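/**
  * Votes on the given attribute for a curriculum inventory export.
  *
  * The decision is fail-closed: a token that does not carry a user object,
  * and any attribute other than CREATE or VIEW, is denied.
  *
  * @param string $attribute one of the voter's attribute constants (CREATE, VIEW)
  * @param CurriculumInventoryExportInterface $export
  * @param TokenInterface $token
  * @return bool
  */
 protected function voteOnAttribute($attribute, $export, TokenInterface $token)
 {
     $user = $token->getUser();
     // Deny anything that is not a proper user object (e.g. an anonymous token).
     if (!$user instanceof UserInterface) {
         return false;
     }
     switch ($attribute) {
         case self::CREATE:
             // Only grant CREATE permissions to users with at least one of
             // 'Course Director' and 'Developer' roles.
             // - and -
             // the user must be associated with the school owning the parent report's program
             // either by its primary school attribute
             //     - or - by WRITE rights for the school
             // via the permissions system.
             $owningSchool = $export->getReport()->getSchool();
             return $this->userHasRole($user, ['Course Director', 'Developer'])
                 && ($this->schoolsAreIdentical($user->getSchool(), $owningSchool)
                     || $this->permissionManager->userHasWritePermissionToSchool($user, $owningSchool->getId()));
         case self::VIEW:
             // Only grant VIEW permissions to users with at least one of
             // 'Course Director' and 'Developer' roles.
             // - and -
             // the user must be associated with the school owning the parent report's program
             // either by its primary school attribute
             //     - or - by READ rights for the school
             // via the permissions system.
             $owningSchool = $export->getReport()->getSchool();
             return $this->userHasRole($user, ['Course Director', 'Developer'])
                 && ($this->schoolsAreIdentical($user->getSchool(), $owningSchool)
                     || $this->permissionManager->userHasReadPermissionToSchool($user, $owningSchool->getId()));
     }
     // Unknown attributes are never granted.
     return false;
 }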
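 /**
  * Votes on the given attribute for a department.
  *
  * The decision is fail-closed: a token that does not carry a user object,
  * and any attribute this voter does not know, is denied.
  *
  * @param string $attribute one of the voter's attribute constants (VIEW, CREATE, EDIT, DELETE)
  * @param DepartmentInterface $department
  * @param TokenInterface $token
  * @return bool
  */
 protected function voteOnAttribute($attribute, $department, TokenInterface $token)
 {
     $user = $token->getUser();
     // Deny anything that is not a proper user object (e.g. an anonymous token).
     if (!$user instanceof UserInterface) {
         return false;
     }
     switch ($attribute) {
         case self::VIEW:
             // grant VIEW privileges
             // if the user's primary school is the department's owning school
             // - or -
             // if the user has READ rights on the department's owning school
             // via the permissions system.
             $owningSchool = $department->getSchool();
             return $this->schoolsAreIdentical($owningSchool, $user->getSchool())
                 || $this->permissionManager->userHasReadPermissionToSchool($user, $owningSchool->getId());
         case self::CREATE:
         case self::EDIT:
         case self::DELETE:
             // grant CREATE, EDIT and DELETE privileges
             // if the user has the 'Developer' role
             // - and -
             //   if the user's primary school is the department's owning school
             //   - or -
             //   if the user has WRITE rights on the department's owning school
             // via the permissions system.
             $owningSchool = $department->getSchool();
             return $this->userHasRole($user, ['Developer'])
                 && ($this->schoolsAreIdentical($owningSchool, $user->getSchool())
                     || $this->permissionManager->userHasWritePermissionToSchool($user, $owningSchool->getId()));
     }
     // Unknown attributes are never granted.
     return false;
 }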
 /**
  * Decides whether the given user may view the given course.
  *
  * @param int $courseId
  * @param int $owningSchoolId
  * @param UserInterface $user
  *
  * @return bool
  */
 protected function isViewGranted($courseId, $owningSchoolId, UserInterface $user)
 {
     // VIEW is granted as soon as one of the following checks passes;
     // they are tried in this order and the rest are skipped.

     // 1. the user's primary school is the course's owning school
     //    (strict comparison: a string-typed id would not match an int id
     //    and the check simply falls through to the next rule)
     if ($owningSchoolId === $user->getSchool()->getId()) {
         return true;
     }
     // 2. the user is instructing ILMs or offerings in this course
     if ($this->courseManager->isUserInstructingInCourse($user, $courseId)) {
         return true;
     }
     // 3. the user is directing this course
     if ($user->isDirectingCourse($courseId)) {
         return true;
     }
     // 4. the user has READ rights on the course's owning school via the permissions system
     if ($this->permissionManager->userHasReadPermissionToSchool($user, $owningSchoolId)) {
         return true;
     }
     // 5. the user has READ rights on the course via the permissions system
     return (bool) $this->permissionManager->userHasReadPermissionToCourse($user, $courseId);
 }
 /**
  * Decides whether the given user may view the given curriculum inventory report.
  *
  * @param CurriculumInventoryReportInterface $report
  * @param UserInterface $user
  * @return bool
  */
 protected function isViewGranted($report, $user)
 {
     // VIEW requires at least one of the 'Course Director' and 'Developer' roles ...
     if (!$this->userHasRole($user, ['Course Director', 'Developer'])) {
         return false;
     }
     // ... and an association with the school owning the report's program:
     // either it is the user's primary school ...
     $owningSchool = $report->getSchool();
     if ($this->schoolsAreIdentical($user->getSchool(), $owningSchool)) {
         return true;
     }
     // ... or the user holds READ rights for that school via the permissions system.
     return (bool) $this->permissionManager->userHasReadPermissionToSchool($user, $owningSchool->getId());
 }
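 /**
  * Votes on the given attribute for a school event.
  *
  * The decision is fail-closed: a token that does not carry a user object,
  * an attribute other than VIEW, or an event whose owning school cannot be
  * loaded, is denied.
  *
  * @param string $attribute one of the voter's attribute constants (only VIEW is handled)
  * @param SchoolEvent $event
  * @param TokenInterface $token
  * @return bool
  */
 protected function voteOnAttribute($attribute, $event, TokenInterface $token)
 {
     $user = $token->getUser();
     // Deny anything that is not a proper user object (e.g. an anonymous token).
     if (!$user instanceof UserInterface) {
         return false;
     }
     switch ($attribute) {
         case self::VIEW:
             // grant VIEW permissions if the event-owning school matches any of the given user's schools.
             // In addition, if the given user has NOT elevated privileges,
             // then do not grant access to view un-published events.
             /* @var SchoolInterface|null $eventOwningSchool */
             $eventOwningSchool = $this->schoolManager->findOneBy(['id' => $event->school]);
             // An event that references a school we cannot load is denied
             // instead of being dereferenced (fail closed rather than fatal).
             if (null === $eventOwningSchool) {
                 return false;
             }
             $isAssociatedWithSchool = $this->schoolsAreIdentical($eventOwningSchool, $user->getSchool())
                 || $this->permissionManager->userHasReadPermissionToSchool($user, $eventOwningSchool->getId());
             if (!$isAssociatedWithSchool) {
                 return false;
             }
             // Elevated roles may see unpublished events; everyone else only sees published ones.
             if ($this->userHasRole($user, ['Faculty', 'Course Director', 'Developer'])) {
                 return true;
             }
             return (bool) $event->isPublished;
     }
     // Unknown attributes are never granted.
     return false;
 }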
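 /**
  * Votes on the given attribute for a program year steward.
  *
  * The decision is fail-closed: a token that does not carry a user object,
  * and any attribute this voter does not know, is denied.
  *
  * Note the precedence of the grants below: the role requirement only applies
  * to the school-based statements; a direct READ/WRITE permission on the parent
  * program grants access on its own. The parentheses make this explicit.
  *
  * @param string $attribute one of the voter's attribute constants (VIEW, CREATE, EDIT, DELETE)
  * @param ProgramYearStewardInterface $steward
  * @param TokenInterface $token
  * @return bool
  */
 protected function voteOnAttribute($attribute, $steward, TokenInterface $token)
 {
     $user = $token->getUser();
     // Deny anything that is not a proper user object (e.g. an anonymous token).
     if (!$user instanceof UserInterface) {
         return false;
     }
     switch ($attribute) {
         case self::VIEW:
             // the given user is granted VIEW permissions on the given steward
             // when at least one of the following statements is true
             // 1. The user's primary school is the same as the parent program's owning school
             //    and the user has at least one of 'Course Director', 'Faculty' and 'Developer' role.
             // 2. The user has READ permissions on the parent program's owning school
             //    and the user has at least one of 'Course Director', 'Faculty' and 'Developer' role.
             // 3. The user's primary school matches the stewarding school
             //    and the user has at least one of 'Course Director', 'Faculty' and 'Developer' role.
             // 4. The user has READ permissions on the owning program (no role required).
             $programOwningSchool = $steward->getProgramOwningSchool();
             $hasRoleAndSchoolAssociation = $this->userHasRole($user, ['Course Director', 'Developer', 'Faculty'])
                 && ($this->schoolsAreIdentical($programOwningSchool, $user->getSchool())
                     || $this->permissionManager->userHasReadPermissionToSchool($user, $programOwningSchool->getId())
                     || $this->schoolsAreIdentical($steward->getSchool(), $user->getSchool()));
             return $hasRoleAndSchoolAssociation
                 || $this->permissionManager->userHasReadPermissionToProgram($user, $steward->getProgram());
         case self::CREATE:
         case self::EDIT:
         case self::DELETE:
             // the given user is granted CREATE, EDIT and DELETE permissions on the given steward
             // when at least one of the following statements is true
             // 1. The user's primary school is the same as the parent program's owning school
             //    and the user has at least one of 'Course Director' and 'Developer' role.
             // 2. The user has WRITE permissions on the parent program's owning school
             //    and the user has at least one of 'Course Director' and 'Developer' role.
             // 3. The user's primary school matches the stewarding school
             //    and the user has at least one of 'Course Director' and 'Developer' role.
             // 4. The user has WRITE permissions on the parent program (no role required).
             $programOwningSchool = $steward->getProgramOwningSchool();
             $hasRoleAndSchoolAssociation = $this->userHasRole($user, ['Course Director', 'Developer'])
                 && ($this->schoolsAreIdentical($programOwningSchool, $user->getSchool())
                     || $this->permissionManager->userHasWritePermissionToSchool($user, $programOwningSchool->getId())
                     || $this->schoolsAreIdentical($steward->getSchool(), $user->getSchool()));
             return $hasRoleAndSchoolAssociation
                 || $this->permissionManager->userHasWritePermissionToProgram($user, $steward->getProgram());
     }
     // Unknown attributes are never granted.
     return false;
 }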
 /**
  * A school-level READ permission row for the user grants read access to that
  * school; a null school id is refused.
  *
  * @covers \Ilios\CoreBundle\Entity\Manager\PermissionManager::userHasReadPermissionToSchool
  */
 public function testUserHasReadPermissionToSchool()
 {
     $user = new User();
     $user->setId(10);
     $school = new School();
     $school->setId(100);
     $permissionClass = 'Ilios\\CoreBundle\\Entity\\Permission';

     // The repository only answers the lookup for this exact school/user/canRead tuple.
     $expectedCriteria = ['tableRowId' => 100, 'tableName' => 'school', 'canRead' => true, 'user' => $user];
     $repository = m::mock('Doctrine\\ORM\\Repository');
     $repository->shouldReceive('findOneBy')
         ->with($expectedCriteria, null)
         ->andReturn(new Permission());

     $entityManager = m::mock('Doctrine\\ORM\\EntityManager');
     $registry = m::mock('Doctrine\\Bundle\\DoctrineBundle\\Registry');
     $registry->shouldReceive('getManagerForClass')->andReturn($entityManager);
     $registry->shouldReceive('getRepository')->andReturn($repository);

     $manager = new PermissionManager($registry, $permissionClass);
     $this->assertTrue($manager->userHasReadPermissionToSchool($user, $school->getId()));
     // NOTE(review): presumably the manager rejects a null school id before
     // querying the repository, since the mock above only matches id 100 — confirm.
     $this->assertFalse($manager->userHasReadPermissionToSchool($user, null));
 }