 /**
  * @param string $attribute
  * @param ProgramInterface $program
  * @param TokenInterface $token
  * @return bool
  */
 protected function voteOnAttribute($attribute, $program, TokenInterface $token)
 {
     // Deny outright when the token does not carry a UserInterface instance.
     $user = $token->getUser();
     if (!$user instanceof UserInterface) {
         return false;
     }

     switch ($attribute) {
         case self::VIEW:
             // Viewing a program is not restricted beyond the user check above.
             return true;
         case self::CREATE:
         case self::EDIT:
         case self::DELETE:
             // CREATE, EDIT and DELETE are granted when at least one of these holds:
             // 1. The user has the 'Course Director' or 'Developer' role and the user's
             //    primary school is the program's owning school.
             // 2. The user has one of those roles and WRITE permission on the program's
             //    owning school.
             // 3. The user has WRITE permission on the program itself.
             if ($this->userHasRole($user, ['Course Director', 'Developer'])) {
                 if ($this->schoolsAreIdentical($program->getSchool(), $user->getSchool())) {
                     return true;
                 }
                 $canWriteToSchool = $this->permissionManager->userHasWritePermissionToSchool(
                     $user,
                     $program->getSchool()->getId()
                 );
                 if ($canWriteToSchool) {
                     return true;
                 }
             }
             // Rule 3 is evaluated last and does not depend on the role check:
             // a program-level WRITE permission is sufficient on its own.
             return (bool) $this->permissionManager->userHasWritePermissionToProgram($user, $program);
     }

     // Any attribute not handled above is denied.
     return false;
 }
 /**
  * @param string $attribute
  * @param LearnerGroupInterface $group
  * @param TokenInterface $token
  * @return bool
  */
 protected function voteOnAttribute($attribute, $group, TokenInterface $token)
 {
     // Deny outright when the token does not carry a UserInterface instance.
     $user = $token->getUser();
     if (!$user instanceof UserInterface) {
         return false;
     }

     switch ($attribute) {
         case self::VIEW:
             // Viewing a learner group is not restricted beyond the user check above.
             return true;
         case self::CREATE:
         case self::EDIT:
         case self::DELETE:
             // CREATE, EDIT and DELETE are granted when at least one of these holds:
             // 1. The user has the 'Course Director' or 'Developer' role and the user's
             //    primary school is the group's owning school.
             // 2. The user has one of those roles and WRITE rights on the group's
             //    owning school via the permissions system.
             // 3. The user has WRITE rights to the group's owning program.
             if ($this->userHasRole($user, ['Course Director', 'Developer'])) {
                 if ($this->schoolsAreIdentical($user->getSchool(), $group->getSchool())) {
                     return true;
                 }
                 $canWriteToSchool = $this->permissionManager->userHasWritePermissionToSchool(
                     $user,
                     $group->getSchool()->getId()
                 );
                 if ($canWriteToSchool) {
                     return true;
                 }
             }
             // Rule 3 is evaluated last and does not depend on the role check:
             // a program-level WRITE permission is sufficient on its own.
             return (bool) $this->permissionManager->userHasWritePermissionToProgram(
                 $user,
                 $group->getProgram()
             );
     }

     // Any attribute not handled above is denied.
     return false;
 }
 /**
  * @param ObjectiveInterface $objective
  * @param UserInterface $user
  * @return bool
  */
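 protected function isCreateEditDeleteGrantedForProgramYearObjective($objective, $user)
 {
     /** @var ProgramYearInterface|false $programYear */
     $programYear = $objective->getProgramYears()->first();
     // There should only ever be one program year per objective. If there is none,
     // first() presumably yields a falsy value (Doctrine collection semantics - confirm);
     // deny access instead of failing on a method call against a non-object.
     if (!$programYear) {
         return false;
     }

     // Code below has been copy/pasted straight out of ProgramYearVoter::isGranted().
     // TODO: consolidate. [ST 2015/08/05]

     // Locked or archived program years are never writable.
     if ($programYear->isLocked() || $programYear->isArchived()) {
         return false;
     }

     // Granted when the user has the 'Course Director' or 'Developer' role AND one of:
     //   - the user's school is the program year's school,
     //   - the user has WRITE permission on that school,
     //   - the steward manager reports stewardship for this user and program year;
     // OR, independently of role, when the user has WRITE permission on the parent program.
     // (&& binds tighter than ||, so the program-level permission stands on its own.)
     return $this->userHasRole($user, ['Course Director', 'Developer'])
         && (
             $this->schoolsAreIdentical($programYear->getSchool(), $user->getSchool())
             || $this->permissionManager->userHasWritePermissionToSchool($user, $programYear->getSchool()->getId())
             || $this->stewardManager->schoolIsStewardingProgramYear($user, $programYear)
         )
         || $this->permissionManager->userHasWritePermissionToProgram($user, $programYear->getProgram());
 }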
 /**
  * @param ProgramYearInterface $programYear
  * @param UserInterface $user
  * @return bool
  */
 protected function isWriteGranted(ProgramYearInterface $programYear, $user)
 {
     // CREATE/EDIT/DELETE on a program year is granted when at least one of these holds:
     // 1. The user has the 'Course Director' or 'Developer' role and the user's primary
     //    school is the parent program's owning school.
     // 2. The user has one of those roles and WRITE permissions on the parent program's
     //    owning school.
     // 3. The user has one of those roles and the user's primary school matches at least
     //    one of the schools owning the program year's stewarding department.
     // 4. The user has WRITE permissions on the parent program.
     if ($this->userHasRole($user, ['Course Director', 'Developer'])) {
         if ($this->schoolsAreIdentical($programYear->getSchool(), $user->getSchool())) {
             return true;
         }
         $canWriteToSchool = $this->permissionManager->userHasWritePermissionToSchool(
             $user,
             $programYear->getSchool()->getId()
         );
         if ($canWriteToSchool) {
             return true;
         }
         if ($this->stewardManager->schoolIsStewardingProgramYear($user, $programYear)) {
             return true;
         }
     }

     // Rule 4 is evaluated last and does not depend on the role check.
     return (bool) $this->permissionManager->userHasWritePermissionToProgram(
         $user,
         $programYear->getProgram()
     );
 }
 /**
  * @param string $attribute
  * @param ProgramYearStewardInterface $steward
  * @param TokenInterface $token
  * @return bool
  */
 protected function voteOnAttribute($attribute, $steward, TokenInterface $token)
 {
     // Deny outright when the token does not carry a UserInterface instance.
     $user = $token->getUser();
     if (!$user instanceof UserInterface) {
         return false;
     }

     switch ($attribute) {
         case self::VIEW:
             // VIEW is granted when at least one of these holds:
             // 1. The user has the 'Course Director', 'Faculty' or 'Developer' role and
             //    the user's primary school is the parent program's owning school.
             // 2. The user has one of those roles and READ permissions on the parent
             //    program's owning school.
             // 3. The user has one of those roles and the user's primary school matches
             //    the stewarding school.
             // 4. The user has READ permissions on the owning program.
             if ($this->userHasRole($user, ['Course Director', 'Developer', 'Faculty'])) {
                 if ($this->schoolsAreIdentical($steward->getProgramOwningSchool(), $user->getSchool())) {
                     return true;
                 }
                 $canReadSchool = $this->permissionManager->userHasReadPermissionToSchool(
                     $user,
                     $steward->getProgramOwningSchool()->getId()
                 );
                 if ($canReadSchool) {
                     return true;
                 }
                 if ($this->schoolsAreIdentical($steward->getSchool(), $user->getSchool())) {
                     return true;
                 }
             }
             // Rule 4 is evaluated last and does not depend on the role check.
             return (bool) $this->permissionManager->userHasReadPermissionToProgram(
                 $user,
                 $steward->getProgram()
             );
         case self::CREATE:
         case self::EDIT:
         case self::DELETE:
             // CREATE, EDIT and DELETE are granted when at least one of these holds:
             // 1. The user has the 'Course Director' or 'Developer' role and the user's
             //    primary school is the parent program's owning school.
             // 2. The user has one of those roles and WRITE permissions on the parent
             //    program's owning school.
             // 3. The user has one of those roles and the user's primary school matches
             //    the stewarding school.
             // 4. The user has WRITE permissions on the parent program.
             if ($this->userHasRole($user, ['Course Director', 'Developer'])) {
                 if ($this->schoolsAreIdentical($steward->getProgramOwningSchool(), $user->getSchool())) {
                     return true;
                 }
                 $canWriteToSchool = $this->permissionManager->userHasWritePermissionToSchool(
                     $user,
                     $steward->getProgramOwningSchool()->getId()
                 );
                 if ($canWriteToSchool) {
                     return true;
                 }
                 if ($this->schoolsAreIdentical($steward->getSchool(), $user->getSchool())) {
                     return true;
                 }
             }
             // Rule 4 is evaluated last and does not depend on the role check.
             return (bool) $this->permissionManager->userHasWritePermissionToProgram(
                 $user,
                 $steward->getProgram()
             );
     }

     // Any attribute not handled above is denied.
     return false;
 }
 /**
  * @covers \Ilios\CoreBundle\Entity\Manager\PermissionManager::userHasWritePermissionToProgram
  */
 public function testUserHasWritePermissionToProgram()
 {
     // Fixture entities: the ids below are the ones the repository lookup is expected to use.
     $user = new User();
     $user->setId(10);
     $program = new Program();
     $program->setId(100);

     $class = 'Ilios\\CoreBundle\\Entity\\Permission';
     $em = m::mock('Doctrine\\ORM\\EntityManager');

     // The repository only answers the exact "write permission on program 100 for this user" query.
     $repository = m::mock('Doctrine\\ORM\\Repository');
     $repository
         ->shouldReceive('findOneBy')
         ->with(['tableRowId' => 100, 'tableName' => 'program', 'canWrite' => true, 'user' => $user], null)
         ->andReturn(new Permission());

     // Both expectations are registered on the registry mock itself.
     $registry = m::mock('Doctrine\\Bundle\\DoctrineBundle\\Registry');
     $registry->shouldReceive('getManagerForClass')->andReturn($em);
     $registry->shouldReceive('getRepository')->andReturn($repository);

     $manager = new PermissionManager($registry, $class);

     // A matching permission record grants write access; a null program must be denied.
     $this->assertTrue($manager->userHasWritePermissionToProgram($user, $program));
     $this->assertFalse($manager->userHasWritePermissionToProgram($user, null));
 }