示例#1
 /**
  * Decides whether the given user may perform the given action on a topic.
  *
  * Every grant is scoped to the topic's owning school: the user must either
  * have that school as primary school or hold an explicit permission on it.
  *
  * @param string $attribute one of self::VIEW, self::CREATE, self::EDIT, self::DELETE
  * @param TopicInterface $topic
  * @param UserInterface|null $user anything that is not a UserInterface is denied
  * @return bool true when access is granted; false otherwise, including for unlisted attributes
  */
 protected function isGranted($attribute, $topic, $user = null)
 {
     // deny by default: without a user object there is nothing to authorize.
     if (!$user instanceof UserInterface) {
         return false;
     }

     switch ($attribute) {
         case self::VIEW:
             // VIEW is granted when the topic's owning school is the user's primary school,
             // or when the user holds READ rights on that school via the permissions system.
             $owningSchool = $topic->getSchool();

             return $this->schoolsAreIdentical($owningSchool, $user->getSchool())
                 || $this->permissionManager->userHasReadPermissionToSchool($user, $owningSchool);

         case self::CREATE:
         case self::EDIT:
         case self::DELETE:
             // Write access needs the 'Developer' role first ...
             if (!$this->userHasRole($user, ['Developer'])) {
                 return false;
             }

             // ... and, in addition, an association with the topic's owning school:
             // either as primary school or through WRITE rights in the permissions system.
             $owningSchool = $topic->getSchool();

             return $this->schoolsAreIdentical($owningSchool, $user->getSchool())
                 || $this->permissionManager->userHasWritePermissionToSchool($user, $owningSchool);
     }

     // attributes not listed above are denied.
     return false;
 }
示例#2
 /**
  * Decides whether the given user may perform the given action on an instructor group.
  *
  * Both VIEW and write access require a role AND an association with the
  * group's owning school; neither condition is sufficient on its own.
  *
  * @param string $attribute one of self::VIEW, self::CREATE, self::EDIT, self::DELETE
  * @param InstructorGroupInterface $group
  * @param UserInterface|null $user anything that is not a UserInterface is denied
  * @return bool true when access is granted; false otherwise, including for unlisted attributes
  */
 protected function isGranted($attribute, $group, $user = null)
 {
     // no user object means nobody is logged in: deny.
     if (!$user instanceof UserInterface) {
         return false;
     }

     switch ($attribute) {
         case self::VIEW:
             // VIEW requires one of the 'Course Director', 'Faculty' or 'Developer' roles ...
             if (!$this->userHasRole($user, ['Course Director', 'Faculty', 'Developer'])) {
                 return false;
             }

             // ... plus the group's owning school being the user's primary school,
             // or READ rights on that school via the permissions system.
             $groupSchool = $group->getSchool();

             return $this->schoolsAreIdentical($user->getSchool(), $groupSchool)
                 || $this->permissionManager->userHasReadPermissionToSchool($user, $groupSchool);

         case self::CREATE:
         case self::EDIT:
         case self::DELETE:
             // Write access requires one of the 'Course Director' or 'Developer' roles ...
             if (!$this->userHasRole($user, ['Course Director', 'Developer'])) {
                 return false;
             }

             // ... plus the group's owning school being the user's primary school,
             // or WRITE rights on that school via the permissions system.
             $groupSchool = $group->getSchool();

             return $this->schoolsAreIdentical($user->getSchool(), $groupSchool)
                 || $this->permissionManager->userHasWritePermissionToSchool($user, $groupSchool);
     }

     // attributes not listed above are denied.
     return false;
 }
示例#3
 /**
  * Decides whether the given user may perform the given action on a learning material.
  *
  * @param string $attribute one of self::VIEW, self::CREATE, self::EDIT, self::DELETE
  * @param LearningMaterialInterface $material
  * @param UserInterface|null $user anything that is not a UserInterface is denied
  * @return bool true when access is granted; false otherwise, including for unlisted attributes
  */
 protected function isGranted($attribute, $material, $user = null)
 {
     // no user object means nobody is logged in: deny.
     if (!$user instanceof UserInterface) {
         return false;
     }

     switch ($attribute) {
         case self::VIEW:
             // every authenticated user may see every learning material;
             // there is no school scoping on this path.
             return true;

         case self::CREATE:
             // creating materials only depends on the role.
             return $this->userHasRole($user, ['Faculty', 'Course Director', 'Developer']);

         case self::EDIT:
         case self::DELETE:
             // NOTE(review): assumes every material has an owning user; a material
             // without one would fail on the calls below - confirm against the model.
             $owner = $material->getOwningUser();

             // 1. owners may always edit and delete their own material.
             if ($user->getId() === $owner->getId()) {
                 return true;
             }

             // 2. and 3. everybody else needs one of these roles ...
             if (!$this->userHasRole($user, ['Faculty', 'Course Director', 'Developer'])) {
                 return false;
             }

             // ... and must either share the owner's primary school
             // or hold WRITE rights on that school via the permissions system.
             $ownerSchool = $owner->getSchool();

             return $this->schoolsAreIdentical($user->getSchool(), $ownerSchool)
                 || $this->permissionManager->userHasWritePermissionToSchool($user, $ownerSchool);
     }

     // attributes not listed above are denied.
     return false;
 }
示例#4
 /**
  * Decides whether the given user may perform the given action on a school.
  *
  * @param string $attribute one of self::VIEW, self::CREATE, self::EDIT, self::DELETE
  * @param SchoolInterface $school
  * @param UserInterface|null $user anything that is not a UserInterface is denied
  * @return bool true when access is granted; false otherwise, including for unlisted attributes
  */
 protected function isGranted($attribute, $school, $user = null)
 {
     // no user object means nobody is logged in: deny.
     if (!$user instanceof UserInterface) {
         return false;
     }

     switch ($attribute) {
         case self::VIEW:
             // VIEW is granted when the school is the user's primary school,
             // or when the user holds READ rights on it via the permissions system.
             return $this->schoolsAreIdentical($school, $user->getSchool())
                 || $this->permissionManager->userHasReadPermissionToSchool($user, $school);

         case self::CREATE:
             // a school that does not exist yet cannot be scoped to, so
             // creation depends on the 'Developer' role alone.
             return $this->userHasRole($user, ['Developer']);

         case self::EDIT:
         case self::DELETE:
             // EDIT and DELETE need the 'Developer' role ...
             if (!$this->userHasRole($user, ['Developer'])) {
                 return false;
             }

             // ... and an association with the school itself: either it is the user's
             // primary school, or the user holds WRITE rights on it via the permissions system.
             return $this->schoolsAreIdentical($school, $user->getSchool())
                 || $this->permissionManager->userHasWritePermissionToSchool($user, $school);
     }

     // attributes not listed above are denied.
     return false;
 }
示例#5
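 /**
  * Decides whether the current user may perform the given action on another user record.
  *
  * @param string $attribute one of self::VIEW, self::CREATE, self::EDIT, self::DELETE
  * @param UserInterface $requestedUser the user record being accessed
  * @param UserInterface|null $user the current user; anything that is not a UserInterface is denied
  * @return bool true when access is granted; false otherwise, including for unlisted attributes
  */
 protected function isGranted($attribute, $requestedUser, $user = null)
 {
     // no user object means nobody is logged in: deny.
     if (!$user instanceof UserInterface) {
         return false;
     }

     switch ($attribute) {
         case self::VIEW:
             // 1. users may always view their own record.
             if ($user->getId() === $requestedUser->getId()) {
                 return true;
             }

             // 2. and 3. everybody else needs one of these roles ...
             if (!$this->userHasRole($user, ['Course Director', 'Faculty', 'Developer'])) {
                 return false;
             }

             // ... and the current user's primary school must be one of the requested user's
             // schools, or the current user must hold READ rights on one of those schools.
             $affiliatedSchools = $requestedUser->getAllSchools();

             return $affiliatedSchools->contains($user->getSchool())
                 || $this->permissionManager->userHasReadPermissionToSchools($user, $affiliatedSchools);

         case self::CREATE:
         case self::EDIT:
         case self::DELETE:
             // write access to user records is limited to the 'Developer' role ...
             if (!$this->userHasRole($user, ['Developer'])) {
                 return false;
             }

             // ... whose primary school is one of the requested user's schools ...
             $affiliatedSchools = $requestedUser->getAllSchools();
             if ($affiliatedSchools->contains($user->getSchool())) {
                 return true;
             }

             // ... or who holds WRITE rights on at least one of those schools.
             // A READ grant must not be enough to create, change or delete a user record,
             // so each school is checked for WRITE rights.
             // NOTE(review): assumes getAllSchools() returns an iterable collection
             // (it is already used with ->contains()) - confirm.
             foreach ($affiliatedSchools as $affiliatedSchool) {
                 if ($this->permissionManager->userHasWritePermissionToSchool($user, $affiliatedSchool)) {
                     return true;
                 }
             }

             return false;
     }

     // attributes not listed above are denied.
     return false;
 }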
示例#6
 /**
  * Decides whether the given user may perform the given action on a program.
  *
  * A permission granted directly on the program is sufficient on its own;
  * the school-based path additionally requires a role.
  *
  * @param string $attribute one of self::VIEW, self::CREATE, self::EDIT, self::DELETE
  * @param ProgramInterface $program
  * @param UserInterface|null $user anything that is not a UserInterface is denied
  * @return bool true when access is granted; false otherwise, including for unlisted attributes
  */
 protected function isGranted($attribute, $program, $user = null)
 {
     // no user object means nobody is logged in: deny.
     if (!$user instanceof UserInterface) {
         return false;
     }

     switch ($attribute) {
         case self::VIEW:
             // VIEW is granted when at least one of these holds:
             // 1. the user has one of the 'Course Director', 'Developer' or 'Faculty' roles
             //    and the program's owning school is the user's primary school.
             // 2. the user has one of those roles
             //    and holds READ rights on the program's owning school.
             // 3. the user holds READ rights on the program itself (no role needed).
             return (
                 $this->userHasRole($user, ['Course Director', 'Developer', 'Faculty'])
                 && (
                     $this->schoolsAreIdentical($program->getSchool(), $user->getSchool())
                     || $this->permissionManager->userHasReadPermissionToSchool($user, $program->getSchool())
                 )
             ) || $this->permissionManager->userHasReadPermissionToProgram($user, $program);

         case self::CREATE:
         case self::EDIT:
         case self::DELETE:
             // CREATE, EDIT and DELETE are granted when at least one of these holds:
             // 1. the user has one of the 'Course Director' or 'Developer' roles
             //    and the program's owning school is the user's primary school.
             // 2. the user has one of those roles
             //    and holds WRITE rights on the program's owning school.
             // 3. the user holds WRITE rights on the program itself (no role needed).
             return (
                 $this->userHasRole($user, ['Course Director', 'Developer'])
                 && (
                     $this->schoolsAreIdentical($program->getSchool(), $user->getSchool())
                     || $this->permissionManager->userHasWritePermissionToSchool($user, $program->getSchool())
                 )
             ) || $this->permissionManager->userHasWritePermissionToProgram($user, $program);
     }

     // attributes not listed above are denied.
     return false;
 }
示例#7
 /**
  * Decides whether the given user has CREATE/EDIT/DELETE access to the given course.
  *
  * Access is granted when at least one of these holds:
  * 1. the user has one of the 'Faculty', 'Course Director' or 'Developer' roles
  *    and the course's owning school is the user's primary school.
  * 2. the user has one of those roles
  *    and holds WRITE rights on the course's owning school via the permissions system.
  * 3. the user holds WRITE rights on the course itself via the permissions system
  *    (no role needed).
  *
  * @param CourseInterface $course
  * @param UserInterface $user
  * @return bool
  */
 protected function isWriteGranted($course, $user)
 {
     // role-based path: role plus association with the course's owning school.
     if ($this->userHasRole($user, ['Faculty', 'Course Director', 'Developer'])) {
         $owningSchool = $course->getSchool();
         if (
             $this->schoolsAreIdentical($owningSchool, $user->getSchool())
             || $this->permissionManager->userHasWritePermissionToSchool($user, $owningSchool)
         ) {
             return true;
         }
     }

     // fallback: an explicit WRITE grant on this very course.
     return (bool) $this->permissionManager->userHasWritePermissionToCourse($user, $course);
 }
示例#8
 /**
  * Decides whether the given user may perform the given action on a school event.
  *
  * Only VIEW is handled; every other attribute is denied.
  *
  * @param string $attribute only self::VIEW can be granted
  * @param SchoolEvent $event
  * @param UserInterface|null $user anything that is not a UserInterface is denied
  * @return bool true when access is granted; false otherwise
  */
 protected function isGranted($attribute, $event, $user = null)
 {
     // no user object means nobody is logged in: deny.
     if (!$user instanceof UserInterface) {
         return false;
     }

     switch ($attribute) {
         case self::VIEW:
             // the event only carries a school id, so the owning school is looked up first.
             // NOTE(review): the lookup result is passed on unchecked; confirm how
             // schoolsAreIdentical() and the permission manager treat a school that was not found.
             $owningSchool = $this->schoolManager->findSchoolBy(['id' => $event->school]);

             // VIEW is granted when the event-owning school is the user's primary school,
             // or when the user holds READ rights on it via the permissions system.
             if ($this->schoolsAreIdentical($owningSchool, $user->getSchool())) {
                 return true;
             }

             return (bool) $this->permissionManager->userHasReadPermissionToSchool($user, $owningSchool);
     }

     // attributes not listed above are denied.
     return false;
 }
 /**
  * Decides whether the given user may create the given curriculum inventory report.
  *
  * Two conditions must both hold:
  * - the user has one of the 'Course Director' or 'Developer' roles, and
  * - the user is associated with the school owning the report's program, either as
  *   primary school or through WRITE rights on that school via the permissions system.
  *
  * @param CurriculumInventoryReportInterface $report
  * @param UserInterface $user
  * @return bool
  */
 protected function isCreateGranted($report, $user)
 {
     // the role is a precondition; without it the school is not even looked at.
     if (!$this->userHasRole($user, ['Course Director', 'Developer'])) {
         return false;
     }

     // NOTE(review): assumes the report always has a program - confirm against the model.
     $programSchool = $report->getProgram()->getSchool();

     return $this->schoolsAreIdentical($user->getSchool(), $programSchool)
         || $this->permissionManager->userHasWritePermissionToSchool($user, $programSchool);
 }
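 /**
  * Decides whether the given user may perform the given action on a
  * curriculum inventory institution.
  *
  * Every grant requires BOTH one of the 'Course Director' or 'Developer' roles
  * AND an association with the institution's school. The role alone never
  * decides VIEW, EDIT or DELETE: a role-only early return ahead of the school
  * checks would leave them unreachable and open the institution to role
  * holders of every school.
  *
  * @param string $attribute one of self::VIEW, self::CREATE, self::EDIT, self::DELETE
  * @param CurriculumInventoryInstitutionInterface $institution
  * @param UserInterface|null $user anything that is not a UserInterface is denied
  * @return bool true when access is granted; false otherwise, including for unlisted attributes
  */
 protected function isGranted($attribute, $institution, $user = null)
 {
     // deny by default: without a user object there is nothing to authorize.
     if (!$user instanceof UserInterface) {
         return false;
     }

     switch ($attribute) {
         case self::VIEW:
             // Only grant VIEW permissions to users with at least one of
             // 'Course Director' and 'Developer' roles.
             // - and -
             // the user must be associated with the institution's school
             // either by its primary school attribute
             //     - or - by READ rights for the school
             // via the permissions system.
             return $this->userHasRole($user, ['Course Director', 'Developer'])
                 && (
                     $this->schoolsAreIdentical($user->getSchool(), $institution->getSchool())
                     || $this->permissionManager->userHasReadPermissionToSchool($user, $institution->getSchool())
                 );

         case self::CREATE:
         case self::EDIT:
         case self::DELETE:
             // Only grant CREATE, EDIT and DELETE permissions to users with at least one of
             // 'Course Director' and 'Developer' roles.
             // - and -
             // the user must be associated with the institution's school
             // either by its primary school attribute
             //     - or - by WRITE rights for the school
             // via the permissions system.
             return $this->userHasRole($user, ['Course Director', 'Developer'])
                 && (
                     $this->schoolsAreIdentical($user->getSchool(), $institution->getSchool())
                     || $this->permissionManager->userHasWritePermissionToSchool($user, $institution->getSchool())
                 );
     }

     // attributes not listed above are denied.
     return false;
 }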
示例#11
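 /**
  * Decides whether the given user may create, edit or delete a course objective.
  *
  * The decision is delegated to the objective's owning course: a locked or
  * archived course denies everything, otherwise the course write rule applies
  * (role plus school association, or an explicit WRITE grant on the course).
  * An objective without any course is denied.
  *
  * @param ObjectiveInterface $objective
  * @param UserInterface $user
  * @return bool
  */
 protected function isCreateEditDeleteGrantedForCourseObjective($objective, $user)
 {
     /* @var CourseInterface $course */
     $course = $objective->getCourses()->first();
     // there should ever only be one

     // fail closed when the objective has no course attached: first() then yields no
     // object, and the calls below would abort the request instead of denying access.
     // NOTE(review): the exact empty-collection return value depends on the collection
     // type - confirm; is_object() covers both false and null.
     if (!is_object($course)) {
         return false;
     }

     // Code below has been copy/pasted straight out of CourseVoter::isGranted().
     // TODO: consolidate. [ST 2015/08/05]
     // HALT!
     // deny DELETE and CREATE privileges if the owning course is locked or archived.
     if ($course->isArchived() || $course->isLocked()) {
         return false;
     }

     // role-based path: role plus association with the course's owning school ...
     return (
         $this->userHasRole($user, ['Faculty', 'Course Director', 'Developer'])
         && (
             $this->schoolsAreIdentical($course->getSchool(), $user->getSchool())
             || $this->permissionManager->userHasWritePermissionToSchool($user, $course->getSchool())
         )
         // ... or an explicit WRITE grant on the course itself.
     ) || $this->permissionManager->userHasWritePermissionToCourse($user, $course);
 }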
示例#12
 /**
  * Decides whether the given user has CREATE/EDIT/DELETE access to the given program year.
  *
  * Access is granted when at least one of these holds:
  * 1. the user has one of the 'Course Director' or 'Developer' roles
  *    and the parent program's owning school is the user's primary school.
  * 2. the user has one of those roles
  *    and holds WRITE rights on the parent program's owning school.
  * 3. the user has one of those roles
  *    and the steward manager reports a stewarding relation between the user and the program year.
  * 4. the user holds WRITE rights on the parent program (no role needed).
  *
  * @param ProgramYearInterface $programYear
  * @param UserInterface $user
  * @return bool
  */
 protected function isWriteGranted($programYear, $user)
 {
     $program = $programYear->getProgram();

     // cases 1-3: the role is required, then any one of the three associations.
     if ($this->userHasRole($user, ['Course Director', 'Developer'])) {
         $programSchool = $program->getSchool();
         if (
             $this->schoolsAreIdentical($programSchool, $user->getSchool())
             || $this->permissionManager->userHasWritePermissionToSchool($user, $programSchool)
             || $this->stewardManager->schoolIsStewardingProgramYear($user, $programYear)
         ) {
             return true;
         }
     }

     // case 4: an explicit WRITE grant on the parent program.
     return (bool) $this->permissionManager->userHasWritePermissionToProgram($user, $program);
 }
示例#13
 /**
  * Decides whether the given user may create a publish event for a session.
  *
  * The session is looked up by the event's table row id and the decision is
  * delegated to the session's owning course. An event that points at no
  * session is denied, as is any event on a locked or archived course.
  *
  * @param PublishEventInterface $event
  * @param UserInterface $user
  * @return bool
  *
  * @see CourseVoter::isGranted()
  */
 protected function isCreateGrantedForSessionPublishEvent($event, $user)
 {
     $session = $this->sessionManager->findSessionBy(['id' => $event->getTableRowId()]);

     // no matching session: nothing to authorize against, so deny.
     if (!$session) {
         return false;
     }

     // NOTE(review): assumes every session has a course - confirm against the model.
     $owningCourse = $session->getCourse();

     // the rule below duplicates the course write check by hand.
     // TODO: consolidate [ST 2015/08/05]
     // HALT!
     // deny DELETE and CREATE privileges if the owning course is locked or archived.
     if ($owningCourse->isArchived() || $owningCourse->isLocked()) {
         return false;
     }

     // role-based path: role plus association with the course's owning school.
     if ($this->userHasRole($user, ['Faculty', 'Course Director', 'Developer'])) {
         $courseSchool = $owningCourse->getSchool();
         if (
             $this->schoolsAreIdentical($courseSchool, $user->getSchool())
             || $this->permissionManager->userHasWritePermissionToSchool($user, $courseSchool)
         ) {
             return true;
         }
     }

     // fallback: an explicit WRITE grant on the course itself.
     return (bool) $this->permissionManager->userHasWritePermissionToCourse($user, $owningCourse);
 }