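/**
 * Decides whether the given token may perform $attribute on the given curriculum inventory export.
 *
 * Both supported attributes require the user to hold at least one of the
 * 'Course Director' and 'Developer' roles, and to be associated with the
 * school owning the export's parent report - either via the user's primary
 * school, or via the permissions system (WRITE rights for CREATE, READ rights
 * for VIEW). Unsupported attributes and non-user tokens are denied.
 *
 * @param string $attribute
 * @param CurriculumInventoryExportInterface $export
 * @param TokenInterface $token
 * @return bool
 */
protected function voteOnAttribute($attribute, $export, TokenInterface $token)
{
    $user = $token->getUser();
    // Anonymous / non-user tokens never get access.
    if (!$user instanceof UserInterface) {
        return false;
    }

    switch ($attribute) {
        case self::CREATE:
            // Only grant CREATE permissions to users with at least one of
            // 'Course Director' and 'Developer' roles.
            // - and -
            // the user must be associated with the school owning the parent report's program
            // either by its primary school attribute
            // - or - by WRITE rights for the school
            // via the permissions system.
            if (!$this->userHasRole($user, ['Course Director', 'Developer'])) {
                return false;
            }
            $school = $export->getReport()->getSchool();
            return $this->schoolsAreIdentical($user->getSchool(), $school)
                || $this->permissionManager->userHasWritePermissionToSchool($user, $school->getId());
        case self::VIEW:
            // Only grant VIEW permissions to users with at least one of
            // 'Course Director' and 'Developer' roles.
            // - and -
            // the user must be associated with the school owning the parent report's program
            // either by its primary school attribute
            // - or - by READ rights for the school
            // via the permissions system.
            if (!$this->userHasRole($user, ['Course Director', 'Developer'])) {
                return false;
            }
            $school = $export->getReport()->getSchool();
            return $this->schoolsAreIdentical($user->getSchool(), $school)
                || $this->permissionManager->userHasReadPermissionToSchool($user, $school->getId());
    }

    // Unsupported attribute: deny.
    return false;
}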
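/**
 * Decides whether the given token may perform $attribute on the given department.
 *
 * VIEW requires the user to be associated with the department's owning school,
 * either as the user's primary school or via READ rights in the permissions
 * system. CREATE, EDIT and DELETE additionally require the 'Developer' role,
 * with WRITE rights (or primary-school membership) on that school. Anything
 * else, including non-user tokens, is denied.
 *
 * @param string $attribute
 * @param DepartmentInterface $department
 * @param TokenInterface $token
 * @return bool
 */
protected function voteOnAttribute($attribute, $department, TokenInterface $token)
{
    $user = $token->getUser();
    // Anonymous / non-user tokens never get access.
    if (!$user instanceof UserInterface) {
        return false;
    }

    switch ($attribute) {
        case self::VIEW:
            // grant VIEW privileges
            // if the user's primary school is the department's owning school
            // - or -
            // if the user has READ rights on the department's owning school
            // via the permissions system.
            $school = $department->getSchool();
            return $this->schoolsAreIdentical($school, $user->getSchool())
                || $this->permissionManager->userHasReadPermissionToSchool($user, $school->getId());
        case self::CREATE:
        case self::EDIT:
        case self::DELETE:
            // grant CREATE, EDIT and DELETE privileges
            // if the user has the 'Developer' role
            // - and -
            // if the user's primary school is the department's owning school
            // - or -
            // if the user has WRITE rights on the department's owning school
            // via the permissions system.
            if (!$this->userHasRole($user, ['Developer'])) {
                return false;
            }
            $school = $department->getSchool();
            return $this->schoolsAreIdentical($school, $user->getSchool())
                || $this->permissionManager->userHasWritePermissionToSchool($user, $school->getId());
    }

    // Unsupported attribute: deny.
    return false;
}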
/**
 * Checks whether the given user may view the given course.
 *
 * @param int $courseId
 * @param int $owningSchoolId
 * @param UserInterface $user
 *
 * @return bool
 */
protected function isViewGranted($courseId, $owningSchoolId, UserInterface $user)
{
    // VIEW is granted as soon as one of the checks below succeeds; they are
    // evaluated in order and evaluation stops at the first match.

    // 1. the user's primary school is the course's owning school
    // NOTE(review): assumes the user always has a primary school - confirm getSchool() cannot return null here.
    if ($owningSchoolId === $user->getSchool()->getId()) {
        return true;
    }
    // 2. the user is instructing ILMs or offerings in this course
    if ($this->courseManager->isUserInstructingInCourse($user, $courseId)) {
        return true;
    }
    // 3. the user is directing this course
    if ($user->isDirectingCourse($courseId)) {
        return true;
    }
    // 4. the user has READ rights on the course's owning school via the permissions system
    if ($this->permissionManager->userHasReadPermissionToSchool($user, $owningSchoolId)) {
        return true;
    }
    // 5. the user has READ rights on the course via the permissions system
    return (bool) $this->permissionManager->userHasReadPermissionToCourse($user, $courseId);
}
/**
 * Checks whether the given user may view the given curriculum inventory report.
 *
 * @param CurriculumInventoryReportInterface $report
 * @param UserInterface $user
 * @return bool
 */
protected function isViewGranted($report, $user)
{
    // VIEW requires at least one of the 'Course Director' and 'Developer' roles ...
    if (!$this->userHasRole($user, ['Course Director', 'Developer'])) {
        return false;
    }

    // ... and an association with the school owning the report's program:
    // either the user's primary school, or READ rights for that school
    // via the permissions system.
    $reportSchool = $report->getSchool();
    if ($this->schoolsAreIdentical($user->getSchool(), $reportSchool)) {
        return true;
    }
    return (bool) $this->permissionManager->userHasReadPermissionToSchool($user, $reportSchool->getId());
}
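/**
 * Decides whether the given token may perform $attribute on the given school event.
 *
 * Only VIEW is supported: the user must be associated with the event-owning
 * school (primary school or READ rights via the permissions system), and users
 * without one of the 'Faculty', 'Course Director' and 'Developer' roles may
 * only see published events. Anything else, including non-user tokens, is denied.
 *
 * @param string $attribute
 * @param SchoolEvent $event
 * @param TokenInterface $token
 * @return bool
 */
protected function voteOnAttribute($attribute, $event, TokenInterface $token)
{
    $user = $token->getUser();
    // Anonymous / non-user tokens never get access.
    if (!$user instanceof UserInterface) {
        return false;
    }

    switch ($attribute) {
        case self::VIEW:
            // grant VIEW permissions if the event-owning school matches any of the given user's schools.
            // In addition, if the given user has NOT elevated privileges,
            // then do not grant access to view un-published events.
            /* @var SchoolInterface|null $eventOwningSchool */
            $eventOwningSchool = $this->schoolManager->findOneBy(['id' => $event->school]);
            // Fail closed when the event references a school that cannot be resolved;
            // otherwise the id lookup below would run against null.
            if (null === $eventOwningSchool) {
                return false;
            }

            $hasElevatedPrivileges = $this->userHasRole($user, ['Faculty', 'Course Director', 'Developer']);
            // The school association is the same in both branches, so compute it once.
            $isAssociatedWithSchool = $this->schoolsAreIdentical($eventOwningSchool, $user->getSchool())
                || $this->permissionManager->userHasReadPermissionToSchool($user, $eventOwningSchool->getId());

            if ($hasElevatedPrivileges) {
                return $isAssociatedWithSchool;
            }
            return $isAssociatedWithSchool && $event->isPublished;
    }

    // Unsupported attribute: deny.
    return false;
}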
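/**
 * Decides whether the given token may perform $attribute on the given program year steward.
 *
 * Note that rule 4 of each attribute group (READ/WRITE permissions on the
 * parent program via the permissions system) grants access on its own, without
 * any role requirement; the role requirement only applies to the school-based
 * rules 1-3. Unsupported attributes and non-user tokens are denied.
 *
 * @param string $attribute
 * @param ProgramYearStewardInterface $steward
 * @param TokenInterface $token
 * @return bool
 */
protected function voteOnAttribute($attribute, $steward, TokenInterface $token)
{
    $user = $token->getUser();
    // Anonymous / non-user tokens never get access.
    if (!$user instanceof UserInterface) {
        return false;
    }

    switch ($attribute) {
        case self::VIEW:
            // the given user is granted VIEW permissions on the given steward
            // when at least one of the following statements is true
            // 1. The user's primary school is the same as the parent program's owning school
            //    and the user has at least one of 'Course Director', 'Faculty' and 'Developer' role.
            // 2. The user has READ permissions on the parent program's owning school
            //    and the user has at least one of 'Course Director', 'Faculty' and 'Developer' role.
            // 3. The user's primary school matches the stewarding school
            //    and the user has at least one of 'Course Director', 'Faculty' and 'Developer' role.
            // 4. The user has READ permissions on the owning program (no role required).
            if ($this->userHasRole($user, ['Course Director', 'Developer', 'Faculty'])) {
                $programOwningSchool = $steward->getProgramOwningSchool();
                if ($this->schoolsAreIdentical($programOwningSchool, $user->getSchool())
                    || $this->permissionManager->userHasReadPermissionToSchool($user, $programOwningSchool->getId())
                    || $this->schoolsAreIdentical($steward->getSchool(), $user->getSchool())
                ) {
                    return true;
                }
            }
            return (bool) $this->permissionManager->userHasReadPermissionToProgram($user, $steward->getProgram());
        case self::CREATE:
        case self::EDIT:
        case self::DELETE:
            // the given user is granted CREATE, EDIT and DELETE permissions on the given steward
            // when at least one of the following statements is true
            // 1. The user's primary school is the same as the parent program's owning school
            //    and the user has at least one of 'Course Director' and 'Developer' role.
            // 2. The user has WRITE permissions on the parent program's owning school
            //    and the user has at least one of 'Course Director' and 'Developer' role.
            // 3. The user's primary school matches the stewarding school
            //    and the user has at least one of 'Course Director' and 'Developer' role.
            // 4. The user has WRITE permissions on the parent program (no role required).
            if ($this->userHasRole($user, ['Course Director', 'Developer'])) {
                $programOwningSchool = $steward->getProgramOwningSchool();
                if ($this->schoolsAreIdentical($programOwningSchool, $user->getSchool())
                    || $this->permissionManager->userHasWritePermissionToSchool($user, $programOwningSchool->getId())
                    || $this->schoolsAreIdentical($steward->getSchool(), $user->getSchool())
                ) {
                    return true;
                }
            }
            return (bool) $this->permissionManager->userHasWritePermissionToProgram($user, $steward->getProgram());
    }

    // Unsupported attribute: deny.
    return false;
}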
/**
 * @covers \Ilios\CoreBundle\Entity\Manager\PermissionManager::userHasReadPermissionToSchool
 */
public function testUserHasReadPermissionToSchool()
{
    // Fixtures: a user and a school with fixed ids so the repository lookup can be pinned.
    $user = new User();
    $user->setId(10);
    $school = new School();
    $school->setId(100);

    $permissionClass = 'Ilios\\CoreBundle\\Entity\\Permission';

    // The repository mock only answers the exact READ lookup for school 100.
    $repositoryMock = m::mock('Doctrine\\ORM\\Repository');
    $repositoryMock
        ->shouldReceive('findOneBy')
        ->with(['tableRowId' => 100, 'tableName' => 'school', 'canRead' => true, 'user' => $user], null)
        ->andReturn(new Permission());

    $entityManagerMock = m::mock('Doctrine\\ORM\\EntityManager');
    $registryMock = m::mock('Doctrine\\Bundle\\DoctrineBundle\\Registry');
    $registryMock->shouldReceive('getManagerForClass')->andReturn($entityManagerMock);
    $registryMock->shouldReceive('getRepository')->andReturn($repositoryMock);

    $manager = new PermissionManager($registryMock, $permissionClass);

    // A matching permission row grants READ; a null school id is expected to be denied.
    $this->assertTrue($manager->userHasReadPermissionToSchool($user, $school->getId()));
    $this->assertFalse($manager->userHasReadPermissionToSchool($user, null));
}