/**
* @param string $attribute
* @param TopicInterface $topic
* @param UserInterface $user
* @return bool
*/
protected function isGranted($attribute, $topic, $user = null)
{
if (!$user instanceof UserInterface) {
return false;
}
switch ($attribute) {
// grant VIEW privileges
// if the user's primary school is the the topic's owning school
// - or -
// if the user has READ rights on the topic's owning school
// via the permissions system.
case self::VIEW:
return $this->schoolsAreIdentical($topic->getSchool(), $user->getSchool()) || $this->permissionManager->userHasReadPermissionToSchool($user, $topic->getSchool());
break;
case self::CREATE:
case self::EDIT:
case self::DELETE:
// grant CREATE, EDIT and DELETE privileges
// if the user has the 'Developer' role
// - and -
// if the user's primary school is the the topic's owning school
// - or -
// if the user has WRITE rights on the topic's owning school
// via the permissions system.
return $this->userHasRole($user, ['Developer']) && ($this->schoolsAreIdentical($topic->getSchool(), $user->getSchool()) || $this->permissionManager->userHasWritePermissionToSchool($user, $topic->getSchool()));
break;
}
return false;
}
/**
* @param string $attribute
* @param SchoolInterface $school
* @param UserInterface|null $user
* @return bool
*/
protected function isGranted($attribute, $school, $user = null)
{
// make sure there is a user object (i.e. that the user is logged in)
if (!$user instanceof UserInterface) {
return false;
}
switch ($attribute) {
case self::VIEW:
// Only grant VIEW permissions if the given school is the given user's
// primary school
// - or -
// if the given user has been granted READ right on the given school
// via the permissions system.
return $this->schoolsAreIdentical($school, $user->getSchool()) || $this->permissionManager->userHasReadPermissionToSchool($user, $school);
break;
case self::CREATE:
// only developers can create schools.
return $this->userHasRole($user, ['Developer']);
break;
case self::EDIT:
case self::DELETE:
// Only grant EDIT and DELETE permissions if the user has the 'Developer' role.
// - and -
// the user must be associated with the given school,
// either by its primary school attribute
// - or - by WRITE rights for the school
// via the permissions system.
return $this->userHasRole($user, ['Developer']) && ($this->schoolsAreIdentical($school, $user->getSchool()) || $this->permissionManager->userHasWritePermissionToSchool($user, $school));
break;
}
return false;
}
/**
* @param string $attribute
* @param UserInterface $requestedUser
* @param TokenInterface $token
* @return bool
*/
protected function voteOnAttribute($attribute, $requestedUser, TokenInterface $token)
{
$user = $token->getUser();
if (!$user instanceof UserInterface) {
return false;
}
switch ($attribute) {
// at least one of these must be true.
// 1. the requested user is the current user
// 2. the current user has faculty/course director/developer role
case self::VIEW:
return $user->getId() === $requestedUser->getId() || $this->userHasRole($user, ['Course Director', 'Faculty', 'Developer']);
break;
// at least one of these must be true.
// 1. the current user has developer role
// and has the same primary school affiliation as the given user
// 2. the current user has developer role
// and has WRITE rights to one of the users affiliated schools.
// at least one of these must be true.
// 1. the current user has developer role
// and has the same primary school affiliation as the given user
// 2. the current user has developer role
// and has WRITE rights to one of the users affiliated schools.
case self::CREATE:
case self::EDIT:
case self::DELETE:
return $this->userHasRole($user, ['Developer']) && ($requestedUser->getAllSchools()->contains($user->getSchool()) || $this->permissionManager->userHasReadPermissionToSchools($user, $requestedUser->getAllSchools()));
break;
}
return false;
}
/**
* Utility method, determines if a given user has any of the given roles.
* @param UserInterface $user the user object
* @param array $eligibleRoles a list of role names
* @return bool TRUE if the user has at least one of the roles, FALSE otherwise.
