/**
 * Votes on the given attribute for the given program.
 *
 * VIEW is granted to every authenticated user. CREATE, EDIT and DELETE are granted when the
 * user holds at least one of the 'Course Director' and 'Developer' roles AND is associated with
 * the program's owning school (either as primary school, or via WRITE rights on that school),
 * or - independent of any role - when the user holds WRITE rights on the program itself.
 * Every other attribute, and every token that does not carry an authenticated user, is denied.
 *
 * @param string $attribute
 * @param ProgramInterface $program
 * @param TokenInterface $token
 * @return bool
 */
protected function voteOnAttribute($attribute, $program, TokenInterface $token)
{
    $user = $token->getUser();
    // fail closed: nothing is granted to a token without an authenticated user.
    if (!$user instanceof UserInterface) {
        return false;
    }

    switch ($attribute) {
        case self::VIEW:
            // no special view permissions are enforced on programs.
            return true;
        case self::CREATE:
        case self::EDIT:
        case self::DELETE:
            // role-gated path: primary school match, or WRITE rights on the owning school.
            if ($this->userHasRole($user, ['Course Director', 'Developer'])) {
                $owningSchool = $program->getSchool();
                if ($this->schoolsAreIdentical($owningSchool, $user->getSchool())
                    || $this->permissionManager->userHasWritePermissionToSchool($user, $owningSchool->getId())
                ) {
                    return true;
                }
            }
            // role-independent path: WRITE rights on the program itself.
            return $this->permissionManager->userHasWritePermissionToProgram($user, $program);
    }

    return false;
}
/**
 * Votes on the given attribute for the given instructor group.
 *
 * VIEW is granted to every authenticated user (instructor groups, unlike instructor details,
 * are visible system-wide). CREATE, EDIT and DELETE require at least one of the
 * 'Course Director' and 'Developer' roles AND an association with the group's owning school:
 * either it is the user's primary school, or the user holds WRITE rights on it via the
 * permissions system. Everything else, including an unauthenticated token, is denied.
 *
 * @param string $attribute
 * @param InstructorGroupInterface $group
 * @param TokenInterface $token
 * @return bool
 */
protected function voteOnAttribute($attribute, $group, TokenInterface $token)
{
    $user = $token->getUser();
    // fail closed on tokens that do not carry an authenticated user.
    if (!$user instanceof UserInterface) {
        return false;
    }

    switch ($attribute) {
        case self::VIEW:
            // no special permissions are enforced for viewing instructor groups.
            return true;
        case self::CREATE:
        case self::EDIT:
        case self::DELETE:
            // the role requirement is mandatory; without it no school association can help.
            if (!$this->userHasRole($user, ['Course Director', 'Developer'])) {
                return false;
            }
            $owningSchool = $group->getSchool();
            return $this->schoolsAreIdentical($user->getSchool(), $owningSchool)
                || $this->permissionManager->userHasWritePermissionToSchool($user, $owningSchool->getId());
    }

    return false;
}
/**
 * Votes on the given attribute for the given school.
 *
 * VIEW is granted to every authenticated user. CREATE requires the 'Developer' role only.
 * EDIT and DELETE require the 'Developer' role AND an association with the given school:
 * either it is the user's primary school, or the user holds WRITE rights on it via the
 * permissions system. Everything else, including an unauthenticated token, is denied.
 *
 * @param string $attribute
 * @param SchoolInterface $school
 * @param TokenInterface $token
 * @return bool
 */
protected function voteOnAttribute($attribute, $school, TokenInterface $token)
{
    $user = $token->getUser();
    // fail closed on tokens that do not carry an authenticated user.
    if (!$user instanceof UserInterface) {
        return false;
    }

    switch ($attribute) {
        case self::VIEW:
            // schools are viewable by all authenticated users.
            return true;
        case self::CREATE:
            // creating schools is reserved to developers.
            return $this->userHasRole($user, ['Developer']);
        case self::EDIT:
        case self::DELETE:
            // the 'Developer' role is mandatory ...
            if (!$this->userHasRole($user, ['Developer'])) {
                return false;
            }
            // ... and the user must be tied to this school, by primary school or WRITE rights.
            return $this->schoolsAreIdentical($school, $user->getSchool())
                || $this->permissionManager->userHasWritePermissionToSchool($user, $school->getId());
    }

    return false;
}
/**
 * Votes on the given attribute for the given (requested) user.
 *
 * VIEW is granted when the requested user is the current user, or when the current user has
 * at least one of the 'Course Director', 'Faculty' and 'Developer' roles.
 * CREATE, EDIT and DELETE require the 'Developer' role AND that the current user's primary
 * school is one of the requested user's schools, or that the current user has READ rights
 * on the requested user's schools via the permissions system.
 * Everything else, including an unauthenticated token, is denied.
 *
 * NOTE(review): the original comment described the second condition as WRITE rights, but
 * the code calls userHasReadPermissionToSchools(); confirm which of the two is intended.
 *
 * @param string $attribute
 * @param UserInterface $requestedUser
 * @param TokenInterface $token
 * @return bool
 */
protected function voteOnAttribute($attribute, $requestedUser, TokenInterface $token)
{
    $user = $token->getUser();
    // fail closed on tokens that do not carry an authenticated user.
    if (!$user instanceof UserInterface) {
        return false;
    }

    switch ($attribute) {
        case self::VIEW:
            // a user may always see their own record ...
            if ($user->getId() === $requestedUser->getId()) {
                return true;
            }
            // ... otherwise an elevated role is required.
            return $this->userHasRole($user, ['Course Director', 'Faculty', 'Developer']);
        case self::CREATE:
        case self::EDIT:
        case self::DELETE:
            // the 'Developer' role is mandatory.
            if (!$this->userHasRole($user, ['Developer'])) {
                return false;
            }
            $requestedUserSchools = $requestedUser->getAllSchools();
            // primary school affiliation, or (READ) permission on the requested user's schools.
            return $requestedUserSchools->contains($user->getSchool())
                || $this->permissionManager->userHasReadPermissionToSchools($user, $requestedUserSchools);
    }

    return false;
}
/**
 * Votes on the given attribute for the given session type.
 *
 * VIEW is granted to every authenticated user without further restriction.
 * CREATE, EDIT and DELETE require the 'Developer' role AND an association with the
 * session type's owning school: either it is the user's primary school, or the user holds
 * WRITE rights on it via the permissions system.
 * Everything else, including an unauthenticated token, is denied.
 *
 * @param string $attribute
 * @param SessionTypeInterface $sessionType
 * @param TokenInterface $token
 * @return bool
 */
protected function voteOnAttribute($attribute, $sessionType, TokenInterface $token)
{
    $user = $token->getUser();
    // fail closed on tokens that do not carry an authenticated user.
    if (!$user instanceof UserInterface) {
        return false;
    }

    switch ($attribute) {
        case self::VIEW:
            // no restrictions on viewing session types.
            return true;
        case self::CREATE:
        case self::EDIT:
        case self::DELETE:
            // the 'Developer' role is mandatory ...
            if (!$this->userHasRole($user, ['Developer'])) {
                return false;
            }
            // ... plus a tie to the owning school, by primary school or WRITE rights.
            $owningSchool = $sessionType->getSchool();
            return $this->schoolsAreIdentical($owningSchool, $user->getSchool())
                || $this->permissionManager->userHasWritePermissionToSchool($user, $owningSchool->getId());
    }

    return false;
}
/**
 * Votes on the given attribute for the given curriculum inventory export.
 *
 * Both CREATE and VIEW require at least one of the 'Course Director' and 'Developer' roles
 * AND an association with the school owning the export's parent report: either it is the
 * user's primary school, or the user holds rights on it via the permissions system -
 * WRITE rights for CREATE, READ rights for VIEW.
 * Everything else (EDIT and DELETE included), and any unauthenticated token, is denied.
 *
 * @param string $attribute
 * @param CurriculumInventoryExportInterface $export
 * @param TokenInterface $token
 * @return bool
 */
protected function voteOnAttribute($attribute, $export, TokenInterface $token)
{
    $user = $token->getUser();
    // fail closed on tokens that do not carry an authenticated user.
    if (!$user instanceof UserInterface) {
        return false;
    }

    switch ($attribute) {
        case self::CREATE:
            // CREATE: role required, then primary school match or WRITE rights on the report's school.
            if (!$this->userHasRole($user, ['Course Director', 'Developer'])) {
                return false;
            }
            $reportSchool = $export->getReport()->getSchool();
            return $this->schoolsAreIdentical($user->getSchool(), $reportSchool)
                || $this->permissionManager->userHasWritePermissionToSchool($user, $reportSchool->getId());
        case self::VIEW:
            // VIEW: role required, then primary school match or READ rights on the report's school.
            if (!$this->userHasRole($user, ['Course Director', 'Developer'])) {
                return false;
            }
            $reportSchool = $export->getReport()->getSchool();
            return $this->schoolsAreIdentical($user->getSchool(), $reportSchool)
                || $this->permissionManager->userHasReadPermissionToSchool($user, $reportSchool->getId());
    }

    return false;
}
/**
 * Decides whether the given user may CREATE/EDIT/DELETE the given course.
 *
 * Granted when the user holds at least one of the 'Faculty', 'Course Director' and 'Developer'
 * roles AND is tied to the course's owning school (it is the user's primary school, or the
 * user has WRITE rights on it via the permissions system), or - independent of any role -
 * when the user has WRITE rights on the course itself via the permissions system.
 *
 * The primary-school check is a strict (===) comparison of ids, so a school id of a
 * different scalar type than $owningSchoolId will not match.
 *
 * @param int $courseId
 * @param int $owningSchoolId
 * @param UserInterface $user
 *
 * @return bool
 */
protected function isWriteGranted($courseId, $owningSchoolId, UserInterface $user)
{
    // role-gated path: owning school is the primary school, or WRITE rights on it.
    if ($this->userHasRole($user, ['Faculty', 'Course Director', 'Developer'])) {
        if ($owningSchoolId === $user->getSchool()->getId()
            || $this->permissionManager->userHasWritePermissionToSchool($user, $owningSchoolId)
        ) {
            return true;
        }
    }

    // role-independent path: WRITE rights on the course itself.
    return $this->permissionManager->userHasWritePermissionToCourse($user, $courseId);
}
/**
 * Decides whether the given user may CREATE the given curriculum inventory report.
 *
 * Granted only when the user holds at least one of the 'Course Director' and 'Developer'
 * roles AND is tied to the school owning the report: it is the user's primary school, or
 * the user has WRITE rights on it via the permissions system.
 *
 * @param CurriculumInventoryReportInterface $report
 * @param UserInterface $user
 * @return bool
 */
protected function isCreateGranted($report, $user)
{
    // the role is a hard requirement; without it no school association matters.
    if (!$this->userHasRole($user, ['Course Director', 'Developer'])) {
        return false;
    }

    $reportSchool = $report->getSchool();
    return $this->schoolsAreIdentical($user->getSchool(), $reportSchool)
        || $this->permissionManager->userHasWritePermissionToSchool($user, $reportSchool->getId());
}
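/**
 * Votes on the given attribute for the given school event.
 *
 * Only VIEW is handled. It is granted when the event-owning school is the user's primary
 * school, or the user has READ rights on it via the permissions system; users without one
 * of the 'Faculty', 'Course Director' and 'Developer' roles are additionally denied access
 * to unpublished events. Every other attribute is denied, as is any unauthenticated token,
 * and - fail closed - any event whose owning school cannot be resolved.
 *
 * @param string $attribute
 * @param SchoolEvent $event
 * @param TokenInterface $token
 * @return bool
 */
protected function voteOnAttribute($attribute, $event, TokenInterface $token)
{
    $user = $token->getUser();
    // fail closed on tokens that do not carry an authenticated user.
    if (!$user instanceof UserInterface) {
        return false;
    }

    switch ($attribute) {
        case self::VIEW:
            /* @var SchoolInterface $eventOwningSchool */
            $eventOwningSchool = $this->schoolManager->findOneBy(['id' => $event->school]);
            if (!$eventOwningSchool) {
                // the event references a school that cannot be found: deny, instead of
                // failing on the getId() call below with an unhandled error.
                return false;
            }

            $hasElevatedPrivileges = $this->userHasRole($user, ['Faculty', 'Course Director', 'Developer']);
            // the user must be tied to the owning school, by primary school or READ rights.
            $isTiedToOwningSchool = $this->schoolsAreIdentical($eventOwningSchool, $user->getSchool())
                || $this->permissionManager->userHasReadPermissionToSchool($user, $eventOwningSchool->getId());

            if ($hasElevatedPrivileges) {
                return $isTiedToOwningSchool;
            }
            // without elevated privileges, unpublished events stay hidden.
            return $isTiedToOwningSchool && $event->isPublished;
    }

    return false;
}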
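/**
 * Decides whether the given user may CREATE/EDIT/DELETE the given course objective.
 *
 * Denied outright when the objective has no course, or when its course is archived or locked.
 * Otherwise granted when the user holds at least one of the 'Faculty', 'Course Director' and
 * 'Developer' roles AND is tied to the course's owning school (primary school, or WRITE
 * rights on it via the permissions system), or - independent of any role - when the user
 * has WRITE rights on the course itself via the permissions system.
 *
 * @param ObjectiveInterface $objective
 * @param UserInterface $user
 * @return bool
 */
protected function isCreateEditDeleteGrantedForCourseObjective($objective, $user)
{
    /* @var CourseInterface $course */
    $course = $objective->getCourses()->first(); // there should ever only be one
    if (!$course) {
        // first() yields a falsy value on an empty collection; an objective without a
        // course cannot be authorized against one, so deny rather than call into null.
        return false;
    }

    // Code below has been copy/pasted straight out of CourseVoter::isGranted().
    // TODO: consolidate. [ST 2015/08/05]
    // HALT!
    // deny DELETE and CREATE privileges if the owning course is locked or archived.
    if ($course->isArchived() || $course->isLocked()) {
        return false;
    }

    // role-gated path: primary school match, or WRITE rights on the owning school.
    if ($this->userHasRole($user, ['Faculty', 'Course Director', 'Developer'])) {
        $owningSchool = $course->getSchool();
        if ($this->schoolsAreIdentical($owningSchool, $user->getSchool())
            || $this->permissionManager->userHasWritePermissionToSchool($user, $owningSchool->getId())
        ) {
            return true;
        }
    }

    // role-independent path: WRITE rights on the course itself.
    return $this->permissionManager->userHasWritePermissionToCourse($user, $course);
}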
/**
 * Decides whether the given user may CREATE/EDIT/DELETE the given program year.
 *
 * Granted when the user holds at least one of the 'Course Director' and 'Developer' roles
 * AND any of the following holds:
 *   - the parent program's owning school is the user's primary school,
 *   - the user has WRITE rights on that school via the permissions system,
 *   - the user's school is stewarding the program year (per the steward manager);
 * or - independent of any role - when the user has WRITE rights on the parent program.
 *
 * @param ProgramYearInterface $programYear
 * @param UserInterface $user
 * @return bool
 */
protected function isWriteGranted(ProgramYearInterface $programYear, $user)
{
    // role-gated path: owning school match, WRITE rights on it, or stewardship.
    if ($this->userHasRole($user, ['Course Director', 'Developer'])) {
        $owningSchool = $programYear->getSchool();
        if ($this->schoolsAreIdentical($owningSchool, $user->getSchool())
            || $this->permissionManager->userHasWritePermissionToSchool($user, $owningSchool->getId())
            || $this->stewardManager->schoolIsStewardingProgramYear($user, $programYear)
        ) {
            return true;
        }
    }

    // role-independent path: WRITE rights on the parent program.
    return $this->permissionManager->userHasWritePermissionToProgram($user, $programYear->getProgram());
}
/**
 * Votes on the given attribute for the given program year steward.
 *
 * VIEW is granted when the user holds at least one of the 'Course Director', 'Developer' and
 * 'Faculty' roles AND (the parent program's owning school is the user's primary school, or
 * the user has READ rights on that school, or the stewarding school is the user's primary
 * school), or - independent of any role - when the user has READ rights on the parent program.
 *
 * CREATE, EDIT and DELETE follow the same shape with 'Course Director' / 'Developer' as the
 * required roles and WRITE rights in place of READ rights.
 * Everything else, including an unauthenticated token, is denied.
 *
 * @param string $attribute
 * @param ProgramYearStewardInterface $steward
 * @param TokenInterface $token
 * @return bool
 */
protected function voteOnAttribute($attribute, $steward, TokenInterface $token)
{
    $user = $token->getUser();
    // fail closed on tokens that do not carry an authenticated user.
    if (!$user instanceof UserInterface) {
        return false;
    }

    switch ($attribute) {
        case self::VIEW:
            // role-gated path: owning school match, READ rights on it, or stewarding school match.
            if ($this->userHasRole($user, ['Course Director', 'Developer', 'Faculty'])) {
                $programOwningSchool = $steward->getProgramOwningSchool();
                if ($this->schoolsAreIdentical($programOwningSchool, $user->getSchool())
                    || $this->permissionManager->userHasReadPermissionToSchool($user, $programOwningSchool->getId())
                    || $this->schoolsAreIdentical($steward->getSchool(), $user->getSchool())
                ) {
                    return true;
                }
            }
            // role-independent path: READ rights on the parent program.
            return $this->permissionManager->userHasReadPermissionToProgram($user, $steward->getProgram());
        case self::CREATE:
        case self::EDIT:
        case self::DELETE:
            // role-gated path: owning school match, WRITE rights on it, or stewarding school match.
            if ($this->userHasRole($user, ['Course Director', 'Developer'])) {
                $programOwningSchool = $steward->getProgramOwningSchool();
                if ($this->schoolsAreIdentical($programOwningSchool, $user->getSchool())
                    || $this->permissionManager->userHasWritePermissionToSchool($user, $programOwningSchool->getId())
                    || $this->schoolsAreIdentical($steward->getSchool(), $user->getSchool())
                ) {
                    return true;
                }
            }
            // role-independent path: WRITE rights on the parent program.
            return $this->permissionManager->userHasWritePermissionToProgram($user, $steward->getProgram());
    }

    return false;
}
/**
 * Stores the form factory and hands the entity manager and entity class on to the parent.
 *
 * @param EntityManager $em
 * @param string $class
 * @param FormFactoryInterface $formFactory
 */
public function __construct(EntityManager $em, $class, FormFactoryInterface $formFactory)
{
    // the factory is set before the parent runs; kept in this order in case the
    // parent constructor reaches into this object.
    $this->formFactory = $formFactory;
    parent::__construct($em, $class);
}
/**
 * Exercises userHasReadPermissionToCoursesInSchool() against three schools:
 * one whose course carries a READ permission, one whose course carries none,
 * and one without any courses (for which no repository lookup may be issued).
 *
 * @covers \Ilios\CoreBundle\Entity\Manager\PermissionManager::userHasReadPermissionToCoursesInSchool
 */
public function testUserHasReadPermissionToCoursesBySchool()
{
    // fixtures: three schools, a course in each of the first two, none in the third.
    $schoolA = new School();
    $schoolA->setId(100);
    $schoolB = new School();
    $schoolB->setId(200);
    $schoolC = new School();
    $schoolC->setId(300);

    $courseA = new Course();
    $courseA->setId(1);
    $schoolA->addCourse($courseA);
    $courseB = new Course();
    $courseB->setId(2);
    $schoolB->addCourse($courseB);

    $coursePermissionA = new Permission();
    $coursePermissionA->setTableRowId(1);

    $user = new User();
    $class = 'Ilios\\CoreBundle\\Entity\\Permission';
    $em = m::mock('Doctrine\\ORM\\EntityManager');

    // builds a manager whose registry hands out the given repository mock.
    $newManager = function ($repository) use ($em, $class) {
        $registry = m::mock('Doctrine\\Bundle\\DoctrineBundle\\Registry')
            ->shouldReceive('getManagerForClass')->andReturn($em)
            ->shouldReceive('getRepository')->andReturn($repository)
            ->mock();

        return new PermissionManager($registry, $class);
    };
    // the lookup criteria the manager is expected to issue for a given course.
    $criteriaFor = function (Course $course) use ($user) {
        return ['tableName' => 'course', 'canRead' => true, 'user' => $user, 'tableRowId' => $course->getId()];
    };

    // school A: the lookup for course A is stubbed to yield a permission -> granted.
    // a null school is always denied.
    $repository = m::mock('Doctrine\\ORM\\Repository')
        ->shouldReceive('findOneBy')->with($criteriaFor($courseA), null)->andReturn([$coursePermissionA])
        ->mock();
    $manager = $newManager($repository);
    $this->assertFalse($manager->userHasReadPermissionToCoursesInSchool($user, null));
    $this->assertTrue($manager->userHasReadPermissionToCoursesInSchool($user, $schoolA));

    // school B: the lookup for course B yields nothing -> denied.
    $repository = m::mock('Doctrine\\ORM\\Repository')
        ->shouldReceive('findOneBy')->with($criteriaFor($courseB), null)->andReturn(null)
        ->mock();
    $this->assertFalse($newManager($repository)->userHasReadPermissionToCoursesInSchool($user, $schoolB));

    // school C has no courses: no lookup may be issued at all -> denied.
    $repository = m::mock('Doctrine\\ORM\\Repository')->shouldNotReceive('findOneBy')->mock();
    $this->assertFalse($newManager($repository)->userHasReadPermissionToCoursesInSchool($user, $schoolC));
}