     $schoolA->addCourse($courseA);

     $schoolB = new School();
     $schoolB->setId(200);
     $courseB = new Course();
     $courseB->setId(2);
     $schoolB->addCourse($courseB);

     // School C deliberately owns no courses.
     $schoolC = new School();
     $schoolC->setId(300);

     $coursePermissionA = new Permission();
     $coursePermissionA->setTableRowId(1);

     // A permission row exists for course A: school A is readable, a null school is not.
     $repository = m::mock('Doctrine\\ORM\\Repository')
         ->shouldReceive('findOneBy')
         ->with(['tableName' => 'course', 'canRead' => true, 'user' => $user, 'tableRowId' => $courseA->getId()], null)
         ->andReturn([$coursePermissionA])
         ->mock();
     $manager = $buildManager($repository);
     $this->assertFalse($manager->userHasReadPermissionToCoursesInSchool($user, null));
     $this->assertTrue($manager->userHasReadPermissionToCoursesInSchool($user, $schoolA));

     // No permission row for course B: school B is denied.
     $repository = m::mock('Doctrine\\ORM\\Repository')
         ->shouldReceive('findOneBy')
         ->with(['tableName' => 'course', 'canRead' => true, 'user' => $user, 'tableRowId' => $courseB->getId()], null)
         ->andReturn(null)
         ->mock();
     $manager = $buildManager($repository);
     $this->assertFalse($manager->userHasReadPermissionToCoursesInSchool($user, $schoolB));

     // No courses in school C: the repository must not be consulted at all.
     $repository = m::mock('Doctrine\\ORM\\Repository')->shouldNotReceive('findOneBy')->mock();
     $manager = $buildManager($repository);
     $this->assertFalse($manager->userHasReadPermissionToCoursesInSchool($user, $schoolC));
 }