/**
 * Decides whether the given user may perform the requested action on a topic.
 *
 * VIEW is granted when the user's primary school is the topic's owning school,
 * or when the user holds READ rights on that school via the permissions system.
 * CREATE, EDIT and DELETE additionally require the 'Developer' role, and the
 * school association is checked against WRITE instead of READ rights.
 * Any other attribute, and any call without a user object, is denied.
 *
 * @param string $attribute
 * @param TopicInterface $topic
 * @param UserInterface|null $user
 * @return bool
 */
protected function isGranted($attribute, $topic, $user = null)
{
    // Deny by default: without a user object there is nobody to authorize.
    if (!$user instanceof UserInterface) {
        return false;
    }

    switch ($attribute) {
        case self::VIEW:
            $owningSchool = $topic->getSchool();

            return $this->schoolsAreIdentical($owningSchool, $user->getSchool())
                || $this->permissionManager->userHasReadPermissionToSchool($user, $owningSchool);

        case self::CREATE:
        case self::EDIT:
        case self::DELETE:
            // Role gate first; the school association is only evaluated for Developers.
            if (!$this->userHasRole($user, ['Developer'])) {
                return false;
            }
            $owningSchool = $topic->getSchool();

            return $this->schoolsAreIdentical($owningSchool, $user->getSchool())
                || $this->permissionManager->userHasWritePermissionToSchool($user, $owningSchool);
    }

    // Unknown attributes are never granted.
    return false;
}
/**
 * Decides whether the given user may perform the requested action on an instructor group.
 *
 * VIEW requires one of the 'Course Director', 'Faculty' or 'Developer' roles plus an
 * association with the group's owning school (primary school, or READ rights via the
 * permissions system).
 * CREATE, EDIT and DELETE require one of the 'Course Director' or 'Developer' roles plus
 * an association with the group's owning school (primary school, or WRITE rights).
 * Any other attribute, and any call without a user object, is denied.
 *
 * @param string $attribute
 * @param InstructorGroupInterface $group
 * @param UserInterface|null $user
 * @return bool
 */
protected function isGranted($attribute, $group, $user = null)
{
    // No user object means the caller is not logged in: deny.
    if (!$user instanceof UserInterface) {
        return false;
    }

    switch ($attribute) {
        case self::VIEW:
            if (!$this->userHasRole($user, ['Course Director', 'Faculty', 'Developer'])) {
                return false;
            }

            return $this->schoolsAreIdentical($user->getSchool(), $group->getSchool())
                || $this->permissionManager->userHasReadPermissionToSchool($user, $group->getSchool());

        case self::CREATE:
        case self::EDIT:
        case self::DELETE:
            if (!$this->userHasRole($user, ['Course Director', 'Developer'])) {
                return false;
            }

            return $this->schoolsAreIdentical($user->getSchool(), $group->getSchool())
                || $this->permissionManager->userHasWritePermissionToSchool($user, $group->getSchool());
    }

    // Unknown attributes are never granted.
    return false;
}
/**
 * Decides whether the given user may perform the requested action on a learning material.
 *
 * VIEW is granted to every authenticated user.
 * CREATE requires one of the 'Faculty', 'Course Director' or 'Developer' roles.
 * EDIT and DELETE are granted to the material's owner, or to a user with one of those
 * roles who shares the owner's primary school or holds WRITE rights on that school.
 * Any other attribute, and any call without a user object, is denied.
 *
 * @param string $attribute
 * @param LearningMaterialInterface $material
 * @param UserInterface|null $user
 * @return bool
 */
protected function isGranted($attribute, $material, $user = null)
{
    // No user object means the caller is not logged in: deny.
    if (!$user instanceof UserInterface) {
        return false;
    }

    $contributorRoles = ['Faculty', 'Course Director', 'Developer'];

    switch ($attribute) {
        case self::VIEW:
            // Learning materials are readable by any authenticated user, with no school scoping.
            return true;

        case self::CREATE:
            return $this->userHasRole($user, $contributorRoles);

        case self::EDIT:
        case self::DELETE:
            // Ownership alone is sufficient; no role is required for the owner.
            if ($user->getId() === $material->getOwningUser()->getId()) {
                return true;
            }

            // Everyone else needs a contributor role and an association with the owner's school.
            return $this->userHasRole($user, $contributorRoles)
                && (
                    $this->schoolsAreIdentical($user->getSchool(), $material->getOwningUser()->getSchool())
                    || $this->permissionManager->userHasWritePermissionToSchool(
                        $user,
                        $material->getOwningUser()->getSchool()
                    )
                );
    }

    // Unknown attributes are never granted.
    return false;
}
/**
 * Decides whether the given user may perform the requested action on a school.
 *
 * VIEW is granted when the school is the user's primary school, or when the user
 * holds READ rights on it via the permissions system.
 * CREATE requires the 'Developer' role.
 * EDIT and DELETE require the 'Developer' role and an association with the school
 * (primary school, or WRITE rights via the permissions system).
 * Any other attribute, and any call without a user object, is denied.
 *
 * @param string $attribute
 * @param SchoolInterface $school
 * @param UserInterface|null $user
 * @return bool
 */
protected function isGranted($attribute, $school, $user = null)
{
    // No user object means the caller is not logged in: deny.
    if (!$user instanceof UserInterface) {
        return false;
    }

    switch ($attribute) {
        case self::VIEW:
            return $this->schoolsAreIdentical($school, $user->getSchool())
                || $this->permissionManager->userHasReadPermissionToSchool($user, $school);

        case self::CREATE:
            // A new school has no owner to compare against, so only the role is checked.
            return $this->userHasRole($user, ['Developer']);

        case self::EDIT:
        case self::DELETE:
            if (!$this->userHasRole($user, ['Developer'])) {
                return false;
            }

            return $this->schoolsAreIdentical($school, $user->getSchool())
                || $this->permissionManager->userHasWritePermissionToSchool($user, $school);
    }

    // Unknown attributes are never granted.
    return false;
}
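/**
 * Decides whether the current user may perform the requested action on another user record.
 *
 * VIEW is granted when at least one of these holds:
 *  1. the requested user is the current user;
 *  2. the current user has one of the 'Course Director', 'Faculty' or 'Developer' roles and
 *     the current user's primary school is among the requested user's schools;
 *  3. the current user has one of those roles and READ rights on one of the requested
 *     user's schools.
 *
 * CREATE, EDIT and DELETE are granted when the current user has the 'Developer' role and
 *  1. the current user's primary school is among the requested user's schools, or
 *  2. the current user has WRITE rights on one of the requested user's schools.
 *
 * The write branch previously called userHasReadPermissionToSchools(), so READ rights
 * were enough to create, edit or delete user records. It now checks WRITE rights,
 * matching the documented policy.
 *
 * @param string $attribute
 * @param UserInterface $requestedUser
 * @param UserInterface|null $user
 * @return bool
 */
protected function isGranted($attribute, $requestedUser, $user = null)
{
    // make sure there is a user object (i.e. that the user is logged in)
    if (!$user instanceof UserInterface) {
        return false;
    }

    switch ($attribute) {
        case self::VIEW:
            // Users may always see their own record.
            if ($user->getId() === $requestedUser->getId()) {
                return true;
            }

            return $this->userHasRole($user, ['Course Director', 'Faculty', 'Developer'])
                && (
                    $requestedUser->getAllSchools()->contains($user->getSchool())
                    || $this->permissionManager->userHasReadPermissionToSchools(
                        $user,
                        $requestedUser->getAllSchools()
                    )
                );

        case self::CREATE:
        case self::EDIT:
        case self::DELETE:
            if (!$this->userHasRole($user, ['Developer'])) {
                return false;
            }

            $affiliatedSchools = $requestedUser->getAllSchools();
            if ($affiliatedSchools->contains($user->getSchool())) {
                return true;
            }

            // Write-level actions require WRITE rights on at least one affiliated school.
            // Assumes getAllSchools() returns an iterable collection; verify against the entity.
            // NOTE(review): if the permission manager has a plural WRITE check that mirrors
            // userHasReadPermissionToSchools(), use it here instead of this loop.
            foreach ($affiliatedSchools as $affiliatedSchool) {
                if ($this->permissionManager->userHasWritePermissionToSchool($user, $affiliatedSchool)) {
                    return true;
                }
            }

            return false;
    }

    // Unknown attributes are never granted.
    return false;
}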
/**
 * Decides whether the given user may perform the requested action on a program.
 *
 * VIEW is granted when at least one of these holds:
 *  1. the user has one of the 'Course Director', 'Developer' or 'Faculty' roles and the
 *     user's primary school is the program's owning school;
 *  2. the user has one of those roles and READ rights on the program's owning school;
 *  3. the user has READ rights on the program itself (no role required).
 *
 * CREATE, EDIT and DELETE are granted when at least one of these holds:
 *  1. the user has one of the 'Course Director' or 'Developer' roles and the user's
 *     primary school is the program's owning school;
 *  2. the user has one of those roles and WRITE rights on the program's owning school;
 *  3. the user has WRITE rights on the program itself (no role required).
 *
 * Any other attribute, and any call without a user object, is denied.
 *
 * @param string $attribute
 * @param ProgramInterface $program
 * @param UserInterface|null $user
 * @return bool
 */
protected function isGranted($attribute, $program, $user = null)
{
    // No user object means the caller is not logged in: deny.
    if (!$user instanceof UserInterface) {
        return false;
    }

    switch ($attribute) {
        case self::VIEW:
            $grantedViaSchool = $this->userHasRole($user, ['Course Director', 'Developer', 'Faculty'])
                && (
                    $this->schoolsAreIdentical($program->getSchool(), $user->getSchool())
                    || $this->permissionManager->userHasReadPermissionToSchool($user, $program->getSchool())
                );

            // A direct READ grant on the program is evaluated independently of the role gate.
            return $grantedViaSchool
                || $this->permissionManager->userHasReadPermissionToProgram($user, $program);

        case self::CREATE:
        case self::EDIT:
        case self::DELETE:
            $grantedViaSchool = $this->userHasRole($user, ['Course Director', 'Developer'])
                && (
                    $this->schoolsAreIdentical($program->getSchool(), $user->getSchool())
                    || $this->permissionManager->userHasWritePermissionToSchool($user, $program->getSchool())
                );

            // A direct WRITE grant on the program is evaluated independently of the role gate.
            return $grantedViaSchool
                || $this->permissionManager->userHasWritePermissionToProgram($user, $program);
    }

    // Unknown attributes are never granted.
    return false;
}
/**
 * Decides whether the given user has CREATE/EDIT/DELETE privileges on the given course.
 *
 * Granted when at least one of these holds:
 *  1. the user has one of the 'Faculty', 'Course Director' or 'Developer' roles and the
 *     user's primary school is the course's owning school;
 *  2. the user has one of those roles and WRITE rights on the course's owning school;
 *  3. the user has WRITE rights on the course itself (no role required).
 *
 * @param CourseInterface $course
 * @param UserInterface $user
 * @return bool
 */
protected function isWriteGranted($course, $user)
{
    $grantedViaSchool = $this->userHasRole($user, ['Faculty', 'Course Director', 'Developer'])
        && (
            $this->schoolsAreIdentical($course->getSchool(), $user->getSchool())
            || $this->permissionManager->userHasWritePermissionToSchool($user, $course->getSchool())
        );

    // A direct WRITE grant on the course is evaluated independently of the role gate.
    return $grantedViaSchool
        || $this->permissionManager->userHasWritePermissionToCourse($user, $course);
}
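/**
 * Decides whether the given user may perform the requested action on a school event.
 *
 * Only VIEW is supported. It is granted when the event's owning school is the user's
 * primary school, or when the user holds READ rights on that school via the
 * permissions system. Any other attribute, and any call without a user object, is denied.
 *
 * The vote fails closed when the owning school cannot be resolved from $event->school,
 * so an unresolved school never reaches the comparison helpers.
 *
 * @param string $attribute
 * @param SchoolEvent $event
 * @param UserInterface|null $user
 * @return bool
 */
protected function isGranted($attribute, $event, $user = null)
{
    // make sure there is a user object (i.e. that the user is logged in)
    if (!$user instanceof UserInterface) {
        return false;
    }

    switch ($attribute) {
        case self::VIEW:
            $eventOwningSchool = $this->schoolManager->findSchoolBy(['id' => $event->school]);

            // Deny when the lookup returns nothing, rather than comparing against an empty value.
            if (empty($eventOwningSchool)) {
                return false;
            }

            return $this->schoolsAreIdentical($eventOwningSchool, $user->getSchool())
                || $this->permissionManager->userHasReadPermissionToSchool($user, $eventOwningSchool);
    }

    // Unknown attributes are never granted.
    return false;
}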
/**
 * Decides whether the given user may create the given curriculum inventory report.
 *
 * Granted only when the user has one of the 'Course Director' or 'Developer' roles
 * and is associated with the school owning the report's program, either as the user's
 * primary school or through WRITE rights via the permissions system.
 *
 * @param CurriculumInventoryReportInterface $report
 * @param UserInterface $user
 * @return bool
 */
protected function isCreateGranted($report, $user)
{
    // Role gate first; the program's school is only consulted for eligible roles.
    if (!$this->userHasRole($user, ['Course Director', 'Developer'])) {
        return false;
    }

    return $this->schoolsAreIdentical($user->getSchool(), $report->getProgram()->getSchool())
        || $this->permissionManager->userHasWritePermissionToSchool(
            $user,
            $report->getProgram()->getSchool()
        );
}
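/**
 * Decides whether the given user may perform the requested action on a curriculum
 * inventory institution.
 *
 * VIEW requires one of the 'Course Director' or 'Developer' roles and an association
 * with the institution's school (primary school, or READ rights via the permissions system).
 * CREATE, EDIT and DELETE require one of those roles and an association with the
 * institution's school (primary school, or WRITE rights via the permissions system).
 * Any other attribute, and any call without a user object, is denied.
 *
 * An earlier role-only switch returned for VIEW, EDIT and DELETE before the
 * school-scoped checks below could run. That made those checks unreachable and let
 * any 'Course Director' or 'Developer' act on institutions of any school. It has been
 * removed so the documented school scoping is enforced for every attribute.
 *
 * @param string $attribute
 * @param CurriculumInventoryInstitutionInterface $institution
 * @param UserInterface|null $user
 * @return bool
 */
protected function isGranted($attribute, $institution, $user = null)
{
    // Deny by default: without a user object there is nobody to authorize.
    if (!$user instanceof UserInterface) {
        return false;
    }

    switch ($attribute) {
        case self::VIEW:
            // Only grant VIEW permissions to users with at least one of
            // 'Course Director' and 'Developer' roles.
            // - and -
            // the user must be associated with the institution's school
            // either by its primary school attribute
            // - or - by READ rights for the school
            // via the permissions system.
            return $this->userHasRole($user, ['Course Director', 'Developer'])
                && (
                    $this->schoolsAreIdentical($user->getSchool(), $institution->getSchool())
                    || $this->permissionManager->userHasReadPermissionToSchool($user, $institution->getSchool())
                );

        case self::CREATE:
        case self::EDIT:
        case self::DELETE:
            // Only grant CREATE, EDIT and DELETE permissions to users with at least one of
            // 'Course Director' and 'Developer' roles.
            // - and -
            // the user must be associated with the institution's school
            // either by its primary school attribute
            // - or - by WRITE rights for the school
            // via the permissions system.
            return $this->userHasRole($user, ['Course Director', 'Developer'])
                && (
                    $this->schoolsAreIdentical($user->getSchool(), $institution->getSchool())
                    || $this->permissionManager->userHasWritePermissionToSchool($user, $institution->getSchool())
                );
    }

    // Unknown attributes are never granted.
    return false;
}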
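/**
 * Decides whether the given user may create, edit or delete the given course objective.
 *
 * The decision is made against the objective's first course. Access is denied when that
 * course is archived or locked. Otherwise it is granted when at least one of these holds:
 *  1. the user has one of the 'Faculty', 'Course Director' or 'Developer' roles and the
 *     user's primary school is the course's owning school;
 *  2. the user has one of those roles and WRITE rights on the course's owning school;
 *  3. the user has WRITE rights on the course itself (no role required).
 *
 * The vote fails closed when the objective has no course to evaluate.
 *
 * @param ObjectiveInterface $objective
 * @param UserInterface $user
 * @return bool
 */
protected function isCreateEditDeleteGrantedForCourseObjective($objective, $user)
{
    /* @var CourseInterface $course */
    $course = $objective->getCourses()->first(); // there should ever only be one

    // Deny when there is no course, instead of calling methods on an empty value.
    // Presumably first() yields false or null on an empty collection; confirm.
    if (empty($course)) {
        return false;
    }

    // Code below has been copy/pasted straight out of CourseVoter::isGranted().
    // TODO: consolidate. [ST 2015/08/05]

    // HALT!
    // deny DELETE and CREATE privileges if the owning course is locked or archived.
    if ($course->isArchived() || $course->isLocked()) {
        return false;
    }

    return $this->userHasRole($user, ['Faculty', 'Course Director', 'Developer'])
        && (
            $this->schoolsAreIdentical($course->getSchool(), $user->getSchool())
            || $this->permissionManager->userHasWritePermissionToSchool($user, $course->getSchool())
        )
        || $this->permissionManager->userHasWritePermissionToCourse($user, $course);
}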
/**
 * Decides whether the given user has CREATE/EDIT/DELETE privileges on the given program year.
 *
 * Granted when at least one of these holds:
 *  1. the user has one of the 'Course Director' or 'Developer' roles and the user's
 *     primary school is the parent program's owning school;
 *  2. the user has one of those roles and WRITE rights on the parent program's owning school;
 *  3. the user has one of those roles and the steward manager reports a stewarding
 *     relationship between the user and the program year;
 *  4. the user has WRITE rights on the parent program (no role required).
 *
 * @param ProgramYearInterface $programYear
 * @param UserInterface $user
 * @return bool
 */
protected function isWriteGranted($programYear, $user)
{
    $coordinatorRoles = ['Course Director', 'Developer'];

    // NOTE(review): schoolIsStewardingProgramYear() is handed the user, not a school.
    // Presumably it resolves the user's school(s) itself; confirm against the steward manager.
    $grantedViaSchoolOrSteward = $this->userHasRole($user, $coordinatorRoles)
        && (
            $this->schoolsAreIdentical($programYear->getProgram()->getSchool(), $user->getSchool())
            || $this->permissionManager->userHasWritePermissionToSchool(
                $user,
                $programYear->getProgram()->getSchool()
            )
            || $this->stewardManager->schoolIsStewardingProgramYear($user, $programYear)
        );

    // A direct WRITE grant on the parent program is evaluated independently of the role gate.
    return $grantedViaSchoolOrSteward
        || $this->permissionManager->userHasWritePermissionToProgram($user, $programYear->getProgram());
}
/**
 * Decides whether the given user may create the given publish event for a session.
 *
 * The session is looked up by the event's table row id, and the decision is made against
 * that session's course. Access is denied when the session cannot be found or when the
 * course is archived or locked. Otherwise it is granted when at least one of these holds:
 *  1. the user has one of the 'Faculty', 'Course Director' or 'Developer' roles and the
 *     user's primary school is the course's owning school;
 *  2. the user has one of those roles and WRITE rights on the course's owning school;
 *  3. the user has WRITE rights on the course itself (no role required).
 *
 * @param PublishEventInterface $event
 * @param UserInterface $user
 * @return bool
 *
 * @see CourseVoter::isGranted()
 */
protected function isCreateGrantedForSessionPublishEvent($event, $user)
{
    $session = $this->sessionManager->findSessionBy(['id' => $event->getTableRowId()]);

    // Fail closed when the referenced session does not exist.
    if (!$session) {
        return false;
    }

    $owningCourse = $session->getCourse();

    // The rules below duplicate the course-level check referenced by the @see tag.
    // TODO: consolidate [ST 2015/08/05]

    // Locked or archived courses accept no new publish events.
    if ($owningCourse->isArchived() || $owningCourse->isLocked()) {
        return false;
    }

    $grantedViaSchool = $this->userHasRole($user, ['Faculty', 'Course Director', 'Developer'])
        && (
            $this->schoolsAreIdentical($owningCourse->getSchool(), $user->getSchool())
            || $this->permissionManager->userHasWritePermissionToSchool($user, $owningCourse->getSchool())
        );

    // A direct WRITE grant on the course is evaluated independently of the role gate.
    return $grantedViaSchool
        || $this->permissionManager->userHasWritePermissionToCourse($user, $owningCourse);
}