*/
public function userHasRole(UserInterface $user, $eligibleRoles = array())
{
$roles = array_map(function (UserRoleInterface $role) {
return $role->getTitle();
}, $user->getRoles()->toArray());
$intersection = array_intersect($eligibleRoles, $roles);
return !empty($intersection);
}
/**
* @param CourseInterface $course
* @param UserInterface $user
* @return bool
*/
protected function isViewGranted($course, $user)
{
// grant VIEW privileges if at least one of the following
// statements is true:
// 1. the user's primary school is the course's owning school
// 2. the user has READ rights on the course's owning school via the permissions system
// 3. the user has READ rights on the course via the permissions system
return $this->schoolsAreIdentical($course->getSchool(), $user->getSchool()) || $this->permissionManager->userHasReadPermissionToSchool($user, $course->getSchool()) || $this->permissionManager->userHasReadPermissionToCourse($user, $course);
}
/**
* @param int $courseId
* @param int $owningSchoolId
* @param UserInterface $user
*
* @return bool
*/
protected function isViewGranted($courseId, $owningSchoolId, UserInterface $user)
{
// grant VIEW privileges if at least one of the following
// statements is true:
// 1. the user's primary school is the course's owning school
// 2. the user is instructing ILMs or offerings in this course
// 3. the user is directing this course
// 4. the user has READ rights on the course's owning school via the permissions system
// 5. the user has READ rights on the course via the permissions system
return $owningSchoolId === $user->getSchool()->getId() || $this->courseManager->isUserInstructingInCourse($user, $courseId) || $user->isDirectingCourse($courseId) || $this->permissionManager->userHasReadPermissionToSchool($user, $owningSchoolId) || $this->permissionManager->userHasReadPermissionToCourse($user, $courseId);
}
/**
* Build a token from a user
* @param UserInterface $user
* @param string $timeToLive PHP DateInterval notation for the length of time the token shoud be valid
* @return string
*/
public function createJwtFromUser(UserInterface $user, $timeToLive = 'PT8H')
{
$requestedInterval = new \DateInterval($timeToLive);
$maximumInterval = new \DateInterval('P364D');
$interval = $requestedInterval > $maximumInterval ? $maximumInterval : $requestedInterval;
$now = new DateTime();
$expires = clone $now;
$expires->add($interval);
$arr = array('iss' => self::TOKEN_ISS, 'aud' => self::TOKEN_AUD, 'iat' => $now->format('U'), 'exp' => $expires->format('U'), 'user_id' => $user->getId());
return JWT::encode($arr, $this->jwtKey);
}
/**
* @param string $attribute
* @param UserEvent $event
* @param UserInterface|null $user
* @return bool
*/
protected function isGranted($attribute, $event, $user = null)
{
// make sure there is a user object (i.e. that the user is logged in)
if (!$user instanceof UserInterface) {
return false;
}
switch ($attribute) {
case self::VIEW:
// check if the event-owning user is the given user
return $user->getId() === $event->user;
break;
}
return false;
}
/**
* @param string $attribute
* @param SchoolEvent $event
* @param UserInterface|null $user
* @return bool
*/
protected function isGranted($attribute, $event, $user = null)
{
// make sure there is a user object (i.e. that the user is logged in)
if (!$user instanceof UserInterface) {
return false;
}
switch ($attribute) {
case self::VIEW:
// grant VIEW permissions if the event-owning school matches any of the given user's schools.
$eventOwningSchool = $this->schoolManager->findSchoolBy(['id' => $event->school]);
return $this->schoolsAreIdentical($eventOwningSchool, $user->getSchool()) || $this->permissionManager->userHasReadPermissionToSchool($user, $eventOwningSchool);
break;
}
return false;
}
/**
* @param string $attribute
* @param UserMadeReminderInterface $reminder
* @param UserInterface $user
* @return bool
*/
protected function isGranted($attribute, $reminder, $user = null)
{
if (!$user instanceof UserInterface) {
return false;
}
switch ($attribute) {
// Users can perform any CRUD operations on their own reminders.
// Check if the given reminder's owning user is the given user.
case self::CREATE:
case self::VIEW:
case self::EDIT:
case self::DELETE:
return $user->getId() === $reminder->getUser()->getId();
break;
}
return false;
}
public function getJwt()
{
if (!$this->user) {
throw new \Exception('Can not build a JWT, we have no user');
}
$now = new \DateTime();
$expires = new \Datetime();
$expires->add(new \DateInterval("PT8H"));
$arr = array('iss' => 'ilios', 'aud' => 'ilios', 'iat' => $now->format('U'), 'exp' => $expires->format('U'), 'user_id' => $this->user->getId());
return TokenLib::encode($arr, $this->key);
}
/**
* Finds all courses associated with a given user.
* A user can be associated as either course director, learner or instructor with a given course.
*
* @param UserInterface $user
* @param array $criteria
* @param array|null $orderBy
* @param null $limit
* @param null $offset
* @return CourseInterface[]
* @throws \Exception
*/
public function findByUser(UserInterface $user, array $criteria, array $orderBy = null, $limit = null, $offset = null)
{
$rsm = new ResultSetMappingBuilder($this->_em);
$rsm->addRootEntityFromClassMetadata('IliosCoreBundle:Course', 'c');
$meta = $this->_em->getClassMetadata('IliosCoreBundle:Course');
if (empty($orderBy)) {
$orderBy = ['id' => 'ASC'];
}
$sql = <<<EOL
SELECT * FROM (
SELECT c.* FROM course c
JOIN course_director cd ON cd.course_id = c.course_id
JOIN user u ON u.user_id = cd.user_id
WHERE u.user_id = :user_id
UNION
SELECT c.* FROM course c
JOIN `session` s ON s.course_id = c.course_id
JOIN offering o ON o.session_id = s.session_id
JOIN offering_x_learner oxl ON oxl.offering_id = o.offering_id
JOIN user u ON u.user_id = oxl.user_id
WHERE u.user_id = :user_id
UNION
SELECT c.* FROM course c
JOIN `session` s ON s.course_id = c.course_id
JOIN offering o ON o.session_id = s.session_id
JOIN offering_x_group oxg ON oxg.offering_id = o.offering_id
JOIN `group` g ON g.group_id = oxg.group_id
JOIN group_x_user gxu ON gxu.group_id = g.group_id
JOIN user u ON u.user_id = gxu.user_id
WHERE u.user_id = :user_id
UNION
SELECT c.* FROM course c
JOIN `session` s ON s.course_id = c.course_id
JOIN ilm_session_facet ilm ON ilm.session_id = s.session_id
JOIN ilm_session_facet_x_learner ilmxl ON ilmxl.ilm_session_facet_id = ilm.ilm_session_facet_id
JOIN user u ON u.user_id = ilmxl.user_id
WHERE u.user_id = :user_id
UNION
SELECT c.* FROM course c
JOIN `session` s ON s.course_id = c.course_id
JOIN ilm_session_facet ilm ON ilm.session_id = s.session_id
JOIN ilm_session_facet_x_group ilmxg ON ilmxg.ilm_session_facet_id = ilm.ilm_session_facet_id
JOIN `group` g ON g.group_id = ilmxg.group_id
JOIN group_x_user gxu ON gxu.group_id = g.group_id
JOIN user u ON u.user_id = gxu.user_id
WHERE u.user_id = :user_id
UNION
SELECT c.* FROM course c
JOIN `session` s ON s.course_id = c.course_id
JOIN offering o ON o.session_id = s.session_id
JOIN offering_x_instructor oxi ON oxi.offering_id = o.offering_id
JOIN user u ON u.user_id = oxi.user_id
WHERE u.user_id = :user_id
UNION
SELECT c.* FROM course c
JOIN `session` s ON s.course_id = c.course_id
JOIN offering o ON o.session_id = s.session_id
JOIN offering_x_instructor_group oxig ON oxig.offering_id = o.offering_id
JOIN instructor_group ig ON ig.instructor_group_id = oxig.instructor_group_id
JOIN instructor_group_x_user igxu ON igxu.instructor_group_id = ig.instructor_group_id
JOIN user u ON u.user_id = igxu.user_id
WHERE u.user_id = :user_id
UNION
SELECT c.* FROM course c
JOIN `session` s ON s.course_id = c.course_id
JOIN ilm_session_facet ilm ON ilm.session_id = s.session_id
JOIN ilm_session_facet_x_instructor ilmxi ON ilmxi.ilm_session_facet_id = ilm.ilm_session_facet_id
JOIN user u ON u.user_id = ilmxi.user_id
WHERE u.user_id = :user_id
UNION
SELECT c.* FROM course c
JOIN `session` s ON s.course_id = c.course_id
JOIN ilm_session_facet ilm ON ilm.session_id = s.session_id
JOIN ilm_session_facet_x_instructor_group ilmxig ON ilmxig.ilm_session_facet_id = ilm.ilm_session_facet_id
JOIN instructor_group ig ON ig.instructor_group_id = ilmxig.instructor_group_id
JOIN instructor_group_x_user igxu ON igxu.instructor_group_id = ig.instructor_group_id
JOIN user u ON u.user_id = igxu.user_id
WHERE u.user_id = :user_id
) AS my_courses
EOL;
$params = [];
$i = 0;
$sqlFragments = [];
foreach ($criteria as $name => $value) {
$i++;
if (!$meta->hasField($name)) {
throw new \Exception(sprintf('"%s" is not a property of the Course entity.', $name));
}
$column = $meta->getColumnName($name);
$label = 'param' . $i;
$params[$name] = $label;
if (is_array($value)) {
$sqlFragments[] = "{$column} IN (:{$label})";
} else {
$sqlFragments[] = "{$column} = :{$label}";
}
}
if (count($sqlFragments)) {
$sql .= ' WHERE ' . implode(' AND ', $sqlFragments);
}
if (is_array($orderBy)) {
$sqlFragments = [];
foreach ($orderBy as $sort => $order) {
if (!$meta->hasField($sort)) {
throw new \Exception(sprintf('"%s" is not a property of the Course entity.', $sort));
}
$column = $meta->getColumnName($sort);
$sqlFragments[] = "{$column} " . ('desc' === strtolower($order) ? 'DESC' : 'ASC');
}
$sql .= ' ORDER BY ';
$sql .= implode(', ', $sqlFragments);
}
if (isset($limit)) {
$sql .= ' LIMIT :limit';
}
if (isset($offset)) {
$sql .= ' OFFSET :offset';
}
$query = $this->_em->createNativeQuery($sql, $rsm);
$query->setParameter('user_id', $user->getId());
foreach ($params as $field => $label) {
$value = $criteria[$field];
$query->setParameter($label, $value);
}
if (isset($limit)) {
$query->setParameter('limit', (int) $limit);
}
if (isset($offset)) {
$query->setParameter('offset', (int) $offset);
}
return $query->getResult();
}
/**
* Build a token from a user
* @param UserInterface $user
* @param string $timeToLive PHP DateInterval notation for the length of time the token shoud be valid
* @return string
*/
public function createJwtFromUser(UserInterface $user, $timeToLive = 'PT8H')
{
return $this->createJwtFromUserId($user->getId(), $timeToLive);
}
/**
* Checks if two given users are the same.
* @param UserInterface|null $userA
* @param UserInterface|null $userB
* @return bool
*/
public function usersAreIdentical(UserInterface $userA = null, UserInterface $userB = null)
{
return $userA instanceof UserInterface && $userB instanceof UserInterface && $userA->getId() === $userB->getId();
}
/**
* @param UserInterface $instructorUser
*/
public function addInstructorUser(UserInterface $instructorUser)
{
$this->instructorUsers->add($instructorUser);
}
